SaaS Terms of Use
Please read this SaaS Terms of Use (Terms of Use) carefully. It governs Your commercial relationship with Us and sets out legally binding provisions which regulate Your use of Our website platform and the services that We make available through Our platform.
To assist You, We have prepared summaries of Our Terms of Use. Our summaries are in the right-hand column below. The summaries are not a substitute for reading the operative provisions of Our Terms of Use (i.e. those in the left-hand column below). The operative provisions of Our Terms of Use are legally binding. Our summaries are not legally binding, and do not limit the scope or operation of the operative provisions.
| Operative Provisions | Summary |
|---|---|
| 1. Acceptance and modification of these Terms of Use 1.1. You may only access, browse and use Our website Platform and the Services that We make available through Our Platform if You accept and agree to these Terms of Use. By accessing, browsing and/or using Our Platform, and by submitting an Application Form to Us, You will be deemed to have confirmed that You have read and understand, and wholly and unconditionally agree to be legally bound by, and accept, these Terms of Use including the provisions of the documents incorporated into these Terms of Use (namely, Our Privacy Policy and, if You are a Subscriber, the Application Form and Our Data Processing Addendum). | You may only use the Platform if You agree to Our Terms of Use. |
| 2. Definitions and Interpretation 2.1. Definitions In these Terms of Use: 1.1. Interpretation In these Terms of Use: | Capitalised terms in these Terms of Use are defined in this clause. |
| 2. Access and use of the Platform by unregistered users 2.1. Only Subscribers may access and use the Services. Please contact Us if You wish to become a Subscriber. | You can’t use most of the functionality provided by the Platform until You become a Subscriber. |
| 3. Applications for subscription to the Platform 3.1. We reserve the right to accept or reject any person’s subscription to the Platform in Our absolute discretion. | Your registration on Our Platform is subject to Our approval. You and Your company are both responsible for Your or their breach of Our Terms of Use and for the security of Your login credentials. |
| 4. Renewal 4.1. If You become a Subscriber, Your subscription to the Services commences on the Commencement Date specified in the Application Form. | The SaaS Agreement will continue for 12 month periods after the Initial Term. |
| 5. Service Charges 5.1. Each Subscriber must pay the fees and charges set out in the SaaS Agreement, or as otherwise agreed between Us and the Subscriber in writing, in consideration for the Subscriber’s subscription to the Services (“Service Charges”) monthly in advance, plus any GST that is applicable in respect of the supply of the Services to the Subscriber. | Subscribers must pay any set-up fees and monthly Service Charges in advance by the 28th day of every month. |
| 6. Custom Software Development 6.1. You may issue a Request for Quotation to Us at any time and from time to time with respect to any custom software development that You may require for the purposes of enhancing or modifying the Platform. | You may request custom software development from Us. We will consider Your requests on a case-by-case basis. |
| 7. Responsibility for and ownership of Subscriber Data 7.1. If You are a Subscriber, We agree that as between You and Us, You own all data that You upload into the Services (“Subscriber Data”). | As between You and Us, You own the data that You upload into the Platform. You have to obtain consent, where relevant, before uploading it. |
| 8. Availability of Services 8.1. Subject to clauses 8.2, 8.3 and 8.4, while You are a Subscriber of the Platform, We agree to use Our best endeavours to procure hosting of the Services and the Subscriber Data and to ensure that the Services are available. | Our Platform might go offline from time to time. |
| 9. Usage Restrictions 9.1. You may not make any use of the Platform except as permitted by these Terms of Use. | We own the Platform and all IP in the Platform. You cannot infringe Our IP rights. |
| 10. Acceptable Use Policy 10.1. You agree that: | You cannot use the Platform for any illegal purpose or to violate any person’s legal rights. |
| 11. Intellectual Property Rights 11.1. You agree and acknowledge that these Terms of Use do not transfer or assign any Intellectual Property Rights to You. | We own the Platform and all IP in the Platform. We also own all improvement suggestions that You make regarding the Platform. |
| 12. Responsibility for other Subscribers 12.1. We do not accept responsibility for the conduct of any Subscribers of Our Platform. | We cannot be held responsible for the conduct of Our Subscribers. |
| 13. Responsibility for third party claims 13.1. You agree and acknowledge that You are solely responsible for and You indemnify Us in respect of any loss and damage We may incur in connection with any claims and/or complaints made by any third party where the claim is caused directly or indirectly by: | We are not responsible for any claims made by third parties. |
