Data Processing Agreement
-
Basis of Agreement
- Where you, or the organisation you represent (Data Controller), instruct Turner Software Pty Ltd (Data Processor) to process Personal Data, the provisions of this Data Processing Agreement will apply.
- By instructing the Data Processor to process Personal Data, you agree that you will be bound by the terms of this Data Processing Agreement.
- If you do not agree with the terms of this Data Processing Agreement, you must immediately cease to instruct the Data Processor to process Personal Data.
-
Where there is inconsistency between the provisions of this Data Processing Agreement and:
- the Terms of Service, the Terms of Service shall prevail; or
- the Data Processor Privacy Policy, the Data Processor Privacy Policy will prevail.
-
Definitions
In this Data Processing Agreement:
- GDPR means EU General Data Protection Regulation 2016/679;
- Data Processor Privacy Policy means the privacy policy of the Data Processor, as amended from time to time;
- Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including Australia;
- Services means the data processing services offered by the Data Processor as part of its business operations;
- Terms of Service means the terms and conditions of service governing the provision of services by the Data Processor to the Data Controller, as amended from time to time, and available on the Data Processor's website;
- the terms Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as in the GDPR.
-
Processing of Personal Data
-
The Data Controller may request that the Data Processor process Personal Data by:
- using, or making available to its customers, the Data Processor's Services; or
- making a written request to the Data Processor to process certain Personal Data.
(each a Request).
-
If the Data Processor agrees to a Request, the Data Processor shall process Personal Data in accordance with:
- the Data Controller's instructions;
- relevant privacy laws applying to the processing of that Personal Data;
- the provisions of the Terms of Service; and
- the Data Processor Privacy Policy.
- This Data Processing Agreement shall continue until such time as the Data Processor ceases to provide Services to the Data Controller.
-
Confidentiality
- The Data Processor shall take reasonable steps to ensure that, in processing Personal Data, it restricts access to the Personal Data to only those individuals who need to access the Personal Data to enable the Data Processor to provide the Services, and to comply with any applicable laws.
-
Where Personal Data is confidential (in that it is not freely available in the public domain other than by breach of this Data Processing Agreement), the Data Processor shall ensure that the Personal Data is kept confidential (unless disclosure is required by law) other than disclosure to:
- the Data Controller;
- the employees, agents and sub-contractors of the Data Processor; and
- the Data Processor's professional advisors and legal representatives.
-
Security measures
- The Data Processor shall take reasonable steps to ensure the security of its systems and the servers on which Personal Data is processed and stored.
- The Data Processor may process, communicate or store Personal Data on servers located in Australia and the United States of America.
- All security of Personal Data will be handled in accordance with the Data Processor Privacy Policy.
-
Use of sub-processors
- From time to time, the Data Processor may contract with third parties (Sub-Processors) to assist in the processing of Personal Data. Where this occurs, the Data Processor will ensure that each Sub-Processor complies with relevant privacy laws, and that the rights of the Data Controller as articulated in this Data Processing Agreement.
- Where the Data Processor engages a Sub-Processor not previously disclosed to the Data Controller, it shall notify the Data Controller of the identity of the Sub-Processor.
-
Data Subject rights
- The Data Processor shall take reasonable steps to assist the Data Controller to implement appropriate measures to allow Data Subjects to exercise their rights in relation to their Personal Data that is processed by the Data Processor.
- The Data Processor shall promptly notify the Data Controller of any queries it receives from Data Subjects relating to the Data Controller.
- The Data Controller shall notify the Data Processor of any query it receives from a Data Subject regarding the processing of Personal Data by the Data Processor.
- The parties will take reasonable steps to work cooperatively in dealing with any query, complaint or request from a Data Subject relating to the Data Processor's processing of Personal Data.
-
Data Breaches
- The Data Processor will notify the Data Controller as soon as reasonably practicable if it becomes aware of a Personal Data Breach affecting Personal Data provided by the Data Controller.
- The Data Processor will provide relevant information to the Data Controller to assist it in meeting any legal obligation to inform Data Subjects of the Personal Data Breach.
- The Data Processor shall co-operate with the Data Controller and take such reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
-
Data Protection Impact Assessment and Prior Consultation
- The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
-
Return of Data
- Where a Data Subject has a right under the GDPR or other Data Protection Law to access, modify or request deletion of their Personal Data, the Data Processor shall promptly comply with that request to the extent required by law.
- The Data Processor will notify the Data Controller of any such action within a reasonable period of time.
-
Provision of Reasonable Assistance
The Data Processor will provide the Data Controller with reasonable assistance to comply with any auditing, reporting or other legal requirements arising from the engagement of the Data Processor to process Personal Data by the Data Controller.
-
Governing Law and Jurisdiction
- This Agreement is governed by the laws of South Australia.
- Any dispute arising in connection with this Agreement that the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of South Australia.