You're on our Australia website
×
small logo
Group
Group

Employment Operating System

Start free
Request a demo

Hiring

Hire staff now

START FREE

Get instant access to talent. Skip job ads, save time and cut hiring costs

All-in-one hiring solution

Curated talent shortlists, AI hiring automation and more

Applicant Tracking System

Manage open roles, interviews and onboard in a few clicks

SmartMatch

Hire smarter with salary insights and candidate matches for every role

Employer of record

Hire the best talent across 150+ countries

HR and Payroll

Core HR

Manage employee data, compliance, and critical HR tasks in one place

Time & attendance

Automate and sync time tracking, timesheets, and rostering

HR advisory & representation

Expert-led advice, compliance checks, and representation in claims

Intelligent Payroll

Manage all payroll tasks from one place with AI-powered automation

Insights & analytics

Make data-driven decisions with easy reporting and dashboards

Employee Experience

Mobile app

Roll work, pay, savings, and benefits into one employee superapp

Learning

A comprehensive collection of courses tailored to your business

Benefits & perks

Engage and retain employees with platinum-level perks and benefits

Earned Wage Access

Give your team instant access to their pay, as soon as they earn it

Employee Assistance Program

Support employee wellbeing with a confidential support service

FEATURED

Why EmploymentOS?

Why EmploymentOS?

Intelligent tools to simplify operations
See Pricing
See all products
Case studies
Industry solutions
Integrations
Resources
Support

Employment Operating System

Become a partner

Hr & Payroll Partners

Join the partner network

Explore HR and Payroll partnership opportunities for your business

Referral partners

Get rewarded for referring Employment Hero solutions

Strategic Partners

Become a strategic partner

Build a high-impact partnership with Employment Hero

Superannuation partners

Streamline your super services with Hero Super

Partner Resources

Partner directory

Streamline payroll, HR and more with our trusted business partners

Learning

See how our partners solve employment for their clients

Hero Foundation

Supporting people into work
See Pricing
Industry solutions
Integrations
Hero Foundation

Employment Operating System

Manage Your Work

Work admin, sorted

Leave requests, timesheets, money and work perks, all in one easy app

Connect with your team

Celebrate wins, shoutout your teammates and stay across updates

Learning & development

Complete critical training, set personal goals and grow your career

Employee Perks

Earned Wage Access

Access your money as soon as you’ve earned it. No more waiting for payday

Offers and cashback

Save on essentials and earn cashback on day-to-day spending

Wellbeing

Build wellness at work with our Employee Assistance Program

From Anywhere

Employment Hero work app

Download the app to manage work, pay and perks on the go

Desktop login

Manage HR tasks, training and work admin from the web
Download the app

Employment Hero Work app

Download today and start saving
Resources
Support

Employment Operating System

Find a job

Find Your Next Role

Jobs find you

Find work faster with job matching and off-market opportunities

Explore open roles

Browse and apply to open jobs with 300K+ employers

Prep For Your Next Role

Benchmark your salary

See how much you should be getting paid with real-time salary insights

Job hunting tips and tricks

Make finding work easier with these resources, videos and interviews

From Anywhere

Employment Hero jobs site

Sign up and get matched to roles that suit your skills and experience

Employment Hero jobs app

The place to find casual retail and hospitality roles on the go
Get started

Employment Hero Jobs

Find your next role, today
Resources
Support

Data Processing Addendum

These are our data processing terms that apply between Employment Hero and the Customer

Contents

Overview

Background

1. Definition

1.1 Clarifications for this DPA

2. Data processing terms

2.1 General data processing terms

2.2 Sub-Processors

2.3 International transfer mechanisms

2.4 Data Breach

2.5 Audits and inspections

2.6 Return or deletion of Personal Data

2.7 Limitation on liability

2.8 Other general terms

Schedule 1 – Data Processing Information

Nature and purpose of processing operations

Categories of data subject

Categories of data

Categories of Personal Data

Special Categories of Personal Data

Duration of Processing

Schedule 1 – Data Processing Information

Nature and purpose of processing operations

Categories of data subject

Categories of data

Categories of Personal Data

Special Categories of Personal Data

Duration of Processing

Schedule 2 – Technical and Organisational Measures

Schedule 3 – Annexes to the EU SCCs and Appendices to the UK SCCs

Annex I/ Appendix 1:

A: List of parties

B: Description of transfers

C: Competent supervisory authority

Annex II/ Appendix 2: Technical and organisational measures

Annex III of the EU Standard Contractual Clauses

Overview

This Data Processing Addendum is current as of 19 July 2024 and explains our data processing activities carried out as a Data Processor on behalf of our Customers.

