Data Protection Addendum Agreement
This Data Protection Addendum (“Addendum”) forms part of the Customer Services Agreement (“Principal Agreement”) between:
(i) Levno Limited, being New Zealand Company Number 4072478) (Levno) acting on its own behalf and as agent for each Levno Affiliate; and
(ii) Levno’s Customer as described in the Principal Agreement, acting on its own behalf and as agent for each Customer Affiliate (“Customer”).
This Addendum governs the receipt, access, processing, and other activity as governed by Applicable Law regarding all Customer Personal Data received by Levno as the Processor, from the Customer or a Customer Group Member as defined below, each as the Controller.
In consideration of the mutual obligations set out in this Addendum, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement.
1. Definitions
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Applicable Law” means: (a) New Zealand Privacy Law to the extent applicable; (b) EU Data Protection Law to the extent that the Customer Personal Data constitutes the Personal Data of an EU Data Subject; or (c) UK Data Protection Law to the extent that the Customer Personal Data constitutes the Personal Data of a person residing in the UK who has protection under that law; or (c) any other applicable law with respect to any Customer Personal Data in respect of which Customer is subject to, as notified by Customer and agreed in writing between the parties from time to time so as to form part of this Addendum or which otherwise applies to Levno;
“Customer Group Member” means Customer or any Customer Affiliate, each being a “Customer Entity”; and “Customer Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Customer Personal Data” means all Personal Data Processed by a Contracted Processor on behalf of a Customer Entity, as supplied by a Customer Entity (including its appointed users) as part of the Services and pursuant to the Principal Agreement;
“Contracted Processor” means Levno or a Subprocessor but excluding all employees and contractor personnel of Levno, and all Third Party Services Providers;
“EU Data Protection Law” means the GDPR, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time by the and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679 once effective on 25 May 2018, including its equivalent provisions as may exist from time to time under UK Data Protection Law to the extent that UK Data Protection Law applies;
Levno Hosted Services Provider means the primary third-party hosted services provider used by Levno from time to time as a Subrocessor and who is identified as such in the Subprocessor List as described in clause 5.3 of this Addendum;
“Services” means the services and other activities to be supplied to or carried out by or on behalf of Levno for a Customer Entity pursuant to the Principal Agreement;
“Standard Contractual Clauses” or “SCC” means Standard Contractual Clauses under EU Data Protection Law, including the EU Commission’s Implementing Decision 2021/914 dated 4 June 2021 or any update to or replacement of that, or as is applicable from time to time under UK Data Protection Law (if that is the Applicable Law);
“Subprocessor” means any person (including any third party and any Levno Affiliate), appointed by or on behalf of Levno or any Levno Affiliate to Process Customer Personal Data but excludes all Third Party Services Providers; and
“Levno Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Levno, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
New Zealand Privacy Law means the New Zealand Privacy Act 2020 as well as any regulations, applicable codes of conduct, administrative decisions, directives or orders made or issued under such legislation.
“Third Party Services Provider” means a third party provider of products, applications, services, software, networks, systems, directories, websites, databases and information which the Customer elects to obtain from that third party via optional links provided within the Services, or which Customer may itself otherwise elect to connect to or enable in conjunction with a Services, including, without limitation, any third party services which may be integrated directly into Customer’s platform by Customer or at Customer’s direction.
“UK Data Protection Law” means the data protection laws in force from time to time in the United Kingdom.
1.2 The terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Supervisory Authority” and any other terms used in GDPR and not expressly defined in this Addendum shall have the same meaning as in the GDPR, or UK Data Protection Law if applicable or other Applicable Law as may be applicable (or similar terms as used in such other Applicable Law), and their cognate terms shall be construed accordingly, unless otherwise required under Applicable Law.
1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
2. Commencement and Duration
2.1 This Addendum shall be legally binding once signed by both parties, being the date noted at the start of this Addendum, and will then continue to apply unless and until the later of:
a) the Principal Agreement terminates for any reason; and
b) each Contracted Processor ceases to process any Customer Personal Data.
3. Customer Rights, Obligations and Acknowledgements
3.1 The Customer acknowledges and accepts the provisions of the Levno Privacy Statement published on the Levno website located atwww.levno.com/privacy. That Privacy Statement includes a list of fundamental rights held by each Customer Entity Data Subject, which Levno agrees to abide by.
