Updated on 1 July 2023
1.1 Clause 1 of the Terms shall apply to these Country Specific Terms.
1.2 Any reference to a ‘clause’ in these Country Specific Terms is to a clause set out in these Country Specific Terms unless stated otherwise.
1.3 In addition to the definitions set out in the Terms, the following definitions shall apply in these Country Specific Terms, and where applicable, in the Terms:
Assurance Documentation means the information available on the ‘Governance’, ‘Legal’ and ‘Investors’ pages of the Iress website (www.iress.com) from time to time, together with Iress’ standard pack of assurance information which is available to the Customer on request.
Authorised Processor means a Subprocessor engaged by Iress in accordance with clause 2.8.
EU GDPR means the General Data Protection Regulation (EU) 2016/679.
Group means a member of the group of companies of which the party referred to forms part, comprising that party and all other companies from time to time being that party’s holding company, subsidiaries of that party, subsidiaries of that party’s holding company; “subsidiary” and “holding” bearing the meanings ascribed to them in Section 1159 of the Companies Act 2006.
Office Hours means 09:00-17:00 on a Business Day.
Privacy Legislation means the UK Data Protection Legislation and, to the extent applicable, any other European Union legislation relating to personal data (including the EU GDPR) and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).
Subprocessor means any person (including any third party and any member of the Iress Group, but excluding an employee of Iress) appointed by or on behalf of Iress to process Customer Personal Data on behalf of Iress.
UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
UK GDPR means the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “processing” shall have the meaning given to those terms in the UK GDPR (and “process” and “processed” shall be construed accordingly), and the term “Supervisory Authority” shall have the meaning given to it in the EU GDPR.
2.1 Processing of Customer Personal Data
a) The parties agree that for the purposes of the Privacy Legislation Iress shall, in the course of the provision of the Iress Services, be acting as a Processor in respect of the Customer Personal Data.
b) Notwithstanding Clause 2.1(a), the parties acknowledge and agree that Iress may anonymise certain of the Customer Personal Data for research, statistical or commercial purposes, and in such circumstances Iress shall undertake such processing as a separate Controller.
c) Each party agrees to comply with the Privacy Legislation applicable to it in its role as Controller or Processor (as the case may be) to the extent that it relates to the provision and/or receipt of the Iress Services provided under this Agreement.
d) Iress shall not process any Customer Personal Data on behalf of the Customer other than on the documented instructions of the Customer (provided that such instructions are within the scope of the Iress Services), unless Iress is required to process the Customer Personal Data by any law to which Iress is subject (in such a case Iress shall inform the Customer of that legal requirement before processing unless that law prohibits Iress from so notifying the Customer). For the avoidance of doubt, an instruction given by an Authorised User shall be deemed to have been given on behalf of the Customer.
e) Details regarding the scope, nature and purpose of the processing, the type of Personal Data processed by Iress, the duration of the processing and the categories of Data Subject (the “Processing Information”) are set out in annex 1. The Customer instructs and authorises Iress (and any Authorised Processor), on the Customer’s behalf, to process the Customer Personal Data in a manner consistent with annex 1, and where the Customer is acting on behalf of a member of its Group, the Customer warrants that it is and will at all relevant times remain duly authorised to give the instruction set out in this clause on behalf of each relevant member of the Customer’s Group.
2.2 Security and Confidentiality
a) Iress shall ensure that appropriate technical, organisational and security measures are taken against unauthorised or unlawful processing of the Customer Personal Data and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, such Personal Data, and on request confirm to the Customer in writing the measures it has adopted.
b) Iress shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Iress or any Authorised Processor who may have access to Customer Personal Data, and shall ensure that such personnel are aware of the confidential nature of the Customer Personal Data and are subject to enforceable duties of confidence in respect of Customer Personal Data.
2.3 Requests by Data Subject
Iress shall notify the Customer promptly upon receipt of any subject access request or other request received from a Data Subject in accordance with the Privacy Legislation, and at the Customer’s cost, assist the Customer utilising appropriate technical and organisational measures, in so far as this is possible, in order that the Customer may respond to any such request in a timely manner and in accordance with the Customer’s obligations under the Privacy Legislation.
2.4 Breach Notification
a) Iress shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting the Customer Personal Data.
b) Iress shall provide all cooperation and information reasonably requested by the Customer in respect of a Personal Data Breach as soon as possible following the detection of the Personal Data Breach by Iress, including (i) details of the nature of the Personal Data Breach, (ii) details of the Customer Personal Data compromised, (iii) details of how the Personal Data Breach is being investigated and remedial steps already put in place and to be put in place; and (iv) contact details of the person within Iress where more information can be obtained regarding the Personal Data Breach. To the extent that the information detailed above cannot be provided at the same time, it may be provided in phases without undue delay.
2.5 Data Protection Impact Assessment and Prior Consultation
Iress shall, at the Customer’s cost, provide reasonable assistance to the Customer in relation to any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required pursuant to the Privacy Legislation, in each case solely in relation to the processing of the Customer Personal Data by, and taking into account the nature of the processing and information available to, any Authorised Processor.
