Data Processing Addendum

Last Updated 2 March 2022

CIRCLE IN DATA PROCESSING ADDENDUM - APPLICABLE TO EU AND UK CLIENTS

This Data Processing Addendum (“DPA”) forms part of the Platform Licence & Services Agreement (the “Agreement”) between Circle In Pty Ltd (ACN 609 227 018) (“Circle In”) and the Client (as defined in the Agreement) and is dated and entered into on the same date as the Agreement. Circle In and the Client are referred to herein individually as a “party” and, collectively, the “parties”.
  1. Defined Terms. In this DPA:
    1. "Agreement Personal Data" means Personal Data which is to be processed under this DPA in accordance with the processing activities set out in Exhibit A of this DPA.
    2. "Applicable Laws" means the laws of the EU, the laws of any member state of the EU, and/or UK law, including any statute, statutory instrument, bye-law, order, regulation, directive, treaty, decree decision (as referred to in Article 288 of the Treaty on the Functioning of the European Union) (including any judgment, order or decision of any court, regulator or tribunal), rule, policy, guidance or recommendation issued by any governmental, statutory or regulatory body, and/or industry code of conduct or guideline, in force from time to time which relates to the Agreement Personal Data which is to be processed under this Agreement.
    3. "Data Protection Legislation" means the EU/UK Data Protection Legislation and any other applicable EU legislation and regulatory requirements in force from time to time in any EU member state relating to personal data (including, without limitation, the privacy of electronic communications), and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party. References to "Controller", “Processor”, “Data Subject”, “Personal Data”, “process”, “processed”, “processing”, and "appropriate technical and organisational measures" have the same meanings as defined in the Data Protection Legislation.
    4. "Data Security Incident" means:
      1. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Agreement Personal Data transmitted, stored or otherwise processed;
      2. a discovery or reasonable suspicion that there is a vulnerability in any technological measure used to protect any Agreement Personal Data that has previously been subject to a breach within the scope of paragraph 1(d)(i) above which may result in exploitation or exposure of that Agreement Personal Data; or
      3. any defect or vulnerability with the potential to impact on ongoing resilience, security and/or integrity of systems processing Agreement Personal Data.
    5. "EU/UK Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive (2002/58/EC) (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
    6. "Services" means the services provided to the Client by Circle In in accordance with the terms of the Agreement.
  2. Compliance with Data Protection Legislation. In relation to any Personal Data provided or disclosed to Circle In by the Client or which Circle In otherwise processes, in connection with Circle In’s performance of the Services, the parties will comply with all applicable requirements of the Data Protection Legislation. This paragraph 2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. For the purposes of the Data Protection Legislation, the Client is the Controller and Circle In is the Processor.
  3. Client Consents. Without prejudice to the generality of paragraph 2 of this DPA, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Agreement Personal Data to Circle In for the duration and purposes of the Agreement.
  4. Subject Matter, Nature, Purpose and Duration. Circle In has agreed to carry out the processing activities in relation to the Agreement Personal Data as set out in Exhibit A of this DPA and otherwise as provided in reasonable written instructions by the Client to Circle In from time to time on behalf of the Client for the purpose of providing the Services.
  5. Processing Covenants. Without prejudice to the generality of paragraph 2 of this DPA, Circle In will, in relation to any Agreement Personal Data processed in connection with the performance by Circle In of its obligations under the Agreement:
    1. process Agreement Personal Data only on documented instructions from the Client, unless otherwise required to do so by an Applicable Law, in which case Circle In will inform the Client of that legal requirement before processing, unless that Applicable Law prohibits Circle In from informing the Client. For the avoidance of doubt, this DPA will constitute the Client’s documented instructions to Circle In to process Agreement Personal Data in connection with Circle In’s provision of the Services to the Client;
    2. act in accordance with the Data Protection Legislation and Applicable Laws and not cause the Client to breach any obligation under the Data Protection Legislation and Applicable Laws;
    3. use commercially reasonable efforts intended to ensure that persons authorised to process Agreement Personal Data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality or are subject to ethical rules of responsibility that include confidentiality;
    4. taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement commercially reasonable technical and organisational measures intended to meet the security requirements described in Article 32 of the GDPR;
    5. taking into account the nature of the processing, use commercially reasonable efforts to assist the Client, at the Client’s expense, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subjects’ rights with respect to their Agreement Personal Data under the Data Protection Legislation and any Applicable Laws;
    6. notify the Client promptly if Circle In becomes aware of a Data Security Incident, provided that the provision of such notice by Circle In will not be construed as an acknowledgement of fault or liability with respect to any such Data Security Incident;
    7. at the choice of the Client, delete or return all Agreement Personal Data to the Client within thirty (30) days after the end of the parties’ business relationship and delete existing copies unless Applicable Law requires retention of Agreement Personal Data; and
