Data Protection Clauses
for operational agreements
1. You (the ‘Organisation’) and I Sixty-One Charitable Foundation (collectively the ‘parties’) undertake to comply with all applicable requirements of the data protection legislation (‘Data Protection Legislation’) under Mauritius laws and shall at all times adhere to the terms set out in the Privacy Policy of I Sixty-One Charitable Foundation.
2. The parties acknowledge that for the purposes of the services (the ‘Services’) to be provided by I Sixty-One Charitable Foundation to the Organisation, I Sixty-One Charitable Foundation may require the Organisation to communicate the personal data (the ‘Personal Data’) of certain data subjects (including but not limited to the directors, shareholders, agents and authorised representatives of the Organisation) (the ‘Data Subjects’). The parties acknowledge that the Organisation shall be a controller (as defined under the Data Protection Act 2017 of Mauritius (the ‘DPA 2017’)) and I Sixty-One Charitable Foundation may be both a controller and a processor (as defined under the DPA 2017) of such Personal Data.
3. Unless covered by any lawful exception/exemption, the parties will ensure that all necessary consents and notices are in place to enable the lawful transfer of the Personal Data to I Sixty-One Charitable Foundation for the duration and purposes of the provision of the Services by I Sixty-One Charitable Foundation to the Organisation. Without limitation to the foregoing, the Organisation shall ensure that the prior written consent of the Data Subjects is obtained before the Organisation communicates their Personal Data to I Sixty-One Charitable Foundation.
4. I Sixty-One Charitable Foundation may (a) as data controller, alone or jointly with the Organisation, determine the purpose and means of the processing of the Personal Data and have decision-making powers in relation thereto and (b) as data processor, collect, use, store, transfer or otherwise process the Personal Data for the purposes of providing the Services to the Organisation, client on-boarding and complying with the legal and regulatory obligations of I Sixty-One Charitable Foundation (the ‘Purpose’).
5. I Sixty-One Charitable Foundation shall not transfer any Personal Data outside of Mauritius unless the prior written consent of the Data Subject has been obtained and I Sixty-One Charitable Foundation has duly complied with the Data Protection Legislation. Where so requested by I Sixty-One Charitable Foundation, the Organisation shall use its best endeavours to obtain such prior written consent from the Data Subject.
6. I Sixty-One Charitable Foundation shall facilitate any request received from a Data Subject or the Organisation in relation to the enforcement of the rights of the Data Subjects under the Data Protection Legislation.
7. I Sixty-One Charitable Foundation shall notify the relevant Data Subject and the Organisation, without undue delay, upon becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data.
8. I Sixty-One Charitable Foundation shall maintain complete and accurate records and information in compliance with the Data Protection Legislation.
9. Save and except in exceptional circumstances as provided under the Data Protection Legislation and any other applicable legislation, I Sixty-One Charitable Foundation shall remain liable to obtain any necessary consent of a Data Subject to disclose its Personal Data when required to do so (a) to any of our affiliates, service providers, brokers, dealers, custodians, agents, bankers, auditors and professional advisers or (b) where it is necessary for the Purpose.
10. I Sixty-One Charitable Foundation shall ensure that it has in place appropriate technical and organisational measures to protect against any unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Personal Data, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting the Personal Data, ensuring confidentiality, integrity, availability and resilience of the systems and services of I Sixty-One Charitable Foundation, ensuring that availability of and access to the Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).