Data Processing Addendum

Scope

This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data by Seeing Machines on behalf of You when Seeing Machines provides services, technical support services or other professional services (“Services”). The Services are described in the relevant Seeing Machines agreement and the applicable purchase order for Services (collectively, “Agreement”). In the event of any conflict between the terms of the Agreement and this DPA, the terms of this DPA shall take precedence unless specified otherwise in the Agreement.

This DPA is between You and the Seeing Machines contracting entity specified under the Agreement (“Seeing Machines”) and, unless specified otherwise in the Agreement, is incorporated by reference into the Agreement.

Seeing Machines may with 30 days written notice make variations to this Addendum as required by any change in, or decision in, or enactment of Data Protection Laws, and upon receiving a variation You shall undertake all actions necessary to comply with the written notice.

Definitions

Any terms used but not defined in this DPA, such as “Controller”, “Consumer”, “Data Subject”, “Process/Processing”, “Processor” shall have the same meaning set out in the Agreement or applicable Data Protection Laws.

“You” means the end-user, customer, client or any entity whether incorporated or a natural person, who has entered into a written contract with Seeing Machines that is subject to this DPA.

“Affiliate” means any subsidiary of Seeing Machines Limited that may assist Seeing Machines in the processing of Your Personal Data under this DPA.

“Data Protection Laws” means: (a) the European Union General Data Protection Regulation 2016/679 (“GDPR”); (b) the Australian Privacy Act 1988 (CTH); and (c) any other applicable Personal Data law to which You or Seeing Machines are subject.

“EU Standard Contractual Clauses” means the contractual clauses annexed to the EU Commission Decision 2021/914/EU or any successor clauses approved by the EU Commission.

“Personal Data” means all information or an opinion created, obtained or made available to a Party relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular reference to an identifier such as name, identification number, location data, an online-identifier or to or to one or more factors specific to the physical physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means any unauthorised access, transmission, copying, alteration, storage or disclosure of Personal Data or misuse of Personal Data (whether accidental or deliberate).

“Sub-Processor” means any third party engaged to assist with the Processing of Personal Data for the performance of Services under the Agreement.

“UK IDTA Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses approved by the United Kingdom Information Commissioner’s Office.

Roles as Data Controller and Data Processor

For the purpose of this DPA and the applicable Data Protection Laws, You are the Data Controller of the Personal Data Processed by Seeing Machines in its performance of the Services under the terms of the Agreement. You are responsible for complying with your obligations as a Data Controller under applicable Data Protection Laws in providing Personal Data to Seeing Machines for the performance of the Services, including but not limited to obtaining any consents, providing any notices, or undertaking any other action as required under the applicable Data Protection Laws.

Seeing Machines is the Data Processor in regards to Personal Data provided by You, except when You act as a Processor of Personal Data, in which case Seeing Machines is a Sub-Processor. Seeing Machines is responsible for complying with its obligations under applicable Data Protection Laws that apply to its Processing of Personal Data under the Agreement and this DPA.

Processing of Personal Data

Seeing Machines and any persons acting under its authority under this DPA, including Sub-Processors and Affiliates as described under this DPA, will Process Personal Data only for the purposes of performing the Services in accordance with written instructions Seeing Machines receives from You as specified in the Agreement, this DPA and in accordance with applicable Data Protection Laws.

You acknowledge and agree that in certain circumstances, such as discovery related to legal proceedings, Seeing Machines may be required by law or court order to release Personal Data relating to You.

Data Subjects and Categories of Personal Data

In providing Seeing Machines’ Services, we collect and manage a range of data from different sources, including Personal Data about: our clients’ employees, contractors or agents; our distributors’ employees, contractors or agents; our suppliers’ employees, contractors or agents; other end users of our products and services; potential investors for marketing purposes; individuals, through digital services, such as social media or newsletters; and individuals that interact with us or our employees, such as by visiting our premises or phoning our staff.

