Data Processing Agreement

CREWGO MANAGER Data Processing Agreement

PARTIES

Crewgo Australia Pty Ltd ABN 31 623 216 713 of Suite 152, 10 Park Road, Hurstville NSW 2220 (“Crewgo Australia”)

The client of Crewgo Australia specified in the agreement into which this Data Processing Agreement is incorporated or to which it is attached (the “Registered User”)

 

RECITALS

  1. Crewgo Australia agrees, or has agreed, to provide, and the Registered User agrees, or has agreed to engage Crewgo Australia, to provide to the Registered User access to the Crewgo Manager Platform (collectively, the “Cloud Services”) under the Terms of Use at www.crewgo.co/terms (the “Main Agreement”).
  2. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“NDB Law”) that came into effect on 22 February 2018 established a Notifiable Data Breaches Scheme that requires, among other things, APP Entities to assess suspected data breaches and notify individuals whose personal information is involved in a data breach that is likely to result in serious harm, and the Australian Information Commissioner. The purpose of this Data Processing Agreement is to outline how Crewgo Australia Pty Ltd and the Registered User will approach actual, potential or suspected data breaches that may occur from time to time with respect to Personal Information ‘held’ by both Crewgo Australia Pty Ltd and the Registered User (“Jointly Held Personal Information”). For the purposes of this Data Processing Agreement, the word ‘held’ (and other forms of that word) has the meaning that ‘held’ is given in the Privacy Act 1988 (Cth) (the “Privacy Act”). Crewgo Australia Pty Ltd’s policy is to investigate and properly address all suspected, actual or potential data breaches involving Jointly Held Personal Information to ensure that Crewgo Australia Pty Ltd’s legal obligations under the NDB Law are discharged.
  3. Under the NDB Law, eligible data breaches are notifiable. A data breach is an eligible data breach for the purposes of the NDB Law if there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information, and a reasonable person concludes that the access, disclosure or loss is likely to result in serious harm to one or more individuals to whom the Jointly Held Personal Information relates, and the entity that held the Jointly Held Personal Information has not been able to prevent the likely risk of serious harm to any of the individuals with remedial action.
  4. Crewgo Australia and the Registered User jointly ‘hold’ personal data hosted by Crewgo Australia pursuant to the Main Agreement. The parties have agreed that any breaches of that jointly held personal data will be addressed pursuant to this Data Processing Agreement.
  5. The parties have also agreed that where Crewgo Australia processes personal data of the Registered User (or of any end-user of the Registered User) that is regulated by the General Data Protection Regulation (GDPR) (EU) 2016/679 (the “GDPR”) (where the processing is within the territorial scope of the GDPR as set out in Article 3 thereof), this Data Processing Agreement will also govern their relationship for the purposes of the GDPR.

 

THE PARTIES AGREE AS FOLLOWS:

 

  1. Definitions and Interpretation
    • Definitions

In this Data Processing Addendum, Crewgo Australia and Registered User will each be referred to as a “party” and together the “parties” and any words starting with a capital letter shall have the meanings given to them in the Main Agreement unless otherwise defined in this Data Processing Addendum. Further, in this Data Processing Addendum the words “controller”, “consent”, “processor”, “data subject”, “personal data”, “processing”, and “process” shall have the meanings given to them in the GDPR.

    • Interpretation

The rules of interpretation set out in the Main Agreement will apply to this Data Processing Agreement, except where inconsistent with the Privacy Act, the GDPR and any other applicable data protection laws (collectively, “Data Protection Laws”), in which case the interpretation provisions of the relevant Data Protection Laws will prevail. Further, in this Data Processing Agreement any reference to a subclause is a reference to the subclause of the clause in which the reference is made and the recitals to this Data Processing Agreement form part of the operative binding terms.

    • Scope of this Agreement

This Data Processing Agreement only applies to personal data uploaded into the Cloud Services by the Registered User and/or any End-User for processing by Crewgo Australia on behalf of the Registered User.

    • References to GDPR

In this Data Processing Agreement, any provision in the body or the Schedule which refers to an obligation of a party to comply with the GDPR, or the right of a party under the GDPR, only applies to the extent that the GDPR applies to the personal data and/or processing pursuant to Article 3 of the GDPR.

