Data Processing Agreement

Between

The data controller using TimeGuru.net 
(Henceforth as the data controller or the customer)

and

The data processor

TimeGuru A/S
CVR 38476270
Lille havelsevej 110
3310 Ølsted
Denmark

(Henceforth as the data processor or TimeGuru)

Content

  1. Table of Contents
  2. Background of the data processing agreement
  3. The data controller’s obligations and rights
  4. The data processor acts according to instructions
  5. Confidentiality
  6. Processing security
  7. Use of sub-processors
  8. Transfer of information to third countries or international organizations
  9. Assistance to the data controller
  10. Notification of breaches of personal data security
  11. Deletion and return of information
  12. Supervision and audit
  13. Agreements between the parties on other matters
  14. Commencement and termination
  15. Contact persons/contact points for the data controller and the data processor
  • Appendix A – Information on the processing
  • Appendix B – Conditions for the data processor’s use of sub-processors
  • Appendix C – Subject of the processing/instructions

2. Background of the data processing agreement

1. This agreement sets forth the rights and obligations that apply when the data processor processes personal data on behalf of the data controller.

2. The agreement is designed to ensure the parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.

3. The data processor’s processing of personal data is carried out to fulfill the parties’ “main agreement”: the current subscription agreement.

4. The data processing agreement and the “main agreement” are interdependent and cannot be terminated separately. However, the data processing agreement can be replaced by another valid data processing agreement without terminating the “main agreement.”

5. This data processing agreement takes precedence over any similar provisions in other agreements between the parties, including the “main agreement.”

6. This agreement includes three appendices. The appendices function as an integral part of the data processing agreement.

7. Appendix A of the data processing agreement contains detailed information about the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects, and the duration of the processing.

8. Appendix B of the data processing agreement contains the data controller’s conditions for the data processor’s use of any sub-processors, as well as a list of any sub-processors that the data controller has approved.

9. Appendix C of the data processing agreement contains detailed instructions on the processing that the data processor must carry out on behalf of the data controller (the subject of the processing), the minimum security measures that must be observed, and how the data processor and any sub-processors are supervised.

10. The data processing agreement and its associated appendices are stored in written form, including electronically, by both parties.

11. This data processing agreement does not release the data processor from obligations that are directly imposed on the data processor by the General Data Protection Regulation or any other legislation.

3. The data controller’s obligations and rights

1. The data controller is fundamentally responsible to the outside world (including the data subject) for ensuring that the processing of personal data is carried out within the framework of the General Data Protection Regulation and the Data Protection Act.

2. The data controller therefore has both the rights and obligations to make decisions about the purposes and the means by which processing may be carried out.

3. The data controller is, among other things, responsible for ensuring that there is legal authority for the processing that the data processor is instructed to carry out.

4. The data processor acts according to instructions

1. The data processor may only process personal data according to documented instructions from the data controller, unless required by EU law or the national law of member states to which the data processor is subject; in such cases, the data processor shall inform the data controller of this legal requirement before processing, unless the respective law prohibits such notification on important grounds of public interest, cf. Article 28, Section 3, point a.

2. The data processor shall immediately inform the data controller if, in the data processor’s opinion, an instruction is contrary to the General Data Protection Regulation or data protection provisions in other EU law or the national law of member states.

5. Confidentiality

1. The data processor ensures that only currently authorized persons have access to the personal data processed on behalf of the data controller. Therefore, access to the data shall be immediately revoked if the authorization is withdrawn or expires.

2. Only persons for whom it is necessary to have access to the personal data to fulfill the data processor’s obligations to the data controller may be authorized.

3. The data processor ensures that the persons authorized to process personal data on behalf of the data controller have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

4. The data processor must, upon request from the data controller, be able to demonstrate that the relevant employees are subject to the aforementioned duty of confidentiality.

6. Processing Security

1. The data processor implements all measures required under Article 32 of the General Data Protection Regulation, which, among other things, states that appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to the risks, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.

2. The above obligation means that the data processor must conduct a risk assessment and subsequently implement measures to address identified risks. These measures may include, among others, the following, depending on what is relevant:

a. Pseudonymization and encryption of personal data.
b. Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
c. Ability to timely restore the availability of and access to personal data in the event of a physical or technical incident.
d. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security.

