Data Processing Addendum - Employee Surveys
This addendum was updated on 724 September 2024. This Addendum is supplemental to and forms part of the terms of use available at https://www.thecultureministry.com/privacy-policy
(1) The Culture Ministry (Connection Concepts Ltd), a company incorporated under the laws of New Zealand with its registered office at 15B Rose Rd Grey Lynn Auckland 1021 New Zealand (the "Service Provider"), acting on its own behalf and as agent for each Customer Affiliate; and
Hereinafter individually or collectively referred to as a “Party” or the “Parties”.
Background
(A) The Customer has engaged the Service Provider to provide services as stipulated in the Agreement. In the course of providing such services, the Service Provider may process Personal Data on behalf of the Customer.
(B) The Customer and the Service Provider hereby enter into this Addendum to set out their respective responsibilities in respect of the processing of Personal Data as part of the Services.
Agreed terms
1 DEFINITIONS AND INTERPRETATION
1.1 The following definitions apply in this Addendum:
Applicable Laws: (a) where a Data Controller is subject to EU Data Protection Laws in respect of (such part of) the Relevant Data, European Union or Member State laws; and (b) where a Data Controller is subject to any other Data Protection Laws in respect of (such part of) the Relevant Data, any other applicable laws.
Control: the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.
Customer Affiliate: an entity that owns or Controls, is owned or Controlled by, or is under common ownership or Control with the Customer.
Data Controller: the Customer or any Customer Affiliate.
Data Processor: the Service Provider or any Service Provider Affiliate.
Data Protection Laws: EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
Data Subject: as defined in paragraph (1) of Article 4 of the GDPR.
Data Subject Request: as defined in Clause 5.1(a) of this Addendum.
EEA: the European Economic Area.
EU Data Protection Laws: EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
GDPR: the EU General Data Protection Regulation 2016/679.
Member State: member state of the European Union.
Personal Data: as defined in paragraph (1) of Article 4 of the GDPR.
Personal Data Breach: as defined in paragraph (12) of Article 4 of the GDPR.
Processing: as defined in paragraph (2) of Article 4 of the GDPR.
Processing Personnel: personnel of a Data Processor engaged in the Processing of the Relevant Data.
Relevant Data: any Personal Data Processed by a Data Processor on behalf of a Data Controller as part of the Services, as further described in Annex 1.
Services: the services to be provided or carried out by or on behalf of the Service Provider for any Data Controller pursuant to the Agreement.
Service Provider Affiliate: an entity that owns or Controls, is owned or Controlled by, or is under common ownership or Control with the Service Provider.
Subprocessor: any person appointed by or on behalf of the Service Provider or any Service Provider Affiliate to Process Personal Data on behalf of any Data Controller in connection with the Agreement. For the avoidance of doubt, employees of the Service Provider or any Service Provider Affiliate are not Subprocessors in this Addendum.
Supervisory Authorities: as defined in paragraph (21) of Article 4 of the GDPR, and Supervisory Authority means any one of them.
1.2 Annexes form part of this Addendum and shall have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the annexes.
1.3 Clause, annex, appendix, and paragraph headings shall not affect interpretation of this Addendum.
1.4 A reference to a person includes a natural person or a corporate or unincorporated body (whether or not having a separate legal personality).
1.5 Unless the context otherwise requires, words in the singular include the plural and in the plural include the singular, and a reference to one gender includes a reference to other genders.
1.6 A reference to writing or written includes email.
1.7 Unless otherwise specified, any reference in this Addendum to a specific time refers to the time in Singapore.
1.8 References to statutory provisions or enactments shall include references to any amendment, modification, extension, consolidation, replacement, or re-enactment of any such provision or enactment (whether before or after the date of this Agreement), unless any such change imposes upon any Party any liabilities or obligations that are more onerous than as at the date of this Agreement.
2 PROCESSING OF RELEVANT DATA
2.1 The Data Controller hereby instructs the Data Processor to Process the Relevant Data (in particular, to transfer the Relevant Data to any country or territory) for the following purposes:
(a) to enable the Data Controller to use the Services;
(b) to comply with documented instructions provided by the Data Controller to the Data Processor (including via electronic communications); and
(c) as otherwise authorised under this Addendum.
2.2 Details of the Processing of the Relevant Data are set out in Annex 1. The Customer may from time to time amend Annex 1 by giving notice in writing to the Service Provider.
2.3 The Data Processor will Process the Relevant Data in accordance with applicable Data Protection Laws and exclusively for the purposes set out in Clause 2.1, unless required under Applicable Laws, in which case the Data Processor will (to the extent permitted by Applicable Laws) inform the relevant Data Controller of such requirement prior to Processing.