    8. make available upon the Client’s reasonable request information reasonably necessary to demonstrate material compliance with the obligations laid down in this DPA, and allow for and contribute to audits (each, an "Audit"), at the Client’s expense, including inspections of processing facilities under Circle In’s control, conducted by the Client or another auditor chosen by the Client (an "Auditor"), during normal business hours, no more frequently than once during any twelve (12) month period, and upon reasonable prior notice, provided that no Auditor will be a competitor of Circle In, and provided further that in no event will the Client have access to the information of any other client or customer of Circle In, and the disclosures made pursuant to this paragraph 5(i) ("Audit Information") will be held in confidence as Circle In’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no Audit will be undertaken unless or until the Client has requested, and Circle In has provided, documentation pursuant to this paragraph 5(i) and the Client reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this DPA. Without limiting the generality of any provision in the Agreement, the Client will employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and the Client will be liable for any improper disclosure or use of Audit Information by the Client or its agents.
  6. Subprocessors. The Client hereby grants Circle In general authorisation to engage subprocessors to assist Circle In in processing Agreement Personal Data as set out in this DPA. Circle In will enter into contractual arrangements with such subprocessors requiring the same level of data protection compliance and information security as that provided for herein. The Client hereby consents to the processing of Agreement Personal Data by, and the disclosure and transfer of Agreement Personal Data to any subprocessors listed in Exhibit A to this DPA. Circle In will inform the Client of any intended changes concerning the addition or replacement of subprocessors at least ten (10) calendar days before the new subprocessor processes Agreement Personal Data. The Client may object to such changes in writing within five (5) days of such notice, provided that such objection is based on reasonable grounds relating to data protection (an "Objection"). In the event of an Objection, the parties will discuss such concerns in good faith with the intention of achieving a resolution. If the parties are not able to achieve a resolution as described in the previous sentence, the Client, as its sole and exclusive remedy, may terminate the Agreement for convenience, on the condition that the Client provides written notice to Circle In within five (5) calendar days of being informed of the engagement of the subprocessor. The Client will not be entitled to any refund of fees paid prior to the date of any termination pursuant to this paragraph 6.
  7. Client Obligations. The Client warrants that: (i) it will comply with its obligations as a Controller under the Data Protection Legislation in respect of its processing of Agreement Personal Data and any processing instructions it issues to Circle In as referred to in paragraph 5(a) of this DPA; (ii) it has provided notice and obtained all consents and rights required by the Data Protection Legislation for Circle In to process Agreement Personal Data pursuant to the Agreement and this DPA; and (iii) the processing of Agreement Personal Data by Circle In upon the documented instructions of the Client under paragraph 5(a) of this DPA will have a lawful basis of processing pursuant to Article 6 of the GDPR.
  8. Circle In Obligations. Circle In will reasonably assist the Client with meeting the Client’s compliance obligations under the Data Protection Legislation, taking into account the nature of Circle In’s processing and the information available to Circle In, including in relation to Data Subject rights, data protection impact assessments, and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
  9. Restricted Transfer of Personal Data. The Client hereby consents to the transfer of Agreement Personal Data to and the processing of Agreement Personal Data in Australia. The parties hereby enter into the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU (the "SCCs"), and appendices 1 and 2 of the SCCs of which are set out in Exhibit B of this DPA, and are hereby incorporated into this DPA in their entirety.
  10. Conflict. In the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will prevail. In the event of a conflict between this DPA and the SCCs executed by the parties, the provisions of the executed SCCs will prevail.
  11. Term and Termination. This DPA will remain in effect as long as Circle In carries out Agreement Personal Data processing operations on behalf of the Client or until the expiry or termination of the Agreement (and all Agreement Personal Data has been returned or deleted in accordance with Section 5(h) of this DPA).
  12. Construction. In this DPA, unless a clear contrary intention appears: (a) where not inconsistent with the context, words used in the present tense include the future tense and vice versa, and words in the plural number include the singular number and vice versa; (b) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by this DPA; (c) reference to any gender includes each other gender; (d) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (e) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; and (f) “including” (and with correlative meaning, “include”) means including without limiting the generality of any description preceding such term.
  13. Notice. Any notice or other communication given to a party under or in connection with this DPA must be in writing.
Exhibit A – Subject Matter, Nature, Purpose and Duration of the Processing
  1. Subject Matter of the Processing: Refer to Exhibit B
  2. Nature of the Processing: Refer to Exhibit B
  3. Purposes for which EU Personal Data is Processed: Refer to Exhibit B
  4. Type of EU Personal Data: Refer to Exhibit B
  5. Categories of Data Subject: Refer to Exhibit B
  6. Duration of the Processing: During the Term of the Platform Licence and Services Agreement in effect between the parties.
  7. Subprocessors: N/A
Exhibit B – Appendices 1 and 2 of the SCCs
Appendices 1 and 2 form part of the Clauses. By the data exporter entering into the Agreement or otherwise placing an order with the data importer, the parties will be deemed to have agreed to Appendices 1 and 2.

Appendix 1
Data exporter: Purchaser of data importer’s Services
Data importer: Provider of Services to data exporter
Data subjects: Employees of the data exporter
Categories of data:
  • First and last name of data subjects
  • Email addresses for data subjects
  • Details of data subject parenting status
Special categories of data (if appropriate): N/A
Processing operations: Processing strictly for the purposes of performance of the Platform Licence and Services Agreement in effect between the data importer and data exporter.

Appendix 2
Description of the technical and organisational security measures implemented by the data importer: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organisational measures intended to ensure a level of security appropriate to the risk.