Orbus Software

Data Processing Addendum

This Data Processing Addendum sets out the additional terms and conditions that shall apply if the transfer of Personal Data from one Party to the other is required in order to provide the Services under Your Agreement with the Supplier and shall be incorporated into and form part of such agreement.

1. Definitions and Interpretation

1.1 In this Addendum:

"Client Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of the Client pursuant to or in connection with the Agreement;

"Contracted Processor" means the Supplier or a Subprocessor;

"Controller to Processor SCCs" means:

(a) the standard contractual clauses (processors) for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision 2010/87/EC as the same are revised, updated or replaced from time to time by the European Commission;

(b) in relation to the UK, any Controller Processor data protection standard data protection clauses specified in either:

(i) regulations pursuant to Article 46(2)(c) UK GDPR; or

(ii) a document issued (and not withdrawn) pursuant to Article 46(2)(d) UK GDPR; and

(c) where required from time to time by a Supervisory Authority for use with respect to any specific restricted transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Data Protection Laws for use in respect of such restricted transfer, as updated, replaced or superseded from time to time by a Supervisory Authority or Data Protection Laws;

"Data Protection Laws" means the European Data Protection Laws, UK Data Protection Laws, Privacy Act 1988 (Cth) and, to the extent applicable, the data protection or privacy laws of any other country;

"Eligible Data Breach" has the same meaning as in the Privacy Act 1988 (Cth);

"European Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR, together with the Directive on Privacy and Electronic Communications 2002/58 and other data protection or privacy legislation in force from time to time in the EEA;

"GDPR" means EU General Data Protection Regulation 2016/679;

"Subprocessor" means any person (including any third party and any member of the Supplier's Group, but excluding any employee of the Supplier or any of the Supplier's sub-contractors) appointed by or on behalf of the Supplier to Process Client Personal Data on behalf of Client in connection with this Agreement;

"Supervisory Authority" means:

(a) an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR;

(b) Australian Privacy Commissioner; or

(c) any similar regulatory authority responsible for the enforcement of Data Protection Laws;

"UK Data Protection Laws" means the UK GDPR, together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom; and

"UK GDPR" means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and subsequently amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR").

The terms "Commission", "Controller", "Data Subject", "Processor", "Member State", "Personal Data", "Personal Data Breach", and "Processing" shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly. All references to "Personal Data" are deemed to include "Personal Information" as that term is defined in the Privacy Act 1988 (Cth).

1.2 Personal Data Processing:

1.2.1 Subject matter and duration of the Processing of the Personal Data: The subject matter and duration of the Processing of the Personal Data are set out in this Agreement and include the creation of group/user profiles and account management.

1.2.2 The nature and purpose of the Processing of the Personal Data: As necessary for the provision of Services, and in accordance with this Agreement.

1.2.3 The types of the Personal Data to be Processed: name, employer, role, business contact details.

1.2.4 The categories of Data Subject to whom the Personal Data relates: Client Personal Data relating to individuals who are nominated as Authorized Users by the Client or whose data is entered into the Software by the Client.

1.3 Authorized affiliate Sub-processors providing application support: 

1.3.1 Seattle Software Limited in London, UK;

1.3.2 Seattle Business Software Inc. in New York, USA; and 

1.3.3 Seattle Software (Australia) Pty. Ltd. in Sydney, Australia.

1.4 Third party supplier providing support and consultancy services: 

1.4.1 N-IX Ltd. (a company registered in Malta) and its affiliates and suppliers in Ukraine.

2. Obligations on both Parties when Processing Personal Data as independent Controllers

2.1 In relation to the Supplier's provision of Services to the Client, the Parties agree that each Party will Process Personal Data shared by the other Party as an independent Controller.

2.2 With respect to its Processing of Personal Data under this paragraph 2, each Party shall:

2.2.1 comply with all applicable Data Protection Laws when Processing Personal Data; and

2.2.2 only Process the Personal Data:
(i) in connection with the provision or receipt (as applicable) of the Services; and
(ii) in the case of the Supplier only, as an independent Controller for the additional purposes of:
(A) maintaining and developing the Supplier's relationship with Client;
(B) billing and invoicing Client;
(C) security related processing (for example, automated scanning of incoming and outgoing emails for viruses);
(D) complying with legal and regulatory obligations; and
(E) establishing, exercising and defending legal claims and no other purpose;

(iii) solely to the extent permitted by applicable Data Protection Laws, where applicable, deal promptly and in good faith with all reasonable and relevant enquiries from the other Party relating to its Processing of Personal Data.

2.3 If a Party ("First Party") receives any complaint, notice or communication from a Supervisory Authority which relates directly or indirectly to the other Party's:

2.3.1 Processing of the relevant Personal Data; or

2.3.2 potential or actual failure to comply with Data Protection Laws,

the First Party shall, to the extent permitted by applicable Law, promptly forward the complaint, notice or communication to the other Party and to the extent requested by the other Party, provide the other Party with reasonable cooperation and assistance in relation to the same.

