This Data Processing Policy (“DPP”) is incorporated into, and is subject to the terms and conditions of, the Policy between BPN Solutions Pty Ltd and the customer entity that is a party to the Policy (“Customer” or “you”).
All capitalized terms not defined in this DPP shall have the meanings set forth in the Policy. For the avoidance of doubt, all references to the “Policy” shall include this DPP (including the Standard Contractual Clauses (“SCCs”) (where applicable), as defined herein).
The Contractor shall process personal data on behalf of the Customer, in the meaning of Article 4 (8) and Article 28 of the EU GDPR 2016/679 – General Data Protection Regulation (GDPR). The Personal Information collected shall be in accordance with the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012 which includes the Australian Privacy Principles (collectively, the Privacy Act). This Policy regulates the rights and obligations of the Parties in connection with the processing of personal data.
As long as the term “data processing” or “processing” (of data) is used, the definition of “processing” in the meaning of Article 4 (2) of the GDPR will be considered the basis.
In this regard, the Parties agree as follows:
Data Processing Agreement
- “Collect” means gather, acquire or obtain by a lawful and fair means, information in circumstances where the individual is identifiable or identified.
- “Express Consent Consequences” includes the fact that we will not be accountable under the Privacy Act and you will not be able to seek redress under the Privacy Act in the event that you provide consent to the disclosure of your Personal Information by us to an overseas recipient and the overseas recipient handles your Personal Information in breach of the Privacy Act.
- “Expressly Informed” means the circumstance where we have provided you with a clear statement (either verbal or in writing) of the Express Consent Consequences.
- “Personal Information” means information that is not Sensitive Information, including information or an opinion (whether information or an opinion forming part of a database), whether true or not and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion. This includes, but is not limited to, an individual’s first name, last name, email address, password and address.
- “Primary Purpose” is the main reason for the Collection of any Personal Information.
- “Reasonable Expectation” means a reasonable individual’s expectation that their personal information might be Used or Disclosed for the relevant purpose.
- “Secondary Purpose” means a purpose of Use or Disclosure other than a Primary Purpose.
- “Sensitive Information” is given its meaning in section 6(1) of the Privacy Act 1988 (Cth).
- “Use” means the handling of Personal Information by our Company.
- “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of Australia;
- “EEA” means the European Economic Area;
- “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- “GDPR” means EU General Data Protection Regulation 2016/679;
- “Data Transfer” means:
- a transfer of Contractor Personal Data from the Contractor to a Contracted Processor; or
- an onward transfer of Contractor Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
2. Object and duration of order processing, Term
- This Order Processing Policy (hereinafter referred to as OP Policy) regulates the legal rights and obligations of the Parties in as far as data protection is concerned and with reference to the software as a service contract concluded between the Parties (hereinafter referred to as: the “main contract”). This OP Policy reifies particularly the data protection legal obligations of the contracting parties, which arise from the service described in detail in the main contract.
- In the event of possible inconsistencies between service specifications or regulations in the main contract, the terms of this OP Policy shall have priority. Divergent regulations shall only then have priority over this OP Policy if they expressly refer to this OP Policy.
- This OP Policy is valid for the duration of the main contract. In as far as the contractor processes personal data of the contractor over and beyond the term of the OP Policy or of an individual order processing, the contractual agreements on the predetermination for a specific purpose and compliance with the technical and organisational measures shall remain applicable.
3. Scope and responsibility
- The Contractor shall process personal data on behalf of the Customer. Object of order processing, type of data, type and purpose of the data processing (collection, processing and use of personal data) are reified in the main contract and the related service specification as well as Annex B.
- The Customer is aware that he alone, within the context of the main contract, as a controller (“controller” in the meaning of Article 4 (7) of the GDPR), bears the responsibility for compliance with the legal regulations of the Data Protection Acts, particularly the responsibility for the legitimacy of sharing the data with the contractor, as well as the legitimacy of data processing.
- The right to issue instructions belongs to the Customer, as stipulated in the main contract. The instructions are fixed by the main contract and can be changed, supplemented, or replaced through individual instructions by the Customer in writing (“Individual instruction”). Instructions which are not provided for in the main contract shall be dealt with as proposals for change in service provision. Verbal instructions must be immediately confirmed by the Customer in writing.
