Data Processing Addendum
This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data by Seeing Machines on behalf of You when Seeing Machines provides services, technical support services or other professional services (“Services”). The Services are described in the relevant Seeing Machines agreement and the applicable purchase order for Services (collectively, “Agreement”). In the event of any conflict between the terms of the Agreement and this DPA, the terms of this DPA shall take precedence unless specified otherwise in the Agreement.
This DPA is between You and the Seeing Machines contracting entity specified under the Agreement (“Seeing Machines”) and, unless specified otherwise in the Agreement, is incorporated by reference into the Agreement.
Seeing Machines may with 30 days written notice make variations to this Addendum as required by any change in, or decision in, or enactment of Data Protection Laws, and upon receiving a variation You shall undertake all actions necessary to comply with the written notice.
Any terms used but not defined in this DPA, such as “Controller”, “Consumer”, “Data Subject”, “Process/Processing”, “Processor” shall have the same meaning set out in the Agreement or applicable Data Protection Laws.
“You” means the end-user, customer, client or any entity whether incorporated or a natural person, who has entered into a written contract with Seeing Machines that is subject to this DPA.
“Affiliate” means any subsidiary of Seeing Machines Limited that may assist Seeing Machines in the processing of Your Personal Data under this DPA.
“Data Protection Laws” means: (a) the European Union General Data Protection Regulation 2016/679 (“GDPR”); (b) the Australian Privacy Act 1988 (CTH); and (c) any other applicable Personal Data law to which You or Seeing Machines are subject.
“EU Standard Contractual Clauses” means the contractual clauses annexed to the EU Commission Decision 2021/914/EU or any successor clauses approved by the EU Commission.
“Personal Data” means all information or an opinion created, obtained or made available to a Party relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular reference to an identifier such as name, identification number, location data, an online-identifier or to or to one or more factors specific to the physical physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” means any unauthorised access, transmission, copying, alteration, storage or disclosure of Personal Data or misuse of Personal Data (whether accidental or deliberate).
“Sub-Processor” means any third party engaged to assist with the Processing of Personal Data for the performance of Services under the Agreement.
“UK IDTA Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses approved by the United Kingdom Information Commissioner’s Office.
Roles as Data Controller and Data Processor
For the purpose of this DPA and the applicable Data Protection Laws, You are the Data Controller of the Personal Data Processed by Seeing Machines in its performance of the Services under the terms of the Agreement. You are responsible for complying with your obligations as a Data Controller under applicable Data Protection Laws in providing Personal Data to Seeing Machines for the performance of the Services, including but not limited to obtaining any consents, providing any notices, or undertaking any other action as required under the applicable Data Protection Laws.
Seeing Machines is the Data Processor in regards to Personal Data provided by You, except when You act as a Processor of Personal Data, in which case Seeing Machines is a Sub-Processor. Seeing Machines is responsible for complying with its obligations under applicable Data Protection Laws that apply to its Processing of Personal Data under the Agreement and this DPA.
Processing of Personal Data
Seeing Machines and any persons acting under its authority under this DPA, including Sub-Processors and Affiliates as described under this DPA, will Process Personal Data only for the purposes of performing the Services in accordance with written instructions Seeing Machines receives from You as specified in the Agreement, this DPA and in accordance with applicable Data Protection Laws.
You acknowledge and agree that in certain circumstances, such as discovery related to legal proceedings, Seeing Machines may be required by law or court order to release Personal Data relating to You.
Data Subjects and Categories of Personal Data
In providing Seeing Machines’ Services, we collect and manage a range of data from different sources, including Personal Data about: our clients’ employees, contractors or agents; our distributors’ employees, contractors or agents; our suppliers’ employees, contractors or agents; other end users of our products and services; potential investors for marketing purposes; individuals, through digital services, such as social media or newsletters; and individuals that interact with us or our employees, such as by visiting our premises or phoning our staff.
The categories of Personal Data that we may collect is identified in Table 1 below:
Table 1: Personal Data that may be Collected by the Seeing Machines Group
|Data Subject||Categories of Information||Purpose||Legal Basis|
|Our client’s (including their affiliate’s) employees or contractors||
|Our distributors’ and authorised third-parties’ employees and contractors||
|Our suppliers’, their employees and contractors||
|Individuals who engage with us in relation to marketing or corporate communication||
|Shareholders, board members and individuals who engage with Seeing Machines in relation to investment, or other corporate engagement||
|Individuals who visit our premises||
|Individuals who engage with our corporate digital services (i.e. visit our website) or email or telephone our employees||
1 In collecting this information, we may also obtain sensitive Personal Data about our client’s employees, as defined under data protection laws, such as, biometric data (i.e. facial images), data revealing racial or ethnic origin or data concerning a person’s health. This data is obtained as a result of in-vehicle video recording and images of the driver or operator and information about the drivers’ driving behaviour, such as fatigue and distraction events, but we do not record racial, ethnic or health data in our databases.
Subject to the terms of this DPA, You authorise Seeing Machines to engage Sub-Processors and Affiliates for the Processing of Personal Data.
