Overview

Background

1. Definition

1.1 Clarifications for this DPA

2. Data processing terms

2.1 General data processing terms

  1. process Customer Personal Data only in accordance with your instructions as established in the Agreement or as you have provided to us in writing from time to time, given that these instructions are reasonable and subject to our right to charge additional sums at our current rates should the scope of the agreed services be exceeded. In addition to this, we may:
    1. process Customer Personal Data as required under Applicable Law and take reasonable steps to inform you of such a requirement before processing the data, unless the law prohibits this; and
    2. process Customer Personal Data when analysing and/or providing support in relation to the Services, and carrying out measures to further develop and improve the Services for our customer base as a part of the ongoing delivery of Services, provided that necessary safety measures are put in place as may be required by Applicable Law;
  2. promptly notify you, if in our opinion, an instruction given to us by you infringes Data Protection Law;
  3. where applicable, make sure that access to Customer Personal Data is given to our (or our Sub-Processors’) personnel who are contractually bound to respect the confidentiality of this type of Customer Personal Data;
  4. implement appropriate technical and organisational measures to protect against unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures will be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage, or theft of Customer Personal Data, and having regard to the nature of the Customer Personal Data which is to be protected and is set forth in Schedule 1 of this DPA. You acknowledge that we may change the security measures through the adoption of new or enhanced security technologies, and you authorise us to make such changes provided that they do not materially diminish the level of protection. We make information about our most up-to-date security measures applicable to the Services available here;
  5. at your reasonable request and at your cost, to the extent that this is possible, assist you with your obligations to respond to requests from Data Subjects of Customer Personal Data looking to exercise their rights under Data Protection Law (to the extent that the Customer Personal Data is not accessible to you through the Services provided under the Agreement);
  6. at your reasonable request and at your cost, taking into account the nature of the processing and the information available to us, assist you with your obligations under Articles 32 to 36 of the GDPR; and
  7. at your written request, delete or return to you any Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Law requires storage of the Customer Personal Data.

2.2 Sub-Processors

2.3 International transfer mechanisms

International Data Transfers Out Of The EEA, UK And/Or Switzerland: Obligations
Customer (as Controller) to Employment Hero Affiliate (EEA, and/or Switzerland to Relevant Countries): If we (acting as a Processor) are based outside of the EEA, United Kingdom and/or Switzerland, and transfer of Customer Personal Data is made by you out of the EEA, United Kingdom and/or Switzerland to our Affiliates located in Relevant Countries, this transfer will be governed by Module Two (Controller-to-Processor) of the Standard Contractual Clauses, if you act as a Controller.
Customer (as Processor) to Employment Hero Affiliate (EEA, and/or Switzerland to Relevant Countries): If we (acting as a Processor) are based outside of the EEA, United Kingdom and/or Switzerland, and transfer of Customer Personal Data is made by you out of the EEA, United Kingdom and/or Switzerland to our Affiliates located in Relevant Countries, this transfer will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses, if you act as a Processor.
Customer to Employment Hero Affiliate (United Kingdom to Relevant Countries): Transfers of Customer Personal Data out of the United Kingdom to our Affiliates (acting as sub-processors) located in Relevant Countries, will be governed by the applicable Module of the Standard Contractual Clauses as described in the two columns above (amended by the UK Addendum).
Employment Hero to Employment Hero Affiliate (United Kingdom to Relevant Countries): If we (acting as a Processor) are based within the United Kingdom, transfers of Customer Personal Data out of the United Kingdom to our Affiliates (acting as sub-processors) located in Relevant Countries, will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses as amended by the UK Addendum.
Employment Hero to Employment Hero Affiliate (EEA and/or Switzerland to Relevant Countries): If we (acting as a Processor) are based within the EEA, and/or Switzerland, transfers of Customer Personal Data out of the EEA, and/or Switzerland to our Affiliates (acting as sub-processors) located in Relevant Countries, will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses.
Employment Hero to Sub-Processor: Transfers of Customer Personal Data out of the EEA, United Kingdom and/or Switzerland to our third-party Sub-Processors will be governed by data processing agreements, incorporating the Standard Contractual Clauses (as amended by the UK Addendum where applicable), that have been executed by us at a global level with the third-party Sub-Processors.
  1. Clause 9 OPTION 2: where applicable, general written authorisation will be required for the engagement of new Sub-Processors, subject to clause 2.2 of this DPA;
  2. Clause 17 (Governing law): the clauses will be governed by the laws of the Republic of Ireland; and
  3. Clause 18 (Choice of forum and jurisdiction): the courts of the Republic of Ireland will have jurisdiction.

