DATA PROTECTION ADDENDUM
This Data Protection Addendum (the “Addendum”) to the Transfer Agency Agreement dated November 7, 2015 between Victory Portfolios II, on behalf of its series portfolios, individually and not jointly (the “Client”) and FIS Investor Services LLC, formerly known as SunGard Investor Services LLC (assignee of Citi Fund Services Ohio, Inc.) (“FIS”), as amended, (the “Agreement”) sets out obligations of the Client and FIS with respect to data protection.
The parties hereto agree as follows:
Definitions
“Authorized Recipients” means FIS Affiliates and their respective contractors and third-party providers which assist in providing the Services as of the date of this Addendum;
“Data” means any information or data to be Processed by FIS pursuant to the Agreement including any Personal Data, if applicable;
“FIS Affiliate” means an entity: (a) that Processes Personal Data for which Client or a Client Affiliate qualifies as a Controller; and (b) which owns or controls, is owned or controlled by or is or under common control or ownership with FIS, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
“GDPR” means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
“Services” means technology services provided by FIS to the Client pursuant to the Agreement.
“Standard Contractual Clauses” means the contractual clauses set out in EU Commission Decision C(2010)593 Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC;
The terms, “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor”, shall have the same meaning as in the GDPR, and their related terms shall be construed accordingly.
Capitalized terms not defined herein shall have the meaning assigned to them in the Agreement.
Clauses
1. In the course of FIS providing the Services under the Agreement, Client may from time-to-time provide or make available Data to FIS and/or its Affiliates. The parties acknowledge and agree that, in relation to any Personal Data provided or made available to FIS for Processing by Client under the Agreement, Client will be the Controller and FIS will be a Processor for the purposes of the GDPR.
2. The Agreement determines the subject matter and the duration of FIS’ Processing of Personal Data, as well as the nature and purpose of any collection, use and other Processing of Personal Data and the obligations of the Client.
3. Client shall ensure that it is entitled to transfer the relevant Personal Data to FIS so that FIS may lawfully Process the Personal Data in accordance with the Agreement on Client’s behalf, which may include FIS Processing the relevant Personal Data outside the country where Client and the Data Subjects are located in order for FIS to provide the Services and perform its other obligations under the Agreement. In this regard, the parties agree to incorporate the Standard Contractual Clauses into this Addendum, including the information set out in Annex 1 which is to be incorporated into such Standard Contractual Clauses for the purposes of this Addendum. The EEA country where the data exporter is established shall be deemed inserted in Clause 9 and Clause 11 at the appropriate places.
4. FIS shall Process the Personal Data only in accordance with any lawful and reasonable instructions given by Client from time to time as documented in and in accordance with the terms of the Agreement.
5. FIS shall ensure that all persons it authorizes to access the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. FIS may engage the Authorized Recipients as Processors under the Agreement and FIS shall (i) impose upon such Processors the equivalent data protection obligations as set out herein and (ii) be responsible for the acts and omissions of its Authorized Recipients under the Agreement. FIS shall inform Client of any intended changes concerning the addition or replacement of its Authorized Recipients, by making such information available to Client in the GDPR section of its Client Portal. These details will be made available on the Client Portal prior to the GDPR effective date. Unless Client objects to such changes in writing setting out its reasonable concerns in detail within four (4) weeks from such notice, the change shall be deemed accepted by Client. If Client objects, FIS shall consult with Client, consider Client’s concerns in good faith and inform Client of any measures taken to address the Client concerns. If Client upholds its objection and/or demands significant accommodation measures and either would result in a material increase in cost to provide the Service, FIS shall be entitled to increase the fees for the Service or, at its option, terminate the relevant Agreement. Where necessary to legalize the use of an Authorized Recipient as Processor, Client hereby authorizes FIS to conclude the Standard Contractual Clauses as per Section 3 above with such Processors on behalf of Client and (if required) Client’s Affiliates. Each such conclusion of Standard Contractual Clauses shall be considered a supplement to the respective Agreement and shall be subject to the terms and conditions set out therein.
7. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Client and FIS shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
8. Each party shall take reasonable steps to ensure that any natural person acting under its authority who has access to Personal Data does not Process that Personal Data except on instructions from it.