Previous versions of this document can be found here.

Background

This Data Processing Addendum (‘DPA‘) forms part of the agreement between Employment Hero (and its Affiliates including Employment Innovations entities) (‘us‘, ‘we‘, or ‘our‘) and our Customers (‘you’ or ‘your‘). It reflects our agreement with you regarding the processing of your Customer Personal Data and acts as an addendum to the Employment Hero Platform Terms and Conditions, and/or any other terms and conditions that you agree to when receiving Services from us (the ‘Agreement‘).

When you enter into the Agreement, including this DPA, you do so to receive our Services, including the use of the Employment Hero Platform and/or the Employment Hero Work app.

1. Definition

In this DPA:

Affiliates means any corporation or other business entity controlling, controlled by or under common control with Employment Hero Pty Ltd. A current list of Affiliates is available here;

Applicable Law means all laws, regulations, orders, rules, judgments, directives, industry agreements or determinations in force from time to time applicable to a party and relevant to the Agreement or this DPA, including, without limitation the GDPR, the UK GDPR, Privacy Act 1988 (Cth), Personal Information Protection and Electronic Documents Act (PIPEDA), and Privacy Act 2020;

Customer means you, the specific party which has entered into the Agreement with us;

Customer Personal Data means Personal Data in respect of which you are the Data Controller, and we are the Data Processor; but which excludes Personal Data processed by us when acting as a Data Controller;

Data Breach means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data;

Data Controller means the entity which alone or jointly with others determines the purposes and means of processing of Personal Data, it will be interpreted in accordance with the GDPR and the UK GDPR;

Data Processor means an entity which processes Personal Data on behalf of a Data Controller, it will be interpreted in accordance with the GDPR and the UK GDPR;

Data Protection Law means the GDPR, the UK GDPR, Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, any other privacy and data protection laws that may be applicable to the parties (including data privacy laws that are specific to the region in which you or our relevant Affiliate entity is based like Australia, Canada, and New Zealand), and any amendments to or replacements of such laws and regulations;

Data Subject has the meaning given to it in the GDPR and the UK GDPR;

EEA means the European Economic Area;

GDPR means in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679; and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union;

Employment Hero means Employment Hero Pty Ltd, Employment Hero (UK) Ltd or the relevant Employment Hero Affiliate in your region (like New Zealand or Canada) which has entered into the Agreement with you for the provision of the Services;

Personal Data means any information relating to an identified or identifiable natural person and an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing has the meaning given to it in Data Protection Law (the ‘GDPR’ and the ‘UK GDPR’) and ‘process’, ‘processes’ and ‘processed’ will be interpreted accordingly;

Relevant Country means all countries other than those (a) within the EEA and (b) countries in respect of which an adequacy finding under Article 25(6) of the European Data Protection Directive or Article 45 of the GDPR has been given;

Services means the provision of cloud-based and artificial intelligence powered human resources and payroll software services, EH Jobs app, Managed Payroll services, Global Teams Employer of Record services where we act on behalf of our Customer, Applicant Tracking System (ATS), financial services products, and/or other products and services provided by us and/or our Affiliates under the Agreement through our websites, platforms and apps where we act in the capacity of a Data Processor;

Standard Contractual Clauses mean:

