Data Processing Agreement

Last reviewed March 21, 2025

If We will be processing personal data from the EEA, Switzerland, or the United Kingdom on Your behalf, and You wish to execute a Data Processing Agreement (DPA) with Us, as required by the General Data Protection Regulation (GDPR), then You may do so by submitting a request to the email address below. Upon receipt of Your request, We will send You a GDPR DPA ready for execution. A sample agreement is provided below for informational purposes only.

DPA Request email address: support@communic8.com


Date of Agreement

This Data Processing Agreement is entered into on [date of execution]

Parties

Communic8 Group Pty Ltd ABN 26 139 494 054, with offices at Level 1/315 Brunswick St, Fortitude Valley, QLD 4006 Australia (the "Service Provider")

[Your company name here] ABN [Your company reference number] with offices at [Your company address] (the "Client")

Recitals

A. The Service Provider agrees, or has agreed, and the Client agrees, or has agreed, to engage the Service Provider to provide to the Client access to the Communic8 Platform for the purpose of communicating within the Client organisation to employees or outside the Client organisation to Contacts (collectively, the "Cloud Services") under an agreement (the "Main Agreement").

B. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) ("NDB Law") that came into effect on 22 February 2018 established a Notifiable Data Breaches Scheme that requires, among other things, APP Entities to assess suspected data breaches and to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm, and the Australian Information Commissioner. The purpose of this Data Processing Agreement is to outline how Communic8 Group Pty Ltd and the Client will approach actual, potential or suspected data breaches that may occur from time to time with respect to Personal Information 'held' by both Communic8 Group Pty Ltd and the Client ("Jointly Held Personal Information"). For the purposes of this Data Processing Agreement, the word 'held' (and other forms of that word) has the meaning that 'held' is given in the Privacy Act 1988 (Cth) (the "Privacy Act"). Communic8 Group Pty Ltd's policy is to investigate and properly address all suspected, actual or potential data breaches involving Jointly Held Personal Information to ensure that Communic8 Group Pty Ltd's legal obligations under the NDB Law are discharged.

C. Under the NDB Law, eligible data breaches are notifiable. A data breach is an eligible data breach for the purposes of the NDB Law if there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information, and a reasonable person concludes that the access, disclosure or loss is likely to result in serious harm to one or more individuals to whom the Jointly Held Personal Information relates, and the entity that held the Jointly Held Personal Information has not been able to prevent the likely risk of serious harm to any of the individuals with remedial action.

D. The Service Provider and the Client jointly 'hold' personal data hosted by the Service Provider pursuant to the Main Agreement. The parties have agreed that any breaches of that jointly held personal data will be addressed pursuant to this Data Processing Agreement. This Data Processing Agreement does not apply to non-production environments of the Cloud Services if such environments are made available by the Service Provider, and the Client shall not store Personal Data in such environments.

E. The parties have also agreed that where the Service Provider processes personal data of the Client (or of any end-user of the Client) that is regulated by the General Data Protection Regulation (GDPR) (EU) 2016/679 (the "GDPR") (where the processing is within the territorial scope of the GDPR as set out in Article 3 thereof), this Data Processing Agreement will also govern their relationship for the purposes of the GDPR.

The Parties Agree as Follows:

1. Definitions and Interpretations

1.1 Definitions
In this Data Processing Agreement, the Service Provider and Client will each be referred to as a "party" and together the "parties", and any words starting with a capital letter shall have the meanings given to them in the Main Agreement unless otherwise defined in this Data Processing Agreement. Further, in this Data Processing Agreement the words "controller", "consent", "processor", "data subject", "personal data", "processing", and "process" shall have the meanings given to them in the GDPR.

1.2 Interpretations
The rules of interpretation set out in the Main Agreement will apply to this Data Processing Agreement, except where inconsistent with the Privacy Act, the GDPR and any other applicable data protection laws (collectively, "Data Protection Laws"), in which case the interpretation provisions of the relevant Data Protection Laws will prevail. Further, in this Data Processing Agreement any reference to a subclause is a reference to the subclause of the clause in which the reference is made, and the recitals to this Data Processing Agreement form part of the operative binding terms.

