Data Processing Addendum

 Date: 

DPA #:

 

Parties

RobobAI: RobobAI Pty Ltd

ACN: 621 681 776

Address: Suite 55, 117 Old Pittwater Road, Brookvale NSW 2100, Australia

Key Person

    Name: Privacy Officer

    Email: privacy@robobai.com

Legal Entity Name (Customer):

Legal Entity ID:

Address:

Key Person

    Name:

    Email:

    Phone Number:

 

1. Introduction

 

1.1     This Data Processing Addendum (DPA) forms part of and amends the General Conditions that govern the Customer’s use of the Platform (General Conditions).

1.2     This DPA has been signed on behalf of RobobAI and will only be effective if, in accordance with the instructions provided at the location from which this DPA can be downloaded:

          (a)    all information requested by RobobAI has been provided by the Customer; and

          (b)    this DPA is signed by the Customer and submitted to RobobAI.

1.3     Where the Customer makes any changes to this DPA before signing and submitting it to RobobAI, this DPA will be of no effect.

1.4     This DPA takes effect on the date on which, having been signed by the Customer, it is submitted to RobobAI.

1.5     Capitalized terms used in this DPA, that are not defined in this DPA, have the meaning given to them in the General Conditions. Terms used in this DPA, such as controller, data subject, member state, processing and supervisory authority have the same meaning as in the GDPR.

1.6     In this DPA unless the context otherwise requires:

Agreement means this DPA and the General Conditions.

Customer Personal Data means any Personal Data that is received from a Customer and processed by RobobAI or its Affiliates or its Sub-processors under the General Conditions.

Europe means the European Economic Area (and its member states) and Switzerland.

European Data Protection Law means all data protection laws and regulations applicable to Europe, including:

 

          (a)     Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR);

          (b)     Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and

          (c)     applicable national implementations of (a) and (b),

           as updated from time to time.

Other Data Protection Laws means all data protection laws and regulations applicable to a party’s processing of Customer Personal Data under the Agreement (other than the European Data Protection Laws and the UK Data Protection Laws) including where applicable the:

          (a)     Swiss Federal Act on Data Protection;

          (b)     Californian Consumer Privacy Act;

          (c)     Canadian Personal Information Protection and Electronic Documents Act; and

          (d)     Australian Privacy Act,

           as updated from time to time.

Personal Data means any information relating to an identified or identifiable natural person.

EU Standard Contractual Clauses or EU SCCs means the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 available here.

           Security Incident means a breach of security leading to:

           (a)     accidental or unlawful destruction, loss or alteration of; or

           (b)     unauthorized disclosure of or access to,

           Personal Data.

Sub-processor means a processor engaged by RobobAI (or its Affiliates), as described in clause 4, to assist in providing the Services pursuant to General Conditions or this DPA but only to the extent that the processor processes Customer Personal Data.

UK means United Kingdom.

UK Addendum means the International Data Transfer Addendum (version B1.0) issued by the UK Information Commissioner’s Office under section 119(A) of the UK Data Protection Act 2018.

UK Data Protection Law means the GDPR as it forms part of UK law by virtue of:

           (a)     section 3 of the UK European Union (Withdrawal) Act 2018;

           (b)     the UK Data Protection Act 2018; and

           (c)     the UK Addendum,

                     as updated or amended from time to time.

1.7     A description of the processing of Personal Data related to the Services, as applicable, is set out in Schedule B. The description of processing may be updated by RobobAI from time to time to reflect new features or functionality comprised within the Services.


2. Relationship Between RobobAI and Customer

 

2.1     This clause applies to the extent that laws relating to the protection of personal data regulate the roles of “controller”, “processor” and “sub-processor”.

2.2     RobobAI will process Customer Personal Data, either (depending on the Services it provides):
         (a)     as a processor or sub-processor on behalf of the Customer (who, in turn, processes such personal data as a controller or processor); and
         (b)     in the case of the Platform, as a controller.
2.3     RobobAI will process the Customer Personal Data as necessary to perform the Services and for the Purpose.
2.4     RobobAI will not “sell” the Customer Personal Data within the meaning of the Californian Consumer Privacy Act.
2.5     RobobAI will process Customer Personal Data in compliance with applicable laws relating to protection of personal data.
2.6     The Customer will comply with its obligations in providing Customer Personal Data to RobobAI, including obtaining all consents necessary for RobobAI to process that Customer Personal Data pursuant to the Agreement (including this DPA).

