Data Privacy Addendum (Australia)
This Data Privacy Addendum (the “DPA”) forms an integral part of, and is bound by, the Terms into which this DPA is incorporated by reference. In the event of a conflict between this DPA and the main body of the Terms, the terms and conditions that are more protective of Client Personal Data shall supersede and control to the extent of such conflict. Any capitalized term used but not defined herein shall be ascribed the meaning set forth in the Terms.
Definitions
Client Personal Data means any Personal Data provided to Harbor by or on behalf of Client.
Data Breach means any unauthorized access, use, acquisition, exfiltration, or disclosure of Client Personal Data, but excludes an Unsuccessful Data Breach.
Data Protection Law means all applicable legislation, principles, industry codes and policies relating to the collection, use, disclosure, storage or granting of access rights to Personal Data, including the Privacy Act.
Information Security Program means commercially reasonable technical and organizational controls to protect Client Personal Data, including written policies describing its security controls and measures.
IRP means a written response plan to identify, remediate, respond to, and recover from a Data Breach.
Personal Data has the same meaning as “Personal Information” under the Privacy Act.
Privacy Act means the Privacy Act 1988 (Cth).
Process, Processing, or Processes means any action performed on Client Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transfer or otherwise making available, alignment or combination, restriction, deletion, or destruction.
Terms means the terms and conditions available at https://harborglobal.com/business-terms/.
Unsuccessful Data Breach means an unsuccessful attempt or activity that does not compromise the security of Client Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
Scope and Applicability; Ownership
Scope; Applicability. This DPA applies only to the extent Harbor Processes Client Personal Data in connection with the Agreement. Notwithstanding anything else, it remains in effect until, and automatically expires on, deletion or return by Harbor of all Client Personal Data. The Parties acknowledge and agree that Harbor, its Affiliates and their Personnel may receive Client Personal Data from the Client and use and disclose that Client Personal Data in the course of providing the Services. Client further acknowledges and agrees that, in providing the Services, Harbor may use Affiliates and Personnel outside of Australia, including in Canada, the European Economic Area, the United Kingdom, and the United States. For purposes of this DPA, Harbor shall not be deemed to Process, hold or have access to any Client Personal Data to the extent it is held in encrypted form and Harbor does not hold the encryption key as part of providing the Services.
Data Ownership. Client grants Harbor a non-exclusive, worldwide, royalty-free license to access, use, copy, modify, process, store, transmit, and display Client Personal Data solely as necessary to provide and maintain the Services.
Client and Harbor Obligations
Compliance with Privacy Laws. In the performance of its obligations and the exercise of its rights under the Agreement, including with respect to the Services, the Client shall comply with all Data Protection Laws in relation to any Client Personal Data that is collected, stored, used, disclosed or otherwise dealt with under or in connection with the Agreement. If the Client is not an APP Entity (within the meaning of the Privacy Act), the Client will comply with the requirements of the Privacy Act as if it were an APP Entity. Client must not do or omit to do anything in relation to Client Personal Data that would cause Harbor, its Affiliates or their Personnel to contravene any Data Protection Laws. Client must not instruct Harbor or use the Services to collect, use, disclose or otherwise do anything with respect to Client Personal Data in any way that would cause Harbor to contravene any Data Protection Laws.
Accuracy; Compliance. Client shall be solely responsible for the following: (i) the accuracy, quality, and legality of Client Personal Data; (ii) its own compliance with applicable Data Protection Laws, including all transparency and other requirements for the collection and use of Client Personal Data and/or the use of cookies or similar mechanisms (such as obtaining any necessary consents and authorizations from individuals or otherwise); and (iii) ensuring its instructions to Harbor comply with all applicable laws, statutes, and regulations, including applicable Data Protection Laws.
Harbor's Responsibilities. Harbor may refuse to accept, use or disclose Client Personal Data if it believes that to do so would contravene any Data Protection Laws. Harbor will, in the performance of its obligations and the exercise of its rights under the Agreement, including the provision of the Services, comply with all Data Protection Laws in relation to any Client Personal Data that is collected, stored, used, disclosed or otherwise dealt with under or in connection with the Agreement.
Confidentiality; Security
Information Security. Harbor shall implement and maintain an Information Security Program, which shall include the controls specified in Exhibit A to this DPA. Harbor shall designate a senior individual to be responsible for the overall management of Harbor’s Information Security Program. Harbor may update, amend, or otherwise alter its Information Security Program at any time and without notice to Client, provided that any such update, amendment, or alteration does not reduce the level of security in the Information Security Program.
