Data Processing Addendum.
TeLoRa Trading Pty Limited ACN 635 385 545 of PO Box 556, Kensington, New South Wales 1465 Australia (TeLoRa).
You, if you are a Sub-Admin user of the TeLoRa Platform (the Sub-Admin).
- This Data Processing Addendum (Addendum) addresses a number of compliance matters for the purposes of the Privacy Act 1988 (Cth) (the Privacy Act) and the General Data Protection Regulation (GDPR) (EU) 2016/679 (the GDPR).
- In addition, this Addendum outlines how TeLoRa and the Sub-Admin will approach actual, potential or suspected data breaches that may occur from time to time with respect to personal information and/or personal data that is ‘held’ by both TeLoRa and the Sub-Admin (Jointly Held Personal Information) for the purposes of the Privacy Act and/or the GDPR (as applicable).
THE PARTIES AGREE AS FOLLOWS:
In this Addendum:
- (b) TeLoRa and the Sub-Admin will each be referred to as a “party” and together the “parties”;
- (c) Data Protection Laws means the Privacy Act, the GDPR and any other applicable data protection laws;
- (d) User means the Sub-Admin or the Sub-Admin’s Clients and/or Workers (as applicable);
- (e) User Data means personal data and/or any special categories of personal data for the purposes of the GDPR, and personal information including sensitive information for the purposes of the Privacy Act and includes User Content entered by any Sub-Admin or any other User into the Platform and/or collected by the Platform with respect to any User;
- (f) the words controller, consent, processor, data subject, personal data, processing, processed, special categories of personal data, Data Protection Officer and process shall have the meanings given to them in the GDPR;
- (g) the word held (and other forms of that word) has the meaning that ‘held’ is given in the Privacy Act;
- (h) personal information and sensitive information have the meanings given to those terms in the Privacy Act.
- (b) The recitals to this Addendum form part of its operative binding terms.
- References to GDPR
In this Addendum, any provision which refers to an obligation of a party to comply with the GDPR, or the right of a party under GDPR, only applies to the extent that the GDPR applies to the processing pursuant to GDPR Article 3. The parties have agreed that if TeLoRa processes personal data of any User on behalf of the Sub-Admin and such processing is regulated by the GDPR (where the processing is within the territorial scope of the GDPR as set out in Article 3 thereof) (GDPR Data), this Addendum will govern TeLoRa’s and the Sub-Admin’s commercial relationship for the purposes of the GDPR.
- 2.2. By accessing, browsing and/or using the Platform, the Sub-Admin will be deemed to have read, understood and wholly and unconditionally agreed to be legally bound by, and accepted, the terms and conditions set out in this Addendum.
- 3.1. Each party hereby agrees that in respect of User Data that the Sub-Admin engages TeLoRa to process on its behalf, it will comply with its obligations under all Data Protection Laws, including by collecting, holding, disclosing and otherwise processing personal data only in accordance with those laws and by maintaining all records and information required by any such laws.
- 3.2. The Sub-Admin must not provide instructions to TeLoRa with respect to User Data which contravene Data Protection Laws. TeLoRa will not have any obligation to process any such instructions or to process any personal data on behalf of the Sub-Admin if doing so would contravene the Data Protection Laws.
- 3.3. The Sub-Admin must provide TeLoRa with any information and otherwise cooperate with TeLoRa, to the extent reasonably required by TeLoRa to comply with its obligations under Data Protection Laws.
- 3.4. Each party must take reasonable steps to ensure that its employees, agents and contractors comply with Data Protection Laws in respect of User Data that the Sub-Admin engages TeLoRa to process on its behalf.
- 4.1. With respect to the processing of User Data that the Sub-Admin engages TeLoRa to process on its behalf within the scope of the GDPR, TeLoRa shall, at a minimum, retain a record of all categories of processing activities carried out on behalf of the Sub-Admin by TeLoRa, containing:
- (a) the name and contact details of TeLoRa and of the Sub-Admin and, where applicable, TeLoRa’s or the Sub-Admin’s representative, and the data protection officer;
- (b) the categories of processing carried out on behalf of the Sub-Admin;
- (c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
- (d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
- 4.2. In addition, with respect to GDPR Data that the Sub-Admin engages TeLoRa to process on its behalf, TeLoRa agrees that:
- (a) it will take all measures required pursuant to Article 32 of the GDPR;
- (b) it will respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
- (c) it will, taking into account the nature of the processing, assist the Sub-Admin by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Sub-Admin’s obligation to respond to requests for exercising a data subject’s rights laid down in Chapter III of the GDPR;
- (d) it will assist the Sub-Admin in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to TeLoRa; and
- (e) it will make available to the Sub-Admin all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Sub-Admin or another auditor mandated by the Sub-Admin, in accordance with processes and procedures determined by TeLoRa.
