Data Processing Agreement with Customers
Company Number or identifier
Strength By Numbers and the Data Exporter intend to work together as set out in the Strength By Numbers Terms of Service.
There will be, or is likely to be, an exchange of data between the parties.
The parties have agreed to handle and transfer any data in accordance with the terms of this Data Processing Agreement.
The date signed by the last party.
This Data Processing Agreement (the Agreement ) supplements, amends and forms part of the General Terms of Service ( Terms) between Strength By Numbers and the Data Exporter.
Relationship between the parties
as strictly necessary for performance of the Terms and to comply with Applicable Laws in the context of that individual’s duties to Strength By Numbers.
Data Exporter hereby instructs Strength By Numbers (and authorises Strength By Numbers to instruct each Approved Subprocessor) to:
as reasonably necessary for the provision of the Services and consistent with the Terms.
Pursuant to clause 9 of the Standard Contractual Clauses, the Data Exporter hereby provides Strength By Numbers with general written authorisation to engage the Approved Subprocessors from the agreed list [strengthbynumbers.com/pages/list-of-subprocessors] to carry out processing on behalf of Strength By Numbers to the extent necessary for Strength By Numbers to provide the Services.
Notwithstanding section 5(a), Strength By Numbers will give the Data Exporter prior written notice of any changes to the above agreed list of Approved Subprocessors at least 30 days before the intended appointment of any new Approved Subprocessor, including full details of the processing to be undertaken by the Approved Subprocessor, or the removal of any current Approved Subprocessor. If, within two weeks of receipt of that notice, the Data Exporter notifies Strength By Numbers in writing of any reasonable objections to the intended appointment:
Strength By Numbers may provide written notice to the Data Exporter that it intends to appoint the proposed Approved Subprocessor irrespective of the Data Exporter’s written objections, following the receipt of which the Data Exporter may, by written notice to Strength By Numbers, terminate the Terms with immediate effect only to the extent that it relates to the Services which require the use of the proposed Approved Subprocessor.
With respect to each Approved Subprocessor, Strength By Numbers will ensure that the:
Approved Subprocessor will be required to meet the terms of the Standard Contractual Clauses insofar as they apply to that Approved Subprocessor;
ensure that the arrangement between Strength By Numbers and the Approved Subprocessor is governed by a written contract including terms which offer at least the same level of protection for the Data Exporter Personal Data as those set out in this Agreement and meet the requirements of the Data Protection Laws, including article 28(3) of the EU GDPR; and
the agreement with the Approved Subprocessor contains an agreed third party beneficiary clause where in the event Strength By Numbers has factually disappeared, ceased to exist in law or has become insolvent, the Data Exporter will have the right to terminate the agreement with the Approved Subprocessor and instruct the Approved Subprocessor to erase or return the Data Exporter Personal Data.
Strength By Numbers acknowledges that it:
is liable to the Data Exporter for an Approved Subprocessor’s compliance with its obligations under this section 5; and
Strength By Numbers acknowledges that it will provide, at the Data Exporter’s request, a copy of each agreement with an Approved Subprocessor and any subsequent amendments to that agreement, with any relevant parts of the agreement redacted to the extent necessary to protect business secrets or other confidential information, including Personal Data, prior to sharing the copy with the Data Exporter.
Data Protection Impact Assessment and Prior Consultation
Each party will cooperate with the other party to investigate, mitigate and remediate Personal Data Breaches.
In respect of any Personal Data Breach, Strength By Numbers will:
take such appropriate measures to address the breach, including measures to mitigate its adverse effects;
notify the Data Exporter of the Personal Data Breach without undue delay upon becoming aware of the Personal Data Breach; and
provide the Data Exporter, without undue delay, with such details as the Data Exporter reasonably requires to consider the Personal Data Breach. This may include, depending on the nature of the Personal Data Breach, information regarding:
Strength By Numbers will promptly inform the Data Exporter if it receives a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority or the Commissioner.
Technical and organisational measures and security
Deletion or return of data
and securely delete existing copies (unless storage of any data is required by Applicable Law and, if so, the Data Exporter will inform Strength By Numbers of any such requirement).
Strength By Numbers shall provide written certification to the Data Exporter that it, and each Approved Subprocessor, has fully complied with this section 10.