1.3 Scope of this Agreement
This Data Processing Agreement only applies to personal data uploaded into the Cloud Services by the Client and/or any End-User for processing by the Service Provider on behalf of the Client.

1.4 References to GDPR
In this Data Processing Agreement, any provision in the body or the Schedule which refers to an obligation of a party to comply with the GDPR, or the right of a party under the GDPR, only applies to the extent that the GDPR applies to the personal data and/or processing pursuant to Article 3 of the GDPR.

2. Term of this Data Processing Agreement

2.1 By executing this Data Processing Agreement and/or accessing, browsing and/or using the Service Provider's cloud based platform and the Cloud Services made available by the Service Provider through the platform, the Client will be deemed to have read, understood and wholly and unconditionally agreed to be legally bound by, and accepted, the terms and conditions set out in this Data Processing Agreement and agreed that the Main Agreement is varied to incorporate this Data Processing Agreement, such that this Data Processing Agreement is incorporated into and forms part of the Main Agreement by reference.

2.2 Except as set out in this Data Processing Agreement (and in any other previously agreed variations to the Main Agreement), the Main Agreement remains unaltered and in full force and effect.

2.3 This Data Processing Agreement will apply for the term of the Main Agreement and will automatically and immediately terminate upon termination or expiry of the Main Agreement for any reason.

3. Compliance with Data Protection Laws

3.1 Each party hereby agrees that it will comply with its obligations under all Data Protection Laws, including but not limited to, by collecting, holding, disclosing and processing personal data only in accordance with those laws, by maintaining all records and information required by any such laws and by appointing a Data Protection Officer where required pursuant to the GDPR.

3.2 With respect to personal data processed by the Service Provider (as a processor) on behalf of the Client (in the Client's capacity of a controller) ("Client Personal Data"), the Service Provider must at a minimum retain:

(a) records confirming the name and contact details of its personnel who are appointed to respond to questions about the Service Provider's processing activities, and where applicable the name and contact details of the Service Provider's data protection officer;
(b) the names and contact details of subprocessors who are appointed to process Client Personal Data;
(c) records of any countries to which Client Personal Data is transferred;
(d) records of and copies of the agreements with any subprocessors, including any upstream hosting suppliers;
(e) details of the categories of Client Personal Data processed;
(f) records of the technical and other security measures taken by the Service Provider as referred to in this Data Processing Agreement.

3.3 The Client must not provide any instructions to the Service Provider with respect to Client Personal Data which contravene any Data Protection Laws. The Service Provider will not have any obligation to process any such instructions or to process any personal data on behalf of the Client if doing so would contravene any Data Protection Laws. The Client must provide the Service Provider with any information and otherwise cooperate with the Service Provider, to the extent reasonably required by the Service Provider to comply with its obligations under Data Protection Laws.

3.4 Each party must take reasonable steps to ensure that its employees, agents and contractors comply with Data Protection Laws.

3.5 Each party acknowledges that this Data Processing Agreement does not set out all of the parties' obligations under Data Protection Laws.

4. Processing duration and de-identification

4.1 The Service Provider will only process personal data of the Client or any End-User in its capacity as a processor during the term of the Main Agreement and, following the expiry or termination of the Main Agreement, only for the purposes of deleting or returning that personal data to the Client. At the choice of the Client, the Service Provider must delete or return to the Client all of the personal data uploaded and/or entered into the Cloud Services, or otherwise collected by the Service Provider, in the Service Provider's capacity as a processor. Where the Client requires that personal data to be returned, it must be returned to the Client after the end of the provision of services relating to processing (the "Processing Conclusion Date"), and the Service Provider must thereafter delete all remaining copies of that personal data in the Service Provider's possession or control as soon as reasonably practicable, but in any event not more than 30 days after the Processing Conclusion Date, unless applicable law requires the Service Provider to retain the personal data, in which case the Service Provider must notify the Client of that requirement and only use such retained data for the purposes of complying with those applicable laws.

