Fastmail Data Protection Policy

DATED: 27 Sept 2021

This Data Protection Addendum Policy came into effect on 27 Sept 2021. It was updated in line with the latest recommendations from the European Data Protection Board (EDPB) after the Schrems II ruling.

We maintain copies of our previous policies online for archive purposes.


Section 1: The Fastmail Service

  1. Introduction

    The protection of Personal Data is of critical importance to Fastmail Pty Limited (ABN 31 142 646 580) (“Fastmail”).

    This Data Protection Policy (“DPP”) sets out the minimum requirements of Fastmail with respect to all of its customers in relation to the processing of EU/UK individual Personal Data and compliance with other applicable data protection laws (“Data Protection Laws”).

    This DPP comes into effect on 27 September 2021.

    The change from our previous Data Protection Addendum is that we have adopted the Standard Contractual Clauses published by the European Commission on 4 June 2021[1] (“Clauses”) in place of the standard contractual clauses previously published by the European Commission for cross-border data transfers.

    • Section 1 deals with introductory matters and matters specific to the Fastmail Service.

    • Section 2 sets out the Clauses where the Customer is the Controller (Exporter) and Fastmail is the Controller (Importer).

    • Section 3 sets out the Clauses where Customer is the Processor (Exporter) and Fastmail is the Controller (Importer).

    • Section 4 sets out the Clauses where the Customer is the Controller (Exporter) and Fastmail is the Processor (Importer).

    • Section 5 sets out the Clauses where the Customer is the Processor (Exporter) and Fastmail is the Processor (Importer).

    The Appendix contains the Annexes referred to in the Sections.

  2. Meaning of Terminology

    We use a number of defined terms in this DPP which will have the meaning set out in clause 10 of Section 1. Capitalized terms not otherwise defined in this DPP will have the meaning given to them in your Agreement. Except where the context requires otherwise, references in this DPP to your Agreement are to your Agreement as amended by, and including, this DPP.

  3. Processing of Customer Personal Data

    1. Each Party will comply with its respective obligation under Data Protection Laws in the provision and receipt of the Services under the Agreement and this DPP.

    2. In the provision of the Services:

      1. Fastmail is a Data Controller in relation to Account Information.

        1. Where Fastmail receives Account Information that is EU/UK individual Personal Data from Customer and Customer is a Controller, Section 2 of this DPP applies Controller to Controller Clauses.

        2. Where Fastmail receives Account Information that is EU/UK individual Personal Data from Customer and Customer is a Processor, Section 3 of this DPP applies Processor to Controller Clauses.

      2. Fastmail is a Data Processor in relation to:

        1. Account Information associated with accounts under control of the Customer where the Customer is an account administrator for third parties, a corporation or a reseller; and

        2. Communications data,

          1. Where Fastmail receives this Account Information and Communications data that is EU/UK individual Personal Data from Customer and Customer is a Controller, Section 4 of this DPP applies Controller to Processor Clauses.

          2. Where Fastmail receives this Account information and Communications data that is EU/UK individual Personal Data from Customer and Customer is a Processor, Section 5 of this DPP applies Processor to Processor Clauses.

    3. Customer:

      1. instructs Fastmail (and authorises Fastmail to instruct each Subprocessor) to:

        1. Process Customer Personal Data; and

        2. Transfer Customer Personal Data to any country or territory,

        as reasonably necessary for the provision of the Services and consistent with your Agreement; and

      2. warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 3.3(a) on behalf of any Customer affiliate.

  4. Fastmail Personnel

    1. Fastmail will take reasonable steps to ensure that any of its (or its Subprocessors') employees, agents or contractors who have access to Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

    2. Customer will take all steps necessary, including without limitation providing appropriate fair collection notices and ensuring that there is a lawful basis for Fastmail (and its Subprocessors) to process Customer Personal Data, to ensure that the processing of Customer Personal Data by Fastmail (and its Subprocessors) in accordance with your Agreement is compliant with, and in accordance with, all Applicable Laws.

  5. Personal Data Breach

    1. Fastmail will, as soon as practical, upon becoming aware of a Personal Data Breach affecting Customer Personal Data, provide Customer with information (as and when available) to assist Customer in the Customer's endeavours to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

    2. Fastmail will co-operate with Customer and take such reasonable commercial and practicable steps as are directed by Customer to assist in the investigation, prevention (as applicable), mitigation and remediation of each Personal Data Breach.

  6. Deletion or return of Customer Personal Data

    1. Subject to clauses 6.3 and 6.4, in the event the Customer explicitly requests their account be closed, Fastmail will promptly and in any event within 14 days of the date of cessation of any Services involving the processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Data.

    2. Subject to Sections 6.3 and 6.4, in the event the Customer's account expires due to non-payment, Fastmail will between 30 days and 1 year of the date of cessation of any Services involving the processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Data. The exact timeframe is dependent upon how long the Customer had an active account.