2.6 Audit Rights
Iress shall maintain all necessary records and information to demonstrate its compliance with the provisions set out in this schedule and shall allow for audits to be conducted by the Customer (or an auditor mandated by the Customer) in accordance with clause 3.
2.7 Deletion or return of Customer Personal Data
Iress shall, upon receipt of a written request from the Customer, delete or return all Customer Personal Data at the end of the provision of the Iress Services to which the Customer Personal Data relates, provided that Iress may retain copies of the Customer Personal Data in accordance with any legal and regulatory requirements, and any guidance that has been issued in relation to deletion or retention by a Supervisory Authority.
2.8 Sub-processing
a) Iress shall not engage a Subprocessor without the prior authorisation of the Customer.
b) For the purposes of clause 2.8(a), the Customer shall be deemed to have authorised those Subprocessors set out in the list at https://www.iress.com/resources/legal/data-protection/ (the “Authorised Processor List”). The Authorised Processor List will include details of the country in which the Subprocessor is based and the nature of the processing services to be provided by that Subprocessor. At least 30 days prior to authorising a new Subprocessor to access Customer Personal Data Iress shall provide notice to the Customer by updating the Authorised Processor List. Customers may receive notifications of any updates to the Authorised Processor List by emailing dpa@iress.com with the subject “Subscribe”.
c) If the Customer objects on reasonable grounds relating to data protection to Iress’ use of a new Subprocessor then the Customer shall promptly, and within 30 days following Iress’ notification pursuant to clause 2.8(b) above, provide written notice of such objection to Iress. In the event Iress decides that notwithstanding the Customer’s objection it is reasonable for it to continue with the appointment of the relevant Subprocessor, Iress shall notify the Customer prior to authorising the relevant Subprocessor to process Customer Personal Data and the Customer shall be entitled to terminate all or part of the Services with immediate effect upon written notice to Iress. The Customer shall remain obligated to make all payments required under this Agreement up to and including the relevant termination date. If the Customer does not notify Iress of any objections and/or terminate this Agreement in accordance with this clause 2.8(c) then it shall be deemed to have authorised the appointment of the relevant Subprocessor.
d) Iress shall ensure that any arrangement between Iress and a Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this schedule and meet the requirements of article 28(3) of the UK GDPR and the EU GDPR.
2.9 Transfers of Customer Personal Data outside of the UK
The Customer agrees that in the course of providing the Iress Services, Iress may transfer Customer Personal Data:-
a) to an Authorised Processor who is located outside of the UK, provided that such transfer is made in accordance with any obligations or standards imposed by the Privacy Legislation; or
b) to a Third Party Service Provider who processes data outside of the UK in accordance with clause 2.10(b).
2.10 Customer Acknowledgment
a) Without prejudice to the generality of clause 2.1(b) above, the Customer shall ensure that all required fair processing notices have been given to the relevant Data Subjects (and/or, as applicable, consents obtained) which are sufficient in scope to enable Iress and/or any of the Authorised Processors to lawfully Process the Customer Personal Data and to carry out their obligations under this Agreement in accordance with the Privacy Legislation.
b) Where the Customer receives Third Party Services pursuant to the terms of the Agreement the Customer:
(i) acknowledges that this may involve Iress sending certain Customer Personal Data to the relevant Third Party Service Provider on behalf of the Customer (but for the avoidance of doubt, the Third Party Service Provider shall not be deemed to be a Subprocessor of Iress);
(ii) authorises Iress to transfer Customer Personal Data to a Third Party Service Provider, including where such Third Party Service Provider is based outside of the UK.
3.1 Subject to clauses 3.2 to 3.4, Iress agrees to allow for and contribute to audits conducted by or on behalf of the Customer by:
(a) making available to the Customer (or its Permitted Recipients) its Assurance Documentation; and
(b) providing any relevant information or documentation (including copies thereof) relating to the Iress Services to a Regulatory Authority, upon receipt of a written request from a Regulatory Authority to do so.
3.2 The audit rights set out above are subject to:
a) a request pursuant to clause 3.1(a) being limited to once every 12 months, unless (i) otherwise required by a Regulatory Authority; or (ii) an inspection of the Assurance Documentation reveals a material default by Iress – in either case this restriction will not apply;
b) any confidentiality obligations owed to third parties, and subject to compliance with any relevant Iress’ policies and process which are notified to the Customer;
c) if the Customer receives any Services which are provided by Amazon Web Services, Inc (“AWS”), then:
(i) Iress shall review AWS’ service organisation controls 1, type 2 report (or such alternative industry standard reports or certifications that are substantially equivalent as reasonably determined by AWS) (“AWS Audit Report”) no less than bi-annually in order to satisfy itself as to the ongoing effectiveness of the security measures provided by AWS in relation to those of the Iress Services performed by AWS;
(ii) Iress may share with the Customer certain AWS compliance reports if Iress is permitted to do so pursuant to the terms applicable to the relevant AWS compliance report and/or the Customer is able to access AWS compliance reports directly subject to the Customer agreeing to follow any applicable procedure(s) set out by AWS in order to enable such access.