The categories of Personal Data that we may collect is identified in Table 1 below:

Table 1: Personal Data that may be Collected by the Seeing Machines Group

Data Subject Categories of Information Purpose Legal Basis
Our client’s (including their affiliate’s) employees or contractors
  • Identification information (e.g. contact officer name for services, such as product installation or fatigue event notification; name; unique employee identifier; vehicle identifier).
  • Contact information (e.g. telephone number for a client’s contact officer to notify about fatigue events, email, location, company name).
  • Information about the performance of our client’s employees, including drivers or operators (e.g. video and still-images of the driver, as well as images from a forward-facing camera)1.
  • Information about the drivers’ driving behaviour (e.g. fatigue and distraction events).
  • Other fleet or vehicle monitoring information (e.g. GPS coordinates, shift times, or vehicle speed).
  • Internet service provider (ISP), system usage and related preferences, if our clients’ employees and sub-contractors accesses on-line services, reports or other electronic information.
To:

  • provide services to clients to detect, diagnose and mitigate driver fatigue or distraction, and other dangerous driving events,
  • enable configuration, testing, operation, warranty, repair and maintenance of our products and services,
  • provide reports to clients and distributors on specific driver or vehicle events, including video recordings of drivers or operators,
  • provide summary reports for clients and distributors, such as event duration or distance trends,
  • respond to inquiries, send notices, resolve disputes, and troubleshoot problems,
  • undertake our ongoing business operations, such as audit, fraud control or financial management,
  • enhance, improve, or modify our products and services, including for scientific research.
  • Performance of contract.
  • Agreement and consent of individuals.
  • Legitimate interest:
    • manage the relationship with and provide services to our clients,
    • delivery of training and/or certification,
    • communications,
    • improvement of our business processes, services and products,
    • scientific research,
    • compliance with legal obligations.
  • To safeguard our legitimate interests or that of a third party, so long as fundamental rights and freedoms are protected.
  • Activities essential for protecting vital interests of individuals (for example in an emergency).
Our distributors’ and authorised third-parties’ employees and contractors
  • Identification information (e.g. installers name for services, such as product installation scheduling; unique employee identifier).
  • Contact information (e.g. telephone number, email, location, company name).
  • Information on the performance of their employees (e.g. training accessed, certification).
  • Electronic identification information, internet service provider (ISP), system usage and related preferences, email address, when they contact us, undertake training, lodge a ticket, or access on-line services or information.
To:

  • enable them to manage end-to-end client relationships including providing technical and support services,
  • enable installation, configuration, testing, operation, warranty, repair and maintenance of Seeing Machine’s products and services,
  • enable access to our systems, training, certification, information products, and support services,
  • respond to inquiries, send notices, resolve disputes, and troubleshoot problems,
  • undertake our ongoing business operations, such as audit, fraud control or financial management,
  • enhance, improve, or modify our products and services, including for scientific research.
  • Performance of contract.
  • Agreement and consent of individuals.
  • Legitimate interest:
    • invoicing, sales and logistics,
    • marketing activities,
    • delivery of training and/or certification,
    • manage the relationship with and provide services to third parties,
    • communications,
    • improvement of our business processes, services and products,
    • scientific research,
    • compliance with legal obligations.
  • To safeguard our legitimate interests or that of a third party, so long as fundamental rights and freedoms are protected.
  • Activities essential for protecting vital interests of individuals (for example in an emergency).
  • Auditing and financial management.
Our suppliers’, their employees and contractors
  • Identification information (e.g. account manager’s name for services).
  • Contact information (e.g. telephone number, email, location [including home office information], company name).
  • Financial information, such as bank account details to enable payments (while usually company bank accounts, this may include Personal Data in certain instances such as sole traders).
  • Electronic identification information, internet service provider (ISP), system usage and related preferences, email address, when they contact us, access on-line services or information.
To:

  • facilitate the provision of services to Seeing Machine’s, such as supply of IT equipment,
  • manage our contracts,
  • respond to inquiries, send notices, resolve disputes, and troubleshoot problems,
  • undertake our ongoing business operations, such as audit, fraud control or financial management,
  • enhance, improve, or modify business processes.
  • Performance of contract
  • Legitimate interest:
    • invoicing, sales and logistics,
    • management of the relationship,
    • communications,
    • improvement of our business processes, services and products,
    • compliance with legal obligations.
Individuals who engage with us in relation to marketing or corporate communication
  • Identification information (e.g. name).
  • Contact information (e.g. email address, telephone number, company name).
  • Electronic identification information, internet service provider (ISP), system usage and reeled preferences, and email address, when they contact us, or access on-line information.
To:

