DATA PROCESSING AGREEMENT
PARTIES:
Saropa Pty Ltd, legally based in Australia at the address Level 14, 309 Kent St, Sydney NSW 2000, hereinafter referred to as ‘Data Controller’;
and
[Third Party name], legally based in [Third Party legal location] at the address [Third Party full address] hereinafter referred to as ‘Data Processor’.
WHEREAS
- Data Controller and Data Processor have entered into an agreement for the supply of the following services [Insert brief description of the Data Processor (Third Party) services]. This agreement results in Data Processor processing Personal Data on behalf of Data Controller.
- Data Controller and Data Processor wish to lay down their mutual rights and obligations for the processing of Personal Data in accordance with the applicable Data Protection Legislation in this Agreement.
IT IS AGREED AS FOLLOWS:
1. Definitions
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
- Agreement: means this Data Processing Agreement and all Annexes and Schedules;
- Data Protection Legislation: all applicable national, international and EU laws and regulations, including Regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), or binding codes of conduct, which contain rules with regard to the protection Personal Data of natural persons;
- Data Subjects: the natural persons whose Personal Data are processed;
- GDPR: means EU General Data Protection Regulation 2016/679;
- Personal Data: all information about an identified or identifiable natural person, whereby identifiable is considered to be a natural person who can be identified directly or indirectly, that Data Processor Processes on the basis of the Principal Agreement, of which the type of Personal Data and the categories of Data Subjects are further specified in Annex A;
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
- Principal Agreement: the agreement dated 26 Apr 2024 in which the Data Controller has instructed the Data Processor to the Processing of Personal Data;
- Processing: an operation or whole of operations with regard to Personal Data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by transmission, distribution or otherwise making available, aligning or combining, blocking, deleting or destroying of Personal Data. In this Agreement, all verb forms of "Processing" are included within this definition.
2. Applicability
2.1 Unless the Parties have otherwise agreed in writing, the provisions of this Agreement apply to any Processing by Data Processor on the basis of the Principal Agreement.
3. Processing by Data Processor
3.1 Data Processor Processes Personal Data in accordance with the written instructions of Data Controller and in the manner set out in the Principal Agreement and this Agreement.
3.2 Data Processor only Processes Personal Data when instructed by Data Controller, except for deviating legal obligations.
3.3 Data Processor has no authority over the purpose and the means for the Processing of Personal Data and it does not make any decisions about the use of the Personal Data, the provision to third parties and the duration of the storage of Personal Data.
3.4 Data Processor must ensure compliance with the obligations for the Processing of Personal Data on the basis of Data Protection Legislation.
3.5 Data Processor shall immediately notify Data Controller in writing if, in the opinion of Data Processor, an instruction of Data Controller violates Data Protection Legislation.
3.6 At the first request of Data Controller, Data Processor will make available all information necessary to demonstrate compliance with the obligations laid down in this Agreement.
4. Security
4.1 Data Processor will take all appropriate technical and organizational measures to protect Personal Data against loss or any form of unlawful processing in accordance with Article 32 of the GDPR. These measures guarantee an appropriate level of security taking into account of the state of the art, the implementation costs, and the nature, scope, context and purpose of Processing as well as the different risks in varying likelihood and severity for the rights and freedoms of the Data Subjects.
4.2 In assessing the appropriate level of security, Data Processor shall take into account the risks that are presented with the Processing, in particular the risk destruction, loss, alteration, unauthorized disclosure or access to transmitted, stored or otherwise Processed Personal Data. Data Processor shall forthwith inform Data Controller if the level of security changes.
5. Data Subject rights
5.1 Processor shall promptly notify Data Controller of requests received directly from a Data Subject regarding the rights of Data Subjects under Data Protection Legislation, including but not limited to requests for access, rectification, deletion, restriction of processing or transfer. Data Processor shall only comply with such a request if Data Controller has instructed Data Processor to do so in writing.
5.2 At the first request of the Data Controller, Data Processor shall provide Data Controller with full assistance to enable Data Subjects to exercise their rights with regard to the Processing of Personal Data. If instructed to do so, Data Processor shall smoothly and properly fulfill such requests of Data Subjects.