  1. in respect of EU Personal Data, the EU Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 and made available on the European Commission website (or any replacement publication made on the website), including the text from modules two and three of such clauses and not including any clauses marked as optional (‘EU Standard Contractual Clauses’);
  2. in respect of UK Personal Data:
    • 2.1 the International Data Transfer Addendum to the EU Standard Contractual Clauses (‘UK Addendum‘) made available on the ICO website (or any replacement publication made on the website), issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 but, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
      • 2.1.1 the details of the parties in table 1 of the UK Addendum will be as set out in Schedule 3 (with no requirement for signature);
      • 2.1.2 for the purposes of table 2 of the UK Addendum, the UK Addendum will be appended to the EU Standard Contractual Clauses (including the selection of modules and non-application of optional clauses as noted above); and
      • 2.1.3 the appendix information listed in table 3 of the UK Addendum is set out in Schedule 3.

Employment Hero Work app means the mobile application and its services provided to you (Customers and Users).

Sub-Processor means any entity which is engaged by us or by any other sub-processor of ours who may access or process Customer Personal Data;

UK GDPR means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);

User means individual users of the Services including employees of your organisation.

1.1 Clarifications for this DPA

1.1.1 any words following the terms “like”, “include”, “for example” or any similar expression will be construed as illustrative and will not limit the sense of the words, description, definition, phrase or term preceding those terms;

1.1.2 references to Clauses and Schedules are, unless otherwise stated, references to the clauses of, and schedules to, this DPA; and

1.1.3 references to this DPA or any other agreement or document are to this DPA or such other agreement or document as it may be varied, amended, supplemented, restated, renewed, novated, or replaced from time to time.

2.Data processing terms

2.1 General data processing terms

2.1.1 Roles of the parties: You are the Data Controller and we are the Data Processor of the Customer Personal Data. We require certain Personal Data to set up and manage your account on our platforms and apps and to provide Services under the Agreement. We may also provide specific services and support relating to individuals where we determine the purposes for which, and means in which, the Personal Data is processed, and in these cases, we will process Personal Data as a Data Controller.

2.1.2 Scope of this DPA: This DPA only applies to the processing of Customer Personal Data by us in connection with the Services under the Agreement. The categories of Data Subjects and types of Customer Personal Data processed are set out in Schedule 1 of this DPA. Customer Personal Data is processed for the purpose of providing the Services and other purposes as identified in Schedule 1 of this DPA. We may process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by Applicable Law).

2.1.3 Legal compliance obligation: Each party agrees that in relation to this DPA, it is compliant with, and will remain compliant with all Applicable Law. You will make sure that you have provided notice to Data Subjects of the data processing activities carried out under this DPA. If you are based in UK and/or EU, then you will make sure that there is a valid lawful basis under the UK GDPR and/or GDPR for all Customer Personal Data that is disclosed in connection with the Agreement for the data processing activities envisaged by the Agreement.

2.1.4 Our rights and responsibilities: Other than for anything to the contrary in the Agreement, in relation to Customer Personal Data, we will:

  1. process Customer Personal Data only in accordance with your instructions as established in the Agreement or as you have provided to us in writing from time to time, given that these instructions are reasonable and subject to our right to charge additional sums at our current rates should the scope of the agreed services be exceeded. In addition to this, we may:
    1. process Customer Personal Data as required under Applicable Law and take reasonable steps to inform you of such a requirement before processing the data, unless the law prohibits this; and
    2.  process Customer Personal Data when analysing and/or providing support in relation to the Services, and carrying out measures to further develop and improve the Services for our customer base as a part of the ongoing delivery of Services, provided that necessary safety measures are put in place as may be required by Applicable Law;
  2. promptly notify you, if in our opinion, an instruction given to us by you infringes Data Protection Law;
  3. where applicable, make sure that access to Customer Personal Data is given to our (or our Sub-Processors’) personnel who are contractually bound to respect the confidentiality of this type of Customer Personal Data;
  4. implement appropriate technical and organisational measures to protect against unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. These measures will be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage, or theft of Customer Personal Data, and having regard to the nature of the Customer Personal Data which is to be protected and is set forth in Schedule 1 of this DPA. You acknowledge that we may change the security measures through the adoption of new or enhanced security technologies, and you authorise us to make such changes provided that they do not materially diminish the level of protection. We make information about our most up-to-date security measures applicable to the Services available here;
  5. at your reasonable request and at your cost, to the extent that this is possible, assist you with your obligations to respond to requests from Data Subjects of Customer Personal Data looking to exercise their rights under Data Protection Law (to the extent that the Customer Personal Data is not accessible to you through the Services provided under the Agreement);
  6. at your reasonable request and at your cost, taking into account the nature of the processing and the information available to us, assist you with your obligations under Articles 32 to 36 of the GDPR; and
  7. at your written request, delete or return to you any Customer Personal Data within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Law requires storage of the Customer Personal Data.

