Personal Data Protection Policy – TMF Group
Introduction, Scope and Purpose
This Personal Data Protection Policy ("Policy") describes the privacy practices of TMF regarding processing Personal Data of Client Data Subjects and – to the extent applicable – the customers of the Client and/or the relevant Client Affiliates, as part of provision of Services to its Clients. Personal Data can be stored in TMF systems, Client systems or third-party systems to which TMF is provided access for the purpose of providing Services. Where TMF provides Services to its Client and processes Personal Data on Client’s behalf, TMF will be acting as Processor and the Client will be acting as Controller.
The Policy applies globally to any and all Services provided by TMF to its Clients under the Service Agreements where TMF is acting as Processor, executed on or after the effective date of this Policy.
TMF processes Personal Data on behalf of the Client in accordance with Data Protection Laws. Insofar necessary, the Service Agreement will be supplemented with an addendum to set out any additional matters that are specific to the Client and cannot be regulated in this Policy.
This Policy does not apply to processing of Personal Data for which TMF is considered Controller. Such processing is governed by the Privacy Statement of TMF Group and any other relevant privacy statement or policy presented to the Client or to other data subjects whose/which Personal Data TMF processes as Controller.
The Policy is available through the TMF Group website at the following link: https://www.tmfgroup.com/en/legal/data-protection/. TMF reserves the right to update this Policy without consulting or pre-informing Clients.
Notwithstanding the foregoing, the version of the Policy that applies and will continue to apply to a particular Service Agreement will be the version of the Policy that is in effect at the time of the effective date of such Service Agreement, unless amendments are required to comply with Data Protection Laws in which case the most recent version of the Policy published on the website shall apply.
1. Personal Data Processed by TMF
Details of Personal Data that will be processed by TMF on behalf of the Client, including the duration, purpose and types and categories of Personal Data, as well as Subprocessors, if any, will be set out on TMF Group website pages Details of Processing (https://www.tmfgroup.com/en/legal/data-protection/details-of-processing/) and Subprocessors (https://www.tmfgroup.com/en/legal/data-protection/subprocessors/) respectively.
Where additional authorizations or consents are required from the Client Data Subjects under applicable Data Protection Laws to process Personal Data on behalf of the Client, the Client shall collect such authorization or consent from the Client Data Subjects for the respective processing activity of the Personal Data, as required under Data Protection Laws.
2. Use of Personal Data
TMF shall not process, transfer, modify, amend or alter Personal Data or disclose or permit disclosure of Personal Data to any third party other than:
- as necessary to process Personal Data to provide Services and/or otherwise in accordance with the documented instructions of Client; or
- as required to comply with Data Protection Laws or other laws which TMF is subject to, in which case TMF shall (to the extent permitted by law) inform Client of that legal requirement before processing Personal Data.
In addition, TMF is allowed to use aggregated data – to the extent this can no longer be considered Personal Data and which is, therefore, not subject to Data Protection Laws - for analysing purposes, for website and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes, for developing and improving Services and products of TMF as well as benchmarking.
3. Subprocessing
TMF may be required to appoint certain third parties, including TMF Affiliates, to provide part of Services to Client or assist with providing technical support, such as IT service providers or other suppliers.
By signing the Service Agreement Client authorises TMF to subcontract processing Personal Data to Subprocessors in the relevant countries where Services will be rendered as listed on Subprocessors (https://www.tmf-group.com/en/legal/data-protection/subprocessors) page. Subprocessors are in each case subject to the terms between TMF and Subprocessor which are no less protective than those set out in the Policy and the Service Agreement.
TMF will inform the Client of the details of such Subprocessor(s) upon written request from the Client. TMF will inform the Client in advance of any intended changes concerning the addition or replacement of Subprocessors and thereby give the Client the opportunity to object to such changes. If (i) the Client does not provide its contact details on the Subprocessors page, (ii) the Client provides its contact details on the Subprocessors page but does not object in writing within fifteen (15) calendar days of receipt of the notice, the Client is deemed to have accepted the new Subprocessor. If the Client does object in writing within fifteen (15) calendar days of receipt of the notice, TMF and the Client will discuss possible resolutions within a reasonable timeframe and without detriment to the Parties and to their compliance with each of their respective obligations set forth in the Service Agreement.
