These terms and conditions set out here form an integral part of this agreement, which is effective from the date of the letter of engagement signed by you. Where the terms of this appendix do not agree with the terms in the letter of engagement, the terms contained in the letter of engagement will prevail.
The provision of audit, accounting and taxation services are businesses in the regulated sector under the Criminal Justice (Money Laundering and Terrorist Financing ) Acts 2010 to 2018, and as such, partners and staff in audit, accounting and taxation firms are required, under the anti-money laundering regime in the Republic of Ireland, to report any suspicion that a criminal offence giving rise to proceeds from criminal conduct has been or is being committed, regardless of whether that offence has been committed or is being committed by their client or by a third party.
If as part of our normal work, we form a suspicion that such an offence has been or is being committed we are required to make a report to the Garda Síochána and the Revenue Commissioners. In such circumstances, it is not our practice to discuss such reports with you because of the restrictions on disclosure imposed on us by the anti-money laundering legislation.
John McCarthy Consulting Limited is an independent consulting and training company. We are regulated by Chartered Accountants Ireland (CAI) and are recognised by the CAI Professional Standards Department as a training consortium for the purposes of carrying out hot file reviews.
We are subject to the ethical and other similar requirements of Chartered Accountants Ireland when providing advice and training to you. We confirm that we have no independence issues or conflicts of interest while engaging in this assignment. Should any such matters come to our attention after commencing this engagement, we will notify you immediately and discuss the correct course of action.
We will keep information of a confidential nature which you give to us confidential. However, if we are working on a matter with your other advisers we will assume, unless you notify us otherwise, that we may disclose any such information to, and discuss it with, such other advisers.
If we are required by law or regulation to share information with a regulator, or if our professional indemnity insurers require information on our work for you, we will disclose that information only to the extent that is necessary to satisfy the relevant requirements.
We will not be required to disclose to you any documents or information in our possession and in respect of which we owe a duty of confidentiality to another client.
Retention of documents
In general, we will retain information and documents about a matter where we have acted for you for a period of seven years after the matter is completed. After that period, we-may dispose of the information and documents without reference to you.
When using electronic modes of communication, we take reasonable precautions to preserve confidentiality. However, we cannot guarantee confidentiality or non- interference with electronic transmissions. You accept that we cannot be held liable by you for any breaches of confidentiality or interference in transmission which may occur through electronic communications with us. You also accept the inherent risks associated with electronic communications (including any messages that may not be encrypted and are less secure).
We will assume that any e-mail address which you provide or which you use to communicate with us is regarded by you as suitable for all e-mail communications unless you inform us otherwise in writing. If you prefer not to use electronic communications on any particular matter, please let us know.
Although our computer systems make use of virus protection software and we take reasonable measures to reduce the risk of viruses finding their way on to our computers, we are not responsible for any loss or damage caused to you or your computer system directly or indirectly as a result of electronic communications with us. Further, we are not responsible, and shall have no liability to you, for any loss, theft or corruption of data.
Copyright in documents
Our working papers, draft documents, and copies of memoranda, reports and letters sent by us and provided for the purposes of any matters on which you have instructed us will remain our property. We retain copyright and all other intellectual property rights in all documents and other works (including know-how and working materials as well as final documents) we develop, generate or create for you in providing the services. Copyright in any document developed, generated or created by us will not be transferred to you unless we have specifically agreed otherwise in writing.
Termination of our instructions
We expect to continue to act for you until we finish the work concerned. However, either you or we may bring our representation of you to an end at any time by giving notice in writing. Without restricting this right, we may cease to act for you if you have failed to give us clear, timely and proper instructions as to how you wish to proceed; if you have failed to pay an invoice by the due date; if you fail to pay us money on account when requested; if you fail to follow our advice; if you instruct us to act unlawfully or unethically; if you indicate that you have lost confidence in us; if you make material misrepresentations about facts relevant to your engagement; if we have an interest in any matter; if a conflict of interest arises; if we believe that a relationship of trust and confidence does not exist between us; or if we believe that our continuing to represent you may cause damage to the professional or personal reputation of our firm or any of its personnel.
