JUSTGO DATA PROCESSING ADDENDUM

This Addendum details the processing of Personal Data by JustGo on behalf of the Customer in connection with the Agreement.

1.1  Scope. These terms apply to the actions of JustGo only to the extent that it processes Personal Data on behalf of the Customer in connection with providing the Services.

1.2  Definations. For the purposes of these terms, any reference to “Personal Data”, “special category personal data”, “process”, “data subject”, “data controller” and “data processor” shall have the meanings given to them in the Data Protection Legislation. “UK IDTA” means the form of the International Data Transfer Agreement version 1.0 issued by the Information Commissioner’s office under section 119 (A) of the Data Protection Act 2018.

1.3 Data processing. The Parties understand and acknowledge that in processing data as part of the Services, JustGo may process Personal Data on behalf of the Customer. Annex 1 of this Addendum (Data Processing Information) sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the types of personal data processed by JustGo and categories of data subjects whose Personal Data are processed.

1.4 Our obligations to protect Personal Data. JustGo shall:

• process all Personal Data supplied or provided by the Customer or collected or otherwise obtained on the Customer’s behalf only on documented instructions from the Customer, unless required to do so by applicable law or regulation to which JustGo is subject in which case JustGo shall promptly and to the maximum extent permitted, inform the Customer of that legal requirement before processing;
• promptly inform the Customer if, in its reasonable opinion, any Customer instruction infringes the Data Protection Legislation;
• take all such steps necessary to ensure that any persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• take all measures required pursuant to article 32 of the GDPR and the UK GDPR (as applicable), including (without limitation) implementing and maintaining appropriate administrative, physical, technical and organisational measures to protect any Personal Data accessed or processed by it pursuant to this Agreement against unauthorised or unlawful processing or accidental loss, destruction, damage or disclosure and any other standards required by law or regulation that are directly applicable;
• taking into account the nature of the processing, and at the Customer’s cost, provide reasonable assistance to the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligation(s) to respond to requests for exercising the data subject’s rights. Where any such request is submitted to JustGo, it shall promptly notify the Customer of the same;
• taking into account the nature of the processing and the information available, provide reasonable assistance to the Customer to enable it to comply with its obligations in relation to the security of processing, data breach notifications, data protection impact assessments and prior consultations with supervisory authorities;
• upon termination of the Agreement and at the election of the Customer, either promptly return all the personal data to the Customer and delete any copies of such Personal Data, or destroy and delete such Personal Data in accordance with the Customer’s written instructions, unless required by applicable law or regulation to retain them;
• upon becoming aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data that is processed by or on behalf of the Customer in the course of providing the Services (a “Security Incident“), without undue delay, notify the Customer in writing and provide reasonable assistance to the Customer (at the Customer’s sole expense) in relation to the containment and management of the Security Incident; and
• make available to the Customer all information necessary to demonstrate compliance with the obligations provided by this Data Processing Addendum and allow for and contribute to audits (at Customer’s sole cost and expense) including inspections, conducted by the Customer or another auditor mandated by the Customer.

1.5  Sub-contractors and transfers- JustGo:

• shall not process or transfer Personal Data outside of the European Economic Area, the United Kingdom (or any country deemed adequate by a regulatory body empowered under GDPR and UK GDPR to make such finding) without putting in place adequate protection for the Personal Data to enable compliance with Data Protection Legislation. If required for the cross-border transfers of Personal Data, the parties shall execute supplemental terms, including, but not limited to, the UK IDTA, or an updated version of the UK IDTA or other lawful transfer mechanism that provides equivalent protection (“Standard Clauses”). The Customer authorises JustGo to execute the Standard Clauses on its behalf as agent for the Customer, as needed, to ensure that cross-border transfers of Personal Data can take place with sufficient protection to ensure compliance with Data Protection Legislation;
• is authorised to engage its current sub- contractors to process Personal Data of the Customer, to the extent necessary (a list of whom are set out in Annex 2), and shall promptly inform the Customer of any intended changes concerning the addition or replacement of sub-processors thereby allowing the Customer a reasonable opportunity to object to such changes; and
• shall ensure that, in any case where a sub processor is instructed, it enters into a contract with the sub processor which imposes substantially the same data protection obligations as are included in this Addendum. For the avoidance of doubt, JustGo shall remain fully liable to the Customer for the acts and omissions of its appointed sub processors;

Annex 1

Data Processing Information

Subject matter of the processing

The processing relates to the hosting of personal data in the Cloud Services and the Application.

Nature and purpose of the processing

To enable the provision of the Cloud Services to the Customer and its Authorised Users and to facilitate efficient transactions with third parties

Duration of the processing

The processing will last for the duration of the Agreement and for such period after the expiry or termination of the Agreement as is necessary to allow JustGo to comply with its legal obligations.

Types of personal data

• Name;
• Date of birth;
• Gender;
• Contact information such as addresses, email addresses and telephone numbers
• Demographic information such as postcode, preferences and interests
• Special category personal data (information about race and ethnic origin, religious, disability or sexuality)
• Relevant qualification and credential information;
• Photographs, proofs of ID and other supporting information;
• IP address (automatically collected); and
• A list of URLs starting with a referring site, your activity on the Cloud Services and the site you exit to (automatically collected)

Categories of data subjects

The Personal Data transferred concern the following categories of data subjects:

Any persons whose personal data is stored in the Cloud Services with the permission of the Customer.

Annex 2

Sub-Processors

The below is a list of JustGo’s sub-processors as of commencement of this Agreement.

To access our New Zealand privacy policy, please click here.