4.2 Notwithstanding subclause 1, where the personal data is not GDPR Data and is personal information for the purposes of the Privacy Act, within the 30 day period following the Processing Conclusion Date, instead of destroying the personal information, the Service Provider will take such steps as are reasonable in the circumstances to de-identify the applicable Client Personal Data where it no longer needs it for any purpose for which it may be used in accordance with this Data Processing Agreement or its Privacy Policy, the information is not contained in a Commonwealth record, and the Service Provider is not required by Australian law (or a court or tribunal order) to retain it.

4.3 The Service Provider must not keep any Client Personal Data for longer than is necessary for the purposes for which the personal data is processed.

4.4 Where a party no longer needs personal data for any purpose for which it may be used or disclosed under the Australian Privacy Principles, the party must take reasonable steps to destroy the information or ensure that it is de-identified.

5. Responsibility for consents, authorisations and approvals

5.1 The Client warrants and represents that it consents to, approves and authorises, and that it has or will obtain (and will in any event maintain for the term of the Main Agreement) any other necessary consents, approvals and authorisations (including any authorisations by any End-Users, and those of third party controllers where the Client is a processor), with respect to any personal data uploaded into the Cloud Services by the Client and/or any End-User and/or otherwise collected by the Service Provider pursuant to this Data Processing Agreement, to the extent such consents, approvals and authorisations are necessary for the Service Provider to process that personal data for the purposes contemplated by this Data Processing Agreement.

5.2 Without limiting the foregoing provisions, the Client hereby warrants and represents to the Service Provider that all employees, customers and other end-users of the Client who use the Cloud Services on behalf of the Client ("End-Users") have authorised the Client to appoint the Service Provider as a processor (or sub-processor).

5.3 The Client must not provide the Service Provider with the personal data of any third party without the Service Provider's prior written consent ("Third Party Data"). If the Client provides the Service Provider with Third Party Data, the Client must notify the relevant third party of that fact together with any other information required by Article 14 of the GDPR.

5.4 The Client and any End-Users may withdraw any such consents, approvals and authorisations that they have provided as referred to in this clause. However, where such withdrawal occurs, the Service Provider shall have no further obligation to process any personal data on behalf of the person or entity that has so withdrawn the applicable consents, approvals and authorisations.

5.5 The withdrawal of any consents, approvals and authorisations by the Client or any End-User will not prevent the Service Provider from using personal data to which the consents, approvals and authorisations relate, for the purposes of complying with any applicable laws or enforcing any rights of the Service Provider.

5.6 Where the Client withdraws its consent to process Client Personal Data, the Service Provider may terminate the Main Agreement.

6. Relationship of the parties

6.1 Each party hereby agrees for the purposes of this Data Processing Agreement and the GDPR that, as between them, the Service Provider is the processor and the Client is the controller, in connection with any processing of personal data carried out by the Service Provider on behalf of the Client, as contemplated by this Data Processing Agreement.

6.2 However, the parties also hereby agree that the Service Provider has a legitimate interest in using any data entered into and/or uploaded into the Cloud Services by the Client and/or End-Users, and/or otherwise collected by the Service Provider pursuant to this Data Processing Agreement for the Service Provider's own legitimate purposes (including for billing, product development, debt recovery and sales and marketing purposes, and for the purposes of enforcing the Service Provider's rights) – and to the extent that the Service Provider uses such data for those purposes the Service Provider will be the controller for the purposes of the GDPR and any other Data Protection Laws.

6.3 Where the Service Provider is a controller in connection with personal data for the purposes of the GDPR, it will process that personal data in accordance with the GDPR and its Privacy Policy.

