Data Processing Addendum
Last updated 30/09/2022
1 Application of this addendum
1.1 This Data Processing Addendum, including its Schedules (Addendum), applies if the Processing (as defined below) of Data is governed by the GDPR (as defined below) or the equivalent laws of the United Kingdom.
1.2 If this Addendum applies, this Addendum forms part of the Agreement and sets out the parties’ agreement in relation to the processing of Data in accordance with the requirements of European Union and United Kingdom data protection laws and regulations.
1.3 The Supplier is located in New Zealand, which the European Commission has determined provides adequate protection for the purposes of Article 45 of the GDPR and which is also deemed to provide adequate protection for the purposes of the equivalent laws of the United Kingdom.
2 Interpretation
2.1 Unless the context requires otherwise:
a. capitalised terms used, but not defined, in this Addendum will have the meanings given to them in the Applicable Data Protection Laws (or, if not defined in the Applicable Data Protection Laws, the Agreement);
b. the rules of interpretation set out in the Agreement apply to this Addendum; and
c. references to clauses are references to the clauses in this Addendum.
2.2 In this Addendum:
Applicable Data Protection Laws means EU/UK Data Protection Laws and any applicable data protection or privacy laws of any other country
EEA means the European Economic Area
EU/UK Data Protection Laws means all laws and regulations, including laws and regulations of the European Union, its member states and the United Kingdom, that apply to the Processing of Personal Data under the Agreement, including (where applicable) the GDPR and the equivalent laws of the United Kingdom
Instruction means the instructions set out in clause 3.4 or agreed under clause 3.5
Personal Data means all Data which is personal data, personally identifiable information or personal information under Applicable Data Protection Laws (as applicable under those laws)
Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Process has a consistent meaning
Sub-Processor means any person appointed by the Supplier or on its behalf to Process Personal Data on the Client’s behalf in connection with the Agreement.
2.3 If there is any conflict between any of the following, they will have precedence in the descending order of priority set out below:
a. this Addendum; and
b. the Agreement.
3 Processing of Personal Data
3.1 With respect to the Processing of Personal Data under the Agreement:
a. the Client acts as the Data Controller;
b. the Supplier acts as the Data Processor; and
c. subject to clause 6, the Supplier may engage the Sub-Processors listed in Schedule 2.
3.2 The Supplier will comply with all Applicable Data Protection Laws that apply to its Processing of Personal Data on the Client’s behalf, including all EU/UK Data Protection Laws that apply to Data Processors.
3.3 The Client must, when using the Services, comply with all Applicable Data Protection Laws that apply to its Processing of Personal Data, including all EU/UK Data Protection Laws that apply to Data Controllers.
3.4 The Client instructs the Supplier to Process Personal Data and in particular, subject to clause 6, transfer Personal Data to any country or territory:
a. as reasonably necessary to provide the Services in accordance with the Agreement;
b. as initiated through the use of the Services by the Client, its Personnel and other end users the Client allows to use the Services; and
c. to comply with any further instruction from the Client (including by email or through the Supplier’s support channels) that is consistent with the Agreement and this Addendum.
3.5 This Addendum and the Agreement are the Client’s complete and final instructions for the Processing of Personal Data as at the time this Addendum takes effect. Any additional or alternate instructions must be agreed between the parties separately in writing.
3.6 The Supplier will not Process Personal Data other than on the Client’s Instructions unless required by any law to which the Supplier is subject, in which case the Supplier will to the extent permitted by applicable law inform the Client of that legal requirement before the Supplier Processes that Personal Data.
3.7 As required by Article 28(3) of the GDPR (and, if applicable, equivalent requirements of other Applicable Data Protection Laws), the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Addendum are set out in Schedule 1. The Supplier may amend Schedule 1 from time to time on written notice to the Client as the Supplier reasonably considers necessary to meet the requirements of the GDPR (and applicable equivalent requirements of other Applicable Data Protection Laws).
3.8 The duration of Processing is limited to the duration of the Agreement. The Supplier’s obligations in relation to Processing will continue until the Personal Data has been properly deleted or returned to the Client in accordance with clause 11 of this Addendum.
3.9 The Client is solely responsible for ensuring that its Instructions comply with Applicable Data Protection Laws. It is also the Client’s responsibility to enter into data processing agreements with other relevant Data Controllers in order to allow the Supplier and its Sub-Processors to Process Personal Data in accordance with this Addendum.
3.10 If, in the Supplier’s reasonable opinion, an Instruction infringes Applicable Data Protection Laws, the Supplier will notify the Client as soon as reasonably practicable.