If either of the parties to the letter of engagement terminates the contract for services, you must pay us all fees and expenses incurred before termination, plus any further fees and expenses for work necessary to transfer our files to you or another adviser of your choice. We will be entitled to retain your documents and other working papers and files until full payment of our fees and expenses is made.
You must give us full, frank and timely disclosure of all information which might influence our decision to act for you. You must not deliberately withhold relevant information from us. You must: be prompt and thorough in providing instructions to us at all times keep us informed of your contact details and notify us of any changes to those details; and ensure that at all times you, or someone knowledgeable of your matters, is available to provide instructions and to meet with us when reasonably necessary.
Conflict of interest
If at any time we are instructed to act for another client in relation to any matter which is similar to any matter on which we have received instructions from you, we will not be prevented from acting for them unless to do so would, in our opinion, give rise to an actual conflict of interest with you.
We may decline to act for you where accepting, or continuing to accept, your instructions would create a conflict of interest or cause us to break an existing agreement with a third party.
Where the Chartered Accountant Ireland ethical rules allow, and subject to satisfying the requirements of those rules, we may act for you and another client where a conflict of interest would otherwise exist, provided that we have your express written consent and the express written consent of all other relevant parties.
If, whether through a change in circumstances or otherwise, we find that we have agreed to provide services to you in circumstances which could give rise to a conflict of interest we will discuss with you how to deal with the conflict and may be obliged to stop providing services to you and/or to all other clients affected by any such conflict of interest.
Whilst we have established processes for seeking to identify conflicts of interest, by agreeing to these Terms of Engagement, you acknowledge that no such system may be entirely failsafe. If you take a view that a conflict of interest does, or may, arise, you agree to bring it to the attention of John McCarthy, in writing, as soon as possible.
We shall endeavour at all times to provide you with a professional service of the highest quality. If, however, you are dissatisfied with our service in any way you should contact John McCarthy, who will undertake to look into any complaint carefully and promptly. If we have given you a less than satisfactory service, we will undertake to do everything reasonable to put it right. In the event that you are still dissatisfied, you may make a formal complaint to Chartered Accountants Ireland.
This engagement letter shall be governed by and construed in accordance with the law of Ireland. The Courts of Ireland shall have exclusive jurisdiction in relation to any claim, dispute or difference concerning the engagement letter and any matter arising from it. Each party irrevocably waives any right it may have to object to an action being brought in those Courts, to claim that the action has been brought in an inconvenient forum, or to claim that those courts do not have jurisdiction.
1. Definitions & Interpretation
1.1 In this DPA, the following definitions apply:
(a) Alternative Adequate Level of Protection means (i) the country where the Firm or a Sub-processor is located is recognised by the European Union to have a similar or adequate level of protection of Personal Data as described in Data Protection Laws, or (ii) the Firm or the Sub-processor has fully implemented binding corporate rules which provide adequate safeguards as required by the Data Protection Laws, or has any other similar program that is recognised as providing an adequate level of protection.
(b) Appropriate Security Measures means appropriate security measures required by Data Protection Laws to protect against unauthorised access to, alteration, disclosure or destruction of data and against their accidental loss or destruction and, in particular, where the processing involves the transmission of data over a network, it shall mean having regard to the state of technological development and the cost of implementing the measures, and ensuring that the measures provide a level of security appropriate to:
(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of or damage to the data concerned, and
(ii) the nature of the data;
(c) Client means the Client entity (as identified on the cover page of this letter of engagement) that is a party to the DPA and who is the Data Controller of the Client Personal Data.
(d) Client Group means all companies that are part of the Client ownership group.
(e) Client Personal Data means personal data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Client and that is provided to the Firm (being the accounting firm providing the services set out in this engagement letter) or collected by the Firm from the Client for the purpose of the Firm rendering Services to the Client.
(f) Data Controller means the Client who, either alone or with others (known as a ‘joint controller’ in Article 21 of the GDPR), controls the contents and use of personal data. Both the Firm and the Client shall each also be considered an independent data controller, and/or joint controllers, in certain circumstances, in relation to the client personal data. Each of us will comply with all requirements and obligations applicable to us under the data protection legislation in respect of the client personal data.