3. In relation to the above, the data processor must, in all cases, at a minimum implement the security level and measures specified in more detail in Appendix C of this agreement.

4. Any regulation/agreement between the parties regarding remuneration or similar in connection with the data controller’s or data processor’s subsequent requests for the establishment of additional security measures will be outlined in the parties’ “main agreement” or in Appendix D of this agreement.

7. Use of Sub-Processors

1. The data processor must comply with the conditions referred to in Article 28, Sections 2 and 4 of the General Data Protection Regulation to make use of another data processor (sub-processor).

2. The data processor may not use another data processor (sub-processor) to fulfill the data processing agreement without prior specific or general written approval from the data controller.

3. In the case of general written approval, the data processor must inform the data controller of any planned changes regarding the addition or replacement of other data processors, thereby giving the data controller the opportunity to object to such changes.

4. The data controller’s specific conditions for the data processor’s use of any sub-processors are outlined in Appendix B of this agreement.

5. The data controller’s potential approval of specific sub-processors is stated in Appendix B of this agreement.

6. When the data processor has the data controller’s approval to use a sub-processor, the data processor ensures that the sub-processor is subject to the same data protection obligations as those set out in this data processing agreement, through a contract or other legal document in accordance with EU law or the national law of member states, thereby providing the necessary guarantees that the sub-processor will implement appropriate technical and organizational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.

Thus, the data processor is responsible for—through the conclusion of a sub-processor agreement—imposing on any sub-processor at least the obligations that the data processor itself is subject to under data protection regulations and this data processing agreement with its associated appendices.

7. The sub-processor agreement and any subsequent changes thereto shall be sent to the data controller in copy upon request, thereby allowing the data controller to ensure that a valid agreement has been concluded between the data processor and the sub-processor. Any commercial terms, such as prices, that do not affect the data protection content of the sub-processor agreement, do not need to be sent to the data controller.

8. The data processor must include the data controller as a beneficiary third party in the agreement with the sub-processor in the event of the data processor’s bankruptcy, so that the data controller can assume the data processor’s rights and enforce them against the sub-processor. For example, the data controller can instruct the sub-processor to delete or return information.

9. If the sub-processor does not fulfill its data protection obligations, the data processor remains fully responsible to the data controller for the fulfillment of the sub-processor’s obligations.

8. Transfer of Data to Third Countries or International Organizations

1. The data processor may only process personal data according to documented instructions from the data controller, including with regard to the transfer (disclosure, transmission, and internal use) of personal data to third countries or international organizations, unless required under EU law or the national law of member states to which the data processor is subject; in such a case, the data processor shall inform the data controller of this legal requirement before processing, unless the respective law prohibits such notification due to important public interest, in accordance with Article 28, Section 3, point a.

2. Without the data controller’s instruction or approval, the data processor cannot, within the framework of the data processing agreement, do the following, among other things:

a. Disclose personal data to a data controller in a third country or an international organization. 
b. Entrust the processing of personal data to a sub-processor in a third country. 
c. Have the data processed in another department of the data processor located in a third country.

3. The data controller’s potential instructions or approval for the transfer of personal data to a third country will be outlined in Appendix C of this agreement.

9. Assistance to the Data Controller

1. Taking into account the nature of the processing, the data processor assists the data controller as far as possible, through appropriate technical and organizational measures, in fulfilling the data controller’s obligation to respond to requests for the exercise of the data subjects’ rights as set out in Chapter 3 of the General Data Protection Regulation.

This implies that the data processor, as far as possible, shall assist the data controller in ensuring compliance with:

a. The duty to inform when collecting personal data from the data subject.
b. The duty to inform if personal data is not collected from the data subject.
c. The right of access by the data subject.
d. The right to rectification.
e. The right to erasure (“the right to be forgotten”).
f. The right to restriction of processing.
g. The obligation to notify in connection with the rectification or erasure of personal data or restriction of processing.
h. The right to data portability.
i. The right to object.
j. The right to object to the result of automated individual decisions, including profiling.

2. The data processor assists the data controller in ensuring compliance with the data controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, in accordance with Article 28, Section 3, point f.