 

3. Transfers of Personal Data

 

3.1     RobobAI may process Customer Personal Data to and in the United States and elsewhere in the world where RobobAI and its Affiliates or its Sub-processors maintain data processing operations and for this purpose transfer Customer Personal Data to those data processing operations. Such transfers will be made in compliance with all applicable laws relating to protection of personal data and this DPA.

3.2     To the extent that RobobAI is a recipient of Customer Personal Data protected by:

          (a)     European Data Protection Laws;

          (b)     UK Data Protection Laws;

          (c)     the Swiss Federal Act on Data Protection,

in a country outside of Europe and the UK that is not recognized as providing an adequate level of protection for personal data (as described in laws relating to protection of personal data), the parties will, in relation to the processing of Customer Personal Data, comply with the EU SCCs.

3.3     The EU SCCs are deemed to be incorporated into and form part of this DPA, subject to clauses 3.4, 3.5 and 3.6.

3.4     In relation to transfers of Customer Personal Data protected by European Data Protection Law:
           (a)     and processed in accordance with clause 2.2(a) of this DPA, the EU SCCs will apply, completed as follows:

                   Module Two: Applies as applicable.

                   Module Three: Applies as applicable.

                   Clause 7: Docking clause applies.

                   Clause 9: Option 2 applies. The time period for prior notice of Sub-processor changes will be as set out in clause 2.10 of this DPA.

                   Clause 11: Optional language does not apply.

                   Clause 17: Option 1 applies. EU SCCs, relating to transfers of Customer Personal Data from Europe, will be governed by the law of Eire. EU SCCs, relating to transfers of Customer Personal Data from the UK, will be governed by the law of England and Wales.

                   Clause 18(b): Disputes, relating to transfers of Customer Personal Data from Europe, will be resolved before the courts of Eire. Disputes, relating to transfers of Customer Personal Data from the UK, will be resolved before the courts of England.

                   Annex I: Deemed completed with the information set out in Schedule A.

                   Annex II: Deemed completed with the information set out in Schedule B.

 

           (b)     and processed in accordance with clause 2.2(b) of this DPA, the EU SCCs will apply, completed as follows:

                   Module One: Applies.

                   Clause 7: Docking clause applies.

                   Clause 11: Optional language does not apply.

                   Clause 17: Option 1 applies. EU SCCs, relating to transfers of Customer Personal Data from Europe, will be governed by the law of Eire. EU SCCs, relating to transfers of Customer Personal Data from the UK, will be governed by the law of England and Wales.

                   Clause 18(b): Disputes, relating to transfers of Customer Personal Data from Europe, will be resolved before the courts of Eire. Disputes, relating to transfers of Customer Personal Data from the UK, will be resolved before the courts of England.

                   Annex I: Deemed completed with the information set out in Schedule A.

                   Annex II: Deemed completed with the information set out in Schedule B.

 

3.5     In relation to transfers of Customer Personal Data protected by UK Data Protection Law, the EU SCCs:

          (a)     apply as completed in accordance with clauses 3.4(a) and (b); and

          (b)     are deemed amended as specified by the UK Addendum, which is deemed to be incorporated into and form part of this DPA.

In addition:

          (c)      Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in:

                    (i)     Clauses 3.4(a) and (b); and

                    (ii)    Schedule A and B;

          (d)     Table 4 in Part 1 of the UK Addendum is deemed completed by selecting “neither party”; and

          (e)     any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

3.6     In relation to transfers of Customer Personal Data, protected by the Swiss Federal Act on Data Protection, the EU SCCs will apply as completed in accordance with clauses 3.4(a) and (b), with the following modifications:

          (a)     references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss Federal Act on Data Protection; and

          (b)     references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss Federal Act on Data Protection;

          (c)     references to “EU”, “Union”, “Member State” and “Member State law”:

                   (i)      will be interpreted as references to Switzerland and Swiss law, as the case may be; and

                   (ii)     will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;

          (d)     clause 13 and Part C of Annex 1 of the EU SCCs are modified to provide that the Federal Data Protection and Information Commissioner of Switzerland (FDPIC) will have authority over data transfers governed by the Swiss DPA;

          (e)     subject to clause 3.6(d), all other requirements of clause 13 of the EU SCCs will be observed;

          (f)      references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland;

         (g)     in clause 17 of the EU SCCs, the governing law will be the laws of Switzerland; and

         (h)     in clause 18(b) disputes will be resolved before the applicable courts of Switzerland.