- 5.1. TeLoRa may only process User Data on behalf of the Sub-Admin during the Term of the Sub-Admin’s subscription to the Platform, and following termination of the Sub-Admin’s subscription to the Platform only for the purposes of deleting or returning User Data to the Sub-Admin or complying with Applicable Law.
- 5.2. Notwithstanding any other provisions of this clause 5, with respect to Worker names and email addresses, TeLoRa may keep such data for the purposes of trading it to third parties, but only where the Worker has given his or her consent to such processing.
- 6.2. Without limiting the foregoing provisions, the Sub-Admin hereby warrants and represents to TeLoRa that all Users have authorised the Sub-Admin to appoint TeLoRa as a processor (or sub-processor) where such authorisation is required by Data Protection Laws in order for TeLoRa to lawfully process User Data.
- 7.1. TeLoRa acknowledges that it will not process any GDPR Data (in its capacity as a processor on behalf of the Sub-Admin), except pursuant to the Sub-Admin’s documented instructions (including with respect to data transfers), unless Data Protection Laws to which TeLoRa is subject require other processing of that personal data by TeLoRa, in which case TeLoRa will inform the Sub-Admin of that legal requirement (unless that law prohibits TeLoRa from doing so on important grounds of public interest).
- 7.2. TeLoRa may assume that the Sub-Admin’s final and complete documented instructions to TeLoRa to act as a processor on the Sub-Admin’s behalf with respect to the processing of User Data is constituted by the following (Sub-Admin Instructions):
- (b) the act of the Sub-Admin adding Clients and Workers to the Sub-Admin’s TeLoRa Account;
- (c) the act of any User uploading and/or entering any personal data into the Platform;
- (d) any settings selected, and/or configurations made, by the Sub-Admin or any of the Sub-Admin’s Clients and Workers in the Platform (such as accessing and configuring geo-tracking locations including geo-fences and issuing notifications through the Platform);
- (e) any reasonable written instructions provided by the Sub-Admin to TeLoRa; and
- (f) the Sub-Admin and relevant Users using the functionality of the Platform to issue instructions to process personal data, such as, to delete personal data, export personal data or transfer personal data to a sub-processor.
- 7.3. TeLoRa is not required to comply with the instructions of the Sub-Admin with respect to the processing of personal data, where complying with the instructions would contravene any Data Protection Laws.
- 8.1. The Platform is designed to be used to process User Data of Sub-Admins, and of Clients and Workers on behalf of their Sub-Admins.
- 8.2. TeLoRa may elect not to analyse all or any personal data uploaded or entered into the Platform. It is the Sub-Admin’s responsibility to ensure that only personal data of individuals that the Platform is designed to process is uploaded or entered into the Platform.
- 9.1. The types of personal data that will be processed by TeLoRa via the Platform on the Sub-Admin’s behalf are as follows:
- (a) names;
- (b) telephone numbers;
- (c) mobile numbers;
- (d) email addresses;
- (e) postal addresses;
- (f) business addresses of Sub-Admins and Clients;
- (g) residential addresses of Workers;
- (h) location data (particularly, locations of Workers);
- (i) health data including medical and private health insurance records of Workers;
- (j) next of kin for Workers and next of kin contact details of Workers;
- (k) transactional financial records (with respect to the subscription fees charged by TeLoRa to the Sub-Admin); and
- (l) any other personal data uploaded or entered into the Platform by Sub-Admins, Clients and/or Workers.
TeLoRa will process this personal data on behalf of the Sub-Admin in TeLoRa’s capacity as a processor in order to provide the Sub-Admin and its Users with the functionality of the Platform. TeLoRa will also process names and email addresses of Workers when it trades them with third parties (but only where the Workers provide their consent to TeLoRa doing so).
- 10.1. All Workers are requested to provide their consent to TeLoRa’s collection of health information via the TeLoRa Platform where necessary in order for the Platform to transmit health information so that incident responders can access medical conditions, medications and health insurance information of Workers recorded in the Platform.
