Data Transfer Terms of Agreement
- (the "Customer" who is also the "data exporter" for the purposes of this Agreement); and
- JobAdder Operations Pty Ltd ACN 167 597 953 (the "Supplier" who is also the "data importer" for the purposes of this Agreement).
- The Customer has purchased the right to use on a Software as a Service basis the Supplier’s recruitment management software system (the "Services" as more particularly defined below).
- The provision of the Services will entail the Supplier’s personnel having access to Personal Data as defined below in the course of hosting the same.
- This Data Transfer Agreement regulates the terms on which the Supplier handles Personal Data and incorporates the model terms of data transfer approved pursuant to the Data Protection Legislation (as defined below) as set out in Appendix 2 of this Agreement.
In this Agreement, the following words shall have the following meanings.
“Data Protection Legislation”
means all privacy laws applicable to the Data which is Processed under or in connection with this Agreement, including the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the Data Protection Act 2018 and all codes of practice, secondary legislation and regulatory guidance issued in respect to the above;
“Data Transfer Agreement”
means the individual who is the subject of any Personal Data;
“Process” and other derivations such as “Processed” and “Processing”
This Agreement shall, unless terminated in accordance with clause 2.2, run from the date the Principal Agreement commences until the date of termination of the Principal Agreement and then automatically expire. For the avoidance of doubt, this Agreement including without limitation the Supplier’s warranties shall also apply in respect of Personal Data (if any) transferred by the Customer to the Supplier prior to the date of this Agreement.
- The Customer may terminate this Agreement at any time by giving one month’s prior written notice to the Supplier.
- Following termination or expiry of this Agreement, the Supplier agrees to comply with the provisions of Appendix 2 with respect to Personal Data held by it, as well as with any provisions of the Principal Agreement relevant to this Data Transfer Agreement (including but not limited to those relating to confidentiality) which are expressed to survive termination or which by necessary implication survive termination.
- The parties acknowledge that the terms of Appendix 2 represent the standard contractual clauses approved by the European Commission for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in countries outside the European Economic Area (“third countries”) which do not ensure an adequate level of data protection at the date of this Agreement. If there are any changes to the Data Protection Legislation which require the adoption of new standard contractual clauses approved by the European Commission for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, whether those clauses are required pursuant to the GDPR or otherwise, the parties will use all reasonable endeavours to agree the terms of a replacement Appendix 2 and such consequential changes to this Agreement as may reasonably be required to comply with the requirements of the Data Protection Legislation (“Compliant Terms”) and incorporate the same as an amendment to this Agreement.
- In the event that the parties are unable to agree Compliant Terms by the date that the change in the Data Protection Legislation referred to in clause 1.3 above comes into effect, the Supplier shall cease to Process the Data and this Agreement will terminate with immediate effect.
Act on Instructions
- The Supplier undertakes on a continuing basis that it shall and shall procure that the Third Parties shall:
- only Process the Data in order to provide the Service(s) and then strictly only in accordance with this Agreement and with instructions received from the Customer from time to time relating to the Data;
- in respect of the parties’ rights and obligations under this Agreement regarding the Data the Parties agree that the Customer is the Data Controller and that the Supplier is a Data Processor (such terms as defined in the Data Protection Legislation);
- promptly and fully cooperate with and assist the Customer in relation to any reasonable request for cooperation and/or assistance and/or information relating to its Processing of the Data;
- ensure that the Data shall only be accessible by the Supplier Personnel to the extent they need to know or require access for the purposes of properly performing their duties in relation to the Services and to Supplier Personnel who, where relevant, understand the confidentiality of such Personal Data (and who are contractually bound to maintain its confidentiality). In particular the Supplier and the Third Parties shall take adequate precautions to ensure that Personal Data is not used, accessed or Processed in a manner incompatible with these purposes.
