Data Processing Terms

Last updated 16 December 2024

This Data Processing Addendum (DPA) forms part of Gallagher’s Cloud Services General Terms (Terms and together the Agreement), entered between Gallagher Group Limited or one of its Affiliates (Gallagher), and the entity that is a party to the Terms (Customer, you).

This DPA sets out the terms on which Gallagher will process personal data on behalf of the Customer in connection with the Services provided by Gallagher.

1. Definitions

Affiliate: means, with respect to any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity. For the purposes of this definition, “control” means the direct or indirect ownership of more than 50% of the voting securities or other ownership interests of an entity, or the power to direct or cause the direction of the management and policies of such entity, whether through ownership, by contract, or otherwise.

Data Protection Law: means all applicable laws and regulations relating to the processing, protection, or privacy of Personal Data, including but not limited to the Privacy Act 1988 (Cth) in Australia, UK General Data Protection Regulations and the UK Data Protection Act 2018, and EU General Data Protection Regulation (EU) 2016/679.

Notifiable Data Breach: means an unauthorised access, disclosure, or use of Personal Data that results in a likely risk of serious harm to the data subject that requires disclosure under the relevant Data Protection Laws.

Personal Data: means any information provided by the Customer, including but not limited to names, contact details, and photo images of the Customer’s users.

Processing: means any operation performed on Personal Data, including collection, recording, organisation, storage, alteration, retrieval, use, disclosure, and deletion.

Subprocessor: means third-party service providers involved in the processing of Personal Data, which may be updated and notified to you from time to time.

Services: means all cloud-based and ancillary services provided by Gallagher to Customer.

Standard Contractual Clauses or SCC: means the European Commission’s standard contractual clauses for the transfer of personal data from the European Union to third countries, as set out in the Annex to Commission Decision (EU) 2021/914.

UK Addendum: means an addendum to the Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office, Version B1.0, in force as of 21 March 2022.

2. Roles and Responsibilities

2.1. Customer and Gallagher acknowledge that for the purpose of any applicable Data Protection Laws, the Customer is the data controller and Gallagher is the data processor.

2.2. Customer determines the purposes and means of processing Personal Data and is responsible for compliance with applicable Data Protection Law.

2.3. Gallagher processes Personal Data only in accordance with the Customer's instructions as outlined in this DPA and the Terms.

3. Processing of Personal Data

3.1. Gallagher will process Personal Data solely for the purposes of providing the Services, or as instructed by Customer.

3.2. Gallagher will not process Personal Data for any purpose other than as instructed by the Customer, except as required by law.

3.3. Gallagher will notify the Customer of any lawful request for access to Personal Data by a third party unless prohibited by law.

4. Subprocessing

4.1. Gallagher uses AWS as a Subprocessor to store Personal Data on servers located in Australia and the United States. Gallagher has a data processing agreement in place with AWS, ensuring equivalent data protection obligations as imposed under this DPA.

4.2. Gallagher uses Apple, Inc. as a Subprocessor to provide the Apple Wallet employee badge service. Apple, Inc. processes data in accordance with its Privacy Policy, which ensures equivalent data protection obligations as imposed under this DPA.

4.3. Gallagher will inform the Customer of any intended changes to its Subprocessors and give the Customer the opportunity to object.

5. Security Measures

5.1. Gallagher shall implement appropriate technical and organisational measures to protect Personal Data, including encryption in transit and at rest.

5.2. Where a transfer of Personal Data is subject to the Standard Contractual Clauses, the technical and organisational measures set out in Annex B of this DPA will apply.

5.3. Gallagher shall restrict access to Personal Data to authorised Gallagher employees and developers who require such access for the performance of their duties.

6. Data Retention and Deletion

6.1. The retention period for Personal Data is determined by the Customer.

6.2. Upon termination of the Customer’s subscription with Gallagher, or upon the Customer’s request, Gallagher shall delete all Personal Data in accordance with the Terms.

6.3. Responsibility for correcting or deleting any Personal Data resides with the Customer.

7. Cross-border Data Transfers

7.1. If the relevant Data Protection Laws restrict cross-border Personal Data transfers, the Customer will only transfer that Personal Data to Gallagher under the following conditions:
a) Gallagher, either through its location or participation in a valid cross-border transfer mechanism under the Data Protection Laws, may legally receive that Personal Data; or
b) The Customer obtained valid data subject consent to the transfer under the relevant Data Protection Law.

7.2. If any Personal Data transfer between the Customer and Gallagher requires execution of Standard Contractual Clauses in order to comply with the Data Protection Laws, the parties agree to the Standard Contractual Clauses, incorporating the information from Annexes A and B to this DPA, and additionally, for processing Personal Data of United Kingdom residents, the UK Addendum. The Customer will be the data exporter and Gallagher will be the data importer and the parties will take all other actions required to legitimize the transfer, including implementing any needed supplementary measures or supervisory authority consultations.

