GDPR Data Processing Schedule

ClickSend’s GDPR Data Processing Schedule

Data Processing Schedule

This Data Processing Schedule (Schedule) forms part of the ClickSend Terms of Service (Agreement) entered into between you and Clicksend Pty Ltd (ACN 165 918 525) (us and we as applicable), together the Parties and each a Party.

1. Definitions

1.1 In this Schedule, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

(1.1.a) Applicable Laws means (a) European Union or Member State laws with respect to any Company Personal Data in respect of which Company is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Company Personal Data in respect of which Company is subject to any other Data Protection Laws;

(1.1.b) Company Personal Data means any Personal Data Processed by a Contracted Processor on behalf of a Company including any Personal Data of the Company’s customers, employees or contractors (Users) pursuant to, or in connection with the Agreement;

(1.1.c) Contracted Processor means us and/or a Subprocessor;

(1.1.d) Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

(1.1.e) EEA means the European Economic Area;

(1.1.f) EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

(1.1.g) GDPR means EU General Data Protection Regulation 2016/679;

(1.1.h) Restricted Transfer means a transfer of Company Personal Data where such transfer would be prohibited by EU Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses or another lawful data transfer mechanism as set out at 6.4.3 or 12 below.

(1.1.i) Services means the services and other activities to be supplied to or carried out for you by us, or on behalf of us, pursuant to the Agreement;

(1.1.j) Standard Contractual Clauses means the contractual clauses set out by the European Commission available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries, as updated or replaced from time to time;

(1.1.k) Subprocessor means any person (including any third party, but excluding our employees or our sub-contractors) appointed by or on behalf of us to Process Personal Data on behalf of you; and

(1.1.l) You means the entity that accepts/accepted the Agreement.

1.2 The terms, Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing, Special Categories of Data and Supervisory Authority shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3 The word include shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Role of Parties: The Parties acknowledge that for the purposes of this Schedule, we act as a processor and you are the controller in relation to Company Personal Data.

2.2 The Parties will comply with all applicable Data Protection Laws in the Processing of Company Personal Data.

2.3 We will only Process Company Personal Data on behalf of and in accordance with your relevant instructions and while carrying out our obligations under the Agreement, unless other processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case the Contracted Processor will, to the extent permitted by law, immediately inform the Company of that legal requirement before processing that Company Personal Data.

2.4 Annex 1 to this Schedule sets out the following details:

(2.4.a) description of the types of Processing we will carry out and the types of Company Personal Data Processed under this Agreement; and

(2.4.b) the types of Data Subjects your Company Personal Data relates to.

2.5 You agree to update us (as soon as practicable) if the details in Annex 1 are incorrect or change.

3. Subprocessing

3.1 You authorise us to continue to use those Subprocessors already engaged by us as at the date of this Schedule, subject to our obligations at 3.3.

3.2 We shall give you prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 10 days of receipt of that notice:

(3.2.a) you have not notified us in writing of any objections (on reasonable grounds) to the proposed appointment of that Subprocessor we will assume that you have consented to the appointment of that Subprocessor; or

(3.2.b) if you notify us in writing of any objections (on reasonable grounds) to the proposed appointment we shall do one of the following: (i) not appoint that Subprocessor; (ii) not disclose any Company Personal Data to that Subprocessor; or (iii) not disclose any Company Personal Data to that Subprocessor until reasonable steps have been taken to address the objections you raised and you have been informed of and agreed to that Subprocessor based on the reasonable steps taken.

3.3 With respect to each Subprocessor we shall:

(3.3.a) before the Subprocessor Processes Company Personal Data (or, where relevant, in accordance with clause 3.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement and this Schedule;

(3.3.b) ensure that the arrangement between us and the relevant intermediate Subprocessor is governed by a written contract including terms which meet the requirements of Article 28(3) of the GDPR.

4. Data Subject Rights

4.1 We shall:

(4.1.a) promptly notify you if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;

(4.1.b) ensure that the Contracted Processor does not respond to that request except on your documented instructions, or as required by Applicable Laws to which the Contracted Processor is subject, in which case we shall to the extent permitted by Applicable Laws inform you of that legal requirement before the Contracted Processor responds to the request;

(4.1.c) implement appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations under the Data Protection Laws; and

(4.1.d) where you require our assistance to respond to a Data Subject request, use commercially reasonable efforts to assist you and to the extent legally permitted, and you shall be responsible for the costs arising from our assistance.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 We will take reasonable steps to ensure any of our personnel who Process the Company Personal Data have been informed of the confidential nature of the Company Personal Data and are committed to keeping the Company Personal Data confidential.

