Definitions and Interpretation
Unless otherwise defined herein, capitalised terms and expressions used in this GDPR Annex shall have the following meaning:
- “Controller” has the meaning given in applicable Data Protection Laws from time to time;
- “Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- “Data Subject” has the meaning given in applicable Data Protection Laws from time to time;
- “GDPR” means EU General Data Protection Regulation 2016/679;
- “Personal Data” has the meaning given in applicable Data Protection Laws from time to time;
- “Personal Data Breach” has the meaning given in applicable Data Protection Laws from time to time;
- “Processing” has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed, and processes shall be construed accordingly);
- “Processor” has the meaning given in applicable Data Protection Laws from time to time;
- “Protected Data” means Personal Data received from or on behalf of the Customer in connection with the performance of the Licensor’s obligations under the Agreement;
- “Services” means the services provided by the Licensor to the Customer under the Agreement;
- “Sub-Processor” means any agent, subcontractor or other third party (excluding Licensor’s employees) engaged by the Licensor for carrying out any processing activities on behalf of the Customer in respect of the Protected Data.
Processing of Protected Data
- The parties agree that the Customer is a Controller and the Licensor is a Processor for the purposes of processing Protected Data pursuant to the Agreement.
- The Licensor shall process the data fairly and lawfully and follow all applicable Data Protection Laws in the Processing of Customer Personal Data.
- The Licensor shall only use and process the Protected Data in accordance with, and for the purposes set out in Schedule 1, or otherwise in accordance with any written instructions received from the Customer from time to time, unless processing is required by applicable laws and regulations to which the Licensor is subject. Under no circumstances shall the Licensor use or Process Protected Data for any other purpose without the prior written agreement or instructions of the Customer.
- The Licensor shall implement and maintain appropriate technical and organisational measures to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, as set forth in Schedule 2.
- In assessing the appropriate level of security, the Licensor shall take account of the risks that are presented by processing, in particular the risks of a Personal Data Breach.
- The Licensor may continue to use those Sub-Processors already engaged as at the date of this Agreement.
- The Licensor will not permit any processing of Protected Data by any new Sub-Processors (except its own employees in the course of their employment with the Licensor who are subject to an enforceable obligation of confidence with regard to the Protected Data) without the written authorisation of the Customer. Such authorisation will be sought as soon as is practical.
- The Licensor shall:
  - prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as set forth in this Annex, that is enforceable by the Licensor, and ensure that each such Sub-Processor complies with all such obligations;
  - remain fully liable to the Customer under the Agreement for all the acts and omissions of each Sub-Processor as if they were its own; and
  - ensure that all persons authorised by the Licensor or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
- The Licensor shall co-operate and assist, as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a Data Subject under the Data Protection Laws in respect of Protected Data Processed by the Licensor or any Sub-Processor under the Agreement (including, without limitation, in relation to the retrieval and/or deletion of a Data Subject’s Personal Data).
- The Licensor shall:
  - promptly notify the Customer if it receives a request from a Data Subject under Data Protection Laws in respect of Protected Data; and
  - ensure that it does not respond to that request except on the documented instructions of the Customer, or as required by Applicable Laws to which the Contracted Processor is subject, in which case the Licensor shall, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before the Contracted Processor responds to the request.
- The Licensor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other data protection law, in each case solely in relation to processing of Protected Data by the Licensor or any Sub-Processor.
Personal Data Breach
- The Licensor shall notify Customer without undue delay (and in any event within 24 hours) upon the Licensor becoming aware of a Personal Data Breach affecting Protected Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
- The Licensor shall cooperate with the Customer and take such reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Deletion or return of Protected Data
- The Licensor shall promptly, and in any event within 15 business days of the date of cessation of any Services involving the processing of Protected Data (the “Cessation Date”), delete and procure the deletion of all copies of that Protected Data from the Licensor’s servers and from the Licensor’s back-ups, within the confines of those back-up cycles.
- The Licensor shall provide written certification to the Customer that it has fully complied with this section 8 within 10 business days of the Cessation Date.
- The Licensor will retain Customer Personal Data to the extent required by Applicable Laws.
- The Licensor shall make available to the Customer on request all information necessary to demonstrate compliance with this GDPR Annex, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the processing of the Protected Data.
- The Customer undertaking an audit shall give the Licensor reasonable notice (being no less than 14 days) of any audit or inspection and shall make reasonable endeavours to avoid causing any damage, injury or disruption to the Licensor.
- The Customer acknowledges that all data will be stored in Australia.
- The Customer (as “data exporter”) and the Licensor (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from the Customer to the Licensor, and these come into effect with the commencement of a relevant Restricted Transfer.
- The Licensor agrees not to transfer, or authorise the transfer of, Protected Data outside of Australia without the prior written consent of the Customer.
Right to Make Changes
- The Licensor may, by at least 30 calendar days’ written notice to the Customer, from time to time make any variations to the Standard Contractual Clauses to ensure they continue not to breach Data Protection Laws.
The processing of the Protected Data by the Licensor under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out below.
- Subject-matter of processing:
The Licensor’s provision of Services to the Customer under the Agreement.
- Duration of the processing:
The term set out in the Agreement plus the period from the expiry of the term until deletion of all Customer data by the Licensor in accordance with the Agreement.
- Nature and purpose of the processing:
The Licensor will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Agreement.
- Type of Personal Data:
Personal Data relating to individuals provided to the Licensor in order for the Licensor to provide the Services, by (or at the direction of) the Customer or by the Customer’s end users, including but not limited to name, email, date of birth, start date, job title, manager, business unit, location, feedback and performance data.
- Categories of Data Subjects:
Data Subjects include the individuals about whom data is provided to the Licensor for the purpose of the provision of the Services by (or at the direction of) the Customer or by the Customer’s end users.
- Firewalls and anti-virus
- Access control
- Confidentiality agreements
- Physical security measures
- Cybersecurity training
- Virus and malware protection
- Penetration testing
- Company policies
- Regular system maintenance