STANDARD TERMS OF BUSINESS
Last updated: 12th November 2024
The purpose of this schedule is to set out the standard terms of business that apply to all accepted engagements. All work carried out is subject to these terms except where changes are explicitly agreed in writing.
These standard terms of business are applicable to all types of entities (e.g., companies, LLPs, charities, friendly societies, academies, pension schemes, etc.) Any reference therefore to director or company should be interpreted as appropriate for the entity type (e.g., partner, trustee, governor, charity, LLP, etc.)
The titles Partner and Director refer to employees of similar professional standing and are not subject to the obligations and responsibilities of Directors within part 10 of the Companies Act 2006. A list of statutory Directors can be found at the registered office.
Xeinadin Group Limited and its subsidiary companies, hereafter referred to as “Xeinadin.”
1 Professional obligations
1.1 Details of Xeinadin’s professional registrations, including audit registration where applicable together with details of statutory directors can be found on our website as required by the Provision of Services Regulations 2009 (SI 2009/2999).
1.2 We will adhere to the byelaws and regulations of our professional body The Institute of Chartered Accountants in England & Wales (ICAEW) together with their code of ethics. We accept instructions to act for you on this basis. You give us authority to correct errors made by HM Revenue & Customs (HMRC) where we become aware of them, and we will keep you informed should these arise. We will not be liable for any loss, damage or cost arising from our compliance with statutory or regulatory obligations. You can find copies of these requirements in our offices. The requirements are also available online at https://www.icaew.com/technical/practice-resources/regulations-standards-guidance-and-ethics
Professional indemnity insurance
1.3 In accordance with the disclosure requirements of the Provision of Services Regulations 2009, details of our professional indemnity insurer are provided
2 Client monies
2.1 We may, from time to time, hold money on your behalf. Such money will be held in trust in a client bank account, which is segregated from the firm’s funds. The account will be operated, and all funds dealt with, in accordance with the Clients’ Money Regulations of our professional body ICAEW.
If you transfer funds to our client account you will be agreeing that we shall not be liable for any monies lost because of a banking failure. The Financial Services Compensation Scheme (FSCS) covers deposits belonging to clients who are individuals or small businesses per authorised deposit-taking institution. There are limits to the amounts of compensation that the FSCS will pay (please refer to the FSCS website for current limits). Accordingly, you are responsible for maintaining a record of all balances held by us as your agent and for ensuring that we receive from you any instructions regarding those monies.
2.2 In order to avoid an excessive amount of administration, interest will only be paid to you where the amount of interest that would be earned on the balances held on your behalf in any calendar year exceeds £25. Any such interest would be calculated using the prevailing rate applied by the Bank for small deposits subject to the minimum period of notice for withdrawals. Subject to any tax legislation, interest will be paid gross.
2.3 If the total sum of money held on your behalf exceeds £10,000 for a period of 30 days or more, or such sum is likely to be held for 30 days, or if you instruct us to do so in respect of lesser amounts, then the money will be placed in a Designated Client Monies Bank Account. This account may be interest bearing. Any interest earned on the Designated Client Monies Account will be paid to you. Subject to any tax legislation, interest will be paid gross.
2.4 We will return monies held on your behalf promptly as soon as there is no longer any reason to retain those funds. In the unlikely event of us holding any unclaimed monies we reserve the right to pay such monies to a registered charity in line with the guidelines set out in the Clients’ Money Regulations referred to above. We will not do this unless we have been unable to contact you for at least five years and we have taken reasonable steps to trace you and return the monies.
2.5 We will transact through a Client Monies Bank Account where the transactions relate to accountancy services being provided by us.
2.6 The Financial Services Compensation Scheme (FSCS) may provide compensation in the unlikely event of the failure of a bank authorised by the UK Financial Conduct Authority (FCA). Compensation limits will apply to the combined total of client’s money held by us on your behalf, and any accounts which you also hold with the same bank, or other bank brand name covered by the same FCA authorisation number. Further information about compensation arrangements is available from the FSCS at http://www.fscs.org.uk or by calling them on 0800 678 110 or 020 7741 4100.
3 Fees
3.1 Our fees are calculated based on the time spent on your affairs by the Directors, our staff, sub-contractors, or consultants and on the levels of skill and responsibility involved. Our charges will be reviewed from time to time. Unless otherwise agreed our fees and disbursements will be billed at regular intervals during the course of the year and will be due on presentation. Where we have provided a fee estimate, this is an indication, made in good faith and on the basis of the information we have at the time the estimate is given, of our likely fee for carrying out the work concerned. An estimate is subject to revision and is not a commitment by us to carry out the work for that fee. If it is necessary to carry out work outside the responsibilities agreed with you for each service, we will advise you in advance. Any additional work will involve additional fees. We would like to point out that it is in your interests to ensure that your records etc. are completed to the agreed stage.
3.2 Our fees, disbursements and expenses are, where applicable, subject to VAT at the prevailing rate from time to time, which will be added where it is chargeable.
If you are established outside the UK but within the EU and you are registered for VAT in the relevant jurisdiction(s) you agree to provide us with your VAT registration number(s) so that we can meet our invoicing obligations in order to treat our fee as outside the scope of UK VAT.
3.3 Additional fees to cover disbursements such as transaction charges, bank fees, governmental levies, duties or fines and all other charges incurred in the course of the provision of the Services together with all other disbursements and out-of-pocket expenses may be made from time to time. Additional charges will be subject to VAT where applicable. We may render invoices in advance in respect of any anticipated additional charges.
3.4 Any fee budget agreed with you assumes that the information required for our work is available in accordance with agreed timetables and that the necessary personnel are available during our work. If delays or other unanticipated problems occur which are beyond our control this may result in additional fees for which fee notes will be raised on the above basis. We will advise you of any delays as they occur and will estimate their effect.
3.5 Invoices are payable in full (including disbursements) in accordance with the terms set out on the invoice. If you do not accept that an invoiced fee is fair and reasonable you must notify us within 21 days of receipt, failing which you will be deemed to have accepted that payment is due.
3.6 It is our normal practice to request that clients plan to pay a proportion of their fee on a monthly Direct Debit/Standing order. These payments will be applied to fees arising from work agreed in this letter of engagement for the current and ensuing years. Once we have been able to assess the amount of work and time involved, we would be grateful if you would agree to pay an amount to us on a regular basis. This instalment agreement is not a regulated credit agreement.
3.7 We reserve the right to charge interest on overdue accounts at the current rate under the Late Payment of Commercial Debts (Interest) Act 1998. We also reserve the right to terminate our engagement and cease acting if payment of any fees billed is unduly delayed. We accept settlement of fees by certain credit cards.
