Tes Data Processing Agreement
This Data Processing Agreement (DPA) forms parts of Tes’ General Terms of Business (Terms) between the Customer and Tes Global Limited, Tes Aus Global Pty Limited, and its subsidiaries and applies automatically to all Customers globally for all Products.
Nothing within this Agreement shall relieve either Party of their own direct responsibilities and liabilities under Applicable Data Protection Law.
| Parties' relationship | Controller to Processor |
| Parties' roles |
Customer will act as a Controller as defined in Clause 1.2 of this DPA Tes will act as a Processor as defined in Clause 1.2 of this DPA |
| Term | This DPA will commence on the final date of signature and will continue as mentioned in the Schedule and Terms of Business |
| Breach Notification Period | Without undue delay after becoming aware of a Personal Data Breach. |
| Notifications | Customer sub-processor notification. |
| Governing Law and Jurisdiction | The two parties agree that this Agreement shall be governed by, and construed exclusively, in accordance with the Laws and Courts of England and Wales and the Laws of New South Wales |
| Data Protection Laws | All applicable Data Protection Laws which apply to the processing of Personal Data |
| Data subjects | The individuals whose Personal Data will be processed as described in the Schedule and Terms of Business |
| Transfer Mechanism | Tes will not transfer or authorise personal data to be transferred to a different territory without written consent from the customer. |
|
Security measures. Technical and organisational measures to ensure the security of Personal Data |
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Tes shall implement and maintain technical and organisational security measures appropriate to the risks apparent to the rights and freedoms of data subjects whose personal data is processed by Tes on behalf on the Customer. In assessing the appropriate level of security, Tes has taken account of the risks that are presented by processing of Personal Data. |
1.1 Purpose The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data as defined in the Schedule and Terms of Business.
1.2 Definitions Under this DPA:
(a) Personal Data Breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
(b) Data Controllers – means the organisations which determine the purposes and means of Processing Personal Data
(c) Data Processor – means any legal entity Processing Personal Data on behalf of one or other of the Parties, but who is not an employee of that Party, and who processes such Personal Data under the terms of a formal, written contract.
(d) Data Protection Laws – means Data Protection Law and if applicable any Data Protection or Privacy Law of another country.
(e) Data Subject – means any living individual whose Personal Data is acquired and processed for the purposes and objectives of this Agreement.
(f) Delete – means to remove or obliterate Personal Data such that it cannot be recovered or restructured.
(g) EEA – means the European Economic Area.
(h) Personal Data – means any information relating to an identified or identifiable natural person (“data subject”), an identifiable natural person who can be identified, directly or indirectly.
(i) Services – means the activity carried out by Tes for the Customer.
(j) Special Category Data – means any Personal Data relating to the specific characteristics of the living individual, including their ethnic or racial identity, their political, ideological or religious preferences, or beliefs of a similar nature, their medical condition, sexual orientation, criminal record or trade union membership.
(k) Sub-processor – means any third-party or entity appointed by Tes to Process Customer Personal Data.
(l) Agreement – means this Data Processing Agreement and all Annexes.
(m) TOMs – means the technical and organisational measures as defined under the Applicable Data Protection Laws.
(n) Adequate Country – means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data.
2.1 Customer obligations
(a) Customer instructs Tes to process Personal Data in accordance with this DPA and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Tes to process Personal Data.
2.2 Tes' obligations Tes will:
(a) only process Personal Data in accordance with this DPA and Customer’s instructions (unless not legally required to do otherwise),
(b) not sell, retain, or use any Personal Data for any purpose other than as permitted by this DPA and the Schedule and Terms of Business,
(c) inform Customer immediately if (in its opinion) any instructions infringe Data Protection Laws,
(d) use the technical and organisational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved,
(e) notify Customer of any Personal Data Breach within the Breach Notification Period and provide assistance to Customer as required under Data Protection Laws,
(f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,
(g) without undue delay, provide Customer with reasonable assistance with:
(i) Data Protection Impact Assessments,
(ii) responses to Data Subject Requests to exercise their rights under Data Protection Laws, and
(iii) engagement with supervisory authorities where applicable,
(h) if requested, provide Customer with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
(i) allow for audits at Customer reasonable request, provided that audits are limited to once a year and during business hours except in the event of a Personal Data Breach, and
(j) return Personal Data upon Customer written request or delete Personal Data at the end of the Term unless further retention is legally required.