3.7     It is not the intention of either party to contradict or restrict any of the provisions set forth in the EU SCCs. If, and to the extent the EU SCCs conflict with any provision of the Agreement (including this DPA), the EU SCCs prevail to the extent of such conflict.

 

4. Sub-Processors

 

4.1     The Customer gives to RobobAI general authorisation for the engagement of sub-processor(s) from the list of Sub-processors available here.

4.2     RobobAI may make changes to the Sub-processor List from time to time, including the addition of other Sub-processors. The Customer is responsible for checking the Sub-processor List to inform itself of RobobAI’s Sub-processors.

4.3     RobobAI will:

          (a)     enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and 

          (b)     remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause RobobAI to breach any of its obligations under this DPA.

 

5. Security Measures

 

5.1     RobobAI will implement and maintain appropriate technical and organisational security measures appropriate to the risk of unauthorised disclosure, designed to:

         (a)     protect Customer Personal Data from Security Incidents; and

         (b)     preserve the security and confidentiality of Customer Personal Data,

         (Security Measures).

The Security Measures are described in RobobAI’s Data Security Policy available here.

5.2     RobobAI will ensure that any person, who is authorised by it to process Customer Personal Data (including its employees and subcontractors), is under an obligation of confidentiality (and that obligation may exist under law or pursuant to contract or as a result of a professional obligation).

5.3     The Customer is responsible for reviewing the information made available by RobobAI relating to its Security Measures and making an independent determination as to whether the Security Measures meet the Customer’s requirements and legal obligations under applicable laws relating to the protection of data.

5.4     The Security Measures are subject to technical progress and development. RobobAI may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided by RobobAI to the Customer.

5.5     In addition to any Reports provided under clause 9.3, RobobAI will respond to all reasonable requests for information made by the Customer to confirm RobobAI’s compliance with this DPA, including by making additional information available regarding its Security Measures upon Customer’s written request provided that the Customer will not exercise this right more than once in each 12-month period.

 

6. Security Incidents

 

6.1     Upon becoming aware of a Security Incident, RobobAI will inform the Customer without undue delay and provide timely information (taking into account the nature of processing and the information available to RobobAI) relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under applicable data protection laws.

6.2     RobobAI will take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident.

6.3     RobobAI’s notification of, or response to, a Security Incident in accordance with this clause 6 is not to be construed as an acknowledgment by RobobAI of any fault or liability with respect to the Security Incident.

 

7. Data Subject Rights

 

7.1     Taking into account the nature of the processing it undertakes, RobobAI will provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to:

         (a)     any request from a data subject exercising any of their rights under applicable data protection laws (including their rights of access, to rectification, to erasure, to restriction, to objection, and data portability, as applicable); and

         (b)     any other correspondence, enquiry or complaint received from a data subject, supervisory authority or other third party, in each case in respect of Customer Personal Data that RobobAI processes in the course of providing Services to the Customer.

7.2     If any request, enquiry, correspondence or complaint (referred to in clause 6.1) is made directly to RobobAI, RobobAI (acting as a processor) will not respond directly except:

         (a)     as appropriate (for example, to direct the data subject to contact Customer); or

         (b)     if legally required,

without Customer’s prior written authorisation.

7.3     If RobobAI is required to respond, RobobAI will, where the Customer is identified or identifiable from the request, promptly notify Customer and provide Customer with a copy of the request unless RobobAI is legally prohibited from doing so.

7.4     For clarity, nothing in the Agreement restricts or prevents RobobAI from responding to any data subject or data protection authority requests in relation to Personal Data for which Mailchimp is a controller of that Personal Data.

7.5     RobobAI will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other data protection law, in each case solely in relation to the processing of Company Personal Data taking into account the nature of the processing and the applicable data.

 

8. Deletion or Return of Company Personal Data

 

8.1     Upon termination or expiration of the Agreement, RobobAI will (at Customer’s written election) delete or return to Customer all Customer Data (including copies) in its possession or control unless and to the extent that RobobAI is required by applicable law to retain some or all of the Customer Data.

8.2     The certification of deletion of Customer Data described in Clause 8.5 and 16(d) of the EU SCCs (as applicable) will be provided by RobobAI to the Customer only upon the Customer’s written request.

 

9. Audit

 

9.1     RobobAI will:

         (a)     make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA; and

         (b)     allow for and contribute to audits, including inspections by the Customer in order to assess compliance with this DPA.

