Data Processing Addendum
PARTIES
Hexicom Software Pty Ltd ABN 99 129 473 472 of PO Box 299 Berowra Heights NSW 2082 Australia
(“Hexicom”)
The subscriber of Hexicom’s Platform specified in the Application Form in the SaaS Agreement into which
this Data Processing Addendum (“Addendum”) is incorporated.
RECITALS
A. Hexicom agrees, or has agreed, to provide, and the Subscriber agrees, or has agreed to engage
Hexicom, to provide the Subscriber with access to Hexicom’s online platform (collectively, the
“Platform”) under a SaaS Agreement (the “Agreement”).
B. This Addendum addresses a number of compliance matters for the purposes of Data Protection
Laws.
C. In addition, this Addendum outlines how Hexicom and the Subscriber will approach actual, potential
or suspected data breaches that may occur from time to time with respect to personal information
and/or personal data under the Agreement ‘held’ by both Hexicom and the Subscriber (“Jointly
Held Personal Information”) pursuant to the Agreement for the purposes of The Privacy
Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“NDB Law”) and/or the General Data
Protection Regulation (GDPR) (EU) 2016/679 (the “GDPR”).
THE PARTIES AGREE AS FOLLOWS:
1. Definitions and Interpretation
1.1. Definitions
In this Addendum:
(a) any words starting with a capital letter shall have the meanings given to them in the
Agreement unless otherwise defined in this Addendum;
(b) Hexicom and the Subscriber will each be referred to as a “party” and together the
“parties”;
(c) “end user” means any person who accesses the Platform using the Subscriber’s
subscription to the Platform;
(d) “Subscriber Personal Data” means personal data and/or personal information entered
by the Subscriber into the Platform;
(e) the words “controller”, “consent”, “processor”, “data subject”, “personal data”,
“processing”, “processed”, “special categories of personal data”, “Data Protection
Officer” and “process” shall have the meanings given to them in the GDPR;
(f) the word “held” (and other forms of that word) has the meaning that ‘held’ is given in the
Privacy Act 1988 (Cth) (the “Privacy Act”);
(g) “personal information” has the meaning given in the Privacy Act.
1.2. Interpretation
(a) The rules of interpretation set out in the Agreement will apply to this Addendum, except
where inconsistent with Data Protection Laws, in which case the interpretation provisions
of the relevant Data Protection Laws will prevail.
(b) The recitals to this Addendum form part of its operative binding terms.
1.3. References to GDPR
In this Addendum, any provision which refers to an obligation of a party to comply with the
GDPR, or the right of a party under the GDPR, only applies to the extent that the GDPR applies
to the processing pursuant to Article 3 of the GDPR. The parties have agreed that if Hexicom
processes personal data of the Subscriber or any end user on behalf of the Subscriber and
such processing is regulated by the GDPR (where the processing is within the territorial scope
of the GDPR as set out in Article 3 thereof) (“GDPR Data”), this Addendum will govern
Hexicom’s and the Subscriber’s commercial relationship for the purposes of the GDPR.
2. Term of this Addendum
2.1. This Addendum will apply for the Term of the Agreement and will automatically and
immediately terminate upon termination or expiry of the Agreement for any reason.
3. Compliance with Data Protection Laws
3.1. Each party hereby agrees that it will comply with its obligations under all Data Protection Laws,
including by collecting, holding, disclosing and otherwise processing personal data only in
accordance with those laws and by maintaining all records and information required by any
such laws.
3.2. The Subscriber must not provide instructions to Hexicom with respect to Subscriber Personal
Data which contravene any Data Protection Laws. Hexicom will not have any obligation to
process any such instructions or to process any personal data on behalf of the Subscriber if
doing so would contravene any Data Protection Laws.
3.3. The Subscriber must provide Hexicom with any information and otherwise cooperate with
Hexicom, to the extent reasonably required by Hexicom to comply with its obligations under
Data Protection Laws.
3.4. Each party must take reasonable steps to ensure that its employees, agents and contractors
comply with Data Protection Laws.
4. The GDPR
4.1. With respect to the processing of Subscriber Personal Data by Hexicom (as a processor) on
behalf of the Subscriber (as controller) within the scope of the GDPR, Hexicom shall, at a
minimum, retain a record of all categories of processing activities carried out on behalf of the
Subscriber by Hexicom, containing:
(a) the name and contact details of Hexicom and of the Subscriber and, where applicable,
Hexicom’s or the Subscriber’s representative, and the data protection officer;
(b) the categories of processing carried out on behalf of the Subscriber;
(c) where applicable, transfers of personal data to a third country or an international
organisation, including the identification of that third country or international organisation
and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the
GDPR, the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security
measures referred to in Article 32(1) of the GDPR.