Rights of individuals
Requests. Each Party shall, to the extent legally permitted, promptly notify the other Party if it receives a request from an individual who wishes to access or correct their Personal Data held by Harbor or has a complaint regarding their Personal Data. If an individual requests access to or correction of, or has a complaint regarding, their Personal Data which is held by Harbor, then to the extent required by the Data Protection Laws, each Party shall use reasonable measures (including in the case of Harbor, appropriate technical measures) to assist the other to respond to and resolve such a request or complaint in accordance with the Data Protection Laws.
Data Breach Procedures
Response Plans. Harbor shall establish, implement, and maintain an IRP.
Reporting to Client. Harbor will notify the Client without undue delay after becoming aware of any Data Breach in respect of Client Personal Data held by Harbor, its Affiliates or their subcontractors. Harbor shall make reasonable efforts to identify the cause of such Data Breach and take those steps as Harbor considers necessary and reasonable in order to remediate the cause of such a Data Breach to the extent the remediation is within Harbor’s reasonable control. Harbor will provide timely information to Client relating to the Data Breach as it becomes known or as is reasonably requested by Client. These obligations will not apply to incidents that are caused by Client or Client’s Personnel.
Incident Notification. The Parties will cooperate to investigate and assess the Data Breach and to enable each Party to comply with its data breach notification obligations under Data Protection Laws.
Subcontractors
Appointment of subcontractors. Client agrees that Harbor may engage subcontractors to Process Client Personal Data on Client's behalf. Upon request, Harbor will make available to Client information about the identity and country of location of each subcontractor.
Subcontractor Obligations. Harbor shall ensure that each subcontractor is subject to binding obligations that require the subcontractor to protect the Client Personal Data to the same standard as Harbor.
Exhibit A
(Security Controls)
Harbor shall apply the following security measures to safeguard Client Personal Data:
General Obligations. Harbor shall have reasonable security measures in place to protect Client Personal Data against unauthorized access, use, acquisition, exfiltration, or disclosure. These measures include firewall, anti-virus software, malware protection and similar protections installed and kept up-to-date on all information systems used to Process the Client Personal Data. Harbor shall evaluate and, where necessary to meet industry standards, improve the effectiveness of such safeguards.
Access Control. Harbor shall restrict access to the Client Personal Data to Personnel on a need-to-know basis and shall revoke access where appropriate, including from any employee whose employment is terminated.
Physical Security. Harbor shall ensure that third-party datacenters prevent any unauthorized persons from gaining access to data processing systems that Process Client Personal Data by implementing a physical access control system (ID reader, magnetic card, chip card), keys, door locking (electric door openers, etc.), security staff, janitors, and surveillance facilities (alarm system, monitoring).
IT System Access Controls. Harbor shall prevent systems Processing Client Personal Data from being used without authorization by implementing password procedures (e.g., special characters, minimum length, change of passwords), automatic blocking (e.g., password or timeout), creation of unique credentials per user, differentiated access rights (profiles, roles, transactions and objects), reports, access, change, deletion, and encryption of backup production data.
Transmission Control. Harbor shall ensure that Client Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check the recipient addressee to which the Client Personal Data will be transferred by using data transmission facilities.
Input Control and Integrity. Harbor shall employ measures to ensure the integrity of the Client Personal Data, including without limitation, monitoring systems able to ascertain whether Client Personal Data has been accessed, altered or removed from data processing systems, and if so, by whom. Harbor shall employ measures that allow Client Personal Data to be updated or completed pursuant to a Data Subject Request.
Availability Control. Harbor shall ensure Harbor’s data processing systems are protected against accidental destruction or loss of Client Personal Data by implementing backup procedures, mirroring of hard disks, uninterruptible power supply, anti-virus and firewall systems, and disaster recovery plans.
Separation Control. Harbor shall ensure that data collected for different purposes can be processed separately by implementing “internal client” concept / limitation of use, segregation of functions production / testing, logical or physical data separation, and multitenancy.
Job Control and Training. Harbor shall ensure that its employees and contractors Processing Client Personal Data have undergone reasonably adequate training on information security and the protection of Client Personal Data, the care, handling and processing of the Client Personal Data, and the requirements of applicable Data Protection Law. Harbor Personnel having access or otherwise Processing Client Personal Data will be subject to confidentiality obligations, which will survive termination of the relationship with Harbor.
Data Security Officer. Harbor has appointed one or more employees to be in charge of: data security; data protection matters, including receiving complaints regarding any violation of or non-compliance with the applicable Data Protection Law; and any amendment to Client Personal Data for accuracy/completeness.