An undertaking in the form of a deed poll that can be given by an employee in relation to confidential information of the Company (including personal data of any customers, clients and subscribers of the Company)

How this document can help you

Employers may face fines for misuse of personal data, including under the Privacy Act 1988 (Cth) and the EU General Data Protection Regulatio (GDPR), where applicable. This undertaking is designed to make employees aware of the necessity to treat personal data and other confidential information of the employer confidential.

The Notificable Data Breaches Scheme

All Australian entities caught by the provisions of the Australian Privacy Act, have since 22 February 2018 been subject to the Notifiable Data Breaches Scheme, that requires eligible data breaches to be notified, and other steps to be taken, where data breaches occur that are likely to result in serious harm. The assessment, remediation, notification and other processes that need to be carried out are significant as are the penalties for non-compliance with the new privacy regime (up to $2.1 million for corporations). Australian entities can therefore no longer turn a blind eye when it comes to preparing for and acting when notifiable data breaches occur. These new laws are notable for cloud service providers which ‘hold’ personal information. Under the Australian Privacy Act, Australian entities can ‘hold’ personal information by having the possession of that information through physical or electronic possession and may also ‘hold’ personal information through having control of it – for example by having the right or power to deal with the personal information (despite not physically possessing or owning the medium on which it is stored). It is likely that most cloud services providers will be deemed to ‘hold’ personal information stored on their physical or virtual computer servers.

The EU General Data Protection Regulation (GDPR)

To add to the regulatory red tape that the new Australian laws provide, from 25 May 2018, a new regulation is coming into effect known as the EU General Data Protection Regulation (GDPR). The GDPR, although a regulation of the European Union (EU), has far reaching consequences for Australian organisations that provide goods or services not only to EU citizens – but to any persons while they are in the European Union and when monitoring the behaviour of persons in the EU. Non-compliance with the GDPR carries with it even bigger penalties – the greater of 4% of a company’s annual global turnover and €20 million.

Common questions

When does the Notifiable Data Breaches Scheme come into effect?

It already has. It came into effect on 22 February 2018.

Does the GDPR apply to Australian cloud providers?

Article 3 of the GDPR makes it clear that the GDPR applies to organisations that provide goods or services not only to European Union (EU) citizens – but to any persons while they are in the European Union. It also applies to the monitoring of the behaviour of any persons in the EU. This includes many Australian cloud service providers, including data hosting providers, software-as-a-service (SAAS) and other online platform operators who typically permit access to their cloud services by persons from anywhere in the World with an internet connection, including from Europe.

When does the GDPR come into effect?

25 May 2018.

Does the GDPR really prevent cloud providers from engaging upstream hosting providers? 

Yes, unless the GDPR is complied with when engaging them.

How much free legal advice does this template come with?

This template comes with 15 minutes of free telephone legal advice from Arnotts Technology Lawyers. During this time, Arnotts will answer any questions they can about the template, to the extent possible within the 15 minutes allocated.