OdataLink Data Processing Agreement Addendum (GDPR)


For older versions, see the Data Processing Agreement Addendum (GDPR) archive.

IMPORTANT – PLEASE READ CAREFULLY: This Data Processing Agreement (“Agreement”) forms part of the OdataLink End-User License Agreement (“Principal Agreement”) between the customer entity that is party to this agreement (the “Customer”) and OdataLink Pty Ltd (the “Processor”) (together as the “Parties”).

This addendum only applies if and to the extent the Processor processes Customer Personal Data on behalf of the Customer and that Customer qualifies as a controller with respect to that Customer Personal Data under Applicable Data Protection Laws (as defined below).

The Processor reserves the right to periodically update this Agreement. If you have an active subscription with the Processor, you will be informed of any modification by email.

The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.

WHEREAS

(A) The Customer acts as a Data Controller.

(B) The Customer wishes to subcontract certain Services, which imply the processing of Customer Personal Data, to the Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and/or if in the UK, the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018.

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;

1.1.2 “Customer Personal Data” means any Personal Data processed by a Contracted Processor on behalf of the Customer pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “GDPR” means EU General Data Protection Regulation 2016/679 and/or UK General Data Protection Regulation;

1.1.5 “Data Protection Laws” means the EU General Data Protection Regulation (Regulation 2016/679) and/or the UK General Data Protection Regulation and any EU Member State and/or UK laws made under or pursuant to the GDPR;

1.1.6 “Data Transfer” means:

1.1.6.1 a transfer of Customer Personal Data from the Customer to a Contracted Processor; or

1.1.6.2 an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.7 “Service” or “Services” means the use of OData Feeds or other technology provided by the Processor in order for the Customer to access the Customer’s Data stored in other systems such as, but not limited to, Xero, MYOB and OdataLink.

1.1.8 “Subprocessor” means any person appointed by or on behalf of the Processor to process Customer Personal Data on behalf of the Customer in connection with the Agreement.

1.1.9 “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by the Processor.

1.1.10 “Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data

2.1 The Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and

2.1.2 not process Customer Personal Data other than on the relevant Customer’s documented instructions or according to settings configured in the Service and controlled by the Customer.

2.2 The Customer instructs the Processor to process Customer Personal Data.

2.3 The Customer agrees that it will not provide any Sensitive Data, according to the definition provided by GDPR, to the Processor and the Processor will have no liability whatsoever for any Sensitive Data, whether in connection with a security incident or otherwise.

2.4 The Customer agrees and warrants that it is in compliance with all applicable laws, including Data Protection Laws, with respect to its instructions to process data on the Customer’s behalf.

2.5 The Customer further agrees to ensure that its instructions to process data on the Customer’s behalf will not cause the Processor to violate any applicable law, rule, or regulation.

2.6 The Customer further agrees that the Processor is not liable for any use, misuse and/or transfer of Customer Personal Data via the Processor’s Services to other systems such as, but not limited to, Power BI, Excel, SQL Server, SQL Azure, Tableau used by the Customer that are outside of the Processor’s Services.

2.7 The Customer further understands that a separate Data Processing Agreement may be required between the Customer and other processors where the data is being used (such as, but not limited to, Xero, MYOB, Microsoft and Tableau).

2.8 The Customer acknowledges that OdataLink Pty Ltd is located in Australia and as such has nominated a UK and EU Data Representative as stated in Annex D.

3. Processor Personnel

The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR or equivalent provisions of any other Data Protection Law.

4.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

4.3 The Customer agrees that it is responsible for the secure use of Services provided by the Processor, including securing its account credentials, and ensuring the security of Customer Personal Data when in transit to and/or from the Processor.

4.4 The Customer acknowledges that the Processor provides mechanisms to secure the Service by such means as, and not limited to, restricting IP addresses, requiring authentication, and choosing which endpoints to expose. It is up to the Customer to utilise these mechanisms to secure their data sufficiently.

5. Subprocessing

5.1 With the exception of Subprocessors disclosed in Annex B, the Processor shall not appoint (or disclose any Customer Personal Data to) any Subprocessors unless required or authorized by the Customer.

