Data Processing Agreements GIIN

The Parties are entering into this agreement for the purposes of the Client instructing MUFG to submit a GIIN registration on its behalf. Accordingly, the Parties agree as follows:

    1. For the purposes of this Data Processing Agreement (“DPA”), the following capitalised terms shall have the following meanings:
Associated Person means, with respect to any person, another person that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with, the person specified. Solely for this purpose “control” means, with respect to any person, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such person, whether through the ownership of voting shares or partnership interests, or the ability to exercise voting power by contract or otherwise.
AgreementMeans this DPA.
Clientmeans each natural or legal person entering into a business relationship with MUFG.
DPAmeans this Data Processing Agreement.
Data Controllershall have the meaning as set out in the GDPR.
Data Processorshall have the meaning as set out in the GDPR.
Data Protection Lawsmeans all applicable laws relating to privacy, data protection, data transfer, the Processing or security of Personal Data, data breaches and marketing, including but not limited to the Data Protection Act (2021 Revision) of the Cayman Islands (“DPA”), the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and the UK version of the GDPR which is part of UK law by virtue of the European Union (Withdrawal) Act 2018, as supplemented by the Data Protection Act 2018 (“UK GDPR”), all as amended from time to time.
Data Subjectsshall have the meaning as set out in the GDPR.
GIINmeans the Global Intermediary Identification Number issued by the IRS.
IRSmeans the US Internal Revenue Service.
MUFGmeans the MUFG Investor Services entity providing the Services to the Client.
Party or Partiesmeans MUFG and Client as parties to this Agreement.
Personal Datashall have the meaning as set out in the GDPR.
Process (and its derivatives)has the meaning assigned to it in the GDPR.
Processing Schedulemeans a document outlining items such as but not limited to subject matter, Processing operations, types of Personal Data Processed, categories of Data Subjects and duration of the Processing of Personal Data by MUFG in the provision of the Services, as set out in the First Schedule which may be amended from time to time by the Parties in accordance with the terms of this Agreement.
Reportable Breachmeans a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For the avoidance of doubt a Reportable Breach does not necessarily mean a breach that requires reporting to a Supervisory Authority.
Servicesmeans submitting a GIIN registration on behalf of the Client.
Standard Contractual Clausesthe standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of the personal data and on the free movement of such data, and repealing Directive 95/46/EC, as may be amended or replaced from time to time.
Sub-processormeans a third party and/or a Third-Party Vendor engaged by the Data Processor or by any sub-processor of the Data Processor, who is not a Party to this Agreement and who agrees to receive from the Data Processor or from any other sub-processor of the Data Processor, Personal Data exclusively for Processing activities to be carried out on behalf of the Data Controller.
Supervisory Authoritymeans any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Third Party Vendormeans a third party engaged/to be engaged by MUFG or an Associated Person to assist in the fulfilment of its Services under this Agreement
UK Addendummeans an addendum to the Standard Contractual Clauses, being the template addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) in accordance with section 119(A) of the Data Protection Act 2018, as revised under Section 18 of the mandatory clauses included therein, and as may be amended or replaced from time to time.

