This Data Processing Addendum is current as of 19 July 2024 and explains our data processing activities carried out as a Data Processor on behalf of our Customers.
It is important for users of the Swag app to know that ‘Swag’ is a brand created by Employment Hero, and this Data Processing Addendum also applies to relevant data processing activities carried out on behalf of Customers of the Swag app.
Previous versions of this document can be found here.
Background
This Data Processing Addendum (‘DPA’) forms part of the agreement between Employment Hero (and its Affiliates, including Employment Innovations entities) (‘us’, ‘we’, or ‘our’) and our Customers (‘you’ or ‘your’). It reflects our agreement with you regarding the processing of your Customer Personal Data and acts as an addendum to the Employment Hero Platform Terms and Conditions, and/or any other terms and conditions found here that you agree to when receiving Services from us (the ‘Agreement’).
When you enter into the Agreement, including this DPA, you do so to receive our Services, including the use of the Employment Hero Platform and/or the Swag app.
1. Definitions
In this DPA:
Affiliates means any corporation or other business entity controlling, controlled by or under common control with Employment Hero Pty Ltd. A current list of Affiliates is available here;
Applicable Law means all laws, regulations, orders, rules, judgments, directives, industry agreements or determinations in force from time to time applicable to a party and relevant to the Agreement or this DPA, including, without limitation the GDPR and the UK GDPR;
Customer means you, the specific party which has entered into the Agreement with us;
Customer Personal Data means Personal Data in respect of which you are the Data Controller, and we are the Data Processor; but which excludes Personal Data processed by us when acting as a Data Controller;
Data Controller means the entity which alone or jointly with others determines the purposes and means of Processing of Personal Data, and will be interpreted in accordance with the GDPR and the UK GDPR;
Data Processor means an entity which Processes Personal Data on behalf of a Data Controller, and will be interpreted in accordance with the GDPR and the UK GDPR;
Data Protection Law means the GDPR, the UK GDPR, Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, any other privacy and data protection laws that may be applicable to the parties (including data privacy laws that are specific to the region in which you or our relevant Affiliate entity is based), and any amendments to or replacements of such laws and regulations;
Data Subject has the meaning given to it in the GDPR and the UK GDPR;
EEA means the European Economic Area;
GDPR means in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679; and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union;
Employment Hero means Employment Hero Pty Ltd, Employment Hero (UK) Ltd or the relevant Employment Hero Affiliate which has entered into the Agreement with you for the provision of the Services;
Personal Data means any information relating to an identified or identifiable natural person and an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing has the meaning given to it in Data Protection Law (the ‘GDPR’ and the ‘UK GDPR’) and ‘process’, ‘processes’ and ‘processed’ will be interpreted accordingly;
Relevant Country means all countries other than (a) those within the EEA and (b) countries in respect of which an adequacy finding under Article 25(6) of the European Data Protection Directive or Article 45 of the GDPR has been given;
Services means the provision of cloud-based and artificial intelligence powered human resources and payroll software services, Managed Payroll services, Global Teams Employer of Record services where we act on behalf of our Customer, Applicant Tracking System (ATS), financial services products, and/or other products and services provided by us and/or our Affiliates under the Agreement through our websites, platforms and apps where we act in the capacity of a Data Processor;
Standard Contractual Clauses mean:
- in respect of EU Personal Data, the EU Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 and made available on the European Commission website (or any replacement publication made on the website), including the text from modules two and three of such clauses and not including any clauses marked as optional (‘EU Standard Contractual Clauses’);
- in respect of UK Personal Data:
- the International Data Transfer Addendum to the EU Standard Contractual Clauses (‘UK Addendum’) made available on the ICO website (or any replacement publication made on the website), issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 but, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
- the details of the parties in table 1 of the UK Addendum will be as set out in Schedule 3 (with no requirement for signature);
- for the purposes of table 2 of the UK Addendum, the UK Addendum will be appended to the EU Standard Contractual Clauses (including the selection of modules and non-application of optional clauses as noted above); and
- the appendix information listed in table 3 of the UK Addendum is set out in Schedule 3.
Swag app means the mobile application and its services provided to you (Customers and Users) under our ‘Swag’ brand.
