This Data Processing Addendum forms part of the written or electronic agreement(s) between the Customer and Employment Hero for the Employment Hero Platform and/or the Employment Hero Payroll Platform (the “Agreement”), to reflect the parties’ agreement with regard to the processing of personal data.
- Definitions and interpretation
- In this Data Processing Addendum:
“Affiliates” shall mean any corporation or other business entity controlling, controlled by or under common control with Employment Hero. A current list of Affiliates is available at https://employmenthero.com/privacy/subprocessors
“Applicable Laws” means all laws, regulations, orders, rules, judgments, directives, industry agreements or determinations in force from time to time applicable to a party and relevant to the Agreement or this Data Processing Addendum, including, without limitation, European Data Protection Law;
“Customer” means the specific party which has entered into the Agreement with Employment Hero;
“Customer Personal Data” means Personal Data in respect of which Customer is the Data Controller and Employment Hero is the Data Processor; but which excludes Personal Data held for Hero Passport for which Employment Hero is Data Controller;
“Data Controller” means the entity which alone or jointly with others determines the purposes and means of Processing of Personal Data;
“Data Processor” means an entity which Processes Personal Data on behalf of a Data Controller;
“Data Subject” has the meaning given to it in European Data Protection Law;
“EEA” means the European Economic Area;
“European Data Protection Law” means GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, the GDPR and any amendments to or replacements for such laws and regulations;
“GDPR” means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679; and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union;
“Employment Hero” means Employment Hero Pty Ltd or the relevant Employment Hero Affiliate which has entered into the Agreement with the Customer for the provision of Services;
“Personal Data” means any information relating to an identified or identifiable natural person and an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing” has the meaning given to it in European Data Protection Law and “process”, “processes” and “processed” will be interpreted accordingly;
“Relevant Country” means all countries other than those (a) within the EEA and (b) countries in respect of which an adequacy finding under Article 25(6) of the European Data Protection Directive or Article 45 of the GDPR has been given;
“Services” means services provided by Employment Hero under the Agreement;
“Standard Contractual Clauses” means the agreement executed by and between the Customer and Employment Hero Pty Ltd attached hereto as Attachment 1 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. These Clauses have been presigned by Employment Hero Pty Ltd on its own behalf and on behalf of its Affiliates who are established outside of the EEA and the United Kingdom; and
“Sub-Processor” means any entity which is engaged by Employment Hero or by any other sub-processor of Employment Hero who receives Customer Personal Data for processing activities to be carried out on behalf of Customer;
- In this Data Processing Addendum:
- any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms; and
- references to Clauses and Schedules are, unless otherwise stated, references to the clauses of, and schedules to, this Data Processing Addendum; and
- references to this Data Processing Addendum or any other agreement or document are to this Data Processing Addendum or such other agreement or document as it may be varied, amended, supplemented, restated, renewed, novated or replaced from time to time.
- DATA PROCESSING TERMS
- The Parties acknowledge that the Customer is the Data Controller and Employment Hero is a Data Processor of Customer Personal Data.
- This Data Processing Addendum only applies to the processing of Customer Personal Data by Employment Hero in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Personal Data processed are set out in Schedule 1 hereto. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in the “processing activities” section of Schedule 1 hereto. Employment Hero shall process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by Applicable Law).
- Each party warrants that in relation to this Data Processing Addendum, it is compliant with and will remain compliant with all Applicable Laws. Customer shall ensure that it has provided notice to data subjects and that there is a valid lawful basis under European Data Protection Laws for all Customer Personal Data that is disclosed to Employment Hero in connection with the Agreement for the data processing activities envisaged by the Agreement and this Addendum.
- Notwithstanding anything to the contrary in the Agreement, in relation to Customer Personal Data, Employment Hero shall:
- process Customer Personal Data only in accordance with the Customer’s instructions as established in the Agreement or as provided in writing by the Customer from time to time, provided such instructions are reasonable and subject to Employment Hero’s right to charge additional sums at its current rates should the scope of the agreed services be exceeded. Notwithstanding the foregoing, Employment Hero may process Customer Personal Data as required under Applicable Laws. In this situation, Employment Hero will take reasonable steps to inform the Customer of such a requirement before Employment Hero processes the data, unless the law prohibits this;
- notify Customer immediately, if in Employment Hero’s opinion, an instruction from the Customer infringes European Data Protection Law;
- ensure only its (or its Sub-Processors’) personnel who are contractually bound to respect the confidentiality of Customer Personal Data shall have access to the same;
- implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected and shall be as set forth in Schedule 1. Customer acknowledges that Employment Hero may change the security measures through the adoption of new or enhanced security technologies and authorises Employment Hero to make such changes provided that they do not materially diminish the level of protection. Employment Hero shall make information about the most up to date security measures applicable to the Services available at https://employmenthero.zendesk.com/hc/en-au/articles/360001054196-Security-processes;
- at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer’s obligation to respond to requests from Data Subjects of Customer Personal Data seeking to exercise their rights under European Data Protection Law (to the extent that the Customer Personal Data is not accessible to the Customer through the Services provided under the Agreement);
- at the Customer’s reasonable request and at the Customer’s cost, taking into account the nature of processing and the information available to Employment Hero, assist the Customer with its obligations under Articles 32 to 36 of the GDPR; and
- upon request by the Customer, delete or return to the Customer any such Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Laws require storage of the Customer Personal Data. Unless otherwise provided in the Agreement, Employment Hero reserves the right to charge for such deletion or return of such Customer Personal Data. Customer acknowledges and agrees that Employment Hero may use Customer Personal Data for analytics, research, development and product improvement purposes.