3.8 We are entitled to recover on a full indemnity basis any costs incurred by us in collecting overdue payments, including our time charges, the costs, and expenses of any third parties we may appoint to collect such amounts. We reserve the right to retain all documents and any items in our possession relating to any matter until all invoices/requests for payment are paid in full.
3.9 If an agreement has been made whereby our fees are to be paid by someone other than you, you will nevertheless remain liable for all our fees outstanding and all expenses incurred on your behalf until payment has been made in full.
3.10 You agree that we may deduct or cause to be deducted the fees and all additional charges from any monies or assets held by us for you.
3.11 If a client company, trust or other entity is unable or unwilling to settle our fees, we reserve the right to seek payment from the individual (or parent company) giving us instructions on behalf of the client, and we shall be entitled to enforce any sums due against the group company or individual nominated to act for you.
3.12 Insofar as we are permitted to do so by law or by professional guidelines, we reserve the right to exercise a lien over all funds, documents and records in our possession relating to all engagements for you until all outstanding fees and disbursements are paid in full.
3.13 In the event that we cease to act in relation to your company’s affairs we will not charge for reasonable costs of providing information to the company’s new advisers. However, we reserve the right to charge for our costs where there is a significant amount of time and work involved in providing this information to the new provider.
4 Investment services
DPB Licensed
4.1 Investment Business is regulated by the Financial Services and Markets Act 2000. If, during the provision of professional services to you, you need advice on investments (including assurances), we may have to refer you to someone who is authorised by the Financial Conduct Authority as we are not. However, as we are licensed by our professional body, we may be able to provide certain investment services that are complementary to, or arise out of, the professional services we are providing to you.
4.2 Such advice may include:
• advising you on investments generally, but not recommend a particular investment or type of investment;
• referring you to a Permitted Third Party (PTP) (an independent firm authorised by the FCA), assisting you and the PTP during the course of any advice given by that party and commenting on, or explaining, the advice received (but not making alternative recommendations). The PTP will issue you with their own terms and conditions letter, will be remunerated separately for their services and will take full responsibility for compliance with the requirements of the Financial Services and Markets Act 2000;
• advising you in connection with the disposal of an investment, other than your rights in a pension policy or scheme;
• advising and assisting you in transactions concerning shares or other securities not quoted on a recognised exchange;
• assisting you in making arrangements for transactions in investments in certain circumstances; and
• managing investments or acting as trustee (or donee of a power of attorney) where decisions to invest are taken on the advice of an authorised person.
4.3 For corporate clients we may also, on the understanding that the shares or other securities of the company are not publicly traded:
• advise the company, existing or prospective shareholders in relation to exercising rights, taking benefits or share options, valuations and methods of such valuations;
• arrange any agreements in connection with the issue, sale or transfer of the company’s shares or other securities;
• arrange for the issue of new shares; and
• act as the addressee to receive confirmation of acceptance of offer documents etc.
4.4 In the unlikely event that we cannot meet our liabilities to you, you may be able to claim compensation under the Chartered Accountants’ Compensation Scheme in respect of exempt regulated activities undertaken.
Financial Promotions
4.5 To enable us to provide you with a proper service, there may be occasions when we will need to contact you without your express permission concerning investment business matters. For example, it may be in your interests to sell a particular investment, and we would wish to inform you of this. We may therefore contact you in such circumstances but would only do so in our normal office hours. We shall of course comply with any restrictions you may wish to impose which you notify to us in writing.
5 Commissions or other benefits
5.1 In some circumstances, commissions or other benefits may become payable to us in respect of transactions we or our business associates arrange for you, in which case you will be notified in writing of the amount and terms of payment.
It is a requirement of being an ICAEW DPB licensed firm that we disclose to you the amount of commission we receive from third parties, arising from products/services arranged on your behalf, and request your consent to retain such commission.
If any route other than giving the money to you is chosen, you must give written consent to your agreement specific to the occasion. By doing so you consent to such commission or other benefits being retained by us.
6 Retention of and access to records
6.1 You have a legal responsibility to retain documents and records relevant to your financial affairs. During the course of our work, we may collect information from you and others relevant to your tax and financial affairs. We will return any original documents to you if requested. Documents and records relevant to your tax affairs are required by law to be retained as follows:
Individuals, trustees and partnerships:
• with trading or rental income: five years and 10 months after the end of the tax year;
• otherwise: 22 months after the end of the tax year.
Companies, Limited Liability Partnerships, and other corporate entities:
• six years from the end of the accounting period.
6.2 Although certain documents may legally belong to you, we may destroy correspondence and other papers that we store electronically or otherwise that are more than seven years old, except documents we think may be of continuing significance. You must notify us in writing if you wish us to keep any document for a longer period.
7 Conflicts of interest and independence
7.1 We reserve the right during our engagement with you to deliver services to other clients whose interests might compete with yours or are or may be adverse to yours, subject to clause 8 below. We confirm that we will notify you immediately should we become aware of any conflict of interest involving us and affecting you unless we are unable to do so because of our confidentiality obligations. We have safeguards that can be implemented to protect the interests of different clients if a conflict arises. Where conflicts are identified which cannot be managed in a way that protects your interests then we regret that we will be unable to provide further services.
7.2 During and after our engagement, you agree that we reserve the right to act for other clients whose interests are or may compete with or be adverse to yours, subject, of course, to our obligations of confidentiality and the safeguards set out in the paragraph on confidentiality below.
8 Confidentiality
8.1 We confirm that where you give us confidential information we shall at all times keep it confidential, except as required by law or as provided for in regulatory, ethical or other professional statements relevant to our engagement.
8.2 You agree that, if we act for other clients who are or who become your competitors, to comply with our duty of confidentiality it will be sufficient for us to take such steps as we think appropriate to preserve the confidentiality of information given to us by you, both during and after this engagement. These may include taking the same or similar steps as we take in respect of the confidentiality of our own information.
8.3 In addition, if we act for other clients whose interests are or may be adverse to yours, we will manage the conflict by implementing additional safeguards to preserve confidentiality. Safeguards may include measures such as separate teams, physical separation of teams, and separate arrangements for storage of, and access to, information.
8.4 You agree that the effective implementation of such steps or safeguards as described above will provide adequate measures to avoid any real risk of confidentiality being impaired.
8.5 We may, on occasions, subcontract work on your affairs to other tax or accounting professionals. The subcontractors will be bound by our client confidentiality terms.