2.1.5 Data storage: Personal Data that we hold will be stored and managed on secure data centres by our third-party storage provider. You can find out more about locations in which we store your data in our Privacy Policy.

2.2 Sub-Processors

2.2.1 Appointment of Sub-Processors: You agree that we may transfer Customer Personal Data or give access to Customer Personal Data to Sub-Processors for the purposes of providing the Services or other purposes identified in Schedule 1 of this DPA, provided that we comply with our requirements under this section of the DPA. We will remain responsible for our Sub-Processor’s compliance with the obligations of this DPA. We will make sure that any Sub-Processors, to whom we transfer Customer Personal Data, enter into written agreements with us requiring them to agree to terms no less protective, in any material respect, than this DPA.

2.2.2 List of current Sub-Processors and notice of updates to the list: A current list of Sub-Processors is available here and is deemed to be pre-approved by you. We can at any time and without justification either appoint a new Sub-Processor, or remove or change an existing Sub-Processor. If you subscribe for updates in regard to the Sub-Processor list by emailing privacy@employmenthero.com, you will be given prior written notice of additions to the Sub-Processor list by email, or via the Employment Hero Platform and the Employment Hero Work app. We recommend that you occasionally check our website, platforms, or apps for communications concerning updates to the Sub-Processor list.

2.2.3 Objections to Sub-Processors: If you do not legitimately object to changes to the Sub-Processor list within 30 days’ of being notified of a new Sub-Processor, the Sub-Processor list update is considered to be approved by you. Legitimate objections to the Sub-Processor list update must contain reasonable and documented data protection grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Law. In the event that you reasonably object to a new Sub-Processor, we will use reasonable efforts to make available to you a change in the Services or recommend a commercially reasonable change to your use of the Services. This will be done to avoid processing of Personal Data by the new Sub-Processor to whom you object without unreasonably burdening you. If we are unable to make these types of changes available to you within within a reasonable period of time, which will not exceed 60 days, you may, subject to the terms of the Agreement, terminate the applicable Services, which cannot be provided by us without the use of the objected-to new Sub-Processor with written notice to us.

2.2.4 Access to our agreements with Sub-Processors: We may, at our discretion, provide you with a copy of our agreements with Sub-Processors (subject to redaction of any confidential information and this being reasonable for us to do). These copies may be provided by us in a manner to be determined by us, only upon the written request by you via email to privacy@employmenthero.com, and at your sole expense.

2.3 International transfer mechanisms

2.3.1 If you are a EU or UK Customer, you acknowledge that, in relation to providing the Services, Customer Personal Data may be transferred to, or accessed from Australia or another Relevant Country. Where such transfer occurs, the Standard Contractual Clauses as specified in Schedule 3 of this DPA will apply and be incorporated as part of this DPA, with application of the UK Addendum for UK Customers.

2.3.2 We will not, and will make sure that none of our Affiliates or contractors, transfer, access or use EU or UK Personal Data in a Relevant Country other than in compliance with the terms of this DPA and the Standard Contractual Clauses (and as amended by the UK Addendum, where applicable). You agree to authorise the international transfers in application of Schedule 3, and the parties agree to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this DPA, with you as the ‘data exporter’ and us as the ‘data importer’, with the parties signature and dating of the Agreement being deemed to be the signature and dating of the Standard Contractual Clauses and with the Annexes and/or Appendices to the Standard Contractual Clauses being as set out in Schedule 3 to this DPA.