This implies that the data processor, taking into account the nature of the processing, shall assist the data controller in ensuring compliance with:

a. The obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing.
b. The obligation to report personal data breaches to the supervisory authority (the Danish Data Protection Agency) without undue delay and, if possible, no later than 72 hours after the data controller becomes aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
c. The obligation to notify the data subject(s) of personal data breaches without undue delay when such a breach is likely to result in a high risk to the rights and freedoms of natural persons.
d. The obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
e. The obligation to consult the supervisory authority (the Danish Data Protection Agency) before processing, if a data protection impact assessment indicates that the processing will result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

3. Any regulation/agreement between the parties regarding remuneration or similar matters in connection with the data processor’s assistance to the data controller will be outlined in the parties’ “main agreement” or in Appendix D of this agreement.

10. Notification of Personal Data Breaches

1. The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred at the data processor or any sub-processor.

The data processor’s notification to the data controller should, if possible, occur no later than 24 hours after becoming aware of the breach, so that the data controller has the opportunity to comply with their potential obligation to report the breach to the supervisory authority within 72 hours.

2. In accordance with Section 10.2., point b, of this agreement, the data processor shall, taking into account the nature of the processing and the information available to them, assist the data controller in notifying the supervisory authority of the breach. This may mean that the data processor, among other things, must help provide the following information, which, according to Article 33, Section 3 of the General Data Protection Regulation, must be included in the data controller’s notification to the supervisory authority:

a. The nature of the personal data breach, including, if possible, the categories and approximate number of affected data subjects, as well as the categories and approximate number of affected records of personal data.
b. The likely consequences of the personal data breach.
c. Measures taken or proposed to be taken to address the personal data breach, including, where relevant, measures to mitigate its possible adverse effects.

11. Deletion and Return of Data

1. Upon termination of the services related to processing, the data processor is obligated, at the choice of the data controller, to delete or return all personal data to the data controller, and to delete existing copies, unless EU law or national law prescribes the retention of personal data.

12. Supervision and Audit

1. The data processor shall make available to the data controller all information necessary to demonstrate the data processor’s compliance with Article 28 of the General Data Protection Regulation and this agreement, and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.

2. The detailed procedure for the data controller’s supervision of the data processor is outlined in Appendix C of this agreement.

3. The data controller’s supervision of any sub-processors is generally conducted through the data processor. The detailed procedure for this is outlined in Appendix C of this agreement.

4. The data processor is obligated to grant authorities, who under applicable law have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of the authority, access to the data processor’s physical facilities upon proper identification.

13. The Parties’ Agreements on Other Matters

1. Any (special) regulation of the consequences of the parties’ breach of the data processor agreement will be outlined in the parties’ “main agreement.”

2. Any regulation of other matters between the parties will be outlined in the parties’ “main agreement.”

14. Commencement and Termination

1. This agreement enters into force upon the customer’s written acceptance thereof.

2. Termination of the data processor agreement follows termination of the TimeGuru subscription.

3. The agreement is valid as long as the processing continues. Regardless of the termination of the “main agreement” and/or the data processor agreement, the data processor agreement will remain in force until the termination of the processing and the deletion of the data by the data processor and any sub-processors.

15. Representatives

1. The customer provides contact details of the personal data controllers upon entering into the agreement.

2. TimeGuru’s data protection officer is: Nicolas Larsen, Phone +45 71 74 11 15, info@timeguru.dk.

Appendix A – Information on the Processing

Purpose of the data processor’s processing of personal data on behalf of the data controller:
• So that the data controller can use the TimeGuru system, which is owned and managed by the data processor, to collect and process information about the data controller’s members, including employees, customers, and partners.

The data processor’s processing of personal data on behalf of the data controller primarily concerns (nature of the processing):
• Providing the TimeGuru system to the data controller and thereby storing personal data about the data controller’s members on the company’s servers or with Microsoft Azure. Microsoft is part of the EU-U.S. Data Privacy Framework.

The processing includes the following types of personal data about the data subjects:
Name, address, position/title, email, phone number, vacation days, absence days

The processing includes the following categories of data subjects:
Individuals who have or have had a connection with the data processor’s company, including employees, customers, suppliers, and partners.