4. Obligations of the Contractor
- The contractor may process data only in the context of the purpose mentioned in the main contract and/or in Annex B as per the instructions of the Customer, provided that there are no exceptional cases as per Article 28 (3) lit. a) of the GDPR. If the contractor believes that an instruction given by the Customer violates applicable regulations about data protection, he must inform the Customer of this immediately. The contractor is authorised to defer the execution of the relevant instruction for as long as it has not been confirmed or changed by the Customer in writing. If the Contractor is of the opinion that the processing of data according to instructions can make the Contractor liable in any way, in accordance with Article 82 of the GDPR, he is authorised to stop any further processing until the issue of liability between the Parties is clarified. The Contractor is not obligated to carry out substantive, legal checks.
- The Contractor shall, upon request by the Customer, support the Customer in the fulfilment of the inquiries and claims of the data subjects in accordance with chapter III of the GDPR, as well as in ensuring compliance with the obligations mentioned in Articles 33 to 36 of the GDPR, taking into consideration the nature of the processing and the information available to him in the context of his possibilities. The Contractor is authorised to bill the Customer for the expenses arising from this process, based on the Contractor’s hourly rate applicable at that material time, and provided that nothing contrary has been agreed between the Parties.
- The Contractor shall oblige all employees engaged by him to process the Customer’s data, as well as all other persons working for him, to ensure that data confidentiality is maintained. The employees of the Contractor are forbidden to process the Customer’s data in any manner beyond the instructions given and they must handle the Customer’s data with confidentiality. These obligations of confidentiality and secrecy persist even after completion of the order.
- Provided this is required by law, the Contractor shall appoint a data protection officer. At the time of the conclusion of this contract, there was no legal obligation to make such an appointment, in Article 37 of the GDPR. Upon request by the Customer, the Contractor shall appoint a contact person for legal issues of data protection in connection with this order. If the data protection officer and/or the contact person for matters of data protection mentioned here is replaced, the Customer must be notified of this immediately.
- The Contractor shall inform the Customer immediately if he learns of any breaches to the protection of the Customer’s personal data. The Contractor shall take the required measures to safeguard the data and to minimise any possible negative consequences to the data subjects and he shall immediately consult the Customer about this.
- In the event that a claim is made against a Customer by a data subject with regard to possible demands as per Article 82 of the GDPR, the Contractor shall undertake to support the Customer, to the extent possible, in defending himself against this claim. The Contractor is authorised to bill the Customer for the expenses arising from this process, based on the Contractor’s hourly rate applicable at that material time, and provided that nothing contrary has been agreed between the Parties.
5. Obligations of the Customer
- The Customer must inform the Contractor immediately and in detail if he notices errors or irregularities in the order results concerning data protection legal regulations.
- The Customer shall appoint a contact person with sufficient powers, who shall handle all issues relating to data protection in the context of the OP-contract, and he shall inform the Contractor about this person upon request. If the contact person is changed, the Customer must inform the Contractor of this immediately.
- In the event that a claim is made against the Contractor by a data subject with regard to possible demands as per Article 82 of the GDPR, the Customer shall undertake to support the Contractor, to the extent possible, in defending himself against this claim.
6. Technical and organisational measures for data protection (Article 32 of the GDPR)
- The Contractor shall set up his internal organisation in such a way that it meets the requirements of data protection to the extent required. The Contractor shall, in this regard, take technical and organisational measures for the adequate protection of data processed on behalf of the Customer, which meet the requirements of Article 32 of the GDPR.
- The technical and organisational measures taken by the Contractor and agreed on by contract in accordance with Article 32 of the GDPR, are enclosed in Annex A. The Customer is aware of these measures and shall take responsibility for ensuring that the measures meet an adequate protection standard for the risk of the processing procedures agreed on with the Contractor. The contractor is authorised to change the organisation of the data processing on order any time; this is crucial for the safety of the data, particularly the security procedures taken according to Article 32 of the GDPR, provided he ensures that the protection standard does not fall below the level agreed on by contract. The contractor shall inform the Customer about essential revisions of his technical and organisational measures.
7. Correction, deletion and blocking of data
- The Contractor has a duty, according to the instructions of the Customer, to correct, delete or to block the data, which is being processed on order, provided that this falls within the instructional framework of the Customer. If it proves impossible to delete the data or to restrict its processing accordingly, in conformity with data protection regulations, the Contractor shall, on the basis of a separate order, undertake the destruction of data storage media and other materials in conformity with data protection regulations. The Contractor is authorised to bill the Customer for the expenses arising from this process, based on the Contractor’s hourly rate applicable at that material time, and provided that nothing contrary has been agreed between the Parties.