International Data Transfers Out Of The EEA, UK And/Or SwitzerlandObligations
Customer (as Controller) to Employment Hero Affiliate (EEA, and/or Switzerland to Relevant Countries)If we (acting as a Processor) are based outside of the EEA, United Kingdom and/or Switzerland, and transfer of Customer Personal Data is made by you out of the EEA, United Kingdom and/or Switzerland to our Affiliates located in Relevant Countries, this transfer will be governed by Module Two (Controller-to-Processor) of the Standard Contractual Clauses, if you act as a Controller.
Customer (as Processor) to Employment Hero Affiliate (EEA, and/or Switzerland to Relevant Countries)If we (acting as a Processor) are based outside of the EEA, United Kingdom and/or Switzerland, and transfer of Customer Personal Data is made by you out of the EEA, United Kingdom and/or Switzerland to our Affiliates located in Relevant Countries, this transfer will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses, if you act as a Processor. 
Customer to Employment Hero Affiliate (United Kingdom to Relevant Countries)Transfers of Customer Personal Data out of the United Kingdom to our Affiliates (acting as sub-processors) located in Relevant Countries, will be governed by the applicable Module of the Standard Contractual Clauses as described in the two columns above (amended by the UK Addendum).
Employment Hero to Employment Hero Affiliate (United Kingdom to Relevant Countries)If we (acting as a Processor) are based within the United Kingdom, transfers of Customer Personal Data out of the United Kingdom to our Affiliates (acting as sub-processors) located in Relevant Countries, will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses as amended by the UK Addendum.
Employment Hero to Employment Hero Affiliate (EEA and/or Switzerland to Relevant Countries)If we (acting as a Processor) are based within the EEA, and/or Switzerland, transfers of Customer Personal Data out of the EEA, and/or Switzerland to our Affiliates (acting as sub-processors) located in Relevant Countries, will be governed by Module Three (Processor-to-Processor) of the Standard Contractual Clauses.
Employment Hero to Sub-Processor Transfers of Customer Personal Data out of the EEA, United Kingdom and/or Switzerland to our third-party Sub-Processors will be governed by data processing agreements, incorporating the Standard Contractual Clauses (as amended by the UK Addendum where applicable), that have been executed by us at a global level with the third-party Sub-Processors.

2.3.3 For the purposes of the EU Standard Contractual Clauses, the following will apply:

  1. Clause 9 OPTION 2: where applicable, general written authorisation will be required for the engagement of new Sub-Processors, subject to clause 2.2 of this DPA;
  2. Clause 17 (Governing law): the clauses will be governed by the laws of the Republic of Ireland; and
  3. Clause 18 (Choice of forum and jurisdiction) the courts of the Republic of Ireland will have jurisdiction

2.3.4 In the event that you give us consent to transfer Personal Data to a Relevant Country but a relevant European Commission decision or other valid adequacy method under applicable Data Protection Legislation, on which you have relied on in authorising the data transfer, is held to be invalid, or that any supervisory authority requires transfers of Personal Data made pursuant to such decision to be suspended, then the parties agree to discuss in good faith and facilitate use of an alternative transfer mechanism.

2.3.5 For transfer of Customer Personal Data out of countries other than the EEA, United Kingdom and/or Switzerland, we will meet its obligations under Applicable Laws when carrying out these transfers.

2.4 Data Breach

2.4.1 We will notify you in writing (including via email), without undue delay, if we become aware of a Data Breach that impacts you and requires notice to you under Applicable Law. We will take steps, within a reasonable timescale, to remedy the Data Breach and provide further information to you as may be reasonably required.

2.4.2 We will make reasonable efforts to identify the cause of any Data Breach and take steps as we deem necessary and reasonable to remediate the cause of the Data Breach to the extent the remediation is within our reasonable control.

2.4.3 Our assistance under this clause which exceeds any obligations set out by Applicable Law will be chargeable, as incurred, at our current rates unless you demonstrate that that type of assistance is required because of a failure by us to comply with our obligations under this DPA.

