Data Processing Addendum

1. Purpose

This Data Processing Addendum (“DPA”) has been concluded between Appen Ltd. with
its principal place of business at Level 6, 9 Help Street, Chatswood, NSW Australia
2067 ("Appen") and Faqih Fakhruddin (the “Contractor”) and describes the terms and
conditions applicable to the processing of personal data by the Contractor on
behalf of Appen.

Unless otherwise stated in this DPA, the terms and conditions (including
definitions) of the Master Services Agreement for services concluded between Appen
and the Contractor (the “Agreement”) shall apply.

Some other helpful information for you on Data Privacy

As part of our efforts to help your understanding of, and compliance with, data
privacy legislation we have compiled a small business data privacy compliance
reference guide. Please click here to view.
2. Definitions

“Data Protection Law(s)” means (a) EU or EU Member State laws applicable to any
Appen Personal Data in respect of which the Contractor is subject including,
without limitation, the GDPR for so long as it remains in legal effect; and (b) any
other applicable law with respect to Appen Personal Data in respect of which the
Contractor is subject;

“GDPR” means the Regulation (EU) 2016/679 of the European parliament and the
Council of 27 April 2016 on the protection of natural persons with regard to the
Processing of Personal Data and on the free movement of such data, and repealing
Directive 95/46/EC, as transposed into domestic legislation of each Member State
and as amended, replaced or superseded from time to time, including by the GDPR and
laws implementing or supplementing the GDPR;

“Personal Data” means any information relating to an identified or identifiable

natural person;

“Personal Data Breach” means a breach of security leading to the accidental or

unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
Personal Data transmitted, stored or otherwise Processed; and