| 14. Hyperlinks 14.1. We do not represent, recommend or endorse any websites to which We have linked from the Platform via hyperlink or otherwise. | We are not responsible for third party sites. |
| 15. Liability 15.1. Except in respect of any Non-Excludable Guarantees, We do not represent that the information on the Platform is accurate, correct, up-to-date or error free. | Our liability is limited in a number of ways. |
| 16. Termination 16.1. If You are not a Subscriber, We may terminate these Terms of Use and Your access to the Platform or any part of it at any time without notice. | We can terminate Your access to the Platform under certain conditions. |
| 17. Notices 17.1. Any notice issued to Us from You or from Us to You shall be in writing and sent by hand delivery, post or email. Where sent from Us to You, We shall use Your contact details for Your Platform Account set out in the Application Form. | Notices between You and Us are deemed to be delivered at different times, depending on how and when they are sent. |
| 18. General 18.1. Other rights: All rights not expressly granted to Us in these Terms of Use are expressly reserved by Us. | We reserve Our rights. |
| 18.2. Amendment: These Terms of Use may be amended by Us at any time. If You are a Subscriber, We will notify You of the amendments by providing notice in writing, or via a notice on the Platform (Amendment Notice). If You do not agree with the Amendment Notice, You must notify Us by written notice of that fact within seven (7) days of the date of the Amendment Notice (Objection Notice). If You and Us are unable to resolve the objection within seven (7) days from the date of the Objection Notice (Dispute Resolution Period), either party may terminate the SaaS Agreement for its convenience by written notice within seven (7) days of the expiry of the Dispute Resolution Period. We may withdraw an Amendment Notice prior to the expiry of the Dispute Resolution Period – if We do so You may not terminate the Agreement pursuant to this clause. | We can change these Terms of Use at any time. If You are unhappy about the changes, You can terminate Your subscription. |
| 18.3. Assignment: You may not assign, transfer, license or novate Your rights or obligations under these Terms of Use without Our prior written consent. We may assign, transfer, licence or novate Our rights or obligations under these Terms of Use at any time, subject to Our Privacy Policy. | You cannot transfer Your rights under these Terms of Use unless We approve the transfer. We can transfer Our rights and obligations at any time. |
| 18.4. Severability: If any part of these Terms of Use is deemed invalid by a court of competent jurisdiction, the remainder of these Terms of Use shall remain enforceable. | If part of these Terms of Use is not legally binding, the rest still is. |
| 18.5. Relationship: You and Us are independent contracting entities and these Terms of Use do not create any relationship of partnership, joint venture, fiduciary, or employer and employee or otherwise. | We are not partners, employer and employee, or in any other special commercial relationship. |
| 18.6. Australian Consumer Law: The exclusions and limitations of liability set out in these Terms of Use shall apply to the fullest extent permissible at law, but We do not exclude or limit liability which may not be excluded or limited by law. Without limiting the foregoing provisions, We do not exclude liability under the Australian Consumer Law which is prohibited from being excluded. | Our liability is only limited to the extent permitted by law. |
| 18.7. Entire Agreement: These Terms of Use, the Application Form, the Privacy Policy and the Data Processing Addendum constitute the entire agreement between You and Us (collectively, the SaaS Agreement) and to the extent possible by law, supersede all prior understandings, representations, arrangements and agreements between You and Us regarding its subject matter. | These Terms of Use, the Application Form, Privacy Policy and Data Processing Addendum set out Our entire agreement. |
| 18.8. Jurisdiction: The SaaS Agreement will be interpreted in accordance with the laws in force in New South Wales. You and Us irrevocably submit to the non-exclusive jurisdiction of the courts situated in New South Wales. | These Terms of Use will be subject to the law of New South Wales. |
— UPDATED 6 DECEMBER 2018 —
Data Processing Addendum
PARTIES
Hexicom Software Pty Ltd ABN 99 129 473 472 of PO Box 299 Berowra Heights NSW 2082 Australia (“Hexicom”)
The subscriber of Hexicom’s Platform specified in the Application Form in the SaaS Agreement into which this Data Processing Addendum (“Addendum”) is incorporated.
RECITALS
A. Hexicom agrees, or has agreed, to provide, and the Subscriber agrees, or has agreed, to engage Hexicom to provide, the Subscriber with access to Hexicom’s online platform (collectively, the “Platform”) under a SaaS Agreement (the “Agreement”).