(g) Data Processor means any natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller but does not include an employee of the Data Controller who processes such data in the course of his employment.
(h) Data Protection Laws means all legislation and regulations relating to the protection of personal data including (without limitation) the Data Protection Acts 1988 to 2018 of Ireland, the General Data Protection Regulation (‘GDPR’) (General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of The Council of 27 April 2016),including the ‘PECR’ and all other industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by the Data Protection Commission or relevant Irish Supervisory Authority (as defined in the GDPR) relating to the processing of personal data or privacy or any amendments and re-enactments thereof.
(i) Data Subject means the individual who is identified or an identifiable natural person whose Client Personal Data is, or is to be, Processed.
(j) The Firm means the Firm entity (as identified above) that is a party to this DPA and who is the Data Processor of the Client Personal Data.
(k) The Firm Group means all companies that are part of the Firm company group.
(l) EEA means European Economic Area.
(m) Firm means the incorporated or unincorporated accountancy firm that is the processor of the client data. In some circumstances the Firm will also be a data controller and will handle client data in accordance with Data Protection Laws.
(n) Loss includes any demand, claim, proceeding, suit, judgement, loss, liability, cost, expense, fee, penalty or fine.
(o) Permitted Purpose means the purpose required by the Client from the performance of the Services by the Firm or any Specific Request.
(p) ‘PECR’ means the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011).
(r) Process or Processing means any operation or set of operations which is performed upon Client Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Any derivative of the word Process has a corresponding meaning.
(s) Specific Request means any instruction, in email or other form, to the Firm stating the specific services that the Client requires and containing the information required by the Firm to perform those specific Services.
(t) Standard Contractual Clauses means the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in non-adequate countries, as defined under Data Protection Laws.
(u) Sub-processor means any Data Processor engaged by the Firm to perform Services.
(v) Application of DPA: The provisions of this DPA shall apply to Client Personal Data to which the Firm had access on any date prior to the date of this DPA (the “Prior Date”) as if this DPA had been executed and come into force on the Prior Date and all Client Personal Data to which the Firm has had access since the Prior Date.
2. Status of the Parties
2.1 Status: The parties acknowledge that, in relation to Client Personal Data, and for the purposes of the Data Protection law, the Firm is a Data Processor when carrying out training services and audit cold file reviews and similar consultancy.
Both the Firm and the Client shall each also be considered an independent data controller, in certain circumstances, (including hot file reviews and when giving opinions on technical and ethical matters) in relation to the Client personal data. Each of us will comply with all requirements and obligations applicable to us under the data protection legislation in respect of the client personal data.
2.2 Cooperation: Upon the reasonable request of the other, we shall each co-operate with the other and take such reasonable commercial steps or provide such information as is necessary to enable each of us to comply with the data protection legislation in respect of the services provided to you in accordance with our engagement letter with you in relation to those services;
2.3 Ownership: As between the Client (the Data Controller) and the Firm (the Data Processor), all Client Personal Data shall at all times be the property of the Client and/or the Client’s Authorised Users, except in the case of audit working papers created by the Firm, while acting as principal, in which case the data is the property of the Firm.
3. Document Retention
It is our policy to retain engagement documentation for a period of seven years, after which time we will commence the process of destroying the contents of our engagement files. To the extent we accumulate any of your original records during the engagement, those documents will be returned to you promptly upon completion of the engagement, and you will provide us with a receipt for the return of such records.
The balance of our engagement file, other than the reports and/or training slides and support training materials produced for your benefit, which we will provide to you at the conclusion of the engagement, is our property, and we will provide copies of such documents at our discretion and if compensated for any time and costs associated with the effort.
