
Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement or the Subscription Agreement or other written terms between Infomedia and the entity or person(s) identified as Customer in the relevant Agreement (“Customer”) for the purchase of services from Infomedia (defined in this DPA as “Services”) (the “Agreement”) and records the parties’ written agreement relating to the Processing of Personal Data (both as defined below).
DATA PROCESSING TERMS
1. DEFINITIONS AND INTERPRETATION
1.1. Definitions. The following definitions apply in this DPA:
Affiliates means, with respect to a legal entity, any other legal entity that directly or indirectly controls, is controlled by, or is under common control with that legal entity, where “control” means the power to direct or cause the direction of the management and policies of such legal entity, whether through the right to appoint or remove a majority of the board of directors (or equivalent governing body), ownership of voting securities, by contract, or otherwise.
Applicable Data Protection Laws means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including: (a) the European Data Protection Laws; (b) the Swiss Data Protection Laws; (c) the UK Data Protection Laws; (d) the US Data Protection Laws; (e) the Canadian Data Protection Laws; (f) the Australian Data Protection Laws; (g) the New Zealand Data Protection Laws; and (f) any other applicable data protection, privacy or personal information laws or regulations in any other jurisdiction in which Customer Personal Data is processed under this Agreement, in each case as updated, amended, replaced or superseded from time to time.
Australian Data Protection Laws means: (a) Privacy Act 1988 (Cth), including the Australian Privacy Principles contained in Schedule 1 of that Act and the Notifiable Data Breaches Scheme under Part IIIC of that Act; (b) the Spam Act 2003 (Cth); (c) the Telecommunications (Interception and Access) Act 1979 (Cth), to the extent applicable to the Processing of Personal Data; and (d) any other applicable Australian federal or state laws or regulations relating to the to the Processing of Personal Data, in each case as updated, amended, replaced or superseded from time to time.
Canadian Data Protection Laws means: (a) Personal Information Protection and Electronic Documents Act (PIPEDA) (and any successor legislation, including the Consumer Privacy Protection Act (CPPA) if and when in force), (b) Québec’s Act respecting the protection of personal information in the private sector (as amended by Law 25), (c) Alberta’s Personal Information Protection Act, (d) British Columbia’s Personal Information Protection Act, and all subordinate legislation, binding regulations, and guidance issued thereunder, in each case as amended, replaced or superseded from time to time.
Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Customer Personal Data means any Personal Data provided by, or on behalf of, Customer to Infomedia in connection with the Services, and includes for the avoidance of doubt, any Personal Data included in the attachments provided by Customer or its Data Sharers in any technical support requests.
Data Sharer means any individual or entity, including but not limited to the Customer’s clients, customers, end users or other third parties, which are authorised by the Customer to submit, share, or otherwise provide Personal Data or other information to the Customer, and where such Personal Data or information may be Processed by Infomedia in connection with the Services.
Deidentified Data means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
Europe means the Member States of the European Economic Area.
European Data Protection Laws means: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the ”EU GDPR”); and (b EU Directive 2002/58/EC on Privacy and Electronic Communications, in each case as updated, amended, replaced or superseded from time to time.
Infomedia means the Infomedia group entity which is a party to this DPA, being the entity which is the party to the Agreement.
New Zealand Data Protection Laws means: (a) the Privacy Act 2020 (NZ), including the Information Privacy Principles contained therein and the mandatory privacy breach notification obligations under Part 6 of that Act; and (b) any other applicable New Zealand laws or regulations relating to the processing of personal information, in each case as updated, amended, replaced or superseded from time to time.
Personal Data Breach means any act or omission that compromises either the security, confidentiality or integrity of Customer Personal Data transmitted, stored or otherwise processed by Infomedia that is likely to create a risk to the privacy rights or harm to any individual. Without limiting the foregoing, a material compromise shall include unauthorised access to or disclosure or acquisition of Personal Data.
Personal Data means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
Processing (and Process, Processed, process and processed) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Processor means an entity which Processes Personal Data on behalf of the Controller.