7. Client processing instructions

7.1 The Service Provider acknowledges that it will not process any Client Personal Data in its capacity as a processor, except pursuant to the Client's instructions (including with respect to data transfers) unless applicable law to which the Service Provider is subject requires other processing of that personal data by the Service Provider, in which case the Service Provider will inform the Client of that legal requirement (unless that law prohibits the Service Provider from doing so on important grounds of public interest).

7.2 The Service Provider may assume that the Client's final and complete documented instructions to the Service Provider to act as a processor on the Client's behalf with respect to the processing of personal data entered into or uploaded into the Cloud Services by the Client and any End-User are constituted by the following ("Client Instructions"):

(a) the Main Agreement (including this Data Processing Agreement incorporated into the Main Agreement);
(b) the act of the Client and/or any End-Users' uploading and/or entering any personal data into the Cloud Services;
(c) any settings selected, and/or configurations made, by the Client or any End-Users in or of the Cloud Services;
(d) any reasonable written instructions provided by the Client to the Service Provider via email or through any communications tool facilitated by the Cloud Services which are expressly stated to be written instructions issued by the Client as controller to the Service Provider as processor, for the purposes of the GDPR; and
(e) the Client and relevant End-Users using the functionality of the Cloud Services to issue instructions to process personal data, such as, to delete personal data, export personal data or transfer personal data to a subprocessor.

7.3 The Service Provider will not process personal data on behalf of the Client, except where it is entitled to do so pursuant to the Australian Privacy Principles and any other applicable Data Protection Laws.

7.4 The Service Provider is not required to comply with the instructions of the Client with respect to the processing of personal data, where complying with the instructions would contravene any applicable law.

8. Whose personal data will the Service Provider process?

8.1 The Cloud Services are designed only to be used to process the following individuals' personal data: the Client; End-Users; employees and contractors of the Client; employees and contractors of End-Users; directors and officers of the Client; directors and officers of End-Users.

8.2 However, the Cloud Services will automatically process any personal data uploaded or entered into them. The Service Provider may elect not to analyse all or any personal data uploaded or entered into the Cloud Services. It is the Client's responsibility to ensure that only the personal data of individuals whose data the Cloud Services are designed to process is uploaded or entered into the Cloud Services by the Client and any End-Users.

9. Types of Personal Data that will be processed

9.1 The types of personal data that will be processed by the Service Provider in connection with the Main Agreement are any personal data that the Client or any End-User uploads or enters into the Cloud Services, either manually or via their computer systems, smartphone devices and tablets, namely:

(a) names;
(b) mobile numbers;
(c) email addresses;
(d) country of residence, organisation, etc.

9.2 The Cloud Services will also process any other personal information that the Client or any End-User voluntarily enters or uploads into the Cloud Services. The Service Provider will process this personal data on behalf of the Client in the Service Provider's capacity as a processor in order to provide the Client and its End-Users with the Cloud Services.

9.3 The operations and sets of operations which will be performed by the Service Provider on personal data or on sets of personal data (whether or not by automated means) will include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, but only as required for the purposes set out in this clause.

10. Processing of Special Categories of Personal Data

10.1 The Service Provider and the Client each agree that the Cloud Services are not to be used for processing of special categories of personal data without the prior written consent of both the Service Provider and the Client. The Client must not, and must procure that all End-Users will not, enter or upload any personal data that falls within the scope of special categories of personal data into the Cloud Services. Special categories of personal data are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

10.2 Notwithstanding subclause 1, the Service Provider may process any Personal Data when necessary for the establishment, exercise or defence of legal claims or in any of the other circumstances referred to in paragraph 2 of Article 9 of the GDPR.

11. Security

11.1 The technical and organisational measures that the Service Provider has implemented, and will continue to implement for the term of the Main Agreement to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage are as follows:

  • The Service Provider performs security testing (including penetration testing of the Cloud Services), and maintains other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multi-factor authentication and firewalls.

  • The Service Provider maintains physical security measures in its buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms.