    3. Subject to clause 6.4, Customer may by written notice to Fastmail prior to 14 days of the Cessation Date require Fastmail to:

      1. provide a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Fastmail; and

      2. delete and procure the deletion of all other copies of Customer Personal Data processed by Fastmail.

    4. Fastmail maintains a record of your Customer Personal Data as reasonably necessary to deliver the Service and maintain the integrity and security of our platform. Fastmail may not retain Customer Personal Data except to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Fastmail will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

  7. Data Subject identity verification

    A Data Subject wishing to exercise rights under this Policy must provide Fastmail with information reasonably requested to establish their identity and their relationship with the Personal Data that is the subject of their request.

  8. Restricted Transfers

    1. Subject to clause 8.2, the Customer (or relevant Customer affiliate) (as "Data Exporter") and each of Fastmail and/or its Subprocessors, as appropriate, (as "Data Importer") hereby enter into the clauses as applicable in accordance with clause 3.2 with effect

      1. on the later of:

        1. the Data Exporter becoming a party to them;

        2. the Data Importer becoming a party to them; and

        3. commencement of the relevant Restricted Transfer.

    2. Clause 8.1 will not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Laws.

  9. General Terms

    Order of precedence

    1. In the event of any conflict or inconsistency between this DPP and the Clauses, the Clauses shall prevail.

    2. Subject to clause 9.1, with regard to the subject matter of this DPP, in the event of inconsistencies between the provisions of this DPP and any other agreements between the parties, including your Agreement, the provisions of this DPP will prevail.

    Changes in Data Protection Laws

    1. This DPP may be varied and updated from time to time by Fastmail as a result of a change in Data Protection Laws, including any variation which is required to the Clauses.

    Severance

    1. Should any provision of this DPP be invalid or unenforceable, then the remainder of this DPP will remain valid and in force. The invalid or unenforceable provision will be either:

      1. amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible;

      2. construed in a manner as if the invalid or unenforceable part had never been contained in this DPP.

  10. Definitions

    In this DPP, the following terms will have the following meaning:

    “Agreement” means the Fastmail Customer Terms of Service.

    “Account Information” means the personal details provided for the purpose of creating and maintaining a Fastmail account and, where the account holder is the Customer, facilitating communications with Fastmail, invoicing and payment. Account information also includes statistical and technical information associated with the account such as log files (IP, to/from email address) user access information (via web, or client).

    “Applicable Laws” means:

    1. European Union or Member State laws with respect to any Customer Personal Data in respect of which Fastmail is subject to EU Data Protection Laws; and
    2. any other applicable law with respect to any Customer Personal Data in respect of which Fastmail is subject to any other Data Protection Laws; together with all guidelines and other codes of practice issued by an applicable data protection regulator or supervisory authority;

    “Fastmail and/or its Subprocessor” means Fastmail or any of its Subprocessors;

    “Clauses” means the EU model contractual clauses set out in Sections 2, 3, 4 and 5, amended as indicated (in square brackets and italics);

    “Communication Data” means all email communications (including all embedded and attached files) sent and received by its Customers;

    “Customer” and “you” refers to the counterparty to this DPP who is acquiring the right to use the Service and includes each one of your relevant affiliates (unless otherwise stated);

    “Customer Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

    “Customer Group Member” means Customer or any Customer affiliate;

    “Customer Personal Data” means Account Data and Communication Data including any EU/UK individual Personal Data Processed;

    “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

    “EEA” means the European Economic Area;

    “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

    “GDPR” means EU General Data Protection Regulation 2016/679;

    “Restricted Transfer” means:

    1. a transfer outside the EEA of Customer Personal Data from Fastmail and/or its Subprocessor; or
    2. an onward transfer of Customer Personal Data from Fastmail and/or its Subprocessor to Fastmail and/or its Subprocessor (as applicable) (e.g., Fastmail to its Subprocessor)

    in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Clauses to be established under this DPP.

    For the avoidance of doubt, where a transfer of Personal Data is of a type authorised by Data Protection Laws in the exporting country; for example, in the case of transfers from within the European Union to the US under a scheme approved by the EU Commission as ensuring an adequate level of protection, or any other transfer which falls within a permitted derogation under EU Data Protection Laws, such transfer will not be a Restricted Transfer;

    “Services” means the services and other activities to be supplied to or carried out by Fastmail on behalf of Customer under your Agreement;

    “Subprocessor” means any person (including any third party, but excluding an employee of Fastmail or any of its sub-contractors) appointed by or on behalf of Fastmail to process Personal Data received by Fastmail as a Processor on behalf of Customer under your Agreement; and

    The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” will have the same meaning as in the GDPR, and their cognate terms will be construed accordingly.

    The word “include” will be construed to mean include without limitation, and terms will be construed accordingly.


  [1] EDPB EDPS Joint Opinion 2/2021 on the European Commission’s Implementing Decision on standard contractual clauses for the transfer of personal data to third countries for the matters referred to in Article 46(2)(c) of Regulation (EU) 2016/679.