Restricted Transfer means a transfer of Customer Personal Data that is subject to (a) European Data Protection Laws from a country within Europe to a country outside Europe that is not subject to an adequacy decision by the European Commission, (b) Swiss Data Protection Laws from Switzerland to a country outside Switzerland that is not subject to an adequacy recognition by the Swiss Federal Data Protection and Information Commissioner, (c) UK Data Protection Laws from a country within the UK to a country outside the UK that is not subject to an adequacy decision by the Information Commissioner’s Office as applicable.
SCCs means the standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR.
Special categories of personal data or sensitive data means any Customer Personal Data: (a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (b) that is genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation; and (c) relating to criminal convictions and offences.
Sub-processor means any processor engaged by Infomedia to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement where such entity processes Customer Personal Data. Sub-processors may include Infomedia’s affiliates or other third parties.
Swiss Data Protection Laws means the Swiss Federal Act on Data Protection (as revised and in force from 1 September 2023) and its implementing ordinances, including the Data Protection Ordinance, in each case as updated, amended, replaced or superseded from time to time.
UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) issued by the Information Commissioner’s Office under S119(A)(1) of the UK’s Data Protection Act 2018, as amended, superseded or replaced from time to time.
UK Data Protection Laws means the EU GDPR as incorporated into UK law pursuant to Section 3 of the European Union (Withdrawal) Act 2018, together with the UK’s Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), in each case as updated, amended, replaced or superseded from time to time.
UK means England, Scotland, Wales and Northern Ireland.
US Data Protection Laws means all data protection or privacy laws and regulations applicable to Customer Personal Data in force within the United States as updated, amended, replaced or superseded from time to time, including but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (the “CCPA”), and any rules or regulations implementing the foregoing.
1.2. Interpretation.
1.2.1.Capitalised terms used but not defined in this DPA shall have the meanings given to them in the Agreement.
1.2.2.In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict.
1.2.3.In the event of any conflict between the SCCs and the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
2. TERM
The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Infomedia ceases all Processing of Customer Personal Data).
3. PROCESSING OF PERSONAL DATA
3.1. Description of Roles. For the purposes of this DPA, the parties agree that for the purposes of the Agreement:
(a) Customer is either a Controller of Customer Personal Data, or a Processor of Customer Personal Data acting on the instructions of another Controller (i.e. a Data Sharer or Customer Affiliate when passing processing instructions to Infomedia); and
(b) Infomedia is a Processor (or where applicable a Sub-Processor) in respect of its processing of Customer Personal Data disclosed to Infomedia for the purpose of Infomedia providing the Services.
3.2. Prohibited Data. Customer will not disclose (and will not permit any Data Sharer to disclose) any special categories of personal data or sensitive data (including “Protected Health Information” as defined by the United States Health Insurance Portability and Accountability Act) to Infomedia for processing.
3.3. Processing in accordance with Customer Instructions. Infomedia shall process Customer Personal Data as necessary to perform its obligations under the Agreement and strictly in accordance with the documented lawful instructions of Customer (including the terms of the Agreement), or as otherwise agreed in writing by the parties (the “Customer Instructions”). Infomedia shall not use, disclose or otherwise process the Customer Personal Data for any other purpose other than the Customer Instructions, except where otherwise required by any law applicable to Infomedia, and shall not “sell” the Customer Personal Data within the meaning of the CCPA or otherwise. Infomedia shall notify Customer, without undue delay, if it becomes aware that Customer Instructions infringe Applicable Data Protection Laws.
3.4. Details of the Processing. Infomedia’s Processing of Customer Personal Data is performed in relation to the Services (subject matter). The categories of Personal Data, duration, nature and purpose of the Processing are detailed in Annex 1 to this DPA.
3.5. Security. Infomedia shall implement appropriate technical and organisational measures to protect Customer Personal Data against a Personal Data Breach and to preserve the security integrity, availability and confidentiality of Customer Personal Data. Such measures are available on request by emailing security@infomedia.com.au. Customer acknowledges that Infomedia’s security measures are subject to technical progress and development and that Infomedia may update or modify these from time to time, provided that such updates and modifications do not materially decrease the overall security of the Customer Personal Data during the Agreement Term.