4.2. In addition, with respect to GDPR Data, Hexicom agrees that:
(a) it will process the personal data only on documented instructions from the
Subscriber, including with regard to transfers of personal data to a third country or an
international organisation, unless required to do so by Union or Member State law to
which Hexicom is subject; in such a case, Hexicom shall inform the Subscriber of that
legal requirement before processing, unless that law prohibits such information on
important grounds of public interest;
(b) it will ensure that persons authorised to process the personal data have committed
themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality;
(c) it will take all measures required pursuant to Article 32 of the GDPR;
(d) it will respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR
for engaging another processor;
(e) taking into account the nature of the processing, it will assist the Subscriber by
appropriate technical and organisational measures, insofar as this is possible, for the
fulfilment of the Subscriber’s obligation to respond to requests for exercising the data
subject’s rights laid down in Chapter III of the GDPR;
(f) it will assist the Subscriber in ensuring compliance with the obligations pursuant to
Articles 32 to 36 taking into account the nature of processing and the information
available to Hexicom;
(g) at the choice of the Subscriber, it will delete or return all the personal data to the
Subscriber after the end of the provision of services relating to processing, and delete
existing copies unless Union or Member State law requires storage of the personal data;
(h) it will make available to the Subscriber all information necessary to demonstrate
compliance with the obligations laid down in Article 28 of the GDPR and allow for and
contribute to audits, including inspections, conducted by the Subscriber or another auditor
mandated by the Subscriber.
5. Processing duration and de-identification
5.1. Hexicom may only process Subscriber Personal Data during the Term of the Agreement, and
following the Agreement only for the purposes of deleting or returning Subscriber Personal
Data to the Subscriber or complying with applicable law.
5.2. Following termination of the Agreement and subject to this clause 5, at the choice of the
Subscriber, Hexicom must delete or return to the Subscriber all Subscriber Personal Data in
Hexicom’s possession or control. Where the Subscriber requires that personal data be
returned, it must be returned to the Subscriber after the end of the provision of services relating
to Hexicom’s processing thereof (“Processing Conclusion Date”), and Hexicom must
thereafter delete all then remaining existing copies of that personal data in Hexicom’s
possession or control as soon as reasonably practicable, but in any event not more than thirty
(30) days after the Processing Conclusion Date, unless applicable law requires Hexicom to
retain the personal data. For the purposes of complying with those applicable laws, Hexicom
must notify the Subscriber of that requirement and only use such retained data for such
purposes.
5.3. Notwithstanding clause 5.2, where the Subscriber Personal Data is not GDPR Data and is
personal information for the purposes of the Privacy Act, within the thirty (30) day period
following the Processing Conclusion Date, instead of destroying the personal information,
Hexicom may take all reasonable steps in the circumstances to de-identify the applicable
Subscriber Personal Data where it no longer needs it for any purpose for which it may be used
in accordance with this Addendum or its Privacy Policy and the information is not contained in
a Commonwealth record and Hexicom is not required by Australian law (or a court or tribunal
order) to retain it.
6. Responsibility for consents, authorisations and approvals
6.1. The Subscriber warrants and represents that it consents to, approves and authorises, and that
it has or will obtain (and will in any event maintain for the Term of the Agreement) any other
necessary consents, approvals and authorisations (including any consents and authorisations
of end users, and those of third party controllers where the Subscriber is a processor), with
respect to any Subscriber Personal Data, to the extent that such consents, approvals and
authorisations are necessary for Hexicom to process that personal data for the purposes of the
Agreement pursuant to Data Protection Laws.
6.2. Without limiting the foregoing provisions, the Subscriber hereby warrants and represents to
Hexicom that all end users have authorised the Subscriber to appoint Hexicom as a processor
(or sub-processor) where such authorisation is required by Data Protection Laws in order for
Hexicom to lawfully process Subscriber Personal Data.
7. Subscriber processing instructions
7.1. Hexicom acknowledges that it will not process any GDPR Data in its capacity as a processor,
except pursuant to the Subscriber’s instructions (including with respect to data transfers)
unless applicable law to which Hexicom is subject requires other processing of that personal
data by Hexicom, in which case Hexicom will inform the Subscriber of that legal requirement
(unless that law prohibits Hexicom from doing so on important grounds of public interest).