Sub-Processor means any entity which is engaged by us, or by any other sub-processor of ours, and which may access or process Customer Personal Data;
UK GDPR means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);
User means individual users of the Services including employees of your organisation.
1.1 Clarifications for this DPA
1.1.1 any words following the terms “like”, “include”, “for example” or any similar expression will be construed as illustrative and will not limit the sense of the words, description, definition, phrase or term preceding those terms;
1.1.2 references to Clauses and Schedules are, unless otherwise stated, references to the clauses of, and schedules to, this DPA; and
1.1.3 references to this DPA or any other agreement or document are to this DPA or such other agreement or document as it may be varied, amended, supplemented, restated, renewed, novated, or replaced from time to time.
2. Data processing terms
2.1 General data processing terms
2.1.1 Roles of the parties: You are the Data Controller and we are the Data Processor of the Customer Personal Data. We require certain Personal Data to set up and manage your account on our platforms and apps and to provide Services under the Agreement. We may also provide specific services and support relating to individuals where we determine the purposes for which, and the means by which, the Personal Data is processed, and in these cases we will process Personal Data as a Data Controller.
2.1.2 Scope of this DPA: This DPA only applies to the processing of Customer Personal Data by us in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Personal Data processed are set out in Schedule 1 of this DPA. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in Schedule 1 of this DPA. We may process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by Applicable Law).
2.1.3 Legal compliance obligation: Each party agrees that, in relation to this DPA, it is compliant with, and will remain compliant with, all Applicable Law. You will make sure that you have provided notice to Data Subjects of the data processing activities carried out under this DPA. If you are based in the UK and/or the EU, you will make sure that there is a valid lawful basis under the UK GDPR and/or GDPR for all Customer Personal Data that is disclosed in connection with the Agreement for the data processing activities envisaged by the Agreement.
2.1.4 Our rights and responsibilities: Subject to anything to the contrary in the Agreement, in relation to Customer Personal Data, we will:
a. process Customer Personal Data only in accordance with your instructions as established in the Agreement or as you have provided to us in writing from time to time, provided that these instructions are reasonable and subject to our right to charge additional sums at our current rates should the scope of the agreed services be exceeded. In addition to this, we may:
i. process Customer Personal Data as required under Applicable Law and take reasonable steps to inform you of such a requirement before processing the data, unless the law prohibits this; and
ii. process Customer Personal Data when analysing and/or providing support in relation to the Services, and carrying out measures to further develop and improve the Services for our customer base as a part of the ongoing delivery of Services, provided that necessary safety measures are put in place as may be required by Applicable Law;
b. promptly notify you if, in our opinion, an instruction given to us by you infringes Data Protection Law;
c. where applicable, make sure that access to Customer Personal Data is given only to our (or our Sub-Processors’) personnel who are contractually bound to respect the confidentiality of such Customer Personal Data;
d. implement appropriate technical and organisational measures to protect against unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures will be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage, or theft of Customer Personal Data, having regard to the nature of the Customer Personal Data to be protected as set forth in Schedule 1 of this DPA. You acknowledge that we may change the security measures through the adoption of new or enhanced security technologies, and you authorise us to make such changes provided that they do not materially diminish the level of protection. We make information about our most up-to-date security measures applicable to the Services available here;
e. at your reasonable request and at your cost, to the extent that this is possible, assist you with your obligations to respond to requests from Data Subjects of Customer Personal Data seeking to exercise their rights under Data Protection Law (to the extent that the Customer Personal Data is not accessible to you through the Services provided under the Agreement);
f. at your reasonable request and at your cost, taking into account the nature of the processing and the information available to us, assist you with your obligations under Articles 32 to 36 of the GDPR; and
g. at your written request, delete or return to you any Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Law requires storage of the Customer Personal Data.
2.1.5 Data storage: Personal Data that we hold will be stored and managed on secure data centres in Australia and Ireland by a third-party storage provider.
2.2 Sub-Processors
2.2.1 Appointment of Sub-Processors: You agree that we may transfer Customer Personal Data, or give access to Customer Personal Data, to Sub-Processors for the purposes of providing the Services or other purposes identified in Schedule 1 of this DPA, provided that we comply with our obligations under this section of the DPA. We will remain responsible for our Sub-Processors’ compliance with the obligations of this DPA. We will make sure that any Sub-Processors to whom we transfer Customer Personal Data enter into written agreements with us requiring them to agree to terms no less protective, in any material respect, than this DPA.