4 Data Subject Requests
4.1 To the extent permitted by law, the Supplier will notify the Client promptly if it receives a request from a Data Subject to exercise the Data Subject’s rights under Applicable Data Protection Laws relating to any Personal Data (Data Subject Request).
4.2 Taking into account the nature of the Processing, the Supplier will assist the Client by implementing appropriate technical and organisational measures, to the extent possible, to fulfil the Client’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws.
4.3 To the extent the Client does not have the ability to address a Data Subject Request, the Supplier will, on the Client’s written request, provide reasonable assistance in accordance with Applicable Data Protection Laws to facilitate that Data Subject Request. The Client will reimburse the Supplier for the costs arising from this assistance.
4.4 The Supplier will not respond to a Data Subject Request except on the Client’s written request or if required by applicable law.
5 Supplier Personnel
5.1 The Supplier will:
a. take reasonable steps to ensure the reliability of any of its Personnel engaged in the Processing of Personal Data;
b. ensure that access to Personal Data is limited to its Personnel who require that access as strictly necessary for the purposes of exercising its rights and performing its obligations under the Agreement;
c. ensure that its Personnel engaged in Processing Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
d. ensure that its Personnel engaged in Processing Personal Data are informed of the confidential nature of the Personal Data and receive appropriate training on their responsibilities.
5.2 The Supplier has appointed a data protection officer who can be contacted at dataprotectionofficer@tatou.app.
6 Sub-processors
6.1 The Client acknowledges and agrees that the Supplier may engage third party Sub-Processors in connection with the provision of the Services.
6.2 The Supplier has entered into (and will, for any new Sub-Processor, enter into) written agreements with each Sub-Processor containing data protection obligations which offer at least the same level of protection for Personal Data as set out in this Addendum and that meet the requirements of Article 28(3) of the GDPR and equivalent requirements of other Applicable Data Protection Laws, as applicable to the nature of the services provided by that Sub-Processor.
6.3 The Client may request copies of the Supplier’s written agreements with Sub-Processors (which may be redacted to remove confidential information not relevant to this Addendum).
6.4 A list of the current Sub-Processors for the Services, as at the date stated, is set out in Schedule 2. The Supplier may update the list of Sub-Processors from time to time and, subject to clause 6.5, the Supplier will give at least 30 days’ written notice of any new Sub-Processor (Change Notice).
6.5 The Supplier may engage Sub-Processors as needed to serve as an Emergency Replacement to maintain and support the Services. Emergency Replacement means a sudden replacement of a Sub-Processor where a change is outside the Supplier’s reasonable control. In this case, the Supplier will inform the Client of the replacement Sub-Processor as soon as reasonably practicable.
6.6 The Client may object to any new Sub-Processor on reasonable grounds by notifying the Supplier within 10 days of receipt of the Supplier’s Change Notice. The Client’s notice of objection to any new Sub-Processor must explain the reasonable grounds for the Client’s objection. The Supplier must discuss the Client’s concerns about the new Sub-Processor with the Client in good faith with a view to resolving the objection to the use of the new Sub-Processor in a commercially reasonable manner. If it is not possible to resolve the objection, and the Supplier does not revoke the Change Notice before the date the Change Notice takes effect, the Client may, despite anything to the contrary in the Agreement, terminate the applicable Services under the Agreement that cannot be provided to the Client without that new Sub-Processor. If the Client does not terminate the relevant Services under the Agreement in accordance with this clause, the Client is deemed to have agreed to the new Sub-Processor.
6.7 The Supplier is liable for the acts and omissions of its Sub-Processors to the same extent the Supplier would be liable if performing the services of each Sub-Processor directly under the terms of this Addendum, except as otherwise set out in this Addendum.
7 Security
The Supplier will maintain technical and organisational measures to protect the confidentiality, integrity and security of Personal Data (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Personal Data), and to manage data security incidents affecting Personal Data, in accordance with Applicable Data Protection Laws.
8 Security Breach Management
8.1 The Supplier will comply with all applicable laws requiring notification to the Client of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data Processed by the Supplier or its Sub-Processors of which the Supplier becomes aware (Breach Incident).
8.2 The Supplier will make reasonable efforts to identify the cause of that Breach Incident, notify the Client in a timely manner to allow the Client to meet its obligations to report a Breach Incident, and take the steps the Supplier considers necessary and reasonable to remediate the cause of the Breach Incident, to the extent remediation is within its reasonable control.