7.2. Hexicom may assume that the Subscriber’s final and complete documented instructions to
Hexicom to act as a processor on the Subscriber’s behalf with respect to the processing of
Subscriber Personal Data are constituted by the following (“Subscriber Instructions”):
(a) the Agreement (including this Addendum incorporated into the Agreement);
(b) the act of the Subscriber uploading and/or entering of any personal data into the Platform;
(c) the act of any end users’ uploading and/or entering of any personal data into the
Platform;
(d) any settings selected, and/or configurations made, by the Subscriber or any end users in
the Platform;
(e) any reasonable written instructions provided by the Subscriber to Hexicom; and
(f) the Subscriber and relevant end users using the functionality of the Platform to issue
instructions to process personal data, such as, to delete personal data, export personal
data or transfer personal data to a subprocessor.
7.3. Hexicom is not required to comply with the instructions of the Subscriber with respect to the
processing of personal data, where complying with the instructions would contravene any
applicable law.
8. Whose personal data will Hexicom process?
8.1. The Platform is designed only to be used to process personal data of end users.
8.2. However, the Platform will automatically process any personal data uploaded or entered into it.
Hexicom may elect not to analyse all or any personal data uploaded or entered into the
Platform. It is the Subscriber’s responsibility to ensure that only personal data of individuals
that the Platform is designed to process is uploaded or entered into the Platform.
9. Types of Personal Data that will be processed
9.1. The types of personal data that will be processed by Hexicom in connection with the
Agreement are Subscriber Personal Data, namely:
(a) names
(b) telephone numbers
(c) mobile numbers
(d) email addresses
(e) credit card details
(f) tax file numbers
(g) bank account details
(h) postal addresses
(i) residential addresses
(j) business addresses.
9.2. The Platform will also process any other personal information that end users voluntarily enter
or upload into the Platform.
9.3. Hexicom will process the types of personal data referred to in this clause on behalf of the
Subscriber in Hexicom’s capacity as a processor in order to provide the Subscriber and its end
users with the functionality of the Platform.
9.4. The operations and sets of operations that will be performed by Hexicom on personal data or
on sets of personal data (whether or not by automated means) will include collecting,
recording, organising, structuring, storage, adaptation or alteration, modification, copying,
duplication, replication, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, restriction, erasure or destruction of
personal data, but only as required for the purposes of the Agreement.
10. Processing of Special Categories of Personal Data
10.1. Hexicom and the Subscriber each agree that the Platform is not to be used for
processing of special categories of personal data without the prior written consent of both
Hexicom and the Subscriber. The Subscriber must not, and must procure that all end users will
not, enter or upload any personal data that falls within the scope of special categories of
personal data into the Platform. Special categories of personal data are those revealing racial
or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership,
or genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health, or data concerning a natural person’s sex life or sexual orientation as
provided in paragraph 1 of Article 9 of the GDPR.
10.2. Notwithstanding subclause 1, Hexicom may process any Personal Data when
necessary for the establishment, exercise or defence of legal claims or in any of the other
circumstances referred to in paragraphs 2 and 3 of Article 9 of the GDPR.
11. Security
11.1. The technical and organisational measures that Hexicom has implemented, and will
continue to implement for the Term to protect personal data against unauthorised or unlawful
processing and against accidental loss, destruction or damage are as follows:
(a) Hexicom performs security testing (including penetration testing of the Platform), and
maintains other electronic (e-security) measures for the purposes of securing personal
information, such as passwords, anti-virus management, multi-factor authentication and
firewalls;
(b) Hexicom requires all of its employees and contractors to comply with privacy and
confidentiality terms and conditions in their employment contracts and subcontractor
agreements;
(c) Hexicom has a Data Breach Response Plan in place;
(d) Hexicom has data backup, archiving and disaster recovery processes in place;
(e) Hexicom has processes in place to ensure the integrity and resilience of systems, servers and
personal data.
11.2. The Subscriber warrants and represents that (taking into account the state of the art,
the costs of implementation and the nature, scope, context and purposes of the processing of
personal data by Hexicom as referred to in this Addendum, and the risks to individuals), the
security measures referred to in subclause 1 provide a level of security appropriate to the risk
in respect of the personal data to be processed by Hexicom on behalf of the Subscriber
pursuant to the Agreement.
