APAC Data Protection Addendum

Last update on August 03, 2023

Go back

This APAC data protection addendum (“APAC Addendum”) sets forth the terms under the Data Protection Laws pursuant to which a Disclosing Party may transmit, disclose, or otherwise make available Personal Data to the Receiving Party for the Processing Purposes further defined in Annex A, and is applicable where the Disclosing Party is located within the Asia Pacific region. This APAC Addendum supplements and forms part of the Agreement. This APAC Addendum is effective as of the Effective Date; provided, however, the relevant obligations apply only to the extent the Personal Data is subject to the Data Protection Laws.

Section 1

Definitions

For purposes of this APAC Addendum, the following terms will have the meaning ascribed below:

1.1

Security Incident” includes a real or suspected adverse event in relation to cybersecurity that results in unauthorised access, denial of service, disruption, unauthorised use of a computer resource for processing or storage of information or unauthorised changes to data or information.

Terms which are not defined in this APAC Addendum shall bear the meaning ascribed to them in the Global Addendum.

Section 2

Roles

2.1

Under this APAC Addendum, each Party acts as a Controller in the processing of the other Party’s Personal Data.

2.2

In the event that any Disclosing Party, as a Processor on behalf of a Controller, provides Personal Data to Receiving Party, the Disclosing Party will ensure that the Controller on whose behalf it is providing Personal Data has agreed to the obligations set forth in Section 3 herein.

Section 3

Mutual Processing Obligations

Each Party will:

3.1

Comply with its respective obligations under the relevant Data Protection Laws with respect to the Processing of Personal Data, including having in place appropriate physical, technical and organisational measures which ensure a level of security as required under applicable Data Protection Laws.To the extent acting as a Disclosing Party:

3.2

Provide all notices and obtain any consents required by relevant Data Protection Laws necessary to permit each Party to Process Personal Data for the Processing Purposes in accordance with this APAC Addendum (including without limitation in respect of direct marketing);

3.3

To the extent providing Personal Data originally collected by another Controller, (i) contractually obligate such Controller to provide all notices and obtain any consents required by relevant Data Protection Laws necessary to permit each Party to Process Personal Data for the Processing Purposes in accordance with this APAC Addendum and (ii) take reasonable steps to ensure compliance with such contractual obligations;

3.4

Notify the Receiving Party if it, or any applicable Processor, is, or believes it will be, unable to comply with the terms of this APAC Addendum and/or any relevant Data Protection Laws.

To the extent acting as a Receiving Party:

3.5

Except as expressly permitted by the Agreement, not retain, use or disclose Personal Data of the Disclosing Party for longer than necessary to serve the purposes set out in the Agreement and in this APAC Addendum; and

3.6

Take reasonable steps to ensure in each case that access to Personal Data is strictly limited to those individuals who need to know and access the relevant Personal Data of the Receiving Party, for the purposes of the Agreement and this APAC Addendum, and to comply with Data Protection Laws.

Section 4

International Transfers

4.1

The Parties shall only transfer or disclose Personal Data of the other Party to a Third Country (or, where the Disclosing Party is subject to the New Zealand Privacy Act 2020, to a Foreign Person or Entity (as defined in the Privacy Act 2020)) with the other Party’s prior written consent and in accordance with Data Protection Laws.

4.2

Each Party shall provide prompt reasonable assistance to the other Party in connection with any and all personal data impact assessments and/or security assessments as required under applicable Data Protection Laws to transfer Personal Data to Third Countries and/or to third parties.

Section 5

Subprocessing

5.1

Each Party may engage or use Processors, provided that the arrangement with their Processor (if any), is governed by a written contract which includes terms that provide the same level of protection for Personal Data as those set out in this APAC Addendum. For the avoidance of doubt, each Party shall remain liable to the other Party for any and all acts or omissions by each Processor in relation to the Processing of Personal Data.

Section 6

Security Incidents or Data Breach

6.1

Each Party (“First Party”) shall as soon as practicable after becoming aware of, or suspecting:

  • a Security Incident or Data Breach relating to the other Party’s (“Second Party”) Personal Data and to the extent that such data can be reasonably identified by the First Party as having been affected by the Security Incident or Data Breach; or
  • any violation of the Data Protection Laws caused by First Party, its employees, or third party contracted by it relating to the Second Party’s Personal Data and to the extent that such data can be reasonably identified by the First Party as having been affected by such violation,

    but in any event within 24 hours of becoming aware or beginning to suspect, provide the Second Party with notice, including the nature, cause and consequences of such event, the remedial measures taken and to be taken, and further information and assistance as may be requested by the First Party in connection with the Security Incident or Data Breach.
6.2

First Party shall co-operate with the Second Party and take steps as are directed by the Second Party to assist in the investigation, mitigation, and remediation of each such Security Incident or Data Breach.

6.3

Each Party shall be responsible each for their own reporting requirements of Security Incidents or Data Breaches to relevant Supervisory Authorities and individuals as required by applicable Data Protection Laws.