2.2.2 List of current Sub-Processors and notice of updates to the list: A current list of Sub-Processors is available here and is deemed to be pre-approved by you. We can at any time and without justification either appoint a new Sub-Processor, or remove or change an existing Sub-Processor. If you subscribe to updates regarding the Sub-Processor list by emailing privacy@employmenthero.com, you will be given prior written notice of additions to the Sub-Processor list by email, or via the Employment Hero Platform and Swag app. We recommend that you occasionally check our website, platforms, or apps for communications concerning updates to the Sub-Processor list.
2.2.3 Objections to Sub-Processors: If you do not legitimately object to changes to the Sub-Processor list within 30 days of being notified of a new Sub-Processor, the Sub-Processor list update is considered to be approved by you. Legitimate objections to the Sub-Processor list update must contain reasonable and documented data protection grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Law. In the event that you reasonably object to a new Sub-Processor, we will use reasonable efforts to make available to you a change in the Services or recommend a commercially reasonable change to your use of the Services. This will be done to avoid processing of Personal Data by the new Sub-Processor to whom you object without unreasonably burdening you. If we are unable to make these types of changes available to you within a reasonable period of time, which will not exceed 60 days, you may, subject to the terms of the Agreement and by written notice to us, terminate the applicable Services that cannot be provided by us without the use of the objected-to new Sub-Processor.
2.2.4 Access to our agreements with Sub-Processors: We may provide you with a copy of our agreements with Sub-Processors (subject to redaction of any confidential information and this being reasonable for us to do). These copies may be provided by us in a manner to be determined by us, only upon the written request by you via email to privacy@employmenthero.com, and at your sole expense.
2.3 International transfer mechanisms
2.3.1 If you are an EU or UK Customer, you acknowledge that, in relation to providing the Services, Customer Personal Data may be transferred to, or accessed from, Australia or another Relevant Country. Where such a transfer occurs, the Standard Contractual Clauses as specified in Schedule 3 of this DPA will apply and be incorporated as part of this DPA, with application of the UK Addendum for UK Customers.
2.3.2 We will not, and will make sure that none of our Affiliates or contractors, transfer, access or use EU or UK Personal Data in a Relevant Country other than in compliance with the terms of this DPA and the Standard Contractual Clauses (as amended by the UK Addendum, where applicable). You agree to authorise the international transfers in application of Schedule 3, and the parties agree to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this DPA, with you as the ‘data exporter’ and us as the ‘data importer’, with the parties’ signature and dating of the Agreement being deemed to be the signature and dating of the Standard Contractual Clauses, and with the Annexes and/or Appendices to the Standard Contractual Clauses being as set out in Schedule 3 to this DPA.
| International data transfers out of the EEA, UK and/or Switzerland | Obligations |
| --- | --- |
| Customer (as Controller) to Employment Hero Affiliate (EEA and/or Switzerland to Relevant Countries) | If we (acting as a Processor) are based outside the EEA, United Kingdom and/or Switzerland, and a transfer of Customer Personal Data is made by you out of the EEA, United Kingdom and/or Switzerland to our Affiliates located in Relevant Countries, this transfer will be governed by Module Two (Controller-to-Processor) of the Standard Contractual Clauses, if you act as a Controller. |
| Customer (as Processor) to Employment Hero Affiliate (EEA and/or Switzerland to Relevant Countries) | If we (acting as a Processor) are based outside the EEA, United Kingdom and/or Switzerland, and a transfer of Customer Personal Data is made by you out of the EEA, United Kingdom and/or Switzerland to our Affiliates located in Relevant Countries, this transfer will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses, if you act as a Processor. |
| Customer to Employment Hero Affiliate (United Kingdom to Relevant Countries) | Transfers of Customer Personal Data out of the United Kingdom to our Affiliates (acting as sub-processors) located in Relevant Countries will be governed by the applicable Module of the Standard Contractual Clauses as described in the two rows above (as amended by the UK Addendum). |
| Employment Hero to Employment Hero Affiliate (United Kingdom to Relevant Countries) | If we (acting as a Processor) are based within the United Kingdom, transfers of Customer Personal Data out of the United Kingdom to our Affiliates (acting as sub-processors) located in Relevant Countries will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses as amended by the UK Addendum. |