- 10.2. TeLoRa may also process any special categories of personal data when necessary for the establishment, exercise or defence of legal claims or in any of the other circumstances referred to in paragraphs 2 and 3 of Article 9 of the GDPR.
- 11.1. The technical and organisational measures that TeLoRa has implemented, and will continue to implement for the duration of a Sub-Admin’s subscription to the Platform to protect User Data against unauthorised or unlawful processing and against accidental loss, destruction or damage are as follows:
- (a) TeLoRa performs security testing (including penetration testing of the Platform), and maintains other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management and firewalls;
- (b) TeLoRa maintains physical security measures in its buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms;
- (c) TeLoRa requires all of its employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements;
- (d) TeLoRa carries out security audits of its systems which seek to find and eliminate any potential security risks in TeLoRa’s electronic and physical infrastructure as soon as possible;
- (e) if appropriate in the circumstances, taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, pseudonymising and/or encrypting personal data;
- (f) TeLoRa implements passwords and access control procedures into its computer systems;
- (g) TeLoRa has data backup, archiving and disaster recovery processes in place;
- (h) TeLoRa has anti-virus and security controls for email and other applicable computer software and systems in place; and
- (i) TeLoRa has processes in place to ensure integrity and resiliency of systems, servers and personal data.
- 11.2. The Sub-Admin warrants and represents that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of personal data by TeLoRa as referred to in this Addendum, and the risks to individuals), the security measures referred to in subclause 1 provide a level of security appropriate to the risk in respect of the User Data to be processed by TeLoRa on behalf of the Sub-Admin.
- 12.1. TeLoRa must ensure that its personnel, appointed by TeLoRa to process User Data entered into and/or uploaded into the Platform by the Sub-Admin and/or any User and/or captured by TeLoRa from them or their use of the Platform or interaction with TeLoRa, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 13.1. TeLoRa will only engage new third parties to process GDPR Data for TeLoRa to process as a processor on behalf of the Sub-Admin (subprocessors) where permitted by applicable law. The Sub-Admin hereby authorises TeLoRa to engage its hosting providers as required by TeLoRa to host the Platform.
- 13.2. As at the date of this Addendum, TeLoRa is authorised to continue to engage the subprocessors already engaged by TeLoRa to process GDPR Data.
- 13.3. Either party may terminate the Sub-Admin’s subscription to the Platform if the Sub-Admin rejects any proposed subprocessor nominated by TeLoRa from being appointed as a subprocessor by TeLoRa.
- 14.1. Any request made pursuant to any Data Protection Law by any User or data subject whose data is held by TeLoRa on behalf of the Sub-Admin, where such request is made directly to TeLoRa, is to be referred to the Sub-Admin, and the Sub-Admin must action any such request in accordance with Data Protection Laws.
- 14.2. If TeLoRa is obliged to provide cooperation to the Sub-Admin pursuant to the GDPR or any other Data Protection Laws, all such cooperation will be at the cost of the Sub-Admin payable at the Ad Hoc Rates, except where charging a fee for such cooperation is prohibited by Data Protection Laws.
- 16.1 Each party (the first party) must indemnify the other party from and against any loss or damage incurred by the other party as a result of the first party’s breach of this Addendum.
- 17.1. Each party hereby agrees for the purposes of this Addendum and the GDPR that, as between them, TeLoRa is the processor and the Sub-Admin is the controller (or the Sub-Admin has obtained the consent of the controller to agree to the processing of personal data by TeLoRa pursuant to this Addendum), in connection with any processing of GDPR Data carried out by TeLoRa on behalf of the Sub-Admin, as contemplated by this Addendum.
- 17.3. Where required by GDPR Article 27, the Sub-Admin must designate in writing a representative in the European Union for the purposes of that Article.
- 17.4. TeLoRa’s contact details are as follows:
PO Box 556, Kensington, New South Wales 1465 Australia
Annexure – Agreed Data Breach Procedures
- 1.1. If there is a suspected, potential or actual eligible data breach of User Data (Breach), the party that detects the Breach (the Detecting Party) must immediately notify the other party of the Breach by email with full particulars of the Breach. The email addresses for the purposes of this subclause are as follows:
- (a) TeLoRa: firstname.lastname@example.org
- (b) Sub-Admin: any email address provided to TeLoRa from time to time by or on behalf of the Sub-Admin.
