Data Processing Addendum

Version dated 23/12/2023

In this Data Processing Addendum, ‘we’, ‘us’, ‘our’, ‘SlaveCheck’ refers to SlaveCheck Pty Ltd ACN 634 863 433, and ‘you’, ‘your’ refers to a SlaveCheck Customer (as defined in the General Terms and Conditions).

This Data Processing Addendum sets out the terms and conditions with regard to the Processing of SlaveCheck Personal Data (as defined below) by us.

By submitting a signed offer for SlaveCheck products and/or services, clicking “I Agree” (or similar), or using a SlaveCheck product, you acknowledge that you have read and agree to this data processing addendum, the website terms, the general terms and conditions and the privacy policy.

1. Definitions and Interpretation

1.1 For a definition of any terms used in this Data Processing Addendum but not defined below, refer to the General Terms and Conditions.

Contracted Processor means us or a Subprocessor;

Controller has the meaning given to it under the GDPR;

Data Breach is a personal data breach within the meaning of Article 4.12 of the GDPR;

Data Protection Laws means any applicable data protection or privacy laws of any country, including the GDPR;

Data Subject is the person to whom SlaveCheck Personal Data pertains;

GDPR means The General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the Data Protection Act 2018 (UK);

Informant means any person who uses SlaveCheck to record or provide any information that might be used to evidence a known or suspected modern slavery situation that involves themselves or others

Parties means us (SlaveCheck Pty Ltd ACN 634 863 433) and you (the Customer);

Processing is any activity or combination of activities involving Personal Data, in any event including the collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or any other form of supplying, compiling, linking, as well as safeguarding, deleting or destroying of data (“Process”, “Processes” and “Processed” shall have the same meaning);

Subprocessor means any person (including any third party, but excluding our employees, contractors or advisors) appointed by us or on our behalf to Process SlaveCheck Personal Data;

SlaveCheck Personal Data is any Personal Data regarding an identified or identifiable natural person, which are or will be Processed by us in any way whatsoever in the context of the use of SlaveCheck by you, any of your organisations, staff members or Informants authorised or deemed to be authorised by you to use SlaveCheck.

1.2 The interpretation provisions contained in the General Terms and Conditions apply to this Data Processing Addendum.

2. Processing of SlaveCheck Personal Data

2.1 Role of the parties

The parties acknowledge and agree that with regard to the Processing of SlaveCheck Personal Data:

(a) you (the Customer) are the Controller;

(b) we are the Processor;

(d) Users, staff members and Informants using SlaveCheck and providing SlaveCheck Personal Data are Data Subjects.

2.2 Our obligations

(a) We will comply with the applicable Data Protection Laws in the Processing of SlaveCheck Personal Data.

(b) We will not Process SlaveCheck Personal Data other than on your documented instructions unless Processing is required by the Data Protection Laws to which the relevant Contracted Processor is subject, in which case to the extent permitted by law, we will inform you of that legal requirement before the relevant Processing of that SlaveCheck Personal Data (to the extent required by applicable laws).

(c) We will only Process SlaveCheck Personal Data to the extent necessary to provide SlaveCheck and any related services to you, your organisations, your staff members and your Informants in accordance with the Agreement.

(d) We will, as soon as reasonably practicable, inform you of any changes to SlaveCheck or our products and/or services, so that you may monitor compliance between these new arrangements and Data Protection Laws but only to the extent such changes will, in SlaveCheck’s reasonable opinion, have the effect or likely effect of impacting your instructions under clause 2.2(b).

(e) Annexure 1 to this Data Processing Addendum sets out certain information regarding our Processing of the SlaveCheck Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Nothing in Annexure 1 (including as amended pursuant to this clause 2.2) confers any right or imposes any obligation on any party to this Data Processing Addendum.

2.3 Your obligations

(a) You, as the Customer and on behalf of each of your organisations, staff members or Informants authorised or deemed to be authorised by you to use SlaveCheck, instruct us (and authorise us to instruct each Subprocessor) to Process SlaveCheck Personal Data.

(b) You warrant and represent that you are and will at all relevant times remain duly and effectively authorised to give the instructions set out in clause 2.3(a) on behalf of each of your organisations, staff members or Informants authorised or deemed to be authorised by you to use SlaveCheck.