9. Upon Client’s written request, FIS shall (at Client’s choice) delete or return all Personal Data Processed on behalf of Client to Client after the end of the provision of services relating to Processing, subject to FIS retaining any copies required by applicable law.
10. FIS shall cooperate with Client as reasonably requested by Client in order to assist Client with its compliance with its legal obligations under Chapter III and pursuant to Articles 32 to 36 of the GDPR, and Client shall reimburse FIS for any time spent by FIS personnel as part of any such cooperation at FIS’ then standard professional services rate, together with any out of pocket costs reasonably incurred.
11. If FIS becomes aware of any breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data that FIS Processes for the Client, FIS shall without undue delay notify the Client thereof.
12. Where FIS is acting as a Processor under the Agreement, at Client’s written request, no more than once per year unless required under applicable law, FIS shall make available to Client all information reasonably necessary to demonstrate FIS’ compliance with the obligations laid down in this Addendum. To this end, FIS may allow a reputable third-party auditor chosen by FIS to perform audits on Client’s behalf and Client hereby authorizes FIS to issue such mandate to the third-party auditor.
13. The name “Victory Portfolios II,” including its Board of Trustees, refers to the Trust created, and the Trustees, as trustees but not individually or personally, acting from time to time under the Certificate of Trust, as amended, filed at the office of the Secretary of the State of Delaware.
The obligations of “Victory Portfolios II” entered into in the name or on its behalf thereof by any of the Trustees, representatives or agents are made not individually but in such capacities, and are not binding upon any of the Trustees, agents or representatives of the Trust personally, but bind only the “Trust Property” (as defined in the Amended and Restated Agreement and Declaration of Trust, as amended), and all persons dealing with any class of shares of the Trust must look solely to the Trust Property belonging to such class for the enforcement of any claims against the Trust.
***
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect from the date first set out above.
Victory Portfolios II, on behalf of its series portfolios, individually and not jointly |
|
FIS Investor Services LLC | ||||||
|
|
| ||||||
Signature |
/s/ Xxxxxxxxxxx Xxxx |
|
Signature |
/s/ Xxxxxxxxx Xxxxxx | ||||
|
|
|
| |||||
Name |
Xxxxxxxxxxx Xxxx |
|
Name |
Xxxxxxxxx Xxxxxx | ||||
|
|
|
| |||||
Title |
President |
|
Title |
Contract Manager | ||||
|
|
|
| |||||
Date Signed |
5/23/18 |
|
Date Signed |
5/30/2018 | ||||
ANNEX 1
Standard Contractual Clauses
The Standard Contractual Clauses (excluding the optional parts thereof) are hereby incorporated into this Addendum.
Standard Contractual Clauses (processors)
The gaps in the Standard Contractual Clauses are populated with the details set out in this Annex 1.
Name of the data exporting organisation: Victory Portfolios II.
Address: 0000 Xxxxxxxx Xxxx, 0xx Xxxxx, Xxxxxxxxx, XX 00000
Tel.: 000-000-0000; fax: ; e-mail: xxxxx@xxx.xxx
Other information needed to identify the organisation
|
|
(the data exporter) |
|
And
Name of the data importing organisation: FIS Investor Services LLC
Address: 0000 Xxxxxx Xxx, Xxxxx 000, Xxxxxxxx, XX 00000
Tel.: 000.000.0000; fax: ; e-mail: xxxxx.xxxxx@xxxxxxxxx.xxx
Other information needed to identify the organisation:
|
|
(the data importer) |
|
each a “party”; together “the parties”,
Appendix 1 to the Standard Contractual Clauses
Data subjects
The personal data transferred concern the following categories of data subjects:
Shareholders and related parties of the Funds
Categories of data
The personal data transferred concern the following categories of data:
Name, contact details and account numbers
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
Not applicable
Processing operations
The personal data transferred will be subject to the following basic processing activities:
As detailed in the Agreement
DATA EXPORTER
[Populated with details of, and deemed to be signed on behalf of, the data exporter:]
Name: Victory Portfolios II
Authorised Signature |
|
|
DATA IMPORTER
[Populated with details of, and deemed to be signed on behalf of, the data importer:]
Name: FIS Investor Services LLC
Authorised Signature |
/s/ Xxxxxxxxx Xxxxxx |
|