Data processing addendum
Last updated on February 17, 2023
This Data Processing Addendum (“DPA”) supplements, and forms part of, the User Terms or the Subscription Agreement (the “Agreement”) between the applicable Deputy contracting entity (“Deputy”) and the entity or person(s) identified as Customer in the relevant account or Agreement (as applicable) (“Customer”).
This DPA applies where and to the extent that Deputy is acting as a processor and/or controller of personal data on behalf of Customer under the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict. In the event of any conflict between the SCCs (defined in Section 1 below) and the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions. In this DPA, the following terms shall have the following meanings:
“Applicable Data Protection Laws” means the US Data Protection Laws and the European Data Protection Laws that are applicable to the processing of Personal Data under this DPA.
“Controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given to them in the European Data Protection Laws.
“Customer Personal Data” means any personal data provided by, or on behalf of, Customer to Deputy in connection with the Services.
“Europe” means, for the purposes of this DPA, the Member States of the European Economic Area, the United Kingdom (the “UK”) and Switzerland.
“European Data Protection Laws” means: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the ”EU GDPR”); (b) the UK’s Data Protection Act 2018 and the EU GDPR as incorporated into United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (c) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (d) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”), in each case as updated, amended, replaced or superseded from time to time.
“Personal Data Breach” means any act or omission that compromises either the security, confidentiality or integrity of Customer Personal Data transmitted, stored or otherwise processed by Deputy that is likely to create a risk to the privacy rights or harm to any individual. Without limiting the foregoing, a material compromise shall include unauthorized access to or disclosure or acquisition of Personal Information.
“Restricted Transfer” means a transfer of personal data that is subject to European Data Protection Laws to a country outside Europe that is not subject to an adequacy decision by the European Commission, or the competent authorities in the UK or Switzerland (as applicable).
“SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR.
“Special categories of personal data” or “sensitive data” means any Customer Personal Data: (a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (b) that is genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation; and (c) relating to criminal convictions and offences.
“Sub-processor” means any processor engaged by Deputy to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement where such entity processes Customer Personal Data. Sub-processors may include Deputy’s affiliates or other third parties.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) issued by the Information Commissioner’s Office under S119(A)(1) of the UK’s Data Protection Act 2018, as amended, superseded or replaced from time to time.
“US Data Protection Laws” means all data protection or privacy laws and regulations applicable to Customer Personal Data in force within the United States, including the California Consumer Privacy Act (as amended from time to time) (the “CCPA”), and any rules or regulations implementing the foregoing.
1.2 Interpretation. Capitalised terms used but not defined in this DPA shall have the meanings given to them in the Agreement.
2. PROCESSING OF PERSONAL DATA
2.1 Relationship of the parties.
(a) Deputy as a processor. The parties acknowledge that, except as set out in Section 2.1(b), Customer shall act as a controller and Deputy shall act as a processor in respect of its processing of Customer Personal Data disclosed to Deputy for the purpose of Deputy providing the Services.
(b) Deputy as a controller. The parties acknowledge that Customer acts as a controller and Deputy may also act as a controller in respect of its processing of Customer Personal Data to: (i) comply with its own obligations under applicable law and regulations and to establish, exercise or defend legal claims; (ii) contact Authorised Users in relation to the Services and/or any Third Party Products and Services; (iii) provide any services directly to Authorised Users, other than the Services provided to Customer; (iv) facilitate the provision of Third Party Products and Services to Authorised Users; (v) conduct research and development and improve the Services in a way that is not specific to Customer; (vi) communicate directly with Authorised Users, other than for the purpose of providing the Services to Customer; (vii) protect the safety and security of the Services in a way that is not specific to Customer, including detecting and responding to Personal Data Breaches or malicious and unlawful activity; (viii) generate de-identified statistical data to uncover collective insights about the use of the Services (and not to specifically analyse personal characteristics); and/or (ix) process such Customer Personal Data in any other context which requires Deputy to determine the purposes and means of such processing.
