Employment Hero Vendor Data Processing Addendum
This Vendor Data Processing Addendum sets out how we expect Personal Data to be handled when you’re providing goods or services to us, and it forms part of the terms between us. If we’ve separately agreed a different data processing agreement with you during procurement, that one will apply instead.
If you’re an Employment Hero customer, this is not the agreement that applies to you. Instead, please refer to our Customer Data Processing Addendum.
|
Employment Hero |
Vendor |
|||
|---|---|---|---|---|
|
Name: |
as specified in the MSA |
Name: |
as specified in the “Vendor Details” section of the Form |
|
|
ABN / Company No: |
as specified in the MSA |
ABN / Company No: |
as specified in the “Vendor Details” section of theForm |
|
|
Address: |
as specified in the MSA |
Address: |
as specified in the “Vendor Details” section of the Form |
|
Each a party, and together the parties.
Background
This Data Processing Addendum (“Vendor DPA“) sets out the terms, requirements, and conditions on which Vendor will process Personal Data when providing its Services to Employment Hero Pty Ltd and/or its Affiliates (“Employment Hero”) pursuant to the governing agreement for the Services (the “MSA“) entered into between the parties concurrently with, or around the same date as, this Vendor DPA.
The parties agree that the specific details of the processing, including entity names, data categories, and security measures, are those provided by the Vendor in the Procurement Intake Form (“Form”), which is hereby incorporated into this Vendor DPA by reference.
The parties agree:
1. Definitions and interpretation
1.1 Definitions
In this addendum, unless the contrary intention appears:
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Data Protection Legislation means the European Union legislation relating to Personal Data, UK Data Protection Legislation and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).
Data Subject means an individual who is the subject of Personal Data.
Controller means the entity which alone or jointly with others determines the purposes and means of processing of Personal Data, it will be interpreted in accordance with the GDPR and the UK GDPR.
EEA means the European Economic Area.
EU Standard Contractual Clauses means the standard contractual clauses published by the European Commission, reference 2021/914 https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en (or any replacement website of the European Commission) for the transfer of Personal Data to third countries pursuant to the GDPR, including the text from MODULE 2 and MODULE 3 of such clauses and no other modules and not including any clauses marked as optional in the clauses unless otherwise stated and with the specifications in Schedule 1, Annex I, Annex II and Annex III.
GDPR means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.
Personal Data means any information relating to an identified or identifiable natural person that is processed by the Vendor as a result of, or in connection with, the provision of the Services.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Employment Hero’s Personal Data transmitted, stored or otherwise processed.
Processing has the meaning given to it in Data Protection Legislation (the “GDPR” and the “UK GDPR”) and “process”, “processes” and “processed” will be interpreted accordingly.
Processor means an entity which Processes Personal Data on behalf of a Data Controller, it will be interpreted in accordance with the GDPR and the UK GDPR.
Restricted Transfer means (i) where the GDPR applies, a transfer of Personal Data from within the European Economic Area (EEA) to countries outside of the EEA which are not subject to an adequacy decision by the European Commission, where such transfer would be prohibited by Data Protection Laws, and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to countries that are not the subject of adequacy regulations under section 17A of the United Kingdom Data Protection Act of 2018.
Services means Planning, buying and reporting of media on behalf of Employment Hero Ltd
Standard Contractual Clauses means the EU Standard Contractual Clauses and the UK Standard Contractual Clauses.
Sub-processor means other processors engaged by the Vendor to process Personal Data as identified in Annex III of this Vendor DPA (and as may be amended from time to time).
UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
UK GDPR means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).
UK Standard Contractual Clauses means in respect of UK Personal Data, the International Data Transfer Addendum to the EU Standard Contractual Clauses (available on the ICO website at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or any replacement publication made on the website), issued by the Information Commissioner, the parties agree to change the format of the information set out in Part 1 of the addendum so that:
the details of the parties in table 1 of the UK’s International Data Transfer Addendum will be as set out in Annex I;
for the purposes of table 2 of the UK’s International Data Transfer Addendum, the addendum will be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted in this Vendor DPA); and
the appendix information listed in table 3 of the UK’s International Data Transfer addendum is set out in Annex I, Annex II, and Annex III.