2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.
3.1 Use of sub-processors Customer authorises Tes to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Tes’ existing main sub-processors are listed in Annex 2.
3.2 Sub-processor requirements Tes will:
(a) ensure all of its sub-processors comply with terms equivalent to those of Tes in this DPA;
(b) enter into a written Agreement and ensure appropriate safeguards are in place before transferring Personal Data to its sub-processor;
(c) be liable for any acts, errors, or omissions of its sub-processors as if they were a party to this DPA; and,
(d) restrict the sub-processors access to Customer Data only to the data necessary to provide the services requested by Customer.
3.3 Notifications From time-to-time Tes may appoint new sub-processors, and will notify Customers of these changes through updating the Privacy Notice within a reasonable time period.
4.1 Instructions Tes may transfer Personal Data to a different territory only on documented instructions from Customers, unless otherwise required by Law.
5.1 Data Subject Rights Taking into account the nature of the processing, Tes shall assist Customer to fulfil its obligations, as reasonably understood by Customer to respond to requests to exercise Data Subject Rights under the Data Protection Laws. Tes shall:
(a) promptly notify Customer if it receives a request from a Data Subject under Appliable Data Protection Laws;
(b) ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which Tes is subject to, in which case Tes shall to the extent permitted by Applicable Data Protection Laws inform Customer of that legal requirement before responding to the request.
5.2 Personal Data Breach
(a) Tes shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet its obligations to report or inform Data Subjects and relevant authorities of the Personal Data Breach under the Data Protection Laws.
(b) Tes shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of a Personal Data Breach.
5.3 Deletion or return of Customer Personal Data Tes shall promptly and in any event within 30 days of the end date of the contract, as described in the Schedule and General Terms of Business, return and delete Customer Personal Data, unless otherwise stated below.
5.4 Audit Rights
(a) Tes shall make available to the Customer on request all information which is reasonably required to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the processing of Customer Personal Data.
(b) Tes shall, upon reasonable notice and at no cost to itself, allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
(c) The Customer shall, within one working day of the completion of any report, or their receipt of a report from their mandated auditor, provide said report or other document created in conjunction with any audit, at no cost to Tes in a machine-readable format free from any and all redactions or omissions thereby enabling Tes the reasonable opportunity to provide further evidence or query where applicable.
(d) In an event that any instruction provided by a Customer infringes the Applicable Data Protection Laws, Tes shall, in a reasonable time frame, notify the Customer of said infringement.
(e) In an event that any instruction provided by the Controller infringes the Applicable Data Protection Laws, Customer shall in a reasonable time frame notify Tes of said infringement.
5.5 Confidentiality Tes will ensure all employees and contractors authorised to process Personal Data on behalf of Customer have committed themselves to a level of confidentiality appropriate to the activities for which they are employed or engaged to undertake.
5.6 Entire Agreement This DPA supersedes all prior discussions and Agreements and constitutes the entire Agreement between the parties with respect to its subject matter, with neither party reliant upon any statement or representation of any person in entering into this DPA.
5.7 Termination
(a) This DPA will remain in full force until the termination in line with the termination requirements under the General Terms of Business,
(b) Any material amendments and updates to this DPA must be communicated in writing by Tes to the Customer.
(c) In any event that Applicable Data Protection Laws and where applicable any ancillary Laws change in a way that renders the Agreement inadequate, both parties agree to negotiate, in good faith to review this Agreement in light of the new Law.
5.8 Assignment Neither party can assign this DPA to another Party without the other Party's consent.
5.9 Waiver If a Party fails to enforce a right under this DPA, that is not a waiver of that right at any time.