| Employment Hero to Employment Hero Affiliate (EEA and/or Switzerland to Relevant Countries) | If we (acting as a Processor) are based within the EEA and/or Switzerland, transfers of Customer Personal Data out of the EEA and/or Switzerland to our Affiliates (acting as sub-processors) located in Relevant Countries will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses. |
| Employment Hero to Sub-Processor | Transfers of Customer Personal Data out of the EEA, United Kingdom and/or Switzerland to our third-party Sub-Processors will be governed by data processing agreements, incorporating the Standard Contractual Clauses (as amended by the UK Addendum where applicable), that have been executed by us at a global level with the third-party Sub-Processors. |
2.3.3 For the purposes of the EU Standard Contractual Clauses, the following will apply:
a. Clause 9 OPTION 2: where applicable, general written authorisation will be required for the engagement of new Sub-Processors, subject to clause 2.2 of this DPA;
b. Clause 17 (Governing law): the clauses will be governed by the laws of the Republic of Ireland; and
c. Clause 18 (Choice of forum and jurisdiction) the courts of the Republic of Ireland will have jurisdiction.
2.3.4 In the event that you give us consent to transfer Personal Data to a Relevant Country but a relevant European Commission decision or other valid adequacy method under applicable Data Protection Law, on which you have relied in authorising the data transfer, is held to be invalid, or any supervisory authority requires transfers of Personal Data made pursuant to such decision to be suspended, then the parties agree to discuss in good faith and facilitate use of an alternative transfer mechanism.
2.3.5 For transfers of Customer Personal Data out of countries other than the EEA, United Kingdom and/or Switzerland, we will meet our obligations under Applicable Law when carrying out these transfers.
2.4 Security incident
2.4.1 We will notify you in writing (including via email), without undue delay, if we become aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data processed by us (‘Security Incident’) that requires notice under Applicable Law. We will take steps, within reasonable timescales, to remedy the Security Incident and provide further information to you as may be reasonably required.
2.4.2 We will make reasonable efforts to identify the cause of any Security Incident and take steps as we deem necessary and reasonable to remediate the cause of the Security Incident to the extent the remediation is within our reasonable control.
2.4.3 Our assistance under this clause which exceeds any obligations set out by Applicable Law will be chargeable, as incurred, at our current rates unless you demonstrate that that assistance is required because of a failure by us to comply with our obligations under this DPA.
2.4.4 The obligations under this clause will not apply to Security Incidents that are caused by you or your personnel.
2.5 Audits and inspections
2.5.1 To the extent required by Applicable Law, and upon written request from you at reasonable intervals and at your cost and expense, we will audit the security of the processes and computing environment that we use in handling Customer Personal Data. This audit will be performed no more than once annually and may be performed by independent third-party security professionals chosen by us (in which case such choice is made at our expense). If we have recently carried out such an audit for another customer, or undergone any type of audit that would provide the relevant information needed by you, we will provide you with a summary of those recent audit results.
2.5.2 We will respond, no more frequently than annually, to any reasonable security questionnaire provided by you which seeks to assist your assessment of our compliance with the security obligations under this DPA and which may be applicable to the Services. The responses to these questionnaires and any supporting evidence provided by us will be considered confidential information.
2.5.3 If you want to change this instruction regarding the exercise of audit rights or the provision of information to demonstrate compliance with Article 28 of the GDPR, you have the right to change this instruction to the extent required to ensure compliance. Such a change must be requested in writing via email to privacy@employmenthero.com, and we will have no obligation to provide commercially confidential information.
2.6 Return or deletion of Personal Data
2.6.1 At the end of the Services, at your written request, we will securely destroy Customer Personal Data or return it to you, and delete existing copies, unless Applicable Law requires storage of such Customer Personal Data.
2.6.2 We will provide a written certification of deletion of your Customer Personal Data if you request it in writing via email to privacy@employmenthero.com, and provided that you have a right to receive a certification of deletion under Applicable Law.