Access by Public Authorities
Strength By Numbers agrees to notify the Data Exporter and where possible, any affected Data Subjects (if necessary, with the help of the Data Exporter) in accordance with clause 15 of the Standard Contractual Clauses, if it:
receives a legally binding request from a public authority under the laws of the country of destination for the disclosure of Data Exporter Personal Data, with the notification including:
becomes aware of any direct access by public authorities to Data Exporter Personal Data in accordance with the laws of the country of destination with the notification including all information available to Strength By Numbers.
With respect to the legally binding requests or direct access by public authorities in section 12(a) above, Strength By Numbers agrees to:
use its best efforts to obtain a waiver against any prohibition against notifying the Data Exporter and to document these efforts;
where permissible under the laws of the country of destination, to provide the Data Exporter at regular intervals as much relevant information as possible on the requests received by public authorities in the country of destination, including;
review the legality of any requests for disclosure and to challenge those requests if there are reasonable grounds to do so, documenting any reviews or challenges and providing these to the Data Exporter where permissible, and to the relevant Supervisory Authority or the Commissioner on request; and
pursue possibilities of appeal against the requests for disclosure.
If Strength By Numbers is required to provide any disclosures as detailed in this section 12, it will only provide the amount of information required to comply with the request.
Approved Addendum means the template Addendum issued by the UK’s Information Commissioner’s Office and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (or as revised under Section 18 of the Data Protection Act 2018 from time to time);
Approved Subprocessor means any person (including any third party, but excluding an employee or independent contractor of Strength By Numbers) appointed by or on behalf of Strength By Numbers to process Personal Data on behalf of the Data Exporter in connection with the Terms which has been authorised (through general written or specific authorisation) by the Data Exporter to process Personal Data on behalf of the Data Exporter and which has agreed to a written contract with the same level of protection as under these Terms and the Standard Contractual Clauses in Schedule 1 in accordance with clause 9 of the Standard Contractual Clauses;
Data Exporter Personal Data means any Personal Data processed by Strength By Numbers or an Approved Subprocessor on behalf of the Data Exporter pursuant to or in connection with the Agreement; and
Data Protection Laws means (as applicable):
EU means the member states of the European Union and the European Economic Area;
Strength By Numbers means the applicable Strength By Numbers entity that provides the Services, as designated in the Terms;
Representative means, in respect of a party, any person acting for or on behalf of the party and includes any director, officer, employee, agent, contractor or sub-contractor of the party;
Restricted Transfer means:
Services means the services and other activities to be supplied to or carried out by or on behalf of Strength By Numbers for the Data Exporter pursuant to the Terms;
Standard Contractual Clauses means the contractual clauses set out in the Decision of the Commission of the European Union 2021/194of 4 June 2021 and the module of these contractual clauses which is applicable to the situation between the Data Exporter and the Data Importer (or any replacement European Commission standard contractual clauses from time to time) as amended by the Approved Addendum where required under the Data Protection Laws;
Supplementary Measures means any additional technical, organisational, contractual or other measures adopted by agreement between the Data Exporter and Strength By Numbers after undertaking the assessment and steps outlined in the European Data Protection Board’s Recommendations 01/2020, or other similar Recommendations published by the European Data Protection Board or the Information Commissioner’s Office from time to time; and
UK means the United Kingdom of Great Britain and Northern Ireland.
Schedule 1: STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 46(2)(c) of Regulation (EU) 2016/679 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the parties (each a “party”) specified in ANNEX I.A have agreed on the following Standard Contractual Clauses in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in ANNEX I.B.
These Standard Contractual Clauses use Module Two – Controller to Processor.
The Parties (each a “party”; together “the parties”) listed in ANNEX I.A HAVE AGREED on the following Standard Contractual Clauses ( the Clauses).
STANDARD CONTRACTUAL CLAUSES
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Effect and invariability of the Clauses
Third-party beneficiaries
Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Description of the transfers(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
SECTION II – OBLIGATIONS OF THE PARTIES
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
[Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practice affecting compliance with the Clauses
Obligations of the data importer in case of access by public authorities
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Austria.
Choice of forum and jurisdiction
Contact person’s position
Contact person’s telephone
Activities relevant to the data transferred under these Clauses
Other identifying information
Role (Controller/Processor)
[Insert customer company name]
Cheltenham, Victoria, 3192
Contact person’s position
Contact person’s telephone
Activities relevant to the data transferred under these Clauses
The Data Importer provides a service that allows users (Data Exporter) to assess the movement of individuals.