Where the TMF Affiliate were to appoint another TMF Affiliate to process Client Personal Data on behalf of Client, TMF Affiliate will inform the Client in advance of such appointment and thereby give the Client an opportunity to object to such change. If the Client does not object in writing within five (5) calendar days of receipt of the notice, the Client is deemed to have accepted the respective TMF Affiliate as a new Subprocessor.
4. Confidentiality and Security
TMF shall keep Personal Data confidential and will ensure its staff and Subprocessors are bound by the same confidentiality obligation. TMF shall implement appropriate technical and organisational measures to ensure a level of security of Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws and shall take all measures required pursuant to Article 32 GDPR (security of processing) and any other more protective corresponding requirement under Data Protection Laws.
In assessing the appropriate level of security, TMF shall take account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The security measures are further described and specified in the document "Statement of Continuity", which is published on the TMF website (https://www.tmf-group.com/en/legal/dataprotection/). Any subsequent versions of the document Statement of Continuity shall be applicable to the Service Agreement and its content will be no less stringent than its previous version.
5. Co-operating with Requests of Client
TMF shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of Client that relate to processing of Personal Data. In particular, TMF shall co-operate with requests that relate to Client Data Subject rights, data protection impact assessments and Data Protection Audit rights as described below.
Client Data Subject rights: TMF shall co-operate as requested by Client to enable the Client to comply with its obligations with any exercise of rights by Client Data Subject in respect of Personal Data and reasonably assist Client in its compliance with any assessment, enquiry, notice or investigation as required under Data Protection Laws. In case the assistance provided by TMF to the Client exceeds the reasonable assistance, the Client shall reimburse TMF in full for all costs (including for internal resources and any third party costs) reasonably incurred by TMF providing the assistance that exceeds the reasonable limits in performing its obligation to assist Client in its compliance under this section.
Data protection impact assessment: TMF shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Data Protection Laws, including Article 35 GDPR or other corresponding obligations determined by Data Protection Laws, and with any prior consultations to any supervisory authority of the Client which are required under Data Protection Laws, including Article 36 GDPR or other corresponding obligations determined by Data Protection Laws, in each case in relation to Processing of Personal Data by TMF on behalf of the Client and taking into account the nature of the processing and information available to TMF.
Audit rights: On reasonable request and notice, TMF will co-operate in the conduct of any Data Protection Audit or inspection, reasonably necessary to demonstrate TMF's compliance with Processor’s obligations laid down in Data Protection Laws and the Policy related to the Service Agreement, provided always that this requirement will not oblige TMF to provide or permit access to information concerning: (i) TMF internal pricing information, (ii) information relating to TMF's other Clients, (iii) any of TMF non-public external reports, or (iv) any internal reports prepared by TMF's internal audit function.
The Client shall avoid causing any damage, injury or disruption to TMF's equipment, personnel and business in the course of such Data Protection Audit or inspection.
A maximum of one Data Protection Audit may be activated under this section in any twelve (12) month period at no additional cost to the Client, unless (i) the audit is following upon a Personal Data Breach caused by TMF in the same period, (ii) the Data Protection Audit request made by the Client in the same period would exceed commercially reasonable market audit standard costs and/or (iii) Data Protection Audit request made by the Client in the same period would require allocation of TMF internal resources for more than one (1) business day in order to fulfil the request. In the foregoing events, TMF will promptly notify Client of such additional expected costs in advance, for which Client and TMF will agree to such costs prior to initiating the referred Data Protection Audit request. Any further Data Protection Audit within the referred twelve (12) month period shall be at the Client’s expense.
The Client’s requests provided in this section 6 of the Policy will be fulfilled in close co-operation with and under supervision of TMF's Chief Security and Resilience Officer, TMF’s Chief Privacy Officer, or similar stakeholders of TMF local officials.
6. Deletion or Return of Client Personal Data
TMF will, at the choice of Client, delete or return Personal Data at the end of the provision of the Services involving processing, unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided, or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by TMF.
7. Incident Management
TMF shall notify Client without undue delay after becoming aware of a Personal Data Breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a Personal Data Breach under Data Protection Laws.
Upon request by the Client, TMF shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remediation of each Personal Data Breach, in order to enable the Client to (i) perform a thorough investigation into the Personal Data Breach and provide incident details as required under Data Protection Laws such as Article 33(3) GDPR or other corresponding obligations determined by Data Protection Laws, (ii) formulate a correct response and (iii) take suitable further steps in respect of the Personal Data breach in order to meet any requirement under the Data Protection Laws (“Remediation Measures”).
