Heidi Standard Terms and Conditions (UK)

1. Accounts and registration

1.1 Accounts

To access Heidi, you and any individuals within your organisation assigned a seat to access Heidi (hereinafter referred to as “you”) must register for, and hold, a user account (Account). By creating an Account you confirm that you:

  1. possess the legal right and ability to enter into a legally binding agreement with us; and
  2. agree to use Heidi only in accordance with these Terms and our Usage Policy.

1.2 Registration process

As part of registering for, and activating, your Account, you will need to provide us with information, including personal information about you, which we collect to operate our business and Heidi and ensure Heidi remains safe and secure for users. This information will include your full name, employment, and contact details (such as the contact email and phone number). We will use and disclose this information for the purposes of operating our business, Heidi, the related services, and as otherwise described in our Privacy Policy.

1.3 Account security

When you register and activate your Account, you can choose your username and password. You are responsible for keeping this username and password secure and are responsible for all use and activity carried out on your Account with Heidi.

2. Services

2.1 Heidi overview

Heidi facilitates your delivery of healthcare services by transcribing and filtering your patient encounters and preparing a customizable formatted medical progress note, as well as certain additional support functions as described on our website.

2.2 Updates to Heidi functions

From time to time, we may (in our sole discretion):

  1. change or update Heidi or its functions; or
  2. agree to provide new functions.

Such updates or new functions may be subject to additional terms and fees as notified to you by Heidi.

2.3 Term

These Terms commence when you first access Heidi and will continue until terminated by you or Heidi in accordance with these Terms.

3. Fees and payments

3.1 Subscription Fees and additional fees

  1. Notwithstanding any other provision in this Agreement or the standard subscription terms available on Heidi’s website, the subscription terms contained in this Agreement and the payment details in the Order Form shall exclusively govern the Second Party’s access to and use of Heidi. The specific terms agreed upon in this Agreement shall supersede any existing or prior subscription terms that are under the standard subscription model provided by Heidi.
  2. In the event that this Agreement is terminated, declared void or discontinued for any reason, and the User wishes to continue using Heidi, the User must subscribe to and will be subject to the then-current standard subscription terms as outlined by Heidi on its website. This clause shall survive the termination or expiration of this Agreement and continue in full force and effect.
  3. Upon termination or discontinuation of this Agreement, the User will be required to affirmatively re-subscribe to Heidi under the standard subscription terms, and Heidi is under no obligation to maintain or reserve the User's previous subscription status or terms under this Agreement.
  4. Heidi shall notify the User of the applicable standard subscription terms at the time of re-subscription. It is the User's responsibility to review all applicable terms prior to re-subscription.

4. Security and Data Privacy 

4.1 Information Security

Heidi shall maintain industry-standard technical and organisational measures to maintain the security of the Service.

4.2 Privacy obligations

  1. Each party must, in the performance of these Terms, comply with privacy laws in respect of any personal information, including but not limited to the General Data Protection Regulation (GDPR) and the UK's Data Protection Act 2018 (DPA 2018).
  2. Without limiting clause 4.1(a), you must ensure that at all times you hold all necessary authorisations and current consents from individuals (including patients) to disclose their personal information (including sensitive information) to Heidi, so that Heidi may collect, use, store and disclose personal information (including sensitive information) for the purpose of operating Heidi and as described in our Privacy Policy, without you or Heidi infringing any law or the rights (including the intellectual property rights, moral rights or privacy rights) of any individual.
  3. In the event of a data breach, actual or suspected, you must notify Heidi immediately. Where required, you must collaborate with Heidi to take all reasonable steps to contain and remedy the breach.