7.3. Gallagher will not transfer any Personal Data to another country unless the transfer complies with the relevant Data Protection Laws.

8. Notifiable Data Breaches

8.1. In the event of a Notifiable Data Breach, Gallagher will notify the Customer without undue delay.

8.2. Gallagher will cooperate with the Customer in fulfilling any notification or regulatory compliance requirements resulting from the Notifiable Data Breach.

9. Limitation of Liability

9.1. Gallagher cannot and does not guarantee that data breaches will not occur.

9.2. The Customer confirms they have cyber insurance in place to cover any costs associated with notification, regulatory compliance, or addressing the consequences of a data breach.

9.3. To the extent permitted by law, Gallagher’s liability for any costs incurred by the Customer as a result of a data breach, where Gallagher is found responsible, shall be subject to the liability cap in the Terms.

10. Termination

10.1. This DPA shall remain in force for the duration of the Customer's subscription to Services.

10.2. Upon termination of the subscription, Gallagher will delete or return all Personal Data in accordance with the Terms.

11. Governing Law

11.1. Except as otherwise provided herein, this DPA will be governed by laws local to the Data Subject and if the Data Subject is located in:

11.1.1. the United Kingdom, the laws of England and Wales will govern, with disputes resolved through the Information Commissioner’s Office.

11.1.2. the European Union, the laws of the Netherlands shall govern.

12. Miscellaneous

12.1. Gallagher reserves the right to amend this DPA as necessary to comply with changes in privacy law or service terms.

12.2. Any such amendments will be communicated to the Customer in a timely manner.

12.3. The provisions of this DPA are supplemental to the provisions of the Terms. In the event of inconsistencies between the provisions of this DPA and the provisions of the Terms, the provisions of this DPA shall prevail with respect to the subject matter of this DPA. Where and to the extent that Standard Contractual Clauses apply, if there is any conflict between this DPA and Standard Contractual Clauses, Standard Contractual Clauses will prevail.

ANNEX A

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

For the purposes of Annex I of the Standard Contractual Clauses, the parties agree that the following details will apply.

A. List of parties

Module 2: Transfer Controller to Processor

Where Customer is the Controller and Gallagher is the Processor, then Customer is the data exporter and Gallagher is the data importer.

Module 3: Transfer Processor to Processor

Where Customer is a Processor and Gallagher is a Processor, then Customer is the data exporter and Gallagher is the data importer.

B. Description of transfer

Module 2: Transfer Controller to Processor

Module 3: Transfer Processor to Processor

Categories of data subjects whose personal data is transferred

  • Employees
  • Contractors
  • Students
  • Site visitors

Categories of personal data transferred

  • Name
  • Work email address
  • Contact number
  • Employer

No sensitive data is to be transferred, including but not limited to biometric data.

The frequency of the transfer

For SmartAccess and Apple Wallet Employee Badge, the Personal Data will be processed one time for each data subject.

For Command Centre Web, the processing of Personal Data for data subjects will be continuous.

Nature of the processing

Personal Data is subject to the following processing activities:
a) data transmission
b) data retrieval
c) data access
d) back up and restoration
e) monitoring and troubleshooting
f) storage
g) testing of the Services

Purposes of the data transfer and further processing

The business purposes for which Gallagher will process the Personal Data are for the purposes of providing the Services to the Customer, including but not limited to the following:

  • SmartAccess
  • Command Centre Web
  • Command Centre Mobile
  • Mobile Connect
  • Apple Wallet Employee Badge

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Gallagher will process the Personal Data for the duration of the Services, unless otherwise instructed by the Customer.

For transfers to subprocessors:

The Services will be hosted on AWS servers in Australia and backed up on AWS servers in the United States for the duration of the Services, unless otherwise agreed.

C. Competent Supervisory Authority

The competent supervisory authority shall be the Dutch Data Protection Authority in the Netherlands in accordance with clause 13 of the Standard Contractual Clauses.

ANNEX B

TECHNICAL AND ORGANISATIONAL DATA SECURITY MEASURES

For the purposes of Annex II of the Standard Contractual Clauses, the technical and organisational data security measures are:

  • Measures of pseudonymisation and encryption of personal data
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Measures for user identification and authorisation
  • Measures for the protection of data during transmission
  • Measures for the protection of data during storage
  • Measures for ensuring physical security of locations at which personal data are processed
  • Measures for ensuring events logging
  • Measures for ensuring system configuration, including default configuration
  • Measures for internal IT and IT security governance and management
  • Measures for certification/assurance of processes and products
  • Measures for ensuring data minimisation
  • Measures for ensuring data quality
  • Measures for ensuring limited data retention
  • Measures for ensuring accountability
  • Measures for allowing data portability and ensuring erasure