8.6 If we use external or cloud-based systems, we will ensure confidentiality of your information is maintained.
8.7 For the purpose of promotional activity, training or other business purposes we may request permission to mention that you are a client. As stated above, we will not disclose any confidential information.
8.8 During the performance of the Services, we may provide interim reports and advice. Any reports are based upon partial completion of the Services. Consequently, these are not our final views or conclusions and cannot be relied upon as such. You agree that we do not assume a duty of care to you, or any other party to whom we have agreed to assume a duty of care, in respect of interim reports and advice. The final results of our work and our definitive conclusions will be contained in our final report. This report will be signed in manuscript by a Director/Partner on behalf of the company, and will not bear any qualification within its title, header or footer.
8.9 With the exception of any audit or other report which we expressly agree may be provided to third parties, the reports, letters, information and advice which arise as a result of this engagement are given in confidence solely for the purpose of this engagement and are provided on the condition that you undertake not to disclose these, or any other confidential information made available to you by us during the course of our work, to any other party without our prior written consent.
8.10 In circumstances where our reports, letters or information will be provided to or used by a third party, you will inform us so that we can stipulate terms regarding such provision or require the third party to enter into a direct relationship with us before any report, letter, information or advice is provided to that third party. Unless the third party agrees appropriate terms with us, we recognise no responsibility whatsoever other than that owed to you in the context of this engagement as at the date on which our report or other advice is given.
We will not be prevented from disclosing confidential information:
• which is or becomes public knowledge other than by a breach of an obligation of confidentiality;
• which is or becomes known from other sources without restriction on disclosure; or
• which is required to be disclosed by law or any professional regulatory obligation.
For the purposes of carrying out our responsibilities in this engagement, we shall not be treated as having notice of information, which may have been provided to individuals within this firm who are not involved in this engagement.
8.11 This clause applies in addition to our obligations as to data protection below.
8.12 You agree to take reasonable steps to ensure that these terms are understood by your advisors.
9 Quality control
9.1 As part of our ongoing commitment to providing a high-quality service, our files are periodically subject to an independent regulatory or quality review. Our reviewers are highly experienced and professional people and are, of course, bound by the same requirements of confidentiality as our principals and staff.
Dealing with HM Revenue & Customs
9.2 When dealing with HMRC on your behalf we are required to be honest and to take reasonable care to ensure that your returns are correct. To enable us to do this, you are required to be honest with us and to provide us with all necessary information in a timely manner. For more information about ‘Your Charter’ for your dealings with HMRC, see http://www.hmrc.gov.uk/charter/index.htm. To the best of our abilities, we will ensure that HMRC meet their side of the Charter in their dealings with you.
10 Help us to give you the right service
10.1 We are committed to providing you with a high-quality service that is both efficient and effective. If at any time you would like to discuss with us how our service to you could be improved, or if you are dissatisfied with the service you are receiving, please let us know by firstly contacting the managing director of the office that deals with your affairs. If you are still dissatisfied, please contact our Complaints team at [email protected]. We will acknowledge your letter within five business days of its receipt and endeavour to deal with it within eight weeks. If we do not deal with your complaint in this time, or if you are unhappy with our response, you may of course take up the matter with the ICAEW https://www.icaew.com/regulation/complaints-process
If you remain unsatisfied and your complaint relates to one of our Licensed Insolvency Practitioners, you have the right to refer the matter to the Insolvency Complaints Gateway which is operated by the Insolvency Service, Department for Business, Energy & Industrial Strategy (BEIS) by:
• calling the Insolvency Service Enquiry Line on 0845 602 9848 (Monday to Friday 8am to 5pm); or
• completing an online complaints form at https://www.gov.uk/complain-about-insolvency-practitioner (guidance for those who wish to complain can also be found on this site); or
• by sending the completed complaints form by post to IP Complaints, Insolvency Service, 3rd Floor, 1 City Walk, Leeds, LS11 9DA.
10.4 In order for us to provide you with a high quality service on an ongoing basis it is essential that you provide us with relevant records and information when requested, reply to correspondence in a timely manner and otherwise follow the terms of the agreement between us set out in this Standard Terms of Business and associated engagement schedules. We therefore reserve the right to cancel the engagement between us with immediate effect in the event of:
• your insolvency, bankruptcy or other arrangement being reached with creditors;
• failure to pay our fees by the due dates;
• either party being in breach of their obligations where this is not corrected within 30 days of being asked to do so; or
• an independence issue or change in the law which means we can no longer act.
11 Period of engagement and termination
11.1 Unless otherwise agreed in our engagement letter, our work will begin when we receive implicit or explicit acceptance of that letter. Except as stated in that letter, we will not be responsible for periods before that date.
11.2 Each of us may terminate our agreement by giving not less than 21 days’ notice in writing to the other party except if you fail to cooperate with us or we have reason to believe that you have provided us (or HMRC) with misleading information, in which case we may terminate this agreement immediately. Termination will be without prejudice to any rights that may have accrued to either of us before termination.
11.3 We reserve the right to suspend any work for you with or without notice to you in the event that we are obliged to do so under any applicable law and regulations, including legislation in relation to money laundering or proceeds of crime.
11.4 In the event of termination of our contract, we will endeavour to agree with you the arrangements for the completion of work in progress at that time, unless we are required for legal or regulatory reasons to cease work immediately. In that event, we will not be required to carry out further work and shall not be responsible or liable for any consequences arising from termination.
12 Applicable law
12.1 This engagement letter is governed by, and construed in accordance with English Law if the services that are covered by the engagement letter are provided by our offices in England, Wales or Northern Ireland, or Scottish Law if the services that are covered by the engagement letter are provided by our offices in Scotland. The Courts will have exclusive jurisdiction in relation to any claim, dispute or difference concerning this engagement letter and any matter arising from it. Each party irrevocably waives any right it may have to object to any action being brought in those courts, to claim that the action has been brought in an inappropriate forum, or to claim that those courts do not have jurisdiction.
12.2 If any provision in this Standard Terms of Business or any associated engagement schedules, or its application, are found to be invalid, illegal or otherwise unenforceable in any respect, the validity, legality or enforceability of any other provisions shall not in any way be affected or impaired.
13 Our advice, changes in the law, in practice or in public policy
13.1 We will endeavour to record all advice on important matters in writing. Advice given orally is not intended to be relied upon unless confirmed in writing. Therefore, if we provide oral advice (for example during the course of a meeting or a telephone conversation) and you wish to be able to rely on that advice, you should ask for the advice to be confirmed by us in writing.
