Date Effective: 9 October 2018
This Data Processing Addendum (“DPA”) applies to CONTROLLERs who are subject to the EU General Data Protection Regulation (EU) 2016/679 or “GDPR”, or any similar and applicable legislation, and who require PROCESSOR to process Personal Data on their behalf as part of CONTROLLER’s use of PROCESSOR’s Services.
In this DPA, references to “you” mean the CONTROLLER and references to “we”, “us”, “our” and “PROCESSOR” mean Radix Software Pty Ltd ABN 35 010 955 156, an Australian company acting on its own behalf and on behalf of its Affiliates with offices located at 12 Railway Terrace, Milton, QLD 4064, Australia.
- The terms of this DPA are hereby incorporated into PROCESSOR’s Terms of Service or any other applicable services agreement between you and PROCESSOR (the “Agreement”).
- With respect to provisions regarding Processing of Personal Data, this Agreement is supplemental to PROCESSOR’s Terms of Service (the “Agreement”) and in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail unless CONTROLLER and PROCESSOR have individually negotiated data processing terms that are different from this DPA and which meet the requirements of Applicable Data Protection Law in full, in which case those negotiated terms will prevail.
- “Data Controller”, “Data Processor”, “Data Subject”, “Processing” and “Personal Data” shall have the meanings ascribed to them in GDPR;
- “Data Security Breach” means a breach of security which causes the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored or otherwise Processed;
- “Services” means the services which are described and accessible on PROCESSOR’s website (including, without limitation, the OfficeMaps software application), or other tools or services offered by PROCESSOR to CONTROLLER from time to time; and
- “Technical and Organisational Security Measures” means security measures implemented by PROCESSOR appropriate to the type of Personal Data being Processed and the Services being provided by PROCESSOR to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
2. Applicability of DPA and Scope of Data Processing Activities
- In using PROCESSOR’s Services and for the purposes of GDPR, CONTROLLER is a Data Controller of the Personal Data associated with an individual (a “Data Subject”) who
- uses PROCESSOR’s website to register for and use the Services offered by PROCESSOR’s software when that Software is deployed by CONTROLLER across CONTROLLER’s business operations; or
- is otherwise recorded in CONTROLLER’s database when that database is uploaded to, or integrated with PROCESSOR’s database.
CONTROLLER agrees to Process a Data Subject’s Personal Data in accordance with CONTROLLER’s obligations under GDPR and any other applicable data protection laws including the Australian Privacy Act 1988 (Cth). CONTROLLER indemnifies PROCESSOR against all costs, claims, damages and expenses incurred by PROCESSOR or for which PROCESSOR may become liable due to any failure by CONTROLLER or CONTROLLER’s employees or sub-contractors to comply with any obligations under this Agreement, applicable Data Protection Laws, or our instructions.
- When PROCESSOR Processes the Personal Data of Data Subjects on behalf of CONTROLLER as part of the Services, PROCESSOR is a Data Processor in performing such Processing and CONTROLLER is the Data Controller. This includes circumstances where PROCESSOR obtains Personal Data as a result of enabling CONTROLLER to run the OfficeMaps software application (whether hosted on CONTROLLER’s servers or by PROCESSOR); for example, where PROCESSOR facilitates the transmission of emails to Data Subjects at the request of CONTROLLERs, processes Data Subjects’ registrations, or provides reports and tools to enable CONTROLLER and Data Subjects or third parties to gain insights into the location of individuals within an office setting.
- To the extent that PROCESSOR Processes Personal Data as a Data Processor on behalf of CONTROLLER, clauses 3 and 4 of this DPA shall apply.
- Details about the Personal Data to be Processed by PROCESSOR and the Processing activities to be performed under the Agreement are as follows:
- duration for which Personal Data will be retained – as set out in the Agreement;
- nature, purpose and subject matter – to enable CONTROLLER to keep track of who and what is where in CONTROLLER’s organisation, including with a visual representation on an interactive map of business locations, using PROCESSOR Services;
- data categories – name, address, phone number, email address, job title, experience, qualifications, as well as certain related information like company name, information related to events attended, social media accounts and profiles, and any other Personal Data that CONTROLLER requests of the Data Subjects.
3. Obligations of the Controller
- CONTROLLER will comply with the Data Protection Laws in its collection and provision of Personal Data to the PROCESSOR and in the event that CONTROLLER is required under Data Protection Laws to provide a privacy notice to Data Subjects informing them of the Processing of their Personal Data for the Permitted Purpose and to obtain Data Subjects’ consent for such Processing, CONTROLLER shall provide any such privacy notices and obtain any such consents.
- CONTROLLER shall use reasonable endeavours to ensure that the instructions which it provides to the PROCESSOR pursuant to this Agreement comply with GDPR and any other applicable Data Protection Laws.