9.2     The Customer will exercise its audit rights:

          (a)     under this DPA (including this clause 9 and, where applicable, the EU SCCs); and

          (b)     any audit rights granted by applicable data protection laws,

by instructing RobobAI to comply with the audit measures described in clauses 5.5 and 9.3.

9.3     RobobAI is audited against compliance with ISO27001 by British Standards Institution auditors and third-party auditors respectively. Upon the Customer’s written request, RobobAI will supply (on a confidential basis) a summary copy of its most current audit report(s) prepared by such auditors (each a Report) to the Customer, so that the Customer can verify RobobAI’s compliance with:

         (a)    the audit standards against which it has been assessed; and 

          (b)    its obligations under this DPA.

 

10. Confidentiality

 

10.1     Each party must keep the Agreement and information it receives about the other party and its business in connection with this DPA (Confidential Information) confidential.

10.2     Neither party may use or disclose that Confidential Information without the prior written consent of the other party except to the extent that:

            (a)     disclosure is required by law;

            (b)     the relevant information is already known to it (at the time of disclosure) or in the public

 

11. Notices

 

11.1     All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this DPA or at such other address as notified from time to time by the Parties changing address.

 

12. General

 

12.1     Notwithstanding anything to the contrary in this DPA, the liability of each party and each party’s Affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

12.2     Each party must (at its own expense) do all things as any other party asks as may be reasonably required or necessary to give the other party the full benefit of any obligations owed to the other party as expressed in this DPA.

12.3     If any provision of this DPA is determined by a court or other competent tribunal or authority to be void, voidable or unenforceable then:

           (a)     where the offending provision can be read down so as to give it a valid and enforceable operation of a partial nature it must be read down to the extent necessary to achieve that result; and

           (b)     where the offending provision cannot be read down then that provision must be severed from the agreement in which event, the remaining provisions of this DPA operate as if the severed provision had not been included,

but only to the extent that is consistent with giving substantial effect to the intentions of the parties under this DPA.

12.4     Delivery of a signed copy of this DPA by electronic means will have the same effect as delivery of the physical copy bearing the original signature, provided that such copy, on receipt, can be reproduced in an eye-readable form. Signing of this DPA by means of a digital, electronic signature is deemed, for all purposes, to have the same legal effect as signing of a physical copy.

12.5     The agreement recorded in this DPA is governed by the laws of the State of New South Wales, Australia. Each party submits to the non-exclusive jurisdiction of courts exercising jurisdiction there in connection with all matters concerning the agreement recorded in this DPA. No party may object to the jurisdiction of any of those courts on the ground that it is an inconvenient forum or that it does not have jurisdiction.

 

Executed for and on behalf of RobobAI Pty Ltd by its authorized officer:    
    Signature
    Name:
    Title:

 

Executed for and on behalf of the Customer by its authorized officer:    
    Signature
    Name:
    Title:

 

Schedule A

Details of Parties

Data Exporter

    Name: (Customer)
    Address/Email Address: As provided for in this DPA
    Contact Person's Name, position, and contact details: As provided for in this DPA
    Activities relevant to the transfer: See Schedule B
    Role: See Schedule B

Data Importer

    Name: RobobAI
    Address/Email Address: As provided for in this DPA
    Contact Person's Name, position, and contact details: As provided for in this DPA
    Activities relevant to the transfer: See Schedule B
    Role: See Schedule B

 

Schedule B

Description of Processing and Transfer (as applicable)

RobobAI’s processing of Personal Data will include Customer Personal Data (if any) supplied by the Customer from time to time for the purposes of, or otherwise in connection with, RobobAI providing Services to the Customer.

Set out below are descriptions of the processing and transfers of Personal Data as contemplated as of the date of this DPA. Such descriptions are subject to change or may be supplemented pursuant to clause 1.7 of this DPA.

 

Description of Processing and Transfer (as applicable) for Modules 2 and 3 of the EU SCCs

 

RobobAI Platform

Categories of data subjects

Customer's clients - where they are natural persons

Customers' employees and contractors - where they are natural persons.

Categories of Personal Data transferred

  • Name
  • Physical address
  • Email address
  • Job title
  • Office / location
  • Company / organization

Transfer of Sensitive Data

No.

Frequency of the transfer

Continuous

Nature of processing

Providing the services

Purpose of Personal Data transfer

Providing the Services, including allowing the collaboration and maintaining proper access controls and user permissions.

Duration of processing

In accordance with the General Conditions and any Order thereunder.