SAJARI PTY LTD - GDPR SCHEDULE

1. DEFINED TERMS

(a) This clause 1 defines terms used in this GDPR Schedule. Other terms are defined elsewhere in this schedule. Capitalised terms in this schedule which are defined in the Services Agreement have the meaning defined therein.

(b) Controller means the entity which determines the purposes and means of the Processing of Personal Data.

(c) Data Subject means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(d) Data Subject Request means a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing, right to data portability, right to object to Processing, or right not to be subject to automated individual decision-making, as set out in Chapter III of the GDPR.

(e) Personal Data means any information relating to a Data Subject.

(f) Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

(g) Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(h) Processor means the entity which processes Personal Data on behalf of the Controller.

(i) Services Agreement means the agreement between Customer and Sajari for services to which this schedule is a schedule.

2. PERSONAL DATA PROCESSING

2.1 Controller, Processors and subprocessors

(a) With regard to the Processing of Personal Data in relation to the Services Agreement, the parties acknowledge and agree:

  • Sajari is the Controller;
  • Organisations engaged by Sajari from time to time to Process Personal Data are Processors; and
  • Organisations engaged by Processors from time to time to Process Personal Data are subprocessors.

(b) For the time being and subject to change, the following organisations are Processors:

  • Google Inc – for data storage, processing and distribution.

2.2 Personal Data – Customer obligations

(a) Customer warrants to Sajari that Customer has the legal right to disclose all Personal Data disclosed to Sajari pursuant to the Services Agreement.

(b) Customer’s instructions (if any) in relation to the Personal Data must comply with the GDPR.

(c) Customer is solely responsible for the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data.

2.3 Personal Data Processing – Sajari obligations

(a) In supplying the Services, Sajari acknowledges and agrees to Process Personal Data in compliance with its obligations under the GDPR.

(b) Without limiting its obligations under the GDPR, Sajari must:

  • Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to any place outside the European Economic Area. Sajari must promptly notify Customer if, in the opinion of Sajari, any such instruction from Customer infringes the GDPR;
  • ensure that all Sajari personnel engaged in the Processing of Personal Data are informed of the nature of the Personal Data, have received appropriate training on their responsibilities and are employed or engaged under agreements that include provisions with the effect of imposing appropriate obligations in respect of Personal Data;
  • at the choice of Customer, delete or return all Personal Data to Customer after the end of the supply of Services relating to Processing, and delete existing copies, unless applicable law requires storage of Personal Data; and
  • make available to Customer all information necessary to demonstrate compliance with Sajari’s obligations under this sub-clause and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, but only insofar as required by the GDPR or under the Services Agreement.

3. DETAILS OF PERSONAL DATA PROCESSING

3.1 Subject-matter

The subject-matter of Processing is the performance of Services pursuant to the Services Agreement.

3.2 Nature and purpose

Personal Data will be Processed as necessary to perform Services pursuant to the Services Agreement.

3.3 Duration

Subject to its obligation under clause 2.3(b) above to delete or return Personal Data, Personal Data will be Processed for the duration of this agreement, or unless otherwise agreed between the parties in writing.

3.4 Categories of Data Subjects and types of Personal Data

Customer must not submit any Personal Data to the Services unless the Personal Data is limited to data (to be read cumulatively):

  • about individual users of the Software;
  • data in the nature of IP address; or
  • that Sajari expressly requests or permits Customer to disclose or transfer to Sajari.

4. SAJARI PERSONNEL

4.1 Reliability

Sajari must take commercially reasonable steps to ensure the reliability of any Sajari personnel engaged in the Processing of Personal Data.

4.2 Limitation of access

Sajari must take commercially reasonable steps to ensure that its access to Personal Data is limited to those Sajari personnel engaged in performing the Services in accordance with this agreement.

4.3 Data Protection Officer

(a) Sajari has appointed a data protection officer, as required by Section 4 of the GDPR, and acknowledges and agrees that the data protection officer will carry out the tasks required by that position.

(b) The data protection officer may be contacted at privacy@sajari.com.

5. PROCESSORS & SUBPROCESSORS

(a) Sajari must not engage any third party to Process Personal Data pursuant to the Services Agreement, without the prior specific or general written authorisation of Customer.

(b) Customer hereby acknowledges and agrees Sajari is authorised by Customer to engage Processors and permit Processors to engage subprocessors.

(c) Sajari must provide Customer with 14 days’ written notice of any intended changes concerning the addition or replacement of a subprocessor.

(d) Sajari must enter into a written agreement with each authorised Processor containing data protection obligations no less protective than those in this schedule, with respect to the protection of Personal Data, to the extent applicable to the nature of the services provided by such Processor.

6. RIGHTS OF DATA SUBJECTS

Sajari must, to the extent legally permitted, notify Customer if Sajari receives a Data Subject Request.

7. SECURITY

(a) Sajari must implement appropriate technical and organisational measures for the protection of security (including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.

(b) Sajari must ensure any person acting under the authority of Sajari who has access to Personal Data does not Process that data, except on instructions from Customer, unless required by applicable law.

8. DATA INCIDENT MANAGEMENT

(a) Sajari must notify Customer without undue delay after becoming aware of a Personal Data Breach in relation to the Services Agreement.

(b) Sajari will make reasonable efforts to identify the cause of any such Personal Data Breach and, save where the Personal Data Breach is caused by Customer, take all steps Sajari considers reasonably necessary to remediate the cause of such Personal Data Breach, to the extent such remediation is within Sajari’s reasonable control.