Other identifying information
Role (Controller/Processor)
Categories of data subjects whose personal data is transferred
The personal data transferred concern the following categories of data subjects:
Categories of personal data transferred
The personal data transferred concern the following categories of data:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The data importer only collects sensitive data that is entered into the data importer’s Services by the data exporter and the data exporter’s end users, which is limited to end user previous injury history including the type of injury and date of the injury, and examination data and test results.
The data importer protects this sensitive data through password protection and only deals with and shares sensitive data internally within the data importer after it has been anonymised on a “need to know” basis in order to improve the data importer’s Services..
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The personal data will be transferred in bursts to the data importer from the data exporter when the data exporter communicates with the data importer and / or uses the data importer’s Service through the data importer’s hardware and software.
The data importer receives information from the data exporter when the data exporter uses the data importer’s Services, makes a query in relation to the data importer’s Service and / or becomes a customer of the data importer. The data exporter can then use the data importer’s Service to assess the physical performance of its end users, in which case the data importer will receive information from the data exporter when the data exporter’s end users use the data importer’s Services.
Purpose(s) of the data transfer and further processing
The data exporter transfers the personal data to the data importer for processing in order for the data importer to provide its service to the data exporter under the Terms between the data importer and the data exporter.
The purpose of the data importer’s processing for the data exporter under the Terms includes providing the data importer’s Services to the data exporter and the data exporter’s clients (end users) through the data exporter’s insertion of personal data into the data importer’s Services and the data exporter’s end users’ interaction with and use of the data importer’s Services. Some purposes of the Services include client physical performance assessment or any other purpose as specified by the data exporter.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
5 years after the date of termination of the Terms with the data exporter, unless otherwise agreed by the parties.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The data importer maintains an up to date list of its subprocessors at [www.strengthbynumbers.com/pages/list-of-subprocessors].
COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
If the data exporter is based in the EU, the competent supervisory authority will be the relevant supervisory authority in the EU member state where the data exporter is based.
If the data exporter is not based in the EU, the competent supervisory authority will be the relevant supervisory authority in the EU member state where the data exporter’s GDPR representative is based.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures to assist the data controller
The data importer has the following organisational measures in place to provide assistance to the data controller:
a point of contact for the data exporter;
an internal data processing register;
a data breach response plan;
a data subject rights policy;
a data processing policy;
a form for data subjects to fill out to exercise their rights; and
a request register where the data importer will record any data subject requests.
measures for ensuring data minimisation;
measures for ensuring data quality;
measures for ensuring limited data retention;
measures for secure transmission of personal data;
measures for restricting the processing of personal data;
measures for ensuring accountability; and
measures for allowing data portability and ensuring erasure.
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Contact person’s position
Contact person’s telephone
Description of processing and responsibilities
Other identifying information
Name: ……………………………………………………………………………………………………..
Authorised Signature ……………………………………………………………………………….
Name: SBN Technology Pty Ltd
Authorised Signature ……………………………………………………………………………….
Schedule 2: INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES
This Addendum has been issued by the Information Commissioner under the Data Protection Act 2018 for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
The date signed by the last party.
Exporter (who sends the Restricted Transfer)
Importer (who receives the Restricted Transfer)
Full legal name: [insert]
Full legal name: SBN Technology Pty Ltd
Trading name (if different): [insert]
Trading name (if different): N/A
Main address (if a company registered address): [insert]
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier): [insert]
Official registration number (if any) (company number or similar identifier): 624 009 598
Full Name (optional): [insert]
Full Name (optional): [insert]
Contact details including email: [insert]
[Insert customer company name]
Signature (if required for the purposes of Section 2)
Table 2: Selected SCCs, Modules and Selected Clauses
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Table 3: Appendix Information
“Appendix Information ” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: as set out above in the Appendix to Schedule 1 which contains the Approved EU SCCs.
Annex 1B: Description of Transfer: as set out above in the Appendix to Schedule 1 which contains the Approved EU SCCs.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: as set out above in the Appendix to Schedule 1 which contains the Approved EU SCCs.
Annex III: List of Sub processors (Modules 2 and 3 only): as set out above in the Appendix to Schedule 1 which contains the Approved EU SCCs.
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19:
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
The Information Commissioner.
A transfer which is covered by Chapter V of the UK GDPR.
The United Kingdom of Great Britain and Northern Ireland.
All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
As defined in section 3 of the Data Protection Act 2018.
Incorporation of and changes to the EU SCCs
This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