12. Confidentiality
12.1. Hexicom must ensure that its personnel, appointed by Hexicom to process personal
data entered into and/or uploaded into the Platform by the Subscriber and/or any end user
and/or captured by Hexicom from them or their use of the Platform or interaction with Hexicom,
have committed themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality.
13. Sub-processing
13.1. Hexicom will only engage new third parties to process GDPR Data for Hexicom to
process as a processor on behalf of the Subscriber (“subprocessors”) if the Subscriber has
authorised Hexicom to do so pursuant to a specific or general written authorisation from the
Subscriber.
13.2. As at the date of this Addendum, Hexicom is authorised to continue to engage the
subprocessors already engaged by Hexicom to process GDPR Data. In addition, it is
specifically authorised to engage any hosting providers deemed appropriate by Hexicom to
host Subscriber Personal Data.
13.3. In the case of a general written authorisation, Hexicom shall inform the Subscriber of
any intended changes concerning the addition or replacement of Hexicom’s subprocessors,
thereby giving the Subscriber the opportunity to object to such changes. If the Subscriber
objects to such changes, the parties must meet (physically or by telephone or online) within
seven (7) days of the objection to discuss the changes. If the parties are unable to resolve any
dispute about the changes, Hexicom may terminate the Agreement.
14. Cooperation between Hexicom and the Subscriber
14.1. Any request made pursuant to any Data Protection Law by any end user or data subject
whose data is held by Hexicom on behalf of the Subscriber, where such request is made
directly to Hexicom, is to be referred to the Subscriber, and the Subscriber must action any
such request.
14.2. If Hexicom is obliged to provide cooperation to the Subscriber pursuant to the GDPR or
any other Data Protection Laws, all such cooperation will be at the cost of the Subscriber
payable at Hexicom’s standard rates then in effect, except where charging a fee for such
cooperation is prohibited by Data Protection Laws.
15. Data breaches
15.1. Each party must comply with its obligations set out in the Annexure to this Addendum in
relation to any data breach of Jointly Held Personal Information held or otherwise processed
for the purposes of the Agreement, where the party is required to do so pursuant to Data
Protection Laws.
15.2. All time spent by Hexicom complying with subclause 1 will be at the cost of the
Subscriber payable at Hexicom’s standard rates then in effect, except where the applicable
breach of Jointly Held Personal Information was caused by Hexicom’s breach of
Data Protection Laws or its obligations under the Agreement.
16. Indemnity
16.1. Each party (the first party) must indemnify the other party from and against any loss or
damage incurred by the other party as a result of the first party’s breach of this Addendum.
17. Relationship of the parties
17.1. Each party hereby agrees for the purposes of this Addendum and the GDPR that, as
between them, Hexicom is the processor and the Subscriber is the controller, in connection
with any processing of GDPR Data carried out by Hexicom on behalf of the Subscriber, as
contemplated by this Addendum.
17.2. However, the parties also hereby agree that Hexicom has a legitimate interest in using
any data entered into and/or uploaded into the Platform by end users, and/or otherwise
collected by Hexicom for Hexicom’s own legitimate purposes (including for billing and product
development, and for the purpose of enforcing Hexicom’s rights) – and to the extent that
Hexicom uses such data for those purposes, Hexicom will be the controller for the purposes of
the GDPR and any other Data Protection Laws.
17.3. Where Hexicom is not a processor in connection with Subscriber Personal Data, it will
process that personal data in accordance with its Privacy Policy and all Data Protection Laws.
18. General
18.1. Amendment: Hexicom may amend this Addendum by written notice to the Subscriber
(“Amendment Notice”) if and to the extent the amendment is necessary to comply with Data
Protection Laws or any amendments made to them, or the requirements of any applicable
supervisory, government or regulatory authority, or to implement any standard clauses or
comply with any certification or code of conduct approved by the European Commission or
issued pursuant to the GDPR.
18.2. Assignment: Neither party may assign, transfer, license or novate its rights or obligations
under this Addendum without the prior written consent of the other party (not to be
unreasonably withheld).
18.3. Severability: If any provision of this Addendum is deemed invalid by a court of competent
jurisdiction, the remainder of this Addendum shall remain enforceable. If a provision of this
Addendum conflicts with any Data Protection Law affecting the parties’ commercial
relationship, that provision will be severed and the remainder of this Addendum will remain
enforceable.