13.2 We will only assist with implementation of our advice if specifically instructed and with our agreement in writing.
13.3 All of our advice to you is based on laws, regulations, statements of practice and codes of practice that are current at the time the advice is given and no warranty is made in respect of the continued accuracy or applicability of our advice. Unless we have expressly agreed to do so in our engagement letter, we will have no obligation actively to inform you if the laws, regulations, statements of practice and codes of practice upon which any advice we have given to you was based have changed, or if any change has any implications that will require you to obtain additional or updated advice or services.
13.4 We will not accept responsibility if you act on advice previously given by us without first confirming with us that the advice is still valid in light of any change in the law, public policy or your circumstances.
13.5 We will accept no liability for losses arising from changes in the law or the interpretation thereof, practice or public policy that are first published after the date on which the advice is given to the fullest extent permitted by applicable law.
14 Internet communication
14.1 Unless you instruct us otherwise, we may, where appropriate, communicate with you and with third parties via email or by other electronic means. However, internet communications are capable of data corruption and therefore we do not accept any responsibility for changes made to such communications after their despatch. It may therefore be inappropriate to rely on advice contained in an e-mail without obtaining written confirmation of it. We do not accept responsibility for any errors or problems that may arise through the use of internet communication and all risks connected with sending commercially sensitive information relating to your business are borne by you. If you do not agree to accept this risk, you should notify us in writing that e-mail is not an acceptable means of communication.
14.2 It is the responsibility of the recipient to carry out a virus check on any attachments received.
15 Limitation of third-party rights
15.1 Persons who are not party to this agreement shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement. This clause does not affect any right or remedy of any person which exists or is available otherwise than pursuant to that Act.
15.2 The advice we give you is for your sole use and is confidential to you and will not constitute advice for any third party to whom you may communicate it, unless we have expressly agreed in writing that a specified third party may rely on our work. We will accept no responsibility to third parties, including any group company to whom the engagement letter is not addressed, your spouse nor any family member of yours or your employer, for any aspect of our professional services or work that is made available to them.
16 Client identification
16.1 In common with other professional firms we are required by the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017 to:
• maintain identification procedures for clients, beneficial owners of clients, and persons purporting to act on behalf of clients;
• maintain records of identification evidence and the work undertaken for the client; and
• report, in accordance with the relevant legislation and regulations.
16.2 We have a statutory obligation under the above legislation to report to the National Crime Agency (NCA) any reasonable knowledge or suspicion of money laundering. Any such report must be made in the strictest confidence. In fulfilment of our legal obligations, neither the firm’s principals nor staff may enter into any correspondence or discussions with you regarding such matters.
16.3 If we are not able to obtain satisfactory evidence of your identity and where applicable that of the beneficial owners, we will not be able to proceed with the engagement.
16.4 You agree that we may use personal information provided by you in order to conduct appropriate identity and anti-fraud checks. Personal information that you provide may be disclosed to a credit reference or fraud prevention agency that will check details against any particulars on any database (public or otherwise) to which they have access. Personal information may be retained by the credit reference or fraud prevention agency for the purpose of future identity and anti-fraud checks. A record of the search will be retained. This information provided by you is used by us only to confirm your identity and no credit check is being performed by us. Accordingly, your credit rating will not be affected.
16.5 In addition, we may also request similar information in order to conduct appropriate identity and anti-fraud checks on management and beneficial owners as we consider necessary. You agree to inform such persons of these checks as described in clause 18.1 below.
17 Foreign Account Tax Compliance Act (FATCA) and The Common Reporting Standards
17.1 Unless agreed specifically in a separate engagement letter, we are not responsible for your compliance with the International Tax Compliance (United States of America) Regulations 2013, produced as a result of FATCA. In particular, we are not responsible for the categorisation of any UK entity into either a Financial Institution (FI) or an active or passive Non-Financial Foreign Entity (NFFE) nor, if a Financial Institution, for its registration with the US Internal Revenue Service (IRS) and subsequent submission of the required annual returns to HMRC.
17.2 However, if requested to do so we can provide advice on the completion of the forms supplied by Financial Institutions under these Regulations, or under The Common Reporting Standards, and used by them to determine the status of an entity. We can also provide advice on setting up the appropriate systems to identify and report on your clients or beneficiaries who are foreign citizens affected by FATCA or The Common Reporting Standards.
18 General limitation of liability
18.1 We will provide our services with reasonable care and skill. Our liability to you is limited to losses, damages, costs and expenses caused by our negligence or wilful default. However, to the fullest extent permitted by law, we will not be responsible for any losses, penalties, surcharges, interest or additional tax liabilities where you or others supply incorrect or incomplete information or fail to supply any appropriate information or where you fail to act on our advice or respond promptly to communications from us or the tax authorities. Further, we will not be liable to you for any delay or failure to perform our obligations if the delay or failure is caused by circumstances outside our reasonable control. Subject to clause 19.6 below, our liability to you shall be limited as set out in clause 20.
18.2 You will not hold us, our principals/directors and staff, responsible, to the fullest extent permitted by law, for any loss suffered by you arising from any misrepresentation (intentional or unintentional) supplied to us orally or in writing. This applies equally to fraudulent acts, misrepresentation or wilful default on the part of any party to the transaction and their directors, officers, employees, agents or advisers. However, this exclusion shall not apply where such misrepresentation, withholding or concealment is or should (in carrying out the procedures which we have agreed to perform with reasonable care and skill) have been evident to us without further enquiry.
18.3 We are not liable to the extent that our breach of duty results from something you do or fail to do (such as giving us wrong or incomplete information or failing to provide information in a timely manner) unless we knew (or ought reasonably to have known) that your act or failure to act would give rise to a breach of duty and we failed to inform you of this or take other reasonable steps to avoid that breach of duty or minimise its effects.
18.4 We are not liable for any loss arising from or connected with our compliance with any statutory obligation that we may have, or reasonably believe we may have, to report matters to the relevant authorities under the provisions of any applicable laws and regulations, for example, legislation relating to money laundering or proceeds of crime.
18.5 For statutory audit work, we will provide our professional services with reasonable care and skill. However, we will not be held responsible for any losses arising from the supply by you or others of incorrect or incomplete information, or your or others’ failure to supply any appropriate information or your failure to act on our advice or respond promptly to communications from us or other relevant authorities.
18.6 You agree that you will not bring any claim in connection with services we provide to you against any of our partners or employees personally.
18.7 In particular, the fact that an individual member, employee, agent or consultant signs in his or her own name any letter, email or other document in the course of carrying out that work does not mean he or she is assuming any personal legal liability.