- not cause the Customer to be in breach of any part of the Data Protection Legislation whether by reason of an act or omission by it or them, or by any of its or their directors, officers, staff, employees or the Third Parties;
- not allow any third parties to access the Personal Data except to the extent that it obtains the prior written consent of the Customer to appoint a Third Party in order to assist it in delivering the Services, and PROVIDED ALWAYS that the following conditions shall apply to such consent and after such consent is given:
- such Third Parties shall not be entitled to subcontract further in whole or in part or to allow any third party access to the Personal Data;
- their appointment is otherwise on the same basis and terms as in this clause 3;
- the Supplier shall procure compliance by the Third Party with these terms and shall be responsible for the acts and omissions of such Third Parties; and
- the Supplier shall comply with such other conditions as the Customer may impose in relation to its consent.
- put in place and maintain appropriate technical and organisational measures against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access to the Personal Data (including, without limitation the measures set out in Appendix 1); and
- take reasonable steps to ensure the reliability of its/their personnel who have access to Personal Data and to ensure they are aware of the Supplier’s or Third Party’s (as appropriate) obligations in relation to Personal Data.
- notify the Customer within 24 hours (or any shorter period which may be imposed pursuant to any Data Protection Legislation) of any actual or suspected, threatened or ‘near miss’ incident of accidental or unlawful destruction or accidental loss, alteration, unauthorised or accidental disclosure of or access to the Personal Data or other breach of clause 3.2 (a "Security Breach");
- thereafter provide the Customer within 72 hours (or any shorter period which may be imposed pursuant to any Data Protection Legislation) with all relevant information in its or their possession as required by the Customer to comply with any informal or formal management and reporting obligations recommended or required by Data Protection Legislation concerning any Security Breach (including at the date of this Agreement: type of Personal Data or other information involved; number of records involved/Data Subjects affected; circumstances of Security Breach; mitigation and actions taken; investigation details; details of reports to and reactions from other relevant bodies of the breach; and remedial action taken and action to avoid repeats);
- not make any announcement or publish or otherwise authorise any broadcast of any notice or information about a Security Breach (a "Breach Notice") without the prior written consent of and prior written approval by the Customer of the content, media and timing of the Breach Notice (if any).
- Subject to the Customer and its auditors entering into reasonable confidentiality obligations, the Supplier warrants and undertakes on a continuing basis that it shall and shall procure that the Third Parties shall at any time upon request of the Customer, on reasonable notice and during regular business hours, at no cost to the Customer:
- ensure that its and/or their staff are made available to the Customer and its auditors (whether internal and/or external);
- provide all such persons with access to all relevant information (whether in electronic or hard copy form) and premises where the Data is processed; and
- procure that its and/or their staff shall provide all reasonable co-operation and assistance to the Customer,
as may be necessary in the reasonable opinion of the Customer to permit an accurate and complete assessment of the Supplier’s compliance with its obligations under this Agreement.
- The Supplier warrants and undertakes that it shall and shall procure that the Third Parties shall notify the Customer within five (5) Business Days of any complaint by a Data Subject in respect of his Personal Data or any request received from a Data Subject to have access to his Personal Data or of any other communication relating directly or indirectly to the Processing of any Data in connection with this Agreement and provide all details of such complaint, request or communication to the Customer and promptly and fully cooperate and assist the Customer in relation to any such request or communication.
- Neither Supplier nor any Third Party shall respond directly to any Data Subject access request for their Personal Data, to any Data Subject complaint in relation to their Personal Data, or (unless and to the extent required by law) any communication by a Data Protection Authority to them in relation to the Data, in each case unless expressly approved in writing in advance by the Customer.
- The Supplier is based in Australia and the parties acknowledge that some of the Services will be carried out by Supplier Personnel based in Australia and that as a result some Personal Data may be transferred to the Supplier as a result. The terms of this Data Transfer Agreement are hereby incorporated into the Principal Agreement.
- Appendix 2, which incorporates the Standard Clauses approved by the European Commission for transfers of personal data outside the EEA shall have effect. The Supplier will, for these purposes, be “the data importer”, the Customer will be “the data exporter” and any person appointed by the Supplier to process data under its direction with the approval of the Customer will be “the sub-processor”.