  • inform individuals and organisations about our activities, including sending our newsletters or reports,
  • facilitate our activities as a public company, such as continuous disclosure,
  • respond to inquiries, send notices, resolve disputes, and troubleshoot problems,
  • undertake our ongoing business operations, such as audit, fraud control or financial management,
  • to ensure that content from our site is presented in the most effective manner for the individual and their computer.
  • Consent (i.e. newsletters, mailing lists).
  • Legitimate interest (i.e. to manage the relationship, the improvement of our business processes, marketing activities, communication, for any developments related to corporate restructuring).
Shareholders, board members and individuals who engage with Seeing Machines in relation to investment, or other corporate engagement
  • Share-holding related information, such as share offers and/or transactions (including in limited circumstances contact information).
  • Conflict of interest information in relation to board members.
  • Biographical information in relation to board members.
  • Electronic identification information, internet service provider (ISP), system usage and related preferences, and email address, when they contact us, or access on-line information.
To:

  • inform individuals and organisations about our corporate or shareholding activities,
  • facilitate our activities as a public company, including maintaining our share register and communicating with shareholders,
  • respond to inquiries, send notices, resolve disputes, and troubleshoot problems,
  • meet our corporate governance, shareholder, trading, disclosure and related obligations,
  • undertake our ongoing business operations, such as audit, fraud control or financial management,
  • to ensure that content from our site is presented in the most effective manner for the individual and their computer.
  • Consent (i.e. newsletters, mailing lists)
  • Legitimate interest (i.e. to manage the relationship, the improvement of our business processes, to provide financial and/or performance reports, for any developments related to markets and/or corporate restructuring).
Individuals who visit our premises
  • Identification information (e.g. name).
  • Contact information (e.g. address, telephone number).
  • Video and still-images of visitors to our premises.
To:

  • maintain the safety and security of our premises, information and assets,
  • to meet our legal obligations, such as those relating to health and safety.
  • Legitimate interest (i.e. security of our premises, the improvement of our business process, communications; to meet our legal obligations).
Individuals who engage with our corporate digital services (i.e. visit our website) or email or telephone our employees
  • Identification information (e.g. name).
  • Contact information (e.g. email address, telephone number).
  • Electronic identification information, internet service provider (ISP), system usage and related preferences, and email address, when they contact us, or access on-line information.
To:

  • ­to ensure that content from our site is presented in the most effective manner for the individual and their computer,
  • respond to inquiries, send notices, resolve disputes, and troubleshoot problems,
  • undertake our ongoing business operations, such as audit, fraud control or financial management.
  • Legitimate interest (i.e. security of our systems, the improvement of our business process, communications; to meet our legal obligations).

1 In collecting this information, we may also obtain sensitive Personal Data about our client’s employees, as defined under data protection laws, such as, biometric data (i.e. facial images), data revealing racial or ethnic origin or data concerning a person’s health. This data is obtained as a result of in-vehicle video recording and images of the driver or operator and information about the drivers’ driving behaviour, such as fatigue and distraction events, but we do not record racial, ethnic or health data in our databases.

Sub-Processing

Subject to the terms of this DPA, You authorise Seeing Machines to engage Sub-Processors and Affiliates for the Processing of Personal Data.

For each Sub-Processor, Seeing Machines will:

  • prior to the Sub-Processor Processing Personal Data, carry out reasonable due diligence to ensure that the Sub-Processor can provide the level of protection for Personal Data required under the Agreement, this DPA and applicable Data Protection Laws; and
  • ensure that the agreement between Seeing Machines and Sub-Processor is governed by a written enforceable contract including terms which offer at least the same level of protection for Personal Data as those set out under the Agreement, this DPA and applicable Data Protection Laws.

You agree that in the provision of Services under the Agreement, the Sub-Processors listed in Seeing Machines Sub-Processor List are authorised to Process Personal Data in accordance with the Agreement. You must subscribe to receive notice of updates to the list of Sub-Processors by writing to privacy@seeingmachines.com.

At least fourteen (14) days before authorising any new Sub-Processor to access Personal Data, Seeing Machines will update the list of Sub-Processors by written notice. Where Seeing Machines is a Processor (and not a Sub-Processor), the following applies:

  • If, based on reasonable grounds related to the inability of such Sub-Processor to protect Personal Data, You do not approve of a new Sub-Processor, then Seeing Machines will use reasonable efforts to make available to You a change in the Service or recommend a commercially reasonable change to avoid processing of Your Personal Data by the new Sub-Processor.
  • If, Seeing Machines is unable to recommend a commercially reasonable change, You may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of the Sub-Processor to process Your Personal Data.
  • Unless agreed to otherwise with Seeing Machines, You shall remain obligated to make all payments required under any purchase order or other contractual obligation with Seeing Machines and shall not be entitled to any refund or return of payment from Seeing Machines.