18.8 Our work is not, unless there is a legal or regulatory requirement, to be made available to third parties without our written permission and we will accept no responsibility to third parties for any aspect of our professional services or work that is made available to them. You agree to indemnify us and our agents in respect of any claim (including any claim for negligence) arising out of any unauthorised disclosure by you or by any person for whom you are responsible of our advice and opinions, whether in writing or otherwise. This indemnity will extend to the cost of defending any such claim, including payment at our usual rates for the time that we spend in defending it and our legal fees on an indemnity basis.
18.9 Nothing in this agreement shall exclude or limit our liability for death or personal injury caused by negligence nor for fraudulent misrepresentation or other fraud which may not as a matter of applicable law be excluded or limited.
19 Financial limitation of liability
19.1 We have discussed with you the extent of our liability to you in respect of the professional services described within our engagement letter (the professional services), comprising the Engagement Covering Letter, Agreement of Terms and the relevant Appendices.
19.2 For all causes of action accruing in any 12 month period, the first period commencing on the date of our engagement letter, our total liability (regardless of the number of persons who comprise our client for any particular matter) shall be limited to the lower of the figures produced by the operation of clauses 19.3 and 19.4. This provision, and the provisions of the following paragraphs, shall not apply to any liability:
• for work requiring us to report as statutory auditors (see clause 20.2);
• for work required to be carried out by us under the rules of the US Securities and Exchange Commission;
• for death or personal injury or other liability for which exclusion or restriction is prohibited by law; or
• to liability arising as a result of fraud on our part.
In no event shall we be liable for any special, indirect or consequential loss or damage of any kind however it arises, whether or not such loss or damage is foreseeable, foreseen or known.
19.3 Subject to the provisions of clause 19.5 below, our liability in respect of breach of contract or breach of duty or fault or negligence or otherwise whatsoever arising out of or in connection with this engagement shall be limited to a maximum limit of £1 million/€1,170,985 including interest and costs to cover claims of any sort whatsoever in connection with the engagement, unless an alternative liability cap has been included and agreed in the limitation of liability section of the engagement letter.
Any claim for breach of contract, breach of duty or fault or negligence or otherwise whatsoever arising out of or in connection with this engagement shall be brought against us within six years of the act or omission alleged to have caused the loss in question.
19.4 Our liability to you in respect of breach of contract or breach of duty or fault or negligence or otherwise whatsoever arising out of or in connection with this engagement shall be limited to a just and equitable proportion of the total loss or damage after taking into account contributory negligence and the responsibility of any other party (regardless of the ability of any other party to make payment).
19.5 You agree that you will not bring any claim in connection with services we provide to you against any of our partners or employees personally.
19.6 In particular, the fact that an individual member, employee, agent or consultant signs in his or her own name any letter, email or other document in the course of carrying out that work does not mean he or she is assuming any personal legal liability.
19.7 Our work is not, unless there is a legal or regulatory requirement, to be made available to third parties without our written permission and we will accept no responsibility to third parties for any aspect of our professional services or work that is made available to them. You agree to indemnify us and our agents in respect of any claim (including any claim for negligence) arising out of any unauthorised disclosure by you or by any person for whom you are responsible of our advice and opinions, whether in writing or otherwise. This indemnity will extend to the cost of defending any such claim, including payment at our usual rates for the time that we spend in defending it and our legal fees on an indemnity basis.
19.8 Nothing in this agreement shall exclude or limit our liability for death or personal injury caused by negligence nor for fraudulent misrepresentation or other fraud which may not as a matter of applicable law be excluded or limited.
20 Intellectual property rights and use of our name
20.1 We will retain all intellectual property rights in any document prepared by us during the course of carrying out the engagement except where the law specifically states otherwise. You may only use such rights to the extent we agreed when engaged to provide services to you and may not resell or sublicense such rights without our further prior consent.
20.2 The same applies to copyright and other intellectual property rights in any records, reports, papers, designs, typographical arrangements, software, and all other materials in whatever form, including but not limited to hard copy and electronic form, prepared by us or on our behalf in the provision of services to you.
20.3 You are not permitted to use our name in any statement or document that you may issue unless our prior written consent has been obtained. The only exception to this restriction would be statements or documents that in accordance with applicable law are to be made public.
21 Environmental issues
21.1 We will not give advice on environmental or health and safety issues nor will we perform an environmental audit as part of our services, unless specified in our scope of services. You agree that environmental issues and their impact are excluded from the services unless otherwise agreed in the Letter of Engagement.
22 Interpretation
22.1 If any provision of our engagement letter or terms of business is held to be void for whatever reason, then that provision will be deemed not to form part of this contract, and no other provisions will be affected or impaired in any way. In the event of any conflict between these terms of business and the engagement letter or appendices, the relevant provision in the engagement letter or schedules will take precedence.
23 Internal disputes within a client
23.1 If we become aware of a dispute between the parties who own the business, or who are in some way involved in its ownership and management, it should be noted that our client is the business (unless we have agreed otherwise) and we would not provide information or services to one party without the express knowledge and permission of all parties. Unless otherwise agreed by all parties, we will continue to supply information to the registered office/normal place of business for the attention of the directors/proprietors. If conflicting advice, information or instructions are received from different directors/principals in the business, we will refer the matter back to the board of directors/the partnership and take no further action until the board/partnership has agreed the action to be taken. In certain cases, we reserve the right to cease acting for the business/client entirely.
24 Engagement of Xeinadin (and its subsidiaries) Employees
24.1 If you directly engage an employee of Xeinadin or any of our associates or introduce an employee of Xeinadin to any third party resulting in an Engagement, you will be liable to an introduction fee of 22% of the annual starting salary. If you fail to advise Xeinadin of the starting salary the fee will be based on the charge out rate for the employee.
24.2 This applies during employment and for a period of 12 months post termination. No refund of the introduction fee will be paid if the engagement terminates.
25 Changes in members/successor firm
25.1 The continuing validity of this agreement will not be affected by any change in the members of the firm. If we merge with another firm or transfer substantially all of our business to a partnership, a limited liability partnership or company, then you agree that we may transfer our engagement with you on substantially the same terms (so far as applicable) to the successor enterprise. We shall write and tell you if this happens.
26 Disengagement
26.1 If we resign or are asked to resign, we will normally issue a disengagement letter to ensure that our respective responsibilities are clear.
Data protection
The concepts of controller and processor play a crucial role in the application of Regulation (UK & EU) 2016/679, The Data Protection Act (2018) and the applicable Union or Member State data protection provisions.
Depending upon the nature of the services being delivered under this agreement Xeinadin may be acting as an independent controller or as a processor. The relevant obligations in each circumstance are described in the following clauses.