4.3 Personal Information Collection Notice

  1. We collect, store, use and disclose personal information about you and patients in order to provide you with use of Heidi and for purposes otherwise set out in our Privacy Policy at https://www.heidihealth.com/legal/privacy-policy.
  2. Our Privacy Policy explains:
    1. how we store and use, and how you may access and correct your personal information;
    2. how you can lodge a complaint regarding the handling of your personal information; and
    3. how we will handle any complaint. If you would like any further information about our Privacy Policy or practices, you can view our Privacy Policy or contact us at support@heidihealth.com.
  3. By providing your personal information to us, you consent to the collection, use, storage, and disclosure of that information as described in these Terms and our Privacy Policy.
  4. We may disclose personal information to third parties that help us deliver our services or improve Heidi (including to software developers, information technology and communication suppliers and our business partners) or as required or permitted by law.
  5. If you do not provide this information, we will not be able to provide Heidi or related services to you.

4.4 Use of de-identified information

  1. Heidi Health may de-identify personal data, including health information, that is made available to Heidi Health in connection with Heidi and use or disclose such information in a de-identified form for the purposes of:
    1. making available relevant functionality to you; and
    2. as otherwise described in our Privacy Policy.
      (De-identified Use).
  2. You acknowledge that De-identified Use may involve disclosure of de-identified information to third parties as part of making Heidi and certain functionality (including Third Party Functionality) available to you.
  3. Heidi will take reasonable steps to ensure that information that is de-identified under clause 4.3(a) cannot be reverse-engineered, re-identified, or linked back to you, or patients by third parties.

5. Use of Heidi

5.1 General

  1. Except as otherwise permitted under these Terms, you must not:
    1. distribute, sub licence or otherwise transfer all or any part of Heidi to any other person;
    2. grant any security interest over Heidi;
    3. attempt to disassemble, decompile or otherwise reverse engineer the Platform;
    4. alter, customise, modify, or create derivative works of Heidi;
    5. expose Heidi, or any data, to reasonably avoidable cyber risks;
    6. remove, obliterate or alter any proprietary notice on Heidi;
    7. supply inaccurate data to Heidi or any other person through Heidi;
    8. do any act that would have an adverse impact on the reputation or standing of Heidi; or
    9. do any act that is unlawful or is prohibited by any Laws applicable to Heidi.

5.2 Third-party functionality

  1. Heidi's functionality may involve the use of software, data, applications, services, or content that is provided to Heidi by third parties (Third Party Functionality).
  2. You agree to comply with any reasonable additional terms notified to you by Heidi in respect of the use of Third Party Functionality, or outputs of such functionality. If you do not agree to comply with those terms, we will not be able to offer Heidi and the related services to you and accordingly, we may need to cancel or terminate your Account, or you may cancel or terminate your Account.

5.3 Records

You will maintain accurate and complete records and documents related to your interaction with and use of Heidi and the related services, as required by law.

6. Linked sites and resources

Heidi may contain links to websites and resources (including emergency medical resources) operated by third parties (Third Party Resources). Unless expressly stated otherwise, we do not endorse and are not responsible for the content of Third Party Resources, and have no control over or rights in those Third Party Resources. The terms that may apply to Third Party Resources may differ substantially from these Terms, so you should read them before using Third Party Resources.

7. Intellectual Property

7.1 Our intellectual property rights

  1. Unless otherwise indicated, we own or license from third parties all rights, title, and interest (including copyright, designs, patents, trademarks and other intellectual property rights) in Heidi and any material (including all text, graphics, logos, audio and software) made available through Heidi (Heidi Content).
  2. To enable Heidi Health to use your feedback for its business purposes and to improve Heidi, you agree to grant us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable licence and authority to use feedback you provide to us for these purposes. This licence allows us to make improvements to Heidi from your suggestions, enhancement requests, recommendations, and information you provide to us (including any information which is your intellectual property) without restriction and without payment.

7.2 License to Heidi and Content

  1. Heidi grants you a limited, non-transferable, non-exclusive licence to use Heidi and Heidi Content for the duration of these Terms solely for the purpose of facilitating the delivery of healthcare services by you to patients. You must not use Heidi or Heidi Content for any other purpose, or otherwise modify, copy, distribute, transmit, display, perform, reproduce, publish, license, commercially exploit, create derivative works from, transfer, or sell any Heidi Content, software, products, or services contained within Heidi.
  2. Heidi licenses Heidi from third parties. You acknowledge and agree that your use of such Content may be subject to further restrictions imposed by such third parties and notified to you by Heidi.

