Data Processing Addendum
Version dated 30/03/2022
In this Data Processing Addendum, ‘we’, ‘us’, ‘our’ refer to SlaveCheck Pty Ltd ACN 634 863 433, and ‘you’, ‘your’ refer to a SlaveCheck User.
This Data Processing Addendum sets out the terms and conditions with regard to the Processing of SlaveCheck Personal Data by us.
1. Definitions and Interpretation
1.1 For a definition of any terms used in this Data Processing Addendum but not defined below, refer to the General Terms and Conditions.
Contracted Processor means us or a Subprocessor;
Data Breach is a security breach within the meaning of Article 4.12 of the GDPR;
Data Protection Laws means any applicable data protection or privacy laws of any country, and includes EU Data Protection Laws;
Data Subject is the person to whom SlaveCheck Personal Data pertains;
EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
GDPR means The General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Informant means any person who uses SlaveCheck to record or provide any information that might be used to evidence a known or suspected modern slavery situation that involves themselves or others;
Parties means us (SlaveCheck Pty Ltd ACN 634 863 433) and you (the SlaveCheck Client);
Processing is any activity or combination of activities involving Personal Data, in any event including the collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or any other form of supplying, compiling, linking, as well as safeguarding, deleting or destroying of data (“Process”, “Processes” and “Processed” shall have the same meaning);
Subprocessor means any person (including any Third Party, but excluding our employees, contractors or advisors) appointed by us or on our behalf to Process SlaveCheck Personal Data;
SlaveCheck Client means any identified or identifiable natural person or organisation that accepts and agrees to the Agreement as part of using SlaveCheck as a paid customer or as an unpaid (free) customer;
SlaveCheck Personal Data is any Personal Data regarding an identified or identifiable natural person, which are or will be Processed by us in any way whatsoever in the context of the use of SlaveCheck by you, any of your Organisations, Staff Members or Informants authorised or deemed to be authorised by you to use SlaveCheck; and
1.2 The interpretation provisions contained in the General Terms and Conditions apply to this Data Processing Addendum.
2. Processing of SlaveCheck Personal Data
2.1 Role of the parties
The parties acknowledge and agree that with regard to the Processing of SlaveCheck Personal Data:
(a) you (the SlaveCheck Client) are the Controller;
(b) we are the Processor;
(c) we may engage Subprocessors in accordance with clause 3 of this Data Processing Addendum;
(d) Users, Staff Members and Informants using SlaveCheck and providing SlaveCheck Personal Data are Data Subjects.
2.2 Our obligations
(a) We will comply with the applicable Data Protection Laws in the Processing of SlaveCheck Personal Data.
(b) We will not Process SlaveCheck Personal Data other than on your documented instructions unless Processing is required by the Data Protection Laws to which the relevant Contracted Processor is subject, in which case to the extent permitted by law, we will inform you of that legal requirement before the relevant Processing of that SlaveCheck Personal Data.
(c) We will only Process SlaveCheck Personal Data to the extent necessary to provide SlaveCheck and any related services to you, your Organisations, your Staff Members and your Informants in accordance with the Agreement.
(d) We will only process SlaveCheck Personal Data on and in accordance with your instructions. We will not process SlaveCheck Personal Data for our own benefit, for the benefit of any Third Party, or for our own purposes or advertising purposes or other purposes, unless required by any Data Protection Laws.
(e) We will immediately inform you regarding any changes to SlaveCheck or the performance of our services, so that you may monitor compliance between these new arrangements and Data Protection Laws.
(f) Annexure 1 to this Data Processing Addendum sets out certain information regarding our Processing of the SlaveCheck Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Nothing in Annexure 1 (including as amended pursuant to this clause 2.2) confers any right or imposes any obligation on any party to this Data Processing Addendum.
2.3 Your obligations
(a) You, as the SlaveCheck Client and on behalf of each of your Organisations, Staff Members or Informants authorised or deemed to be authorised by you to use SlaveCheck, instruct us (and authorise us to instruct each Subprocessor) to Process SlaveCheck Personal Data.
(b) You warrant and represent that you are and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 2.3(a) on behalf of each of your Organisations, Staff Members or Informants authorised or deemed to be authorised by you to use SlaveCheck.
(c) You must, in your use of SlaveCheck, Process and otherwise deal with SlaveCheck Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, your instructions for the Processing of SlaveCheck Personal Data must comply with Data Protection Laws.