2.7 Limitation on liability
2.7.1 The parties acknowledge and agree that our total aggregate liability, together with our Affiliates, arising out of or in relation to this DPA is subject to the liability sections of the Agreement (namely the applicable sections of the Employment Hero Platform Terms and Conditions and/or any other specified terms and conditions of an Agreement entered into between you and us).
2.7.2 We and our Affiliates’ total liability for all claims from you and all of your affiliates arising out of or in relation to the Agreement and the DPA, will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by you and your Affiliates, and will not be understood to apply individually and severally to you and/or to any of your affiliates that is a contractual party to any such DPA.
2.8 Other general terms
2.8.1 Conflict: In the event of any conflict or inconsistency between the body of this DPA and any of its Schedules (not including the specifications of the Standard Contractual Clauses) and the Standard Contractual Clauses specified in Schedule 3, the Standard Contractual Clauses will prevail (unless this would result in the invalidity of this DPA under Data Protection Law, in which case the relevant term(s) of this DPA will prevail).
2.8.2 Changes to this DPA: We reserve the right to make any updates or changes to this DPA to reflect changes in our Services, information practices, operational requirements, or changes to laws and regulations. You should periodically review this DPA to see any amendments that have been made. If we make any significant changes to this DPA, we may provide notice to you via email or by other means of communication like in-platform or in-app notifications.
Schedule 1
Data Processing Information
Nature and purpose of processing operations
The nature of processing is the collection, recording, organisation, storage, adaptation, use, disclosure, or transfer of Customer Personal Data.
The Customer Personal Data will be processed for the purpose of providing, and further improving the Services provided by us. This primarily includes the provision of:
- Employment Hero HR and Payroll platform;
- Managed Payroll services;
- Applicant Tracking System; and
- Global Teams Employer of Record services (if we act as a Processor).
Categories of data subject
You (the Customer), Users and other persons authorised by the Customer to use the Services provided by us and our Affiliates.
Categories of data
This data primarily includes data relevant for processing carried out in the provision of the Services including:
| Categories of Personal Data | |
| --- | --- |
| Customers | |
| Users | |
| Special Categories of Personal Data | |
Duration of Processing
We will process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by Applicable Law).
Schedule 2
Technical and Organisational Measures
The Technical and Organisational Measures are detailed in our Security Centre and Security Portal.
The measures identified in these pages may be updated by us from time to time in accordance with clause 2.1.4(d).
Schedule 3
Annexes to the EU Standard Contractual Clauses and Appendices to the UK Addendum
Annex I/ Appendix 1:
A: List of parties
Data exporter:
Name: Customer
Activities relevant to the data transferred under these Clauses: Provision of the Services, all data processing categorised as ‘C2P’ where the Controller is located inside, and the Processor is located outside the EU/EEA or the UK.
Role (controller/processor): controller
Data importer:
Name: Employment Hero
Address: Set forth in the applicable Customer Services Agreement
Contact email: privacy@employmenthero.com
Activities relevant to the data transferred under these clauses: Provision of the Services and all data processing categorised as ‘C2P’, where the Controller is located inside, and the Processor is located outside the EU/EEA or the UK.
Role (controller/processor): processor
B: Description of transfers
MODULE TWO: CONTROLLER TO PROCESSOR
Nature of Processing: See Schedule 1 above.
Purpose of Processing: See Schedule 1 above.
Categories of Data Subjects: See Schedule 1 above.
Categories of Personal data Transferred: See Schedule 1 above.
Sensitive data transferred (if applicable): See Schedule 1 above.
Frequency of transfer: Continuous.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU standard contractual clauses only): in accordance with relevant data retention/deletion obligations.
For transfers to sub-processors, the subject matter, nature and duration of the processing (EU standard contractual clauses only): As set out in Schedule 1.
C: Competent supervisory authority
Irish Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
Republic of Ireland
D02 RD28
Annex II/ Appendix 2: Technical and organisational measures
Data importer has implemented and will maintain appropriate technical and organisational measures to protect Customer Personal Data (as defined in the DPA) against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, Personal Data. The measures described in Schedule 2 of the DPA are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.
Annex III of the EU Standard Contractual Clauses
List of Sub-Processors
You can find a list of all Employment Hero Sub-Processors here.
List of Employment Hero Affiliates
You can find a list of all Employment Hero Affiliates here.