    1. The Client authorises MUFG to Process Personal Data provided to MUFG, or which is made available to it for the purposes of providing Services to the Client pursuant to this Agreement and for any other purpose set out in this Agreement and as may be further agreed by the Parties.
  2. The Parties record their intention that in respect of any Personal Data Processed by MUFG in its provision of the Services and except as set out in Clause 10, the Client shall be the Data Controller and MUFG shall be a Data Processor for the purposes of Data Protection Law. In any such case, the Client represents and warrants that:
    1. all Personal Data it provides or makes available to MUFG has been lawfully obtained in accordance with Data Protection Law, and can be lawfully disclosed to MUFG for the provision of Services by MUFG and any other agreed purposes;
    2. the Data Subjects have been informed of MUFG’s Processing of such Personal Data for the agreed purposes and the Client can demonstrate a lawful basis for such Processing and on request will provide evidence of such to MUFG; and
    3. it complies and has complied with any Data Protection Law applicable to the collection and Processing of the Personal Data.
  3. To the extent that Personal Data is Processed by MUFG as a Data Processor pursuant to this Agreement, MUFG shall:
    1. only act on and Process such Personal Data in accordance with the documented instructions of the Client, as set out in this Agreement or otherwise provided, unless otherwise prevented or required by any applicable laws in which case MUFG shall promptly inform the Client of such unless applicable laws prohibit such information being given on important public interest grounds;
    2. as soon as practicable inform the Client if in MUFG’s opinion, and without any obligation to perform any legal assessment, an instruction is given to it which breaches any applicable laws;
    3. take appropriate technical and organisational measures against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, the Personal Data;
    4. ensure that all persons who have access to Personal Data have committed themselves to appropriate obligations of confidentiality;
    5. save for information which is confidential, commercially sensitive or privileged, make available to the Client (or the Client’s auditor acting under its direction), at the Client’s cost and upon reasonable notice and access arrangements, all information requested by the Client to demonstrate compliance by MUFG with its obligations under this Clause 4 which may include data protection audits, assessments and inspections concerning MUFG’s data protection procedures relating to its compliance with this Clause. Unless required by a Supervisory Authority, any such audits, assessments and inspections shall be limited to once per calendar year and on the condition that thirty (30) days’ advance written notice is provided to MUFG;
    6. provide reasonable assistance to the Client to enable the Client to comply with: (i) the rights of Data Subjects under Data Protection Law; (ii) the security requirements under Data Protection Law; and (iii) any privacy assessment procedure or consultation conducted under Data Protection Law;
    7. notify the Client without undue delay on becoming aware of a Reportable Breach and will provide the Client with assistance in responding to and mitigating it PROVIDED ALWAYS that where the Reportable Breach is connected to MUFG’s Processing of the Personal Data, the Client is obliged to provide MUFG with a copy of the intended notification (if any) to be made by the Client to the affected Data Subjects and/or Supervisory Authority, and any such notification requires MUFG’s prior written approval, such approval not to be unreasonably withheld or delayed;
    8. upon termination of this Agreement, the Personal Data shall, at the Client’s option, be destroyed or returned to the Client, unless Applicable Law prevents the return or deletion of such Personal Data;
    9. be permitted to perform any or all of its data processing obligations through Associated Persons or Sub-Processors, PROVIDED ALWAYS that: (i) MUFG shall remain liable for such performance of its data processing obligations by any Associated Person or Sub-Processor; and (ii) all Associated Persons and Sub-Processors engaged by MUFG shall be bound by the terms of an agreement which contain the same or equivalent obligations with respect to data processing as are imposed on MUFG under this Agreement. MUFG shall notify the Client of its intention to replace an Associated Person or Sub-Processor in accordance with the applicable Data Protection Law. The Client acknowledges and agrees that it shall only object to such replacement where it has reasonable grounds for doing so;
    10. be permitted to transfer the Personal Data outside of the Cayman Islands in accordance with the Standard Contractual Clauses or other available data transfer solutions or as otherwise permitted under Data Protection Law or with the consent of the Client. Solely to the extent required for the limited purpose of entering into any appropriate legitimizing transfer mechanism, the Client appoints MUFG as its agent.
  4. Pursuant to Clause 4.j, the Client hereby represents, warrants and covenants to MUFG that disclosure of any transfer contemplated by Clause 4.j will be disclosed to Data Subjects and that consent to this transfer shall, if required under applicable Data Protection Law, be obtained; a form of such disclosure is available from MUFG on request. The Client agrees to indemnify and hold MUFG and its Associated Persons harmless in the event MUFG or its Associated Persons suffer any loss as a result of the Client’s failure to ensure compliance with this Clause 5.
  5. The Client shall remain solely and fully liable for any damage which a Data Subject may suffer as a result of the Processing of their Personal Data which is under the Client’s control and which does not result from MUFG’s non-compliance with its obligations under Data Protection Law or otherwise from MUFG’s actions that are outside of or contrary to the documented instructions of the Client.
  6. The Client acknowledges and agrees that MUFG is reliant upon the Client as Data Controller for lawful direction and documented instructions as to the extent to which MUFG is entitled to Process any Personal Data and, consequently, the Client agrees that MUFG will not be liable and it shall fully and effectively indemnify MUFG for any claim whatsoever brought by a Data Subject and/or any competent authority or body arising from any action or omission of MUFG, to the extent that such action or omission resulted from the Client’s instructions given to MUFG with respect to the Processing of such Personal Data.
  7. MUFG shall be liable in respect of any breach of its obligations caused by its own gross negligence, wilful default or fraud, under this Agreement and Data Protection Law with respect to the Processing of Personal Data permitted PROVIDED ALWAYS that the Client acknowledges and agrees that MUFG shall not be liable in the event that any failure to comply with its obligations is caused by or results from the acts or omissions of the Client in which case the Client shall be fully liable.
  8. Both Parties acknowledge and agree that, whether MUFG or the Client has paid full compensation for damages suffered by a Data Subject, where joint liability has been determined by the Parties or in the course of any legal proceeding or other decision, the Party that paid the compensation in full to the Data Subject is entitled to claim back from the other Party that portion of the compensation corresponding to the other Party’s responsibility for the damage.
  9. MUFG agrees to comply with the obligations imposed on Data Controllers under Data Protection Law to the extent that such obligations apply (for example, in connection with its due diligence of the Client pursuant to the anti-money laundering legislation or regulations, resolution of disputes or investigations, the enforcement of MUFG’s rights).
  10. The Parties acknowledge that Personal Data will be transferred to MUFG in the Cayman Islands.
    1. To the extent that Personal Data processed subject to the GDPR is transferred, the Parties hereby enter into the Standard Contractual Clauses, with details as follows:
    2. Module Two applies to transfers from the Client as Data Controller/data exporter to MUFG as Data Processor/data importer; Module Four applies to transfers from MUFG as Data Processor/data exporter to the Client as Data Controller/data importer;
    3. in Clause 7, the optional docking clause does not apply;
    4. in Clause 9(a) of Module Two, Option 2 applies, and the period for prior notice of sub-processor changes is at least thirty (30) days;
    5. in Clause 11(a), the optional language does not apply;
    6. in Clause 17, the Parties agree that the governing law shall be that of the Republic of Ireland;
    7. in Clause 18, the Parties agree that disputes will be resolved before the courts in Dublin, Republic of Ireland;
    8. Annex I and Annex II of the Standard Contractual Clauses are completed with the information in the Processing Schedule to this Agreement, whereby the roles of the Parties are as set out in Clause 11.1 above;
    9. insofar as they apply, Clauses 17 and 18 of the Standard Contractual Clauses prevail over any other selection of governing law or jurisdiction in the Agreement; and
    10. MUFG and the Client are deemed to have signed the Standard Contractual Clauses with effect from the date of this Agreement.
  11. To the extent that Personal Data processed subject to the UK GDPR is transferred, the Parties hereby enter into the UK Addendum, which is subject to Clauses 11 to 11.j above, as amended pursuant to the UK Addendum, and whereby either Party may end the UK Addendum as set out in Section 19 of the UK Addendum. The Parties agree that the UK International Addendum (incorporating the Standard Contractual Clauses) shall apply even where a transfer is not also subject to the GDPR.
  13. No provision of this Agreement may be amended, except in writing signed by the Parties hereto, save for the Processing Schedule which may be amended by notification by MUFG to the Client giving the Client reasonable time to object and it is hereby agreed that such amendment will be binding on both parties if the Client continues to receive the Services and no written objection is received by the expiration of the reasonable time to object. The amended Processing Schedule shall then become legally valid. In the notification set forth in this Clause 19.1, MUFG shall draw the Client’s attention to the factual content of the amendment, pointing out that the Client’s continued receipt of the Services and no written objection received by MUFG shall be deemed to constitute agreement to the amendment.
    1. Unless otherwise outlined in Clauses 3.9 or 3.10, this DPA shall be governed by and construed in accordance with the laws of the Cayman Islands and shall be subject to the exclusive jurisdiction of the Courts of the Cayman Islands.