(c) You must, in your use of SlaveCheck, Process and otherwise deal with SlaveCheck Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, your instructions for the Processing of SlaveCheck Personal Data must comply with Data Protection Laws.

(d) You have sole responsibility for the accuracy, quality, and legality of SlaveCheck Personal Data and the means by which SlaveCheck Personal Data is collected.

3. Use of Subprocessors

3.1 You authorise us to appoint (and permit each Subprocessor appointed in accordance with this clause 3 to appoint) Subprocessors in accordance with this clause 3.

3.2 We may continue to use those Subprocessors already engaged by us as at the date of this Addendum, subject to us in each case as soon as practicable meeting the obligations set out in clause 3.4.

3.3 We will give you prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 5 days of receipt of that notice, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we will not appoint (or disclose any SlaveCheck Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by you and you have been provided with a reasonable written explanation of the steps taken.

3.4 With respect to each Subprocessor, we will ensure that the arrangement between us and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for SlaveCheck Personal Data as those set out in this Data Processing Addendum and meet the requirements of article 28(3) of the GDPR.

3.5 We will ensure that each Subprocessor performs the obligations under this Data Processing Addendum, as they apply to Processing of SlaveCheck Personal Data carried out by that Subprocessor, as if it were party to this Data Processing Addendum in our place.

4. Security

4.1 We will implement appropriate technical and organisational measures in accordance with Data Protection Laws to secure SlaveCheck Personal Data against loss or any form of unlawful Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.2 To the extent required by Data Protection Laws, we will record the measures in writing and will ensure that the security as referred to in this clause meet the security requirements under the GDPR.

4.3 On request, we shall, as soon as reasonably practicable, provide you with all reasonable information relating to the security of SlaveCheck Personal Data.

5. Data and Security Breaches

5.1 We will notify you (and any other party if required by law) as soon as reasonably practicable upon us or any Subprocessor becoming aware of a Personal Data Breach affecting SlaveCheck Personal Data, providing you with sufficient information as requested by you to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

5.2 We will co-operate with you and take such reasonable steps as required under applicable Data Protection Laws and/or as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

6. Data Subject Rights

6.1 We will, to the extent permitted by the Data Protection Laws, promptly notify you if we receive a request from a Data Subject under any Data Protection Laws in respect of SlaveCheck Personal Data, including any request to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (Data Subject Request).

6.2 Taking into account the nature of the Processing, we will assist you by taking appropriate technical and organisational measures, insofar as this is possible, to assist you to perform your obligation to respond to a Data Subject Request under any Data Protection Laws.

6.3 To the extent that you do not have the ability to address a Data Subject Request, we will, upon your request, provide reasonable efforts to assist you in responding to such Data Subject Request, to the extent we are permitted to do so under the Data Protection Laws and the response to such Data Subject Request is required under the Data Protection Laws.

6.4 To the extent permitted by law, the Customer will be responsible for any costs arising from our assistance.

7. Data Protection Impact Assessment and Prior Consultation

We will provide you with reasonable assistance with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required of you by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of SlaveCheck Personal Data by, and taking into account the nature of the Processing and information available to the Contracted Processors.

8. Retention of Data

8.1 We will retain SlaveCheck Personal Data only to the extent and for such period as required by law and always provided that we will use our reasonable endeavours to ensure the confidentiality of all such SlaveCheck Personal Data and to ensure that such SlaveCheck Personal Data is only retained as necessary for the purpose(s) specified in the laws requiring its storage and for no other purpose.

8.2 We will not retain SlaveCheck Personal Data made available to us any longer than is necessary:

(a) for the performance of the Agreement; or

(b) to comply with any of our obligations at law.

9. Audit

9.1 Subject to clauses 9.4 to 9.7, to the extent required by Data Protection Laws, we will allow for and contribute to audits, including inspections, by you or an auditor authorised by you in relation to the Processing of the SlaveCheck Personal Data by us.

9.2 You must give us at least 30 days’ written notice of any audit or inspection to be conducted under clause 9.3 and you must make (and ensure that each of your mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to our premises, equipment, personnel and business while your personnel are on those premises in the course of such an audit or inspection.