2.2 Prohibited Data. Customer will not disclose (and will not permit any Authorised User to disclose) any special categories of personal data (including “Protected Health Information” as defined by the United States Health Insurance Portability and Accountability Act) to Deputy for processing. Notwithstanding the foregoing, Customer may disclose (and may permit its Authorised Users to disclose) biometric data to Deputy for processing for the sole purpose of Deputy’s optional “Face Unlock” Kiosk feature.
2.3 Purpose Limitation. Deputy shall process Customer Personal Data as necessary to perform its obligations under the Agreement and strictly in accordance with the documented lawful instructions of Customer (including the terms of the Agreement), or as otherwise agreed in writing by the parties (the “Permitted Purpose”). Deputy shall not use, disclose or otherwise process the Customer Personal Data for any other purpose other than the Permitted Purpose, except where otherwise required by any law applicable to Deputy, and shall not “sell” the Customer Personal Data within the meaning of the CCPA or otherwise. Deputy shall notify Customer, without undue delay, if it becomes aware that Customer’s processing instructions infringe Applicable Data Protection Laws.
2.4 Security. Deputy shall implement appropriate technical and organisational measures to protect Customer Personal Data against a Personal Data Breach and to preserve the security and confidentiality of Customer Personal Data, in accordance with Deputy’s security standards described at the following URL: https://www.deputy.com/au/security-features (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Deputy may update or modify the Security Measures from time to time.
2.5 Personal Data Breach. Upon becoming aware of a Personal Data Breach, Deputy shall notify Customer without undue delay by written notice with all relevant details reasonably available of the Personal Data Breach to allow Customer to fulfil its data breach reporting obligations under Applicable Data Protection Laws. Deputy shall take further reasonable steps to contain, investigate and mitigate the effects of the Personal Data Breach. Deputy’s notification of or response to a Personal Data Breach in accordance with this Section 2.5 will not be construed as an acknowledgement by Deputy of any fault or liability with respect to the Personal Data Breach.
2.6 Confidentiality. Deputy shall take reasonable steps to ensure that it has appropriate policies and procedures in place in relation to any person that it authorises to process Customer Personal Data (including Deputy’s employees, agents and Sub-processors) and to ensure that such persons are subject to a duty of confidentiality.
2.7 Deletion or return of Customer Personal Data. Upon written request from Customer, Deputy shall anonymise, delete or return to Customer all Customer Personal Data in its possession or control subject to any requirement on Deputy to retain some or all of the Customer Personal Data to comply with applicable laws, in which event Deputy shall isolate and protect the Customer Personal Data from further processing except to the extent required by such law until deletion is possible. Customer acknowledges that there may also be circumstances in which one or more of its Authorised Users are Authorised Users of one or more other customers and in such circumstances, Deputy will continue to process the applicable Customer Personal Data related to such Authorised User(s) until a written request from such Authorised User(s) is received by Deputy in accordance with this Section 2.7.
2.8 Cooperation and data subjects’ rights. Deputy shall provide reasonable assistance to Customer (at Customer’s expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that Deputy processes on Customer’s behalf. In the event that any request, correspondence, enquiry or complaint is made directly to Deputy, Deputy shall promptly notify Customer and provide it with a copy of the request, unless legally prohibited from doing so.
2.9 Data Protection Impact Assessment. Deputy shall provide reasonable assistance to Customer (at Customer's expense) with undertaking an assessment of the impact of processing Customer Personal Data, and with any consultations with a data protection authority, if and to the extent an assessment or consultation is required to be carried out under the Applicable Data Protection Laws.
