APS Data Processing Addendum
This Data Processing Addendum (Addendum) forms part of the Terms and is entered into between you (the Company) and the Reckon entity set out in the Order Form (us and we as applicable), together the Parties and each a Party.
1. Definitions
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
(a) Applicable Laws means (a) any Data Protection Laws applying to the Processing of any Company Personal Data; and (b) any other law applicable to a Party;
(b) Company Personal Data means any Personal Data Processed by a Contracted Processor on your behalf including any Personal Data of your customers, employees or contractors (Users) pursuant to, or in connection with the Addendum;
(c) Contracted Processor means us and/or a Subprocessor;
(d) Customer Agreement means the services agreement entered into between us and the Company for the Services (referred to as the Terms in the relevant Order);
(e) Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
(f) EEA means the European Economic Area;
(g) EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
(h) GDPR means EU General Data Protection Regulation 2016/679;
(i) Restricted Transfer means a transfer of Company Personal Data where such transfer would be prohibited by EU Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses or another lawful data transfer mechanism as set out at clause 7;
(j) Services means the services and other activities to be supplied to or carried out for you by us, or on behalf of us, pursuant to the Addendum;
(k) Standard Contractual Clauses means the contractual clauses set out by the European Commission available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries, as updated or replaced from time to time;
(l) Subprocessor means any person (including any third party, but excluding our employees or our sub-contractors) appointed by or on behalf of us to Process Personal Data on behalf of you; and
(m) You means the entity that accepts/accepted the Addendum.
1.2 The terms Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processor, Processing, Special Categories of Data and Supervisory Authority shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word include shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 Role of Parties: The Parties acknowledge that for the purposes of this Addendum, we act as a Processor and you are the Controller in relation to Company Personal Data.
2.2 The Parties will comply with all applicable Data Protection Laws in the Processing of Company Personal Data.
2.3 We will only Process Company Personal Data on behalf of and in accordance with your relevant instructions and while carrying out our obligations under the Addendum, unless other processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case the Contracted Processor will, to the extent permitted by law, immediately inform you of that legal requirement before processing that Company Personal Data.
2.4 Annex 1 to this Addendum sets out the following details:
2.5 description of the types of Processing we will carry out and the types of Company Personal Data Processed under this Addendum; and
2.6 the types of Data Subjects to which the Company Personal Data relates.
2.7 You agree to update us (as soon as practicable) if the details in Annex 1 are incorrect or change.
3. Subprocessing
3.1 You authorise us to continue to use those Subprocessors already engaged by us as at the date of this Addendum (as set out in Annex 2), subject to our obligations at clause 3.
3.2 We shall give you prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 10 days of receipt of that notice:
(a) you have not notified us in writing of any objections (on reasonable grounds) to the proposed appointment of that Subprocessor, we will assume that you have consented to the appointment of that Subprocessor; or
(b) you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we shall do one of the following: (i) not appoint that Subprocessor; (ii) not disclose any Company Personal Data to that Subprocessor; or (iii) not disclose any Company Personal Data to that Subprocessor until reasonable steps have been taken to address the objections you raised and you have been informed of and agreed to that Subprocessor based on the reasonable steps taken.
3.3 With respect to each Subprocessor we shall:
(a) from time to time, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Addendum and this Addendum; and
(b) ensure that the arrangement between us and the relevant intermediate Subprocessor is governed by a written contract including terms which meet the requirements of Article 28(3) of the GDPR.
4. Data Subject Rights
4.1 We shall:
(a) promptly notify you if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;
(b) ensure that the Contracted Processor does not respond to that request except on your documented instructions, or as required by Applicable Laws to which the Contracted Processor is subject, in which case we shall to the extent permitted by Applicable Laws inform you of that legal requirement before the Contracted Processor responds to the request;
(c) implement appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations under the Data Protection Laws; and
(d) where you require our assistance to respond to a Data Subject request, use commercially reasonable efforts to assist you to the extent legally permitted, and you shall be responsible for the costs arising from our assistance.
4.2 You acknowledge and agree that we may use an automated functionality within our Services to seek and document your instructions in response to a Data Subject request relating to your Company Personal Data.
5. Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5.2 We will take reasonable steps to ensure that any of our personnel who Process the Company Personal Data have been informed of the confidential nature of the Company Personal Data and are committed to keeping the Company Personal Data confidential.
5.3 In assessing the appropriate level of security we shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5.4 Personal Data Breach: We shall notify you without undue delay if we become aware of a Personal Data Breach and provide you with information to assist you to meet your obligations under the EU Data Protection Laws. On your reasonable request we shall take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
6. Data Protection Impact Assessment and Prior Consultation
6.1 Upon your request and to the extent required by the GDPR we shall provide reasonable assistance to you where you are fulfilling your obligations under the GDPR by carrying out a data protection impact assessment, as follows:
(a) to the extent that the assessment you are carrying out directly relates to the Processing of Company Personal Data, you do not otherwise have access to the information and such information is available to us; and
(b) where you reasonably require our assistance with prior consultations with Supervisory Authorities or other competent data privacy authorities.