7.3 License to your materials

You grant to Heidi a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable licence and authority to use the deidentified material you provide or otherwise make available to Heidi for the purpose of Heidi making Heidi functionality available to you, and as otherwise permitted by these Terms.

8. Confidential information

  1. Each party must not disclose any content or any information of a confidential nature communicated by the disclosing party, or otherwise learnt, accessed or generated by you as a result of entering into these Terms or using Heidi, Heidi Content or receiving related services (Confidential Information) except:
    1. to such party’s personnel who have a need to know;
    2. if the disclosure is required by law; or
    3. if the recipient of the Confidential Information has independently obtained such information from a third party (other than via a breach of confidence).
    4. for the avoidance of doubt, information which is in the public domain (other than as a result of a breach of confidence) will not constitute Confidential Information.
  2. Each party must hold the Confidential Information in strict confidence and employ all reasonable steps to protect the Confidential Information from unauthorised or inadvertent disclosure, including without limitation all steps the receiving party takes to protect its own information that you consider proprietary and/or confidential. The receiving party must promptly notify the disclosing party of any actual or suspected security breach in relation to the Confidential Information.

9. Limitations

9.1 Technical requirements

You acknowledge that you are responsible for ensuring that your information technology and other systems are able to work in conjunction with the system standards set forth by Heidi.

9.2 No professional medical or healthcare advice

  1. You agree that your use of Heidi, Heidi Content and the related services is solely for the purposes of supporting your clinical administrative processes. You must exercise all necessary, and final, professional and medical decisions in relation to a patient's diagnosis, advice, or treatment.
  2. You further agree and acknowledge that Heidi, Heidi Content and the related services do not:
    1. constitute or make out to be a medical device;
    2. constitute professional medical or healthcare advice, diagnosis or recommendation of treatment, or to replace professional medical advice;
    3. directly assess, maintain or improve the physical, mental or emotional health of a patient; or
    4. directly diagnose or treat a Patient's illness or disability.
  3. You agree that you must not frame or suggest that:
    1. Heidi or any Heidi Content constitutes professional medical or healthcare advice, diagnosis or recommendation of treatment, or that it can be relied upon as professional medical advice (including any representation or warranty with respect to any treatment, action, suitability or application of medication, preparation by any person or health service); or
    2. Heidi or any Heidi Content can be relied upon without independent consideration and confirmation by a qualified medical practitioner.
  4. We make no representations or warranties with respect to any treatment, action, suitability or application of medication or preparation by you or any person whether based on Heidi Content or not. In no circumstances will we be liable for any direct, indirect, consequential, special, exemplary or other damages, however arising, from the same.

9.3 Notification of adverse events

You must notify Heidi immediately if you become aware of:

  1. any problem or incident associated with Heidi that has caused, or could cause, harm to patients or others; or
  2. any deficiencies or potential deficiencies in safety, quality, efficacy, performance or presentation of Heidi.

10. Suspension 

Where practicable, we will provide you with notice of any outages or suspensions of Heidi and will communicate this to you within a reasonable time. We reserve the right to restrict, suspend or terminate your access to Heidi without notice in the event that such suspension or termination of access is determined by Heidi to be essential to protect the security of Heidi, Heidi Content, or any User supplied data (although we will provide prior notice wherever practicable).

11. Pilot Period

11.1 Duration 

Heidi may invite you to try, at no charge, Heidi Content that is only available to enterprise customers. You may elect to use these services during the pilot period at your discretion. The duration of the Pilot Period is as specified in the contract details above.

11.2 Evaluation

Upon completion of the Pilot Period, you may choose to either continue with our service or terminate the Agreement. If you choose to continue with our service, it will be deemed that you have accepted the testing criteria provided by Heidi.