3.6. Personal Data Breach. Upon becoming aware of a Personal Data Breach, Infomedia shall notify Customer without undue delay by written notice with all relevant details reasonably available of the Personal Data Breach to allow Customer to fulfil its data breach reporting obligations under Applicable Data Protection Laws. Infomedia shall take further reasonable steps to contain, investigate and mitigate the effects of the Personal Data Breach. Infomedia’s notification of or response to a Personal Data Breach in accordance with this Section 3.6 will not be construed as an acknowledgement by Infomedia of any fault or liability with respect to the Personal Data Breach.
3.7. Confidentiality. Infomedia shall take reasonable steps to ensure that it has appropriate policies and procedures in place in relation to any person that it authorises to process Customer Personal Data (including Infomedia’s employees, agents and Sub-processors) and to ensure that such persons are subject to a duty of confidentiality.
3.8. Deletion or return of Customer Personal Data. Upon written request from Customer, Infomedia shall within ninety (90) days, anonymise, delete or return to Customer all Customer Personal Data in its possession or control. Notwithstanding the foregoing, Infomedia may retain Customer Personal Data (i) as required by applicable laws or (ii) in accordance with its standard backup or record retention policies, provided that, in either case Infomedia shall isolate and protect the Customer Personal Data from further processing except to the extent required by such law until deletion is possible, and Infomedia will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Personal Data. Customer acknowledges that there may also be circumstances in which one or more of its Data Sharers are Data Sharers of one or more other customers and in such circumstances, Infomedia will continue to process the applicable Customer Personal Data related to such Data Sharer(s) until a written request from such Data Sharer(s) is received by Infomedia in accordance with this Section 3.8.
3.9. Cooperation and data subjects’ rights. Infomedia shall provide reasonable assistance to Customer (at Customer’s expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that Infomedia processes on Customer’s behalf. In the event that any request, correspondence, enquiry or complaint is made directly to Infomedia, Infomedia shall promptly notify Customer and provide it with a copy of the request, unless legally prohibited from doing so.
3.10. Data Protection Impact Assessment. Infomedia shall provide reasonable assistance to Customer (at Customer’s expense) with undertaking an assessment of the impact of processing Customer Personal Data, and with any consultations with a data protection authority, if and to the extent an assessment or consultation is required to be carried out under the Applicable Data Protection Laws.
4. Audits.
4.1. Compliance program. Infomedia shall maintain an audit program to monitor its compliance with its obligations relating Customer Personal Data and shall make available to the Customer information which demonstrates compliance with its obligations under Applicable Data Protection Laws as detailed in this Section 4.
4.2. Access to information. Upon written request from Customer at reasonable intervals, Infomedia shall: (a) supply a copy of its third party certifications to the Customer so Customer can verify Infomedia’s compliance with applicable standards, and this DPA; and (b) respond to reasonable written audit questions submitted to it by Customer (such responses will be in the manner and form that Infomedia generally makes such responses available to its customers), provided that Customer shall not exercise this right more than once per year. Customer agrees that Customer shall exercise its rights under Clause 8.9 of the SCCs by instructing Infomedia to comply with the audit measures described in this Section 4.
4.3. On-site audit. Solely to the extent that Infomedia cannot reasonably satisfy its compliance with this DPA through the provision of information under Section 4.2, Infomedia shall agree to a mutually agreed-upon audit plan with Customer that: (i) involves the use of an independent third party auditor; (ii) provides Infomedia with at least sixty (60) days written notice (unless Applicable Data Protection Law or a regulatory authority requires a shorter notice period); (iii) requests access only during business hours; (iv) accepts billing to Customer at Infomedia’s then-current rates; (v) occurs no more than once annually; (vi) restricts its findings to only Customer Personal Data; and (vii) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential. All such audits shall be conducted acting reasonably and in good faith and in a proportionate manner taking into account the nature of complexity of the Services and the compliance issue in question.
4.4. Auditors: Third-party auditors are to be engaged at the Customer’s expense, must not be competitors of Infomedia, and must enter into a suitable non-disclosure agreement with Infomedia prior to receiving any of Infomedia’s confidential information.