B. This Addendum addresses a number of compliance matters for the purposes of Data Protection Laws.
C. In addition, this Addendum outlines how Hexicom and the Subscriber will approach actual, potential or suspected data breaches that may occur from time to time with respect to personal information and/or personal data under the Agreement ‘held’ by both Hexicom and the Subscriber (“Jointly Held Personal Information”) pursuant to the Agreement for the purposes of The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“NDB Law”) and/or the General Data Protection Regulation (GDPR) (EU) 2016/679 (the “GDPR”).
THE PARTIES AGREE AS FOLLOWS:
1. Definitions and Interpretation
1.1. Definitions
In this Addendum:
(a) any words starting with a capital letter shall have the meanings given to them in the Agreement unless otherwise defined in this Addendum;
(b) Hexicom and the Subscriber will each be referred to as a “party” and together the “parties”;
(c) “end user” means any person who accesses the Platform using the Subscriber’s subscription to the Platform;
(d) “Subscriber Personal Data” means personal data and/or personal information entered by the Subscriber into the Platform;
(e) the words “controller”, “consent”, “processor”, “data subject”, “personal data”, “processing”, “processed”, “special categories of personal data”, “Data Protection Officer” and “process” shall have the meanings given to them in the GDPR;
(f) the word “held” (and other forms of that word) has the meaning that ‘held’ is given in the Privacy Act 1988 (Cth) (the “Privacy Act”);
(g) “personal information” has the meaning given in the Privacy Act.
1.2. Interpretation
(a) The rules of interpretation set out in the Agreement will apply to this Addendum, except where inconsistent with Data Protection Laws, in which case the interpretation provisions of the relevant Data Protection Laws will prevail.
(b) The recitals to this Addendum form part of its operative binding terms.
1.3. References to GDPR
In this Addendum, any provision which refers to an obligation of a party to comply with the GDPR, or the right of a party under the GDPR, only applies to the extent that the GDPR applies to the processing pursuant to Article 3 of the GDPR. The parties have agreed that if Hexicom processes personal data of the Subscriber or any end user on behalf of the Subscriber and such processing is regulated by the GDPR (where the processing is within the territorial scope of the GDPR as set out in Article 3 thereof) (“GDPR Data”), this Addendum will govern Hexicom’s and the Subscriber’s commercial relationship for the purposes of the GDPR.
2. Term of this Addendum
2.1. This Addendum will apply for the Term of the Agreement and will automatically and immediately terminate upon termination or expiry of the Agreement for any reason.
3. Compliance with Data Protection Laws
3.1. Each party hereby agrees that it will comply with its obligations under all Data Protection Laws, including by collecting, holding, disclosing and otherwise processing personal data only in accordance with those laws and by maintaining all records and information required by any such laws.
3.2. The Subscriber must not provide instructions to Hexicom with respect to Subscriber Personal Data which contravene any Data Protection Laws. Hexicom will not have any obligation to process any such instructions or to process any personal data on behalf of the Subscriber if doing so would contravene any Data Protection Laws.
3.3. The Subscriber must provide Hexicom with any information and otherwise cooperate with Hexicom, to the extent reasonably required by Hexicom to comply with its obligations under Data Protection Laws.
3.4. Each party must take reasonable steps to ensure that its employees, agents and contractors comply with Data Protection Laws.
4. The GDPR
4.1. With respect to the processing of Subscriber Personal Data by Hexicom (as a processor) on behalf of the Subscriber (as controller) within the scope of the GDPR, Hexicom shall, at a minimum, retain a record of all categories of processing activities carried out on behalf of the Subscriber by Hexicom, containing:
(a) the name and contact details of Hexicom and of the Subscriber and, where applicable, Hexicom’s or the Subscriber’s representative, and the data protection officer;
(b) the categories of processing carried out on behalf of the Subscriber;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
4.2. In addition, with respect to GDPR Data, Hexicom agrees that:
(a) it will process the personal data only on documented instructions from the Subscriber, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which Hexicom is subject; in such a case, Hexicom shall inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) it will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) it will take all measures required pursuant to Article 32 of the GDPR;
(d) it will respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
(e) taking into account the nature of the processing, it will assist the Subscriber by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(f) it will assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to Hexicom;
(g) at the choice of the Subscriber, it will delete or return all the personal data to the Subscriber after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
(h) it will make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber.