 

  1. Acceptance of this Data Processing Agreement
    • By accessing, browsing and/or using Crewgo Australia’s cloud based platform and the Cloud Services made available by Crewgo Australia through the platform, the Registered User will be deemed to have read, understood and wholly and unconditionally agreed to be legally bound by, and accepted, the terms and conditions set out in this Data Processing Agreement and agreed that the Main Agreement is varied to incorporate this Data Processing Agreement, such that this Data Processing Agreement is hereby incorporated into and forms part of the Main Agreement by reference.
    • Except as set out in this Data Processing Agreement (and in any other previously agreed variations to the Main Agreement), the Main Agreement remains unaltered and in full force and effect.
    • This Data Processing Agreement will apply for the term of the Main Agreement and will automatically and immediately terminate upon termination or expiry of the Main Agreement for any reason.

 

  1. Term of this Data Processing Agreement
    • By accessing, browsing and/or using Crewgo Australia’s cloud based platform and the Cloud Services made available by Crewgo Australia through the platform, the Registered User will be deemed to have read, understood and wholly and unconditionally agreed to be legally bound by, and accepted, the terms and conditions set out in this Data Processing Agreement and agreed that the Main Agreement is varied to incorporate this Data Processing Agreement, such that this Data Processing Agreement is incorporated into and forms part of the Main Agreement by reference.
    • Except as set out in this Data Processing Agreement (and in any other previously agreed variations to the Main Agreement), the Main Agreement remains unaltered and in full force and effect.
    • This Data Processing Agreement will apply for the term of the Main Agreement and will automatically and immediately terminate upon termination or expiry of the Main Agreement for any reason.

 

  1. Compliance with Data Protection Laws
    • Each party hereby agrees that it will comply with its obligations under all Data Protection Laws, including but not limited to, by collecting, holding, disclosing and processing personal data only in accordance with those laws, by maintaining all records and information required by any such laws and by appointing a Data Protection Officer where required pursuant to the GDPR.
    • With respect to personal data processed by Crewgo Australia (as a processor) on behalf of the Registered User (in the Registered User’s capacity of a controller) (“Registered User Personal Data”), Crewgo Australia must at a minimum retain:
      • records confirming the name and contact details of its personnel who are appointed to respond to questions about Crewgo Australia’s processing activities, and where applicable the name and contact details of Crewgo Australia’s data protection officer;
      • the names and contact details of subprocessors who are appointed to process Registered User Personal Data;
      • records of any countries to which Registered User Personal Data is transferred;
      • records of and copies of the agreements with any subprocessors, including any upstream hosting suppliers;
      • details of the categories of Registered User Personal Data processed;
      • records of the technical and other security measures taken by Crewgo Australia as referred to in this Data Processing Agreement.
    • The Registered User must not provide any instructions to Crewgo Australia with respect to Registered User Personal Data which contravene any Data Protection Laws. Crewgo Australia will not have any obligation to process any such instructions or to process any personal data on behalf of the Registered User if doing so would contravene any Data Protection Laws. The Registered User must provide Crewgo Australia with any information and otherwise cooperate with Crewgo Australia, to the extent reasonably required by Crewgo Australia to comply with its obligations under Data Protection Laws.
    • Each party must take reasonable steps to ensure that its employees, agents and contractors comply with Data Protection Laws.
    • Each party acknowledges that this Data Processing Agreement does not set out all of the parties’ obligations under Data Protection Laws.

 

  1. Processing duration and de-identification
    • Crewgo Australia only processes personal data of the Registered User or any End-User in its capacity as a processor, during the term of the Main Agreement, and following the Main Agreement only for the purposes of deleting or returning that personal data to the Registered User. At the choice of the Registered User, Crewgo Australia must delete or return to the Registered User all of the personal data uploaded and/or entered into the Cloud Services, or otherwise collected by Crewgo Australia, in Crewgo Australia’s capacity as a processor; where the Registered User requires that personal data to be returned, it must be returned to the Registered User after the end of the provision of services relating to processing (“Processing Conclusion Date”), and Crewgo Australia must thereafter delete all then remaining existing copies of that personal data in Crewgo Australia’s possession or control as soon as reasonably practicable, but in any event not more than 30 days after the Processing Conclusion Date, unless applicable law requires Crewgo Australia to retain the personal data in which case Crewgo Australia must notify the Registered User of that requirement and only use such retained data for the purposes of complying with those applicable laws.
    • Notwithstanding subclause 1, where the personal data is not GDPR Data and is personal information for the purposes of the Privacy Act, within the 30 day period following the Processing Conclusion Date instead of destroying the personal information Crewgo Australia will take such steps as are reasonable in the circumstances to de-identify the applicable Registered User Personal Data where it no longer needs it for any purpose for which it may be used in accordance with this Data Protection Agreement or its Privacy Policy and the information is not contained in a Commonwealth record and Crewgo Australia is not required by Australian law (or a court or tribunal order) to retain it.
    • Crewgo Australia must not keep any Registered User Personal Data for longer than is necessary for the purposes for which the personal data is processed.
    • Where a party no longer needs personal data for any purpose for which it may be used or disclosed under the Australian Privacy Principles, the party must take reasonable steps to destroy the information or ensure that it is de-identified.