2. Processing of Personal Data
2.1 The parties acknowledge that for the purpose of the Data Protection Legislation and this Vendor DPA, Employment Hero is the Controller, and the Vendor is the Processor, except when Employment Hero acts as a Processor, in which case the Vendor is a Sub-processor.
2.2 Annex I of this Vendor DPA describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Vendor may process Personal Data to provide its Services to Employment Hero.
3. The Vendor’s Obligations
3.1 The Vendor will only process the Personal Data to the extent, and in such a manner, as is necessary for carrying out its Services for Employment Hero under the MSA and in accordance with the documented written instructions of Employment Hero. The Vendor will not process the Personal Data for any other purpose or in a way that does not comply with this Vendor DPA or the Data Protection Legislation. The Vendor will immediately notify Employment Hero if, in its opinion, Employment Hero’s instructions would not comply with the Data Protection Legislation.
3.2 Subject to the MSA, the Vendor will promptly comply with any request or instruction made by Employment Hero requiring the Vendor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 The Vendor will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless Employment Hero, the MSA or this Vendor DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator, or supervisory authority requires the Vendor to process or disclose Personal Data, the Vendor will first use its reasonable endeavours to inform Employment Hero of the legal or regulatory requirement and give Employment Hero an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4 The Vendor will take reasonable steps to ensure that all its employees are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data.
3.5 The Vendor will reasonably assist Employment Hero with meeting its compliance obligations under the Data Protection Legislation, taking into account the nature of the Vendor’s processing activities and the information available to the Vendor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
3.6 The Vendor will promptly notify Employment Hero of any changes to Data Protection Legislation that may adversely affect the Vendor’s performance of the Services.
3.7 Artificial Intelligence and Model Training. To the extent that the Services utilise any artificial intelligence or machine learning technologies (collectively, “AI Technologies”), the following will apply:
- Training Prohibition: The Vendor must not use, nor permit any third party or Sub-processor to use, any Personal Data to train, retrain, fine-tune, or improve any AI Technologies, algorithms, or machine learning models.
- Third-Party APIs: If the Vendor routes Personal Data through third-party AI infrastructure providers, the Vendor must reasonably ensure such data is processed on an enterprise-grade “zero-data retention” or “opt-out of model training” basis.
- Scope: Processing of Personal Data via AI Technologies is permitted solely to deliver the immediate Services to Employment Hero under the MSA. If the Services do not involve AI Technologies, this clause shall be disregarded.
4. Data Subject Requests
4.1 At the request of Employment Hero, the Vendor will take such technical and organisational measures as may be appropriate to enable Employment Hero to satisfy the Data Subjects requests and comply with the related rights held by Data Subjects under the Data Protection Legislation.
4.2 The Vendor must promptly notify Employment Hero if it receives a request from a Data Subject in respect of that Data Subject’s Personal Data, or to exercise their related rights under the Data Protection Legislation and will give Employment Hero its full co-operation and assistance in responding to any Data Subject request.
4.3 The Vendor must not respond to any such Data Subject requests without Employment Hero’s prior written consent except to confirm that the request relates to Employment Hero.
5. Security
5.1 The Vendor must have in place appropriate technical and organisational measures as further described in Annex II of this Vendor DPA to safeguard Personal Data for the protection of the security, confidentiality, and integrity of such data and for the purpose of preventing unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
5.2 The Vendor will maintain an up-to-date written record of its then current security measures, which it must provide to Employment Hero on request, and review at least on an annual basis to ensure they remain current and complete.
5.3 The Vendor will provide Employment Hero with reasonable assistance as necessary to enable Employment Hero to comply with its obligations under Article 32 of the GDPR (security of processing), taking into account the nature of processing and the information available to the Vendor.
6. Personal Data Breach
6.1 The Vendor will notify Employment Hero if any of the Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Vendor will restore such Personal Data at its own expense.