4.5. Audit scope: Customer acknowledges that the Services are provided in a multi-tenant cloud environment and on-site audits have the potential to impact on the provision of services to other customers. Customer agrees that Infomedia shall have the right to require that the audit scope is designed in a way which avoids or mitigates risks relating to the security, confidentiality and availability of the services and other customers’ data and any applicable service levels.
5. CUSTOMER OBLIGATIONS.
Without limiting Customer’s other obligations under the Agreement, Customer shall:
5.1. comply at all times with the Applicable Data Protection Laws in its processing of Customer Personal Data, including (but not limited to) when Customer discloses Customer Personal Data to Infomedia under the Agreement, and provides Infomedia with such cooperation, assistance and information as Infomedia may reasonably request to comply with its obligations under the Applicable Data Protection Laws;
5.2. ensure that any Customer Instructions it issues to Infomedia comply with the Applicable Data Protection Laws;
5.3. ensure that it has provided notice and obtained (or will obtain) all consents legal bases and rights necessary under Applicable Data Protection Laws to process Customer Personal Data (including, but not limited to, any special categories of data) and to enable Infomedia to provide the Services pursuant to the Agreement (including this DPA);
5.4. ensure that any Customer Personal Data provided to Infomedia is limited to only what is necessary in order for Infomedia to provide the Services and such Customer Personal Data is accurate and up-to-date to the best of Customer’s knowledge at the time that it is provided to Infomedia;
5.5. use all reasonable endeavours to promptly notify Infomedia upon becoming aware that Customer Personal Data has become inaccurate or out of date;
5.6. not do or permit to be done anything within its knowledge or control which may cause or otherwise result in Infomedia being in breach of the Applicable Data Protection Laws; and
5.7. be responsible for ensuring that its Processing instructions as set out in the Agreement and this DPA, including its authorisations to Infomedia for the appointment of Sub-processors in accordance with this DPA, have been authorised by the relevant Controller. Customer shall also be solely responsible for forwarding any notifications received from Infomedia to the relevant Controller where appropriate.
6. SUB-PROCESSORS.
6.1. General Authorisation. By entering into this DPA, Customer provides a general authorization for Infomedia to engage Sub-processors to process Customer Personal Data. Infomedia shall ensure that: (a) there is a written agreement in place with each Sub-processor that imposes terms and conditions that require the relevant Sub-processor to protect Customer Personal Data to the standard required by the Applicable Data Protection Laws and to the same standard as this DPA; and (b) it remains responsible to Customer for the performance of such Sub-processors data protection obligations under such terms and conditions.
6.2. Current Sub-Processors and notice of new Sub-Processors. Infomedia’s Sub-processor list is available to Customer on request by emailing security@infomedia.com.au. Customers can subscribe to notifications of new sub-processors by emailing security@infomedia.com.au. Infomedia shall notify subscribed Customers if it adds or replaces any new Sub-processors at least 30 days before the proposed addition or replacement to provide the Customer with the opportunity to raise any reasonable objections on grounds of data protection (e.g. concerns regarding the Sub-processor’s ability to comply with Applicable Data Protection Laws, security or location in a high-risk jurisdiction). Objections cannot be made for arbitrary reasons or those which do not relate to data protection. If Customer objects to the appointment of any new Subprocessor and Infomedia is unable to perform its Services without this new Subprocessor and cannot propose a suitable alternative Sub-processor, Customer shall as it sole and exclusive remedy have the right to terminate the Customer’s use of the only the Service(s) subject to the Sub-processing under the Agreement.