 

  1. Responsibility for consents, authorisations and approvals
    • The Registered User warrants and represents that it consents to, approves and authorises, and that it has or will obtain (and will in any event, maintain for the term of the Main Agreement) any other necessary consents, approvals and authorisations (including any authorisations by any End-Users, and those of third party controllers where the Registered User is a processor), with respect to any personal data uploaded into the Cloud Services by the Registered User and/or any End-User and/or otherwise collected by Crewgo Australia pursuant to this Data Processing Agreement, to the extent such consents, approvals and authorisations are necessary for Crewgo Australia to process that personal data for the purposes contemplated by this Data Processing Agreement.
    • Without limiting the foregoing provisions, the Registered User hereby warrants and represents to Crewgo Australia that all employees, customers and other end-users of the Registered User who use the Cloud Services on behalf of the Registered User (“End-Users”) have authorised the Registered User to appoint Crewgo Australia as a processor (or sub-processor).
    • The Registered User must not provide Crewgo Australia with the personal data of any third party without Crewgo Australia’s prior written consent (“Third Party Data”). If the Registered User provides Crewgo Australia with Third Party Data, the Registered User must notify the relevant third party of that fact together with any other information required by Article 14 of the GDPR.
    • The Registered User and any End-Users may withdraw any such consents, approvals and authorisations that they have provided as referred to in this clause. However, where such withdrawal occurs, Crewgo Australia shall have no further obligation to process any personal data on behalf of the person or entity that has so withdrawn the applicable consents, approvals and authorisations.
    • The withdrawal of any consents, approvals and authorisations by the Registered User or any End-User will not prevent Crewgo Australia from using personal data to which the consents, approvals and authorisations relate, for the purposes of complying with any applicable laws or enforcing any rights of Crewgo Australia.
    • Where the Registered User withdraws its consent to process Registered User Personal Data, Crewgo Australia may terminate the Main Agreement.

 

  1. Relationship of the parties
    • Each party hereby agrees for the purposes of this Data Processing Agreement and the GDPR that, as between them, Crewgo Australia is the processor and the Registered User is the controller, in connection with any processing of personal data carried out by Crewgo Australia on behalf of the Registered User, as contemplated by this Data Processing Agreement.
    • However, the parties also hereby agree that Crewgo Australia has a legitimate interest in using any data entered into and/or uploaded into the Cloud Services by the Registered User and/or End-Users, and/or otherwise collected by Crewgo Australia pursuant to this Data Processing Agreement for Crewgo Australia’s own legitimate purposes (including for billing, product development, debt recovery and sales and marketing purposes, and for the purposes of enforcing Crewgo Australia’s rights) – and to the extent that Crewgo Australia uses such data for those purposes Crewgo Australia will be the controller for the purposes of the GDPR and any other Data Protection Laws.
    • Where Crewgo Australia is a controller in connection with personal data for the purposes of the GDPR, it will process that personal data in accordance with the GDPR and its Privacy Policy.

 

  1. Registered User processing instructions
    • Crewgo Australia acknowledges that it will not process any Registered User Personal Data in its capacity as a processor, except pursuant to the Registered User’s instructions (including with respect to data transfers) unless applicable law to which Crewgo Australia is subject requires other processing of that personal data by Crewgo Australia, in which case Crewgo Australia will inform the Registered User of that legal requirement (unless that law prohibits Crewgo Australia from doing so on important grounds of public interest).
    • Crewgo Australia may assume that the Registered User’s final and complete documented instructions to Crewgo Australia to act as a processor on the Registered User’s behalf with respect to the processing of personal data entered into or uploaded into the Services by the Registered User and any End-User are constituted by the following (“Registered User Instructions”):
      • the Main Agreement (including this Data Processing Agreement incorporated into the Main Agreement);
      • the act of the Registered User and/or any End-Users’ uploading and/or entering any personal data into the Cloud Services;
      • any settings selected, and/or configurations made, by the Registered User or any End-Users in or of the Cloud Services;
      • any reasonable written instructions provided by the Registered User to Crewgo Australia via email or through any communications tool facilitated by the Cloud Services which are expressly stated to be written instructions issued by the Registered User as controller to Crewgo Australia as processor, for the purposes of the GDPR; and
      • the Registered User and relevant End-Users using the functionality of the Cloud Services to issue instructions to process personal data, such as, to delete personal data, export personal data or transfer personal data to a subprocessor.
    • Crewgo Australia will not process personal data on behalf of the Registered User, except where it is entitled to do so pursuant to the Australian Privacy Principles and any other applicable Data Protection Laws.
    • Crewgo Australia is not required to comply with the instructions of the Registered User with respect to the processing of personal data, where complying with the instructions would contravene any applicable law.