For each Sub-Processor, Seeing Machines will:
- prior to the Sub-Processor Processing Personal Data, carry out reasonable due diligence to ensure that the Sub-Processor can provide the level of protection for Personal Data required under the Agreement, this DPA and applicable Data Protection Laws; and
- ensure that the agreement between Seeing Machines and Sub-Processor is governed by a written enforceable contract including terms which offer at least the same level of protection for Personal Data as those set out under the Agreement, this DPA and applicable Data Protection Laws.
You agree that in the provision of Services under the Agreement, the Sub-Processors listed in Seeing Machines Sub-Processor List are authorised to Process Personal Data in accordance with the Agreement. You must subscribe to receive notice of updates to the list of Sub-Processors by writing to firstname.lastname@example.org.
At least fourteen (14) days before authorising any new Sub-Processor to access Personal Data, Seeing Machines will update the list of Sub-Processors by written notice. Where Seeing Machines is a Processor (and not a Sub-Processor), the following applies:
- If, based on reasonable grounds related to the inability of such Sub-Processor to protect Personal Data, You do not approve of a new Sub-Processor, then Seeing Machines will use reasonable efforts to make available to You a change in the Service or recommend a commercially reasonable change to avoid processing of Your Personal Data by the new Sub-Processor.
- If, Seeing Machines is unable to recommend a commercially reasonable change, You may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of the Sub-Processor to process Your Personal Data.
- Unless agreed to otherwise with Seeing Machines, You shall remain obligated to make all payments required under any purchase order or other contractual obligation with Seeing Machines and shall not be entitled to any refund or return of payment from Seeing Machines.
International Transfer of Personal Data
Seeing Machines primarily store, collect and process Personal Data in Australia, European Economic Area (EEA) and the United States. In the case of Personal Data collected in the EEA, the Personal Data is stored on servers located within the EEA.
You authorise Seeing Machines to transfer and Process Personal Data in Australia, United Kingdom, EEA and United States of America as necessary to perform the Services. Notwithstanding the foregoing, Seeing Machines may require Personal Data to be transferred in other countries as necessary to perform the Services and you appoint Seeing Machines to perform any such transfer to process Personal Data as necessary to provide the Services. Seeing Machines will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.
Where the Processing involves the international transfer of Personal Data under applicable Data Protection Laws in the EEA to Seeing Machines, Affiliates or Sub-Processors in a jurisdiction: (i) that has not been deemed by the European Commission or the UK Information Commissioner’s Office to provide an adequate level of data protection, and (ii) there is not another legitimate basis for the international transfer of such Personal Data, such transfers will be subject to either the EU Standard Contractual Clauses and/or the UK IDTA Addendum (as applicable) or other data transfer arrangements available under applicable Data Protection Laws. For international transfers subject to:
- the EU Standard Contractual Clauses, the parties hereby deemed to have entered (and incorporated by reference) the EU Standard Contractual Clauses as applicable:
- the UK IDTA Addendum, the parties hereby deemed to have entered (and incorporated by reference) the UK IDTA Addendum.
For the purposes of the EU Standard Contractual Clauses and UK IDTA Addendum, You act as the Data Exporter on Your behalf and on behalf of any of Your entities, and Seeing Machines acts as the Data Importer on its own behalf and/or on behalf of its Affiliates.
Where the Processing involves the international transfer of Personal Data under other applicable Data Protection Laws to Seeing Machines, Affiliates or Sub-Processors, such transfers are subject to the data protection terms specified in this DPA and applicable Data Protection Laws.
Requests from Data Subjects
Seeing Machines will make available to You the Personal Data of your Data Subjects and the ability to fulfill requests by Data Subjects to exercise their rights under applicable Data Protection Laws consistent with Seeing Machine’s role as a Data Processor.
If Seeing Machines receives a request directly from Your Data Subject to exercise their rights under applicable Data Protection Laws, Seeing Machines will direct the Data Subject to You unless prohibited by law.
Seeing Machines shall implement and maintain appropriate administrative, technical, and organisational practices to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Seeing Machines seeks to continually strengthen and improve its security practices, and reserves the right to modify its security practices. Any modifications will not diminish the level of security during the term of Services.
Seeing Machines personnel are bound by appropriate confidentiality agreements and are required to take regular data protection trainings and comply with Seeing Machines’ privacy and security policies and procedures.
Personal Data Breach
Seeing Machines shall notify You without undue delay after becoming aware of a Personal Data Breach involving Your Personal Data held by Seeing Machines and provide reasonable assistance in the event of an investigation to the Personal Data Breach, each Party at its own costs.
You shall notify Seeing Machines on becoming aware of a Personal Data Breach in relation to Product Data and provide reasonable assistance in the event of an investigation related to the Personal Data Breach, each Party at its own costs.
You and Seeing Machines agree to provide reasonable mutual assistance with any data protection impact assessment, and prior consultations with applicable regulatory authorities which You or Seeing Machines considers to be required by Data Protection Laws, each Party at its own cost.
Return and Deletion of Personal Data
Notwithstanding the aforementioned, Seeing Machines maybe subject to Data Protection Laws or other laws to Process Personal Data, in which case Seeing Machines shall to the extent permitted by Data Protection Laws or other laws inform You before Processing the Personal Data.
Data Protection Officer
You may contact the Seeing Machines Data Protection Officer at email@example.com.
The term of this DPA shall coincide with the commencement of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.