In the event we are required to respond to a subpoena, court order or other legal process for the production of documents and/or testimony relative to information we obtained and/or prepared during the course of this engagement, you agree to compensate us at our standard hourly rates then existing for the time we spend in connection with such response, and to reimburse us for all of our out-of-pocket costs incurred in that regard.In the e
vent that we are or may be obliged to pay any cost, settlement, judgment, fine, penalty, or similar award or sanction as a result of a claim, investigation, or other proceeding instituted by any third party, and if such obligation is or may be a direct or indirect result of any inaccurate or incomplete information that you provide to us during the course of this engagement, you agree to indemnify us, defend us, and hold us harmless as against such obligation.
4. Provision of Client Personal Data
4.1 The Client will provide Client Personal Data to the Firm or the Firm will collect Client Personal Data from the Client and/or the Client’s Authorised Users pursuant to this DPA for the purpose of the Firm rendering Services to the Client, or any other members of the Client Group, and the Firm will have access to the Client Personal Data provided by the Client in the course of rendering the Services.
4.2 When the Firm receives the completed and signed Letter of Engagement including this DPA, this DPA becomes a legally binding agreement.
5. Use of Client Personal Data
5.1 In providing the Services to the Client pursuant to the letter of engagement, the Firm may Process Client Personal Data on behalf of the Client. The Firm will comply with the provision of this DPA, with respect to the Processing of Personal Data provided or collected by and/or on behalf of the Client using the Services.
5.2 The Firm shall, as instructed by Client, correct, delete or block the data being Processed under the letter of engagement. If an individual should request the correction or deletion of their data, the Firm shall immediately pass this request to the Client. Such instruction shall not impact the delivery of the agreed services, and delivery failures caused by such instructions will be the Client’s responsibility.
6. Rights and Obligations of Client
6.1 The Client is the Data Controller of the Client Personal Data and is responsible for the legitimacy of the Processing of Client Personal Data and any transfer of Client Personal Data to a third party. Data Protection Laws determine the rights and obligations of the Client as a Data Controller as described in this DPA.
6.2 You shall only disclose client personal data to us where:
(ii) you have a lawful basis upon which to do so, which, in the absence of any other lawful basis, shall be with the relevant data subject’s consent; and
(iii) you have complied with the necessary requirements under the data protection legislation to enable you to do so.
Should you require any further details regarding our treatment of personal data, please get in touch contact your main point of contact in our Firm.
6.3 As the Data Controller, the Client shall use its right to issue instructions to the Firm, as the Data Processor, on the method of Processing Client Personal Data as well as the services performed by the Firm. The Client’s submission of Personal Data to the Firm and instructions for Processing of Personal Data will comply with Data Protection Laws.
6.4 The Client has the right, in relation to Client Personal Data, to review:
(a) the security measures taken by the Firm;
(b) the compliance with Data Protection Laws by the Firm; and
(c) the compliance with this Data Processing Agreement by the Firm, at any time during normal working days and normal working hours, subject to notice given in advance with a reasonable notice period. The review may take place at the Firm’s place of business by inspecting the stored Client Personal Data in a storage facility or data centre and the Processing activities taking place at the premises of the Firm in accordance with the Firm’s security and access policies.
6.5 Data is handled exclusively in accordance with the agreed provisions and in accordance with the Client’s instructions. Any alterations to the data being Processed and the procedures employed will be discussed, agreed and recorded. The Firm may supply information to third parties or individuals only if the Client has given prior written consent.
6.6 The Firm will not use Client Personal Data for any other purposes, in particular, providing such data to third parties. No copies or duplicates of Client Personal Data will be made without the Client’s knowledge and agreement, except when copies must be made for security purposes to ensure that data can be preserved in order to comply with legal requirements.
7. Rights and Obligations of The Firm
7.1 The Firm shall only Process Client Personal Data to the extent necessary pursuant to the Client’s instructions and as set forth in the letter of engagement. The Client instructs the Firm to Process Client Personal Data:
(a) in accordance with the letter of engagement;
(b) (ii) as part of any Processing initiated by the Client in its use of the services outlined in this letter; and
(c) (iii) to comply with the Client’s reasonable instructions to the extent they are consistent with the terms of the letter of engagement.
