Data Processing Agreement

1. Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, and “supervisory authority” have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

2. Scope and Role of the Parties

The Customer acts as the data controller and REGREP acts as the data processor when processing personal data on behalf of the Customer in the course of providing the Services.

REGREP processes personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country, unless required to do so by applicable law.

3. Nature and Purpose of Processing

REGREP processes personal data for the purpose of providing regulatory reporting infrastructure, technical data processing, validation, storage, and related support services, as described in the applicable agreement and documentation.

4. Categories of Data Subjects and Personal Data

Processing may involve personal data relating to the following categories of data subjects, as determined by the Customer:

• Employees, officers, and representatives
• Customers and counterparties
• Other individuals whose data is included in Customer-provided datasets

Categories of personal data may include identifiers, contact details, professional information, and other data submitted by the Customer in connection with regulatory reporting obligations.

5. Customer Obligations

The Customer warrants that it has a lawful basis for processing personal data and for instructing REGREP to process such data. The Customer is responsible for the accuracy, quality, and legality of personal data provided to REGREP.

6. REGREP Obligations

REGREP shall:

• Process personal data only in accordance with documented instructions from the Customer
• Ensure personnel are subject to confidentiality obligations
• Implement appropriate technical and organisational security measures
• Assist the Customer in responding to data subject rights requests, where applicable
• Assist with data protection impact assessments and supervisory authority consultations, where required

7. Security Measures

REGREP implements appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, taking into account the state of the art, costs of implementation, and the nature of the processing.

8. Sub-processors

The Customer authorises REGREP to engage sub-processors for the provision of the Services. REGREP remains responsible for the performance of its sub-processors and ensures that appropriate contractual safeguards are in place.

An up-to-date list of sub-processors may be made available upon request or via REGREP documentation.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area, REGREP ensures that appropriate safeguards are in place, such as Standard Contractual Clauses or other lawful transfer mechanisms.

10. Data Breach Notification

REGREP shall notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Customer and provide reasonable information to assist the Customer in meeting its legal obligations.

11. Deletion or Return of Data

Upon termination or expiry of the Services, REGREP shall, at the Customer’s choice and subject to applicable law, delete or return personal data processed on behalf of the Customer.

12. Audits

REGREP shall make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by the Customer or an independent auditor, subject to reasonable confidentiality and security requirements.

13. Liability

Liability arising from this DPA is subject to the limitations and exclusions set out in the applicable commercial agreement between the parties.

14. Governing Terms

This DPA forms part of and is subject to the governing terms of the applicable agreement between REGREP and the Customer. In the event of a conflict, this DPA shall prevail with respect to data protection matters.