3.2 Each Customer Entity, as a Controller:
a) Instructs Levno and each Levno Affiliate (and authorises Levno and each Levno Affiliate to instruct each Contracted Processor) to:
i. Process Customer Personal Data; and
ii. in particular, transfer Customer Personal Data to any country or territory,as reasonably necessary for the provision of the Services and consistent with the Principal Agreement and in compliance with the obligations of Levno and Levno Affiliates as set out in this Addendum.
b) Warrants and represents at all times throughout the duration of this Addendum:
i. that it holds, at all times required pursuant to this Addendum and pursuant to the Applicable Law, all permits, consents and authorisations required from each Data Subject employed by or contracted to any Customer Entity or otherwise under the control of any Customer Entity or in association with a Customer Entity, and who is engaged with the Services in any way, in relation to the processing of that Data Subject’s Personal Data pursuant to the terms of this Addendum;
ii. that it is solely responsible for the accuracy of Customer Personal Data and the means by which (and associated lawfulness of) such Customer Personal Data is acquired and used as part of the Services, including as to the Processing by Levno in accordance with this Addendum, all in accordance with the Applicable Law, particularly with respect to the security, protection and disclosure of Customer Personal Data to Levno;
iii. that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2(b) on behalf of each relevant Customer Affiliate;
iv. that, if GDPR forms part of the Applicable Law:
A. all Customer Personal Data will comply with GDPR Articles 5(1)(b) to (e) inclusive;
B. in respect of all Customer Personal Data, Article 6(1) of the GDPR is fulfilled by sub Article (b) of that Article (i.e. performance of a contract), and that to the extent that sub Article (a) of that Article 6(1) applies (i.e. consent), that it has complied with Article 7 and all other consent related provisions of GDPR;
C. the nature and scope of all Customer Personal Data is such that the following Articles of GDPR will not apply to this Addendum and are outside the scope of the responsibilities of Levno and each Levno Affiliate unless agreed otherwise in writing between the parties: 8, 9, 10, and 11;
D. that the Customer will act in compliance with all Controller-related obligations as set out in GDPR; and
E. without limiting clause 4 below, the Customer will work closely and efficiently with Levno and each Levno Affiliate (as may be required) to ensure that the rights of each Data Subject (i.e. as linked to the relevant applicable Customer Personal Data) under Applicable Law are upheld and so that due compliance occurs under Applicable Law.
c) Acknowledges and accepts that that, if GDPR forms part of the Applicable Law:
i. Article 35 of GDPR (Data Protection Impact Assessment) does not apply to this Addendum or to the Principal Agreement unless and until either Customer or Levno writes to the other of them setting out reasonable grounds for the application of this Article. If Articles 35 or 36 of GDPR do apply at any time, then the parties will work together in good faith to progress compliance by each party with those Articles.
ii. Even if Levno or any Levno Affiliate is considered to be a joint controller under Article 26 of GDPR, that as between the parties to this Addendum, the relevant Customer Entity shall be deemed to be solely responsible as Controller for the purposes of GDPR or other Applicable Law.
d) Shall inform its Data Subjects:
i. about its use of data processors to Process their Customer Personal Data, including Levno; and
ii. that their Customer Personal Data may be Processed outside of the EU Member States.
e) Shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Customer Personal Data by any Customer Entity as a Data Controller, and give appropriate instructions to Levno in a timely manner.
3.3 Customer and each Customer Entity undertakes to promptly inform Levno in writing regarding any communication received from any Supervisory Authority, or any attempt by a Data Subject to enforce his or her rights under Applicable Law as regards any Customer Personal Data.
3.4 Customer acknowledges and confirms for the purposes of Article 28(3) of GDPR that the Customer Personal Data is of a standard nature and does not fall within any special category, nor does any special category of Data Subject apply. Customer acknowledges and accepts the content of Appendix 1 (Details of Customer Personal Data Processed) to this Addendum.