11.3 Continuation of Service

Further details and any amendments to the terms will be provided as necessary or as requested. If you decide to continue with Heidi’s service after the Pilot Period, the terms of this Agreement will continue to apply.

12. Cancellation and Termination

12.1 Cancellation

You have the right to cancel from this Agreement free of charge and without incurring any penalty by providing written notice to Heidi:

  1. at the completion of the Pilot Period; and
  2. if any of the key requirements specified in the contract details above have not been met before the mutually agreed-upon date (if applicable).

12.2 Notification Procedure 

If you choose to exercise the right of cancellation, you must notify Heidi in writing within the period. Upon receipt of your withdrawal notice, Heidi will refund any prepaid payments, if any, made by you within a reasonable timeframe.

12.3 Termination

You may terminate your use of Heidi by providing written notice to Heidi.

Heidi will not refund any fees or other amounts that you have paid unless you decide to terminate your use of Heidi upon the completion of the Pilot Period under clause 11.

We may terminate these Terms if:

(i)  we reasonably believe you have breached any of these Terms;

(ii)  we withdraw Heidi from market, provided you will be entitled to a pro rata refund of fees paid; or

(iii)  we consider it reasonably necessary to comply with applicable law.

Where we terminate these Terms, except as expressly provided in these Terms or as required by applicable law, we will not refund any fees or other amounts that you have paid.

12.4 Effect of termination

  1. you must pay all relevant outstanding fees or other amounts (including under an indemnity) due under these Terms;
  2. the licence granted by Heidi to you under clause 7.2 will cease and we shall cease providing (and you shall cease using) Heidi and related services;
  3. to the extent permitted by law, you must (at our request) return or destroy all copies of Confidential Information retained in your systems or otherwise in your possession or control;
  4. to the extent permitted by law, we may in our discretion, delete any data, content or materials which have been provided to us; and
  5. this will not affect any accrued rights, and rights and obligations which are intended or which by their nature survive termination will continue to have effect.

13. Indemnity

You must at all times indemnify and hold harmless and release Heidi and our related bodies corporate from and against any loss, liability, demand, claim, action or expense (however arising and whether present or future, fixed or unascertained, actual or contingent) incurred or suffered by any of Heidi or its related bodies corporate relating to or arising from:

  1. any claim made by a patient in relation to any act or omission of you, except to the extent the loss is attributable to the unlawful, or wilful misconduct of Heidi or its related bodies corporate;
  2. any negligence or breach of or failure to comply with applicable law (including privacy laws) or applicable professional obligations by you in connection with these Terms;
  3. any willful, unlawful, fraudulent or negligent act or omission by you or your personnel;
  4. any damage to or loss of any real or personal property or death or injury to us or any of our related bodies corporate to the extent caused by your (or your personnel's) negligent or willful acts or omissions arising as a result of these Terms;
  5. your use of Heidi, Heidi Content or related services, except to the extent the loss is attributable to the unlawful, or wilful misconduct of Heidi or its related bodies corporate; and
  6. any infringement or misappropriation of intellectual property rights in connection with Heidi, Heidi Content or the related services by you or your personnel, except where caused by an act or omission of Heidi or its related bodies corporate.

