Data Processing Addendum
Data Processing Agreement (DPA) pursuant to Art. 28 (3) GDPR between the customer ("Controller") and Released PTY LTD, 273 Lilyfield Road, 2040 NSW, Australia ("Processor") (collectively also "Parties").
(2) The Parties conclude the present agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Agreement.
(3) The provisions of this Agreement shall apply to all activities related to the Main Agreement in which the Processor and its employees or persons authorized by the Processor come into contact with personal data originating from or collected for the Controller or otherwise processed on the Controller's behalf.
(4) The term of this Agreement shall be based on the term of the Main Agreement, unless the following provisions give rise to obligations or rights of termination going beyond this.
(5) The provision of the contractually agreed data processing usually takes place in a member state of the European Union or another contracting state of the Agreement on the European Contractual Area (Decision 94/1/EC). If the Processor transfers Personal Data to subcontractors outside the EU or the EEA, they have previously agreed to comply with the standard data protection clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4.6.2021 and thus ensure an adequate level of data protection within the meaning of Art. 46 (2) lit. c GDPR.
The personal data to which the Processor will have access in the course of the performance of the Main Agreement are set out in Annex 1 - Purpose, nature of processing and categories of data subjects.
(1) The Processor may only collect, use or otherwise process data within the scope of the Main Agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Processor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Controller of these legal requirements prior to the processing.
(2) The instructions of the Controller are initially defined by this Agreement and may thereafter be amended, supplemented or replaced by the Controller by individual written instructions. The authorized contact persons of each Party and the communication channel to be used are shown in Annex 2 - Authorized persons, entitled persons, Communication channel. Any changes shall be taken into account in a timely manner.
(3) All instructions issued shall be documented by both the Controller and the Processor and shall be retained for the duration of their validity and subsequently for three additional full calendar years.
(4) If the Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is obviously unlawful.
(1) The Processor is obliged to observe the legal provisions on data protection and not to disclose information obtained from the area of the Controller to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
(2) The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure that it has taken all appropriate technical and organizational measures (TOMs) to adequately protect the data of the Controller pursuant to Art. 32 GDPR. The Processor is entitled to adapt measures to technical and organizational developments, provided that they do not fall short of the agreed standards.
(3) The persons employed in the data processing by the Processor are prohibited from collecting, using or otherwise processing personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and fulfilment of this Agreement ("Employees") accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and shall instruct them about the special data protection obligations resulting from this Agreement as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this Agreement or the employment relationship between the Employee and the Processor. The obligations shall be proven to the Controller in an appropriate manner upon request.
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Processor, suspected security related incidents or other irregularities in the processing of personal data by the Processor, by persons employed by it within the scope of the contract or by third parties, the Processor shall inform the Controller in writing without undue delay. The same shall apply to audits of the Processor by the data protection supervisory authority. The notification of a personal data breach shall contain the following information as far as possible:
- (a) a description of the nature of the personal data breach, including, to the extent possible, the categories and number of data subjects, the categories affected, and the number of personal data records affected;
- (b) a description of the probable consequences of the injury; and
- (c) a description of the measures taken or proposed by the Processor to address the breach and, where applicable, measures to mitigate its potential adverse effects.
(2) The Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subject(s), inform the Controller thereof and request further instructions from the Controller.
(3) The Processor shall furthermore be obligated to provide the Controller with information at any time insofar as the Controller's data is affected by a violation pursuant to Paragraph 1.
(4) If necessary, the Processor shall support the Controller in fulfilling the Controller's obligations pursuant to Art. 33 and 34 GDPR in an appropriate manner (Art. 28 (3) sentence 2 lit. f GDPR). Notifications for the Controller pursuant to Art. 33 or 34 GDPR may only be made by the Processor after prior instruction by the Controller pursuant to section 3 of this Agreement
(5) Should the Controller’s data at the Processor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay, unless the Processor is prohibited from doing so by court or administrative order. In this context, the Processor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Controller (Art. 4 No. 7 GDPR).
(7) The Processor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to Art. 30 (2) GDPR. The directory shall be made available to the Controller upon request.
(1) The Processor shall demonstrate to the Controller compliance with the obligations set forth in this Agreement by appropriate means.