2.10 Audits. Customer acknowledges that Deputy is regularly audited against ISO 27001:2013 standards by independent third-party auditors. Upon written request from Customer, Deputy shall: (a) supply a copy of its ISO 27001:2013 certificate to Customer so Customer can verify Deputy’s compliance with the ISO 27001:2013 standards, and this DPA; and (b) respond to reasonable written audit questions submitted to it by Customer (such responses will be in the manner and form that Deputy generally makes such responses available to its customers), provided that Customer shall not exercise this right more than once per year. Customer agrees that Customer shall exercise its rights under Clause 8.9 of the SCCs by instructing Deputy to comply with the audit measures described in this Section 2.10. To the extent that Deputy’s provision of information under this Section 2.10 does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Deputy that: (i) involves the use of an independent third party; (ii) provides written notice to Deputy in a timely fashion; (iii) requests access only during business hours; (iv) accepts billing to Customer at Deputy’s then-current rates; (v) occurs no more than once annually; (vi) restricts its findings to only Customer Personal Data; and (vii) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
2.11 Sub-processors. Customer agrees that Deputy may engage Sub-processors to process Customer Personal Data for the Permitted Purpose. The Sub-processors currently engaged by Deputy and authorised by Customer are listed at the following URL: https://www.deputy.com/au/terms/data-subprocessors. Deputy shall ensure that: (a) there is a written agreement in place with each Sub-processor that imposes terms and conditions that require the relevant Sub-processor to protect Customer Personal Data to the standard required by the Applicable Data Protection Laws; and (b) it remains responsible to Customer for the performance of such Sub-processors’ data protection obligations under such terms and conditions. Deputy shall notify Customer if it adds or replaces any new Sub-processors at least 20 days before the proposed addition or replacement by posting details at the following URL: https://web-assets.deputy.com/f/64010/x/7c533e59fc/deputy-sub-processors-05012022.pdf, in order to allow Customer to raise any reasonable objections on grounds of data protection. If Customer rejects the appointment of any new Sub-processor and Deputy is unable to perform its Services without this new Sub-processor, Customer shall have the right to terminate the Agreement.
2.12 Restricted Transfers. The parties agree that when the transfer of Customer Personal Data from Customer (as “data exporter”) to Deputy (as “data importer”) is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards be put in place, it shall be subject to the SCCs, which shall be deemed incorporated into and form part of this DPA, as follows:
(a) in relation to transfers of Customer Personal Data protected by the EU GDPR and processed in accordance with Section 2.1(a) of this DPA, the SCCs shall apply and be completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes is as set out in Section 2.11 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;
(vi) in Clause 18(b), disputes will be resolved before the courts of Ireland; and
(vii) the Annexes of the SCCs shall be populated with the information set out in the corresponding Annexes to this DPA;
(b) in relation to transfers of Customer Personal Data protected by the EU GDPR and processed in accordance with Section 2.1(b) of this DPA, the SCCs shall apply and be completed as follows:
(i) Module One will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;
(v) in Clause 18(b), disputes will be resolved before the courts of Ireland; and
(vi) the Annexes of the SCCs shall be populated with the information set out in the corresponding Annexes to this DPA;
(c) in relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs will apply as completed in accordance with Sections 2.12(a) and (b) of this DPA and are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming a part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed with the relevant information set out in Sections 2.12(a) and (b) of this DPA, as well as the Annexes to this DPA and Table 4 in Part 1 of the UK Addendum is deemed completed by selecting “neither party”. Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum; and
(d) in relation to transfers of Customer Personal Data protected by the Swiss DPA, the SCCs will apply in accordance with Sections 2.12(a) and (b) of this DPA, with the following amendments:
(i) any references to “Directive 95/46/EC” or “Regulation (EU) 2016/670” will be replaced with references to the Swiss DPA, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent Article(s) or Section(s) of the Swiss DPA;
(ii) any references to “EU”, “Union”, “Member State” and “Member State Law” will be replaced with references to Switzerland and Swiss Law, as applicable;
(iii) Clause 13 and Part C of Annex 1 will be amended to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss DPA;
(iv) references to the “competent supervisory authority” and “competent courts” will be replaced with references to the FDPIC and competent courts in Switzerland;
(v) Clause 17 is amended to provide that the SCCs will be governed by the laws of Switzerland; and
(vi) Clause 18(b) is amended to provide that disputes will be resolved before the applicable courts of Switzerland.