Where Xeinadin are acting as a Processor, the “Data Processing Agreement: Xeinadin as a Data Processor” forms part of this engagement letter and sets out our obligations. We act as a data processor when the customer has determined the purpose and means of processing personal data; often when Xeinadin is providing services to the customer and performing specific tasks based on instructions from the customer.
Where Xeinadin are acting as a Controller, the “Data Processing Agreement: Xeinadin as a Data Controller” forms part of this engagement letter and sets out our obligations. We act as a Data Controller when Xeinadin determines the purpose and means of processing personal data, often when we engage a Provider to perform specific tasks based on our instructions.
Where Xeinadin are each considered independent Controllers in relation to Personal Data, Xeinadin shall each comply with the relevant provisions of applicable data protection legislation.
Where Xeinadin are each considered independent Processors in relation to Personal Data, Xeinadin shall each comply with the relevant provisions of applicable data protection legislation.
If you need to contact us about any data protection issue, please contact our Data Protection Officer at [email protected]
For more information about how we handle your data, please refer to our privacy notice here.
Data Processing Agreement: Xeinadin as a Data Processor
This agreement is between the customer and Xeinadin Group Limited and its subsidiary companies. Registered Office: 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD; Registered in England, Wales and Ireland
The agreement shall be in force from the signed date of this Letter of Engagement and will continue until otherwise stated by the customer or Xeinadin Group Limited and its subsidiary companies.
For the purpose of this agreement “data controller”, “personal data” and “processing” have definitions contained in Data Protection Legislation such as the EU/UK General Data Protection Regulation (GDPR) 2016/679 and The Data Protection Act 2018.
To enable us to discharge the services agreed under our engagement, and for other related purposes including updating and enhancing client records, analysis for management purposes and statutory returns, crime prevention and legal and regulatory compliance, Xeinadin may obtain, use, process and disclose Personal Data about the Controller/ the Controller’s business/ Controller/ partnership/ its officers and employees and shareholders (‘Personal Data’). In the course of providing services to the Controller and processing Personal Data, Xeinadin may disclose Personal Data to other firms in our network, a regulatory body or a third party.
Obligations of the Data Controller (Customer):
The Data Controller will ensure that any disclosure of Personal Data to Xeinadin complies with data protection legislation. If the Controller supplies us with any Personal Data or confidential information the Controller shall ensure the Controller has a lawful basis to pass it to us and will fully indemnify and hold us harmless if the Controller does not have such a basis and that causes us loss. If the Controller is supplying us with Personal Data based on a power of attorney, the Controller must produce to us an original or certified power of attorney on demand. The Controller must ensure the Controller has provided the necessary information to the relevant Data Subjects regarding its use. It is the duty of the Data Controller to ensure that the instructions and Personal Data which are provided to us by the Controller are lawfully provided; provide all communications, information (including copies of Personal Data) which are required to be provided to the Data Subjects pursuant to data protection legislation; liaise directly with Data Subjects in respect of data protection and privacy matters; reasonably co-operate with us in all matters relating to this agreement; undertake the Controller’s obligations with reasonable skill and care; provide such information materials as Xeinadin may reasonably require, and ensure that they are provided in a reasonable state. Xeinadin shall immediately inform the Controller if, in our opinion, an instruction infringes data protection legislation.
The Data Controller holds the duty to guarantee that the processing of the data conforms to all applicable data protection laws and regulations. The Data Controller is obligated to oversee the handling of Personal data by the data controller to ensure that it abides by all applicable laws and regulations.
The Data Controller is obligated to provide the Data Processor with any pertinent information and aid to facilitate the provision of its services under this Agreement. This encompasses granting access to essential documents, systems, files, and other vital resources, as well as any queries for elucidation or further information from the Processor.
The Data Controller has the responsibility to keep the Data Processor informed about any material changes in the processing activities. This includes promptly notifying the processor of alterations that may impact data handling or security.
Obligations of the Data Processor (Xeinadin):
Xeinadin shall provide the Data Controller with all necessary assistance to enable the Data Controller to comply with its obligations under applicable data protection laws and regulations. Xeinadin is required to comply with all Data Protection Legislation when processing personal data and providing services. They must also fulfil their obligations under this Agreement without causing the Data Controller or any other party to breach any Data Protection Legislation, whether through an act or omission.
Xeinadin shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
Xeinadin shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, Xeinadin shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Xeinadin shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (UK & EU) 2016/679 / The Data Protection Act (2018) or the applicable Union or Member State data protection provisions.
Xeinadin warrants that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Xeinadin shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and shall take all measures required pursuant to Article 32 of the GDPR. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data (personal data breach). Xeinadin shall promptly notify the Controller in the event of any security breach involving the Controller’s personal data without undue delay and within 24 hours.
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“special category data”), Xeinadin shall apply specific restrictions and/or additional safeguards.
Xeinadin shall notify the Data Controller within 72 hours if Xeinadin receives from a Data Subject a request to exercise any Data Subject’s rights. Considering the nature of the processing, Xeinadin shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject’s rights by law.
Xeinadin shall not engage another Processor without prior specific authorisation (such authorisation not to be unreasonably withheld) from the Data Controller. Where Xeinadin engages a sub-processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the sub-processor, the same data protection obligations as the ones imposed on Xeinadin in accordance with these Clauses. Xeinadin shall inform the Controller of any intended changes concerning the addition or replacement of Sub processors, giving the Controller the opportunity to object to such changes by allowing the Controller to provide prompt written reasonable justification for such objections. Xeinadin will not use such Sub-processor where the Controller has raised such reasonable justification for such objections, and performance of this agreement will be suspended until Xeinadin have appointed a reasonable replacement Sub-processor which is approved by the Controller.
Xeinadin is obligated to ensure that Personal Data can only be accessed by its Employees and authorised Agents, Contractors and Sub-Processors. Access to Personal Data will be granted only to those who need it for the purpose of performing their duties and are subject to appropriate confidentiality obligations. Xeinadin will also provide data protection training to Employees and authorised Agents, Contractors, and Sub-Processors with access to Personal Data, so that they understand their responsibilities and the legal requirements associated with the handling of Personal Data.
Xeinadin shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, with no less than 30 days written notice of intent. Where the Controller undertakes any audits (either the Controller itself or through the Controller’s third parties), this will be subject to the Controller ensuring that: it does not disrupt our activities or the activities of our processors and third parties; the audit is undertaken in a reasonable and professional manner, with access being sought to only those aspects which are required by data protection legislation (but not to any legally privileged information, nor any information of any third parties who are not the Data Subjects); any site visit at our premises or our Processors’ premises, is subject to accompaniment at all times by our representatives or our Processors’ representatives; the auditor enters into a reasonable confidentiality agreement with us and our relevant Processors; and the cost of the audit and any assistance and attendance by us, our Processors, and any of the aforementioned representatives is paid for by the Controller.