International Transfer of Personal Data

Seeing Machines primarily store, collect and process Personal Data in Australia, European Economic Area (EEA) and the United States. In the case of Personal Data collected in the EEA, the Personal Data is stored on servers located within the EEA.

You authorise Seeing Machines to transfer and Process Personal Data in Australia, United Kingdom, EEA and United States of America as necessary to perform the Services. Notwithstanding the foregoing, Seeing Machines may require Personal Data to be transferred in other countries as necessary to perform the Services and you appoint Seeing Machines to perform any such transfer to process Personal Data as necessary to provide the Services. Seeing Machines will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.

Where the Processing involves the international transfer of Personal Data under applicable Data Protection Laws in the EEA to Seeing Machines, Affiliates or Sub-Processors in a jurisdiction: (i) that has not been deemed by the European Commission or the UK Information Commissioner’s Office to provide an adequate level of data protection, and (ii) there is not another legitimate basis for the international transfer of such Personal Data, such transfers will be subject to either the EU Standard Contractual Clauses and/or the UK IDTA Addendum (as applicable) or other data transfer arrangements available under applicable Data Protection Laws. For international transfers subject to:

  • the EU Standard Contractual Clauses, the parties hereby deemed to have entered (and incorporated by reference) the EU Standard Contractual Clauses as applicable:
    • Module Two where You are a Controller and Seeing Machines is a Processor; or
    • Module Three where You and Seeing Machines are both Processors.
  • the UK IDTA Addendum, the parties hereby deemed to have entered (and incorporated by reference) the UK IDTA Addendum.

For the purposes of the EU Standard Contractual Clauses and UK IDTA Addendum, You act as the Data Exporter on Your behalf and on behalf of any of Your entities, and Seeing Machines acts as the Data Importer on its own behalf and/or on behalf of its Affiliates.

Where the Processing involves the international transfer of Personal Data under other applicable Data Protection Laws to Seeing Machines, Affiliates or Sub-Processors, such transfers are subject to the data protection terms specified in this DPA and applicable Data Protection Laws.

Requests from Data Subjects

Seeing Machines will make available to You the Personal Data of your Data Subjects and the ability to fulfill requests by Data Subjects to exercise their rights under applicable Data Protection Laws consistent with Seeing Machine’s role as a Data Processor.

If Seeing Machines receives a request directly from Your Data Subject to exercise their rights under applicable Data Protection Laws, Seeing Machines will direct the Data Subject to You unless prohibited by law.

Security

Seeing Machines shall implement and maintain appropriate administrative, technical, and organisational practices to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Seeing Machines seeks to continually strengthen and improve its security practices, and reserves the right to modify its security practices. Any modifications will not diminish the level of security during the term of Services.

Seeing Machines personnel are bound by appropriate confidentiality agreements and are required to take regular data protection trainings and comply with Seeing Machines’ privacy and security policies and procedures.

Personal Data Breach

Seeing Machines shall notify You without undue delay after becoming aware of a Personal Data Breach involving Your Personal Data held by Seeing Machines and provide reasonable assistance in the event of an investigation to the Personal Data Breach, each Party at its own costs.

You shall notify Seeing Machines on becoming aware of a Personal Data Breach in relation to Product Data and provide reasonable assistance in the event of an investigation related to the Personal Data Breach, each Party at its own costs.

Assistance

You and Seeing Machines agree to provide reasonable mutual assistance with any data protection impact assessment, and prior consultations with applicable regulatory authorities which You or Seeing Machines considers to be required by Data Protection Laws, each Party at its own cost.

Return and Deletion of Personal Data

Seeing Machines will delete Personal Data consistent with the Agreement and as described under the Seeing Machines Privacy Policy.

Notwithstanding the aforementioned, Seeing Machines maybe subject to Data Protection Laws or other laws to Process Personal Data, in which case Seeing Machines shall to the extent permitted by Data Protection Laws or other laws inform You before Processing the Personal Data.

Data Protection Officer

You may contact the Seeing Machines Data Protection Officer at privacy@seeingmachines.com.

Term

The term of this DPA shall coincide with the commencement of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.