(d) You have sole responsibility for the accuracy, quality, and legality of SlaveCheck Personal Data and the means by which SlaveCheck Personal Data are collected.
3. Use of Subprocessors
3.1 You authorise us to appoint (and permit each Subprocessor appointed in accordance with this clause 3 to appoint) Subprocessors in accordance with this clause 3.
3.2 We may continue to use those Subprocessors already engaged by us as at the date of this Addendum, subject to us in each case as soon as practicable meeting the obligations set out in clause 3.4.
3.3 We will give you prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 5 days of receipt of that notice, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we will not appoint (or disclose any SlaveCheck Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by you and you have been provided with a reasonable written explanation of the steps taken.
3.4 With respect to each Subprocessor, we will:
(a) before the Subprocessor first Processes SlaveCheck Personal Data (or, where relevant, in accordance with clause 3.3), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for SlaveCheck Personal Data required by the General Terms and Conditions;
(b) ensure that the arrangement between us and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for SlaveCheck Personal Data as those set out in this Data Processing Addendum and meet the requirements of article 28(3) of the GDPR; and
(c) provide you for review such copies of the Contracted Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Data Processing Addendum) as you may request from time to time.
3.5 We will ensure that each Subprocessor performs the obligations under this Data Processing Addendum, as they apply to Processing of SlaveCheck Personal Data carried out by that Subprocessor, as if it were party to this Data Processing Addendum in our place.
4.1 We will implement appropriate technical and organisational measures to secure SlaveCheck Personal Data against loss or any form of unlawful Processing.
4.2 Taking into account the state of the art and the costs of their implementation, these measures guarantee an appropriate security level given the risks associated with Processing and the nature of the SlaveCheck Personal Data to be protected. The measures are, in part, aimed at preventing unnecessary collection and further Processing.
4.3 We will record the measures in writing and will ensure that the security as referred to in this clause meets the security requirements under the GDPR.
4.4 On request, we shall immediately provide you with all reasonable information relating to the security of SlaveCheck Personal Data.
5. Data and Security Breaches
5.1 We will notify you (and any other party if required by law) without undue delay upon us or any Subprocessor becoming aware of a Personal Data Breach affecting SlaveCheck Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
5.2 We will co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
6. Data Subject Rights
6.1 We will, to the extent permitted by the Data Protection Laws, promptly notify you if we receive a request from a Data Subject under any Data Protection Laws in respect of SlaveCheck Personal Data, including any request to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, right to object to the Processing, or right not to be subject to automated individual decision making (Data Subject Request).
6.2 Taking into account the nature of the Processing, we will assist you by taking appropriate technical and organisational measures, insofar as this is possible, to assist you to perform your obligation to respond to a Data Subject Request under any Data Protection Laws.
6.3 To the extent that you do not have the ability to address a Data Subject Request, we will, upon your request, provide commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent we are permitted to do so under the Data Protection Laws and the response to such Data Subject Request is required under the Data Protection Laws.
6.4 To the extent permitted by law, the SlaveCheck Client will be responsible for any costs arising from our assistance.
7. Data Protection Impact Assessment and Prior Consultation
We will provide you with commercially reasonable assistance with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required of you by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of SlaveCheck Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
8. Retention of Data
8.1 We will retain SlaveCheck Personal Data to the extent required by law and only to the extent and for such period as required by law and always provided that we will use our reasonable endeavours to ensure the confidentiality of all such SlaveCheck Personal Data and to ensure that such SlaveCheck Personal Data is only retained as necessary for the purpose(s) specified in the laws requiring its storage and for no other purpose.
8.2 We will not retain SlaveCheck Personal Data made available to us any longer than is necessary:
(a) for the performance of the Agreement; or
(b) to comply with any of our obligations at law.
9.1 Subject to clauses 9.4 to 9.7, we will allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the Processing of the SlaveCheck Personal Data by the Contracted Processors.
9.2 You must give us reasonable notice of any audit or inspection to be conducted under clause 9.3 and you must make (and ensure that each of your mandated auditors makes) reasonable endeavours to avoid causing (or, if you cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business while your personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of identity and authority;
(b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and you have given notice to us that this is the case before attendance outside those hours begins; or
(c) for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any additional audits or inspections which:
(i) you reasonably consider necessary because of genuine concerns as to our compliance with this Addendum; or
(ii) you are required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,
where you have identified your concerns or the relevant requirement or request in your notice to us of the audit or inspection.