6.2 The Vendor will notify Employment Hero without undue delay, of:
any accidental, unauthorised, or unlawful processing of Employment Hero’s Personal Data; or
any Personal Data Breach relating to Employment Hero’s Personal Data.
6.3 Where the Vendor becomes aware of an event within the scope of clause 6.2, it must, without undue delay, also provide Employment Hero with the following:
a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
the likely consequences of the event; and
a description of the measures taken or proposed to be taken to address such an event, including measures to mitigate its possible adverse effects.
6.4 The Vendor must reasonably cooperate with Employment Hero to assist Employment Hero in complying with the Data Protection Legislation with respect to notifying the supervisory authority and the Data Subjects affected by the Personal Data Breach.
7. International Data Transfers
7.1 The parties agree that where a Restricted Transfer of Personal Data is made from the EEA, the EU Standard Contractual Clauses will govern such transfer of Personal Data.
7.2 The parties agree that where a Restricted Transfer is made from the UK, the UK Standard Contractual Clauses will govern such transfer of Personal Data.
7.3 Schedule 1, Annex I and Annex II of this Vendor DPA provides the specifications of the Standard Contractual Clauses that will govern any Restricted Transfer.
7.4 Employment Hero authorises the Vendor to enter into the Standard Contractual Clauses with its Sub-processors on Employment Hero’s behalf, if required to ensure the relevant Processing of Personal Data complies with Data Protection Legislation. The Vendor will make the executed Standard Contractual Clauses available to Employment Hero on written request.
8. Sub-processors
8.1 The Vendor can only authorise a Sub-processor to process the Personal Data if:
Employment Hero is provided written notice of the appointment of the Sub-processor and is provided with an opportunity to make a good faith objection to the appointment of the Sub-processor within 30 days’ of being notified of the forthcoming changes to the Vendor’s Sub-processors;
the Sub-processors provided in Annex III of this Vendor DPA are deemed to be already approved by Employment Hero, subject to the terms of this Vendor DPA;
the Vendor enters into a written contract with the Sub-processor that contains terms reasonably similar to those set out in this Vendor DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Employment Hero’s written request, provides Employment Hero with copies of such contracts (subject to redaction of any confidential information); and
the Vendor maintains control over all Personal Data it entrusts to the Sub-processor.
9. Audits and Inspections
9.1 The Vendor must make available to Employment Hero all information necessary to demonstrate compliance with its obligations under this Vendor DPA, provided that Employment Hero exercises such audit rights by giving at least 30 days prior written notice of the proposed audit.
9.2 Upon Employment Hero’s written request, the Vendor will exercise relevant audit rights it has against its Sub-processors’ in connection with such Sub-processors’ obligations regarding Employment Hero’s Personal Data and provide Employment Hero with a summary of the audit results.
10. Return or Deletion of Personal Data
10.1 Upon termination or expiration of the MSA, or at Employment Hero’s request, the Vendor will either return to Employment Hero, or delete, the Personal Data within 30 days of receiving such request.
10.2 The obligations to return or delete Personal Data under this clause will not apply to the extent any law, regulation, or government or regulatory body requires the Vendor to retain any documents or materials that the Vendor would otherwise be required to return or destroy.
10.3 The Vendor will provide Employment Hero with a certification confirming deletion on request.
11. Limitation of Liability
11.1 Employment Hero’s total liability pursuant to this Vendor DPA will be limited to the liability cap in the MSA.
11.2 The Vendor’s total liability pursuant to this Vendor DPA will be limited to the liability cap in the MSA other than for a Personal Data Breach. The parties agree and acknowledge that the Vendor’s liability arising under the Vendor DPA for a Personal Data Breach and any and all actual losses, damages, costs, expenses, claims, fines or penalties issued or imposed by a supervisory authority, regulator or governing body, or by a court (or settlement of such claim with the consent of Employment Hero) will not exceed three times the liability cap in the MSA.
12. Miscellaneous
12.1 This Vendor DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the MSA, unless required otherwise by applicable Data Protection Legislation.