 

  1. Whose personal data will Crewgo Australia process?
    • The Cloud Services are designed only to be used to process the following individuals’ personal data: the Registered User; End-Users; employees and contractors of the Registered User; directors and officers of the Registered User.
    • However, the Cloud Services will automatically process any personal data uploaded or entered into them. Crewgo Australia may elect not to analyse all or any personal data uploaded or entered into the Cloud Services. It is the Registered User’s responsibility to ensure that only personal data of individuals that the Cloud Services are designed to process is uploaded or entered into the Cloud Services by the Registered User and any End-Users.

 

  1. Types of Personal Data that will be processed
    • The types of personal data that will be processed by Crewgo Australia in connection with the Main Agreement are any personal data that the Registered User or any End-User uploads or enters into the Cloud Services either manually or via their computer systems, smartphone devices and tablets, namely:

 

  • Subscription/registration, payment, transaction and profile data: If you register or subscribe to our Cloud Services, we will collect and otherwise process the following categories of personal data: names, telephone numbers, mobile numbers, email addresses, credit card details, bank account details, records of products and services purchased by our customers and any end users of the Cloud Services, postal addresses, residential addresses and business addresses. We will process this personal data in order to administer our customer and end user subscriptions, registrations and accounts on the Cloud Services, for the purposes of providing our customers and end users with access to and use of the Cloud Services, to enforce our customers and end users’ obligations to pay the relevant fees and charges to us and to otherwise enforce compliance by our customers and end users with our Terms of Service and the contractual obligations that they owe to us. We will also process this personal data in order to provide our customers and end users with information and assistance about the Cloud Services, and to communicate with our customers and end users in connection with any maintenance notices (that we may issue when the Cloud Services are unavailable), renewal notices and service status updates for the purposes of keeping our customers and end users informed and up to date about the status of our Cloud Services.

 

  • Data entered into and/or uploaded into the Cloud Services by our Customers and/or end users when accessing the Cloud Services: We collect and process any personal data that our customers and end users upload or enter into the Cloud Services either manually or via computer systems, smartphone devices and tablets, namely: names, telephone numbers, mobile numbers, email addresses, credit card details, bank account details, postal addresses, residential addresses, business addresses, photos of staff (headshots), staff GPS location, qualifications (e.g. Forklift Riggers Ticket Inductions), driver’s licence, ID or passport numbers, white cards and working visas (expiry date/number visa type). We also collect notes and running commentary about staff behaviour, performance and/or issues. Additionally, the Cloud Services will process any other personal information that our Customers and end users voluntarily enter or upload to CrewServr. We will process this personal data on behalf of our Customers and end users in our capacity as a processor in order to provide our Customers and end users with the Cloud Services and the functionality provided by the Cloud Services in accordance with their specific instructions (unless applicable law to which we are subject requires other processing of that personal data by us, in which case we will inform applicable Customers and end users of that legal requirement (unless that law prohibits us from doing so on important grounds of public interest)). We will also process this personal data as a controller to monitor compliance with the terms and conditions of our Terms of Service, to maintain backups of our databases and to detect unauthorised use and faults with the Cloud Services (such as, by examining log files and error messages).
The personal data will also be used to provide our customers and end users with professional services (including technical support and training services) if and where required pursuant to our Terms of Service.

 

  • Data relating to communications between us and our Customers and end users: When our Customers and end users contact us, we will collect and process personal data including the name of the Customer/end user, the IP address of the Customer/end user and any other personal data that Customers/end users provide to us during the communications. For example, our Customers and/or end users may contact us to ask questions about our Cloud Services, seek technical support or advice and to express their interest in subscribing to the Cloud Services or for the purposes of upgrading or modifying their accounts on our platform. We will process this personal data in order to provide our Customers and end users with information and assistance about the Cloud Services, and to communicate with them in connection with any breach, expiry, termination or suspension of the Cloud Services.