We do need not to give access to any of our premises for the purposes of such an audit or inspection:

(a) to any individual unless he or she produces reasonable evidence of identity and authority;

(b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and you have given notice to us that this is the case before attendance outside those hours begins; or

(c) for the purposes of more than one audit or inspection, in any calendar year, except for any additional audits or inspections:

(i) where a previous audit has shown that we have failed to comply with this Data Processing Addendum; or

(ii) which you are required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory where you have identified its concerns or the relevant requirement or request in your notice to us of the audit or inspection.

9.3 The costs of any audit conducted under this clause 9 will be borne by you.

9.4 If it is established during an audit that we have failed to comply with this Data Processing Addendum, we will take all reasonably necessary measures to ensure compliance in the future.

10. Local Processing

Data Processor may not transfer or authorize the transfer of SlaveCheck Personal Data to countries outside the EU and/or the UK without your prior written consent. If SlaveCheck Personal Data Processed under the Agreement is transferred from a country within the EU and/or UK to a country outside the EU and/or UK, the parties shall ensure that the SlaveCheck Personal Data is adequately protected. To achieve this, the parties shall, unless agreed otherwise, rely on approved standard contractual clauses for the transfer of SlaveCheck Personal Data.

11. Requests to investigate

11.1 If we receive a request or order from a Supervisory Authority, Government Agency or investigation, prosecution or national security agency to provide access to Personal Data, we will notify you as soon as reasonably practicable (to the extent permitted by law).

11.2 When handling the request or order, we will (to extent permitted by the Data Protection Laws) comply with your instructions and cooperate with you, as reasonably required.

12. Informing Data Subjects

12.1 We will fully cooperate, in so far as possible, so that you may comply with your legal obligations in the event that a Data Subject exercises its rights under the GDPR or other applicable Data Protection Laws.

12.2 If a Data Subject contacts us directly in relation to any matter under any Data Protection Laws, we will advise them to address any such request to the Controller, with a request for further instructions.

12.3 Our privacy policy available at https://www.slavecheck.com/privacy-policy and to all Data Subjects upon request, includes the following information:

(a) our name and address;

(b) the purposes for which SlaveCheck Personal Data are processed by us;

(d) any third party to whom SlaveCheck Personal Data are made accessible to;

(e) the countries where SlaveCheck Personal Data are collected and Processed;

(f) the Data Subject’s rights to access, correct and delete Personal Data.

13. Limitation of Liability

To the extent permitted by law, our Liability under this Data Processing Addendum is subject to the ‘Limitation of Liability’ provisions of the Agreement, and any reference in such provisions to our Liability means our aggregate Liability under the Agreement and the Data Processing Addendum together.

14. Duration and Termination

14.1 Subject to any surviving rights and obligations, this Data Processing Addendum will automatically terminate upon termination of the Agreement.

14.2 Provisions which, by their nature, are intended to continue to apply after termination of this Data Processing Addendum, will continue to apply after termination of this Data Processing Addendum. These include provisions concerning confidentiality, indemnity and limitation of Liability, and applicable law.

15. General Terms

This Data Processing Addendum is governed by the laws that govern the Agreement. Any dispute arising in connection with this Data Processing Addendum will be submitted to the non-exclusive jurisdiction of the courts that have jurisdiction in the Agreement.

Annexure 1 – Details of Processing of SlaveCheck Personal Data

This Annexure 1 includes certain details of the Processing of SlaveCheck Personal Data as required by Article 28(3) GDPR.

Subject matter, nature, purpose and duration of the Processing of SlaveCheck Personal Data

The subject matter, nature, purpose and duration of the Processing of the SlaveCheck Personal Data are set out in the Agreement.

The types of SlaveCheck Personal Data to be Processed

The Customer may submit SlaveCheck Personal Data to SlaveCheck, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include the following categories of Personal Data:

First and last name
Title
Position
Employer
Contact information (company, email, phone, physical business address)
Professional life data
Personal life data
Connection data
Localisation data

The categories of Data Subject to whom the SlaveCheck Personal Data relates

The Customer may submit SlaveCheck Personal Data to SlaveCheck, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

(a) employees, agents, contractors and advisors of the Customer (who are natural persons); and

(b) other Users authorised or deemed to be authorised by the Customer to use SlaveCheck.

The obligations and rights of the Customer

The obligations and rights of the Customer are set out in the Agreement.

– ENDS –