12.2 Neither party can assign this Vendor DPA without the written approval of the other party.
12.3 Any amendments to this Vendor DPA must be agreed in writing between the parties.
12.4 In the event of any conflict or inconsistency between the MSA, this Vendor DPA along with any of its Schedules (not including the specifications of the Standard Contractual Clauses), and the Standard Contractual Clauses specified in Schedule 1, the order of priority will be as follows:
Standard Contractual Clauses (unless this would result in the invalidity of this Vendor DPA under Data Protection Laws, in which case the relevant term(s) of this Vendor DPA will prevail);
this Vendor DPA; and
the MSA.
12.5 If a party fails to enforce a right under this Vendor DPA, that does not constitute a waiver of any rights held by that party under this Vendor DPA.
Schedule 1 – EU Standard Contractual Clauses
The parties agree the following specifications with respect to the Standard Contractual Clauses, including the attached Annexes.
- Clause 9 – Use of sub-processors
MODULE TWO and MODULE THREE
As set out at clause 8. The provisions of OPTION 2: GENERAL WRITTEN AUTHORISATION. - Clause 17 – Governing Law
MODULE TWO and MODULE THREE
The parties agree that the Standard Contractual Clauses will be governed by the laws of the Republic of Ireland. - Clause 18 – Choice of Forum and Jurisdiction
MODULE TWO and MODULE THREE
Any disputes arising from the Standard Contractual Clauses will be resolved in the courts of the Republic of Ireland.
Annex I – Details of Processing
1. The Parties
a. Data Exporter:
Name: Employment Hero UK Ltd and its Affiliates
Address: 10 John Street, London, United Kingdom, WC1N 2EB
Contact person’s name, position, and contact details
Name: Dineth Samarasinghe
Position: Legal Counsel – Lead Product + Privacy
Email: privacy@employmenthero.com
b. Data Exporter:
Name: as specified in the “Data Importer Details” section of the Form
Address: as specified in the Form.
Contact person’s name, position, and contact details
Name: as specified in the “Data Importer Details” section of the Form.
Position: as specified in the “Data Importer Details” section of the Form.
Email: as specified in the “Data Importer Details” section of the Form.
Phone Number: as specified in the “Data Importer Details” section of the Form.
2. Description of Transfer
MODULE TWO and MODULE THREE
2.1 Nature of the processing: Personal Data will be used by the Vendor to carry out the Services.
2.2 Purpose of the processing: The provision of the Services.
2.3 Categories of Data Subjects: Employment Hero’s employees, customers and platform users.
2.4 Categories of Personal Data transferred: As specified by the Vendor in the “Data Privacy” section of the Form. In the absence of such specification, the categories will include those listed in the MSA or standard service documentation.
2.5 Frequency of the transfer: As specified by the Vendor in the “Data Privacy” section of the Form
2.6 Duration of the processing: For the term of the MSA.
2.7 Subject matter, nature and duration of processing by Sub-processors: As specified by the Vendor in the “Subprocessors” section of the Form. In the absence of such specification, the subject matter, nature and duration of processing by each Sub-processor will be the same as set out above for the Vendor’s own processing.
3. Competent Supervisory Authority
Irish Data Protection Commission
21 Fitzwilliam Square
South Dublin 2
Republic of Ireland
D02 RD28
dpo@dataprotection.ie
Annex II – Technical and Organisational Measures
MODULE TWO and MODULE THREE
The Vendor will implement and maintain the technical and organisational security measures as specified in the “Technical Measures” section of the Form submitted by the Vendor in connection with this Vendor DPA.
In addition to the above, the Vendor will, at a minimum, maintain the security standards required by the MSA and the Data Protection Legislation. If the Vendor maintains a formal security policy or holds certifications (e.g., ISO 27001, SOC 2) as disclosed in the Form, those documents are incorporated into this Annex by reference.
Annex III – Sub-processors
The list of Sub-processors provided by the Vendor in the “Subprocessors” section of the Form.



