5. Processing duration and de-identification
5.1. Hexicom may only process Subscriber Personal Data during the Term of the Agreement, and following the Agreement only for the purposes of deleting or returning Subscriber Personal Data to the Subscriber or complying with applicable law.
5.2. Following termination of the Agreement and subject to this clause 5, at the choice of the Subscriber, Hexicom must delete or return to the Subscriber all Subscriber Personal Data in Hexicom’s possession or control. Where the Subscriber requires that personal data be returned, it must be returned to the Subscriber after the end of the provision of services relating to Hexicom’s processing thereof (“Processing Conclusion Date”), and Hexicom must thereafter delete all then remaining existing copies of that personal data in Hexicom’s possession or control as soon as reasonably practicable, but in any event not more than thirty (30) days after the Processing Conclusion Date, unless applicable law requires Hexicom to retain the personal data. For the purposes of complying with those applicable laws, Hexicom must notify the Subscriber of that requirement and only use such retained data for such purposes.
5.3. Notwithstanding clause 5.2, where the Subscriber Personal Data is not GDPR Data and is personal information for the purposes of the Privacy Act, within the thirty (30) day period following the Processing Conclusion Date, instead of destroying the personal information, Hexicom may take all reasonable steps in the circumstances to de-identify the applicable Subscriber Personal Data where it no longer needs it for any purpose for which it may be used in accordance with this Addendum or its Privacy Policy, the information is not contained in a Commonwealth record, and Hexicom is not required by Australian law (or a court or tribunal order) to retain it.
6. Responsibility for consents, authorisations and approvals
6.1. The Subscriber warrants and represents that it consents to, approves and authorises, and that it has or will obtain (and will in any event maintain for the Term of the Agreement) any other necessary consents, approvals and authorisations (including any consents and authorisations of end users, and those of third party controllers where the Subscriber is a processor), with respect to any Subscriber Personal Data, to the extent that such consents, approvals and authorisations are necessary for Hexicom to process that personal data for the purposes of the Agreement pursuant to Data Protection Laws.
6.2. Without limiting the foregoing provisions, the Subscriber hereby warrants and represents to Hexicom that all end users have authorised the Subscriber to appoint Hexicom as a processor (or sub-processor) where such authorisation is required by Data Protection Laws in order for Hexicom to lawfully process Subscriber Personal Data.
7. Subscriber processing instructions
7.1. Hexicom acknowledges that it will not process any GDPR Data in its capacity as a processor, except pursuant to the Subscriber’s instructions (including with respect to data transfers) unless applicable law to which Hexicom is subject requires other processing of that personal data by Hexicom, in which case Hexicom will inform the Subscriber of that legal requirement (unless that law prohibits Hexicom from doing so on important grounds of public interest).
7.2. Hexicom may assume that the Subscriber’s final and complete documented instructions to Hexicom to act as a processor on the Subscriber’s behalf with respect to the processing of Subscriber Personal Data are constituted by the following (“Subscriber Instructions”):
(a) the Agreement (including this Addendum incorporated into the Agreement);
(b) the act of the Subscriber uploading and/or entering of any personal data into the Platform;
(c) the act of any end user uploading and/or entering of any personal data into the Platform;
(d) any settings selected, and/or configurations made, by the Subscriber or any end users in the Platform;
(e) any reasonable written instructions provided by the Subscriber to Hexicom; and
(f) the Subscriber and relevant end users using the functionality of the Platform to issue instructions to process personal data, such as, to delete personal data, export personal data or transfer personal data to a subprocessor.
7.3. Hexicom is not required to comply with the instructions of the Subscriber with respect to the processing of personal data, where complying with the instructions would contravene any applicable law.
8. Whose personal data will Hexicom process?
8.1. The Platform is designed only to be used to process personal data of end users.
8.2. However, the Platform will automatically process any personal data uploaded or entered into it. Hexicom may elect not to analyse all or any personal data uploaded or entered into the Platform. It is the Subscriber’s responsibility to ensure that only personal data of individuals that the Platform is designed to process is uploaded or entered into the Platform.
9. Types of Personal Data that will be processed
9.1. The types of personal data that will be processed by Hexicom in connection with the Agreement are Subscriber Personal Data, namely:
(a) names
(b) telephone numbers
(c) mobile numbers
(d) email addresses
(e) credit card details
(f) tax file numbers
(g) bank account details
(h) postal addresses
(i) residential addresses
(j) business addresses.
