1. Introduction and scope 

This Personal Data Protection Policy ("Policy") describes the privacy practices of MY VIRTUAL ACCOUNTING FIRM regarding the Processing of Personal Data of the directors, officers and employees and – to the extent applicable – the customers of the User and/or the relevant User Affiliates, as part of the provision of MY VIRTUAL ACCOUNTING FIRM's Services to its Users. This Personal Data can be stored on MY VIRTUAL ACCOUNTING FIRM systems, User systems or third-party systems to which MY VIRTUAL ACCOUNTING FIRM is provided access for the provision of Services. Where MY VIRTUAL ACCOUNTING FIRM provides Services to its Users, MY VIRTUAL ACCOUNTING FIRM will be acting as Processor and the User will be acting as Controller. This Policy applies globally to any and all Services provided by MY VIRTUAL ACCOUNTING FIRM to its Users.

MY VIRTUAL ACCOUNTING FIRM Processes Personal Data on behalf of the User in accordance with Data Protection Laws. Insofar as necessary, the Service Agreement will be supplemented with an Addendum to set out any additional matters that are specific to the User and cannot be regulated in this Policy.

This Policy does not apply to the collection of Personal Data through our website or through cookies, with respect to which Personal Data MY VIRTUAL ACCOUNTING FIRM can be considered Controller; we refer to our separate Website Policy and Cookies Policy for more information in this regard.

This Policy is available through the My Virtual Accounting Firm website at the following link: https://www.myvirtualaccountingfirm.com/en/legal/data-protection/. MY VIRTUAL ACCOUNTING FIRM reserves the right to update this Policy without consulting or pre-informing its Users. 

2. Definitions

The capitalized terms listed below have the following meanings in this Policy:

a. “User” means the counterparty to the Service Agreement with MY VIRTUAL ACCOUNTING FIRM;

b. “User Affiliate” means any legal entity affiliated to the User;

c. “User Data Subjects” shall mean the former and current directors, officers and employees and customers of the User and User Affiliates;

d. “Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

e. “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement, the General Data Protection Regulation (EU) 2016/679 ("GDPR") together with all implementing laws and any other applicable data protection, privacy laws or privacy regulations;

f. “Personal Data” means any information through which a User Data Subject can be identified directly or indirectly;

g. “Processing” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

h. “Processor” shall mean the party, which Processes Personal Data on behalf of the Controller;

i. “Services” means services MY VIRTUAL ACCOUNTING FIRM provides to the User under the Service Agreement;

j. “Service Agreement” means any written contract, any written statement of work, or any other written binding agreement, including any annexes thereto, between MY VIRTUAL ACCOUNTING FIRM and the User;

k. “Subprocessor” means any data processor appointed by Processor to process Personal Data on behalf of the Controller;

l. “MY VIRTUAL ACCOUNTING FIRM” means the MY VIRTUAL ACCOUNTING FIRM Affiliate that is the contracting entity to the Service Agreement;

m. “MY VIRTUAL ACCOUNTING FIRM Affiliate” means with respect to any specified person or entity, any other person or entity directly or indirectly controlling or controlled by or under direct or indirect common control with such specified person or entity. For the purpose of this definition, “control”, when used with respect to any specified person or entity, means the power to direct or cause the direction of the management or policies of such person or entity, whether through ownership of voting securities or by contract or otherwise. The terms “controlling” and “control” have meanings correlative to the foregoing. Specifically excluded from this definition are the shareholding companies controlling My Virtual Accounting Firm.

3. Personal data processed by My Virtual Accounting Firm

The details of the Personal Data that will be Processed by MY VIRTUAL ACCOUNTING FIRM on behalf of the User, including the duration, purpose and categories of Personal Data, will be set out in (the Addendum to) the Service Agreement.

4. Use of personal data

MY VIRTUAL ACCOUNTING FIRM shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:

as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of User, or

as required to comply with Data Protection Laws or other laws to which MY VIRTUAL ACCOUNTING FIRM is subject, in which case MY VIRTUAL ACCOUNTING FIRM shall (to the extent permitted by law) inform User of that legal requirement before processing the Personal Data.

In addition, MY VIRTUAL ACCOUNTING FIRM is allowed to use aggregated data – to the extent this can no longer be considered Personal Data – for analysis purposes, for its website and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of its Services.