18.4. Relationship: The parties are independent contractors and this Addendum does not create any
relationship of partnership, joint venture, or employer and employee or otherwise.
18.5. Counterparts: This Addendum may be executed in counterparts provided that no binding
agreement shall be reached until the executed counterparts are exchanged.
18.6. Entire Agreement: This Addendum including the attached Annexure and any terms implied
herein by any applicable Data Protection Laws constitute the entire agreement between the
parties and to the extent possible by law, supersedes all prior understandings,
representations, arrangements and agreements between the parties, regarding its subject
matter.
18.7. Jurisdiction and Governing law: This Addendum will be governed by and construed in
accordance with the law of New South Wales. To the extent this Addendum is inconsistent
with any other provision of the Agreement, this Addendum shall prevail.
Annexure – Agreed Data Breach Procedures
1. Actions to be taken for the purposes of the Privacy Act
1.1. If there is a suspected, potential or actual eligible data breach of Subscriber Personal Data
(“Breach”), the party that detects the Breach (the “Detecting Party”) must immediately notify the
other party of the Breach by email with full particulars of the Breach to the other party using the
contact details set out in the Application Form.
1.2. Upon the Detecting Party detecting the Breach, it must also carry out the following actions:
(a) Step 1: Contain and assess the data breach. The Detecting Party must conduct a
preliminary assessment and/or investigation to determine whether or not there has been a
data breach or whether one is likely to occur, and then contain the Breach by removing
the cause of the Breach to prevent further unauthorised access or disclosure or loss of
information. If the Detecting Party is aware of reasonable grounds for suspecting a Breach
occurred, the Detecting Party must immediately lock down any potential avenues for
further similar data breaches whether or not it is ultimately proven that a suspected data
breach actually occurred. In some cases, it may be impossible to determine whether there
has been a data breach, particularly where relevant records confirming the breach have
been destroyed or are otherwise unavailable. Even so, the Detecting Party must
immediately lock down any potential avenues for further data breaches. Similarly, the
Detecting Party must do everything possible to prevent the data breach from occurring.
The Detecting Party is to engage all relevant IT, security and managerial personnel to
remove the cause of any suspected or potential data breaches. Where an actual data
breach has occurred, the Detecting Party must similarly engage all relevant IT, security
and managerial personnel to remove the cause of the breach. Once the cause of the
Breach has been removed, the Detecting Party must determine if a data breach has
occurred that requires notification under the NDB Law. The NDB Law requires that only
eligible data breaches must be notified. If the Detecting Party becomes aware of
reasonable grounds that indicate that there has been an eligible data breach, the Breach
is required to be notified to the relevant individuals at risk of serious harm and the
Australian Information Commissioner.
(b) Step 2: Notify insurers. Each party must promptly notify its insurers from which it has
obtained any Cyber Liability Insurance policy of the Breach.
(c) Step 3: Determine if an eligible data breach has occurred. For the purposes of the
NDB Law and this Addendum, an eligible data breach occurs if the following 3 criteria are
satisfied:
(i) there is unauthorised access to or unauthorised disclosure of Jointly Held
Personal Information, or a loss of Jointly Held Personal Information;
(ii) the Breach is likely to result in serious harm to one or more individuals; and
(iii) the Detecting Party has not been able to prevent the likely risk of serious harm
with remedial action.
The Detecting Party must consider the above criteria when determining whether an
eligible data breach has occurred. For the purposes of the NDB scheme, serious harm
is deemed to have occurred or be likely to occur if a reasonable person would consider
that it has so occurred or is likely to occur. Serious harm is not defined in the Privacy Act,
but in the context of a Breach it may include among other things serious psychological,
physical, emotional, financial or reputational harm. Some of the matters that may inform a
decision that serious harm has occurred include the sensitivity of the Jointly Held
Personal Information that was the subject of the Breach, the type of Jointly Held Personal
Information lost, accessed or disclosed, and whether the Jointly Held Personal
Information was encrypted.
If the Detecting Party suspects that a Breach may have occurred, it must take all
reasonable steps to ensure that an assessment is completed expeditiously and in any
event within thirty (30) days after it becomes aware of the reasonable grounds to suspect
that there may have been an eligible data breach for the purpose of the NDB Law. The
Detecting Party must keep the other party informed at all times while the Detecting Party
is undertaking any assessment of a suspected eligible data breach, and must notify the
other party if the Detecting Party becomes aware of reasonable grounds that indicate that
an actual eligible data breach has occurred with full particulars of the eligible data breach.