5.3 In assessing the appropriate level of security we shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.

5.4 Personal Data Breach: We shall notify you without undue delay if we become aware of a Personal Data Breach and provide you sufficient information to meet your legal obligations. On your reasonable request we shall take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

6. Data Protection Impact Assessment and Prior Consultation

6.1 Upon your request and to the extent required by the GDPR we shall provide reasonable assistance to you where you are fulfilling your obligations under the GDPR by carrying out a data protection impact assessment, as follows:

(6.1.a) to the extent that the assessment you are carrying out directly relates to the Processing of Company Personal Data, you do not otherwise have access to the information and such information is available to us; and

(6.1.b) where you reasonably require our assistance with prior consultations with Supervisory Authorities or other competent data privacy authorities.

6.2 If you request assistance which goes beyond the scope of clause 6.1, we may provide you with notice of our fees and charge you for this additional assistance.

7. Restricted Transfers

7.1 Subject to clause 7.3, you (as data exporter) and each Contracted Processor, as appropriate, (as data importer) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from you to that Contracted Processor. The Standard Contractual Clauses are available here.

7.2 The Standard Contractual Clauses shall come into effect under clause 7.1 on the commencement of the relevant Restricted Transfer.

7.3 Clause 7.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.

8. Audit

8.1 Subject to reasonable notice (not less than 30 days) and your reasonable request to demonstrate compliance with this Schedule we shall (subject to obligations of confidentiality):

(8.1.a) make available information directly relating to your Company Personal Data and necessary to demonstrate your compliance with Article 28(3) of the GDPR;

(8.1.b) allow you, or an independent auditor appointed by you, to carry out audits, including inspections, in relation to the Processing of Company Personal Data by the Contracted Processors,

and you agree to take all reasonable measures to limit any impact on the Contracted Processors.

9. Deletion or return of Company Personal Data

9.1 Within four months after the termination or expiry of this Schedule, we shall destroy or return to you (where you make such a request), all Company Personal Data in our possession or control unless any Applicable Laws require that we retain Company Personal Data.

10. General Terms

10.1 Order of Precedence: In the event of any conflict or inconsistency between the agreements entered into between the Parties the Standard Contractual Clauses shall prevail, then the Schedule, followed by the Agreement.

10.2 Obligations under the Agreement: Subject to clause 10.1, nothing in this Schedule reduces the Parties’ obligations under the Agreement and all clauses in the Agreement will continue to apply unless they conflict with the Applicable Laws, including but not limited to: governing law and jurisdiction and limitation of liability.

10.3 Legal effect: This Schedule is entered into and becomes a binding part of the Agreement with the Effective Date being the date you accept online the Agreement and this Schedule, which forms part of the Agreement.

Annex 1: Details of Processing of Company Personal Data

This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.

1. Subject matter and duration of the Processing of Company Personal Data

The subject matter and duration of the Processing of Company Personal Data are set out in the Agreement and this Schedule.

2. The nature and purpose of the Processing of Company Personal Data

The nature and purpose of the Processing of Company Personal Data is further specified in the Agreement and as further instructed by you.

3. The types of Company Personal Data to be Processed

The types of Company Personal Data to be Processed may include but are not limited to the following:

i. a Data Subject’s name;

ii. a Data Subject’s work contact details;

iii. a Data Subject’s personal mobile number;

iv. any personal data about a Data Subject which is included in the body of the text message you choose to send via our Services (e.g. the Data Subject’s appointment details); and

v. any other personal data requested by us and/or provided by you, a Data Subject or a third party.

Please note: Personal data about a Data Subject which is included in the body of the text message may include Special Categories of Data, such as health data which relates to that Data Subject.

4. The categories of Data Subject to whom Company Personal Data relates

The categories of Data Subject to whom Company Personal Data relates are as follows:

i. your contact person/s who we communicate with;

ii. your employees or contractors who use our Services and actively contact us (including for a support request); and

iii. your customers where you enter their details when using our Services.

5. Your obligations and rights

Your obligations and rights are set out in the Agreement and this Schedule.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data subjects

The personal data transferred concern the following categories of data subjects:

  • as specified in the Agreement and Schedule.

Categories of data

The personal data transferred concern the following categories of data:

  • as specified in the Agreement and Schedule.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

  • as specified in the Agreement and Schedule.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

  • activities reasonably required for the provision of the Services or authorised by you.

Appendix 2 to the Standard Contractual Clauses

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

We take technical and organisational security measures to protect the Company Personal Data which we Process.

Details of these technical and organisational security measures can be found here: https://www.clicksend.com/en/api-docs/security-compliance/