(2) If, in individual cases, inspections by the Controller or an auditor commissioned by the Controller are necessary, they shall be carried out during normal business hours without disrupting operations. The Processor may make the inspection dependent on prior notification with an appropriate lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures set up. If the auditor commissioned by the Controller is in a competitive relationship with the Processor, the Processor shall have a right of objection against him.
(3) In order to carry out the control, the Processor only needs to permit such a person who is under a special obligation to maintain confidentiality, in particular with regard to information about the Processor's operations, its equipment, the Processor's business secrets and security measures. If the control is not carried out by a person already known to the Processor, such person must prove his legitimation by the Controller in writing at least ten calendar days before the control is carried out.
(4) The Controller shall document the inspection result and notify the Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular during the inspection of order results, he shall inform the Processor without undue delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Controller shall inform the Processor of the necessary procedural changes without undue delay.
(1) Within the scope of its contractual obligations, the Processor shall in principle be authorized to establish further subcontracting relationships with sub-processors ("Sub-processor Relationship"). The Processor shall carefully select sub-processors according to their suitability and reliability. The Processor shall oblige them in accordance with the provisions of this Agreement and in doing so shall ensure that the Controller can exercise its rights under this Agreement, in particular its audit and control rights. Upon request, the Processor shall provide the Controller with evidence of the conclusion of the aforementioned agreements with its sub-processors.
(2) The sub-processors currently working for the Processor in accordance with Paragraph 1 are listed in Data Sub-Processors. The Processor shall inform the Controller of any changes in a timely manner. The Controller may object within a reasonable period of time if an important reason under data protection law opposes the commissioning of the sub-processors.
(4) A sub-processors Relationship within the meaning of the above provisions does not exist if the Processor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, security and cleaning services, as well as telecommunication services without any specific reference to services provided by the Processor to the Controller.
(1) The Processor shall support the Controller as far as possible with appropriate technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12 to 22 and Articles 32 and 36 GDPR.
(2) If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Processor, the Processor shall forward the request to the Controller without undue delay, provided that an allocation to the Controller is possible according to the data subject. The Processor shall not be liable if the Data Subject's request is not answered, not answered correctly or not answered in a timely manner by the Controller.
(1) The Controller and Processor are liable to data subjects in accordance with the provision set out in Art. 82 GDPR. The Processor shall coordinate any fulfillment of liability claims with the Controller.
(2) The Processor shall indemnify the Controller against all claims asserted by data subjects against the Controller due to the breach of an obligation imposed on the Processor by the GDPR or this Agreement or due to the noncompliance or breach of a lawful instruction separately issued by the Controller.
(3) The Processor does not have to indemnify the Controller if the data processing or measure giving rise to the Parties´ liability was carried out on the basis of instructions from the Controller. The same shall apply to measures that have been previously coordinated with the Controller. Coordination shall also be deemed to have taken place if a provision in this Agreement has been inserted at the request of the Controller.
(4) The Parties shall indemnify each other against liability to the extent that a Party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. In all other respects, Art. 82(5) GDPR shall apply.
(1) This Agreement shall remain valid after a termination of the Main Agreement for as long as the Processor has personal data which have been forwarded to him by the Controller or which he has collected for the Controller.
(2) The Processor shall return all documents, data and data carriers provided to it to the Controller after termination of the Main Agreement or at any time at the Controller's request or delete them at the Controller's request, unless there is an obligation to store the personal data under EU law or the law of the Federal Republic of Germany. The Processor shall provide documentary evidence of the proper deletion.
(3) Upon termination of this Agreement, the Main Agreement shall also terminate, provided that it cannot be performed without the processing of personal data.
(1) Unless otherwise provided, declarations between the Parties shall be made in text form, whereby E-mail shall suffice.
(2) The Agreement shall be governed by and construed in accordance with German law.
(3) Should one of the above provisions be or become invalid or should a provision that is necessary in itself not be included, this shall not affect the validity of the remaining provisions. The Parties shall endeavour to find a mutually agreeable provision in this case.
The below tables describe the nature of personal data and categories of data subjects of the Controller that can generally be processed as part of the Processor's service list.
In view of the nature of the service, the Controller acknowledges that the Processor can neither review nor maintain the below table. The Controller undertakes to notify the Processor of any changes to the table below (via the communication channel specified in Annex 2).
The following processes are available no matter which app or apps you use and regardless of whether you use Cloud or on premise apps.
The following table describes the data processing of all Cloud apps of the Processor.
The General processes that also apply to Cloud apps are described above.