(d) Step 4: Remedial action. Under the NDB Law, where there is an eligible breach of Jointly
Held Personal Information, a party must use its best endeavours to take positive steps to
address the eligible breach in a timely manner, which results in the eligible data breach
not being likely to cause serious harm. In circumstances where personal information is
lost but the remedial action removes the likelihood of it causing serious harm, the NDB
Law provides that the eligible data breach will be taken to have not occurred. The parties
agree that if a Breach occurs involving Jointly Held Personal Information, the Subscriber
and Hexicom must each use their respective best endeavours to take positive steps to
address the Breach in a timely manner, which results in the eligible data breach not being
likely to cause serious harm. Each party must keep the other party informed at all times
while that remedial action is being undertaken, and must notify the other party if the
remedial action has removed the likelihood of the Breach causing serious harm. If
Hexicom forms the opinion in its absolute discretion that the Subscriber has not
completed an expeditious assessment of the Breach and/or has not expeditiously carried
out remedial action that may result in the Breach not being likely to cause serious harm,
Hexicom may notify the Subscriber that Hexicom requires the Subscriber to notify the
Breach pursuant to paragraph (e) below (“Notification Demand”). If Hexicom issues a
Notification Demand, the Subscriber must notify all relevant individuals and the Office of
the Information Commissioner pursuant to paragraph (e) below within twenty-four (24)
hours of the Notification Demand (time being of the essence) notwithstanding that
paragraph may require the notifications to be issued within a different period of time.
(e) If an eligible data breach of Jointly Held Personal Information has occurred for the
purposes of the NDB Law (that has not been remedied in accordance with paragraph (d)),
the Subscriber must as soon as possible:
(i) notify the Australian Information Commissioner of the eligible data breach; and
(ii) notify the relevant individuals to whom the Jointly Held Personal Information relates
of the eligible data breach,
in accordance with the NDB Law.
2. Action to be taken by the Subscriber for the purposes of the GDPR
2.1. This clause 2 only applies to GDPR Data held or otherwise processed by Hexicom as a
processor on behalf of the Subscriber.
2.2. In the case of a personal data breach, Hexicom must notify the Subscriber of a data breach
that it becomes aware of without undue delay. The Subscriber shall without undue delay and,
where feasible, not later than seventy-two (72) hours after having become aware of it, notify
the personal data breach to the supervisory authority competent in accordance with Article 55
of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and
freedoms of natural persons.
2.3. Where the notification to the supervisory authority is not made within seventy-two (72) hours, it
shall be accompanied by reasons for the delay.
2.4. The notification referred to in subclauses 2 and 3 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories
and approximate number of data subjects concerned and the categories and approximate
number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact
point where more information can be obtained;
(c) describe the likely consequences of the personal data breach; and
(d) describe the measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its possible
adverse effects.
2.5. Where, and in so far as, it is not possible to provide the information at the same time, the
information may be provided in phases without undue further delay.
2.6. The Subscriber shall document any personal data breaches, comprising the facts relating to
the personal data breach, its effects and the remedial action taken. That documentation shall
enable the supervisory authority to verify compliance with Article 33 of the GDPR.
2.7. When the personal data breach is likely to result in a high risk to the rights and freedoms of
natural persons, the Subscriber shall communicate the personal data breach to the data
subject without undue delay as required under Article 34 of the GDPR.
2.8. The communication to the data subject referred to in subclause 7 shall describe in clear and
plain language the nature of the personal data breach and contain at least the information and
measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
2.9. The communication to the data subject referred to in subclause 7 shall not be required if any
of the following conditions are met:
(a) the Subscriber has implemented appropriate technical and organisational protection
measures, and those measures were applied to the personal data affected by the personal
data breach, in particular those that render the personal data unintelligible to any person
who is not authorised to access it, such as encryption;
(b) the Subscriber has taken subsequent measures which ensure that the high risk to the
rights and freedoms of data subjects referred to in subclause 7 is no longer likely to
materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public
communication or similar measure whereby the data subjects are informed in an equally
effective manner.
2.10. If the Subscriber has not already communicated the personal data breach to the data subject,
the supervisory authority, having considered the likelihood of the personal data breach
resulting in a high risk, may require it to do so or may decide that any of the conditions
referred to in subclause 9 are met.