<

Data Protection Agreement

Last updated: March 6, 2025

This Data Protection Agreement ("DPA") is entered into between ONWEGO NEXT PHASE LIMITED ("the Company", "we", "us") and you, the Data Controller, regarding the processing of personal data in connection with your use of our services. This DPA forms part of our overall Privacy Policy, which contains our full company details including our registered business address. We act solely as a data processor – processing data strictly in accordance with your instructions and applicable data protection laws – and do not store data beyond what is necessary for the delivery of our services.

1. Role and Scope

Our role is limited to processing, organizing, and transmitting personal data on your behalf. We are not responsible for long-term data storage; our function is strictly that of a processor.

2. Data Processing Obligations

  • Processing in Accordance with Instructions: We process personal data only as documented in your instructions and solely for the purposes necessary to deliver our services.
  • Confidentiality: All personnel and sub-processors involved in processing are bound by confidentiality agreements or statutory obligations.
  • Sub-processors: We engage only with sub-processors that meet our rigorous security and privacy standards. All transfers to these providers are governed by Data Protection Agreements and Standard Contractual Clauses (SCCs).

3. Security Measures

We employ industry-standard technical and organizational measures – including encryption, strict access controls, and regular security audits – to protect personal data during processing. These measures ensure that your data is safeguarded against unauthorized access, accidental loss, or disclosure.

4. Data Breach Notification

In the event of a data breach affecting the personal data processed on your behalf, we will notify you without undue delay and provide sufficient details to help you meet any legal reporting requirements.

5. International Data Transfers

If personal data is transferred outside the European Union, such transfers will be governed by the latest Standard Contractual Clauses (SCCs) and other applicable safeguards as required by law.

6. Limited Liability

Our liability under this DPA is limited to the maximum extent permitted by applicable law. We shall not be liable for any indirect, incidental, or consequential damages arising from our processing activities, except where required by law.

7. Term and Termination

This DPA remains in effect for as long as there is a service agreement between you and us. Termination of the service agreement will automatically terminate this DPA, except where retention of certain data is required by law.

8. Governing Law

This DPA is governed by and construed in accordance with the laws of Ireland. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the Irish courts.

9. Contact Information

For any questions regarding this Data Protection Agreement, please contact us at: privacy@getukstatepension.com.