9.2. The Platform will also process any other personal information that end users voluntarily enter or upload into the Platform.
9.3. Hexicom will process the types of personal data referred to in this clause on behalf of the Subscriber in Hexicom’s capacity as a processor in order to provide the Subscriber and its end users with the functionality of the Platform.
9.4. The operations and sets of operations that will be performed by Hexicom on personal data or on sets of personal data (whether or not by automated means) will include collecting, recording, organising, structuring, storage, adaptation or alteration, modification, copying, duplication, replication, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, but only as required for the purposes of the Agreement.
10. Processing of Special Categories of Personal Data
10.1. Hexicom and the Subscriber each agree that the Platform is not to be used for processing of special categories of personal data without the prior written consent of both Hexicom and the Subscriber. The Subscriber must not, and must procure that all end users will not, enter or upload any personal data that falls within the scope of special categories of personal data into the Platform. Special categories of personal data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation as provided in paragraph 1 of Article 9 of the GDPR.
10.2. Notwithstanding subclause 1, Hexicom may process any Personal Data when necessary for the establishment, exercise or defence of legal claims or in any of the other circumstances referred to in paragraphs 2 and 3 of Article 9 of the GDPR.
11. Security
11.1. The technical and organisational measures that Hexicom has implemented, and will continue to implement for the Term to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage are as follows:
• Hexicom performs security testing (including penetration testing of the Platform), and maintains other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multi-factor authentication and firewalls;
• Hexicom requires all of its employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements;
• Hexicom has a Data Breach Response Plan in place;
• Hexicom has data backup, archiving and disaster recovery processes in place;
• Hexicom has processes in place to ensure integrity and resilience of systems, servers and personal data.
11.2. The Subscriber warrants and represents that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of personal data by Hexicom as referred to in this Addendum, and the risks to individuals), the security measures referred to in subclause 1 provide a level of security appropriate to the risk in respect of the personal data to be processed by Hexicom on behalf of the Subscriber pursuant to the Agreement.
12. Confidentiality
12.1. Hexicom must ensure that its personnel, appointed by Hexicom to process personal data entered into and/or uploaded into the Platform by the Subscriber and/or any end user and/or captured by Hexicom from them or their use of the Platform or interaction with Hexicom, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
13. Sub-processing
13.1. Hexicom will only engage new third parties to process GDPR Data for Hexicom to process as a processor on behalf of the Subscriber (“subprocessors”) if the Subscriber has authorised Hexicom to do so pursuant to a specific or general written authorisation from the Subscriber.
13.2. As at the date of this Addendum, Hexicom is authorised to continue to engage the subprocessors already engaged by Hexicom to process GDPR Data. In addition, it is specifically authorised to engage any hosting providers deemed appropriate by Hexicom to host Subscriber Personal Data.
13.3. In the case of a general written authorisation, Hexicom shall inform the Subscriber of any intended changes concerning the addition or replacement of Hexicom’s subprocessors, thereby giving the Subscriber the opportunity to object to such changes. If the Subscriber objects to such changes, the parties must meet (physically or by telephone or online) within seven (7) days of the objection to discuss the changes. If the parties are unable to resolve any dispute about the changes, Hexicom may terminate the Agreement.
14. Cooperation between Hexicom and the Subscriber
14.1. Any request made pursuant to any Data Protection Law by any end user or other data subject whose data is held by Hexicom on behalf of the Subscriber, where such request is made directly to Hexicom, is to be referred to the Subscriber, and the Subscriber must action any such request.
14.2. If Hexicom is obliged to provide cooperation to the Subscriber pursuant to the GDPR or any other Data Protection Laws, all such cooperation will be at the cost of the Subscriber payable at Hexicom’s standard rates then in effect, except where charging a fee for such cooperation is prohibited by Data Protection Laws.
15. Data breaches
15.1. Each party must comply with its obligations set out in the Annexure to this Addendum in relation to any data breach of Jointly Held Personal Information held or otherwise processed for the purposes of the Agreement, where the party is required to do so pursuant to Data Protection Laws.
15.2. All time spent by Hexicom complying with subclause 1 will be at the cost of the Subscriber payable at Hexicom’s standard rates then in effect, except where the applicable breach of Jointly Held Personal Information was caused by Hexicom’s breach of Data Protection Laws or its obligations under the Agreement.