- 1.2. Upon the Detecting Party detecting the Breach, it must also carry out the following actions:
- (a) Step 1: Contain and assess the data breach. The Detecting Party must conduct a preliminary assessment and/or investigation to determine whether or not there has been a data breach or whether one is likely to occur, and then use reasonable endeavours to contain the Breach by removing the cause of the Breach to prevent further unauthorised access, disclosure or loss of information. If the Detecting Party is aware of reasonable grounds for suspecting a Breach occurred, the Detecting Party must promptly use reasonable endeavours to contain any potential avenues for further similar data breaches, whether or not it is ultimately proven that a suspected data breach actually occurred. The Detecting Party is to engage all relevant IT, security and managerial personnel to remove the cause of any actual, suspected or potential data breaches.
- (b) Step 2: Notify insurers. Each party must promptly notify its insurers from which it has obtained any Cyber Liability Insurance policy of the Breach, where the policy requires notification.
- (c) Step 3: Determine if an eligible data breach has occurred. For the purposes of the Privacy Act and this Addendum, an eligible data breach occurs if the following 3 criteria are satisfied:
- (i) there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information;
- (ii) the Breach is likely to result in serious harm to one or more individuals; and
- (iii) the Detecting Party has not been able to prevent the likely risk of serious harm with remedial action.
The Detecting Party must consider the above criteria when determining whether an eligible data breach has occurred. The Detecting Party must keep the other party informed at all times while the Detecting Party is undertaking any assessment of a suspected eligible data breach, and must notify the other party if the Detecting Party becomes aware of reasonable grounds that indicate that an actual eligible data breach has occurred with full particulars of the eligible data breach.
- (d) Step 4: Remedial action. Under the Privacy Act, where there is an eligible data breach of Jointly Held Personal Information, a party must use its best endeavours to take positive steps to address the eligible data breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. In circumstances where there is an eligible data breach but the remedial action removes the likelihood of it causing serious harm, the Privacy Act provides that the eligible data breach will be taken to have not occurred. The parties agree that if an eligible data breach occurs involving Jointly Held Personal Information, the Sub-Admin and TeLoRa must each use their respective best endeavours to take positive steps to carry out remedial action in a timely manner, which results in the eligible data breach not being likely to cause serious harm. Each party must keep the other party informed at all times while that remedial action is being undertaken, and must notify the other party if the remedial action has removed the likelihood of the Breach causing serious harm. If TeLoRa forms the opinion in its absolute discretion that the Sub-Admin has not completed an expeditious assessment of the Breach and/or has not expeditiously carried out remedial action that may result in the Breach not being likely to cause serious harm, TeLoRa may inform the Sub-Admin that TeLoRa requires the Sub-Admin to notify the Breach pursuant to paragraph (e) below (Notification Demand). If TeLoRa issues a Notification Demand, the Sub-Admin must notify all relevant individuals and the Australian Information Commissioner pursuant to paragraph (e) below.
- (e) If an eligible data breach of Jointly Held Personal Information has occurred for the purposes of the Privacy Act (that has not been remedied in accordance with paragraph (d)), the Sub-Admin must promptly:
- (i) notify the Australian Information Commissioner of the eligible data breach; and
- (ii) notify the relevant individuals to whom the Jointly Held Personal Information relates of the eligible data breach,
in accordance with the Privacy Act.
- 2.1. This clause 2 only applies to GDPR Data held or otherwise processed by TeLoRa as a processor on behalf of the Sub-Admin.
- 2.2. In the case of a personal data breach, TeLoRa must notify the Sub-Admin of a data breach that it becomes aware of without undue delay. The Sub-Admin shall without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- 2.3. Where the notification to the supervisory authority is not made within seventy-two (72) hours, it shall be accompanied by reasons for the delay.
- 2.4. The notification referred to in subclauses 2 and 3 shall at least:
- (a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- (c) describe the likely consequences of the personal data breach; and
- (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- 2.5. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- 2.6. The Sub-Admin shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33 of the GDPR.
- 2.7. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Sub-Admin shall communicate the personal data breach to the data subject without undue delay as required under Article 34 of the GDPR.
- 2.8. The communication to the data subject referred to in subclause 7 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
- 2.9. The communication to the data subject referred to in subclause 7 shall not be required if any of the following conditions are met:
- (a) the Sub-Admin has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- (b) the Sub-Admin has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subclause 7 is no longer likely to materialise;
- (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
- 2.10. If the Sub-Admin has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in subclause 9 are met.