2.4 Data Breach

2.5 Audits and inspections

2.6 Return or deletion of Personal Data

2.7 Limitation on liability

2.8 Other general terms

Schedule 1 – Data Processing Information

Nature and purpose of processing operations

  • Employment Hero HR and Payroll platform;
  • Managed Payroll services;
  • Applicant Tracking System; and
  • Global Teams Employer of Record services (if we act as a Processor)

Categories of data subject

You (the Customers), Users including employees, contractors, applicants and other persons authorised to use the Services by a Customer of the Services provided by us and our Affiliates.

Categories of data

  • Business account information including business name and details, logos and information relating to representatives of the business;
  • Individual account information including name, date of birth, age, gender, sex, marital status, profile photo;
  • Contact information including residential and/or postal address, email address, telephone number, and social media handles;
  • Payroll information including information relating to payroll processing, salary and other compensation, timesheets and bank account information;
  • General business information including information relating to employees’ and the business’s goals, accomplishments, training and development, awards and performance, feedback and reviews, onboarding and offboarding details, and implementation process information;
  • Employment related information including occupation or job title, information relating to current and former employers, key dates relating to the current role and/or past roles, superannuation information, salary and/or pension details including documents such as payslips and payment summaries, timesheets, performance reviews and workplace engagement information, workplace issues and incident information, citizenship and visa status for work eligibility purposes, emergency contact information, and tax information;
  • Recruitment related information including job vacancy details, profile photo, company details relevant to the job posting such as work location and contact emails, and the name and contact details of any personnel involved in the recruitment process; and
  • Job application related information including name, contact email, job seeker profiles, CV, cover letter, profile photo, work preferences, salary expectations, education history, work history, qualifications, languages, and references.
  • You or users of the Services may submit Special Category Personal Data to the platform or app at their discretion, or we may collect such data with prior consent for the purpose of providing its Services to you or relevant end-users. 
  • This data primarily includes:
    • sensitive information provided in compliance documentation stored on the Services by you or end-users;
    • ID documents and information provided within such documents that may include details about ethnicity or race, religious beliefs;
    • health information such as disability information, health status relevant to administration of long-term disability or other medical benefit programs, vaccination history, medical reports, return to work/adjustment reports and workplace injury reports; and
    • work eligibility information such as immigration status, visa status and details, and criminal history and background.

Duration of Processing

Schedule 2 – Technical and Organisational Measures

Schedule 3 – Annexes to the EU SCCs and Appendices to the UK SCCs

Annex I/ Appendix 1:

A: List of parties

B: Description of transfers

Purpose of Processing: See Schedule 1 above.

Categories of Data Subjects: See Schedule 1 above.

Categories of Personal data Transferred: See Schedule 1 above.

Sensitive data transferred (if applicable): See Schedule 1 above.

Frequency of transfer: Continuous.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU standard contractual clauses only): in accordance with relevant data retention/deletion obligations.

C: Competent supervisory authority

South Dublin 2

Republic of Ireland

D02 RD28

Annex II/ Appendix 2: Technical and organisational measures

Annex III of the EU Standard Contractual Clauses

List of Employment Hero Affiliates

Republic of Ireland