“Processing” means any operation or set of operations which is performed upon

Personal Data, whether or not by automatic means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction, “Process”
and “Processed” shall have an equivalent meaning.
3. General
3.1 This DPA is a contract that governs the Processing by the Contractor of
Personal Data provided to the Contractor by Appen (or Appen’s employees,
subcontractors or affiliates on Appen’s behalf). This DPA specifies the terms and
conditions under which the Contractor Processes such Personal Data on behalf of
Appen when the Contractor is providing services to Appen.
3.2 The Parties’ intention is to conclude this DPA in order to comply with the
requirements of the GDPR and other Data Protection Laws.
3.3 Appen is the data controller (as defined by GDPR) of Appen’s Personal Data
Processed by the Contractor under the Agreement, and the Contractor is the data
processor (as defined by GDPR), who Processes the said Personal Data on behalf and
in accordance with the instructions of Appen under this DPA.
3.4 Annex A to this DPA sets out the categories of data subjects, categories of
Processing carried out by the Contractor, and the purpose for which the Contractor
Processes Appen’s Personal Data.
4. Appen's Instructions
4.1 Appen will provide the Contractor with written instructions on the Processing
of Personal Data, and the Contractor agrees to Process the Personal Data only in
accordance with such documented instructions received from Appen.
4.2 Appen will provide the Contractor with written instructions regarding
transfers of Personal Data to a third country, subject to paragraph 7 of this DPA.
4.3 The Contractor will notify Appen immediately (unless the applicable
legislation prohibits such notification), if the Contractor considers that the
written instructions given by Appen are in violation of the Data Protection Laws
applicable to the Contractor.
5. General Responsibilities of the Contractor
5.1 The Contractor must Process the Personal Data with due care and in compliance
with this DPA and the Data Protection Laws. The Contractor may not Process Personal
Data for any other purpose than what is stipulated in the Agreement and this DPA.
5.2 The Contractor will keep Personal Data confidential and will not disclose
Personal Data in any way to any third party without the prior written approval of
Appen, unless the disclosure is strictly necessary for the compliance with a
mandatory legal obligation.
5.3 The Contractor must implement and maintain appropriate physical, technical
and organisational measures and controls required by Data Protection Laws to ensure
sufficient security of Processing and to prevent Personal Data Breaches.
5.4 The Contractor will assist Appen with appropriate technical and
organisational measures that are necessary for Appen to fulfil its obligation to
respond to requests concerning the exercise of the data subject's rights relating
to Personal Data under the Data Protection Laws.
5.5 If a Party receives a request concerning the use of a data subject’s rights
relating to Personal Data, the Party receiving the request must notify the other
Party of the request without undue delay after the receipt of the request if its
fulfilment requires any actions from the other Party.
5.6 The Contractor may fulfil a request referred to in 5.5 above only upon
Appen’s written request or confirmation for the actions to be taken. The Contractor
will comply with Appen’s further instructions relating to fulfilment of such
request. The Contractor will upon Appen’s request provide Appen with the necessary
documentation to confirm that the Contractor has fulfilled Appen’s request
appropriately.
5.7 If the data subject’s request concerns the right of access to data, the
Contractor will, upon Appen’s request, provide Appen with a copy of the data
subject’s Personal Data undergoing Processing.
5.8 The Contractor will assist Appen in ensuring compliance with the following
obligations under the GDPR as may be requested by Appen from time to time:
(a) notification of Personal Data Breaches to supervisory authorities and the
data subjects;
(b) participating in any data protection impact assessment at request of
Appen; and
(c) participating in any prior consultation of the supervisory authority at
request of Appen.
5.9 The Contractor will make available to Appen, upon Appen’s request, such
information that is necessary to demonstrate compliance with the obligations laid
down in the Data Protection Laws relating to the Personal Data.
6. Data Security
6.1 The Contractor shall implement appropriate and adequate technical and
organisational measures, in line with good industry practice, to protect the
Personal Data and to ensure an appropriate and adequate level of security so that
Personal Data are Processed in accordance with the requirements set out in this DPA
and the Data Protection Laws.
6.2 The Contractor must ensure that the persons Processing Personal Data have
committed themselves to confidentiality obligations both during and after the
Processing, or are under an appropriate statutory obligation of confidentiality.
6.3 The Contractor will ensure that only the relevant employees have access to
the Personal Data Processed under this DPA. The Contractor will implement necessary
measures to ensure that the said persons only Process Personal Data in accordance
with this DPA and Appen’s written instructions.
6.4 Subject to paragraph 4 of this DPA, the Contractor undertakes to comply with
the instructions that Appen may communicate in writing and any regulatory
information security requirements applicable to the Contractor’s operations.
6.5 At Appen’s written request, the Contractor will provide Appen with a written
report on the implementation of the aforementioned measures and instructions.
6.6 If Appen at any time considers that the measures implemented by the
Contractor are insufficient for ensuring the protection of Personal Data in
accordance with the Personal Data Legislation, the Contractor will implement the
additional measures proposed by Appen and agreed between the Parties to ensure the
data security, subject to the Parties agreeing on the compensation or division of
the increased costs caused by such additional measures.
7. Transfers of Personal Data
7.1 The Contractor is not entitled to transfer Personal Data outside the EU or
the EEA without Appen’s explicit prior written consent. In case the Contractor
transfers Personal Data outside the EU or the EEA at Appen’s written request or
prior written consent, Appen and the Contractor will agree on any required
contractual and other measures before the transfer of the Personal Data, which
shall as a minimum contain those set out in paragraph 7.3 below. The same
requirement applies to any subcontractors used by the Contractor.
7.2 The Contractor will notify Appen upon request of the countries in which
Personal data will be Processed (including the countries from which the Personal
Data can be accessed).
7.3 Where the Contractor requests Appen’s consent pursuant to paragraph 7.1, for
example, where the Contractor or its subcontractors are located, or has its servers
located, outside of the EEA, Appen’s consent shall be subject to:
(a) the Contractor taking all steps necessary to ensure an adequate level of
protection to any Personal Data that is transferred, which may include entry into
appropriate contractual arrangements with such non-EEA recipient for the transfer
of Personal Data to applicable third countries outside the EEA as adopted and
approved by the EU Commission or competent data protection regulatory authority in
