1. Definitions And Interpretation
1.1 Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this Policy, the Controller is Tapt.
1.2 Customer
The natural or legal person, public authority, agency or other body which uploads their Personal Data and uses the Products.
1.3 GDPR
EU General Data Protection Regulation 2016/679, Data Protection Act Chapter 586, and any subsidiary legislation, regulation, convention or directive.
1.4 Information Security Policy
Tapt’s Information Security Policy.
1.5 Personal Data
Any information relating to an identified or identifiable natural person that parties may Process.
1.6 Privacy Act
Privacy Act 1988 (Cth).
1.7 Privacy Law
Means singularly and collectively the GDPR and the Privacy Act.
1.8 Privacy Policy
The Controller’s Privacy Policy found at https://tapt.io/policies/privacy-policy.
1.9 Processing
Any activity or combination of activities which is performed on Personal Data, including collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or otherwise making available Personal Data. (Process has the same meaning as Processing).
1.10 Processor
A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.11 Products
Tapt’s business card product, or other products developed by Tapt in the future, used for the purposes of voluntarily transferring Personal Data to another device as per https://tapt.io/.
1.12 Standard Contractual Clauses
The EU model clauses for Personal Data transfer from Controllers to Processors, per C2010-593 – Decision 2010/87EU and Article 26(2) of Directive 95/46/EC for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection.
1.13 Sub-processor
Any natural or legal person, public authority, agency or other body that is appointed by Tapt for the purposes of Processing the Personal Data on behalf of the Customer in accordance with item 5.
1.14 Terms of Service
Tapt’s “Terms of Service” for use of the Product found at https://tapt.io/policies/terms-of-service.
1.15 Interpretation
In this Policy, unless the context requires otherwise:
(a) the singular includes the plural and vice-versa;
(b) headings are for convenience only, and do not affect interpretation;
(c) the words “including”, “for example”, “such as” or other similar expressions (in any form) are not words of limitation; and
(d) a reference to:
(i) a party includes its administrators, successors, substitutes by novation and assigns;
(ii) a person includes a body incorporated or unincorporated, partnership or any legal entity; and
(iii) any legislation or to any provision of any legislation includes variations, consolidations or replacements of that legislation and includes all regulations and other instruments issued under that legislation.
2. Purpose, Background And Acknowledgements
2.1 Purpose
The purpose of this Policy is to comply with the terms of the Privacy Law, provide sufficient guarantees that Tapt’s Processing of Personal Data will meet the requirements of the Privacy Law, and ensure the protection of the rights of Customers when Tapt Processes Personal Data on behalf of Customers.
2.2 Background
(a) Tapt provides the Product, resulting in the collection of Personal Data from its Customers.
(b) The Customer engages Tapt pursuant to the Terms of Service, which may involve the Processing of Personal Data on the Customer’s behalf.
(c) This Policy outlines the scope and requirements upon which Tapt must carry out the Processing of Personal Data on behalf of the Customer.
2.3 Acknowledgements
The Customer acknowledges and agrees that:
(a) with respect to the Processing of Personal Data, Tapt is a data Controller for the purposes of the GDPR;
(b) Tapt staff in the ‘Employee [Category 1]’ classification and above, in accordance with the Information Security Policy, may in limited circumstances rearrange or reformat data, including Personal Data. They will only be authorised to rearrange and reformat data for the sole purpose of improving usability of the Products, and must not affect the content of the Personal Data;
(c) nothing in this Policy is intended to create or imply any partnership, joint venture, agency, fiduciary relationship or other relationship between the data Controller and the Customer other than the contractual relationship expressly provided for in this Policy. Neither we nor the Customer will have, nor represent that it has, any authority to make any commitments of this kind on the other party’s behalf;
(d) except as varied by the terms in this Policy, the terms of the Terms of Service shall remain in full force and effect;
(e) the terms set out in this Policy shall be considered and added as an addendum to the Terms of Service and the Privacy Policy, and do not reduce the parties’ rights or obligations under the Terms of Service and/or Privacy Policy;
(f) nothing within the Policy relieves the parties of their own direct responsibilities and liabilities under the Privacy Law, Terms of Service or Privacy Policy; and
(g) any agreement signed between Tapt and a customer must be read in conjunction with the Terms of Service, Privacy Policy, Information Security Policy and the terms set out in this Policy.
3. Details Of Processing Of Personal Data
3.1 Acknowledgement
This item 3 includes certain details for the Processing of Personal Data as required by Article 28(3) of the GDPR.