5. Subprocessing

MY VIRTUAL ACCOUNTING FIRM may be required to appoint certain third parties to provide part of the Services to the User or assist with providing technical support, such as IT service providers or other suppliers. By signing the Service Agreement, the User authorises MY VIRTUAL ACCOUNTING FIRM to subcontract the Processing of Personal Data to Subprocessors. Subprocessors are in each case subject to the terms between MY VIRTUAL ACCOUNTING FIRM and the Subprocessor which are no less protective than those set out in this Policy and the Service Agreement. MY VIRTUAL ACCOUNTING FIRM will inform the User of the details of such Subprocessor(s) upon written request from the User. MY VIRTUAL ACCOUNTING FIRM will inform the User in advance of any intended changes concerning the addition or replacement of Subprocessors and thereby give the User the opportunity to object to such changes. If the User does not object in writing within five (5) days of receipt of the notice, the User is deemed to have accepted the new Subprocessor. If the User does object in writing within five (5) days of receipt of the notice, MY VIRTUAL ACCOUNTING FIRM and the User will discuss possible resolutions.

6. Confidentiality and security

MY VIRTUAL ACCOUNTING FIRM shall keep the Personal Data confidential and will instruct its staff and Subprocessors to do the same. MY VIRTUAL ACCOUNTING FIRM shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take all measures required pursuant to article 32 GDPR. In assessing the appropriate level of security, MY VIRTUAL ACCOUNTING FIRM shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. The security measures are further described and specified in the document "Statement of Continuity", which is published on the MY VIRTUAL ACCOUNTING FIRM website (https://www.myvirtualaccountingfirm.com/en/legal/data-protection/) and forms an integral part of this Policy.

7. Co-operating with requests of the User

MY VIRTUAL ACCOUNTING FIRM shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of the User that relate to the Processing of Personal Data. In particular, MY VIRTUAL ACCOUNTING FIRM shall co-operate with requests that relate to User Data Subject rights, Data Protection Impact Assessments and audit rights as described below. 

User Data Subject rights: MY VIRTUAL ACCOUNTING FIRM shall co-operate as requested by the User to enable the User to comply with any exercise of rights by a User Data Subject in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under Data Protection Laws. Provided in each case that the User shall reimburse MY VIRTUAL ACCOUNTING FIRM in full for all costs (including for internal resources and any third party costs) reasonably incurred by MY VIRTUAL ACCOUNTING FIRM performing its obligation under this section.

Data Protection Impact Assessment: MY VIRTUAL ACCOUNTING FIRM shall provide reasonable assistance to the User with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the User which are required under Article 36 GDPR, in each case in relation to Processing of Personal Data by MY VIRTUAL ACCOUNTING FIRM on behalf of the User and taking into account the nature of the processing and information available to MY VIRTUAL ACCOUNTING FIRM.

Audit rights: On reasonable request and notice and at the User's expense, MY VIRTUAL ACCOUNTING FIRM will co-operate in the conduct of any audit or inspection, reasonably necessary to demonstrate MY VIRTUAL ACCOUNTING FIRM's compliance with the obligations laid down in this Policy, provided always that this requirement will not oblige MY VIRTUAL ACCOUNTING FIRM to provide or permit access to information concerning: (i) Supplier internal pricing information; (ii) information relating to MY VIRTUAL ACCOUNTING FIRM's other Users; (iii) any of MY VIRTUAL ACCOUNTING FIRM's non-public external reports; (iv) MY VIRTUAL ACCOUNTING FIRM's confidential information, or (v) any internal reports prepared by MY VIRTUAL ACCOUNTING FIRM's internal audit function.

The User’s requests provided in this section 7. will be fulfilled in close co-operation with and under supervision of MY VIRTUAL ACCOUNTING FIRM's Chief Information Security Officer, MY VIRTUAL ACCOUNTING FIRM’s Chief Privacy Officer, or similar MY VIRTUAL ACCOUNTING FIRM local officials.

8. Deletion or return of User personal data

My Virtual Accounting Firm will, at the choice of the User, delete or return the Personal Data at the end of the provision of the Services relating to Processing, to the extent reasonably possible and unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided (“Applicable Law”), or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by My Virtual Accounting Firm.