4. Levno Obligations (as Processor)
4.1 Levno and each Levno Affiliate shall at all times throughout the duration of this Addendum:
a) act in compliance with all Processor-related obligations as set out in the Applicable Law, in particular, if GDPR forms part of the Applicable Law, in compliance with those provisions set out in Article 28(3) of GDPR, including so as to ensure that all Contracted Processors abide by the same obligations as Levno under this sub-clause at all times as required (and with Levno and each Levno Affiliate remaining liable to Customer at all times in terms of this Addendum);
b) not Process Customer Personal Data other than on the relevant Customer Entity’s documented instructions as set out in the Principal Agreement, including as expressly permitted by this Addendum or as otherwise reasonably required to provide the Service, unless Processing is required by the Applicable Law to which the relevant Contracted Processor is subject, in which case Levno or the relevant Levno Affiliate shall to the extent permitted by the Applicable Law inform the relevant Customer Entity of that legal requirement before the relevant Processing of that Customer Personal Data;
c) without limiting clause 3 above, work closely and efficiently with each Customer Entity (as may be required) to ensure that the rights of each Data Subject (i.e. as linked to the relevant applicable Customer Personal Data) under Applicable Law are upheld and so that due compliance occurs under Applicable Law; and
d) ensure that all persons authorised by Levno and each Levno Affiliate to process any Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality regarding that data, which comply with the Applicable Law.
4.2 Levno shall not transfer Customer Personal Data from inside any of the EU Member States or the United Kingdom to outside any of those jurisdictions (or permit that to occur) unless: i) Levno has first obtained the Customer’s prior written permission to do so; or ii) Levno takes such measures as are necessary to ensure the transfer is in compliance with the Applicable Law. Such measures may include (without limitation) transferring the Customer Personal Data to a recipient in a Country which has been formally declared under the Applicable Law as having adequate protection measures in place for Personal Data, or to a recipient that has achieved binding corporate rules in compliance with the Applicable Law, or to a recipient that has executed Standard Contractual Clauses adopted, approved or otherwise effective under the Applicable Law.
4.3 Levno warrants its compliance with the content of APPENDIX 2 (Technical and Organisational Security Measures) to this Addendum as at the date of this Addendum.
4.4 Levno shall immediately inform the Customer if, in Levno’s opinion, the Customer Entity’s Processing instructions infringe, or could infringe, any law or regulation. In such event, Levno is entitled to refuse Processing of Customer Personal Data that it believes to be in violation of any law or regulation.
5. Subprocessing
5.1 Each Customer Entity authorises Levno and each Levno Affiliate to appoint (and permit each Contracted Processor appointed in accordance with this section 5 to appoint) Contracted Processor(s) in accordance with this section 5 and any permissions or restrictions contained in the Principal Agreement or in this Addendum. The list of permitted Subprocessors shall be deemed to include those third-party suppliers of goods or services to any Customer Entity with which the Customer has a contract or arrangement with from time to time, and with whom Levno or any Levno Affiliate also has a contract or arrangement with from time to time.
5.2 Levno and each Levno Affiliate may continue to use those Subprocessors already engaged by Levno or any Levno Affiliate as at the date of this Addendum, on the basis that Levno confirms that such existing Subprocessors currently meet the obligations set in this Addendum in respect of all Subprocessors, including those set out in clause 4.2 above.
5.3 Without limiting clause 5.1, Levno shall maintain an up-to-date list of the names and locations of all Contracted Processors used for the Processing of Customer Personal Data at Levno’s Subprocessor web page (the “Subprocessor List”): https://www.levno.com/legal/subprocessors/ and also available on request to privacy@levno.com. Levno shall update the Subprocessor List,on its website, to include any Contracted Processor to be appointed, at least 30 days prior to the date on which the Contracted Processor shall commence processing Customer Personal Data. Customer confirms that clauses 5.2 and 5.3 constitute general written authorisation for the purpose of Articles 28(2) GDPR if applicable, and for the purpose of clause 4.2(i) above. In relation to the Levno Hosted Services Provider as described in the Subprocessor List:
a) if GDPR applies, and if that services provider receives Customer Personal Data in any country which does not have adequacy statuspursuant to Article 45(3) of GDPR, then the Standard Contractual Clauses as apply between that service provider and Levno as its customer, shall, for the purposes of Article 46(2) of GDPR, be deemed to also apply on a back-to-back basis between Levno and the Customer (for each Customer Entity) or on such other Standard Contractual Clause terms as Levno and the Customer may agree to in writing from time to time; and
b) any “subprocessor” as expressly identified in writing by that Levno Hosted Services Provider or by any other Contracted Processor, shall also constitute a Customer-approved Subprocessor for the purposes of this Addendum.