14. Liability

14.1 Disclaimer

  1. You acknowledge that the functionalities of Heidi involve the use of artificial intelligence and machine learning and while Heidi seeks to ensure accuracy of Heidi and Heidi Content, due to the probabilistic and rapidly evolving nature of such functions, Heidi and Heidi Content may in certain circumstances be inaccurate, incomplete or inappropriate. While we continue to work on improving the accuracy, reliability and safety of Heidi, it is your responsibility to evaluate the accuracy of any Heidi Content as appropriate, including by undertaking a manual review of Heidi Content, to ensure that it appropriately reflects the information you have inputted, before such Heidi Content is further used or relied upon. We cannot guarantee that Heidi will not incur errors that are outside of our reasonable control and are inherent with the use of artificial intelligence and machine learning.
  2. EXCEPT AS PROVIDED IN THIS AGREEMENT, YOU UNDERSTAND AND AGREE THAT THE HEIDI CONTENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IS PROVIDED "AS IS" AND WE EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
  3. We will not be liable for any direct and indirect loss, damage or expense – irrespective of the manner in which it occurs – which may be suffered:
    1. due to your use of Heidi, the related services and/or the information or materials contained on or made available through it (including Heidi Content);
    2. as a result of the inaccessibility of Heidi, Heidi Content or the related services (including any loss, corruption or destruction of your material);
    3. as a result of unauthorised access to, or alteration of either data or materials entered into or produced by Heidi or the related services;
    4. due to communications, performance, security or data corruption problems, disconnection of transmission services or failures or delays in transmission of Heidi or the related services connected with telecommunication services and other means of transmission provided by third parties;
    5. as a result of the fact that certain information or materials contained on Heidi or through the related services (including any Heidi Content) are incorrect, incomplete or not up-to-date; and/or
    6. in connection with an interference with or damage to your computer systems occurring in connection with the use of Heidi or a linked site.
  4. These terms do not affect consumer rights that cannot by law be waived or limited.

14.2 Heidi Liability

To the extent permitted by law, the aggregate liability of Heidi for loss sustained by you in connection with these Terms (whether under statute, in contract or in tort, including for negligence, or otherwise) during any consecutive twelve month period from the commencement of these Terms and from any anniversary of the commencement date (as the case may be) is limited to the fees which Heidi is entitled to in relation to your use of Heidi and the related services during that period.

15. Jurisdiction and Dispute Resolution

15.1 Jurisdiction and governing law

These Terms will be governed by and construed in accordance with the laws of Victoria, Australia, without regard to any conflict of laws provisions and you submit to the non-exclusive jurisdiction of the courts in Victoria, Australia.

15.2 Dispute Resolution

If you have a dispute arising out of these Terms, contact us first and we’ll attempt to work with you to resolve the dispute. In the event that we’re unable to resolve a dispute directly, each party agrees to resolve any claim, dispute, or controversy (excluding any Heidi claims for injunctive or other equitable relief) arising out of or in connection with these Terms in the venue as set forth in Section 15.1, unless another venue is chosen by both parties through mutual agreement.

16. Updates and Support

  1. We may (in our sole discretion) modify, update or replace any or all of these Terms from time to time by providing reasonable and, where practicable, 30 days' prior written notice of the update to the Terms, including details of the relevant changes.
  2. This notice may be provided via notification on Heidi or via other methods. Where the change materially and detrimentally affects:
    1. your use of Heidi;
    2. the function, receipt or use of related services; or
    3. your rights and obligations under these Terms,
    you will be entitled to terminate these Terms and your Account (including your access to Heidi and the related services) through your Account settings on Heidi or by emailing support@heidihealth.com. In such circumstances, you will be entitled to a pro rata refund of any relevant Subscription Fees paid in advance. Continued use of Heidi following the reasonable notice period and implementation of the update shall be deemed acceptance of the new updated Terms.
  3. Heidi uses commercially reasonable efforts to maintain the highest service availability and provide technical support as needed.

17. Relationship of parties

  1. Each party is acting in the capacity of an independent contractor. These Terms do not constitute any partnership, trust, agency, joint venture or employment relationship between the parties.
  2. Neither party has the authority to act, contract or to incur any obligation or responsibility on behalf of the other party except as provided in these Terms.