accordance with applicable Data Protection Laws (Standard Data Protection Clauses)
or third party self-certification under the EU-United States Privacy Shield Program
(as may be evolved, superseded or replaced from time to time), for which purpose,
Appen shall grants to the Contractor a mandate to enter into the Standard Data
Protection Clauses with approved subcontractors on behalf of Appen; and
(b) the Contractor working with Appen, as Appen requires, and at no
additional cost, to apply for and obtain any permit, authorisation or consent that
may be required under Applicable Data Protection Law in respect of the
implementation of this paragraph 7.3.
7.4 As between the Contractor and Appen, the Contractor shall remain liable for
acts or omissions of any third-party processor appointed by the Contractor pursuant
to paragraph 7.3.
7.5 Appen may, at any time on not less than 30 days’ notice, revise this
paragraph 3 by replacing it with any applicable controller to processor standard
clauses or similar terms forming part of an applicable certification scheme (which
shall apply when replaced by attachment to this agreement).
8. Subcontractors
8.1 The Contractor is not entitled to use subcontractors in the Processing of
Personal Data without Appen’s prior written consent (to which the provisions of
paragraph 7 shall apply where any such subcontractor is located or carries out any
of its Processing activities outside of the EEA). The Contractor shall be
responsible that its subcontractors Process the Personal Data in accordance with
this DPA and the Data Protection Laws. The Contractor will inform Appen of any
intended changes (taking place after conclusion of this DPA) concerning the
subcontractors and will give Appen opportunity to object to such changes.
8.2 The Contractor is responsible for ensuring that its subcontractors Process
the Personal Data in accordance with this DPA. The Contractor must especially
ensure that each subcontractor implements all the appropriate physical, technical
and organisational measures and controls so that the Personal Data are Processed in
accordance with this DPA and the Data Protection Laws.
8.3 The Contractor will, at Appen’s written request, provide Appen with a written
confirmation on how the Contractor has ensured that its subcontractors comply with
the aforementioned obligations.
9. Personal Data and Data Security Breaches
9.1 In the case of a Personal Data Breach, the Contractor will notify Appen of
the Breach without undue delay and not later than 24 hours after having become
aware of it.
9.2 When notifying Appen of a Personal Data Breach, or immediately after such
notification, the Contractor will provide Appen with the following information:
(a) a description of the Personal Data Breach, including when possible the
categories and approximate number of data subjects concerned, and the categories
and approximate number of Personal Data records concerned;
(b) the contact information of the Contractor’s contact point where more
information can be obtained; and
(c) a description of the measures taken by the Contractor to address the
Personal Data Breach and the measures taken to mitigate the adverse effects of the
Personal Data Breach.
9.3 The Contractor undertakes to provide Appen any additional information
reasonably requested by Appen regarding such Personal Data Breach for example for
the purpose of notifying the supervisory authority and the data subjects of the
Personal Data Breach.
9.4 The Contractor will implement necessary measures to prevent or mitigate the
adverse effects of a Personal Data Breach.
9.5 The Contractor will document all Personal Data Breaches, including
circumstances concerning the Breach, and the remedial measures taken. The
Contractor will provide Appen with the documentation on Appen’s written request.
10. Records of Processing Activities
10.1 10.1 The Contractor must maintain a record of the Processing activities
carried out on behalf of Appen. The record will contain the following information
(as required by the GDPR):
(a) the name and contact details of Appen, the Contractor and the
Contractor’s contact person and information about possible subcontractors;
(b) the categories of Processing carried out on behalf of Appen;
(c) information on transfers of Personal Data outside the EU or EEA,
including the said third countries; and
(d) a description of the technical and organisational safety measures
implemented by the Contractor in accordance with paragraph 5 of this DPA.
10.2 The Contractor will provide Appen with the record on Appen’s written request.
11. Right to Audit
11.1 The Contractor will provide Appen with all information reasonably requested
by Appen to demonstrate the Contractor’s compliance with the requirements of this
DPA (including any implementation of the appropriate technical and organisational
measures).
11.2 During the term of this DPA, Appen or an independent third-party auditor
appointed by Appen will have the right to audit the Contractor’s compliance with
the obligations under this DPA (including any implementation of the appropriate
technical and organisational measures).
11.3 Appen must notify the Contractor of the audit at least 14 days in advance.
The Contractor will always allow the regulatory authority supervising Appen’s
business to conduct audits targeted at Appen’s obligations as data controller. The
relevant parts of this paragraph 11 will be applied to such audits.
11.4 The subject of the audit will be the Contractor’s documentation, processes
and controls related to information security and the Processing of Personal Data
and other information necessary to evaluate the Contractor’s compliance with this
DPA. The Contractor will participate in and contribute to the audit to the extent
necessary. The Contractor will also, on Appen’s request, participate in a
supervisory authority’s audit targeted at Appen and provide the supervisory
authority with the required information to conduct such audit. Both Appen and the
Contractor agree to cooperate, on request, with the supervisory authority in the
performance of its tasks.
11.5 Each Party will bear its own costs resulting from the audit and Appen will
bear the costs for the use of third-party auditor. If the audit reveals a material
non-compliance with this DPA or Data Protection Laws, the Contractor will cover all
the costs of the audit, including the third-party auditor’s fees.
12. Term and Termination of the Processing of Personal Data
12.1 The Contractor will Process Personal Data as long as it is necessary for the
Contractor in order to provide services to Appen under an addendum concluded
between the Parties. The Contractor undertakes, in accordance with Appen’s written
request and without undue delay, to delete the Personal Data or return the Personal
Data to Appen (or to a third party appointed by Appen) in agreed, generally
accepted format.
12.2 The Contractor will return or delete the Personal Data upon termination of
this DPA, including all existing copies of the Personal Data in its possession,
unless the Contractor is required to store the said Personal Data under mandatory
law or regulation.
12.3 The Contractor undertakes not to Process Personal Data after it has been
successfully transferred to Appen or a third party appointed by Appen, or after it
has been successfully removed. The Contractor may however continue to store and
access Personal Data as provided by paragraph 12.2 above.
13. Governing Law and Jurisdiction
This DPA and any dispute or claim (including non-contractual disputes or
claims) arising out of or in connection with it or its subject matter or formation
shall be governed by and construed in accordance with the law of England and Wales.