At the Controller’s discretion, in respect of the Personal Data which is in our possession or our Processors’ possession: securely delete or return all Personal Data to the Controller after the end of the provision of services and delete existing if storage of such data is required by applicable law. If storage is required, Xeinadin will inform the Controller and delete the data as soon as permitted under the law.
Xeinadin shall neither transfer nor process Personal Data outside the United Kingdom/EEA, nor permit Personal Data to be transferred or processed outside the United Kingdom/EEA by a Sub processor or third party without permission from the data controller. Should Xeinadin engage a sub-processor in accordance with Clause 7 for carrying out specific processing activities and those processing activities involve an international transfer of personal data, Xeinadin will ensure compliance with Chapter V of Regulation (UK & EU) 2016/679 by using standard contractual clauses (or other appropriate safeguards), provided the conditions for the use of those standard contractual clauses (or other appropriate safeguards) are met.
Data Processing Agreement: Xeinadin as a Data Controller:
This agreement is between the customer and Xeinadin Group Limited and its subsidiary companies. Registered Office: 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD; Registered Number – 11354408. Registered in England and Wales.
The agreement shall be in force from the signed date of this Letter of Engagement and will continue until otherwise stated by the customer or Xeinadin Group Limited and its subsidiary companies.
For the purpose of this agreement “data controller”, “personal data” and “processing” have definitions contained in Data Protection Legislation such as the EU/UK General Data Protection Regulation (GDPR) 2016/679 and The Data Protection Act 2018.
Obligations of the Data Controller (Xeinadin):
Xeinadin will ensure that any disclosure of Personal Data to Xeinadin complies with such legislation. Where Xeinadin supplies Personal Data or confidential information to the processor, it shall ensure there is an established lawful basis to supply it and will fully indemnify and hold the Processor harmless if Xeinadin does not have such a basis and that causes the Processor a loss. If Xeinadin is supplying the processor with Personal Data based on a power of attorney, Xeinadin must produce an original or certified power of attorney on demand. It is the duty of Xeinadin to ensure that the instructions are lawfully provided; provide all communications, information (including copies of Personal Data) which are required to be provided to the Data Subjects pursuant to data protection legislation; liaise directly with Data Subjects in respect of data protection and privacy matters; reasonably co-operate with the Processor in all matters relating to this agreement; undertake the Controller’s obligations with reasonable skill and care; provide such information materials as the Processor may reasonably require, and ensure that they are provided in a reasonable state.
Xeinadin holds the duty to guarantee that the processing of the data conforms to all applicable data protection laws and regulations. Xeinadin is obligated to oversee the handling of Personal data by the Data Processor to ensure that it abides by all applicable laws and regulations.
Xeinadin is obligated to provide the Data Processor with any pertinent information and aid to facilitate the provision of its services under this Agreement. This encompasses granting access to essential documents, systems, files, and other vital resources, as well as any queries for elucidation or further information from the Processor.
Xeinadin has the responsibility to keep the Data Processor informed about any material changes in the processing activities. This includes promptly notifying the Processor of alterations that may impact data handling or security.
Obligations of the Data Processor (Provider):
General:
The Data Processor shall provide the Data Controller with all necessary assistance to enable the Data Controller to comply with its obligations under applicable data protection laws and regulations. The Data Processor is required to comply with all Data Protection Legislation when processing personal data and providing services. They must also fulfil their obligations under this Agreement without causing the Data Controller or any other party to breach any Data Protection Legislation, whether through an act or omission.
The Data Processor shall process personal data only on documented instructions from Xeinadin, unless required to do so by Union or Member State law to which the processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. The Processor shall immediately inform Xeinadin if, in the Processor’s opinion, instructions given by Xeinadin infringe Regulation (UK & EU) 2016/679 / The Data Protection Act (2018) or the applicable Union or Member State data protection provisions.
Data Subject Rights:
The Processor shall notify the Data Controller within 24 hours if the Processor receives from a Data Subject a request to exercise any Data Subject’s rights. The Processor shall assist Xeinadin by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject’s rights by law. The Processor shall not respond to the request itself, unless authorised to do so by the controller.
The Processor is obligated to assist in the issuance of Data Subject Access Requests (DSARs) and facilitation of data subject rights, including having the relevant processes in place for recording receipt of the DSAR, referring it to Xeinadin within 72 hours, collating all required information and presenting it to the company for inspection and issuance. Xeinadin may request that the Processor issue the DSAR; however, the Processor may not issue one without explicit direction from Xeinadin.
In addition to the Processor’s obligation to assist the controller pursuant to the above clauses, the processor shall furthermore assist Xeinadin in ensuring that personal data is accurate and up to date, by informing Xeinadin without delay if the processor becomes aware that the personal or protected data it is processing is inaccurate or has become outdated.
Security:
The Data Processor shall implement the adequate technical and organisational measures to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data (personal or protected data breach). The Processor shall promptly notify the Company in the event of any security breach involving the Data without undue delay and within 24 hours.
The Processor shall ensure that the security level provided corresponds to the real risks to the protected or personal data. The processor shall monitor the external environment for cyber security and data protection threats and adjust the security posture in relation to such threats. The Processor can modify the data security measures to reflect technological advancements if the level of security does not fall below the agreed-upon minimum. In the event of a significant alteration to any of the security measures, the Processor shall inform the Company promptly.
The Processor will maintain an obligation to carry out a ‘Data Protection Impact Assessment’ (DPIA) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons; and will consult the competent Supervisory Authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
The Processor shall process only the minimum amount of personal or protected data required to fulfil its duties and only process the personal or protected data for the specific purpose(s) and duration of the processing unless it receives further instructions from Xeinadin. Copies or duplicates of the data will not be made without the knowledge of Xeinadin except for temporary duplications that do not impact the agreed-upon level of data protection.
The Processor is obliged to maintain the confidentiality of the personal or protected data and refrain from revealing it to any other individuals, except where explicitly authorised under this Agreement. The Provider is permitted to share personal or protected data with its Employees, Sub-Processors, and Contractors based on ‘least privilege’ and only to the extent necessary for the fulfilment of this Agreement. The Processor will also provide data protection training to Employees, Contractors and Sub-Processors, so that they understand their legal responsibilities and requirements associated with the handling of Personal Data.
