Last Updated: 25 March 2021
These Data Processing Terms apply to the Services supplied by MATTR Limited if you or your End Users access or use the Services in the European Economic Area or are otherwise subject to the GDPR or legislation implementing the GDPR.
The Data Processing Terms set out terms that apply to the Processing of your Personal Data and Personal Data of your End Users by MATTR as set out in clause 5.2 of the MATTR Customer Agreement.
In these Data Processing Terms:
- “Data Subject” means your End Users, employees, contractors and agents, who in each case are natural persons to the extent that they are identified or identifiable and, if you are a natural person, you;
- “Data Controller” means you (the party that has entered into the MATTR Customer Agreement);
- “Data Processor” means MATTR Limited; and
- other capitalised terms which are not defined in the Data Processing Terms have the meanings set out in the MATTR Customer Agreement.
To provide the Services to the Data Controller, the Data Processor will store and Process Personal Data of Data Subjects in accordance with these MATTR Data Processing Terms. Where there is any conflict or ambiguity between these Data Processing Terms and the MATTR Customer Agreement, these Data Processing Terms take priority.
Appointment of Data Processor
- Appointment. Data Controller appoints Data Processor to Process Personal Data in accordance with clause 1.2.
- Processing Details. Data Processor may Process the Personal Data of Data Subjects as follows:
- Duration of Processing. For the Duration of the Term in accordance with the MATTR Customer Agreement, for any period that the Data Processor is permitted to continue Processing to fulfil its obligations or exercise its rights under the MATTR Customer Agreement (e.g. to allow the Data Controller access to Your Content after termination), and for any longer period required by law (e.g. to maintain statutory records).
- Nature and Purpose of Processing. To provide any Services or Material to the Data Controller as contemplated by the MATTR Customer Agreement.
- Type of Personal Data. The Data Subject's:
- name, date of birth, customer identifier, email address, phone number, physical or postal address details, other contact details, bank account details and an IP address (to the extent that the Data Subject is identifiable from it);
- communications to the Data Processor or with other End Users (e.g. in community support forums); and
- any other personal data provided by Data Subjects or on their behalf to the Data Controller in connection with the Services – e.g. personal data that forms part of, or is disclosed by, a credential that the Data Subject submits to a Service for verification. This may include special category data.
- Categories of Data Subjects. As defined in the introduction to these Data Processing Terms.
Data Processor’s Obligations
- Processing in accordance with Data Controller’s instructions. Data Processor will only Process Personal Data on behalf of the Data Controller, and in accordance with the purpose set out in clause 1.2 and otherwise in accordance with the terms of these Data Processing Terms.
- Restrictions on Processing. Except as set out in these Data Processing Terms, the Data Processor is not entitled to Process the Personal Data for its own purposes.
- Technical and Organisation Security Measures. Data Processor implements technical and organisational security measures for the processing of personal data in accordance with the GDPR. On written request, MATTR will provide the Data Controller with information reasonably requested by Data Controller regarding security practices and policies.
- Data and security breach notification. Data Processor will, as soon as practicable, notify Data Controller about any breach of security resulting in the accidental or unlawful disclosure of, or access to, Personal Data or any accidental or unauthorised access or any other event affecting the integrity, availability or confidentiality of Personal Data in accordance with clause 5.4 of the MATTR Customer Agreement.
- Reasonable assistance in response to enquiries. Data Processor will provide reasonable assistance in response to enquiries from Data Controller or the Regulator relating to Data Processor’s Processing of Personal Data and abide by any specific advice of the Regulator to Data Processor regarding the Processing of such Personal Data.
- Evidence of compliance with Data Processing Terms. Data Processor will, upon written request from Data Controller, provide Data Controller with all information reasonably necessary to demonstrate Data Processor’s compliance with these Data Processing Terms.