3.3 In the event the Customer (acting reasonably) requires Iress to provide any information which is not addressed by the Assurance Documentation, then it shall provide Iress with details in writing of the specific areas which have not been addressed and engage with Iress in order to agree the manner in which any additional information shall be provided.
3.4 The parties shall bear their own respective costs and expenses incurred in respect of compliance with their obligations under this clause 3, provided that to the extent the effort required by Iress in complying with a request made by the Customer or its authorised representatives pursuant to clause 3.3 exceeds half a Business Day, the Customer shall pay Iress for any effort involved over and above half a Business Day at a rate of £950 per day (or part thereof).
3.5 The Customer agrees, for the purposes of reviewing any use of Services, subject to any confidentiality obligations to third parties, to allow (a) Iress, and (b) Third Party Service Providers (including, in each case, their respective authorised representatives) reasonable and appropriate access to any of the Customer's premises where such Services are being used, stored or accessed in order to inspect, test and audit the same and the Customer's compliance with the requirements of this Agreement (including any Third Party Terms). If any audit results in the Customer being notified that the Customer is not in compliance with its obligations under this Agreement, the Customer will promptly remedy the issue.
Annex 1 - Processing information
(a) Scope and purpose of processing:
Iress may process Customer Personal Data during the provision of any of the following services to the Customer:
- Advisory, consultancy and project-related services;
- Training;
- Data migration services;
- System administration services;
- Configuration, design, development and implementation services;
- Testing and verification services;
- Sourcing financial products and services (including, but not limited to, mortgage, life and protection and pension products);
- Hosted services;
- Support Services;
(b) Nature of processing
The nature of the processing activity may include:-
- receiving, uploading, downloading, extracting, copying, duplicating, transmitting, organising, referencing, indexing, classifying, compressing, compiling, updating, transferring, transforming, analysing, modelling, changing, maintaining, protecting or securing, preserving, storing, backing-up or archiving, restoring, retrieving and accessing Customer Personal Data in order to perform any of the services set out in paragraph (a) to this annex 1 (or any other services which Iress may be instructed to provide in accordance with clause 2.1(c));
- destroying, erasing and/or anonymising Customer Personal Data;
- processing Customer Personal Data in order to comply with Iress’ obligations under the Privacy Legislation, or to assist the Customer in complying with its obligations, including responding to any requests made by Data Subjects;
- transferring to or receiving Customer Personal Data from Third Party Service Providers (where applicable to the Services being provided) – this may include transferring the Customer Personal Data to a Third Party Service Provider located outside of the UK depending on the location of that Third Party Service Provider.
(c) Duration of Processing
Iress will process Customer Personal Data for the duration of the provision of the Iress Services. Upon termination of the Iress Services, and subject to clause 2.7, Customer Personal Data will be retained in accordance with the principles set out in Iress’ privacy and data retention policies (each as amended from time to time).
(d) Types of Personal Data
Iress may process Customer Personal Data which falls into the following categories:
● names, addresses, date of birth, sex, National Insurance number, passport number, tax identification numbers, telephone and mobile numbers and email addresses
● family details, for example marital status, number of dependents
● lifestyle and social circumstances
● goods and services
● employment and education details
● income and financial details which may include (without limitation) bank account details, investment details, insurance details, documentation of the above and notes of meetings
● physical or mental health details which may include (without limitation) smoker status and health records
● racial or ethnic origin
● nationality
● photographs and videos
● IP addresses
● any other information which is uploaded into the Services
(e) Categories of data subject
- Staff (including permanent staff, volunteers, agents, temporary and casual workers), sub-contractors, agents, advisers, consultants, referrers or other professional experts, of (a) the Customer; (b) members of the Customer’s Group; (c) third party suppliers to the Customer (or members of its Group); (d) other third parties to whom the Customers may make Iress Services available in accordance with the Agreement.
- End Clients, potential End Clients or former End Clients (including, where relevant, their relatives, dependents, guardians and associates).
| Date of first publication on the website | 22 May 2020 | |
| 1 July 2021 | Clause | Summary of amendment |
| | Definitions | New definitions of 'EU GDPR' and 'UK GDPR' have been added. |
| | | Definitions of Privacy Legislation, UK Data Protection Legislation and Supervisory Authority have been amended |
| | | The section relating to the withdrawal of the UK from the EEA has been deleted |
| | Clause 2.5 | Reference to article 35 and 36 of the GDPR has been deleted |
| | Clause 2.8(d) | Reference to the GDPR has been deleted |
| | Clause 2.9(a) | Amended to refer to the provision of Iress Services |
| | Clause 2.9(b) | Amended to refer to the UK GDPR |
| | Clause 3.2(a) | Amended to include reference to Iress’ audit process |