9.3 The costs of the audit upon request under clause 9.3 will be borne by you.
9.4 If it is established during an audit that we have failed to comply with this Data Processing Addendum, we will take all reasonably necessary measures to ensure compliance in the future.
10. Local Processing
All Processing of Personal Data in connection with SlaveCheck or any related services performed by us or on our behalf, including any Third Parties engaged by us, will take place within countries that guarantee an appropriate level of protection in accordance with the Data Protection Laws.
11. Requests to investigate
11.1 If we receive a request or order from a Supervisory Authority, Government Agency or investigation, prosecution or national security agency to provide (access to) Personal Data, we will immediately notify you.
11.2 When handling the request or order, we will (to the extent permitted by the Data Protection Laws) comply with your instructions and cooperate with you, as reasonably required.
12. Informing Data Subjects
12.1 We will fully cooperate, in so far as possible, so that you may comply with your legal obligations in the event that a Data Subject exercises its rights under the GDPR or other applicable Data Protection Laws.
12.2 If a Data Subject contacts us directly in relation to any matter under any Data Protection Laws, we will advise them to address any such request to the Controller, with a request for further instructions.
(a) our name and address;
(b) the purposes for which Personal Data are processed by us;
(c) the categories of Personal Data processed by us;
(d) any Third Party to whom Personal Data are made accessible;
(e) the countries where Personal Data are collected and Processed;
(f) the Data Subject’s rights to access, correct and delete Personal Data.
13. Limitation of Liability
To the extent permitted by law, our Liability under this Data Processing Addendum is subject to the ‘Limitation of Liability’ provisions of the Agreement, and any reference in such provisions to our Liability means our aggregate Liability under the Agreement and the Data Processing Addendum together.
14. Change to SlaveCheck Personal Data
14.1 If a change in SlaveCheck Personal Data to be Processed or a risk analysis of the Processing of SlaveCheck Personal Data gives reason to do so, upon your first request, we will consult with you on amending the arrangements made in the Data Processing Addendum.
14.2 The arrangements to be newly made must be recorded in writing and form part of the Data Processing Addendum prior to their application.
14.3 The changes can never have the effect that you cannot comply with the Data Protection Laws.
15. Duration and Termination
15.1 Subject to any surviving rights and obligations, this Data Processing Addendum will automatically terminate upon termination of the Agreement.
15.2 In the event of termination of the Agreement for any reason, we will assist you (at your cost, which shall not exceed the reasonable cost incurred by us) to ensure that all or part of the SlaveCheck Personal Data made available for you, by you or on your behalf in the context of SlaveCheck (as determined by you), is either destroyed, returned to you or the Data Subjects, or made available to another service provider, as required by you and to the extent permitted by law.
15.3 Provisions which, by their nature, are intended to continue to apply after termination of this Data Processing Addendum, will continue to apply after termination of this Data Processing Addendum. These include provisions concerning confidentiality, indemnity and limitation of Liability, and applicable law.
We have appointed a Privacy and Data Protection Officer. Please contact the appointed person in the first instance by email at [email protected], or by post to:
The Privacy and Data Protection Officer
SlaveCheck Pty Ltd
43 Figtree Avenue,
Randwick NSW 2031
Annexure 1 – Details of Processing of SlaveCheck Personal Data
This Annexure 1 includes certain details of the Processing of SlaveCheck Personal Data as required by Article 28(3) GDPR.
Subject matter, nature, purpose and duration of the Processing of SlaveCheck Personal Data
The subject matter, nature, purpose and duration of the Processing of the SlaveCheck Personal Data are set out in the Agreement.
The types of SlaveCheck Personal Data to be Processed
The SlaveCheck Client may submit SlaveCheck Personal Data to SlaveCheck, the extent of which is determined and controlled by the SlaveCheck Client in its sole discretion, and which may include the following categories of Personal Data:
First and last name
Contact information (company, email, phone, physical business address)
Professional life data
Personal life data
The categories of Data Subject to whom the SlaveCheck Personal Data relates
The SlaveCheck Client may submit SlaveCheck Personal Data to SlaveCheck, the extent of which is determined and controlled by the SlaveCheck Client in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
(a) employees, agents, contractors and advisors of the SlaveCheck Client (who are natural persons); and
(b) other Users authorised or deemed to be authorised by the SlaveCheck Client to use SlaveCheck.
The obligations and rights of the SlaveCheck Client
The obligations and rights of the SlaveCheck Client are set out in the Agreement.
– ENDS –