  • The Service Provider requires all of its employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements.

  • The Service Provider carries out security audits of its systems which seek to find and eliminate any potential security risks in the Service Provider's electronic and physical infrastructure as soon as possible.

  • The Service Provider implements passwords and access control procedures in its computer systems.

  • The Service Provider has a Data Breach Response Plan in place.

  • The Service Provider has data backup, archiving and disaster recovery processes in place.

  • The Service Provider has processes in place to ensure the integrity and resilience of systems, servers and personal data.

11.2 The Client warrants and represents that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of personal data by the Service Provider as referred to in this Data Processing Agreement, and the risks to individuals) the security measures referred to in subclause 1 provide a level of security appropriate to the risk in respect of the personal data to be processed by the Service Provider on behalf of the Client, as referred to in this Data Processing Agreement.

12. Confidentiality

12.1 The Service Provider must ensure that authorised persons appointed by the Service Provider to process personal data entered into and/or uploaded into the Cloud Services by the Client and/or any End-User, and/or captured by the Service Provider from them or their use of the Cloud Services or interaction with the Service Provider, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

13. Sub-processing

13.1 The Service Provider will only engage new third parties to process personal data entered into and/or uploaded into the Cloud Services by the Client and/or any End-User for the Service Provider to process as a processor on behalf of the Client ("subprocessors") if the Client has authorised the Service Provider to do so pursuant to a specific or general written authorisation from the Client.

13.2 As at the date of this Data Processing Agreement, the Service Provider is authorised to continue to engage the subprocessors already engaged by the Service Provider as at the date of this Data Processing Agreement, to process personal data on behalf of the Client that is entered into and/or uploaded into the Cloud Services by the Client and/or any End-User.

13.3 In the case of general written authorisation, the Service Provider shall inform the Client of any intended changes concerning the addition or replacement of the Service Provider's subprocessors, thereby giving the Client the opportunity to object to such changes. If the Client objects to such changes, the parties must meet (physically or by telephone or online) within 7 days of the objection to discuss the changes. If the parties are unable to resolve any dispute about the changes, the Service Provider may terminate the Main Agreement.

13.4 Subject to subclause 3, the Service Provider must comply with Article 28(4) of the GDPR with respect to any subprocessors, including by ensuring that the Service Provider's contract with the subprocessors contains data protection obligations as referred to in Article 28(3) of the GDPR imposed on the subprocessors that, in particular, provide sufficient guarantees from the subprocessors to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.

13.5 Notwithstanding the provisions of subclauses 2, 3 and 4, adherence of a subprocessor to an approved code of conduct as referred to in Article 40 of the GDPR or an approved certification mechanism as referred to in Article 42 of the GDPR may be used as an element by which to demonstrate sufficient guarantees as referred to in Article 28(4) of the GDPR.

13.6 If a subprocessor appointed by the Service Provider to process personal data entered into and/or uploaded into the Cloud Services by the Client and/or any End-User and to otherwise process personal data of the Client or any End-User fails to fulfil its data protection obligations, the Service Provider shall remain fully liable to the Client for the performance of that subprocessor's obligations.

14. International Transfers

14.1 The Service Provider must not transfer Client Personal Data which is the subject of the GDPR, to any country or organisation outside of the European Union, except:

(a) as reasonably necessary for the Service Provider to provide or procure the provision of the Cloud Services; or
(b) as instructed by the Client.

14.2 Unless otherwise agreed in writing by the Client, any transfer by the Service Provider of Client Personal Data which is the subject of the GDPR outside the European Union must not be made unless the Service Provider has taken such measures as are necessary to ensure the transfer complies with Data Protection Laws.

14.3 The Service Provider may transfer personal information for the purposes of the Privacy Act 1988 (Cth) (other than GDPR Data) to any country provided that it complies with Australian Privacy Principle 8 (Cross-border disclosure of personal information).