This Processing Schedule describes the categories of Personal Data, Data Subjects and the Processing operations to be carried out by MUFG. As outlined in the Agreement, this Processing Schedule may be amended from time to time by the Parties in accordance with the terms of this Agreement.

  1. Data Subjects
    The Personal Data to be Processed by MUFG concerns but is not limited to the following categories of Data Subjects:
    1. Client’s directors and employees
    2. Persons who have a commercial relationship with the Client
  2. Categories of Data
    The Personal Data to be Processed by MUFG includes but is not limited to:
    1. Name
    2. Legal domicile
    3. Profession, title and work contact details
    4. Telephone number
    5. Signature
    6. Email
    7. Address

Processing Operations
The Personal Data will be Processed (including by receiving, accessing, updating, disclosing and storing) for purposes including, but not limited to:

  1. Regulatory obligations related to client
  2. Hosting
  3. Software development
  4. Business development
  5. Audit and compliance activities related to the above
  6. The Services
  7. Fraud mitigation

Frequency and Duration
Personal Data will be transferred per request per the Services.

Personal Data may be Processed by MUFG for the duration during which it is to provide Services pursuant to this Agreement or perform investigations in relation to such, unless otherwise required by applicable law and/or justified under applicable statutory limitation periods, whichever is the later.

Transfers to Sub-Processors
The subject matter, nature and duration of processing by sub-processors is as set out above.

MUFG may engage and use the sub-processors listed at (as updated from time to time, notice of which shall be provided in accordance with the provisions of the Agreement).

Competent Supervisory Authority and Contacts
For transfers subject to GDPR the Data Protection Commissioner Ireland shall be the competent supervisory authority.

For transfers subject to Cayman Islands Data Protection law the Cayman Islands Ombudsman shall the competent supervisory authority.

MUFG Contact: Data Protection Officer, Data [email protected]

Client Contact: As per correspondence contact for GIIN registration.

Security Measures

MUFG has implemented technical and organizational measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. MUFG has aligned to ISO 27001:2013 for the implementation and management of a global Information Security Management System (ISMS). The ISMS provides clear direction and supports continuous improvement, through effective risk management, the delivery of security projects and broader initiatives, effective policies and procedures, and performance evaluation and reporting.