If TMF caused the Personal Data Breach, TMF shall bear the reasonable costs of Remediation Measures taken by TMF.
If and to the extent costs incurred by TMF related to Remediation Measures as directed by the Client are related to the Personal Data Breach caused by the Client, the Client shall compensate reasonable costs of the Remediation Measures taken by TMF. Any costs borne by TMF that exceed those reasonable costs for Remediation Measures shall be mutually agreed by parties to Service Agreement in advance.
Remediation Measures shall: (i) start without undue delay, (ii) be completed within a reasonable period after TMF has become aware of a Personal Data Breach, and (iii) be carried out within the regular business hours of TMF where Remediation Measures are required to be taken.
8. International Transfers of Personal Data
Always subject to section 3 and section 4 of the Policy and in the event Services require international transfers of Personal Data between TMF, TMF Affiliate(s) and/or any Subprocessor(s), the following shall apply (insofar relevant):
a. Transfer to TMF Affiliates in or from EU. Personal Data may be transferred to:
(i) one or more of TMF Affiliates in either one or more member states of the European Economic Area ("EEA"), Switzerland or the UK on the basis of Data Protection Laws; or (ii) one or more of TMF Affiliates in one or more third countries on the basis of the Binding Corporate Rules, which are published on the website of TMF Group (https://www.tmfgroup.com/en/legal/data-protection/binding-corporate-rules/).
The Client or the relevant TMF Affiliate shall upon request of the Client Data Subject provide the Client Data Subject with a copy of such Binding Corporate Rules and this Policy (without any business sensitive or confidential information). Where permitted by Data Protection Laws, TMF shall obtain all relevant authorizations or permits for such transfer of Personal Data based on such Binding Corporate Rules. Where Data Protection Laws do not allow TMF to obtain such authorization or permit for itself, the Client shall in a timely manner issue a required authorisation to TMF and any other relevant TMF Affiliate.
In the event the Binding Corporate Rules were not recognized or applicable under Data Protection Laws of a specific jurisdiction, TMF and the relevant TMF Affiliate(s) will undertake the necessary actions to satisfy the cross-border transfer requirements applicable to Personal Data under the Data Protection Laws of that jurisdiction.
b. Transfer to Subprocessors in or from EU. Personal Data may be transferred to:
(i) one or more Subprocessors (other than TMF Affiliates) in one or more member states of the EEA, Switzerland or the UK on the basis of Data Protection Laws pursuant to the Clients authorisation under section 4 of this Policy; or
(ii) one or more such Subprocessors in one or more third countries on the basis of an exception under Data Protection Laws; or
(iii) on the basis of adequate safeguards added either, insofar as allowed under Data Protection Laws, by TMF to ensure protection of Personal Data, or by the Client, in which case TMF shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Subprocessor. At the Client's request, TMF shall inform the Client of the applicable basis for the cross-transfer of Personal Data.
c. Transfer between Client and TMF. Where the Services provided by TMF would require an international transfer of Personal Data from one of the parties, either Client or TMF, located in a member state of the EEA to another party, respectively Client or TMF, located in a country not supported by an adequacy decision from the EU Commission for the cross-border transfer of the Client and TMF will duly execute the relevant EU Standard Contractual Clauses for such specific transfer, pursuant to the requirements set forth under the GDPR.
d. Other transfers. Pursuant to the Data Protection Laws outside the EEA, Switzerland or the UK applicable to the Personal Data Processed to render the Services, the Client – acting as Controller – shall ensure that any cross-border transfer of Personal Data from TMF to a Subprocessor shall be allowed, by implementing additional safeguards as required under those Data Protection Laws. If such Data Protection Laws would require further information to be provided to the Client Data Subjects or further consents to be obtained by the Controller, the Client shall take these additional steps before the transfer to TMF and/or TMF Affiliates is taking place.
9. Liability
Client warrants that Personal Data processed by TMF on behalf of the Client has been and shall be processed by the Client in accordance with Data Protection Laws, including without limitation:
a. ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Client; and
b. ensuring that all Personal Data is processed fairly and lawfully, is accurate and up to date and that a fair notice is provided by the Client to Client Data Subjects which describes processing to be undertaken by TMF or its Subprocessors pursuant to the Services agreed upon in the Service Agreement.