2.13 General Customer obligations. Without limiting Customer’s other obligations under the Agreement, Customer shall: (a) comply at all times with the Applicable Data Protection Laws in its processing of Customer Personal Data, including (but not limited to) when Customer discloses Customer Personal Data to Deputy under the Agreement, and provide Deputy with such cooperation, assistance and information as Deputy may reasonably request to comply with its obligations under the Applicable Data Protection Laws; (b) ensure that any instructions it issues to Deputy comply with the Applicable Data Protection Laws; (c) ensure that it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Laws to process Customer Personal Data (including but not limited to any special categories of data) and to enable Deputy to provide the Services pursuant to the Agreement (including this DPA); (d) ensure that any Customer Personal Data provided to Deputy is limited to only what is necessary in order for Deputy to provide the Services and such Customer Personal Data is accurate and up-to-date to the best of Customer's knowledge at the time that it is provided to Deputy; (e) use all reasonable endeavours to promptly notify Deputy upon becoming aware that Customer Personal Data has become inaccurate or out of date; and (f) not do or permit to be done anything within its knowledge or control which may cause or otherwise result in Deputy being in breach of the Applicable Data Protection Laws.
2.14 Exclusions and limitations of liability. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.
DESCRIPTION OF THE PROCESSING ACTIVITIES / TRANSFER
ANNEX 1A: LIST OF PARTIES
Name: Customer (as identified in the Agreement).
Address: Customer’s address (as identified in the Agreement).
Contact Person’s name, position and contact details: Customer Contact Name and corresponding details (as identified in the Agreement).
Activities relevant to the transfer: Refer to Annex 1B below.
Name: The Deputy contracting entity (as identified in the Agreement).
Address: The Deputy contracting entity’s address (as identified in the Agreement).
Contact Person’s name, position and contact details: Frank Chila, General Counsel, firstname.lastname@example.org.
Activities relevant to the transfer: Refer to Annex 1B below.
Role: Processor and/or controller.
ANNEX 1B: DESCRIPTION OF PROCESSING / TRANSFER
Categories of data subjects
● Authorised Users
Categories of personal data
● Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and photo;
● Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, and driving licence details;
● Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, and professional expertise;
● Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, shift and attendance records, health and safety records, performance appraisals, training records, and security records;
● Financial details, including information relating to the financial affairs of the data subject, including bank account details, income, and payroll information;
● Device data, including connection type and settings, operating system, browser type, IP address, time zone settings, the time spent on webpages, unique device identifiers, cookies, online tracking data, geolocation data and other diagnostic data; and
● Content created by Customer or data subjects and submitted to a Deputy technology platform.
Special categories of personal data
● Biometric information.
Other special categories of personal data may be processed by Deputy, from time to time, in circumstances where Customer or its Authorised Users choose to disclose special categories of personal data using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to disclosing, or prior to permitting its Authorised Users to disclose, any other special categories of personal data using the Services.
Frequency of the transfer
Nature and purpose of the processing
The nature and purpose of processing personal data is to enable the functionality of the Deputy platform as set out in the Agreement and related documentation.
Duration of the processing
Processing of the personal data will continue for the duration of the Agreement.
ANNEX 1C: COMPETENT SUPERVISORY AUTHORITY
The data exporter’s competent supervisory authority will be determined in accordance with the EU GDPR or UK GDPR (as applicable).
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Deputy implements a variety of technical and organisational security measures, the details of which are set out at the following URL: https://www.deputy.com/au/security-features.
LIST OF SUB-PROCESSORS
A list of Deputy’s current Sub-processors is set out at the following URL: https://www.deputy.com/au/terms/data-subprocessors