- The Customer agrees that Employment Hero may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in the ‘Processing activities’ section of the Appendix to the Agreement, provided that Employment Hero complies with the provisions of this Clause. Employment Hero shall remain responsible for its Sub-Processor’s compliance with the obligations of this Data Processing Addendum. Employment Hero shall ensure that any Sub-Processors to whom Employment Hero transfers Customer Personal Data enter into written agreements with Employment Hero requiring that the subcontractor abide by terms no less protective, in any material respect, than this Data Processing Addendum. A current list of Sub-Processors approved as at the date of this Data Processing Addendum is available at https://employmenthero.com/privacy/subprocessors. Employment Hero can at any time and without justification appoint a new Sub-processor provided that the Customer is given fifteen (15) days’ prior written notice and the Customer does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor’s non-compliance with applicable European Data Protection Law. If Employment Hero is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Services which cannot be provided by Employment Hero without the use of the objected-to new Sub-Processor by providing written notice to Employment Hero. Employment Hero will refund Customer any prepaid fees covering the remainder of the term of the Services following the effective date of termination with respect to such terminated Services.
- The Customer acknowledges that as part of the Services the Customer Personal Data may be located in or accessed from Australia or another Relevant Country. Where this involves Employment Hero or its Affiliates, the Standard Contractual Clauses in Attachment 1 of this Data Processing Addendum will apply in addition to the terms of this Data Processing Addendum. For other Sub-Processors based in Relevant Countries, the parties shall take steps to ensure that there is adequate protection for any such transfers of Customer Personal Data as defined in European Data Protection Laws. Where the Standard Contractual Clauses apply, the Customer acknowledges the following:
- Instructions: For the purposes of Clause 5(a) of the Standard Contractual Clauses, processing in accordance with the Agreement or as provided in writing by the Customer from time to time (subject to the data importer’s right to charge additional sums at its current rates should the scope of the agreed services be exceeded) is deemed to be an instruction by the Customer to process Customer Personal Data;
- Sub-Processors: Pursuant to Clause 5(h) of the Standard Contractual Clauses the Customer acknowledges that data importer may engage third party Sub-processors in connection with the provision of the Services and that Employment Hero shall make available to the Customer the current list of all Sub-processors as set out in Clause 2.5 above. Employment Hero will notify the Customer of any new Sub-processors engaged by the data importer as set out in Clause 2.5 above;
- Copies of Sub-Processor Agreements. The Customer agrees that copies of any Sub-processor agreements that must be provided to the Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent removed by the data importer beforehand; and that such copies will be provided by the data importer in a manner to be determined in its discretion, only upon request by the Customer via email to firstname.lastname@example.org;
- Audits: The Customer agrees that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Clauses 2.7-2.9 below;
- Certification of Deletion: To the extent applicable and required, the parties agree that the certification of deletion of personal data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by the data importer only upon the Customer’s written request via email to email@example.com; and
- Conflict: In the event of any conflict or inconsistency between the body of this Data Processing Addendum and any of its Schedules (not including the Standard Contractual Clauses) and the Standard Contractual Clauses in Attachment 1, the Standard Contractual Clauses will prevail (unless this would result in the invalidity of this Data Processing Addendum under European Data Protection Laws, in which case the relevant term(s) of this Data Processing Addendum shall prevail).
- Employment Hero shall notify the Customer, without undue delay, if Employment Hero becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by Employment Hero (“Security Incident”) and take such steps as the Customer may reasonably require, within the timescales reasonably required by the Customer, to remedy the Security Incident and provide such further information as the Customer may reasonably require. Employment Hero’s assistance under this Clause 2.6 shall be chargeable, as incurred, at Employment Hero’s then current rates unless and to the extent that the Customer demonstrates that such assistance is required because of a failure by Employment Hero to comply with the obligations under this Data Processing Addendum.
- Employment Hero shall audit the security of the computers and computing environment that it uses in processing Customer Personal Data and the physical locations from which it processes Customer Personal Data (including that of its Sub-Processors). This audit: (a) will be performed at least annually; and (b) may be performed by independent third-party security professionals at Employment Hero’s selection and expense.
- Employment Hero shall respond, no more frequently than annually, to any reasonable security questionnaire provided by Customer which seeks to assist Customer’s assessment of Employment Hero’s compliance with the security obligations under this Data Processing Addendum. Such security questionnaire may request copies of any third-party compliance certificates or audit reports (or equivalent) held by Employment Hero and which may be applicable to the Services. The responses to such questionnaire and any supporting evidence provided by Employment Hero shall be considered confidential information of Employment Hero.
- If the Customer desires to change this instruction regarding exercising the audit right or the provision of information in order to demonstrate compliance with Article 28 of the GDPR, then the Customer has the right to change this instruction to the extent so required to ensure compliance, which shall be requested in writing via email to firstname.lastname@example.org, provided that Employment Hero shall have no obligation to provide commercially confidential information.
- If the Customer’s request for information or access relates to a sub-processor, or information held by a sub-processor which Employment Hero cannot provide to the Customer itself, Employment Hero will promptly submit a request for additional information in writing to the relevant sub-processor(s). The Customer acknowledges that access to the sub-processor’s premises or to information about the sub-processor’s previous independent audit reports is subject to agreement from the relevant sub-processor, and that Employment Hero cannot guarantee access to that sub-processor’s premises or audit information at any particular time, or at all.
- The parties acknowledge and agree that any liability arising under this Addendum is subject to the liability sections of the Agreement (including as applicable Section 12 and 13 of the Employment Hero Platform Terms and Conditions and/or Section 7 of the Employment Hero Payroll Terms and Conditions).