Data Processing Agreement (DPA)
Effective Date: 20 January, 2025
Last Updated: 19 January, 2025
This Data Processing Agreement (DPA) forms part of the User’s Agreement on Terms and Conditions between EQC Compliance Advisory (“we”, “us”, or “our”) and the CPA Practice Unit (“you”, “your”, or “user”) for the use of Audit Program 4.0. EQC Compliance Advisory has the sole discretion to update this Data Processing Agreement from time to time.
This DPA outlines the respective responsibilities of EQC Compliance Advisory and the CPA Practice Unit under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), ensuring compliance when personal data belonging to your audit clients is processed through Audit Program 4.0.
- Definitions
For the purposes of this DPA:
– “Personal Data”: Any data relating directly or indirectly to a living individual from which it is possible to ascertain the individual’s identity, as defined under PDPO.
– “Sensitive Personal Data”: Types of personal data requiring additional protection, such as financial information, though not expressly defined under PDPO.
– “Data User”: The CPA Practice Unit that controls the collection, holding, processing, or use of personal data.
– “Data Processor”: EQC Compliance Advisory, through Audit Program 4.0, which processes Personal Data and Sensitive Personal Data on behalf of the Data User.
– “Processing”: Any operation performed on personal data, including collection, use, disclosure, storage, or destruction.
- Scope and Applicability
This DPA applies to personal data processed by EQC Compliance Advisory through Audit Program 4.0 on behalf of CPA Practice Units registered with the Accounting and Financial Reporting Council (AFRC) in the HKSAR.
– CPA Practice Units act as Data Users and are responsible for ensuring compliance with the PDPO when collecting, using, or disclosing their clients’ Personal Data and Sensitive Personal Data.
– Audit Program 4.0 acts as a Data Processor, processing Personal Data and Sensitive Personal Data solely in accordance with the instructions of CPA Practice Units and the requirements of the PDPO.
- Our Role as a Data Processor
As a Data Processor, EQC Compliance Advisory agrees, in respect of Audit Program 4.0 installed on the workstations of the CPA Practice Units, to:
3.1. Process personal data solely for the purposes specified by the CPA Practice Unit and in accordance with their instructions.
3.2. Not collect, use, or disclose personal data for any purpose other than those instructed by the CPA Practice Unit or required by law.
3.3. Implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data.
- Responsibilities of the CPA Practice Unit (Data User)
As the Data User, the CPA Practice Unit agrees to:
4.1. Ensure compliance with the PDPO when collecting, using, and disclosing personal data belonging to their audit clients.
4.2. Obtain valid and informed consent from their audit clients for the collection, use, and disclosure of personal data.
4.3. Provide EQC with clear and lawful processing instructions that comply with the requirements of the PDPO.
4.4. Ensure that personal data provided in Audit Program 4.0 is accurate, complete, and up-to-date.
- Data Processing Obligations of EQC
EQC Compliance Advisory agrees that:
5.1. Purpose Limitation: Audit Program 4.0 processes personal data only for the purposes specified by the CPA Practice Unit or as required by law.
5.2. Confidentiality: Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
5.3. Security Measures: Implement appropriate safeguards to protect personal data against unauthorized access, loss, or misuse, including:
– Encryption of personal data during transmission and at rest.
– Role-based access controls to limit access to authorized personnel only.
– Conducting regular audits and monitoring to identify and mitigate vulnerabilities.
5.4. Retention and Deletion: Retain personal data only for as long as necessary to fulfill the purposes specified by the CPA Practice Unit or as required by law. Upon termination of services, EQC will securely delete or return all personal data to the CPA Practice Unit, as instructed.
5.5. Subprocessing: Engage subprocessors only with the CPA Practice Unit’s prior written consent and ensure that they adhere to the same obligations set forth in this DPA.
5.6. Cross-Border Transfers: Ensure that personal data is not transferred outside Hong Kong without the CPA Practice Unit’s explicit written instructions and that the recipient provides comparable levels of protection in compliance with the PDPO.
- Data Breach Notification
6.1 Notification Obligations
In the event of a data breach involving personal data, EQC will:
- Notify the CPA Practice Unit without undue delay upon becoming aware of the breach.
- Provide details of the breach, including:
– The nature and scope of the breach.
– The categories and approximate number of affected individuals.
– The potential consequences and risks to affected individuals.
– The measures taken or proposed to address the breach.
- Assist the CPA Practice Unit in fulfilling its obligations under the PDPO, including notifying affected individuals and, where applicable, the Privacy Commissioner for Personal Data (PCPD).
6.2 Mitigation Measures
EQC will:
– Take immediate steps to contain and mitigate the effects of the breach.
– Investigate the root cause of the breach.
– Implement measures to prevent recurrence.
- Individual Rights and Requests
7.1 Assistance with Data Access and Correction Requests
EQC will assist CPA Practice Units in responding to requests from individuals to exercise their rights under the PDPO, including:
– Accessing their personal data.
– Correcting inaccurate or incomplete information.
7.2 Notification of Requests
If EQC receives a request from an individual, it will notify the CPA Practice Unit promptly and will not respond to such requests without the CPA Practice Unit’s prior written instructions.
- Audit and Compliance
EQC will:
- Make available to the CPA Practice Unit all necessary information to demonstrate compliance with this DPA.
- Allow for and contribute to audits or inspections conducted by the CPA Practice Unit or an independent auditor authorized by the CPA Practice Unit, provided such audits are limited to EQC’s data processing activities under this DPA.
- Termination and Return of Data
Upon termination of the services provided under the User’s Agreement:
- EQC will, at the CPA Practice Unit’s choice, securely return or delete all personal data processed on behalf of the CPA Practice Unit.
- EQC will delete any remaining copies of personal data unless retention is mandated by applicable laws or regulations.
- Cross-Border Transfers
EQC will:
- Ensure that personal data is not transferred outside Hong Kong without the CPA Practice Unit’s explicit written consent.
- Ensure that any cross-border transfers comply with the PDPO, including ensuring that the recipient provides comparable protections for personal data.
- Liability and Indemnity
EQC’s liability under this DPA is limited to the extent permitted under the User’s Agreement.
The CPA Practice Unit agrees to indemnify EQC for any claims, damages, or expenses arising from non-compliance with the PDPO due to the CPA Practice Unit’s actions or instructions.
- Acceptance of Terms
By installing and using Audit Program 4.0, the CPA Practice Unit confirms that it has read, understood, and agreed to the terms of this Data Processing Agreement (DPA).