TMF shall be liable for the damage caused by processing only where it has not complied with obligations of Data Protection Laws specifically directed to Processor or where it has acted outside or contrary to lawful instructions of the Client as indicated in the Service Agreement. Client shall be liable for the damage caused by processing by Client which infringes Data Protection Laws. TMF shall be exempt from liability under this section 9 of the Policy if it proves that it is not in any way responsible for the event giving rise to the damage.
Where more than one Controller or Processor, or both Controller and Processor, are involved in the same processing and where they are, under the Service Agreement, responsible for any damage caused to Client Data Subject by processing, each Controller or Processor shall be held liable for the entire damage in order to ensure effective compensation of Client Data Subject(s). Where Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controller(s) or Processor(s) involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in the previous paragraph.
Save for this section 9 third paragraph of the Policy, the indemnities, liabilities and exclusions or limitations thereof set out in the Service Agreement, shall also apply to the obligations of the parties pursuant to the Policy and the Service Agreement, and in case of any conflict will prevail.
10. Contact Us
If you have any queries about the Policy or about the privacy practices of TMF Group, please send an email to dataprotection@tmf-group.com and be sure to indicate the nature of your query.
Information about rights of Clients or data subjects whose/which Personal Data TMF processes as Controller, including with regard to details of processing activities regarding their Personal Data, transfers of their Personal Data within TMF Group, and principles related to processing their Personal Data that TMF Group applies, are included in the Privacy Statement of TMF Group, available on TMF Group website (https://www.tmf-group.com/en/legal/privacy-statement/).
Definitions and Abbreviations
The capitalized terms and abbreviations listed below have the following meaning in this Policy:
Definition | Meaning |
Client | means the counterparty to the Service Agreement with TMF. |
Client Affiliate | means any legal entity affiliated to the Client. |
Client Data Subjects | mean the former and current employees and customers of the Client and Client Affiliates and any other categories of data subjects of which Client entrusts TMF for processing their Personal Data in order to perform Services. |
Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data. |
Data Protection Audit | means audits, including data protection compliance questionnaires, carried out by Client or a third-party on behalf of Client, with the objective to verify TMF compliance with the data protection obligations stated in the Service Agreement and the Policy. |
Data Protection Laws | means in relation to any Personal Data which is processed in the performance of Service Agreement, GDPR together with all implementing laws and any other applicable data protection laws, privacy laws or privacy regulations. Any references to specific clauses of the GDPR in the Policy shall also be understood as references to the corresponding clauses of any other applicable data protection laws, privacy laws or privacy regulations, if applicable. |
data subject(s) | means (i) an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity; and (ii) only if so provided by national laws of a given country – a legal person. |
GDPR | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union, L 119/1). |
Personal Data | means any information that Client entrusts TMF for processing through which a Client or a Client Data Subject can be identified directly or indirectly, including any other information if and to the extent that information is protected by Data Protection Laws. |
Personal Data Breach | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. |
processing | means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Processor | means the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Controller. |
Remediation Measures | have a meaning as provided for in section 8 of the Policy. |
Services | means services TMF provides to Client under Service Agreement. |
Service Agreement | means any written contract, any written statement of work, or any other written binding agreement, including any annexes thereto, between TMF and Client. |
EU Standard Contractual Clauses | means the Standard Contractual Clauses for the transfer of personal data to third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, as updated from time to time. |
Subprocessor | means any third party appointed or engaged by Processor to Process Personal Data on behalf of the Controller. |
TMF | means the TMF Affiliate that is the contracting entity to the Service Agreement. |
TMF Affiliate | means with respect to any specified person or entity, any other person or entity directly or indirectly controlling or controlled by or under direct or indirect common control of TMF Group B.V., including it. For the purpose of this definition, “control”, when used with respect of any specified person or entity means the power to direct or cause the direction of the management or policies of such person or entity, whether through ownership of voting securities or by contract or otherwise. The terms “controlling” and “control” have meaning correlative to the foregoing. Specifically excluded from this definition are the shareholding companies controlling TMF Group B.V. |
Reference to Associated Documents
Related Standards |
Related Internal Documents |
BCR Controller Extract | means any legal entity affiliated to the Client. |
Revision History and Records
Version | Date | Author | Details |
v.1.0 | 01-03-2018 | Chief Privacy Officer | First version approved. |
v.2.0e | 29-04-2019 | Chief Privacy Officer | Sections 1, 3, 6, 7, 9, 10 and 11 revised to clarify TMF Group Personal Data Processing role and duties. |
v.2.1 | 24-01-2020 | Chief Privacy Officer | Sections 3 and 5 revised to include the details of processing and the list of Subprocessors links. |
v.2.2 | 17-05-2021 | Group Privacy Office |
Section 1 revised to clarify applicable version of Policy to the Services Agreement, as well as amendments required by law.