7.2 The Firm will conduct the Processing in compliance with Data Protection Laws.
7.3 The Firm will keep Client Personal Data confidential and ensure Appropriate Security Measures are in place and take appropriate technical, physical and organisational security measures as described in the Privacy Statement to protect Client Personal Data against unauthorised or unlawful Processing, accidental loss or damage or destruction.
7.4 For the purpose of providing our services to you, pursuant to our engagement letter, we may disclose the client personal data to our regulatory bodies or other third parties (for example, our professional advisors, regulators or service providers). [The third parties to whom we disclose such personal data may be located outside of the European Economic Area (EEA).] We will only disclose client personal data to a third party (including a third party outside of the EEA), provided that the transfer is undertaken in compliance with the data protection legislation.
7.5 The Firm is obliged to provide information and cooperate when the Client conducts a review as described in Section 6.4; however, the Firm shall not be required to disclose any commercial or trade secrets (including, without limitation, algorithms, source codes, etc.). The Firm also will reasonably assist the Client (at the Client’s expense) in the event of data protection checks or audits by a data protection authority, to the extent that such checks or audits relate to the Processing under this DPA.
7.6 All persons under the Firm’s employ or control who can access Client Personal Data during performing their duties for the Firm must understand the obligations to keep the data confidential and must be bound by an appropriate non-disclosure agreement. The Firm and the Client must instruct their respective employees on their particular data protection obligations arising from this DPA and the existence of their duty to act as directed or for the purpose stipulated.
7.7 The Firm will promptly inform the Client of any actual or suspected security breach involving Client Personal Data. The Firm must take adequate remedial measures immediately and must promptly provide the Client with all the relevant information and assistance as reasonably requested by the Client regarding the actual or suspected security breach.
7.8 The Firm shall inform the Client as soon as reasonably possible if: (i) a formally designated authority demands the access to Client Personal Data, or (ii) a formally designated authority has taken measures against the Firm, unless the Firm is by law prohibited from informing the Client about the request of such authority or the measures taken.
7.9 The Firm agrees with the Client that for the duration of the provision of the Services it shall only process, use and disclose the Client Personal Data for the Permitted Purpose and strictly in accordance with the instructions of the Data Controller as set out in a Specific Request from time to time and in accordance with the terms of this DPA;
7.10 The Firm agrees with the Client that for the duration of the provision of the Services it shall not sell, transfer, disclose or allow access to any Client Personal Data to any other party other than those of its officers, employees, agents and contractors to whom, and to the extent to which, such disclosure is necessary for the Permitted Purpose or in accordance with the express approval of the Client;
7.11 The Firm agrees with the Client that for the duration of the provision of the Services it shall take reasonable steps to ensure that the Client Personal Data is accurately recorded and kept up to date; and
7.12 The Firm agrees with the Client that for the duration of the provision of the Services it shall not perform the Services in such a way as to cause the Client to breach any of its obligations under the Data Protection Laws.
8. Additional Requirements for Transfer of Personal Data Outside the EEA
8.1 The Client acknowledges and agrees that the performance of the Services involves from time to time a transfer of Client Personal Data from the Firm to Sub-Processors located outside the EEA. In respect of such transfers and where no Alternative Level of Protection applies, the Firm shall ensure that in addition to the requirements described in Section 6 of this DPA, certain additional requirements shall be met.
8.2 The additional requirements which must be met pursuant to Section 7.1 above are incorporated in Standard Contractual Clauses which, where required, must be entered between the Firm and a Sub-Processor.
9.1 The Client acknowledges and expressly agrees that the Firm is entitled to retain any member of the Firm Group (“the Firm Affiliates”) as further sub-processors for the Firm and that the Firm or the Firm Affiliates respectively may engage third-party service providers as sub-processors that may provide Client support, including processing of Client Personal Data, in connection with the Services.
9.2 Sub-processors. The Firm shall make available to the Client for the Client’s approval a current list of sub-processors for the Services with the identities of those Sub-processors (“Sub-processor List”) (such approval not to be unreasonably delayed or withheld). This shall be done prior to the Firm authorising those sub-contractors to Process Personal Data supplied by the Client.