16. Indemnity
16.1. Each party (the first party) must indemnify the other party from and against any loss or damage incurred by the other party as a result of the first party’s breach of this Addendum.
17. Relationship of the parties
17.1. Each party hereby agrees for the purposes of this Addendum and the GDPR that, as between them, Hexicom is the processor and the Subscriber is the controller, in connection with any processing of GDPR Data carried out by Hexicom on behalf of the Subscriber, as contemplated by this Addendum.
17.2. However, the parties also hereby agree that Hexicom has a legitimate interest in using any data entered into and/or uploaded into the Platform by end users, and/or otherwise collected by Hexicom for Hexicom’s own legitimate purposes (including for billing and product development, and for the purpose of enforcing Hexicom’s rights) – and to the extent that Hexicom uses such data for those purposes, Hexicom will be the controller for the purposes of the GDPR and any other Data Protection Laws.
17.3. Where Hexicom is not a processor in connection with Subscriber Personal Data, it will process that personal data in accordance with its Privacy Policy and all Data Protection Laws.
18. General
18.1. Amendment: Hexicom may amend this Addendum by written notice to the Subscriber (“Amendment Notice”) if and to the extent the amendment is necessary to comply with Data Protection Laws or any amendments made to them, or the requirements of any applicable supervisory, government or regulatory authority, or to implement any standard clauses or comply with any certification or code of conduct approved by the European Commission or issued pursuant to the GDPR.
18.2. Assignment: Neither party may assign, transfer, license or novate its rights or obligations under this Addendum without the prior written consent of the other party (not to be unreasonably withheld).
18.3. Severability: If any provision of this Addendum is deemed invalid by a court of competent jurisdiction, the remainder of this Addendum shall remain enforceable. If a provision of this Addendum conflicts with any Data Protection Law affecting the parties’ commercial relationship, that provision will be severed and the remainder of this Addendum will remain enforceable.
18.4. Relationship: The parties are independent contractors and this Addendum does not create any relationship of partnership, joint venture, or employer and employee or otherwise.
18.5. Counterparts: This Addendum may be executed in counterparts provided that no binding agreement shall be reached until the executed counterparts are exchanged.
18.6. Entire Agreement: This Addendum including the attached Annexure and any terms implied herein by any applicable Data Protection Laws constitute the entire agreement between the parties and to the extent possible by law, supersedes all prior understandings, representations, arrangements and agreements between the parties, regarding its subject matter.
18.7. Jurisdiction and Governing law: This Addendum will be governed by and construed in accordance with the law of New South Wales. To the extent this Addendum is inconsistent with any other provision of the Agreement, this Addendum shall prevail.
Annexure – Agreed Data Breach Procedures
1. Actions to be taken for the purposes of the Privacy Act
1.1. If there is a suspected, potential or actual eligible data breach of Subscriber Personal Data (“Breach”), the party that detects the Breach (the “Detecting Party”) must immediately notify the other party of the Breach by email, with full particulars of the Breach, using the contact details set out in the Application Form.
1.2. Upon the Detecting Party detecting the Breach, it must also carry out the following actions:
(a) Step 1: Contain and assess the data breach. The Detecting Party must conduct a preliminary assessment and/or investigation to determine whether or not there has been a data breach or whether one is likely to occur, and then contain the Breach by removing the cause of the Breach to prevent further unauthorised access or disclosure or loss of information. If the Detecting Party is aware of reasonable grounds for suspecting a Breach occurred, the Detecting Party must immediately lock down any potential avenues for further similar data breaches whether or not it is ultimately proven that a suspected data breach actually occurred. In some cases, it may be impossible to determine whether there has been a data breach, particularly where relevant records confirming the breach have been destroyed or are otherwise unavailable. Even so, the Detecting Party must immediately lock down any potential avenues for further data breaches. Similarly, the Detecting Party must do everything possible to prevent the data breach from occurring. The Detecting Party is to engage all relevant IT, security and managerial personnel to remove the cause of any suspected or potential data breaches. Where an actual data breach has occurred, the Detecting Party must similarly engage all relevant IT, security and managerial personnel to remove the cause of the breach. Once the cause of the Breach has been removed, the Detecting Party must determine if a data breach has occurred that requires notification under the NDB Law. The NDB Law requires that only eligible data breaches must be notified. If the Detecting Party becomes aware of reasonable grounds that indicate that there has been an eligible data breach, the Breach is required to be notified to the relevant individuals at risk of serious harm and the Australian Information Commissioner.