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive or special category data”), the Processor shall apply specific restrictions and/or additional safeguards.
Use of Sub-Processors:
Where the Processor engages a sub-processor for carrying out specific processing activities (on behalf of Xeinadin), it shall do so by way of a contract which imposes on the Sub-Processor the same data protection obligations as the ones imposed on the Processor in accordance with these Clauses. The processor shall ensure that the Sub-Processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (UK & EU) 2016/679 and/or The Data Protection Act (2018) and the applicable Union or Member State data protection provisions.
The Processor shall not transfer the data to any third party without the prior written consent of Xeinadin. The Processor shall submit the request for specific authorisation at least 30 days prior to the engagement of the sub-processor in question, together with the information necessary to enable the controller to decide on the authorisation. The Processor shall inform Xeinadin of any intended changes concerning the addition or replacement of Sub processors, giving Xeinadin the opportunity to object to such changes by allowing the Controller to provide prompt written reasonable justification for such objections. In such cases, the Processor will not use such Sub processor where the Controller has raised such reasonable justification for such objections, and our performance of this agreement will be suspended until the Processor has appointed a reasonable replacement Sub processor which is approved by the Controller.
If the Processor employs the services of a Sub-Processor, it is mandatory for the Processor to guarantee that the Sub-Processor agrees in writing to the same obligation of confidentiality that has been established between the parties. The Processor must also ensure that the Sub-Processor adheres strictly to this commitment to maintain confidentiality.
The Processor shall remain fully responsible for the performance of the Sub-Processor’s obligations in accordance with its contract with the processor. The Processor shall notify Xeinadin of any failure by the sub-processor to fulfil its contractual obligations.
At Xeinadin’s request, the Processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to Xeinadin. To the extent necessary to protect confidential information, the Processor may redact sensitive text of the agreement prior to sharing the copy.
The Processor shall agree a third-party beneficiary clause with the Sub-Processor whereby – in the event the processor has factually disappeared, ceased to exist in law or has become insolvent – the Controller shall have the right to terminate the Sub-Processor contract and to instruct the sub-processor to erase or return Xeinadin’s personal data.
Data Breaches:
In the event of a personal or protected data breach, the Processor shall cooperate with and assist Xeinadin for the controller to comply with its obligations under Articles 33 and 34 of Regulation (UK & EU) 2016/679 or under Articles 34 and 35 of The Data Protection Act (2018).
In the event of a personal data breach, the Processor shall assist Xeinadin by providing all details, including investigation documentation relating to the data breach. This should include a description of the nature of the breach; its likely consequences and the measures taken to address the breach, mitigating its possible adverse effects. Where it is not possible to provide all this information at the same time, the initial notification shall contain the known information then further information shall subsequently be provided without undue delay.
Where required, the Processor shall assist Xeinadin in notifying the personal data breach to the competent supervisory authority without undue delay after the controller has become aware of it.
International Transfers:
Any transfer of data to a third country or an international organisation by the Processor shall be done only on the basis of documented instructions from Xeinadin or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject.
The Processor shall neither transfer nor process Personal Data outside the United Kingdom/EEA, nor permit Personal Data to be transferred or processed outside the United Kingdom/EEA by a Sub processor or third party without permission from Xeinadin. Should the Processor engage a sub-processor for processing activities that involve an International transfer of personal or personal data within the meaning of Chapter V of Regulation (UK & EU) 2016/679, the Processor will ensure compliance with Chapter V of Regulation (UK & EU) 2016/679 by using standard contractual clauses (or other appropriate safeguards), provided the conditions for the use of those standard contractual clauses (or other appropriate safeguards) are met.
Right to Audit:
The Processor shall make available to Xeinadin all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (UK & EU) 2016/679 and/or The Data Protection Act (2018). In deciding on a review or an audit, Xeinadin may consider relevant certifications held by the Processor.
Where required, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by Xeinadin, with no less than 30 days written notice of intent. The Processor will ensure reasonable access for the Company or such other auditor as Xeinadin may specify (during normal business hours).
In the event of an audit or inspection that exposes a significant violation by the Processor of its duties under Data Protection Legislation or a breach of this Agreement by the Processor, the Processor is responsible for reimbursing the reasonable costs and expenditures of Xeinadin or its authorised auditors relating to the audit or inspection.
The Processor is obligated to expeditiously address any concerns that may come to light as a result of Xeinadin’s investigation and that indicate a breach or the likelihood of a breach by the Processor of its obligations under this Agreement.
Post Contract:
At Xeinadin’s discretion, the Processor and their Sub-processors must securely delete (in a manner to prevent recoverability) or return all the Personal Data to Xeinadin after the end of the provision of services relating to processing. If continued storage is required by applicable law, the Processor will inform Xeinadin and delete the data as soon as permitted under the law. Additionally, the Processor must ensure that any deletion or destruction of personal data is done in a secure manner to prevent recoverability.
Non-Compliance and Termination:
In the event that the Processor is in breach of its obligations under these Clauses, Xeinadin may instruct the Provider to suspend the processing of personal or protected data until the Processor complies with these Clauses or the contract is terminated. The Processor shall promptly inform Xeinadin in case it is unable to comply with these Clauses, for any reason.
Xeinadin shall be entitled to terminate the contract insofar as it concerns processing of personal or protected data in accordance with these Clauses if: compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension; the Processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (UK & EU) 2016/679 and/or The Data Protection Act (2018); the Processor fails to comply with a binding decision of a competent court or the competent Supervisory Authority regarding its obligations pursuant to these Clauses or to Regulation (UK & EU) 2016/679 and/or The Data Protection Act (2018).
Conflict & Losses:
In the event of a contradiction between these Clauses and the provisions of related agreements between the Controller & Processor existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
The Processor is responsible for indemnifying and compensating Xeinadin for any Data Protection Losses incurred because of a breach of its obligations under this Agreement or if it processes the Protected Data in a way that goes against the lawful Processing Instructions provided by Xeinadin. This clause is intended to govern the allocation of liability for such losses between the parties, including compensation to Data Subjects, regardless of any provisions under Data Protection Legislation, except where prohibited by Applicable Law.
The laws of the Data Controller’s country shall be the governing and interpreting authority for any dispute or claim relating to this Agreement, its subject matter or creation, including non-contractual disputes or claims. The parties mutually agree that any dispute or claim arising from or related to this Agreement, its subject matter or creation, including non-contractual disputes or claims, shall be resolved exclusively by the courts of the Data Controller’s country.
The liability of both parties to any Data Subject is not affected by this clause.