WHISPLI DATA PROCESSING ADDENDUM
Version dated 20/02/2018
In this Data Processing Addendum, we, us, our refer to Fraudsec Pty Ltd ACN 605 003 825 trading as Whispli, and you, your refer to a Whispli Client.
A. This Data Processing Addendum sets out the terms and conditions with regard to the Processing of Whispli Personal Data by us.
B. By using Whispli, you, as a Client, accept and agree to
1. Definitions and interpretation
Contracted Processor means us or a Subprocessor;
Data Breach is a security breach within the meaning of Article 4.12 of the GDPR;
Data Protection Laws means any applicable data protection or privacy laws of any country, and includes EU Data Protection Laws;
Data Subject is the person to whom Whispli Personal Data pertains;
EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
parties means us (Fraudsec Pty Ltd ACN 605 003 825 trading as Whispli) and you (the Client);
Processing is any activity or combination of activities involving Personal Data, in any event including the collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or any other form of supplying, compiling, linking, as well as safeguarding, deleting or destroying of data (“Process”, “Processes” and “Processed” shall have the same meaning);
Subprocessor means any person (including any Third Party, but excluding our employees, contractors or advisors) appointed by us or on our behalf to Process Whispli Personal Data;
Whispli Personal Data is any Personal Data regarding an identified or identifiable natural person, which are or will be Processed by us in any way whatsoever in the context of the use of Whispli by you, any of your Organisations, Staff Members or Informants authorised or deemed to be authorised by you to use Whispli; and
You, your refer to a Client.
2. Processing of Whispli Personal Data
2.1 Role of the parties
The parties acknowledge and agree that with regard to the Processing of Whispli Personal Data:
(a) you (the Client) are the Controller;
(b) we are the Processor;
(c) we may engage Subprocessors in accordance with clause 3 of this Data Processing Addendum;
(d) Users, Staff Members and Informants using Whispli and providing Whispli Personal Data are Data Subjects.
2.2 Our obligations
(a) We will comply with the applicable Data Protection Laws in the Processing of Whispli Personal Data.
(b) We will not Process Whispli Personal Data other than on your documented instructions unless Processing is required by the Data Protection Laws to which the relevant Contracted Processor is subject, in which case to the extent permitted by law, we will inform you of that legal requirement before the relevant Processing of that Whispli Personal Data.
(c) We will only Process Whispli Personal Data to the extent necessary to provide Whispli and any related services to you, your Organisations, your Staff Members and your Informants in accordance with the Agreement.
(d) We will only process Whispli Personal Data on and in accordance with your instructions. We will not process Whispli Personal Data for our own benefit, for the benefit of any Third Party, or for our own purposes or advertising purposes or other purposes, unless required by any Data Protection Laws.
(e) We will immediately inform you regarding any changes to Whispli or the performance of our services, so that you may monitor compliance between these new arrangements and Data Protection Laws.
(f) Annexure 1 to this Data Processing Addendum sets out certain information regarding our Processing of the Whispli Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Nothing in Annexure 1 (including as amended pursuant to this clause 2.2) confers any right or imposes any obligation on any party to this Data Processing Addendum.
2.3 Your obligations
(a) You, as the Client and on behalf of each of your Organisations, Staff Members or Informants authorised or deemed to be authorised by you to use Whispli, instruct us (and authorise us to instruct each Subprocessor) to Process Whispli Personal Data.
(b) You warrant and represent that you are and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 2.3(a) on behalf of each of your Organisations, Staff Members or Informants authorised or deemed to be authorised by you to use Whispli.
(c) You must, in your use of Whispli, Process and otherwise deal with Whispli Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, your instructions for the Processing of Whispli Personal Data must comply with Data Protection Laws.
(d) You have sole responsibility for the accuracy, quality, and legality of Whispli Personal Data and the means by which Whispli Personal Data are collected.
3. Use of Subprocessors
3.1 You authorise us to appoint (and permit each Subprocessor appointed in accordance with this clause 3 to appoint) Subprocessors in accordance with this clause 3.
3.2 We may continue to use those Subprocessors already engaged by us as at the date of this Addendum, subject to us in each case as soon as practicable meeting the obligations set out in clause 3.4.
3.3 We will give you prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 5 days of receipt of that notice, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we will not appoint (or disclose any Whispli Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by you and you have been provided with a reasonable written explanation of the steps taken.
3.4 With respect to each Subprocessor, we will:
(b) ensure that the arrangement between on the one hand us and the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Whispli Personal Data as those set out in this Data Processing Addendum and meet the requirements of article 28(3) of the GDPR; and
(c) provide you for review such copies of the Contracted Processors' agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Data Processing Addendum) as you may request from time to time.
3.5 We will ensure that each Subprocessor performs the obligations under clauses [insert], as they apply to Processing of Whispli Personal Data carried out by that Subprocessor, as if it were party to this Data Processing Addendum in our place.
4.1 We will implement appropriate technical and organisational measures to secure Whispli Personal Data against loss or any form of unlawful Processing.
4.2 Taking into account the state of the art and the costs of their implementation, these measures guarantee an appropriate security level given the risks associated with Processing and the nature of the Whispli Personal Data to be protected. The measures are, in part, aimed at preventing unnecessary collection and further Processing.
4.3 We will record the measures in writing and will ensure that the security as referred to in this clause meet the security requirements under the GDPR.
4.4 On request, we shall immediately provide you with all reasonable information relating to the security of Whispli Personal Data.
5. Data and Security Breaches
5.1 We will notify you (and any other party if required by law) without undue delay upon us or any Subprocessor becoming aware of a Personal Data Breach affecting Whispli Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
5.2 We will co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
6. Data Subject Rights
6.1 We will, to the extent permitted by the Data Protection Laws, promptly notify you if we receive a request from a Data Subject under any Data Protection Laws in respect of Whispli Personal Data, including any request to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (Data Subject Request).