5.2 In the event that Processor appoints a new Subprocessor, the Processor shall notify the Customer in writing via email to the administrator of the Customer’s account. The Customer may object to the Processor’s appointment or replacement of a Subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, the Processor will either not appoint or replace the Subprocessor or, if the Processor determines at its sole discretion that this is not reasonably possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by Customer up to and including the date of suspension or termination).

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, the Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 The Processor shall:

6.2.1 promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Customer of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 The Processor shall notify the Customer without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 The Processor shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1 The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Customer Personal Data

9.1 Subject to this section 9 the Processor may retain Customer Personal Data for a maximum period of up to 1 year from the time the Customer Personal Data was last accessed via the Service after which the Customer Personal Data will be deleted. This requirement will not apply to the extent that the Processor is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data the Processor shall securely isolate and protect from any further processing.

9.2 The Customer acknowledges that the Processor provided functionality within the Service to control the storing of Customer Personal Data.

9.3 The Customer acknowledges that the Processor has implemented automatic deletion of Customer Personal Data and other data from its system and this automatic deletion is built into the Service and cannot be changed.

9.4 The Customer acknowledges that only the Processor’s Service has access to Customer Personal Data provided via the Service and that employees, contractors and others do not have the ability to access Customer Personal Data without being authorised by the Customer to do so via the Invite functionality of the Service.

10. Audit rights

10.1 Subject to this section 10, the Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors. The Customer agrees that the cost of such audits, to the extent allowable by applicable law, shall be borne by Customer.

10.2 Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. Data Transfer

11.1 The Customer acknowledges that the Processor will transfer Data to countries outside the EU and/or the European Economic Area (EEA) and/or United Kingdom (UK) and that the use of Processor’s services requires such transfer, and the Customer gives consent for such transfer through the use of the Processor’s Services. The Customer acknowledges the list of countries are indicated in Annex C. The Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Customer Personal Data.

11.2 The Customer acknowledges that the Processor will transfer and process Customer Personal Data to and in Australia and anywhere else in the world where the Processor, its Affiliates or its Subprocessors maintain data processing operations. The Processor shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this Agreement.

11.3 Other than for countries indicated in Annex C, the Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area without the prior written consent of the Customer. If Customer Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Customer Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Customer Personal Data.

11.4 The Customer acknowledges that anyone with access to the Processor Services directly or indirectly can potentially transfer Customer Personal Data to other jurisdictions and it is the Customer’s responsibility to secure the use, and prevent the misuse, of the Service as indicated in clause 4.4.

12. General Terms

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to contact@odatalink.com.

13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the laws of South Australia, Australia.

13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of South Australia.

Annex A: Data Processing Schedule

1. Subject matter and duration of processing of personal data

The subject matter of Customer Personal Data to be processed is that of the contacts, customers, suppliers, employees, cards and associated data entered within MYOB or Xero or other systems and provided via an OData Feed or other technology.

The duration of processing Customer Personal Data shall be for as long as the Processor has a business relationship with the Customer, and at the end of that relationship, the Processor will act in accordance with clause 9 regarding deletion of such personal data.

2. Nature and purpose of processing personal data

The nature and purpose of processing Customer Personal Data is to enable the transmission by means of OData Feeds or other technology provided by the Processor from Customer Data stored within other systems (such as, but not limited to, Xero, MYOB or OdataLink) used by the Customer.

3. Types of personal data processed

The types of Customer Personal Data processed include:

  1. names
  2. addresses
  3. contact details
  4. identification details (for example, tax registration numbers)
  5. other personal data types or related data types

4. Categories of data subjects

The categories of data subjects include:

  1. suppliers / service providers of Customer
  2. customers / clients of Customer
  3. employees / contractors of Customer
  4. other contacts of the Customer

Annex B: List of Subprocessors

The Processor uses the following Subprocessors:

  1. Microsoft Azure

Annex C: List of Data Centre Locations

The Processor uses data centres located in the following countries:

  1. Australia

Annex D: UK and EU Data Representative

To comply with UK and EU Data Representation, OdataLink Pty Ltd has appointed the Prighter Group with its local partners as our privacy representative and your point of contact.

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://prighter.com/q/18601883166

[Certificate badges: PrighterUKRep certificate of Art 27 representation; Prighter certificate of Art 27 representation]