 

  • Analytics data: We collect and process personal data known as analytics data for statistical and analytical purposes, designed to measure and monitor how our Cloud Services are being used and to highlight any areas for improvement, optimisation and enhancement of the Cloud Services, including user location, IP addresses, cookie data, information about devices accessing the Cloud Services (IP address, the type of device used to access the Cloud Services and the operating system), the amount of time a user spent on our cloud platform and in which parts of the platform, and the path they navigated through the platform. We will process this personal data in order to monitor and detect unauthorised use of the Cloud Services and to establish how the Cloud Services are used and to highlight areas for potential improvement of the Cloud Services. We often aggregate this data with other data. However, where the data is classified as personal information (or in the case of GDPR Data, personal data) we treat it in accordance with this Privacy Policy.

 

  • Cookies: We use cookies on CrewServr. However, we will not use cookies with a Customer’s and/or end user’s account on CrewServr without express consent, unless the cookies are strictly required in order for us to provide the Cloud Services. Cookies are pieces of information that a web site transfers to a computer’s hard disk for record-keeping purposes. This helps us tailor and improve the information we present to you, promoting higher end user satisfaction when you visit our site. The use of cookies is common in the Internet industry, and many major web sites use them to provide useful features to their end users. A cookie may be used to tell when your computer or device has contacted CrewServr. Cookies may also be used to personalise your experience with us. Where we request your consent for a cookie we will explain to you what the cookie is proposed to be used for, what information it collects, and give you an opportunity to withdraw your consent to the placement of the cookie on your machine or device if you do consent. You may configure your web browser on your computer or device to reject or block cookies if you wish. If we request your consent to a cookie and you consent to our use of the cookie, you may withdraw your consent to our use of the cookie on your computer or device at any time by contacting us.

 

  • Location data: The GPS location of service providers and staff is tracked and this is available to customers, supervisors and us. The location of staff is also tracked when they enter and exit a jobsite. This information is available in timesheets for customers, supervisors, partners and administrative staff. Although CrewServr includes tools which allow location based monitoring and tracking of Service Providers and Staff (including, by tracking the locations of employees of Service Providers by Customers), any user of CrewServr can prevent their location from being tracked through CrewServr by turning off or restricting location based tracking using their smartphone operating system settings. Any user who wishes to prevent or restrict location based tracking should do so via those settings.

 

  • The Cloud Services will also process any other personal information that the Registered User or any End-User voluntarily enters or uploads into the Cloud Services. Crewgo Australia will process this personal data on behalf of the Registered User in Crewgo Australia’s capacity as a processor in order to provide the Registered User and its End-Users with the Cloud Services.
  • The above operations and sets of operations which will be performed by Crewgo Australia on personal data or on sets of personal data (whether or not by automated means) will include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, but only as required for the purposes set out in this clause.

 

  1. Processing of Special Categories of Personal Data
    • Crewgo Australia and the Registered User each agree that the Cloud Services are not to be used for processing of special categories of personal data without the prior written consent of both Crewgo Australia and the Registered User. The Registered User must not, and must procure that all End-Users will not, enter or upload any personal data that falls within the scope of special categories of personal data into the Cloud Services. Special categories of personal data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
    • Notwithstanding subclause 1, Crewgo Australia may process any Personal Data when necessary for the establishment, exercise or defence of legal claims or in any of the other circumstances referred to in paragraph 2 of Article 9 of the GDPR.

 

  1. Security
    • The technical and organisational measures that Crewgo Australia has implemented, and will continue to implement for the term of the Main Agreement to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage are as follows:
      • Crewgo Australia performs security testing (including penetration testing of the Cloud Services), and maintains other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multi-factor authentication and firewalls.
      • Crewgo Australia maintains physical security measures in its buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms.
      • Crewgo Australia requires all of its employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements.
      • Crewgo Australia carries out security audits of its systems which seek to find and eliminate any potential security risks in Crewgo Australia’s electronic and physical infrastructure as soon as possible.
      • If appropriate in the circumstances, taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, pseudonymizing and/or encrypting personal data.
      • Crewgo Australia implements passwords and access control procedures into its computer systems.
      • Crewgo Australia has a Data Breach Response Plan in place.
      • Crewgo Australia has data backup, archiving and disaster recovery processes in place.
      • Crewgo Australia has anti-virus and security controls for email and other applicable computer software and systems in place.
      • Crewgo Australia has processes in place to ensure integrity and resilience of systems, servers and personal data.
    • The Registered User warrants and represents that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of personal data by Crewgo Australia as referred to in this Data Processing Agreement, and the risks to individuals) the security measures referred to in subclause 2 provide a level of security appropriate to the risk in respect of the personal data to be processed by Crewgo Australia on behalf of the Registered User, as referred to in this Data Processing Agreement.