- This Agreement together with the Principal Agreement forms the sole Agreement between the parties relating to the subject matter of it.
- Save as expressly set out in and required by the Standard Clauses, no person who is not a party to this Agreement has any right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement but this does not affect any right or remedy of a third party which exists or is available apart from that act.
- This Agreement is governed by the laws of England and Wales and the parties hereto submit to the jurisdiction of the courts of England and Wales in relation to any dispute arising under this Agreement.
Minimum Security Measures
The Supplier shall use the same degree of care, but never less than a reasonable degree of care, to prevent unauthorized use or publication of Personal Data, as the Customer uses to protect its own information, and will implement any measures to protect Personal Data which are required by applicable law. The Supplier will be given a copy of the Customer’s current applicable privacy and data protection policies and shall (and shall procure that all Third Parties) comply with the same.
At a minimum, the Supplier agrees:
- To implement appropriate technical and organizational measures to protect Personal Data against (i) accidental or unlawful destruction or loss, (ii) unauthorized disclosure or access (e.g., where processing involves the transmission of Personal Data over a network), (iii) alteration, and (iv) all other unlawful forms of processing; and
- To implement appropriate procedures to ensure that (i) unauthorized persons will not have access to the data processing equipment used to process the Personal Data, (ii) any persons it authorizes to have access to the Personal Data will respect and maintain the confidentiality and security of the Personal Data, and (iii) the measures and procedures that it uses will be sufficient to comply with all applicable legal requirements.
- To comply with the Customer’s specific security requirements which shall involve the following:
- The Supplier shall only access Personal Data on the Customer’s servers via the Customer’s dedicated portal made available to them for the purpose and will not seek to access, use or store Personal Data on its own systems;
- The Supplier shall maintain logs of all access to the Customer portal by its personnel and make these available to the Customer for inspection on request;
- All Supplier’s personnel accessing the Personal Data shall do so on a strictly needs-based basis for the performance of the Services and with the knowledge and under the supervision of Supplier senior management responsible for the relationship with the Customer;
- The Supplier shall only access Personal Data through its named personnel each of whom will have a unique log-on ID onto the Customer servers via the Customer portal. Any such personnel who leave the Supplier or who cease to be engaged in the performance of the Services will surrender their log-on IDs to the Supplier who will permanently retire those log-on IDs.
Any additional security measures, where any specific requirements of a Project require specific uses of Personal Data, will be included within the Project Documentation.
Standard Contractual Clauses for Data Processors outside the EEA
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Both the data exporter (customer) and data importer (JobAdder Operations Pty Ltd) HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
- 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- 'the data exporter' means the controller who transfers the personal data;
- 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
- that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- any accidental or unauthorised access, and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
- that the processing services by the subprocessor will be carried out in accordance with Clause 11;
- to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely England and Wales.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely that of England and Wales.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and is consented to by both parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
The data exporter is the Customer pursuant to the Principal Agreement pursuant to which it has engaged the data importer to carry out software development activities
The data importer is the Supplier pursuant to the Principal Agreement pursuant to which it has been engaged by the data exporter to carry out SaaS services and the provision of the Services requires it to have access to data input by the Customer in order to host the software and permit the Customer to obtain the benefit of the SaaS services.
The personal data transferred concern the following categories of data subjects (please specify):
Customers of the data exporter
Employees of the data exporter
Other personnel of the data exporter
Contractors of the data exporter
Targets and leads
Job candidates and prospects
Categories of data
The personal data transferred concern the following categories of data (please specify):
System test data
Marketing data relating to targets and prospects
Data related to job candidates and prospects
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
They will be viewed by the data importer only in the course of providing the SaaS services and providing the software hosting environment to allow this to be provided.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
- All Supplier’s personnel accessing the Personal Data shall do so on a strictly needs-based basis for the performance of the Services and with the knowledge and under the supervision of Supplier senior management responsible for the relationship with the Customer;