- Reasonable assistance in connection with Applicable Data Protection Laws. Data Processor will provide reasonable assistance to Data Controller to enable that Data Controller to comply with obligations which arise as a result of:
- a Data Subject exercises their rights under Applicable Data Protection Law in respect of Personal Data Processed by Data Processor on behalf of Data Controller (such as rights to rectification, erasure, blocking, access their personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making);
- Data Controller is required to deal or comply with any assessment, enquiry, notice or investigation by the Regulator; or
- Data Controller is required under Applicable Data Protection Law to carry out a mandatory data protection impact assessment or consult with the Regulator prior to Processing Personal Data entrusted to the Data Processor under these Data Processing Terms,
- Audits. Data Processor will permit Data Controller upon written notice, at a mutually convenient date and time and no more than once per year (or more frequently if required by law), to conduct an audit to confirm compliance with Data Processor’s obligations under these Data Processing Terms. Such audits must be carried out subject to the auditor having professional qualifications to carry out such an audit and agreeing to reasonable terms to protect the confidential information of the Data Processor. Access to the systems and processes of the Data Processor will be strictly limited to that which is necessary for the purpose of this clause 2.8 and subject to access being within the Data Processor’s control.
- Processing in a Third Country. Where the Data Processor Processes Personal Data in any Third Country, it will ensure that any transfer of Personal Data to any Third Country will comply with Applicable Data Protection Laws.
Data Controller’s Obligations
- Warranties. Data Controller warrants that:
- the legislation applicable to it does not prevent Data Processor from fulfilling the instructions received from the Data Controller and performing Data Processor’s obligations under the MATTR Customer Service Agreement and these Data Processing Terms; and
- it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained all necessary consents and given all necessary notices, and otherwise has a legitimate ground to disclose the Personal Data to Data Processor and enable the Processing of the Personal Data by the Data Processor as described in these Data Processing Terms and the MATTR Customer Service Agreement.
- Indemnity. Data Controller indemnifies and will hold harmless Data Processor on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interests, penalties and legal and other professional costs and expenses) incurred by Data Processor in connection with any breach of this clause 3.
- Permitted sub-processors. Data Controller consents to the use of sub-processors for Processing and as specified at MATTR Data Sub-processors as updated from time to time. If Data Controller objects or does not agree to any such sub-processors, the Data Processor may terminate the MATTR Customer Agreement on written notice.
- Terms applicable to sub-processors. Data Processor will ensure it has a written contract in place with all sub-processors who perform Processing which contains obligations which permit effective control and oversight with respect to the Processing of Personal Data to ensure compliance with these Data Processing Terms.
- The Data Processor undertakes to the Data Controller to:
- hold all Personal Data in strict confidence; and
- ensure that employees, agents, officers, consultants, sub-processors, subcontractors and advisers authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The obligation in clause 5.1 will not apply to a disclosure of Personal Data that is required by any law or regulation of any country with jurisdiction over the affairs of any Data Processor or required by any order of any court of competent jurisdiction.
Governing Law and Jurisdiction
- This Agreement will be governed by the Laws of New Zealand and each party consents to the non-exclusive jurisdiction of the New Zealand courts. Neither party is permitted to object to the transfer of any proceedings to New Zealand courts on any basis, including inconvenience.
- Termination. These Data Processing Terms terminate if the MATTR Customer Agreement terminates.
- Consequences of termination. Upon termination of the MATTR Customer Agreement and these Data Processing Terms, the Data Processor will manage all Personal Data in accordance with the MATTR Customer Agreement and Applicable Data Protection Laws, including with respect to the destruction or return of such Personal Data, and the ongoing security of any retained Personal Data.
Changes to Data Processing Terms
- Data Processor may make changes to these Data Processing Terms in accordance with the processes set out in clause 17 of the MATTR Customer Agreement (as if references to “this Agreement” were references to these Data Processing Terms).
Definitions and interpretation
- Definitions. The following terms will have the meaning set out below:
Applicable Data Protection Laws means the GDPR (as amended, consolidated, re-enacted or replaced from time to time).
GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
MATTR Customer Agreement means the Agreement entered into between you and MATTR Limited as described in the Customer Agreement document (and including, for clarity, any applicable Service Terms and Service Level Agreements).
Personal Data means any information relating to a Data Subject that is subject to the GDPR or any legislation implementing the GDPR.
Process, Processed or Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Regulator means the data protection supervisory authority which has jurisdiction over Data Controller’s Processing of Personal Data.
Third Countries means all countries outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of these Data Processing Terms include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.