9.3 Objection Right for new Sub-processors. If the Client has a reasonable basis to object to the Firm’s use of a new Sub-processor, the Client shall notify the Firm promptly in writing within 10 business days after receipt of the Firm’s notice. In the event the Client objects to a new Sub-processor(s) and that objection is not unreasonable, the Firm will use reasonable efforts to make available to the Client a change in the affected Services or recommend a commercially reasonable change to the Client’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client. If the Firm is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Client may terminate the applicable Service(s) in respect only to those Services which cannot be provided by the Firm without the use of the objected-to new Sub-processor, by providing written notice to the Client. The Client shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
9.4 All Sub-processors will be subject to data protection obligations at least equivalent to those contained in this DPA under a written agreement, and such sub-processors shall be obliged to comply with applicable Data Protection Laws. Where the Sub-processor fails to fulfil its data protection obligations under such written agreement The Firm shall remain fully liable to the Client for the performance of the sub- processor’s obligations under such agreement.
9.5 The Firm shall audit third-party sub-processors that are not the Firm Affiliates at least once per year to ensure they have appropriate physical, technical, organisational, and administrative controls in place. Upon the Client’s reasonable request at reasonable intervals, the Firm shall provide the Client with an executive summary of the most recent audits of such third-party sub-processors.
9.6 Upon the Client’s request, the Firm agrees to promptly make available to the Client a copy of an applicable sub-processor data processing agreement executed in relation to this DPA, provided that the Firm may remove any commercial information contained in such agreement. The Client may make available a summary of the agreement, or the agreement if required, to the Client provided that such summary, or the agreement if required, is treated as Confidential Information, including that the Client has entered into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the letter of engagement to protect the Firm’s Confidential Information.
10.1 The Firm shall implement Appropriate Security Measures with a view to preventing accidental or unauthorised, loss, destruction, damage, alteration, disclosure or unlawful or unauthorised access to any Client Personal Data in the custody of the Firm, and the Firm shall ensure that its personnel are aware of and comply with those measures. This will include but is not limited to maintaining commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of the client personal data and against accidental loss or destruction of, or damage to, the client personal data.
11.1 Notice: The Firm shall notify all incidents of loss of control of Client Personal Data to the Client, as soon as it becomes aware of the incident and in any event no later than 24 hours after so becoming aware.
11.2 Remedy: In the event of any such breach, the Firm shall:
(a) take prompt action at its own expense on the instruction of the Client to remedy the cause of the breach;
(b) bear the costs of investigation into said breach; and
(c) promptly, and at its own expense provide the Client on request with all information required by the Client to fulfil its obligations, as data controller, under all applicable laws, regulations and codes of practice.
12. Data Subject Requests
12.1 The Firm shall promptly notify the Client of each request from a data subject for access to Client Personal Data relating to him or her. The Firm shall not accede to any such request for access except on the instructions of the Client.
13.1 The Client shall indemnify the Firm on demand from time to time from and against all Losses suffered or incurred by the Firm arising out of or in connection with the breach by the Client of its obligations under this DPA. The provision of this Clause shall continue in force and effect without limit in time after the termination of the provision of the Services.
14.1 This DPA will enter into effect on the Effective Date and will remain effective notwithstanding termination of the letter of engagement. Where Client Personal Data is no longer required by the Firm for the performance of the Services, the Firm will either return such data immediately after termination of the letter of engagement or destroy it if requested to do so by the Client.
14.2 To the extent required by applicable Data Protection Laws, this DPA shall be
15. Conflicting Provisions
15.1 The DPA supersedes any conflicting terms in the letter of engagement. Notwithstanding the foregoing, the letter of engagement and the terms of this DPA apply only between the parties and do not confer any rights to any third-party Data Subjects.
15.2 This DPA does not replace any additional rights or obligations related to processing of Client Personal Data in the letter of engagement.
16.1 The parties will send any communications or notices required under this DPA in writing, which includes by fax or e-mail, to the address of the Firm shown on the covering letter attached to this agreement.
Version date – November 2019