Data Processing Agreement (DPA)

Between:

Inclusive Pay Africa
Address: QuaQua Capital Consultancy PLC.
Noah Centrum Apartment Building | Bole Atlas, Addis Ababa, Ethiopia
Email: Kassahun.ayalew@quauqacapital.com
Contact Person: Kassahun Ayalew, COO

AND

[Data Processor’s Name]
Address: [Processor’s Address]
Email: [Processor’s Email]
Contact Person: [Name and Title]
(“Processor”)

Effective Date: [Insert Date]

    1. Introduction and Purpose of the Agreement

This Data Processing Agreement (“Agreement”) is entered into by and between Inclusive Pay Africa (“Controller”) and [Data Processor’s Name] (“Processor”) to govern the processing of personal data in accordance with applicable privacy and data protection laws. This Agreement ensures compliance with the Ethiopian Privacy and Data Protection Law (“Ethiopian Law”) as well as other relevant international regulations, including but not limited to the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA), and other applicable global privacy laws.

The Processor agrees to process personal data exclusively for the purposes defined in this Agreement and to adhere strictly to the requirements of Ethiopian Law, GDPR, and any other applicable data protection laws.

    2. Definitions

        2.1. “Personal Data”: Any information relating to an identified or identifiable natural person (“data subject”), as defined by applicable privacy laws, including Ethiopian Law, GDPR, and other relevant regulations.
        2.2. “Processing”: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
        2.3. “Controller”: Inclusive Pay Africa (“IPA”), which determines the purposes and means of the processing of personal data.
        2.4. “Processor”: The entity that processes personal data on behalf of the Controller.
        2.5. “Data Subject”: Any natural person whose personal data is being processed.
        2.6. “Supervisory Authority”: The relevant authority responsible for overseeing the enforcement of applicable privacy and data protection laws, including but not limited to the Ethiopian Data Protection Commission, the European Data Protection Board (EDPB), and relevant authorities in other jurisdictions.

    3. Scope of the Agreement

        3.1. Purpose of Processing:
The Processor is engaged by the Controller to process personal data for specific purposes, namely providing payment processing services for Inclusive Pay Africa’s customers. The Processor agrees to process personal data only for the agreed purposes and in accordance with the Controller’s instructions.

        3.2. Types of Personal Data:
The Processor will process various types of personal data, which may include but are not limited to:

• Identification Data: Name, date of birth, gender, and national identification numbers.
• Contact Data: Address, email, phone number.
• Financial Data: Bank account details, credit card information, transaction histories.
• Usage Data: IP addresses, cookies, browsing histories.

        3.3. Categories of Data Subjects:
The personal data processed by the Processor pertains to the following categories of data subjects:

• Customers: Individuals who use Inclusive Pay Africa’s services.
• Employees: Staff members of Inclusive Pay Africa.
• Business Partners: Representatives of Inclusive Pay Africa’s corporate partners.

        3.4. Duration of Processing:
The Processor shall process the personal data for as long as is necessary to fulfill the purposes outlined in this Agreement or until the Agreement is terminated, whichever comes first.

    4. Obligations of the Processor

        4.1. Compliance with Applicable Laws:
The Processor shall process personal data in strict compliance with Ethiopian Law, GDPR, and any other applicable privacy and data protection laws. The Processor shall also stay informed of and adhere to any updates or amendments to these laws.

        4.2. Processing Instructions:
The Processor shall process personal data only in accordance with the documented instructions of the Controller, unless required by law to act otherwise. In such cases, the Processor shall immediately inform the Controller, unless prohibited by law.

        4.3. Confidentiality:
The Processor shall ensure that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


        4.4. Security Measures:
The Processor shall implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or destruction. These measures may include:
• Encryption: Encrypting personal data both in transit and at rest.
• Access Controls: Implementing role-based access controls and multi-factor authentication to ensure that only authorized personnel have access to personal data.
• Regular Security Audits: Conducting regular security audits and assessments to identify and mitigate potential vulnerabilities.
• Data Anonymization: Where applicable, anonymizing personal data to minimize risks to data subjects.

        4.5. Use of Sub-processors:
The Processor shall not engage any sub-processors without prior specific or general written authorization from the Controller. Where sub-processors are authorized, the Processor shall ensure that they are bound by data protection obligations no less stringent than those imposed on the Processor under this Agreement.

        4.6. Assistance with Data Subject Rights:
The Processor shall assist the Controller in responding to data subject requests to exercise their rights under applicable privacy laws. These rights may include access, rectification, erasure, restriction, data portability, and objection. The Processor shall promptly notify the Controller of any such requests and shall not respond to the data subject without the Controller’s prior written consent.

        4.7. Data Breach Notification:
In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and in any case within 24 hours of becoming aware of the breach. The notification shall include all relevant information required for the Controller to meet its legal obligations, including but not limited to the nature of the breach, the categories and approximate number of data subjects and data records concerned, and the measures taken or proposed to address the breach.

        4.8. Data Protection Impact Assessments and Consultation:
Where required, the Processor shall assist the Controller in conducting data protection impact assessments (DPIAs) and in consulting with relevant supervisory authorities regarding the processing of personal data, in accordance with applicable privacy laws.