- After completion of the order, the Contractor shall delete or return all data upon request from the Customer. After you discontinue using our services, on our own instance, or upon your request, we will delete or de-identify your personal information unless we are legally required or allowed to maintain such personal information. The Contractor is authorised to bill the Customer for expenses incurred in returning the data and/or those arising from the divergent specifications of the Customer for returning or deleting the data, based on the Contractor’s hourly rate applicable at that material time, and provided that nothing contrary was agreed on between the Parties.
- As long as the deletion of the data is prohibited by a legal retention period of two years, or any other period defined in any other law applicable for the time being, the data shall only be deleted after expiry of this legal retention period.
8. Justification for sub-order relationships
- The Contractor is allowed to provide reasons, at any time, for sub-order relationships with affiliated companies or third parties (i.e. with service providers, who support the Contractor during service delivery and in the process gain access to the data, e.g. computer centres). At the time of concluding this policy, the companies listed in Annex B as sub-contractors for part services were working for the Contractor and were directly processing and/or using the Customer’s data for this purpose. For these sub-contractors, the consent for taking action is deemed to have been granted. The Customer has to be informed about any planned commissioning of other affiliated companies or third parties and/or changes, so that the Customer can object to the commissioning, if there are some important reasons for such. If the Customer does not submit his objection within 2 weeks of the issue of the information by the Contractor, the consent of the Contractor shall then be deemed to have been granted.
- If there are important legal reasons pertaining to data protection on the part of the Customer (particularly reasons of the data security) or mandatory technical reasons for the retention of the activity agreed on by contract, or if the need to avert an imminent loss and/or to prevent the intensification or expansion of damage already incurred so demands, assignment of the aforementioned persons can take place immediately, clause 7.1 notwithstanding.
- Such services, which the Contractor takes up with third parties as pure supplementary services for purposes of performing the business activity at hand, should not be regarded as sub-contractual relationships in the meaning of clause 7. These include, for example, cleaning services, pure telecommunication services without any concrete reference to the services, which the Contractor renders for the Customer, post and courier services, transport services and surveillance services. The Contractor has a duty, nevertheless, to ensure that adequate arrangements as well as technical and organisational measures are taken to ensure the protection of personal data, even in the case of supplementary services provided by third parties. The maintenance and care of the IT system or applications constitutes a sub-contractual relationship in the sense of clause 7, and order processing in the sense of Article 28 of the GDPR, if the maintenance and inspection touches on such IT systems which can also be used in connection with the provision of services for the Customer and during whose maintenance personal data being processed on behalf of the customer can be accessed.
- The Contractor shall, together with the subcontractors, meet regulations for data processing on order, which at least meet the requirements of the existing conditions. The Contractor will, above all, oblige the subcontractors to follow the instructions of the Customer, to supply him with information, and – if need be – also to give him access to and, in the context of the required control measures pursuant to clause 8 of this OP Policy, to allow him to view relevant contract documents.
- The Contractor is authorised to transfer the Customer’s personal data to subcontractors in a third country and to have it processed by them, provided that the mandatory legal regulations for data export to third countries are fulfilled. To this end, the Customer should furthermore be provided with the required details and information in advance. Any processing or transfer of data to a third country, that was already on-going at the time of concluding this OP Policy, was done in accordance with Annex B.
9. Verification possibilities & inspection rights
- The Contractor must prove to the Customer that he is complying with his obligations in accordance with this OP Policy, using appropriate means of his choice, such as completion of a self-audit, presentation of a current audit report or self-assessment, using reports or report excerpts from independent authorities (e.g. auditors, audit firms, data protection officers, IT safety department, data protection audit, quality assurance audits, certificates for data protection and/or information safety (e.g. according to BSI basic protection or ISO 270001) or certificates in accordance with Article 42 of the GDPR).
- If it becomes necessary in individual cases, (for example if there are justifiable suspicions that evidence in the meaning of clause 9.1, is insufficient or inappropriate, or cannot be presented, or in special cases according to Article 33 (1) of the GDPR), for the Customer or an auditor contracted by him at his own expense to carry out checks regarding compliance with the obligations of this OP Policy, particularly the technical and organisational measures taken, the checks will be carried out during the Contractor’s normal working hours, without disrupting the latter’s work routine and following prior notification. The Contractor may make the control measures of the Customer contingent upon a previous written notification with an adequate lead time (at least 14 days) and stating at least three alternative dates as well as the signing of a confidentiality declaration with regard to the data of other customers and the technical and organisational measures established, provided that special incidents do not justify the performance of another control measure different from the one in question. If the auditor contracted by the Customer is found to be in competition with the Contractor, the Contractor has a right to object to his appointment. Controls carried out by the Customer on site are basically to be organised as random checks of the departments relevant to the execution of the order processing, except if there are more important reasons pertaining to the legality of data processing, and they should be limited to one day per calendar year at most.