Section 2 updated to include definitions for “Data Protection Audit” and “Personal Data Breach”.
Section 5 revised to increase number of days for controller to object to appointment of new subprocessor(s) and clarifying language for potential resolutions upon objection. Section 6 revised to clarify application of further versions of the Statement of Continuity.
Section 7 revised language to clarify obligations under data protection laws, inclusion of new defined terms and update due to organisational change.
Section 9 updated to include allocation of costs for personal data breaches caused by TMF |
v.3.0 | 20-05-2022 | Senior Privacy Officer |
Template updated to the most recent version.
Section 1 revised as to clarify TMF Affiliate role as a Processor for the purpose of this Policy and reference to the TMF Group Privacy Statement, where links are available for situations where TMF Affiliate processes Personal Data as a Controller.
Former section 2 (Definitions) moved to an appendix – Definitions and Abbreviations.
Section 2 updated to contemplate client obligations with regards to data subjects under data protection laws.
Section 3 revised language to clarify concept of aggregated data.
Section 4 updated language to clarify notification mechanism and objection period: language added for notification and authorization obligations in the event TMF Affiliate acts as a Subprocessor.
Section 5 revised language to clarify legal coverage of security requirements under Data Protection Laws.
Section 6 revised language to include commercial costs resulting from Data Protection Audits.
Section 8 revised language to contemplate compliance with additional legal requirements in relation to Personal Data Breaches.
Section 9 revised language to comply with international data transfers requirements under current Data Protection Laws, including EU Standard Contractual Clauses.
Section 10 revised to include liability of TMF Affiliate for appointed Subprocessors.
Section 11 updated to include reference to the Controller BCR Extract.
Definitions and Abbreviations - updated to include definition “EU Standard Contractual Clauses” and revised language added to definitions “Data Protection Laws”, “Personal Data”, “Subprocessors” and “TMF Affiliate” to provide legal coverage and clarification on data protection laws requirements. |
v.3.1 | 18-08-2022 | Senior Privacy Officer |
Numbering was adjusted.
Section 3 updated with regard to purposes for which aggregated data could be used. |
v.3.2 | 21-03-2023 | Privacy Officer |
Section 1 - revised as to use the definition of Client Data Subjects where required and clarify the scope of application of the TMF Group Privacy Statement.
Section 4 - slightly updated for consistency purposes to align the wording used for the type of days for objections (calendar days).
Section 6 - revised language to clarify the costs resulting from the assistance provided by TMF to the Client that exceeds the reasonable assistance with respect to Client Data Subject rights. Section 6 comprises adjusted wording to include the correspondent stakeholders of the TMF local office similar to TMF's Chief Security and Resilience Officer, TMF’s Chief Privacy Officer to be involved in cooperation with and supervision in case of Data Protection Audit.
Section 9 - updated language regarding the presigned version of EU Standard Contractual Clauses.
Section 10 - revised to clarify the Client’s responsibility to provide a notice to Client Data Subjects describing the Processing to be undertaken by TMF or its Subprocessors pursuant to the Services agreed upon in the Service Agreement.
Section 11 - updated to include a reference to the details of processing activities provided in the TMF Group Privacy Statement.
Definitions and Abbreviations - updated to include the definition “Processor”. |
v.3.3 | 25-04-2024 | Group Privacy Office | Reviewed. No changes needed. |
Downloads
Personal Data Protection Policy – TMF Group | version 1.0 | 1 March 2018
Personal Data Protection Policy – TMF Group | version 2.0 | 5 July 2019
Personal Data Protection Policy – TMF Group | version 2.1 | 30 January 2020
Personal Data Protection Policy – TMF Group | version 2.2 | 15 June 2021
Personal Data Protection Policy – TMF Group | version 3.0 | May 2022
Personal Data Protection Policy – TMF Group | version 3.1 | September 2022
Personal Data Protection Policy – TMF Group | version 3.2 | April 2023
Personal Data Protection Policy – TMF Group | version 3.3 | April 2024