5.4 In the event the Customer objects to the Processing of its Customer Personal Data by any newly appointed Contracted Processor as described in section 5.3, it shall inform Levno within fourteen (14) calendar days of notice being given on reasonable grounds relating to the protection of Customer Personal Data. In such event, Levno shall have the right to cure the objection (if required) through one of the following options (to be selected at Levno’s sole discretion):
a) instruct the Contracted Processor to cease any further processing of the Customer’s Personal Data in which event this Addendum shall continue unaffected, or
b) take such corrective steps as may be required to address the Customer’s objection and to proceed to use the Contracted Processor with regard to Customer Personal Data so as to ensure compliance with this Addendum, or
c) Levno may cease to provide (or Customer may agree not to use, but subject to (b) above), temporarily or permanently, the particular aspect of the Service that would involve the use of the relevant Contracted Processor with regard to Customer Personal Data, subject to a mutual agreement of the parties to adjust the remuneration of the Service considering the reduced scope of the Services.
Any Customer objection to a Contracted Processor shall be submitted to Levno by following the directions set forth in the Subprocessor List.
If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of all parties (acting reasonably) within 30 days after Levno’s receipt of Customer’s objection, then either party may terminate this Addendum (and the Principal Agreement) immediately, by written notice to the other party, and Customer will be entitled to a pro-rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Customer as of the effective date of termination.
5.5 In addition, where the Services provide links to integrations with Third Party Service Providers, and the Customer elects to enable, access or use such third party services, then the Customer Entity’s access to and use of such third party services will be governed solely by the terms and conditions and privacy policies of such Third Party Service Provider(s), and Levno does not endorse, and is not responsible or liable for, and makes no representations as to any aspect of such Third Party Service Providers, including, without limitation, their content or the manner in which the Third Party Service Provider handles Customer Personal Data or any interaction between the Customer (or its Data Subject) and the Third Party Service Provider. Levno is not liable for any damage or loss caused or alleged to be caused by or in connection with the Customer Entity’s enablement, access or use of any such Third Party Service Providers, or the Customer’s reliance on the privacy practices, data security processes or other policies of such Third Party Service Providers. Customer shall indemnify Levno and all Levno Affiliates and hold them harmless against all loss suffered by any of them arising from the excluded scope of Levno’s liability as described in this clause, and which arises in connection with Customer Personal Data.
5.6 Levno and each Levno Affiliate shall ensure that each Contracted Processor agrees to protect the Customer Personal Data to a standard consistent with the requirements of this Addendum, as applicable to Processing of Customer Personal Data carried out by that ContractedProcessor.
5.7 Levno may replace a Contracted Processor if the reason for the change is beyond Levno’s reasonable control. In such instance, Levno shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Contracted Processor pursuant to Section 5.4 above. Any replacement Contracted Processor must be such that Levno fulfils its obligations as set out in this Addendum.
6. Authority
6.1 Levno warrants and represents that, before any Levno Affiliate Processes any Customer Personal Data on behalf of any Customer Entity, Levno’s entry into this Addendum as agent for and on behalf of that Levno Affiliate will have been duly and effectively authorised (or subsequently ratified) by that Levno Affiliate.
6.2 Customer warrants and represents that, before any Customer Personal Data is transferred to Levno or any Levno Affiliate any Customer Entity, Customer’s entry into this Addendum as agent for and on behalf of that Customer Entity will have been duly and effectively authorised (or subsequently ratified) by that Customer Entity.
7. Data Subjects & any Customer Personal Data Breach
7.1 Each party shall:
a) promptly notify the other party if they (or any party affiliated to them) receives a compliant or request from a Data Subject under any Applicable Law in respect of Customer Personal Data processed by a Contracted Processor relating to this Addendum; and
b) ensure that it does not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate (to be reasonably agreed between the parties) or as required by the Applicable Law, in which case Levno shall to the extent permitted by theApplicable Law, inform Customer of that legal requirement before Levno or the Contracted Processor responds to the request.
7.2 Each party shall notify the other in writing without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing sufficient information to allow each Customer Entity or any other party to meet any obligations to report or inform Data Subjects, or any Supervisory Authority, of the Personal Data Breach under the Applicable Law.