6. Third parties
6.1 Data Processor shall not disclose, provide or make available Personal Data to third parties unless it has obtained prior written consent from Data Controller or it is required to do so by mandatory law. If a third party is engaged to perform specific processing activities on behalf of the Data Processor after written permission from the Data Controller, Data Processor will impose on this other third party by agreement at least the same obligations with regard to the Processing and protection of Personal Data as the obligations included in this Agreement. Data Processor is responsible and liable in all respects for the actions of third parties that it engages in the context of this Agreement.
7. Confidentiality
7.1 Data Processor will keep the Personal Data and other information obtained from Data Controller strictly confidential, whereby it will exercise at least the same level of care as that it observes with regard to the protection of its own information of a highly confidential nature. Data Processor will not distribute, provide or otherwise disclose Personal Data or other information obtained from Data Controller to persons other than its employees.
7.2 Data Processor only gives its employees access to Personal Data insofar as this is strictly necessary for the purposes of the Principal Agreement, ensuring that all such individuals are subject to a confidentiality undertakings or professional or statutory obligations of confidentiality. Data Processor shall ensure the provisions of this Agreement are also imposed on its employees.
8. Personal Data Breach
8.1 Data Processor shall notify Data Controller without undue delay upon Data Processor becoming aware of a Personal Data Breach affecting Personal Data, providing Data Controller with sufficient information to allow it to meet any obligations under Data Protection Regulation.
8.2 Data Processor shall cooperate with the Data Processor in fulfilling its obligations to report a Personal Data Breach to any regulatory body and/or Data Subjects as well as take reasonable steps as directed by Data Controller to assist in the investigation of a Personal Data Breach.
9. Data Protection Impact Assessment
9.1 Data Processor shall provide reasonable assistance to Data Controller with any data protection impact assessment, and prior consultations with supervising authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Regulation in relation to the Processing of Personal Data.
10. Deletion or return of Personal Data
10.1 Data Processor shall promptly and in any event within 10 business days after the end date of the Principal Agreement, delete all copies of Personal Data. Data Processor shall provide Data Controller with written notice that it has fully complied with this article 10.
11. Audit
11.1 Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Personal Data.
11.2 Information and audit rights of Data Controller only arise to the extent that the Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Regulation.
12. Data transfer
12.1 Without prior written consent of Data Controller, Data Processor may not transfer or authorize the transfer of Personal Data to third countries other than countries in the EU and/or the European Economic Area (EEA) or a European Commission approved country providing an adequate level of protection.
12.2 In the event that Personal Data is transferred to a different country the Parties shall ensure that Personal Data is adequately protected, by, unless agreed otherwise, relying on EU approved standard contractual clauses for the transfer of Personal Data.
13. No assignment
13.1 This Agreement and the rights and obligations under this Agreement cannot be assigned by Data Processor to third parties without the prior written consent of Data Controller.
14. Indivisibility
14.1 If one or more provisions of this Agreement prove to be invalid, the Agreement will remain in force for the remainder. The Parties will consult on the provisions that are not legally valid, in order to make a replacement article that is legally valid and that matches the purpose of the original article as much as possible.
15. Applicable law and jurisdiction
15.1 Australian law is applicable to this Agreement.
15.2 All disputes arising from or in connection with this Agreement will be submitted exclusively to the jurisdiction of the court in New South Wales, Australia.
IN WITNESS WHEREOF, the parties by their duly authorized representatives hereby have caused this Agreement to come into effect from the last date set out below,
| Saropa | [Data Processor Name] |
| (Data Controller) | (Data Processor) |
| |
| Date: 26 Apr 2024 | Date: 26 Apr 2024 |
| By: [Data Processor Signee Name] | By: [Data Processor Signee Name] |
| Title: [Data Processor Signee Title] | Title: [Data Processor Signee Title] |
Annex A - Personal Data and Data Subjects
Personal Data, as defined in Saropa’s GDPR Privacy Policy, includes customer data such as:
- customer first and last name, address, email address and phone number;
- the contact information about customer emergency contact(s), like their name and phone number;
- customer date of birth;
- customer national identifying number (Social Security, National Insurance, PPS, etc.);
- information about customer physical appearance, like eye colour, skin colour, weight and/or height;
- information about customer employment or education, like information about customer salary or student identification number;
- geo-tracking data;
- any other Personal Data that is actively provided by customers when contacting us or making use of the Service.
Customer Personal Data that is of particularly sensitive nature includes:
- information concerning customer health and medical history;
- genetic data;
- data about customer religious or other beliefs;
- any other Sensitive Data that is actively provided by contacting us or making use of the Service.