 

  1. Confidentiality
    • Crewgo Australia must ensure that authorised persons appointed by Crewgo Australia to process personal data entered into and/or uploaded into the Cloud Services by the Registered User and/or any End-User, and/or captured by Crewgo Australia from them or their use of the Cloud Services or interaction with Crewgo Australia, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

  1. Sub-processing
    • Crewgo Australia will only engage new third parties to process personal data entered into and/or uploaded into the Cloud Services by the Registered User and/or any End-User for Crewgo Australia to process as a processor on behalf of the Registered User (“subprocessors”) where permitted by applicable law. The Registered User hereby authorises Crewgo Australia to engage its hosting providers as required by Crewgo Australia to host the Cloud Services.
    • As at the date of this Data Processing Agreement, Crewgo Australia is authorised to continue to engage the subprocessors already engaged by Crewgo Australia as at the date of this Data Processing Agreement, to process personal data on behalf of the Registered User that is entered into and/or uploaded into the Cloud Services by the Registered User and/or any End-User.

 

  1. International Transfers
    • Crewgo Australia must not transfer Registered User Personal Data which is the subject of the GDPR, to any country or organisation outside of the European Union, except:
      • as reasonably necessary for Crewgo Australia to provide or procure the provision of the Cloud Services; or
      • as instructed by the Registered User.
    • Unless otherwise agreed in writing by the Registered User, any transfer by Crewgo Australia of Registered User Personal Data which is the subject of the GDPR outside the European Union must not be made unless Crewgo Australia has taken such measures as are necessary to ensure the transfer complies with Data Protection Laws.
    • Crewgo Australia may transfer personal information for the purposes of the Privacy Act 1988 (Cth) (other than GDPR Data) to any country provided that it complies with Australian Privacy Principle 8 (Cross-border disclosure of personal information).

 

  1. Cooperation between Crewgo Australia and the Registered User
    • Any request made by an End-User or by any other person whose data is held by Crewgo Australia on behalf of the Registered User, where such request is made directly to Crewgo Australia, is to be referred to the Registered User and the Registered User must action any such request.
    • Crewgo Australia will assist the Registered User in providing data subjects with access to personal data held by Crewgo Australia in its capacity as a processor on behalf of the Registered User, and by allowing the Registered User and data subjects to exercise their rights under the GDPR, and with other reasonable cooperation where and to the extent reasonably necessary to assist the Registered User with its responses to data subjects and data protection authorities, and otherwise where reasonably required by the Registered User to assist it with complying with its obligations under the GDPR, including but not limited to, by:
      • taking into account the nature of the processing, assisting the Registered User by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Registered User’s obligation to respond to requests for exercising a data subject’s rights laid down in Chapter III of the GDPR;
      • permitting and contributing to inspections and audits and the provision of information to verify Crewgo Australia’s compliance with the GDPR;
      • reporting breaches of personal data held by Crewgo Australia, where such data is held on behalf of the Registered User;
      • assisting the Registered User in meeting its GDPR obligations in relation to the security of processing;
      • the provision of information to the Registered User in connection with the Registered User’s preparation of Data Protection Impact Assessments;
      • assisting the Registered User in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Crewgo Australia;
      • making available to the Registered User all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and by allowing for and contributing to audits, including inspections, conducted by the Registered User or an auditor selected by the Registered User.
    • All such access and cooperation provided by Crewgo Australia referred to in subclause 2 will be at the cost of the Registered User payable at Crewgo Australia’s standard hourly rates within 7 days of invoice, except where charging a fee for such access and cooperation is prohibited by applicable law.
    • Crewgo Australia must appoint a Data Protection Officer and notify the Registered User of the Data Protection Officer’s name and contact details where required by Article 37 of the GDPR or any other Data Protection Laws.
    • Where required by Article 27 of the GDPR, the Registered User must designate in writing a representative in the European Union for the purposes of that Article.

 

  1. Data breaches
    • Each party must comply with its obligations set out in the Schedule to this Data Processing Agreement in relation to any data breach of personal data held or otherwise processed for the purposes of this Data Processing Agreement, where the party is required to do so pursuant to Data Protection Laws.

 

  1. Liability

To the extent permissible by applicable law, the exclusions and limitations of liability set out in the body of the Main Agreement will apply to this Data Processing Agreement and any claim or proceedings brought by either party under or in connection with this Data Processing Agreement.

 

  1. Indemnity
    • Each party (the first party) must indemnify the other party from and against any loss or damage incurred by the other party as a result of the first party’s breach of this Data Processing Agreement.