7.3 Each party shall co-operate with the other party (and each Customer Entity or each Contracted Processor or Levno Affiliate as is relevant) and take such commercial steps as are reasonably required to assist the other party in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Audit rights
8.1 To the extent that the Applicable Law allows any Customer Entity to conduct any audit of any Contracted Processor, the following provisions will apply:
a) Reasonable advance written notice of not less than twenty working days (for the Contracted Processor) must be given, and which must also state the reasons, the scope, and the specific Applicable Law supporting the request;
b) The parties must then, in good faith and acting reasonably, discuss and agree how and when the audit will take place, and will be subject to any Contracted Processor’s legal rights in the context of such audit request;
c) The audit must be conducted by appropriately qualified and experienced third party personnel of reputable standing, and who are reasonable acceptable to both parties (including Customer and Levno);
d) The audit must minimise disruption to the relevant Contracted Processor(s);
e) The audit will be conducted at the sole cost of the Customer or the applicable Customer Entity (and not Levno or the Contracted Processor or any Levno Affiliate), unless the reasonable written conclusions of any audit are that any Contracted Processor is in material breach of this Addendum.
9. Return and destruction of Customer Personal Data
9.1 Upon the termination of Customer access to and use of the Service, Levno will, up to thirty (30) days following such termination, permit Customer to export their Customer Personal Data, at their expense, in accordance with the capabilities of the Service. Following such period, Levno shall have the right to delete all Customer Personal Data stored or Processed by Levno on behalf of Customer in accordance with Levno’s deletion policies and procedures, save to the extent that Levno is required by any Applicable Law to retain some or all of the Customer Personal Data. In such event Levno shall extend the protections of this Addendum to such Customer Personal Data and limit any further processing of such Customer Personal Data to only those limited purposes that require the retention for so long as Levno maintains the Customer Personal Data.
10. Liability
10.1 The liability provisions contained in the Principal Agreement will apply also to this Addendum other than to the extent that any Applicable Law requires otherwise and does not permit the parties to contract out of that requirement.
10.2 If and to the extent that any Customer Entity or any Contracted Processor or any Levno Affiliate becomes liable (by Court, Tribunal, Arbitration or other similar order from a competent authority with valid jurisdiction) to any Data Subject or other third party in respect of any breach of any Applicable Law then the obligations of each party stated in this Addendum shall be used to fairly and reasonably apportion the proportional bearing of that liability as between the relevant parties. If the parties are unable to reach agreement in this regard, apportionment shall be determined in accordance with the dispute resolution provisions of the Principal Agreement or if none, then as contained in this Addendum.
11. General Terms
11.1 The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.
11.2 This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement, subject always to the correct application of the Applicable Law as required by this Addendum.
11.3 In the event of any conflict between a provision of this Addendum and any provision contained in the Principal Agreement regarding the protection of Customer Personal Data, then the provision of this Addendum shall prevail.
11.4 Either party may by at least 30 (thirty) calendar days’ written notice to the other party from time to time:
a) suggest any variations to this Addendum in order to comply with any change to Applicable Law, including as a result of the decision of a competent authority under that Applicable Law; or
b) propose any other variations to this Addendum which either party reasonably considers to be necessary to address the requirements of any Applicable Law.
11.5 If notice is given under section 11.4, then each party shall promptly co-operate to ensure that equivalent variations are openly discussed and that all reasonable and necessary changes are made to this Addendum as a result.
11.6 Neither Customer nor Levno shall require the consent or approval of any Customer Affiliate or Levno Affiliate to amend this Addendum pursuant to clause 11.5 or otherwise.
11.7 Should any provision of this Addendum be deemed by a competent Court or other tribunal to be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.
APPENDIX 1 : DETAILS OF CUSTOMER PERSONAL DATA PROCESSED
Categories of Data Subjects
Customer-related Data Subjects will be adult farming or business persons who relate to the fulfilment of one or more of the following functions comprising the Services, the extent of which is determined by Customer at its sole discretion: Customer business owners, directors, managers, employees, contractors, agents and /or nominated 3rd parties to the extent permitted by the Customer.
Type of Personal Data
Customer or its End Users may submit Customer Personal Data to the Service, the extent of which is determined by Customer at its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Job Position Title
- Employer information
- Contact information (company, email, phone, physical business address)
- Business or farm site address location information
- Device data which could in certain circumstances constitute Personal Data
- Professional life data (if supplied by data subject)
- Personal life data (if supplied by data subject)
- Connection data
- Localisation data