Issues for insurance brokers when their clients enter into commercial contracts

Introduction

It is the role of an insurance broker to ensure that their clients obtain adequate insurance cover to meet the needs of their individual circumstances and those of their businesses. However, what should a broker do if their clients come to them with lengthy or complex commercial contracts which propose a host of onerous insurance requirements?

Firstly, it is up to the broker to decide whether it is within the scope of their expertise to advise their clients on contractual clauses relating to insurance. If the broker agrees to look at their clients’ contracts on their behalf and provide advice, then they need to be aware that their clients are entitled to rely on that advice and make commercial decisions accordingly. If that advice turns out to be incorrect and the client suffers a loss as a result, for example, by finding themselves under-insured or uninsured, then the broker may be exposed to a professional indemnity claim.

Whilst it is part of a broker’s role to have a basic understanding of the legal and insurance implications of common contractual terms, so as to place adequate cover on behalf of their clients, there will be many circumstances in which it will be in their clients’ best interests to obtain comprehensive legal advice and representation from an insurance lawyer. The key for brokers is to identify when they are out of their depth and when it is necessary to refer their clients to a suitably qualified legal professional.
Duties of insurance brokers

The obligations of an insurance broker are concisely summarised in Caldwell v JA Neilson Investments Pty Ltd:

“103 There is considerable authority to the effect that an insurance broker must use reasonable skill and care to ascertain its customer’s need by instructions or otherwise: see, for example, Provincial Insurance Australia Pty Ltd v Consolidated Wood Products Pty Ltd (1991) 25 NSWLR 541 at 555–556, Fanhaven Pty Ltd v Bain Dawes Northern Pty Ltd (1982) 2 NSWLR 57 at 62. A broker must use reasonable care and skill to procure the cover that the customer has asked for, either expressly or by implication. If the broker cannot obtain what is required, it must report in what respects it has failed and seek the customer’s alternative instructions: Youell v Bland Welch & Co Ltd (The “Superhulls Cover” Case (No. 2)) 2 Lloyds Rep 434 at 445, Harvest Trucking Company Ltd v P B Davis 2 Lloyds Rep 638; Aneco Reinsurance Underwriting Ltd (In Liq) v Johnson & Higgins Ltd 1 Lloyd’s Rep 565 at 590. (Emphasis added).”

The above has been noted in recent authorities including the New South Wales Court of Appeal decision, Horsell International Pty Ltd v Divetwo Pty Ltd. The duty for brokers to act with reasonable skill and care is significant. It includes having a reasonable knowledge of insurance law, at least to the extent necessary to ‘procure the cover that the customer has asked for, either expressly or by implication’. This concept is discussed in the case of Provincial Insurance Australia Pty Ltd v Consolidated Wood Products Pty Ltd (1991), in which Kirby P (as his Honour then was) stated:

“2. The foregoing duty [to exercise proper care and skill] does not extend to expounding the law to the insured. But it does extend to pointing out legal pitfalls which might arise in the course of effecting a valid insurance cover and in securing cover for the risk necessary to the insured’s disclosed or ascertained needs…”

Accordingly, it is important for brokers to keep abreast of developments in insurance law so that they can properly advise their clients or, alternatively, identify when it is more appropriate to refer their clients to an insurance lawyer. The latter is advisable when the contract contains some of the types of difficult insurance clauses (such as those discussed below); where the contract is lengthy or complex in nature; or where the broker has any doubt about their ability to provide accurate advice. If a broker is sued for professional negligence, the Courts will look at what a ‘reasonable broker’ would have done in the same circumstances.

Discharging duties of insurance brokers

There are some straightforward steps that brokers can take to discharge the duties they owe to clients. Brokers should take reasonable steps to obtain a policy that meets their clients’ needs. To be able to do this, the broker must first understand their clients’ needs. This involves asking the right questions about their clients’ business operations and requesting copies of any contracts that their clients have entered into or are considering entering into. Such information is not always volunteered and may take a bit of probing.

Once a policy has been obtained, brokers should draw their clients’ attention to any onerous or unusual terms and conditions contained in the policy. It is not acceptable for brokers to simply renew policies and send out policy wordings without any explanation. Rather, a broker must explain the areas of exposure and uninsurable exposure and discuss major exclusions, cover restrictions and sub-limits.
As mentioned above, it is also necessary for brokers to have a basic understanding of liability and insurance law and keep up-to-date with developments in the industry. In many cases, a broker can discharge their duty by simply advising their client to obtain legal advice.

Insurance clauses commonly contained in commercial contracts

Limits of Indemnity

Many commercial contracts will stipulate what limits of indemnity the contracting parties need to have in place under their various insurance policies. However, these may be higher or lower than the client’s current levels of cover. Brokers should carefully compare the limits of indemnity stated under the contract against their clients’ existing policies to determine any gap in coverage. It is also important for brokers to consider whether the contractual limits of indemnity are reasonable in light of the work that their clients will be undertaking and the size of their business. It is often a good idea for brokers to speak directly to the insurers, prior to their clients agreeing to any contractual limits of indemnity, to ensure that they will be able to obtain adequate coverage, as required under the contract. Alternatively, the terms of the contract can be negotiated on behalf of the client.

Indemnity Clauses

An indemnity by one contracting party to another is merely an agreement that that party will cover any loss or damage suffered by the other party in certain circumstances. Indemnity clauses are often the most contentious clauses contained in commercial contracts, giving rise to disputes between contracting parties themselves and/or contracting parties and their insurers.
For brokers, it is important to advise their clients that, by agreeing to comprehensive indemnity clauses in favour of third parties (such as, principal contractors, sub-contractors and other third parties), they may be prejudicing their insurer’s ability to exercise its rights of subrogation under the policy (that is, the insurer’s right to recover its losses from liable third parties in the name of the insured). In such cases, depending on the facts, an insurer may decide to decline liability for such losses on the basis that the insured has forfeited its rights of recovery. Indemnity clauses also tend to be at odds with policy exclusions for ‘contractually assumed liabilities’. Such exclusions generally state that the policy will not respond to the extent that the insured has assumed a greater liability than that which would otherwise apply at law. In other words, the insurer will ask: if you put the contract to one side, would the insured still be liable at law? This question is not often straightforward and may require a comprehensive legal analysis of tort and statute law. In order for brokers to protect their client’s interests, they can request an endorsement to the policy to ensure adequate coverage in line with their client’s contract. However, in many cases insurers will not agree to this or else they significantly increase the client’s premium to the extent that it is not affordable. Another option is for brokers to attempt to remove or negotiate the indemnity clause on behalf of their client or recommend that a lawyer be engaged for this task. In our experience, it is usually advisable for brokers to encourage their clients to seek legal advice where indemnity clauses are concerned. 
Contracting out of proportionate liability

Proportionate liability is the principle whereby a liable party will only pay damages proportional to the extent of their own personal responsibility for the loss in question (which is mostly limited to certain types of economic loss). It operates throughout Australia; however, it may differ between states according to each state’s legislation. In general, the proportionate liability scheme favours potential defendants to legal proceedings because they will have a greater scope to limit their liability. It disadvantages potential claimants because, in order to recover their loss, they will need to pursue a claim against each and every liable party, rather than being able to recover 100% of their loss from any one liable party.

In many cases, principal contracting parties may feel disadvantaged by the proportionate liability regime and seek to include a clause in their contracts to the effect that the parties agree to “contract out” of proportionate liability, that is, agree, to the extent permitted by law, that the proportionate liability regime in their applicable state will not apply. In many cases, such “contracting out” clauses can be disadvantageous for clients who are sub-contracting parties (although each situation must be examined individually), particularly if their insurance policies contain an exclusion for ‘contractually assumed liabilities’. To recap, such exclusions generally state that the policy will not respond to the extent that the insured has assumed a greater liability than that which would otherwise apply at law. Therefore, by contracting out of proportionate liability, an insured may, without realising, trigger the ‘contractually assumed liabilities’ exclusion, causing the policy not to respond.
In such circumstances, brokers should consider either negotiating the terms of their clients’ contract on their behalf (or referring their clients to an insurance lawyer) or, alternatively, arranging separate “gap policies” or negotiating existing insurance policies so that adequate cover is provided.

The ‘Joint Insured’ clause

Brokers and their clients should also be aware of any clause that requires the client to name another contracting party as a ‘Joint Insured’ under their insurance policy. This means that both the client and the other contracting party will effectively share the same policy, cover limits and rights to make a claim. We tend to recommend against such clauses, depending on individual circumstances, as it is usually advisable for parties to arrange their own insurance so that they have a say in the terms of the policy and improve the prospects of the policy being enforceable.

One of the biggest pitfalls with naming joint insureds is that all of the named insured entities are usually bound by the duties and obligations of the other named insureds under the insurance contract upon its terms. This means that if one party breaches the terms of the policy, the other party could, depending on the policy wording, be denied cover. For this reason, it is preferable for parties to arrange their own separate policies so that their coverage is not dependent upon the acts or omissions of another party.

Another issue with the ‘Joint Insured’ clause is that insurers will generally only agree to such a clause if both parties have similar interests in the subject matter of the policy. Brokers will need to make enquiries with underwriters to ensure that sufficient coverage is able to be obtained to meet the insurance requirements stipulated in their client’s contract. If coverage is not readily available, then the terms of the contract should be revised on behalf of the client.
Summary

An insurance broker owes a duty to their clients to use reasonable care and skill when obtaining coverage for their clients. In many cases, brokers can discharge this duty by recommending, where appropriate, that their clients seek legal advice. LMI Legal offers a comprehensive contract review service should you or your clients require assistance. For further information, please contact us on (02) 8404 0550.

Lauren Wakeling
Director, LMI Legal
August 2014
THE PROCESSING OF PERSONAL DATA: AGREEMENT
(GDPR and EU Standard Contractual Clauses)
This Agreement is made between:
You (including Your Authorised Affiliates) as Customer and as Controller of Personal Data
Us as Processor of Personal Data
for Your purchase from Continuity Coach Pty. Ltd. of Our online products and services (including any associated offline or mobile components), (the Services), and constitutes the Parties’ agreement with regard to the use of Our Website and the Processing of Personal Data.
All capitalised terms shall have the meanings set out within this Agreement.
In consideration of the mutual obligations set out below, the Parties hereby agree to the terms and conditions of this Agreement.
You enter into the Agreement on behalf of Yourself and, to the extent required under applicable Data Protection Laws and Regulations (including Applicable Laws as defined herein), in the name and on behalf of Your Authorized Affiliates, if and to the extent We process Personal Data for which such Authorized Affiliates qualify as Controller. For the purposes of this Agreement only, unless indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates.
The Parties acknowledge and agree, as regards the use of Our Website and Processing of Personal Data, to comply with the following provisions regarding Personal Data, and act reasonably and in good faith:
- Your Processing of Personal Data: In using Our Services and Website, You will Process Personal Data in accordance with the requirements of all relevant Data Protection Laws and Regulations and all Applicable Laws. That is, Your instructions for Processing of Personal Data shall comply with all such Laws and Regulations. You have sole responsibility for the accuracy, quality and legality (including obtaining all relevant consents) of Personal Data and the method by which You acquired Personal Data.
- Our Processing of Personal Data: In providing the Services to You under this Agreement, We may Process Personal Data on Your behalf. We shall treat Your Personal Data as confidential information and only Process Personal Data on Your behalf to allow You to assess and manage Your risks and in accordance with instructions You provide in writing to Us and/or by Your access and/or use of Our Services as agreed with Us. We do not engage sub-processors to undertake any of Our processing operations under this Agreement.
- Details of the Processing: The subject matter of Processing of Personal Data by Us in performing the Services under this Agreement, as well as the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Agreement are specified in Schedule 1 (Details of the Processing of Your Personal Data) of this Agreement.
- Data Subject Request: To the extent legally permitted, We shall promptly notify You if We receive a request from a Data Subject to exercise its right of access, right to rectification, restriction of Processing, right of erasure (that is, to be forgotten), data portability, right to object to Processing, or right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, We shall assist You with appropriate technical and organisational measures, as far as possible, to fulfil Your obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. Also, to the extent that You, in using the Services, are unable to address a Data Subject Request, We shall on Your request provide commercially reasonable efforts to assist You in responding to such Data Subject Request, to the extent We are legally permitted, and the response to such Data Subject Request is required under Data Protection Laws and Regulations. You are responsible for any costs of Our provision of such assistance to the extent legally permitted.
- Confidentiality: We shall ensure that Our personnel engaged in Processing of Personal Data are informed of the confidential nature of that Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. We shall also ensure such confidentiality obligations survive termination of Our relevant personnel’s engagement.
- Reliability: We shall take commercially reasonable steps to ensure the reliability of Our personnel engaged in Processing of Personal Data.
- Limitation of Access: We shall ensure Our access to Personal Data is limited to the personnel requiring such access to perform their duties under this Agreement.
- Data Protection Officer: Our data protection officer, appointed under the Data Protection Laws and Regulations, may be reached at email: DPO@LMIGroup.com
- Security (controls for protection of Personal Data): We maintain physical, administrative and technical safeguards designed to protect the security (such as protection against: unauthorised or unlawful Processing; accidental or unlawful destruction, loss, alteration or damage; unauthorised access or disclosure of Customer Data), as well as the confidentiality and integrity of Customer Data, including Personal Data, in accordance with Schedule 2 (Standard Contractual Clauses). During the term of this Agreement, We will not materially decrease the overall security of the Services.
- Security (breach management and notification): We maintain security incident management policies and procedures. We shall notify You without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure of Customer Data, including Personal Data, stored, transmitted or otherwise Processed by Us (“Customer Data Incident”). We shall undertake reasonable endeavours to identify the cause of any Customer Data Incident and take such steps as We deem reasonable and necessary to remediate that cause (to the extent the remediation is within Our reasonable control). Our obligations shall not apply to incidents caused by You or Your Users.
- Return and Deletion of Customer Data: To the extent legally permitted, We shall return (where applicable) and delete all Customer Data within twelve (12) months from the expiry date of Our agreement with You or in accordance with any other timeframe and procedures which may be agreed with You.
- Additional Terms for Standard Contractual Clauses (SCC) Services
- Customers covered by the Standard Contractual Clauses (SCC): The SCC and the additional terms set out in this Clause (a) apply to: (i) the legal entity that has entered into the SCC as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of Customer established within the European Economic Area, Switzerland and the United Kingdom, which have agreed to the SCC Services. For the purposes of the SCC and this Clause the above entities are deemed “data exporters”.
- Instructions: This Agreement constitutes the Customer’s complete and final instructions at the time of entering the Agreement with Us for Processing Personal Data. Any other instructions must be agreed separately. For the purposes of Clause 5(a) of the SCC the following is deemed an instruction by the Customer to process Personal Data: (a) Processing pursuant to the Agreement; (b) Processing initiated by Users in using the SCC Services and (c) Processing to comply with other reasonable instructions provided by Customer (such as via email) which are consistent with the terms of the Agreement.
- Audits and Certifications: The Parties agree that the audits described in Clause 5(f) and Clause 11(2) of the SCC shall be carried out in accordance with the following provisions: Upon the Customer’s request, and subject to the confidentiality obligations in the Agreement, We shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Ours and has signed a nondisclosure agreement reasonably acceptable to Us) information regarding Our compliance with the obligations under this Agreement. Following any notice by Us to the Customer of an actual or reasonably suspected unauthorised disclosure of Personal Data, upon Customer’s reasonable belief that We are in breach of Our obligations of protection of Personal Data under this Agreement or if such audit is required by the Customer’s Supervisory Authority, the Customer may contact Us via email: DPO@LMIGroup.com to request an audit at Our premises of the procedures relevant to the protection of Personal Data. Any such request shall occur no more than once annually, save for any actual or reasonably suspected unauthorised access to Personal Data. Customer shall reimburse Us for any time expended for such on-site audit at Our then-current professional services rates, which shall be provided to Customer on request. Before commencement of any such on-site audit, We and Customer shall mutually agree upon the audit’s scope, timing, and duration as well as the reimbursement rate for which Customer shall be responsible. Reimbursement rates shall be reasonable, taking account of the resources expended by Us. Customer shall promptly notify Us with information regarding any non-compliance discovered in the course of an audit.
- Certification of Deletion: The Parties agree that the certification of deletion of Personal Data as described in Clause 11(1) of the SCC shall be provided by Us to Customer only upon Customer’s request.
- Conflict: In the event of any conflict or inconsistency between this Agreement and any of its Schedules (not including the SCC) and the SCC in Schedule 2 (refer above), the SCC shall prevail.
- Definitions: In this Agreement, the following terms shall have the meanings set out below and similar terms shall be construed accordingly.
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Applicable Laws means (a) European Union or member state laws with respect to Personal Data which is subject to EU Data Protection Laws; and (b) any other applicable law with respect to Personal Data which is subject to any other Data Protection Laws.
Authorized Affiliate means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Us, but has not signed an agreement with Us and is not a “Customer” as defined in the Agreement.
Continuity Coach Pty. Ltd. means Us as the Processor of Personal Data under this Agreement.
Controller means the entity which determines the purposes and means of Processing of Personal Data.
Customer Data means what is defined in the Agreement as Customer Data or Your Data.
Data Protection Laws and Regulations means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under this Agreement.
Data Subject means the individual to whom Personal Data relates.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Parties means You and Us.
Personal Data means any information relating to (a) an identified or identifiable natural person and (b) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (a) or (b), such data is Customer Data.
Processing means any operation or set of operations which is performed upon Personal Data, whether by automatic means or otherwise, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Processor means the entity which Processes Personal Data on behalf of the Controller.
Standard Contractual Clauses and SCC means the contractual clauses set out in Schedule 2 which are entered into by Customer and Us pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Supervisory Authority means an independent public authority which is established by an EU member state pursuant to the GDPR.
We, Us, Our means Continuity Coach Pty. Ltd.
You, Your, Yours means the Customer and Controller and includes Your Users, related entities and Authorised Affiliate(s).
The terms “commission” and “member state” shall have the same meaning as in the GDPR, and their like terms shall be construed accordingly.
- Legal Effect: This Agreement shall only become legally binding between the Parties when You have carefully considered and accepted all its provisions and You have provided your consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process. As Processor, Continuity Coach Pty. Ltd. confirms that this Agreement commences upon the due and proper completion of Your online registration.
List of Schedules/Appendices
Schedule 1: Details of the Processing of Your Personal Data
Schedule 2: Standard Contractual Clauses
Appendix 1 to the Standard Contractual Clauses
Appendix 2 to the Standard Contractual Clauses
SCHEDULE 1 – DETAILS OF THE PROCESSING OF YOUR PERSONAL DATA
Nature and Purpose of Processing
Continuity Coach Pty Ltd (We/Us) will process Personal Data as necessary to perform the Services pursuant to this Agreement and as instructed by You, including the provision to You of Our online storage vault which enables You to:
- Input, record and manage Your data in a private and secure online environment.
- Enter details including Personal Data of Your employees and third parties for retrieval and use as and when You require, such as Your assignment of specific tasks to employees, the management and mitigation of Your business risks.
- Access Your own safe online environment for other purposes without the need to input Personal Data if required.
Duration of Processing
We will Process Personal Data for the duration of this Agreement, unless otherwise agreed with You in writing.
Categories of Data Subjects
You may submit Personal Data to Us (as determined and controlled by You in Your sole discretion) which may include (but is not limited to) Personal Data relating to the following categories of data subjects:
- You, Your business partners, vendors and subcontractors (who are natural persons);
- Employees or contact persons of Your customers, business partners, vendors and subcontractors;
- Employees, agents, advisors and contractors of Yours (who are natural persons); and
- Your Users, as authorized by You to use the Services.
Type of Personal Data
You may submit Personal Data to Us (as determined and controlled by You in Your sole discretion) which may include (but is not limited to) the following categories of Personal Data:
- First and Last name
- Contact information (company, email, phone, physical business address)
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
You, as Controller and Customer pursuant to the Agreement with Us and as fully identified by You on entering this Agreement via the details of Your online Registration
(the data exporter)
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Definitions
For the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (h), Clause 5(a) to (e), and (g), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 11 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 11, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, unless the Clauses contain commercial information, in which case it may remove such commercial information; and
- that it will ensure compliance with Clause 4(a) to (h).
Obligations of the data importer
The data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly notify the data exporter about:
  - any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
  - any accidental or unauthorised access, and
  - any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the Clauses, unless the Clauses contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 by any party is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer of any of their obligations referred to in Clause 3, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
  - to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
  - to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it preventing the conduct of an audit of the data importer pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer warrants that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
These Contractual Clauses shall only become legally binding between the parties when the data exporter has carefully considered and accepted them and has provided its consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process.
As the data importer, Continuity Coach Pty. Ltd. confirms its acceptance of the Contractual Clauses upon the data exporter’s due and proper completion of the online registration.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and entered into by the parties via the data importer’s (Continuity Coach Pty. Ltd.’s) online registration process.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter will access the data importer’s online storage vault service for any (or all) of the following purposes:
- Input, record and manage its data in a private and secure online environment.
- Enter details including personal data of its employees and third parties for retrieval and use as and when required, such as the assignment of specific tasks to employees, the management and mitigation of its business risks.
- Access its own safe online environment for other purposes without the need to input personal data if required.
The data importer (Continuity Coach Pty. Ltd.) is a provider of the abovementioned online storage vault service which processes personal data upon the instruction of the data exporter in accordance with the terms of the parties’ Agreement.
The personal data transferred concern the following categories of data subjects:
Determined at the data exporter’s sole discretion, and may include (but is not limited to) Personal Data relating to:
- Prospects, customers, business partners, vendors and subcontractors of the data exporter (who are natural persons)
- Employees or contact persons of the data exporter’s customers, business partners, vendors and subcontractors
- Employees, agents, advisors, freelancers of the data exporter (who are natural persons), and their family members
- The data exporter’s Users authorised by the data exporter to use the Services
Categories of data
The personal data transferred concern the following categories of data: the data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include (but is not limited to) the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- Localisation data
The personal data transferred will be subject to the following basic processing activities:
The objective of the Processing of Personal Data by the data importer is the performance of the SCC Services pursuant to the Agreement.
The provisions of this Appendix 1 shall only become legally binding between the parties when the data exporter has carefully considered and accepted them and has provided its consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process.
As the data importer, Continuity Coach Pty. Ltd. confirms its acceptance of the provisions of this Appendix 1 upon the data exporter’s due and proper completion of the online registration.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and entered into by the parties via the data importer’s (Continuity Coach Pty. Ltd.’s) online registration process.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
- General Controls. Continuity Coach Pty. Ltd. shall implement measures designed to:
  - deny unauthorised persons access to data-processing equipment used for processing Personal Data (equipment access control);
  - prevent the unauthorised reading, copying, modification or removal of data media containing Personal Data (data media control);
  - prevent the unauthorised input of Personal Data and the unauthorised inspection, modification or deletion of stored Personal Data (storage control);
  - prevent the use of automated data-processing systems by unauthorised persons using data communication equipment used to process Personal Data (user control);
  - ensure that persons authorised to use an automated data-processing system only have access to the Personal Data covered by their access authorisation (data access control);
  - ensure that it is possible to verify to which individuals Personal Data have been or may be transmitted or made available using data communication equipment (communication control);
  - ensure that the functions of the system used to process Personal Data perform, that the appearance of faults in the functions is reported (reliability), and that stored Personal Data are prevented from corruption by means of a malfunctioning of the system (integrity).
- Personnel. Continuity Coach Pty. Ltd. shall take reasonable steps to ensure that no person shall be appointed by Continuity Coach Pty. Ltd. to process Personal Data unless that person:
  - is competent and qualified to perform the specific tasks assigned to him by Continuity Coach Pty. Ltd.;
  - has been authorised by Continuity Coach Pty. Ltd.; and
  - has been instructed by Continuity Coach Pty. Ltd. in the requirements relevant to the performance of the obligations of Continuity Coach Pty. Ltd. under these Clauses, in particular the limited purpose of the data processing.
- Copy Control. Continuity Coach Pty. Ltd. shall not make copies of Personal Data, provided, however, that Continuity Coach Pty. Ltd. may retain copies of Personal Data provided to it for backup and archive purposes.
- Security Controls. The Service includes a variety of security controls. These controls include:
  - Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.
  - Controls to revoke access after several consecutive failed login attempts.
  - The ability to specify the lockout time period.
  - Controls on the number of invalid login requests before locking out a User.
  - Controls to ensure generated initial passwords must be reset on first use.
  - Controls to terminate a User session after a period of inactivity.
  - Password history controls to limit password reuse.
  - Password length controls.
  - Password complexity requirements (requires letters and numbers).
  - Email verification before resetting password.
- Security Procedures, Policies and Logging. The Services are operated in accordance with the following procedures to enhance security:
  - User passwords are stored using a one-way hashing algorithm (SHA-256) and are never transmitted unencrypted.
  - User access log entries will be maintained, containing date, time and User ID.
  - Passwords are not logged under any circumstances.
  - Processor’s personnel will not set a defined password for a User. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting User.
- Intrusion Detection. Continuity Coach Pty. Ltd., or an authorised third party (subject to the terms of these Clauses), will monitor the Services for unauthorised intrusions using network-based intrusion detection mechanisms.
- User Authentication. Access to the Services requires a valid User ID and password combination, which are encrypted via SSL while in transmission. Following a successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
- Incident Management. Continuity Coach Pty. Ltd. maintains security incident management policies and procedures. Continuity Coach Pty. Ltd. will promptly notify Customer in the event Continuity Coach Pty. Ltd. becomes aware of an actual or reasonably suspected unauthorised disclosure of Personal Data.
- Viruses. The Services will not introduce any viruses to Customer’s systems; however, the Services do not scan for viruses that could be included in attachments or other Personal Data uploaded into the Services by Customer. Any such uploaded attachments will not be executed in the Services and therefore will not damage or compromise the Service.
- Data Encryption. The Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer’s network and the Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during transmission between data centres for replication purposes.
- System Changes and Enhancements. Continuity Coach Pty. Ltd. plans to enhance and maintain the Services during the term of the Agreement. Security controls, procedures, policies and features may change or be added. Continuity Coach Pty. Ltd. will provide security controls that deliver a level of security protection that is not materially lower than that provided as of the Effective Date.
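The account-security controls listed under "Security Controls", "Security Procedures, Policies and Logging" and "User Authentication" above (lockout after a configurable number of consecutive failures with a configurable lockout period, generated initial passwords that must be changed on first use, session termination after inactivity, password history, length and complexity rules, one-way hashed password storage, an access log carrying date, time and User ID but never a password, and a random session identifier issued on login) are shown together in the following Python example. It is an added illustration and is not code from the Clauses or from Continuity Coach Pty. Ltd.'s service: the policy numbers, the in-memory account store, the `AuthService`, `Account` and `hash_password` names and the hand-advanced `now` clock are all constructed for it. One deliberate departure: it hashes passwords with salted, iterated PBKDF2-HMAC-SHA256 rather than the bare SHA-256 the Clauses name, because an unsalted single-pass hash is not what a reviewer would accept for stored passwords today; that substitution is the example's, not the page's.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Policy values are constructed for this example; the Clauses name the controls but give no figures.
MAX_FAILED_LOGINS = 5            # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60        # the configurable lockout time period
SESSION_IDLE_SECONDS = 30 * 60   # session terminated after this much inactivity
PASSWORD_HISTORY = 5             # earlier hashes kept to block reuse
MIN_PASSWORD_LENGTH = 10
HASH_ITERATIONS = 100_000        # PBKDF2 work factor; raise it in production

def hash_password(password, salt=None):
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256); the plaintext is never kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    must_reset: bool = True      # generated initial password must be changed on first use
    failed_logins: int = 0
    locked_until: float = 0.0
    history: list = field(default_factory=list)   # earlier (salt, digest) pairs

class AuthService:
    def __init__(self, now=1_700_000_000.0):
        self.now = now            # hand-advanced clock so timeouts can be exercised offline
        self.accounts = {}
        self.sessions = {}        # session id -> [user_id, last_seen]
        self.access_log = []      # (date/time, User ID, event); a password never goes in here

    def _log(self, user_id, event):
        stamp = datetime.fromtimestamp(self.now, tz=timezone.utc).isoformat()
        self.access_log.append((stamp, user_id, event))

    def provision(self, user_id):
        """Create an account with a random initial password; no operator chooses it."""
        initial = secrets.token_urlsafe(12)
        salt, digest = hash_password(initial)
        self.accounts[user_id] = Account(user_id, salt, digest)
        self._log(user_id, "provisioned")
        return initial            # delivered to the user out of band, never logged

    def login(self, user_id, password):
        """Return a session id on success, None otherwise; the caller must honour must_reset."""
        acct = self.accounts.get(user_id)
        if acct is None or self.now < acct.locked_until:
            self._log(user_id, "login_rejected")
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked_until = self.now + LOCKOUT_SECONDS
                acct.failed_logins = 0
                self._log(user_id, "locked_out")
            else:
                self._log(user_id, "login_failed")
            return None
        acct.failed_logins = 0
        sid = secrets.token_urlsafe(32)   # random session id the browser holds
        self.sessions[sid] = [user_id, self.now]
        self._log(user_id, "login_ok")
        return sid

    def session_user(self, sid):
        """Resolve a session id, terminating it if it has been idle too long."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user_id, last_seen = entry
        if self.now - last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[sid]
            self._log(user_id, "session_expired")
            return None
        entry[1] = self.now
        return user_id

    def change_password(self, user_id, current, new):
        """Apply length, complexity (letters and digits) and history rules; return an error or None."""
        acct = self.accounts[user_id]
        if not hmac.compare_digest(hash_password(current, acct.salt)[1], acct.digest):
            return "current password incorrect"
        if len(new) < MIN_PASSWORD_LENGTH:
            return "too short"
        if not (re.search(r"[A-Za-z]", new) and re.search(r"\d", new)):
            return "needs letters and numbers"
        for salt, digest in acct.history + [(acct.salt, acct.digest)]:
            if hmac.compare_digest(hash_password(new, salt)[1], digest):
                return "reused"
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-PASSWORD_HISTORY:]
        acct.salt, acct.digest = hash_password(new)
        acct.must_reset = False
        self._log(user_id, "password_changed")
```

The lockout check runs before any hashing, so a locked account costs the server nothing per attempt, and the old hash is kept in `history` rather than the old password, which is what makes the reuse check possible without ever storing plaintext. Email verification before a password reset and network intrusion detection are outside this example.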
The provisions of this Appendix 2 shall only become legally binding between the parties when the data exporter has carefully considered and accepted them and has provided its consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process.
As the data importer, Continuity Coach Pty. Ltd. confirms its acceptance of the provisions of this Appendix 2 upon the data exporter’s due and proper completion of the online registration.