2.4.4 The obligations under this clause will not apply to Data Breach that are caused by you or your personnel.

2.5 Audits and inspections

2.5.1 To the extent required by Applicable Law, and upon written request from you within reasonable intervals between each request and at your cost and expense, we will, audit the security of our processes and computing environment that we use in handling Customer Personal Data. This audit will be performed no more than once annually and it may be performed by independent third-party security professionals as chosen by us (in which case such choice is made at our expense). In the event that we have recently acted in respecting such rights for another customer, or undergone any type of audit that would provide the relevant information needed by you, we will provide you with a summary of those recent audit results.

2.5.2 We will respond, no more frequently than annually, to any reasonable security questionnaire provided by you which seeks to assist your assessment of our compliance with the security obligations under this DPA and which may be applicable to the Services. The responses to these questionnaires and any supporting evidence provided by us will be considered confidential information.

2.5.3. If you want to change this instruction regarding exercising the audit rights or the provision of information to demonstrate compliance with Article 28 of the GDPR, then you have the right to change this instruction to the extent required to ensure compliance, which must be requested in writing via email to privacy@employmenthero.com, in which case we will have no obligation to provide commercially confidential information.

2.6 Return or deletion of Personal Data

2.6.1 At the end of the Services, at your written request, we must securely destroy, or return Customer Personal Data to you, and delete existing copies unless Applicable Law requires storage of such Customer Personal Data.

2.6.2 We may provide written a certification of deletion regarding deletion of your Customer Personal Data if you request it in writing via email to privacy@employmenthero.com, and only provided that you have a right to receive a certification of deletion under Applicable Law.

2.7 Limitation on liability

2.7.1 The parties acknowledge and agree that our total cumulative liability, together with our Affiliates, arising out of or in relation to this DPA is subject to the liability sections of the Agreement (namely the applicable sections of the Employment Hero Platform Terms and Conditions and/or any other specified terms and conditions of an Agreement entered into between you and us).

2.7.2 Our and our Affiliates’ total liability for all claims from you and all of your affiliates arising out of or in relation to the Agreement and the DPA, will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by you and your Affiliates, and will not be understood to apply individually and severally to you and/or to any of your affiliates that is a contractual party to any such DPA.

2.8 Other general terms

2.8.1 Conflict: In the event of any conflict or inconsistency between the body of this DPA and any of its Schedules (not including the specifications of the Standard Contractual Clauses), and the Standard Contractual Clauses specified in Schedule 3, the Standard Contractual Clauses will prevail (unless this would result in the invalidity of this DPA under Data Protection Laws (in which case the relevant term(s) of this DPA will prevail).

2.8.2 Changes to this DPA: We reserve the right to make any updates or changes to this DPA to reflect changes in our Services, information practices, operational requirements, or changes to laws and regulations. You should periodically review this DPA to see any amendments that have been made. If we make any significant changes to this DPA, we may provide notice to you via email or by other means of communication like in-platform or in-app notifications.

Schedule 1 – Data Processing Information

Nature and purpose of processing operations

The nature of processing is the collection, recording, organisation, storage, adaptation, use, disclosure, or transfer of Customer Personal Data.

The Customer Personal Data will be processed for the purpose of providing, and further improving the Services provided by us. This primarily includes the provision of:

  • Employment Hero HR and Payroll platform,
  • Managed Payroll services;
  • Applicant Tracking System; and
  • Global Teams Employer of Record services (if we act as a Processor)

Categories of data subject

You (the Customers), Users and other persons authorised to use the Services by Customer of the Services provided by us and our Affiliates.