15. Cooperation between the Service Provider and the Client

15.1 Any request made by an End-User or by any other person whose data is held by the Service Provider on behalf of the Client, where such request is made directly to the Service Provider, is to be referred to the Client and the Client must action any such request.

15.2 The Service Provider will assist the Client in providing data subjects with access to personal data held by the Service Provider in its capacity as a processor on behalf of the Client, and by allowing the Client and data subjects to exercise their rights under the GDPR, and with other reasonable cooperation where and to the extent reasonably necessary to assist the Client with its responses to data subjects and data protection authorities, and otherwise where reasonably required by the Client to assist it with complying with its obligations under the GDPR, including but not limited to, by:

(a) taking into account the nature of the processing, assisting the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligation to respond to requests for exercising a data subject's rights laid down in Chapter III of the GDPR;
(b) permitting and contributing to inspections and audits and the provision of information to verify the Service Provider's compliance with the GDPR;
(c) reporting breaches of personal data held by the Service Provider, where such data is held on behalf of the Client;
(d) assisting the Client in meeting its GDPR obligations in relation to the security of processing;
(e) the provision of information to the Client in connection with the Client's preparation of Data Protection Impact Assessments;
(f) assisting the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Service Provider;
(g) making available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and by allowing for and contributing to audits, including inspections, conducted by the Client or an auditor selected by the Client.

15.3 All such access and cooperation provided by the Service Provider referred to in subclause 2 will be at the cost of the Client payable at the Service Provider's standard hourly rates within 7 days of invoice, except where charging a fee for such access and cooperation is prohibited by applicable law.

15.4 The Service Provider must appoint a Data Protection Officer and notify the Client of the Data Protection Officer's name and contact details where required by Article 37 of the GDPR or any other Data Protection Laws.

15.5 Where required by Article 27 of the GDPR, the Client must designate in writing a representative in the European Union for the purposes of that Article.

16. Data breaches

16.1 Each party must comply with its obligations set out in the Schedule to this Data Processing Agreement in relation to any data breach of personal data held or otherwise processed for the purposes of this Data Processing Agreement, where the party is required to do so pursuant to Data Protection Laws.

17. Liability

17.1 To the extent permissible by applicable law, the exclusions and limitations of liability set out in the body of the Main Agreement will apply to this Data Processing Agreement and any claim or proceedings brought by either party under or in connection with this Data Processing Agreement.

18. Indemnity

18.1 Each party (the first party) must indemnify the other party from and against any loss or damage incurred by the other party as a result of the first party's breach of this Data Processing Agreement.

19. Processor Contact Details

19.1 The Service Provider's contact details are as follows:

Privacy Representative
Level 1/315 Brunswick St,
Fortitude Valley, QLD 4006
Australia

Email: privacy@communic8group.com

20. General

20.1 Amendment: This Data Processing Agreement represents the entire agreement of the parties with respect to its subject matter and may not be amended except by a written document executed by the parties. Notwithstanding the foregoing provisions of this paragraph, the Service Provider may amend this Data Processing Agreement by written notice to the Client ("Amendment Notice") if and to the extent the amendment is necessary to comply with Data Protection Laws or any amendments made to them, or the requirements of any applicable supervisory, government or regulatory authority, or to implement any standard clauses or comply with any certification or code of conduct approved by the European Commission or issued pursuant to the GDPR. If the Client does not agree with any Amendment Notice, it must notify the Service Provider by written notice of that fact within 7 days of the date of the Amendment Notice ("Objection Notice"). If the parties are unable to resolve the objection within 7 days from the date of the Objection Notice ("Dispute Resolution Period"), either party may terminate this Data Processing Agreement for its convenience by written notice within 7 days of the expiry of the Dispute Resolution Period.

20.2 Assignment: Neither party may assign, transfer, licence or novate its rights or obligations under this Data Processing Agreement without the prior written consent of the other party.