7. RESTRICTED TRANSFERS.
The parties agree that when the transfer of Customer Personal Data from Customer (as “data exporter”) to Infomedia (as “data importer”) is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards be put in place, it shall be subject to the SCCs, which shall be deemed incorporated into and form part of this DPA, as follows:
7.1. European Transfers
(a) In relation to Restricted Transfers of Customer Personal Data protected by the EU GDPR and processed by Infomedia as a Processor in accordance with Section 3 of this DPA, the SCCs shall apply and be completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes is as set out in Section 6.2 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;
(vi) in Clause 18(b), disputes will be resolved before the courts of Germany; and
(vii) the Annexes of the SCCs shall be populated with the information set out in the corresponding Annexes to this DPA;
7.2. United Kingdom Restricted Transfers
In relation to Restricted Transfers of Customer Personal Data protected by the UK GDPR, the SCCs will apply as completed in accordance with Sections 7.1 of this DPA and are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming a part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed with the relevant information set out in Sections 7.1(a) and (b) of this DPA, as well as the Annexes to this DPA and Table 4 in Part 1 of the UK Addendum is deemed completed by selecting “neither party”. Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
7.3. Swiss Restricted Transfers
In relation to Restricted Transfers of Customer Personal Data that is subject to Swiss Data Protection laws, the SCCs will apply in accordance with Sections 7.1(a) and (b) of this DPA, with the following amendments:
(a) any references to “Regulation (EU) 2016/670” will be replaced with references to the Swiss Data Protection Laws, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent Article(s) or Section(s) of the Swiss Data Protection Laws;
(b) any references to “EU”, “Union”, “Member State” and “Member State Law” will be replaced with references to Switzerland and Swiss Law, as applicable;
(c) Clause 13 will be amended to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss Data Protection Laws;
(d) references to the “competent supervisory authority” and “competent courts” will be replaced with references to the FDPIC and competent courts in Switzerland, respectively;
(e) Clause 17 is amended to provide that the SCCs will be governed by the laws of Switzerland;
(f) Clause 18(b) is amended to provide that disputes will be resolved before the applicable courts of Switzerland; and
(g) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c) of the SCCs.
8. OVERSEAS TRANSFERS UNDER AUSTRALIAN AND NEW ZEALAND PRIVACY LAWS
8.1. In relation to transfers of Customer Personal Data subject to Australian Data Protection Laws to an overseas recipient, Infomedia will take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in respect of that Customer Personal Data, in accordance with Australian Privacy Principle 8.2, unless an exception under the Australian Data Protection Laws applies.
8.2. In relation to transfers of Customer Personal Data subject to New Zealand Data Protection Laws to an overseas recipient, Infomedia will take reasonable steps to ensure that the overseas recipient protects the Customer Personal Data in a manner that, overall, provides comparable safeguards to those required under the New Zealand Data Protection Laws, in accordance with Information Privacy Principle 12, unless an exception under the New Zealand Data Protection Laws applies.
8.3. For the purposes of Sections 8.1 and 8.2, where Infomedia has entered into contractual arrangements with overseas Sub-processors that impose data protection obligations equivalent to those required under the applicable Australian or New Zealand Data Protection Laws, Infomedia shall be deemed to have taken reasonable steps for the purposes of this Section.
9. US DATA PROTECTION LAWS
The following terms apply where Infomedia Processes Customer Personal Data subject to the US Data Protection Laws:
9.1. To the extent Infomedia ProcessesCustomer Personal Data as a Processor (or “Service Provider” as defined under the CCPA) on behalf of Customer, Infomedia will Process and protect such Customer Personal Data in accordance with the US Data Protection Laws and Customer Instructions, as necessary for the limited and specified purposes identified in Annex 1: Description of Processing.
9.2. Infomedia will not:
(a) retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than Customer’s Instructions or as otherwise permitted under US Data Protection Laws;
(b) “sell” or “share” such Customer Personal Data within the meaning of US Data Protection Laws; and
(c) retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal data that it receives from other sources, except as permitted under US Data Protection Laws.
9.3. Infomedia will inform Customer if it determines that it can no longer meet its obligations under US Data Protection Laws
9.4. Customer may take reasonable and appropriate steps to stop and remediate any unauthorised Processing of Customer Personal Data.
9.5. To the extent Customer discloses or otherwise makes available Deidentified Data to Infomedia or to the extent Infomedia creates Deidentified Data from Customer Personal Data, in each case in its capacity as a Processor or Service Provider, Infomedia will maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, or permit any third party to re-identify the Deidentified Data.
10. CANADIAN DATA PROTECTION LAWS
The following terms apply where Infomedia Processes Customer Personal Data subject to the Canadian Data Protection Laws:
10.1. Infomedia will Process and protect such Customer Personal Data in accordance with the Canadian Data Protection Laws and Customer Instructions, as necessary for the limited and specified purposes identified in Annex 1: Description of Processing.