- The Contractor is authorised to bill the Customer for the expenses arising out of the control measures, based on the Contractor’s hourly rate applicable at that material time, and provided that nothing contrary has been agreed between the Parties. This also applies to inspections and controls of the Customer carried out by a data protection supervisory authority or any other sovereign supervisory authority.
10. Inquiries of data subjects
- As long as a data subject contacts the Contractor directly for purposes of correction, deletion of his data or information concerning the data, the Contractor shall refer the data subject to the Customer, provided that an assignment to the Customer is possible based on the information from the data subject. The Contractor will immediately pass the request of the data subject on to the Customer.
- The Contractor shall support the Customer to the extent possible upon request, provided this was agreed on. The Contractor is authorised to bill the Customer for the expenses arising from this process, based on the Contractor’s hourly rate applicable at that material time, and provided that nothing contrary has been agreed between the Parties.
- The Contractor is not liable if the data subject’s request is either not answered by the Customer, not answered correctly or not answered in due time.
11. Measures of third parties or rights of third parties with regard to data
If items containing data are affected by the actions of third parties (e.g. attachments or confiscations) or by rights of third parties (transfer of ownership as security on a debt), the Contractor has to inform the Customer immediately. The Contractor shall inform all persons responsible in connection with this matter that the sovereignty and ownership of the data lie exclusively with the Customer as a “controller” in the meaning of the General Data Protection Regulation.
12. Personal data breach
- Contractor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer’s Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
- Contractor shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
13. Deletion of Data
The Contractor is authorised to delete the personal data in his hands, which was processed for the Customer, as well as other data arising out of the OP Policy, 4 weeks after departure of the guest or after cessation of any other mandatory data retention reason. The above will happen, unless the Customer issues a written instruction that the data in question should continue to be accessible at the Contractor’s premises. The Contractor will not verify the legitimacy of the data processing. The Customer shall indemnify the Contractor from all claims which might be asserted against him by third parties, because of the prolonged storage of data. The Contractor can ask for reasonable compensation for the prolonged data storage.
14. Support inquiries/maintenance and servicing of the Customer’s systems
- The Contractor shall, from time to time, carry out maintenance and/or servicing of automated processes or of data processing equipment (especially IT systems and applications); particularly support service, in the context of the main contract and upon request by the Customer. For this purpose, it is sometimes necessary to gain remote access to systems at the Customer’s premises (client computers or sometimes integrated third-party solutions). If the Contractor receives data from the Customer for this purpose, particularly in connection with support inquiries, and this data enables access to the Contractor’s systems (particularly TeamViewer access data and/or permanent access, Windows and/or user names and passwords) – hereinafter referred to as (“access data”), the Contractor undertakes to arrange his work sequences in such a manner that this access data is appropriately protected from unauthorised access by third parties and is immediately deleted after execution of the assigned tasks. The Contractor shall make use of the rights given to him to access the Customer’s automated processes or data processing systems, only to the extent necessary – also in terms of time – for proper execution of the commissioned maintenance and service assignments.
- Upon request, the Customer shall allow the Contractor to have effective control over remote accesses, for example by using technologies which enable the Customer to follow the work carried out by the Contractor or to ensure proper documentation of these tasks. The Customer is authorised to check testing and maintenance work before, during and after execution. In the case of remote access, the Customer is authorised, in as far as this is technically possible, to follow the processes on a control screen and to terminate them any time.
- The liability regulation agreed on between the Parties in the main contract also applies to this particular order processing, provided that no other policy to the contrary was reached.
- If any damage arises from inadmissible or wrongful data processing in the context of this order data processing relationship, and if this damage has resulted from the correct implementation of the commissioned service or an instruction issued by the Customer, the Customer alone shall be liable for this. The Customer shall indemnify the Contractor upon first request from all claims which are laid against the Customer in connection with the concrete implementation of the commissioned service or the instruction issued by the Customer. Under these prerequisites, the Customer shall also compensate the Contractor for all costs incurred in the course of his legal defence.
16. Commencement of the agreement, abolition of previous agreements
- This contract shall come into force upon confirmation of the conclusion of the contract by the Customer. Confirmation of the conclusion of the contract by the Customer can be carried out using an electronic format in accordance with Article 28 of the GDPR.