- CONTROLLER shall deal with all requests made by Data Subjects under Data Protection Laws and all communications from Supervisory Authorities which relate to the Personal Data, in accordance with the GDPR.
4. Obligations of the Processor
- Whenever PROCESSOR Processes Personal Data on behalf of CONTROLLER, PROCESSOR shall:
- Process Personal Data according to the CONTROLLER’s documented instructions, unless required to do otherwise by applicable law. PROCESSOR shall inform CONTROLLER before Processing Personal Data if there is some legal requirement to Process other than in accordance with CONTROLLER’s instructions, unless that same law prohibits PROCESSOR from doing so. PROCESSOR will notify CONTROLLER if in its opinion an instruction is in breach of GDPR. CONTROLLER hereby instructs PROCESSOR, and PROCESSOR hereby agrees, to Process Personal Data as necessary to perform PROCESSOR’s obligations under the Agreement;
- Have in place Technical and Organisational Security Measures to protect Personal Data;
- Notify CONTROLLER in the event of a Data Security Breach without undue delay and assist CONTROLLER to enable CONTROLLER to comply with its obligations as a Data Controller in relation to data breach notification requirements;
- Ensure its employees have committed themselves to keeping Personal Data confidential by signing binding confidentiality undertakings in the terms of their engagement;
- Impose obligations on its sub-processors that have access to Personal Data that are the same as or equivalent to those set out in this clause 4 by way of written contract;
- Provide reasonable assistance to CONTROLLER in responding to rights requests under GDPR, complaints, or other communications received from any data protection authority or a Data Subject. In the event that a Data Subject submits a Personal Data deletion request to PROCESSOR, CONTROLLER hereby instructs and authorises PROCESSOR to delete or anonymize the Data Subject’s Personal Data on CONTROLLER’s behalf;
- Upon CONTROLLER’s written request, make available to CONTROLLER all information reasonably necessary to demonstrate its compliance with the obligations set out in this clause 4, and allow for and co-operate with any audits, PROVIDED THAT, without limitation, an on-site audit shall be: (A) permitted only on reasonable advance notice to PROCESSOR; (B) subject to appropriate confidentiality undertakings; and (C) limited to not more than once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means as determined by PROCESSOR; and
- Except for that Personal Data with respect to which PROCESSOR acts as a Data Controller (if any), return, delete, or destroy (at CONTROLLER’s election), the Personal Data and copies thereof, at CONTROLLER’s request (unless applicable law requires the storage of such Personal Data).
- CONTROLLER hereby consents to PROCESSOR’s current sub-processors (i.e. those listed on PROCESSOR’s website on the Effective Date of this DPA, as well as those listed on PROCESSOR’s website as of the Effective Date of the Agreement) (“Current Sub-Processors”) to Process Personal Data on its behalf.
- CONTROLLER hereby consents to PROCESSOR appointing additional and replacement sub-processors (“Replacement Sub-Processors”) to Process Personal Data on its behalf. PROCESSOR shall:
- notify CONTROLLER if there is a Replacement Sub-Processor via PROCESSOR’s website. (CONTROLLER should regularly check and review PROCESSOR’s website for any such changes because PROCESSOR’s website shall be the sole means of PROCESSOR notifying any such changes); and
- give CONTROLLER the opportunity to object to such changes that take place after the Effective Date of the Agreement.
- For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with the terms herein, and shall not apply in relation to Current Sub-Processors.
- CONTROLLER shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of PROCESSOR posting the changes on its website by sending its objection to firstname.lastname@example.org with the subject line ‘Legal Objection to Replacement Sub-Processor’.
- Provided that CONTROLLER’s objection:
- concerns the Replacement Sub-Processor’s ability to allow PROCESSOR to materially comply with its data protection obligations under this DPA; and
- includes sufficient detail to support its objection and provide specific examples,
PROCESSOR will then use commercially reasonable efforts to review and respond to CONTROLLER’s objection within thirty (30) days. If PROCESSOR does not view the objection as providing sufficient supporting detail, the objection shall be deemed invalid and PROCESSOR has no further obligations.
- If PROCESSOR determines in its sole discretion that it cannot reasonably accommodate CONTROLLER’s objection, upon notice from PROCESSOR, CONTROLLER may choose to terminate the Agreement by providing written notice to PROCESSOR, and complying with the terms herein, which shall be CONTROLLER’s sole and exclusive remedy. Should CONTROLLER choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this clause shall relieve CONTROLLER from any of its payment and/or repayment obligations to PROCESSOR under the Agreement. Without limiting PROCESSOR’s other rights and remedies, if CONTROLLER terminates the Agreement pursuant to this clause 5.f., then CONTROLLER will immediately pay to PROCESSOR all amounts accruing and owed to PROCESSOR, including, without limitation, obligations to pay and/or repay PROCESSOR for any Fees otherwise payable under the Agreement.