18. General

  1. Your Account is personal to you, and you may not permit any other person to use your Account or transfer, assign or sub-contract or sub-licence or otherwise dispose of any of your interests, rights or obligations under these Terms.
  2. If we are partially or wholly precluded from complying with our obligations under these Terms by any event, matter or circumstance that is beyond our reasonable control, then our obligation to perform will be suspended for the duration of the delay arising out of that event, matter or circumstance and we will not be liable for failure to perform our obligations.
  3. Nothing in these Terms or any circumstances associated with it or its performance give rise to any relationship of partnership, principal and agent, or employer and employee and you have no right to assume or create any obligations of any kind, express or implied, in the name of or on behalf of us.
  4. These Terms constitute the entire agreement between us relating to the subject matter of these Terms and supersedes and cancels any previous agreement, understanding or arrangement whether written or oral.
  5. If any part or provision of these Terms is invalid, unenforceable or in conflict with the law, the invalid or unenforceable part or provision will be replaced with a provision which, as far as possible, accomplishes the original purpose of the part or provision. The remainder of these Terms will be binding on the parties.
  6. Each party agrees to do all things and execute all deeds, instruments, transfers or other documents as may be necessary or desirable to give full effect to the provisions of these Terms and the transactions contemplated by them.

19. Integration Services

Heidi may provide integration services to you to ensure compatibility of the Heidi Platform with your existing EHR (Electronic Health Record) systems or equivalent system, contingent upon a request from you.

The integration services may include utilising third-party integration platform services to facilitate data exchange and system interoperability as outlined in clause 5.2 regarding third-party functionality.

You shall provide Heidi with necessary access, information, and cooperation essential for Heidi to perform the integration services. This includes but is not limited to API access, system documentation, and any required technical specifications.

Any additional costs associated with the integration services will be mutually agreed upon and documented in the Contract Details above.

20. Customisations

Heidi may provide customisation services as requested by you, such as agreed-upon modifications to enhance the functionality of using Heidi. The scope, deliverables, and additional fees for such services will be detailed in the contract details above.

All intellectual property rights in the customisations developed by Heidi for you shall remain with Heidi, unless otherwise agreed in writing between the parties.

21. Service Levels and Remedy

For Heidi content and platform, Heidi shall provide the following monthly uptime percentage to you (the “Service Level Commitment”):

Heidi shall also provide email support and other relevant support where applicable by a designated service person.

Service support shall only include assistance with issues which are exclusively due to an error with Heidi's services (i.e., a failure of the service to conform to the performance specifications provided by Heidi). Any support outside the scope of service support shall be provided by Heidi on a time and materials basis. 

The Service Level Commitment will be measured on a monthly basis, with all hours weighted equally, but the Service Level measurement will exclude reasonable scheduled downtime for system maintenance as well as any downtime resulting from outages of third party connections or utilities or other reasons beyond Heidi’s control.

Incident Response 

An “Incident” means an error or failure in Heidi's services which significantly degrades the services as compared to Heidi’s published performance specifications. For each Incident reported by you, Heidi shall:

  1. assign a priority level to such error in its discretion in accordance with our current Incident Response Plan, and
  2. respond to you and provide status updates in accordance with the time periods set forth in our Incident Response Plan.

In the event that Heidi fails to meet the uptime commitment stated in this clause, you may claim a discount of up to 20% based on downtime on your next renewal fee for the Service provided that your account is fully paid up, without any overdue payments or disputes. 

Discount for renewal fee shall be the Second Party’s sole and exclusive remedy for any failure to meet the service levels.

EU/UK Data Processing Addendum 

This Data Processing Agreement (“Agreement”) forms part of the Contract Agreement (“Principal Agreement”) between Heidi Health Trading Pty Ltd (the “Company”) and the Second Party (the “Data Processor”) (together as the “Parties”).

WHEREAS

(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;

1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8 “Data Transfer” means:

1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or

1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.9 “Services” means the services the Company provides.

1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.

2.2 The Company instructs Processor to process Company Personal Data.

3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Processor shall:

6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Processor shall co-operate with the Company and take reasonable commercial steps as directed by the Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Company Personal Data

9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

10. Audit rights

10.1 Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.

10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. Data Transfer

11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

12. General Terms

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.

13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the laws of Victoria, Australia.

13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Victoria, Australia.