- The Parties agree amicably that, concurrent with the commencement of this contract as mentioned in section 15.1 above, all previously existing policies on order data processing between the Parties are hereby amicably annulled and replaced by the current contract.
17. Final provisions
- Any amendments and additions to this OP Policy and all its components – including possible assurances of the Contractor – require a written agreement which can also be in an electronic format (text form) and the express statement that this is an amendment or addition to the existing conditions. The same shall apply to any renunciation of this written form requirement.
- This policy is governed by the Australian laws and the EU Regulations insofar they are not inconsistent with each other. In case of any contradiction or inconsistency, if the customer is subject to EU laws/Regulations, then EU laws/Regulations will prevail and in case of an Australian customer, the Australian law will prevail. This shall not prejudice the venue of determination of disputes between the Company and the customer.
- If any provision or parts of this OP Policy should become invalid, this shall not affect the validity of the remaining provisions. The parties shall undertake, in mutual agreement, to replace the invalid provision with another provision that comes closest to the invalid provision in terms of meaning.
- The annexes listed below shall become a component of this OP Policy.
Additional – Annexes
Annex A: Technical and organisational measures in accordance with Article 32 of the GDPR and includes the Australian Privacy Principles (collectively, the Privacy Act)
Annex B: Supplementary information on order processing
Annex C: Jurisdiction – Specific Terms
Annex A – Technical and organisational measures
The Contractor shall take the following technical and organisational measures for data safety in the meaning of Article 32 of the GDPR and Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012 which includes the Australian Privacy Principles (collectively, the Privacy Act).
Access Monitoring – Internal
The following measures of access control are in place:
- Only employees of the company have right of access. Visitors may only access the offices of the company accompanied by our staff. Cleaning staff may enter the rooms only outside office hours when the data processing workstations of the employees are closed.
- Only employees of the Contractor have access to the business premises. This is guaranteed by an electronic key system.
- Storage of the data is carried out exclusively in the data centre or in the business premises of the Contractor.
Access Monitoring – External
The following measures of access monitoring are in place:
- Access to the data processing systems is protected by a combination of registration and firewall.
- Unattended workstations are protected during business hours by locking screens and/or by users logging off.
- Only employees of the company have right of access.
- Storage of the data is carried out exclusively in the data centre and in the business premises of the Contractor.
- Connection to the data processing systems outside the business premises takes place exclusively via VPN tunnels.
- Access to the data processing systems is granted to only a select number of employees.
Data Access Monitoring
The following measures of data access monitoring are in place:
- Both user authorisations and a logging system are in use within the CRM system, to which the ticket system is connected.
The following measures of data separation are in place:
- The data is strictly connected to a hotel and only users of this hotel can have access to it.
Data sharing control
The following measures of data sharing monitoring are in place:
- The entire process of transmission on the Contractor’s side takes place in an encrypted form. The Customer shall bear the responsibility for the transmission of data from the Customer to the Contractor in encrypted form. The Contractor shall provide the Customer with standard technical options for this.
- Transmission control: the data will not be transmitted to third party authorities, with the exception of subcontracted order processing companies in accordance with this contract or the main contract.
2. Availability and capacity
The following measures of availability monitoring are in place:
- The data is stored and processed in a data centre. A data security strategy is available there.
- The operating parameters of the computer centre are monitored.
3. Processes for regular testing, assessment and evaluation (Purpose control)
The following measures of purpose control are in place:
- The data collected may only be processed for the purpose arising from the main contract.
- The data may not be used for marketing purposes except in a manner authorized by law, rules and regulations.
- The employees are obligated to protect the data.
Annex B – Description of order processing on individual contract
This Annex B, as a supplement to the main contract, regulates the methods used to process data on order, in connection with the main Policy concluded between the Parties.
1. Duration of order processing
The duration of order processing is determined by the main contract.
2. Object of the contract
The object of the order processing is determined by the main Policy. It comprises the execution of the following tasks by the Contractor:
- Generate internal logbook entries, guest requests and customer-facing email correspondence furnished with guest details on behalf of hotels.
- For this purpose, all reservation and guest profile data required for above content is exported and transmitted to BPN Solutions Pty Ltd.
- BPN Solutions Pty Ltd generates above content for the hotel from this data and stores them on servers of BPN Solutions Pty Ltd owned by Amazon in Singapore via Amazon Web Services (AWS).