20.3 Severability: If any provision of this Data Processing Agreement is deemed invalid by a court of competent jurisdiction, the remainder of this Data Processing Agreement shall remain enforceable. If a provision of this Data Processing Agreement conflicts with any Data Protection Law affecting the parties' commercial relationship, that provision will be severed and the remainder of this Data Processing Agreement will remain enforceable.

20.4 Relationship: The parties are independent contractors and this Data Processing Agreement does not create any relationship of partnership, joint venture, or employer and employee or otherwise.

20.5 Counterparts: This Data Processing Agreement may be executed in counterparts provided that no binding agreement shall be reached until the executed counterparts are exchanged.

20.6 Entire Agreement: This Data Processing Agreement and any terms implied herein by any applicable Data Protection Laws constitute the entire agreement between the parties and to the extent possible by law, supersedes all prior understandings, representations, arrangements and agreements between the parties, regarding its subject matter.

20.7 Applicable law: This Data Processing Agreement will be governed by and construed in accordance with the law of the Main Agreement. To the extent this Data Processing Agreement is inconsistent with any other provision of the Main Agreement, this Data Processing Agreement shall prevail.


Schedule

Action the parties must take following a suspected, potential or actual eligible data breach

1. Action to be taken for the purposes of the Privacy Act 1988 (Cth)

1.1 If there is a suspected, potential or actual eligible data breach ("Breach"), the party that detects the Breach (the "Detecting Party") must immediately notify the other party of the Breach by email with full particulars of the Breach. The email addresses for the purposes of this subclause are as follows:

(a) Communic8 Group Pty Ltd: [Our company contact email]
(b) Client: [Your company contact email]

1.2 Upon the Detecting Party detecting the Breach, it must also carry out the following actions:

(a) Step 1: Contain and assess the data breach. The first action that must be taken in response to a suspected, actual or potential data breach is to conduct a preliminary assessment and/or investigation to determine whether or not there has been a data breach or whether one is likely to occur, and then contain the breach to prevent further unauthorised access or disclosure or loss of information. If the Detecting Party is aware of reasonable grounds for suspecting a Breach occurred, the Detecting Party must immediately lock down any potential avenues for further similar data breaches whether or not it is ultimately proven that a suspected data breach actually occurred. In some cases, it may be impossible to determine whether there has been a data breach, particularly where relevant records confirming the breach have been destroyed or are otherwise unavailable. Even so, the Detecting Party must immediately lock down any potential avenues for further data breaches. Similarly, the Detecting Party must do everything possible to prevent the data breach from occurring. The Detecting Party is to engage all relevant IT, security and managerial personnel to contain any suspected or potential data breaches. Where an actual data breach has occurred, the Detecting Party must similarly engage all relevant IT, security and managerial personnel to contain the breach. Once a Breach is properly contained, the Detecting Party must determine if a data breach has occurred that requires notification under the NDB Law. The NDB Law requires that only eligible data breaches must be notified. If the Detecting Party becomes aware of reasonable grounds that indicate that there has been an eligible data breach, the Breach is required to be notified to the relevant individuals at risk of serious harm and the Australian Information Commissioner.
(b) Step 2: Notify insurers. Each party must promptly notify its insurers from which it has obtained any Cyber Liability Insurance policy of the Breach.
(c) Step 3: Determine if an eligible data breach has occurred. For the purposes of the NDB Law and this Data Processing Agreement, an eligible data breach occurs if the following 3 criteria are satisfied:

(i) there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information;
(ii) the Breach is likely to result in serious harm to one or more individuals; and
(iii) the Detecting Party has not been able to prevent the likely risk of serious harm with remedial action.