10.2. Infomedia will not:
(a) collect, use, or disclose such Customer Personal Data for any purpose other than those specified in the Customer Instructions or as otherwise permitted under Canadian Data Protection Laws;
(b) sell, share, or otherwise disclose such Customer Personal Data to any third party except as required to perform the Services, as directed by Customer, or as required by applicable law; and
(c) use such Customer Personal Data outside of its direct business relationship with Customer, or combine such Customer Personal Data with personal data received from other sources, except as permitted under Canadian Data Protection Laws.t
10.3. Infomedia will inform Customer if it determines that it can no longer meet its obligations under Canadian Data Protection Laws, and Customer may take reasonable and appropriate steps to stop and remediate any unauthorised Processing of such Customer Personal Data.
11. THIRD PARTY REQUESTS.
Except to the extent prohibited or limited by law, Infomedia will promptly notify the Customer of any valid and enforceable legal process or governmental request requiring disclosure of Customer Personal Data. If Infomedia receives an inquiry or information request from any other third party (including a regulator or data subject) relating to the Processing of Customer Personal Data, to the extent it is permitted to do so by law, Infomedia will refer the inquiry to the Customer and will not disclose any information unless legally required to do so.
12. EXCLUSIONS AND LIMITATIONS OF LIABILITY.
Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s Affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.
ANNEX 1 DESCRIPTION OF THE PROCESSING ACTIVITIES / TRANSFER
ANNEX 1A: LIST OF PARTIES
Data exporter
Name: Customer (as identified in the Agreement).
Address: Customer’s address (as identified in the Agreement).
Contact Person’s name, position and contact details: Customer Contact Name and corresponding details (as identified in the Agreement).
Activities relevant to the transfer: Refer to Annex 1B below.
Role: Controller
Data importer
Name: The Infomedia contracting entity (as identified in the Agreement).
Address: The Infomedia contracting entity’s address (as identified in the Agreement).
Contact Person’s position and contact details: Data Protection Officer, privacy@infomedia.com.au
Activities relevant to the transfer: Refer to Annex 1B below.
Role: Processor
ANNEX 1B: DESCRIPTION OF PROCESSING / TRANSFER
Categories of data subjects
Customer may submit Personal Data in connection with the Services, the extent and nature of which is decided by the Customer in its sole discretion, which may include but is not limited to Personal Data relating to:
- Individuals who are, or are the contacts for, Data Sharers
- Individuals who are, or are the contacts for, potential customers, customers, business partners and suppliers to the Customer and Data Sharers
- Employees, contractors, agents, advisors and other personnel engaged by the Customer and Data Sharers
Categories of personal data
Customer may submit Personal Data in connection with the Services, the extent and nature of which is decided by the Customer in its sole discretion, which may include but is not limited to Personal Data relating to:
- First and last names
- Job titles
- Employer information
- Contact information including email, phone and physical address
- ID data
- Vehicle information, including vehicle usage history and related data
- Localisation data
Special categories of personal data
None
Frequency of the transfer
Continuous.
Nature and purpose of the processing
The nature of processing of personal data is to enable the provision of the Services and related support as set out in the Agreement and related documentation.
Purpose of the processing
Infomedia will process the Personal Data in accordance with the Customer’s documented instructions to: (a) provide, support and improve the Services; (b) enforce the Agreement; and (c) comply with its legal obligations.
Duration of the processing
Processing of the personal data will continue for the duration of the Agreement together with any permitted period of use post termination or expiry.
ANNEX 1C: COMPETENT SUPERVISORY AUTHORITY
The data exporter’s competent supervisory authority will be determined in accordance with the Applicable Data Protection Laws.
ANNEX 2
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Infomedia implements a variety of technical and organisational security measures, the details of which are set out in the Infomedia Compliance Guide.
ANNEX 3
LIST OF SUB-PROCESSORS
Infomedia’s Sub-processor list is available to Customer on request by emailing security@infomedia.com.au.
Last Modified May 2026