9 Audit and Compliance
Upon the Client’s written request, the Supplier will, at the Client’s cost, submit to the Client’s audits and inspections, and provide the Client all information necessary, to demonstrate that both parties are complying with their respective obligations under Applicable Data Protection Laws (including each party’s respective obligations under Article 28 of the GDPR) and equivalent requirements of other Applicable Data Protection Laws.
10 Data Protection Impact Assessment
Upon the Client’s written request, the Supplier will, at the Client’s cost, provide the Client with reasonable assistance needed to fulfil the Client’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment relating to the Client’s use of the Services, to the extent the Client does not otherwise have access to the relevant information.
11 Return and Deletion of Personal Data
11.1 Subject to clauses 11.2 and 11.3, following termination of the Agreement the Supplier will delete all Personal Data within a reasonable period from termination of the Agreement.
11.2 Subject to clause 11.3, the Client may submit a written request to the Supplier within 10 working days of the termination of the Agreement requiring the Supplier, within 20 working days of the Client’s written request, to:
a. return a complete copy of all Personal Data by secure file transfer in a common format; and
b. delete all other copies of Personal Data Processed by the Supplier or any Sub-Processor.
11.3 The Supplier, or each Sub-Processor, may retain Personal Data to the extent that it is required by applicable laws, provided that the Supplier ensures the confidentiality of all such Personal Data and ensures that such Personal Data is only Processed as necessary for the purposes required under the applicable laws requiring its Processing and for no other purpose.
11.4 If the Supplier cannot delete all Personal Data due to technical reasons, the Supplier will inform the Client as soon as reasonably practicable and will take reasonably necessary steps to:
a. come as close as possible to a complete and permanent deletion of the Personal Data;
b. fully and effectively anonymise the remaining data; and
c. make the remaining Personal Data which is not deleted or effectively anonymised unavailable for future Processing.
12 Changes in Data Protection Laws
12.1 The Supplier may on at least 30 days' written notice to the Client from time to time, make any variations to this Addendum, which the Supplier considers (acting reasonably) are required as a result of any change in, or decision of a competent authority under, Applicable Data Protection Laws, to allow transfers and Processing of Personal Data to continue without breach of Applicable Data Protection Laws.
12.2 If the Client objects to any variation under clause 12.1 on reasonable grounds, the Client may, despite anything to the contrary in the Agreement, terminate the Agreement and its right to access and use the Services without penalty on written notice, provided the Client’s notice of termination is received by the Supplier before the effective date of the Supplier’s notice. If the Client does not terminate the Agreement and its right to access and use the Services in accordance with this clause, the Client is deemed to have agreed to the variation.
13 Limitation of Liability
The liability of each party to the other party under or in connection with this Addendum is subject to the limitations and exclusions set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this Addendum together.
14 General
If any provision of this Addendum is, or becomes unenforceable, illegal or invalid for any reason, the relevant provision is deemed to be varied to the extent necessary to remedy the unenforceability, illegality or invalidity. If variation is not possible, the provision must be treated as severed from this Addendum without affecting any other provisions of this Addendum.
Schedule 1
Details of data processing
Nature and Purpose of Processing
The Supplier will Process Personal Data as necessary to provide the Services in accordance with the Agreement, as further specified in the Supplier’s online documentation relating to the Services, and as further instructed by the Client and its Personnel and other end users the Client allows to use the Services through the use of the Services.
Duration of Processing
Subject to clause 11 of this Addendum, the Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
The Client may submit Personal Data to the Services, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
Employees of the Client
Contractors of the Client who are natural persons
Customers of the Client who are natural persons
Type of Personal Data
The Client may submit Personal Data to the Services, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to, the following categories of personal data:
First name
Last name
Phone number
Email address (work and personal)
Date of birth
Postal address
Medical notes
Emergency contact details
Passport details (including scan copy)
Visa details (including scan copy)
Driver’s licence (including scan copy)
Tax number
Tax code
Employment agreement(s)
Inductions
Training and qualifications
Hourly rates
Joint Agreement To Recruit (New Zealand Recognised Seasonal Employer scheme specific)
VisaView: Scanned file (New Zealand specific)
Schedule 2
List of sub-processors as at 30/09/2022
Amazon Web Services Inc, USA. Cloud infrastructure for the Supplier’s apps and services
Google Inc, USA. Website analytics, application analytics and email
Hubspot Inc, USA. Marketing, sales and service software
Jira Service Desk by Atlassian, Australia. IT service management
Functional Software, Inc. (“Sentry”), USA. Error monitoring software
New Relic Inc., USA. Software performance tracking
AppSignal B.V., Netherlands. Software performance tracking