The Detecting Party must consider the above criteria when determining whether an eligible data breach has occurred. For the purposes of the NDB scheme, serious harm is deemed to have occurred or be likely to occur if a reasonable person would consider that it has so occurred or is likely to occur. Serious harm is not defined in the Privacy Act, but in the context of a Breach it may include among other things serious psychological, physical, emotional, financial or reputational harm. Some of the matters that may inform a decision that serious harm has occurred include the sensitivity of the Jointly Held Personal Information that was the subject of the Breach, the type of Jointly Held Personal Information lost, accessed or disclosed, and whether the Jointly Held Personal Information was encrypted.
The NDB Law requires entities subject to the Privacy Act to investigate suspected eligible data breaches when they are aware that there are reasonable grounds to suspect that there may have been an eligible data breach but the entity is not aware whether or not there has been an actual eligible data breach. The NDB Law requires such entities to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity. Therefore, if the Detecting Party suspects that a Breach may have occurred, it must take all reasonable steps to ensure that an assessment is completed expeditiously and in any event within thirty (30) days after it becomes aware of the reasonable grounds to suspect that there may have been an eligible data breach for the purpose of the NDB Law. The Detecting Party must keep the other party informed at all times while the Detecting Party is undertaking any assessment of a suspected eligible data breach, and must notify the other party by email (to the address referred to in clause 1.1 of this Schedule) if the Detecting Party becomes aware of reasonable grounds that indicate that an actual eligible data breach has occurred with full particulars of the eligible data breach.
(d) Step 4: Remedial action. Under the NDB Law, where there is an eligible breach of jointly held information, a party must use its best endeavours to take positive steps to address the eligible breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. In circumstances where personal information is lost but the remedial action removes the likelihood of it causing serious harm, the NDB Law provides that the eligible data breach will be taken to have not occurred. The parties agree that if a Breach occurs involving Jointly Held Information, the Client and Communic8 Group Pty Ltd must each use their respective best endeavours to take positive steps to address the Breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. Each party must keep the other party informed at all times while that remedial action is being undertaken, and must notify the other party if the remedial action has removed the likelihood of the Breach causing serious harm. If Communic8 Group Pty Ltd forms the opinion in its absolute discretion that the Client has not completed an expeditious assessment of the Breach and/or has not expeditiously carried out remedial action that may result in the Breach not being likely to cause serious harm, Communic8 Group Pty Ltd may notify the Client that Communic8 Group Pty Ltd requires the Client to notify the Breach pursuant to paragraph (e) below ("Notification Demand"). If Communic8 Group Pty Ltd issues a Notification Demand, the Client must notify all relevant individuals and the Office of the Information Commissioner pursuant to paragraph (e) below within twenty-four (24) hours of the Notification Demand (time being of the essence), notwithstanding that paragraph (e) may require the notifications to be issued within a different period of time.
(e) If an eligible data breach of Jointly Held Personal Information has occurred for the purposes of the NDB Law (that has not been remedied in accordance with paragraph (d)), the Client must as soon as possible:

(i) notify the Australian Information Commissioner of the eligible data breach; and
(ii) notify the relevant individuals to whom the Jointly Held Personal Data relates of the eligible data breach,

in accordance with the NDB Law.

2. Action to be taken by the Client for the purposes of the GDPR

2.1 This clause 2 applies to personal data held or otherwise processed by the Service Provider as a processor on behalf of the Client.

2.2 In the case of a personal data breach, the Service Provider must notify the Client of a data breach that it becomes aware of without undue delay. The Client shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

2.3 Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2.4 The notification referred to in subclauses 2.2 and 2.3 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

2.5 Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

2.6 The Client shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33 of the GDPR.

2.7 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Client shall communicate the personal data breach to the data subject without undue delay.

2.8 The communication to the data subject referred to in subclause 2.7 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.

2.9 The communication to the data subject referred to in subclause 2.7 shall not be required if any of the following conditions are met:

(a) the Client has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the Client has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subclause 2.7 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

2.10 If the Client has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in subclause 2.9 are met.

Signed as an agreement.

Signed by [Your company name here] by its authorised representative:

Name of Authorised Representative:


Signature:


Company Position:


Date:


Signed by Communic8 Group Pty Ltd by its authorised representative:

Name of Authorised Representative:


Signature:


Company Position:


Date:

