This Data Processing Addendum (DPA) forms part of the Contract between you and us. It addresses the parties’ respective rights and obligations with respect to data protection under Data Protection Laws. Please read this Data Processing Addendum carefully.
1. Definitions and Interpretation
1.1 Capitalised terms which are not defined in this DPA shall have the meaning provided in the General Terms and Conditions and Service Terms and Conditions that form part of the Contract.
1.2 In addition, the following defined terms apply solely with respect to this DPA:
“CCPA” means the California Consumer Privacy Act 2018;
“Customer Personal Data” means any Personal Data that is Processed by us on your behalf in relation to the Contract, but excluding Personal Data with respect to which we are a data controller;
“Data Protection Laws” means the EU GDPR, the UK GDPR, the CCPA and all other applicable laws relating to the Processing of Personal Data;
“Data Subject” means an identified or identifiable natural person whose rights are protected by the EU GDPR or the UK GDPR or a “Consumer” as defined under the CCPA;
“EU GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) and all other EU laws regulating the Processing of Personal Data, as such laws may be updated, amended and superseded from time to time;
“Personal Data” means personal data or personal information under the Data Protection Laws;
“Process”, when used with respect to Personal Data, means:
(a) to record, store, organize, structure, analyse, query, modify, combine, encrypt, display, disclose, transmit, receive, render unusable, or destroy, by automated means or otherwise;
(b) to provide cloud or other remote technology hosting services for applications or services that do any of the things listed in paragraph (a); and
(c) any other use or activity that is defined or understood to be Processing under the Data Protection Laws,
and “Processing” and “Processed” have a corresponding meaning;
“UK GDPR” means the EU GDPR as transposed into UK law (including by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) and all other UK laws regulating the Processing of Personal Data, as such laws may be updated, amended and superseded from time to time;
“We”, “us” and “our” means Conetix Pty Ltd ABN 47 126 3675 268 of 142 Brisbane Street, Ipswich Queensland; and
“You” and “your” means the person or entity which has entered into a Contract with us for the supply of services whether via our website or otherwise.
2. Data protection
2.1 Each party shall comply with the Data Protection Laws with respect to the Processing of the Customer Personal Data.
2.2 You warrant to us that you have the legal right to disclose all Personal Data that you do in fact disclose to us under or in connection with the Contract.
2.3 You shall only supply to us, and we shall only Process, Personal Data that is necessary for the performance of our obligations under the Contract.
2.4 We shall only Process the Customer Personal Data for the purpose of performing our obligations under the Contract or as strictly necessary for our internal administrative purposes related to performing our obligations under the Contract.
2.5 We shall only Process the Customer Personal Data as set out in this DPA or on your documented instructions (including with regard to transfers of the Customer Personal Data to a third country under the Data Protection Laws).
2.6 You hereby authorise us to make the following transfers of Customer Personal Data:
(a) we may transfer the Customer Personal Data internally to our own employees, offices and facilities in Australia;
(b) we may transfer the Customer Personal Data to our third party processors in jurisdictions identified in this list [insert hyperlink to list of third party processors and jurisdictions] and may permit our third party processors to make such transfers, provided that our third party processors have contractually agreed to terms at least as protective of the Customer Personal Data as those stated in this DPA and the Contract; and
(c) we may transfer the Customer Personal Data to a country, territory or sector to the extent that the competent data protection authorities have decided that the country, territory or sector ensures an adequate level of protection for Personal Data.
2.7 Notwithstanding any other provision of the Contract, we may Process the Customer Personal Data if and to the extent that we are required to do so by applicable law. In such a case, we shall inform you of the legal requirement before Processing, unless that law prohibits us from doing so.
2.8 We shall ensure that persons authorised to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.9 Each party shall implement appropriate technical and organisational measures to ensure an appropriate level of security for the Customer Personal Data.
2.10 We must not engage any third party to Process the Customer Personal Data without your prior specific or general written authorisation. In the case of a general written authorisation, we shall inform you at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor. If you object to any such changes before their implementation, then you may terminate the Contract by giving us not less than 7 days’ written notice of termination, expiring at the end of any calendar month, provided that such notice must be given within 7 days of us informing you of the intended changes. We shall ensure that each third party processor is subject to the same or equivalent legal obligations as those imposed on us by this clause 2.
2.12 We shall, insofar as possible and taking into account the nature of the Processing, take appropriate technical and organisational measures to assist you with the fulfilment of your obligation to respond to requests exercising a Data Subject’s rights under the Data Protection Laws.
2.13 We shall assist you in ensuring compliance with the obligations relating to the security of Processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the Data Subject, data protection impact assessments and prior consultation in relation to high-risk Processing under the Data Protection Laws. We may charge you at our standard time-based charging rates for any work performed by us at your request pursuant to this clause 2.13.
2.14 We must notify you of any Personal Data breach affecting the Customer Personal Data without undue delay and, in any case, not later than 36 hours after we become aware of the breach.
2.15 We will make available to you all information necessary to demonstrate our compliance with our obligations under this clause 2 and the Data Protection Laws. We may charge you at our standard time-based charging rates for any work performed by us at your request pursuant to this clause 2.15.
2.16 We will, at your choice, delete or return all of the Customer Personal Data to you after the provision of services relating to the Processing and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.
2.17 We will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you in respect of the compliance of our Processing of Customer Personal Data with the Data Protection Laws and this clause 2. We may charge you at our standard time-based charging rates for any work performed by us at your request pursuant to this clause 2.17, providing that no such charges shall be levied where the request to perform the work arises out of any breach by us of the Contract or any security breach affecting our systems.
3. CCPA
3.1 For the purposes of the CCPA:
(a) we are a “Service Provider” as defined under section 1798.140(v);
(b) you are disclosing Personal Data to us solely for a valid business purpose in providing the Services to you; and
(c) we may not sell Personal Data or retain, use or disclose Personal Data except as required to perform our obligations under the Contract.
3.2 We certify that we understand and will comply with the obligations in clause 3.1.
4. Limitations and exclusions of liability
For the avoidance of doubt, the limitations and exclusions of liability set out in clause 12 of the General Terms and Conditions and elsewhere in the Contract Documents apply to any liability of either party arising under this DPA.
5. Survival
For the purposes of clause 16.1 of the General Terms and Conditions, the following provisions of this DPA shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely): Clauses 1, 2, 3, 4 and 5.