6.2 Taking into account the nature of the Processing, we will assist you by taking appropriate technical and organisational measures, insofar as this is possible, to assist you to perform your obligation to respond to a Data Subject Request under any Data Protection Laws.
6.3 To the extent that you do not have the ability to address a Data Subject Request, we will, upon you request, provide commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent we are permitted to do so under the Data Protection Laws and the response to such Data Subject Request is required under the Data Protection Laws.
6.4 To the extent permitted by law, the Client will be responsible for any costs arising from our assistance.
7. Data Protection Impact Assessment and Prior Consultation
We will provide you with commercially reasonable assistance with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably considers to be required of you by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of Whispli Personal Data by, and taking into account the nature of the Processing and information available to the Contracted Processors.
8. Retention of Data
8.1 We will retain Whispli Personal Data to the extent required by law and only to the extent and for such period as required by law and always provided that we will use our reasonable endeavours to ensure the confidentiality of all such Whispli Personal Data and to ensure that such Whispli Personal Data is only retained as necessary for the purpose(s) specified in the laws requiring its storage and for no other purpose.
8.2 We will not retain Whispli Personal Data made available to us any longer than is necessary:
(a) for the performance of the Agreement; or
(b) to comply with any of our obligations at law.
9.1 Subject to clauses 9.4 to 9.7, we will allow for and contribute to audits, including inspections, by you or an auditor mandated by you relation to the Processing of the Whispli Personal Data by the Contracted Processors.
9.2 You must give us reasonable notice of any audit or inspection to be conducted under clause 9.3 and you must make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of identity and authority;
(b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and you have given notice to us that this is the case before attendance outside those hours begins; or
(c) for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any additional audits or inspections which:
(i) you reasonably consider necessary because of genuine concerns as to our compliance with this Addendum; or
(ii) you are required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,
where you have identified its concerns or the relevant requirement or request in its notice to us of the audit or inspection.
9.3 The costs of the audit upon request under clause 9.3 will be borne by you.
9.4 If it is established during an audit that we have failed to comply with this Data Processing Addendum, we will take all reasonably necessary measures to ensure compliance in the future.
10. Local Processing
All Processing of Personal Data in connection with Whispli or any related services performed by us or on our behalf, including any Third Parties engaged by us, will take place within the European Union (EU) or in countries that guarantee an appropriate level of protection in accordance with the Data Protection Laws.
11. Requests to investigate
11.1 If we receive a request or order from a Supervisory Authority, Government Agency or investigation, prosecution or national security agency to provide (access to) Personal Data, we will immediately notify you.
11.2 When handling the request or order, we will (to extent permitted by the Data Protection Laws) comply with your instructions and cooperate with you, as reasonably required.
12. Informing Data Subjects
12.1 We will fully cooperate, in so far as possible, so that you may comply with your legal obligations in the event that a Data Subject exercises its rights under the GDPR or other applicable Data Protection Laws.
12.2 If a Data Subject contacts us directly in relation to any matter under any Data Protection Laws, we will advise them to address any such request this to the Controller, with a request for further instructions.
(a) our name and address;
(b) the purposes for which Personal Data are processed by us;
(c) the categories of Personal Data processed by us;
(d) any Third Party to whom Personal Data are made accessible;
(e) the countries where Personal Data are collected and Processed;
(f) the Data Subject’s rights to access, correct and delete Personal Data.
13. Limitation of Liability
To the extent permitted by law, our Liability under this Data Processing Addendum is subject to the ‘Limitation of Liability’ provisions of the Agreement, and any reference in such provisions to our Liability means our aggregate Liability under the Agreement and the Data Processing Addendum together.
14. Change to Whispli Personal Data
14.1 If a change in Whispli Personal Data to be Processed or a risk analysis of the Processing of Whispli Personal Data gives reason to do so, upon your first request, we will consult with you on amending the arrangements made in the Data Processing Addendum.
14.2 The arrangements to be newly made must be recorded in writing and form part of the Data Processing Addendum prior to their application.
14.3 The changes can never have the effect that you cannot comply with the Data Protection Laws.
15. Duration and termination
15.3 Provisions which, by their nature, are intended to continue to apply after termination of this Data Processing Addendum, will continue to apply after termination of this Data Processing Addendum. These include provisions concerning confidentiality, indemnity and limitation of Liability, and applicable law.
We have appointed a Privacy and Data Protection Officer. The appointed person may be reached at:
The Privacy and Data Protection Officer
Fraudsec Pty Ltd
Level 29, 20 Bond Street, Sydney, NSW, 2000 Australiacontact@whispli.com
Please contact the Privacy and Data Protection Officer by email in the first instance.
Annexure 1 - DETAILS OF PROCESSING OF WHISPLI PERSONAL DATA
This Annexure 1 includes certain details of the Processing of Whispli Personal Data as required by Article 28(3) GDPR.
Subject matter, nature, purpose and duration of the Processing of Whispli Personal Data
The subject matter, nature, purpose and duration of the Processing of the Whispli Personal Data are set out in the Agreement.
The types of Whispli Personal Data to be Processed
The Client may submit Whispli Personal Data to Whispli, the extent of which is determined and controlled by the Client in its sole discretion, and which may include the following categories of Personal Data:
First and last name
Contact information (company, email, phone, physical business address)
Professional life data
Personal life data
The categories of Data Subject to whom the Whispli Personal Data relates
The Client may submit Whispli Personal Data to Whispli, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
employees, agents, contractors and advisors of the Client (who are natural persons); and
other Users authorised or deemed to be authorised by the Client to use Whispli.
The obligations and rights of the Client
The obligations and rights of the Client are set out in the Agreement.