6.2 If you request assistance which goes beyond the scope of clause 1, we may provide you with notice of our fees and charge you for this additional assistance.
7. Restricted Transfers
7.1 Subject to clause 3, you (as data exporter) and each Contracted Processor, as appropriate, (as data importer) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from you to that Contracted Processor.
7.2 The Standard Contractual Clauses shall come into effect under clause 1 on the commencement of the relevant Restricted Transfer.
7.3 Clause 1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
8. Audit
8.1 Subject to reasonable notice (not less than 30 days) and your reasonable request to demonstrate compliance with this Addendum we shall (subject to obligations of confidentiality):
(a) make available information directly relating to your Company Personal Data and necessary to demonstrate your compliance with Article 28(3) of the GDPR; and
(b) allow you or an independent auditor appointed by you to carry out audits, including inspections, in relation to the Processing of Company Personal Data by the Contracted Processors,
and you agree to take all reasonable measures to limit any impact on the Contracted Processors.
9. Deletion or return of Company Personal Data
9.1 Following the termination or expiry of this Addendum, we shall destroy or return to you (where you make such a request), all Company Personal Data in our possession or control unless any Applicable Laws require that we retain Company Personal Data.
10. General Terms
10.1 Order of Precedence: In the event of any conflict or inconsistency between the agreements entered into between the Parties, the Standard Contractual Clauses shall prevail, then the Addendum, followed by the Customer Agreement.
10.2 Obligations under the Addendum: Subject to clause 1, nothing in this Addendum reduces the Parties’ obligations under the Customer Agreement and all clauses in the Customer Agreement will continue to apply and will apply to this Addendum unless they conflict with the Applicable Laws, including but not limited to: limitation of liability and indemnity.
10.3 Legal effect: This Addendum is entered into and becomes a binding part of the Addendum with the effective date being the date you accept this Addendum.
10.4 Severance: If a provision of this Addendum is held to be void, invalid, illegal or unenforceable, that provision is to be read down as narrowly as necessary to allow it to be valid or enforceable, failing which, that provision (or that part of that provision) will be severed from this Addendum without affecting the validity or enforceability of the remainder of that provision or the other provisions in this Addendum.
10.5 Governing law: This Addendum is governed by the laws of New South Wales. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of the courts operating in New South Wales and any courts entitled to hear appeals from those courts and waives any right to object to proceedings being brought in those courts.
Annex 1: Details of Processing of Company Personal Data
This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.
1. The subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing of Company Personal Data are set out in the Customer Agreement and this Addendum.
2. The nature and purpose of the Processing of Company Personal Data
The nature and purpose of the Processing of Company Personal Data is further specified in the Customer Agreement and as further instructed by you.
3. The types of Company Personal Data to be Processed
The types of Company Personal Data to be Processed may include but are not limited to the following:
i. a Data Subject’s name;
ii. a Data Subject’s contact details, including email address and telephone number;
iii. a Data Subject’s role within their business;
iv. a Data Subject’s preferences and/or opinions including in response to any customer surveys we send to the Data Subject;
v. details of products and services we have provided to a Data Subject and/or that a Data Subject has enquired about, and our response to them (e.g. a support request);
vi. a Data Subject’s browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour;
vii. information about a Data Subject’s access and use of the Services we deliver to you, including through the use of Internet cookies, a Data Subject’s communications with the Services we deliver to you, the type of browser a Data Subject is using, the type of operating system a Data Subject is using and the domain name of a Data Subject’s Internet service provider;
viii. additional personal information that a Data Subject may provide to us, directly or indirectly, through a Data Subject’s use of the Services and any associated applications; and
ix. any other personal information requested by us and/or provided by you or a third party about a Data Subject.
- We currently do not actively collect or Process Special Categories of Company Personal Data.
4. The categories of Data Subject to whom Company Personal Data relates
The categories of Data Subject to whom Company Personal Data relates are as follows:
i. the Company’s contact person/s who we communicate with;
ii. the Company’s employees, contractors, suppliers and customers or other users who use our Services through the Company’s account and actively contact us (including for a support request), or where the Company enters their Personal Data when using our Services.
5. Your obligations and rights
- Your obligations and rights are set out in the Customer Agreement and this Addendum.
Annex 2: Details of our current Subprocessors
Current Subprocessors can be viewed by referring to the link below:
https://www.reckon.com/au/policies/data-subprocessors/