- The generated correspondence is dispatched by BPN Solutions Pty Ltd via Amazon Simple Email Service (SES) in the name and on behalf of the Customer.
3. Type of data, nature and purpose of the data processing as well as data subjects
The following data types/data categories are affected (multiple selections allowed):
- Contract master data (contract relationship, product and/or contractual interest)
- Customer history
- Contract billing and payment data
- Contact data (surname/first name/e-mail/phone number)
- Recipient and sender of messages addressed to the Customer or originating from the Customer
- Customer system access data
- Working data from the customer systems (production data and real data)
- Log files of the customer (names of users of IT systems or applications, IP-addresses)
The following categories of persons are affected by the storage of your data:
- Guests (booking guest plus companions)
- Customer (natural person)
- Customer’s employee
- Customer’s supplier
- Contact persons who can be assigned to the Customer as his assistants without being his employees
- Recipient and sender of messages addressed to the Customer or originating from the Customer
4. Return or Deletion of Data
The date of deletion on termination:
Upon termination or expiration of the Policy, BPN Solutions Pty Ltd shall (at Customer’s request) delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent BPN Solutions Pty Ltd is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data BPN Solutions Pty Ltd shall securely isolate, protect from any further processing and eventually delete in accordance with BPN Solutions Pty Ltd’s deletion policies, except to the extent required by applicable law.
After you discontinue using our services, on our own instance, or upon your request, we will delete or de-identify your personal information unless we are legally required or allowed to maintain such personal information, or where the deletion of the data is prohibited by a legal retention period of two years, or where a different time is mentioned in any other law applicable for the time being, the data shall only be deleted after expiry of this legal retention period.
5. Data processing Locations
Customer acknowledges that BPN Solutions Pty Ltd transfers and processes Customer Data to and in Singapore and anywhere else in the world where BPN Solutions Pty Ltd, its Affiliates or its Sub-processors maintain data processing operations. BPN Solutions Pty Ltd shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPP.
6. Data Transportation
The Customer agrees to the electronic transmission of data, provided that the following minimum requirements are met:
- Encrypted transmission of data
- Record keeping concerning the transmission of the information
- Access to the information is only possible with a protected password
The Contractor uses the following subcontractors for the current processing of the Customer’s personal data, and the Customer agrees to their assignment:
| Subcontractor (Company, address, contact person) | Data categories processed | Processing steps / purpose of subcontractor order data processing |
| --- | --- | --- |
| Amazon.com, Inc | Contract data, customer data, working data, log data | Operation and hosting of the servers required for this service and operation of the e-mail servers |
| Cloudflare, Inc | Contract data, customer data, working data, log data | Guaranteeing the worldwide accessibility to the service and protection from attacks on the IT infrastructure |
| Google LLC | Contractual data | Telecommunication services, data storage and administration |
Annex C – Jurisdiction-Specific Terms
European Economic Area (EEA):
Objection to Sub-processors. Customer may object in writing to BPN Solutions Pty Ltd’s appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 3.1 of DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, BPN Solutions Pty Ltd will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Policy without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
Government data access requests. As a matter of general practice, BPN Solutions Pty Ltd does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about BPN Solutions Pty Ltd accounts (including Customer Data). If BPN Solutions Pty Ltd receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a BPN Solutions Pty Ltd account (including Customer Data) belonging to a Customer whose primary contact information indicates the Customer is located in Europe, BPN Solutions Pty Ltd shall: (i) inform the government agency that BPN Solutions Pty Ltd is a processor of the data; (ii) attempt to redirect the agency to request the data directly from Customer; and (iii) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy. As part of this effort, BPN Solutions Pty Ltd may provide Customer’s primary and billing contact information to the agency. BPN Solutions Pty Ltd shall not be required to comply with this paragraph 2 if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or BPN Solutions Pty Ltd’s property, Sites, or Service.
United Kingdom (UK):
For the avoidance of doubt, when European Union law ceases to apply to the UK upon the UK’s withdrawal from the European Union and until such time as the UK is deemed to provide adequate protection for personal data (within the meaning of applicable EU Data Protection Law) then to the extent BPN Solutions Pty Ltd processes (or causes to be processed) any Customer Data protected by EU Data Protection Law applicable to EEA and Switzerland in the United Kingdom, BPN Solutions Pty Ltd shall process such Customer Data in compliance with the SCCs or any applicable Alternative Transfer Mechanism implemented in accordance with Sections 6.2 and 6.3 of this DPP.
Effective 1st of December 2020