3.2 Nature and purpose of Processing
The nature and purpose of Processing Personal Data, and how the Personal Data is used, is set out in the Privacy Policy. Additionally, Personal Data may be collected and stored to increase the range of services provided to Tapt Customers as new functionality and technology is developed beyond the current Products, unless the deletion of Personal Data is explicitly requested by a Customer as set out in item 4.2.
3.3 Type of Personal Data being processed
The Personal Data being processed will be selected by each individual Customer, depending on the information they wish to display through their Products. The Personal Data collected is detailed in the Privacy Policy and may include:
(a) Personal Data (including name and job title);
(b) contact information (including phone number, email address, company name and company address); and
(c) other information (profile picture, notes, social profiles, custom links and files).
3.4 Categories of Customers being Processed
All Customers of Tapt Products.
3.5 Key Tapt staff accessing Personal Data
Please refer to Schedule 1 of the Information Security Policy which identifies the roles, responsibilities and areas of accountability for all staff within Tapt handling and accessing Personal Data.
4. Obligations Of The Parties
4.1 Obligations and Rights of the Customer
The obligations and rights of the Customer are set out in the Terms of Service, Privacy Policy and this Policy.
4.2 Tapt Obligations
Tapt shall:
(a) process Personal Data only in accordance with this Policy, the Terms of Service, Privacy Policy and Information Security Policy for the purpose of providing the Product to the Customer, unless otherwise required by law;
(b) assist any Customer requesting onboarding assistance and handle Personal Data in accordance with the Customer’s consent;
(c) promptly notify the Customer about:
(i) any legally binding request for disclosure of the Personal Data by a law enforcement authority at least 7 days before sending across the information, unless otherwise prohibited;
(ii) any accidental or unauthorised access to Personal Data, or other security breach; and
(iii) any request received directly from the Customer without responding to that request, unless it has been otherwise authorised to do so;
(d) inform the Customer immediately if it believes that any instructions received from the Customer would likely infringe the Privacy Law and any other applicable data protection law and regulations with respect to the Processing of Personal Data;
(e) aim to comply with the Notifiable Data Breaches Scheme (NDBS) guidelines on timelines for assessment and notification following a data breach;
(f) inform the Customer as soon as possible if it believes that a data processing breach has occurred, or will probably occur, providing the Customer with sufficient information to allow the Customer to meet its obligations under the Privacy Law and any other applicable data protection law;
(g) in the event of a data processing breach, co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such breach;
(h) ensure that personnel authorised to Process the Personal Data on behalf of the Processor are bound by a contractual or statutory duty of confidentiality, and as much as possible limit the number of personnel who may access the Personal Data;
(i) take all appropriate technical and organisational measures to ensure the security of Processing;
(j) obtain the Customer’s prior specific or general written consent to engage any new sub-processors;
(k) impose on its sub-processors the data protection obligations set out in this Policy, the Terms of Service and the Privacy Policy between the Customer and Tapt by written contract;
(l) assist the Customer in ensuring compliance with its security and certain other obligations such as the notification of Personal Data breaches, taking into account the nature of the Processing and the information available to Tapt;
(m) at the Customer’s choosing, delete or return all Personal Data to the Customer upon completion of the Processing and return any existing copies of the data, unless otherwise required by law to store such data, in a timely manner and no less than 28 days from the Customer providing written notice to Tapt;
(n) cooperate with any relevant regulatory authorities of the Privacy Law in the performance of its tasks; and
(o) ensure relevant Tapt staff members who have access to Personal Data are provided periodic security awareness training.
5. Sub-Processing Of Personal Data
5.1 Authorisation
Tapt shall have the authority to appoint Sub-processors (which may include such entities already engaged by Tapt), subject to the conditions set out in item 5.3 being met.
5.2 Notice
(a) Tapt shall give the Customer 7 days’ prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor.
(b) If, within 5 days of receipt of the notice under item 5.2(a) above, the Customer notifies Tapt in writing of any objections (on reasonable grounds) to the proposed appointment, Tapt must not appoint (or disclose any Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by the Customer.
(c) If the Customer fails to respond within 5 days of receipt of the notice under item 5.2(a) above, then the Customer shall be deemed to have authorised the appointment of the new Sub-processor.
5.3 Conditions
With respect to the appointment of a Sub-processor, Tapt shall:
(a) before the Sub-processor first Processes Personal Data, carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data as required by contractual obligation;
(b) ensure that the arrangement between Tapt and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Policy and meet the requirements of Article 28(3) of the GDPR;
(c) provide to the Customer for review such copies of third party agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as the Customer may request from time-to-time; and
(d) provide to the Customer an up-to-date list of all Sub-processors used for the Processing of Personal Data as the Customer may request from time-to-time.