9. Incident management

MY VIRTUAL ACCOUNTING FIRM shall notify the User without undue delay after becoming aware of a personal data breach, providing the User with sufficient information which allows the User to meet any obligations to report a data breach under Data Protection Laws. Upon request by the User and at the full expense of the User for all costs incurred by MY VIRTUAL ACCOUNTING FIRM (including for internal resources and any third party costs), MY VIRTUAL ACCOUNTING FIRM shall fully co-operate with the User and take such reasonable steps as are directed by the User to assist in the investigation, mitigation and remediation of each data breach, in order to enable the User to (i) perform a thorough investigation into the data breach, (ii) formulate a correct response and to take suitable further steps in respect of the data breach in order to meet any requirement under the Data Protection Laws. 

10. International transfers of User personal data

In the event of international transfers of Personal Data between MY VIRTUAL ACCOUNTING FIRM and any Subprocessor, the following shall apply (insofar as relevant):

a. The Personal Data may, at the discretion of MY VIRTUAL ACCOUNTING FIRM, be transferred to (i) one or more of MY VIRTUAL ACCOUNTING FIRM's Affiliates in either one or more Member States of the European Economic Area ("EEA") or Switzerland on the basis of Data Protection Laws, or to (ii) one or more of MY VIRTUAL ACCOUNTING FIRM's Affiliates in one or more third countries on the basis of the Binding Corporate Rules, which are published on the website of My Virtual Accounting Firm (https://www.myvirtualaccountingfirm.com/en/legal/data-protection/). The User or the relevant MY VIRTUAL ACCOUNTING FIRM Affiliate shall upon request of the User Data Subject, provide the User Data Subject with a copy of such Binding Corporate Rules and this Policy (without any business sensitive or confidential information). Where permitted by Data Protection Laws, MY VIRTUAL ACCOUNTING FIRM shall obtain all relevant authorizations or permits for such transfer of Personal Data based on such Binding Corporate Rules. Where Data Protection Laws do not allow MY VIRTUAL ACCOUNTING FIRM to obtain such authorization or permit for itself, the User shall in a timely manner issue a power of attorney to the relevant MY VIRTUAL ACCOUNTING FIRM Affiliate to obtain such authorization or permit on behalf of the User. Where the use of a power of attorney is not accepted under Data Protection Laws, the User warrants that it has obtained all necessary authorizations or permits to allow MY VIRTUAL ACCOUNTING FIRM to share the Personal Data with MY VIRTUAL ACCOUNTING FIRM's Affiliates in a third country.

b. The Personal Data may (i) be transferred to one or more Subprocessors (other than MY VIRTUAL ACCOUNTING FIRM's Affiliates) in one or more Member States of the EEA or Switzerland on the basis of Data Protection Laws pursuant to the User's permission ex section 5 of this Policy, or (ii) to one or more such Subprocessors in one or more third countries on the basis of an exception under Data Protection Laws, or (iii) on the basis of adequate safeguards added either, insofar as allowed under Data Protection Laws, by MY VIRTUAL ACCOUNTING FIRM to ensure the protection of the Personal Data, or by the User, in which case MY VIRTUAL ACCOUNTING FIRM shall cooperate with the User to seek an adequate basis for the cross-border transfer of Personal Data to such Subprocessor. At the User's request, MY VIRTUAL ACCOUNTING FIRM shall inform the User of the applicable basis for the cross-border transfer of the Personal Data.

c. Where the data protection or privacy law of any country outside the EEA or Switzerland applies to the Personal Data, the User warrants that any cross-border transfer of Personal Data from MY VIRTUAL ACCOUNTING FIRM to a Subprocessor shall be allowed, by implementing additional safeguards pursuant to Data Protection Laws or as otherwise permitted by Data Protection Laws.

11. Indemnification

The User warrants that all Personal Data processed by MY VIRTUAL ACCOUNTING FIRM on behalf of the User has been and shall be Processed by the User in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the User; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that a fair notice is provided to User Data Subjects which describes the processing to be undertaken by MY VIRTUAL ACCOUNTING FIRM pursuant to the Services agreed upon in the Service Agreement.

By signing the Service Agreement, the User shall indemnify and hold MY VIRTUAL ACCOUNTING FIRM harmless against all claims, actions, third party or Supervisory Authority claims, losses, damages and expenses arising from any breach by the User of this Policy.

The exclusions and limitations of the liability of MY VIRTUAL ACCOUNTING FIRM set out in the Service Agreement shall also apply to this Policy.