 

  1. Processor Contact Details
    • Crewgo Australia’s contact details are as follows:

 

Privacy Representative

Privacy Officer

Suite 152, 10 Park Road, Hurstville NSW 2220

admin@quickersupport.com.au

 

 

 

  1. General
    • Amendment: This Data Processing Agreement represents the entire agreement of the parties with respect to its subject matter and may not be amended except by a written document executed by the parties. Notwithstanding the foregoing provisions of this paragraph, Crewgo Australia may amend this Data Processing Agreement by written notice to the Registered User (“Amendment Notice”) if and to the extent the amendment is necessary to comply with Data Protection Laws or any amendments made to them, or the requirements of any applicable supervisory, government or regulatory authority, or to implement any standard clauses or comply with any certification or code of conduct approved by the European Commission or issued pursuant to the GDPR. If the Registered User does not agree with any Amendment Notice, it must notify Crewgo Australia by written notice of that fact within 7 days of the date of the Amendment Notice (“Objection Notice”). If the parties are unable to resolve the objection within 7 days from the date of the Objection Notice (“Dispute Resolution Period”), either party may terminate this Agreement for its convenience by written notice within 7 days of the expiry of the Dispute Resolution Period.
    • Assignment: Neither party may assign, transfer, license or novate its rights or obligations under this Data Processing Agreement without the prior written consent of the other party.
    • Severability: If any provision of this Data Processing Agreement is deemed invalid by a court of competent jurisdiction, the remainder of this Data Processing Agreement shall remain enforceable. If a provision of this Data Processing Agreement conflicts with any Data Protection Law affecting the parties’ commercial relationship, that provision will be severed and the remainder of this Data Processing Agreement will remain enforceable.
    • Relationship: The parties are independent contractors and this Data Processing Agreement does not create any relationship of partnership, joint venture, or employer and employee or otherwise.
    • Counterparts: This Data Processing Agreement may be executed in counterparts provided that no binding agreement shall be reached until the executed counterparts are exchanged.
    • Entire Agreement: This Data Processing Agreement and any terms implied herein by any applicable Data Protection Laws constitute the entire agreement between the parties and to the extent possible by law, supersedes all prior understandings, representations, arrangements and agreements between the parties, regarding its subject matter.
    • Applicable law: This Data Processing Agreement will be governed by and construed in accordance with the law of the Main Agreement. To the extent this Data Processing Agreement is inconsistent with any other provision of the Main Agreement, this Data Processing Agreement shall prevail.

 


 

Schedule

Action the parties must take following a suspected, potential or actual eligible data breach

 

  1. Action to be taken for the purposes of the Privacy Act 1988 (Cth)
    • If there is a suspected, potential or actual eligible data breach (“Breach”), the party that detects the Breach (the “Detecting Party”) must immediately notify the other party of the Breach by email with full particulars of the Breach. The email addresses for the purposes of this subclause are as follows:
      • Crewgo Australia Pty Ltd: admin@quickersupport.com.au
      • Registered User: any email address provided to Crewgo Australia Pty Ltd from time to time by or on behalf of the Registered User
    • Upon the Detecting Party detecting the Breach, it must also carry out the following actions:
      • Step 1: Contain and assess the data breach. The first action that must be taken in response to a suspected, actual or potential data breach is to firstly conduct a preliminary assessment and/or investigation to determine whether or not there has been a data breach or whether one is likely to occur, and then contain the breach to prevent further unauthorised access or disclosure or loss of information. If the Detecting Party is aware of reasonable grounds for suspecting a Breach occurred, the Detecting Party must immediately lock down any potential avenues for further similar data breaches whether or not it is ultimately proven that a suspected data breach actually occurred. In some cases, it may be impossible to determine whether there has been a data breach, particularly where relevant records confirming the breach have been destroyed or are otherwise unavailable. Even so, the Detecting Party must immediately lock down any potential avenues for further data breaches. Similarly, the Detecting Party must do everything possible to prevent the data breach from occurring. The Detecting Party is to engage all relevant IT, security and managerial personnel to contain any suspected or potential data breaches. Where an actual data breach has occurred, the Detecting Party must similarly engage all relevant IT, security and managerial personnel to contain the breach. Once a Breach is properly contained, the Detecting Party must determine if a data breach has occurred that requires notification under the NDB Law. The NDB Law requires that only eligible data breaches must be notified. If the Detecting Party becomes aware of reasonable grounds that indicate that there has been an eligible data breach, the Breach is required to be notified to the relevant individuals at risk of serious harm and the Australian Information Commissioner.
      • Step 2: Notify insurers. Each party must promptly notify its insurers from which it has obtained any Cyber Liability Insurance policy of the Breach.
      • Step 3: Determine if an eligible data breach has occurred. For the purposes of the NDB Law and this Data Processing Agreement, an eligible data breach occurs if the following 3 criteria are satisfied:
        • there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information;
        • the Breach is likely to result in serious harm to one or more individuals; and
        • the Detecting Party has not been able to prevent the likely risk of serious harm with remedial action.