2.4 The Data Processor will notify the Data Controller without undue delay if and when the Data Processor is of the view that an instruction for Processing the Relevant Data given by the Data Controller is not in compliance with Applicable Laws.
2.5 The Data Processor will implement and maintain appropriate technical and organisational measures to protect the Relevant Data against accidental or unlawful destruction or loss, alteration, or unauthorised disclosure or access, measures which will provide a level of security appropriate to the risk represented by the Processing and the nature of the Relevant Data. Details of such measures are set out in Annex 2. The Service Provider will regularly monitor compliance with these measures and may from time to time amend Annex 2 by giving notice in writing to the Customer.
2.6 Nothing in this Addendum relieves any Party of its own direct responsibilities and liabilities under applicable Data Protection Laws.
3 PROCESSING PERSONNEL
3.1 The Data Processor will ensure that the Processing Personnel:
(a) are aware of the confidential nature of the Relevant Data;
(b) have received appropriate training on their responsibilities; and
(c) have executed written confidentiality agreements.
3.2 The Data Processor will ensure that the confidentiality obligations of the Processing Personnel will survive termination of his/her engagement.
3.3 The Data Processor will take commercially reasonable steps to ensure the reliability of all Processing Personnel.
4 SUBPROCESSING
4.1 The Data Processor may engage and may continue to engage Subprocessors in connection with the provision of the Services provided that such engagement is permitted under the Agreement and the obligations in Clause 4.2 are complied with. The Data Processor will, upon request by the Data Controller, provide a list to the Data Controller of Subprocessors currently engaged.
4.2 With respect to each Subprocessor, the Data Processor will:
(a) conduct adequate due diligence to ensure the Subprocessor is capable of providing the level of protection to the Relevant Data as required by the Agreement and this Addendum;
(b) procure that the Data Processor enters into a written contract with the Subprocessor to ensure that at least the same level of protection will be given to the Relevant Data as that required by the Agreement and this Addendum;
(c) provide a copy of such written contract with the Subprocessor (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as the Data Controller may request.
4.3 The engagement of additional Subprocessors, if permitted under the Agreement, is subject to prior consent by the Data Controller and compliance with the obligations in Clause 4.2. For the avoidance of doubt, where the Data Processor has entered into a data processing agreement with the Subprocessor that affords a level of protection equivalent to this Addendum, the consent by the Data Controller is deemed to have been given.
4.4 The Data Processor will give notice in writing of the proposed engagement of a Subprocessor to the Data Controller. Any objection must be raised within five (5) business days, together with detailed grounds for objection. If the grounds for objection are not resolved, the Data Processor must not engage the proposed Subprocessor.
4.5 Where a Subprocessor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the Subprocessor's obligations.
5 DATA SUBJECT RIGHTS
5.1 The Data Processor will:
(a) promptly notify the Data Controller upon receiving any request from a Data Subject to exercise his/her rights in respect of any Relevant Data under Data Protection Laws (a “Data Subject Request”); and
(b) not respond to such request except on documented instructions of the Data Controller or as required by Applicable Laws to which the Data Processor is subject, in which case the Data Processor will (to the extent permitted by Applicable Laws) inform the Data Controller of such legal requirement before the Data Processor responds to such request.
5.2 If the Data Controller, in using the Services, is unable to address a Data Subject Request, the Data Processor will, upon the Data Controller's request and to the extent legally permitted to do so and if the response to such Data Subject Request is required under Data Protection Laws, provide commercially reasonable efforts to assist the Data Controller in responding to such Data Subject Request. Cost for such assistance will be borne by the Data Controller.
5.3 Taking into account the nature of the Processing of the Relevant Data, the Data Processor will assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligations to respond to Data Subject Requests.
6 PERSONAL DATA BREACH
6.1 Upon the Data Processor (or any Subprocessor) becoming aware of a Personal Data Breach affecting the Relevant Data, the Data Processor will:
(a) notify the Data Controller without undue delay; and
(b) provide sufficient information to allow the Data Controller to meet its obligations under Data Protection Laws to report or inform Data Subjects of the Personal Data Breach.
6.2 The Data Processor will cooperate with the Data Controller and take such commercially reasonable steps as directed by the Data Controller to assist in the investigation, mitigation, and remedy of each Personal Data Breach. Cost for such assistance will be borne by the Data Controller.
7 DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
7.1 Upon the request of a Data Controller, a Data Processor will provide reasonable cooperation and assistance to the Data Controller in data protection impact assessments relating to the Processing of the Relevant Data, provided that the Data Controller does not otherwise have access to the relevant information and to the extent that such information is available to the Data Processor.