2.4 If a Data Subject makes a written request to either Party ("Receiving Party") to exercise any of its rights under Data Protection Laws with respect to Personal Data Processed under this paragraph 2, the Receiving Party shall respond to that request in accordance with Data Protection Laws. If the request relates to Personal Data transferred to the Receiving Party by the other Party, the Receiving Party shall, to the extent permitted by applicable Laws, promptly, and in any event within five Working Days after it receives the request, notify the other Party of the request.

2.5 To the extent a Data Subject's request concerns Processing of Personal Data undertaken by the other Party, the Receiving Party shall:

2.5.1 promptly, and in any event within five (5) Working Days after it receives the request, forward the request to the other Party; and

2.5.2 to the extent requested by the other Party, cooperate and provide reasonable assistance in relation to that request to enable the other Party to respond in accordance with the requirements of Data Protection Laws.

2.6 Without prejudice to paragraph 2.2, each Party shall implement technical and organisational measures in respect of its Processing of Personal Data pursuant to this paragraph 2 to ensure a level of security appropriate to the risk, including the risk of a Personal Data Breach or an Eligible Data Breach.

3. Obligations on the Supplier when Processing Client Personal Data as a Processor

3.1 Except as set out in paragraph 2 above, the Supplier will, in respect of Services for which the Supplier acts as Processor for the Client, Process Client Personal Data on behalf of the Client and the Supplier shall comply with paragraph 3.3.

3.2 You shall ensure that:

3.2.1 We may lawfully hold and process any Personal Data as contemplated by this Agreement; and

3.2.2 You only collect Personal Data that is provided to the Supplier that is reasonably necessary for one or more of Your functions or activities; and

3.2.3 You have given each Data Subject appropriate notice of what data is collected and used relating to them, the purposes for which it is used, the manner of collection and their rights concerning that data. 

3.3 Where We are Processing Personal Data under or in connection with this Agreement, We shall: 

3.3.1 only Process the Personal Data in accordance with Your documented instructions (as set out in this Agreement or otherwise) for the purposes of providing the Services from time to time (unless permitted or required by Data Protection Laws to which We are subject, in which case We shall inform You of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest or otherwise). The details of the Personal Data to be Processed by Us are set out in the Purchase Order;

3.3.2 ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.3.3 be entitled to transfer any Personal Data outside of the United Kingdom, EEA or other jurisdiction provided that We take such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws including entering in a valid data transfer mechanism;

3.3.4 implement technical and organisational security measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and/or encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; and (v) the preparation and implementation of a data breach policy and response plan (that includes a process for notifying a Supervisory Authority and any affected individuals in the event of an Eligible Data Breach that could give rise to a real risk of serious harm to affected individuals);

3.3.5 promptly notify You of any communication from a data subject regarding the Processing of Personal Data, or any other communication (including from a Supervisory Authority) relating to Client's obligations under Data Protection Laws in respect of the Personal Data and, taking into account the nature of the Processing, assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligation to respond to requests for exercising the data subject's rights; 

3.3.6 be entitled to subcontract any Processing of Personal Data to a third party subprocessor set out in the Purchase Order. We shall also be entitled to engage any other third party subprocessors to Process Personal Data provided that: (i) We provide at least 30 days' prior notice of the addition of any subprocessor (including details of the processing it performs or will perform); (ii) We impose data protection terms on any subprocessor We appoint that protect the Personal Data to the same or similar standard as provided for by this paragraph 3; and (iii) We remain fully liable for any breach of this paragraph 3 that is caused by an act, error or omission of Our subprocessor as required by Data Protection Laws. Notice for the purpose of this paragraph 3.3.6 shall include updates to Our website which sets out the details of Our subprocessors. If You have valid objections to Our appointment of a third party subprocessor on grounds relating to the protection of the Personal Data and We are unable to agree any appropriate mitigations, then either We will not appoint the subprocessor or You may elect to suspend or terminate this Agreement without penalty;

3.3.7 cease Processing the relevant Personal Data upon the termination or expiry of this Agreement and, at Client's option, either return or delete all copies of the Personal Data Processed by Us unless (and solely to the extent and for such period as) Data Protection Laws require or permit storage of the Personal Data;

3.3.8 keep a record of any Processing of Personal Data that We carry out on Client's behalf and shall create and maintain a register, as required under Data Protection Laws, setting out: (a) the types of Personal Data and categories of Data Subject whose Personal Data are Processed during the provision of the Services; (b) each transfer of Personal Data authorised by You from time to time; and (c) a description of the technical and organisational measures adopted by Us to protect the Personal Data; 

3.3.9 assist You with any data protection impact assessments which are required under Data Protection Laws and with any prior consultations to any Supervisory Authority of Client which may be required, in each case solely in relation to the Processing of Personal Data by Us on behalf of the Client and taking into account the nature of the Processing and information available to Us; and

3.3.10 make available to You on request all information necessary to demonstrate compliance with this paragraph 3 and shall allow for and contribute to audits, including inspections, by You or an auditor mandated by You.