    5. Obligations of the Controller

        5.1. Lawful Basis for Processing:
The Controller warrants that it has obtained and documented a lawful basis for processing personal data, in accordance with applicable privacy laws, and that it has provided all necessary notices to data subjects.

        5.2. Instructions to Processor:
The Controller shall provide the Processor with clear and documented instructions regarding the processing of personal data and shall ensure that these instructions are compliant with applicable privacy laws.

        5.3. Cooperation with Supervisory Authorities:
The Controller shall cooperate with relevant supervisory authorities, including the Ethiopian Data Protection Commission and the EDPB, in matters related to the processing of personal data, including audits and investigations.

    6. International Data Transfers

        6.1. Transfers Outside Ethiopia:
The Processor shall not transfer personal data outside Ethiopia or any other applicable jurisdiction without the prior written consent of the Controller. Where such consent is granted, the Processor shall ensure that appropriate safeguards, as required by Ethiopian Law, GDPR, and other applicable privacy laws, are in place. These may include:

• Adequacy Decisions: Ensuring that the recipient country has been recognized by the relevant authorities as providing an adequate level of data protection.
• Binding Corporate Rules (BCRs): Implementing BCRs approved by the relevant supervisory authority.
• Standard Contractual Clauses (SCCs): Using SCCs adopted by the European Commission or other relevant bodies for international data transfers.

        6.2. Cross-Border Data Transfers:
The Processor shall comply with any additional requirements for cross-border data transfers as stipulated by other applicable privacy laws, including the CCPA and similar regulations.

    7. Audit and Compliance

        7.1. Audit Rights:
The Controller has the right to conduct audits or inspections of the Processor’s data processing activities to verify compliance with this Agreement, Ethiopian Law, GDPR, and other applicable privacy laws. The Processor shall fully cooperate with such audits and provide all necessary information and access.

        7.2. Independent Audits:
The Controller may engage independent third-party auditors to conduct compliance audits. The Processor shall allow such third-party auditors reasonable access to its facilities, systems, and records, subject to appropriate confidentiality obligations.

        7.3. Remediation:
If any audit reveals non-compliance, the Processor shall take immediate steps to remediate the identified issues and prevent future occurrences. The Processor shall report the remediation progress to the Controller within a reasonable timeframe.

    8. Termination and Data Return/Deletion

        8.1. Termination of Agreement:
This Agreement shall remain in effect until the termination of the main service agreement between the Controller and the Processor, or until the Controller instructs the Processor to cease processing personal data.


        8.2. Return or Deletion of Data:
Upon termination of this Agreement or upon the Controller’s request, the Processor shall promptly return or securely delete all personal data processed on behalf of the Controller. The Processor shall certify in writing that all data has been returned or deleted, unless retention is required by law.

    9. Liability and Indemnity

        9.1. Processor’s Liability:
The Processor shall be liable for any damage or loss suffered by the Controller, data subjects, or any third party as a result of the Processor’s breach of this Agreement or applicable privacy laws, subject to the limitations agreed upon in the main service agreement between the parties.

        9.2. Indemnification:
The Processor agrees to indemnify and hold the Controller harmless from any claims, fines, or damages arising from the Processor’s failure to comply with the terms of this Agreement or applicable privacy laws.

        9.3. Controller’s Liability:
The Controller shall be responsible for ensuring that its instructions to the Processor comply with applicable privacy laws and shall indemnify the Processor against any claims resulting from the Controller’s failure to meet its obligations under this Agreement.

    10. Governing Law and Dispute Resolution

        10.1. Governing Law:
This Agreement shall be governed by and construed in accordance with the laws of Ethiopia, unless otherwise agreed upon by the parties in writing. Where applicable, international privacy laws such as GDPR and CCPA shall also be considered.

        10.2. Dispute Resolution:
Any disputes arising from this Agreement shall be resolved through amicable negotiations between the parties. If the dispute cannot be resolved amicably, it shall be referred to arbitration in accordance with the laws of Ethiopia, unless otherwise agreed upon by the parties in writing. The decision of the arbitrator(s) shall be final and binding on both parties.

        10.3. Jurisdiction:
The parties agree to submit to the exclusive jurisdiction of the courts of Ethiopia, unless otherwise mutually agreed upon.

    11. Miscellaneous

        11.1. Amendments:
This Agreement may be amended or modified only by a written document signed by authorized representatives of both parties.

        11.2. Severability:
If any provision of this Agreement is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.

        11.3. Entire Agreement:
This Agreement constitutes the entire understanding between the parties regarding the processing of personal data and supersedes all prior agreements, discussions, and understandings, whether written or oral, relating to the subject matter herein.

        11.4. Notices:
Any notice required to be given under this Agreement shall be in writing and delivered to the relevant party at the address or email provided above.

IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the Effective Date.


For Inclusive Pay Africa (Controller):

Name: Firehiwot Birke
Title: CEO, QuaQua Capital Consultancy PLC
Date:

For [Data Processor’s Name] (Processor):

Name: [Processor’s Representative]
Title: [Processor’s Title]
Date: [Date]