Where Schedule 2 or the Statement of Work determines so, this Data Processing Addendum, including its Schedules (“DPA”) forms part of the Terms and Conditions to reflect the parties’ agreement with regard to the processing of Your personal data.
| Data Breach | means, in respect of any of Your Personal Information in the Customer Data held by Us under the Agreement, any (i) unauthorised access to, modification or disclosure of; or (ii) any interference with loss or misuse of; such data; |
| Personal Information | means information or an opinion about an identified individual, or an individual who is reasonably identifiable; |
| Privacy Policy | means the Aspire Digitel Group Privacy Policy |
| Privacy Laws | means any applicable laws that deals with the regulation, storing and using of Personal Information in Australia. |
2.1. We must comply with the Privacy Laws in respect of all Personal Information disclosed to Us by You.
2.2. You must comply with the Privacy Laws in respect of all Personal Information which is disclosed to Us, or collected by the You in relation to Your use of the Access Products and or Services.
2.3. Where You disclose or input any Personal Information in connection with the Access Products and or Services, You warrant that You have the express written consent of the relevant individuals to disclose or input that Personal Information.
2.4. Any Personal Information We collect or hold in providing the Access Products and or Services will be handled in accordance with Our Privacy Policy. You agree that You consent to the collection, use and disclosure of Personal Information by Us in accordance with Our Privacy Policy. If the Access Product’s log-in page incorporates a separate privacy policy, the Access Product’s specific privacy policy shall take precedence over the Privacy Policy to the extent of any inconsistency.
2.5. If You obtain Third Party Product that requires access to, or transfer of, Customer Data, You acknowledge that any such access or transfer is between You and the Third Party Provider pursuant to the Third Party Provider’s privacy notices and policies.
2.6. At any time, You may provide Us Notice authorising Us to provide Customer Data requested by the Third Party Product. We are not responsible for any modification, loss, damage or deletion of Customer Data by Third Party Product.
2.7. In the event of a Data Breach, We will:
2.7.1. promptly notify You in writing;
2.7.2. promptly take all reasonable steps to remediate the Data Breach and mitigate the risk of harm (if any) to any individuals affected by the Data Breach; and
2.7.3. co-operate with You in investigating what has occurred and the circumstances of the Data Breach, including by providing all information reasonably requested by You for the purpose of determining the likelihood that the Data Breach will result in serious harm to any individual affected by the Data Breach.
2.8. If either You or Us determine or has reasonable grounds to believe that a Data Breach is serious and reportable to the privacy authority, then the Parties will work together to coordinate any notifications required under applicable Privacy Laws. You must not make any required notification unless You have first obtained Our prior written consent (such consent not to be unreasonably withheld).
2.9. If We provide Aspire Digitel Group Products over the internet via networks We only partially control. Our obligations under this clause 2 extend only to networks and equipment within Our control and We are not responsible for any delay, loss, interception or alteration of Customer Data on a network or infrastructure outside Our control.
2.10. Nothing in this clause 2 requires a party to take any action, or refrain from taking any action, that would result in that party breaching its obligations under any applicable Privacy Laws.
2.1. Save for as set out in clause 2.17, in the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, and You are the controller of such personal data. The Product Fact Sheet sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this DPA, We may amend the Product Fact Sheet from time to time.
2.2. Each party shall comply with its obligations under applicable Data Protection Legislation, and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful.
2.3. Subject to clause 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data outside of the European Union (the “Approved Jurisdiction”) without the documented instruction. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this DPA and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects have enforceable subject rights and effective legal remedies as required by the Data Protection Legislation.
2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing.
2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality.
2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data.
2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-party data centres). In addition to any entity within The Aspire Digitel Group Group, any Sub Processors in place as of the Effective Date shall be outlined in the Product Fact Sheet and are accepted by You, save for where it is explicitly stated otherwise in the relevant Statement of Work. By You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace or remove a Sub Processor where We deem necessary, provided that We shall notify You (which may be by email, through Our customer success portals, or otherwise within the relevant Aspire Digitel Group Product itself) of the appointment of a new Sub Processor and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors, and, for the avoidance of doubt, We shall not share Your personal data with any Sub Processor You have objected to in accordance with this Agreement. We shall ensure that all Sub Processors are bound by contract with Us which include appropriate data processing terms and We shall remain liable for Sub Processors’ acts and omissions in connection with this Agreement.
2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall use reasonable commercial efforts to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) following written request from You provided that We may: (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation); and/or (b) charge You on a time and materials basis in the event that We consider, in Our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data.
2.9. Upon discovering We have experienced a Personal Data Breach in respect of Your personal data We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with mitigation of the impact of the Personal Data Breach and any notification to the applicable supervisory authority and data subjects, considering the nature of processing and the information available to Us.
2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing of Your personal data by Us.
2.11. Following the earlier of termination or expiry of the Agreement (the “End Date”), Your instruction is for Us to delete Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned to You in the format specified in the Product Fact Sheet, the Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirement.
2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses 2.2 to 2.11 inclusive, and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Business Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis.
2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringes Data Protection Legislation We shall inform You immediately and You shall reconsider Your instruction considering the Data Protection Legislation and Our reasoning (where such reasoning is provided). We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-infringing or amend Your instructions to make them non-infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction.
2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement.
2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive) of the GDPR.
2.16. Where You consider it necessary to amend this DPA as a result of any changes in law relating to the protection or treatment of personal data, You shall notify Us of the same. Thereafter the parties shall act reasonably and in good faith in agreeing appropriate amendments to this DPA to ensure compliance with such law.
2.17. Nothing in this DPA is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy notice made available on Our website.
2.18. Some of Our Aspire Digitel Group Products may have an API, allowing the transfer of data (which may include personal data) to and from the Aspire Digitel Group Product to a third-party product (“Third-Party API”) or a separate Aspire Digitel Group Product (only where You have a licence to this separate Aspire Digitel Group Product will the API be turned on). Where an API exists, We use reasonable commercial efforts to document this in the Product Fact Sheet. Whether a Third-Party API is turned on or off is at Your discretion, where it is turned on, You are authorising Us to share the relevant data through the Third-Party API and where relevant, receive data from the Third-Party API for input into the Aspire Digitel Group Product. We are not liable or responsible for the quality or accuracy of data transferred to Us via a Third-Party API. Nor are We liable for what happens to the data once transferred outbound via a Third-Party API (the “Transferred API Data”). For the avoidance of doubt, the Transferred API Data will be governed by the contract held between You and the relevant third-party.
3.1. For details of how personal data is processed under this Agreement, please register to see our “GDPR Portal” at https://aspire-digitel-group-support.force.com/Support/s/gdpr-hub.
3.2. If you are not already registered on the GDPR Portal you will need to do so. If you have any problems registering, please contact [email protected]
3.3. We reserve the right to change the location of the Product Fact Sheets. Where We do change the location, We will notify You.
