DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the System Agreement (“Agreement”) between the parties identified in the System Agreement. This DPA applies to the extent that (i) “Barringtons” processes Personal Data on behalf of the Customer in the course of providing Services, and (ii) the System Agreement expressly incorporates this DPA by reference. 

This DPA only concerns personal data and does not amend or modify any terms in the Agreement that are not specifically referenced in this DPA. In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall control. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. 

1. DEFINITIONS. 

1.1 “Agreement” means the written or electronic agreement between Customer and Service Provider for the provision of the Services to Customer. 

1.2 “Data Subject” means an identified or identifiable individual whose Personal Data is processed. 

1.3 “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement. 

1.4 “Applicable Data Protection Law” or “ADPL” means Australia’s Privacy Act 1988, its Australian Privacy Principles, and all other applicable laws and regulations governing the processing of personal data and data privacy and security that apply. The term “Personal Information” has the meaning given to it in the ADPL. 

1.5 Applicable Privacy Laws” means all data protection and privacy laws and regulations applicable to the Personal Data in question including, where applicable the Australian Privacy Act 1988 (“Australian Privacy Laws”). 

1.7 “Personal Data” means any information relating to an identified or identifiable individual or any other information defined as ‘personal data’ or ‘personal information’ under Applicable Privacy Laws. 

1.8 “Business Data” means Personal Information that Service Provider collects, retains, uses, discloses, or processes on behalf of the Business and/or pursuant to the Agreement.

1.9 “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. 

1.10 “Services” means any cloud service offering or customer support services provided by to Customer pursuant to the Agreement. 

1.11 “Service Provider” means Barrington Group Australia Pty Ltd. 

1.12 “Sub-processor” means any Processor engaged by “Barringtons” or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors may include third parties or any member of “Barringtons” group of companies. 

2. PROCESSNG OF DATA. 

2.1 Role of the Parties. As between Service Provider and Customer, Service Provider will process Personal Data under the Agreement on behalf of the Customer. 

2.2 Relationship of the Parties. Service Provider and Customer shall each comply with their respective obligations under Applicable Privacy Laws and further guidance from data protection authorities with respect to such processing. 

2.3 Customer’s Processing of Personal Data. Customer will, in its use of the Services, comply with its obligations under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Service Provider. The Customer represents that it has all rights and authorizations necessary for the Service Provider to process Personal Data pursuant to the Agreement. 

2.4 Purpose. The Service Provider shall process the Data as necessary to perform its obligations under the Agreement and in accordance with the documented instructions of the Customer (the “Permitted Purpose“). Unless otherwise notified by the Customer, the Service Provider’s obligations under the Agreement shall be the standing instructions of the Customer. 

2.5 Customer’s Obligations.

2.5.1 The Customer shall comply with Applicable Data Protection Law, including without limitation, and to the extent required: (a) providing notice; (b) obtaining consent; (c) honoring access, deletion, opt-out, and opt-in rights and requests; and (d) otherwise ensuring that it and the Service Provider have any and all rights required in order for Service Provider to collect, retain, use, disclose, and otherwise process Customer Data under this DPA. 

2.5.2 The Customer shall not direct the Service Provider to collect, retain, use, disclose, or otherwise process Customer Data in violation of Applicable Data Protection Law. 

2.6 Personal Data Details

2.6.1 Subject matter. The subject matter of the processing under the Agreement is Personal Data. 

2.6.2 Duration. The duration of the processing under the Agreement is determined by the Customer and as set forth in the Agreement. 

2.6.3 Purpose. The purpose of the processing under the Agreement is the provision of the Services by the Service Provider to Customer as specified in the Agreement. 

2.6.4 Nature of the processing. The Service Provider and/or its Sub-processors are providing Services or fulfilling contractual obligations to Customer as described in the Agreement. These Services may include the processing of Personal Data by the Service Provider and/or its Sub-processors on systems that may contain Personal Data. 

2.6.5 Categories of data subjects. The Customer determines the data subjects which may include Customer’s clients, end-users, employees, contractors, suppliers, and other third parties. 

2.6.6 Categories of data. Personal Data that Customer submits to the Services. 

3. SUB-PROCESSING. 

3.1 Use of Sub-Processors. Service Providers may engage Sub-processors to provide certain services on its behalf. Customer consents to Service Provider’s engaging Sub-processors to process Personal Data under the Agreement.

3.2 Obligations. The Service Provider will enter into an agreement with each Sub-processor that obligates the Sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in the DPA, and at a minimum, at the level of data protection required by Data Protection Law (to the extent applicable to the services provided by the Sub-processor). 

3.3 Notice. Service Provider will provide a list of Sub-processors that it engages to process Personal Data upon written request by Customer. 

4. SECURITY MEASURES. 

4.1 Security Measures by Service Provider. The Service Provider will implement and maintain appropriate technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed by the Service Provider on behalf of the Customer in the provision of the Services (“Security Measures”). The Security Measures are subject to technical progress and development. The Service Provider may update or modify the Security Measures from time to time provided that any updates and modifications do not result in the material degradation of the overall security of the Services purchased by the Customer. 

4.2 Security Measures by Customer. The Customer is responsible for using and configuring the Services in a manner that enables the Customer to comply with Data Protection Laws, including implementing appropriate technical and organizational measures. 

4.3 Personnel. The Service Provider will restrict its personnel from processing Personal Data without Customer authorization (unless required to do so by applicable law) and will ensure that any person authorized by the Service Provider to process Personal Data is subject to an obligation of confidentiality. 

4.4 Prohibited Data. The Customer acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as unwanted individual’s financial or health information) to the Services. The Customer shall not upload any unnecessary data or information that is not required under the Agreement. 

5. PERSONAL DATA BREACH RESPONSE. 

Upon becoming aware of a Personal Data Breach, the Service Provider will notify the Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by the Customer. The Service Provider will provide reasonable assistance to the Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.

6. DATA TRANSFERS AND EXPORTS. 

The Service Provider may transfer and process Personal Data to and in other locations around the world where the Service Provider or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement. 

7. DELETION OF DATA. 

Upon written request of the Customer, the Service Provider will delete or return to Customer all Personal Data in Service Provider’s possession as set forth in the Agreement except to the extent the Service Provider is required by the applicable law to retain some or all the Personal Data (in which case Service Provider will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to that retained Personal Data. 

8. COOPERATION. 

8.1 Data Protection Requests. If the Service Provider receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Law, the Service Provider will, without unreasonable delay, redirect the request to the Customer. The Service Provider will not respond to such a communication directly without the Customer’s prior authorization unless legally compelled to do so. If the Service Provider is required to respond to such a request, the Service Provider will promptly notify the Customer and provide the Customer with a copy of the request, unless legally prohibited from doing so. 

8.2 Customer Requests. The Service Provider will reasonably cooperate with the Customer, at the Customer’s expense, to permit the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement to the extent that the Customer is unable to access the relevant Personal Data in their use of the Services. 

8.3 DPIAs and Prior Consultations. To the extent required by Data Protection Law, the Service Provider will, upon reasonable notice and at Customer’s expense, provide reasonably requested information regarding the Services to enable the Customer to carry out data