The Detecting Party must consider the above criteria when determining whether an eligible data breach has occurred. For the purposes of the NDB scheme, serious harm is deemed to have occurred or be likely to occur if a reasonable person would consider that it has so occurred or is likely to occur. Serious harm is not defined in the Privacy Act, but in the context of a Breach it may include among other things serious psychological, physical, emotional, financial or reputational harm. Some of the matters that may inform a decision that serious harm has occurred include the sensitivity of the Jointly Held Personal Information that was the subject of the Breach, the type of Jointly Held Personal Information lost, accessed or disclosed, and whether the Jointly Held Personal Information was encrypted.

The NDB Law requires entities subject to the Privacy Act to investigate suspected eligible data breaches when they are aware that there are reasonable grounds to suspect that there may have been an eligible data breach but the entity is not aware whether or not there has been an actual eligible data breach. The NDB Law requires such entities to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity. Therefore, if the Detecting Party suspects that a Breach may have occurred, it must take all reasonable steps to ensure that an assessment is completed expeditiously and in any event within thirty (30) days after it becomes aware of the reasonable grounds to suspect that there may have been an eligible data breach for the purpose of the NDB Law. The Detecting Party must keep the other party informed at all times while the Detecting Party is undertaking any assessment of a suspected eligible data breach, and must notify the other party by email (to the address referred to in clause 1.1 of this Schedule) if the Detecting Party becomes aware of reasonable grounds that indicate that an actual eligible data breach has occurred with full particulars of the eligible data breach.

  • Step 4: Remedial action. Under the NDB Law, where there is an eligible breach of jointly held information, a party must use its best endeavours to take positive steps to address the eligible breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. In circumstances where personal information is lost but the remedial action removes the likelihood of it causing serious harm, the NDB Law provides that the eligible data breach will be taken to have not occurred. The parties agree that if a Breach occurs involving Jointly Held Information, the Registered User and Crewgo Australia Pty Ltd must each use their respective best endeavours to take positive steps to address the Breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. Each party must keep the other party informed at all times while that remedial action is being undertaken, and must notify the other party if the remedial action has removed the likelihood of the Breach causing serious harm. If Crewgo Australia Pty Ltd forms the opinion in its absolute discretion that the Registered User has not completed an expeditious assessment of the Breach and/or has not expeditiously carried out remedial action that may result in the Breach not being likely to cause serious harm, Crewgo Australia Pty Ltd may notify the Registered User that Crewgo Australia Pty Ltd requires the Registered User to notify the Breach pursuant to paragraph (e) below (“Notification Demand”). If Crewgo Australia Pty Ltd issues a Notification Demand, the Registered User must notify all relevant individuals and the Office of the Information Commissioner pursuant to paragraph (e) below within twenty-four (24) hours of the Notification Demand (time being of the essence) notwithstanding that paragraph may require the notifications to be issued within a different period of time.
  • If an eligible data breach of Jointly Held Personal Information has occurred for the purposes of the NDB Law (that has not been remedied in accordance with paragraph (d)), the Registered User must as soon as possible:
    • notify the Australian Information Commissioner of the eligible data breach; and
    • notify the relevant individuals to whom the Jointly Held Personal Data relates of the eligible data breach,

in accordance with the NDB Law.

 

  1. Action to be taken by the Registered User for the purposes of the GDPR
    • This clause 2 applies to personal data held or otherwise processed by Crewgo Australia as a processor on behalf of the Registered User.
    • In the case of a personal data breach, Crewgo Australia must notify the Registered User of a data breach that it becomes aware of without undue delay. The Registered User shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
    • Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
    • The notification referred to in subclauses 1 and 3 shall at least:
      • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
      • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
      • describe the likely consequences of the personal data breach;
      • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    • Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
    • The Registered User shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33 of the GDPR.
    • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Registered User shall communicate the personal data breach to the data subject without undue delay.
    • The communication to the data subject referred to in subclause 1 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
    • The communication to the data subject referred to in subclause 1 shall not be required if any of the following conditions are met:
      • the Registered User has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
      • the Registered User has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subclause 1 is no longer likely to materialise;
      • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
    • If the Registered User has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in subclause 9 are met.