Introduction
The protection of Personal Data is of critical importance to Fastmail
Pty Limited (ABN 31 142 646 580) (“Fastmail”).
This Data Protection Policy (“DPP”) sets out the
minimum requirements of Fastmail with respect to all of its customers
in relation to the processing of EU/UK individual Personal Data and
compliance with other applicable data protection laws
(“Data Protection Laws”).
This DPP comes/came into effect on 27 September 2021.
The change from our previous Data Protection Addendum is that
we have adopted the Standard Contractual Clauses published by the
European Commission on 4 June 2021 in EDPB EDPS Joint Option
2/2021[1] (“Clauses”) in place of the standard
contractual clauses previously published by the European Commission for
cross-border data transfers.
-
Section 1 deals with introductory matters and matters specific
to the Fastmail Service.
-
Section 2 sets out the Clauses where the
Customer is a Controller (Exporter) and Fastmail is a Controller
(Importer).
-
Section 3 sets out the Clauses where the
Customer is the Controller (Exporter) and Fastmail is a Processor
(Importer).
-
Section 4 sets out the Clauses where the
Customer is the Processor (Exporter) and Fastmail is a Processor
(Importer).
-
Section 5 sets out the Clauses where
Customer is a Processor (Exporter) and Fastmail is a Controller
(Importer).
The Appendix contains the Annexes referred to in the Sections.
This DPP aims to reproduce the Clauses as binding terms and, therefore,
omits some commentary and footnotes which appear in EDPB EDPS Joint Option
2/2021. For the avoidance of doubt and notwithstanding any other provision
of this DPP, the parties agreed to be bound by the Clauses applicable to
their relationship as a Controller or Processor as mandated by the in EDPB
EDPS Joint Option 2/2021 and to the extent guidance information or footnotes
from the Clauses are relevant to interpreting these clauses, they are deemed
included.
Definitions
In this DPP, the following terms will have the following meaning:
“Agreement” means the Fastmail Customer Terms of Service.
“Account Information” means the personal details provided for the
purpose of creating and maintaining a Fastmail account and, where the
account holder is the Customer, facilitating communications with Fastmail,
invoicing and payment. Account information also includes statistical and
technical information associated with the account such as log files (IP,
to/from email address) user access information (via web, or client).
“Applicable Laws” means:
-
European Union or Member State laws with respect to any Customer
Personal Data in respect of which Fastmail is subject to EU Data
Protection Laws; and
-
any other applicable law with respect to any Customer Personal Data
in respect of which Fastmail is subject to any other Data Protection
Laws; together with all guidelines and other codes of practice
issued by an applicable data protection regulator or supervisory
authority;
“Fastmail and/or its Subprocessor” means Fastmail or any of its
Subprocessors;
“Clauses” means the EU model contractual clauses set out in Sections 2,
3, 4 and 5, amended as indicated (in square brackets and italics);
“Communication Data” means all email communications (including all
embedded and attached files) sent and received by its Customers;
“Customer” and “you” refers to the counterparty to this DPP who is
acquiring the right to use the Service and includes each one of your
relevant affiliates (unless otherwise stated);
“Customer Affiliate” means an entity that owns or controls, is owned or
controlled by or is or under common control or ownership with Customer,
where control is defined as the possession, directly or indirectly, of the
power to direct or cause the direction of the management and policies of an
entity, whether through ownership of voting securities, by contract or
otherwise;
“Customer Group Member” means Customer or any Customer affiliate;
“Customer Personal Data” means Account Data and Communication Data
including any EU/UK individual Personal Data Processed;
“Data Protection Laws” means EU Data Protection Laws and, to the extent
applicable, the data protection or privacy laws of any other country;
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed
into domestic legislation of each Member State and as amended, replaced or
superseded from time to time, including by the GDPR and laws implementing or
supplementing the GDPR
“GDPR” means EU General Data Protection Regulation 2016/679;
“Restricted Transfer” means:
-
a transfer outside the EEA of Customer Personal Data from Fastmail
and/or its Subprocessor; or
-
an onward transfer of Customer Personal Data from Fastmail and/or
its Subprocessor to Fastmail and/or its Subprocessor (as applicable)
(e.g., Fastmail to its Subprocessor)
in each case, where such transfer would be prohibited by Data Protection
Laws (or by the terms of data transfer agreements put in place to address
the data transfer restrictions of Data Protection Laws) in the absence of
the Clauses to be established under this DPP.
For the avoidance of doubt, where a transfer of Personal Data is of a type
authorised by Data Protection Laws in the exporting country; for example, in
the case of transfers from within the European Union to the US under a
scheme approved by the EU Commission as ensuring an adequate level of
protection, or any other transfer which falls within a permitted derogation
under EU Data Protection Laws, such transfer will not be a Restricted
Transfer;
“Services” means the services and other activities to be supplied to or
carried out by Fastmail on behalf of Customer under your Agreement;
“Subprocessor” means any person (including any third party, but
excluding an employee of Fastmail or any of its sub-contractors) appointed
by or on behalf of Fastmail to process Personal Data received by Fastmail as
a Processor on behalf of Customer under your Agreement; and
The terms, “Commission”, “Controller”, “Data Subject”,
“Member State”, “Personal Data”, “Personal Data Breach”,
“Processing” and “Supervisory Authority” will have the same meaning
as in the GDPR, and their cognate terms will be construed accordingly.
The word “include” will be construed to mean include without limitation,
and terms will be construed accordingly.