7.2 Upon the request of a Data Controller, a Data Processor will provide reasonable cooperation and assistance to the Data Controller in any prior consultations with Supervisory Authorities (or other competent privacy authorities) relating to the Processing of the Relevant Data.
8 RETURN OR DELETION OF DATA
8.1 Upon the cessation of the Services, the Data Processor will:
(a) at the choice of the Data Controller, return all Relevant Data to the Data Controller or delete all Relevant Data within twelve (12) month(s) from the date of cessation of the Services; and
(b) delete all existing copies of the Relevant Data, except that the Data Processor may retain Relevant Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws, and provided always that the Data Processor will ensure the confidentiality of the Relevant Data and will ensure that the Relevant Data will only be Processed as necessary for purposes specified in the Applicable Laws.
8.2 Upon request, the Data Processor will provide written certification to the Data Controller that it (and each Service Provider Affiliate) has fully complied with the obligations under this clause.
9 AUDIT
9.1 If and when a Data Processor is subject to an audit, inspection, or other oversight measure taken by any Supervisory Authority that relates to the Processing of the Relevant Data, the Data Processor will promptly notify the Data Controller.
9.2 Upon a Data Controller's request, with reasonable prior notice and subject to confidentiality obligations, a Data Processor will make available all information necessary to demonstrate the Data Processor's compliance with the obligations set out in this Addendum, provided that the Data Controller will bear the costs for such audit and will take reasonable steps to avoid or minimise disrupting the Data Processor's premises, personnel, and business.
10 ORDER OF PRECEDENCE
In the event of any conflict or inconsistency between this Addendum and any other agreements between the Parties (including the Agreement), this Addendum will prevail.
11 CHANGES IN DATA PROTECTION LAWS
11.1 Upon any change in Data Protection Laws, the Data Controller will propose variations to this Addendum to address the requirements of any new or amended Data Protection Laws.
11.2 Upon the proposal of any variations pursuant to Clause 11.1, the Parties will negotiate in good faith with a view to agreeing and implementing such variations to address the requirements of any new or amended Data Protection Laws as soon as reasonably practicable.
12 AUTHORITY
12.1 The Service Provider warrants and represents that it is and will at all relevant times remain duly and effectively authorised to enter into this Addendum for and on behalf of each Service Provider Affiliate.
12.2 The Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorised to enter into this Addendum for and on behalf of each Customer Affiliate.
13 SEVERANCE
13.1 If any provision of this Addendum is or becomes invalid, illegal, or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable. If such modification is not possible, the relevant provision shall be deemed deleted. Any modification to or deletion of a provision under this clause shall not affect the validity and enforceability of the rest of this Addendum.
13.2 If any provision of this Addendum is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid, and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.
14 FORCE AND EFFECT
14.1 Save as supplemented or amended by this Addendum, the provisions of the Agreement shall remain in full force and effect and shall be read and construed with this Addendum as one document.
14.2 All references in the Agreement to the “Agreement” shall be read and construed as references to the Agreement as supplemented and amended by this Addendum.
15 AMENDMENT OF THIS ADDENDUM
No variation of this Addendum shall be effective unless in writing and signed by the Parties.
16 COUNTERPARTS
This Addendum may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one Addendum.
17 GOVERNING LAW AND JURISDICTION
The provisions on governing law and jurisdiction of the Agreement will apply to the provisions of this Addendum.
This Addendum has been entered into on the date stated at the beginning of it.
ANNEX 1 - DETAILS OF PROCESSING SALARY SURVEY
Subject matter: Job details, organisational and salary data related to diversity and inclusion roles
Duration: The open survey period and subsequent period of assessing data and producing a report
Types of data: Gender, age category, salary, work experience
Categories of data subject: people working in diversity & inclusion and related functions, clients and prospective clients
Obligations of the Customer: to agree with and comply with all relevant and applicable laws for collecting and processing personal data
Rights of the Customer: You have rights as set out in the applicable legislation including requests for deletion or return of all personal data after the end of the services, unless storage of personal data is required by law.
ANNEX 2 - TECHNICAL AND ORGANISATIONAL MEASURES SALARY SURVEY
The Culture Ministry is using Survey Sparrow to collect data for the purposes of a salary survey. You can view Survey Sparrow's data privacy and processing documents here:
https://surveysparrow.com/legal/dpa/
https://surveysparrow.com/legal/gdpr/
https://surveysparrow.com/legal/ccpa/
The Culture Ministry will not be processing any personally identifiable information as part of the salary survey.
If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.