Categories of data

This data primarily includes data relevant for processing carried out in the provision of the Services including:

Categories of Personal Data

  • Business account information including business name and details, logos and information relating to representatives of the business;
  • Individual account information including name, date of birth, age, gender, sex, marital status, profile photo;
  • Contact information including residential and/or postal address, email address, telephone number, and social media handles;
  • Payroll information including information relating to payroll processing, salary and other compensation, timesheets and bank account information;
  • General business information including information relating to employees’ and the businesses goals, accomplishments, training and development, awards and performance, feedback and reviews, onboarding and offboarding details, and implementation process information;
  • Employment related information including occupation or job title, information relating to current and former employers, key dates relating to the current role and/or past roles, superannuation information, salary and/or pension details including documents such as payslips and payment summaries, timesheets, performance reviews and workplace engagement information, workplace issues and incident information citizenship and visa status for work eligibility purposes, emergency contact information, and tax information;
  • Recruitment related information including job vacancy details, profile photo, company details relevant to the job posting such as work location and contact emails, and the name and contact details of any personnel involved in the recruitment process; and
  • Job application related information including name, contact email, job seeker profiles, CV, cover letter, profile photo, work preferences, salary expectations, education history, work history, qualifications, languages, and references.

Special Categories of Personal Data

  • You or users of the Services may submit Special Category Personal Data to the platform or app at their discretion, or we may collect such data with prior consent for the purpose of providing its Services to you or relevant end-users. 
  • This data primarily includes:
    • sensitive information provided in compliance documentation stored on the Services by you or end-users;
    • ID documents and information provided within such documents that may include details about ethnicity or race, religious beliefs;
    • health information such as disability information, health status relevant to administration of long-term disability or other medical benefit programs, vaccination history, medical reports, return or work/adjustment reports and workplace injury reports; and
    • work eligibility information such as immigration status, visa status and details, and criminal history and background.

Duration of Processing

We will process Customer Personal Data for the duration of the Agreement (or longer to the extent permitted by Applicable Law).

Schedule 2 – Technical and Organisational Measures

The Technical and Organisational Measures are detailed in our Security Centre and Security Portal.

The Customer Personal Data will be processed for the purpose of providing, and further improving the Services provided by us. This primarily includes the provision of:

Schedule 3 – Annexes to the EU SCCs and Appendices to the UK SCCs

Annex I/ Appendix 1:

A: List of parties

Data exporter:

Name: Customer

Activities relevant to the data transferred under these Clauses: Provision of the Services, all data processing categorised as ‘C2P’ where the Controller is located inside, and the Processor is located outside the EU/EEA or the UK.

Role (controller/processor): controller

Data importer:

Name: Employment Hero

Address: Set forth in the applicable Customer Services Agreement

Contact email: privacy@employmenthero.com

Activities relevant to the data transferred under these clauses: Provision of the Services and all data processing categorised as ‘C2P’, where the Controller is located inside, and the Processor is located outside the EU/EEA or the UK.

Role (controller/processor): processor

B: Description of transfers

MODULE TWO: CONTROLLER TO PROCESSOR

Nature of Processing: See Schedule 1 above..

Purpose of Processing: See Schedule 1 above.

Categories of Data Subjects: See Schedule 1 above.

Categories of Personal data Transferred: See Schedule 1 above.

Sensitive data transferred (if applicable): See Schedule 1 above.

Frequency of transfer: Continuous.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU standard contractual clauses only): in accordance with relevant data retention/deletion obligations.

For transfers to sub- processors, the subject matter, nature and duration of the processing (EU standard contractual clauses only): As set out in Schedule 1.

C: Competent supervisory authority

Irish Data Protection Commission

21 Fitzwilliam Square

South Dublin 2

Republic of Ireland

D02 RD28

dpo@dataprotection.ie

Annex II/ Appendix 2: Technical and organisational measures

Data importer has implemented and will maintain appropriate technical and organisational measures to protect Customer Personal Data (as defined in the DPA) against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, Personal Data. The measures described in Schedule 2 of the DPA are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.

Annex III of the EU Standard Contractual Clauses

List of Sub-Processors

You can find a list of all Employment Hero Sub-Processors here.

List of Employment Hero Affiliates

Republic of Ireland

You can find a list of all Employment Hero Affiliates here.

Company

About us

Careers

Become a partner

Media Centre

Get in Touch

Contact Us

Sales

HR Login

Support

Service Centre

Help Centre

Implementation Hub

Pick your region

Australia

New Zealand

United Kingdom

Singapore

Malaysia

Canada

Product

Products

Solutions

Integrations

Quick Demos

Employment Hero work app

Connect