(b) Step 2: Notify insurers. Each party must promptly notify its insurers from which it has obtained any Cyber Liability Insurance policy of the Breach.
(c) Step 3: Determine if an eligible data breach has occurred. For the purposes of the NDB Law and this Addendum, an eligible data breach occurs if the following 3 criteria are satisfied:
(i) there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information;
(ii) the Breach is likely to result in serious harm to one or more individuals; and
(iii) the Detecting Party has not been able to prevent the likely risk of serious harm with remedial action.
The Detecting Party must consider the above criteria when determining whether an eligible data breach has occurred. For the purposes of the NDB scheme, serious harm is deemed to have occurred or be likely to occur if a reasonable person would consider that it has so occurred or is likely to occur. Serious harm is not defined in the Privacy Act, but in the context of a Breach it may include among other things serious psychological, physical, emotional, financial or reputational harm. Some of the matters that may inform a decision that serious harm has occurred include the sensitivity of the Jointly Held Personal Information that was the subject of the Breach, the type of Jointly Held Personal Information lost, accessed or disclosed, and whether the Jointly Held Personal Information was encrypted.
If the Detecting Party suspects that a Breach may have occurred, it must take all reasonable steps to ensure that an assessment is completed expeditiously and in any event within thirty (30) days after it becomes aware of the reasonable grounds to suspect that there may have been an eligible data breach for the purpose of the NDB Law. The Detecting Party must keep the other party informed at all times while the Detecting Party is undertaking any assessment of a suspected eligible data breach, and must notify the other party if the Detecting Party becomes aware of reasonable grounds that indicate that an actual eligible data breach has occurred with full particulars of the eligible data breach.
(d) Step 4: Remedial action. Under the NDB Law, where there is an eligible breach of Jointly Held Personal Information, a party must use its best endeavours to take positive steps to address the eligible breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. In circumstances where personal information is lost but the remedial action removes the likelihood of it causing serious harm, the NDB Law provides that the eligible data breach will be taken to have not occurred. The parties agree that if a Breach occurs involving Jointly Held Personal Information, the Subscriber and Hexicom must each use their respective best endeavours to take positive steps to address the Breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. Each party must keep the other party informed at all times while that remedial action is being undertaken, and must notify the other party if the remedial action has removed the likelihood of the Breach causing serious harm. If Hexicom forms the opinion in its absolute discretion that the Subscriber has not completed an expeditious assessment of the Breach and/or has not expeditiously carried out remedial action that may result in the Breach not being likely to cause serious harm, Hexicom may notify the Subscriber that Hexicom requires the Subscriber to notify the Breach pursuant to paragraph (e) below (“Notification Demand”). If Hexicom issues a Notification Demand, the Subscriber must notify all relevant individuals and the Office of the Information Commissioner pursuant to paragraph (e) below within twenty-four (24) hours of the Notification Demand (time being of the essence) notwithstanding that paragraph may require the notifications to be issued within a different period of time.
(e) If an eligible data breach of Jointly Held Personal Information has occurred for the purposes of the NDB Law (that has not been remedied in accordance with paragraph (d)), the Subscriber must as soon as possible:
(i) notify the Australian Information Commissioner of the eligible data breach; and
(ii) notify the relevant individuals to whom the Jointly Held Personal Information relates of the eligible data breach,
in accordance with the NDB Law.
2. Action to be taken by the Subscriber for the purposes of the GDPR
2.1. This clause 2 only applies to GDPR Data held or otherwise processed by Hexicom as a processor on behalf of the Subscriber.
2.2. In the case of a personal data breach, Hexicom must notify the Subscriber of a data breach that it becomes aware of without undue delay. The Subscriber shall without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
2.3. Where the notification to the supervisory authority is not made within seventy-two (72) hours, it shall be accompanied by reasons for the delay.
2.4. The notification referred to in subclauses 2 and 3 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach; and
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
2.5. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
2.6. The Subscriber shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33 of the GDPR.
2.7. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Subscriber shall communicate the personal data breach to the data subject without undue delay as required under Article 34 of the GDPR.
2.8. The communication to the data subject referred to in subclause 7 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
2.9. The communication to the data subject referred to in subclause 7 shall not be required if any of the following conditions are met:
(a) the Subscriber has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the Subscriber has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subclause 7 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
2.10. If the Subscriber has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in subclause 9 are met.