The data processor’s processing of personal data on behalf of the data controller may commence after the entry into force of this agreement. The processing has the following duration:
The processing is not time-limited and lasts until the agreement is terminated or canceled by one of the parties.

Appendix B – Conditions for the Data Processor’s Use of Sub-processors and List of Approved Sub-processors

B.1 Conditions for the data processor’s use of any sub-processors:
The data processor has the general approval of the data controller to use sub-processors. However, the data processor must notify the data controller of any planned changes regarding the addition or replacement of other processors, thereby giving the data controller the opportunity to object to such changes. Such notification must be received by the data controller at least one month before the use or change is to take effect. If the data controller has objections to the changes, they must notify the data processor within two weeks of receiving the notification. The data controller can only object if they have reasonable, specific grounds for doing so.

B.2 Approved sub-processors:
Upon the entry into force of the data processing agreement, the data controller has approved the use of the following sub-processors: Microsoft Danmark ApS, Kanalvej 7, 2800, Kongens Lyngby, Cvr.: DK13612870. Microsoft is part of the EU-U.S. Data Privacy Framework.

Upon the entry into force of the data processing agreement, the data controller has specifically approved the use of the above-mentioned sub-processors for the specific processing described next to each party. The data processor cannot – without the specific and written approval of the data controller – use the individual sub-processor for “other” processing than agreed or have another sub-processor carry out the described processing.

Appendix C – Instructions for the Processing of Personal Data

C.1 Subject/Instructions for Processing:
The data processor’s processing of personal data on behalf of the data controller occurs as follows:
• Providing the TimeGuru system to the data controller. See the subscription terms on the TimeGuru website for more details.

C.2 Processing Security:
The security level should reflect that the processing involves a limited amount of personal data about each individual, and that personal data subject to Article 9 of the General Data Protection Regulation (“special categories of personal data”) is processed minimally or not at all; an appropriate level of security must therefore be established.
The data processor is then entitled and obligated to decide which technical and organizational security measures should be used to create the necessary (and agreed) level of security around the data.
The data processor must, however, at a minimum, implement the following measures agreed with the data controller (based on the risk assessment conducted by the data controller):

• All user data is linked to transaction data via unique keys, so that content from data tables cannot be used without knowing the unique key. User management is based on Microsoft’s identity management standard.
• System development is subject to extensive testing and control, and work is done in a staging environment with development and quality assurance before release to production.
• The systems are hosted online with Microsoft Azure and daily backups are performed. Data can be restored from daily backup and transaction logging at any time.
• Procedures for processing security are tested periodically and randomly to ensure compliance.
• Access to data, other than through the online solution, is subject to IP filtering and can only be performed from TimeGuru-approved locations.
• It is required that all data is transferred encrypted.
• Data is stored with Microsoft Azure Northern Europe.
• Remote workplaces can only be used from TimeGuru-approved locations.
• There is extensive logging at both user and administrative levels.

C.3 Storage Period/Deletion Routine:
During the subscription:
Personal data is stored by the data processor until the data controller requests the data be deleted or returned. After the subscription ends: up to 6 months or earlier.

C.4 Location of Processing:
Processing of personal data covered by the agreement cannot take place at other locations than the following without the prior written approval of the data controller:
Microsoft Azure, Northern Europe.

C.5 Instructions or Approval for Transfer of Personal Data to Third Countries:
Although data is stored in a data center within the EU, there may be transfers to third countries if Microsoft Corporation, USA, needs to support the operating environment. Microsoft is now part of the EU-U.S. Data Privacy Framework.

C.6 Detailed Procedures for the Data Controller’s Supervision of the Processing Conducted by the Data Processor:
The data controller or a representative of the data controller also has access to conduct an annual audit, including physical inspections. Any expenses incurred by the data controller in connection with a physical inspection are borne by the data controller. The data processor is obligated to allocate up to 2 hours annually. The data processor must annually and without separate payment arrange for the preparation of an audit statement concerning the data processor’s controls related to data protection and the processing of personal data. The audit statement must include a review of established controls and a report on their effectiveness, as well as the appointed third party’s comments. Audit statements are issued according to generally accepted standards, for example, ISAE 3000. The audit statement must be prepared by a competent third party, who must be subject to a usual confidentiality obligation. Audit statements can be downloaded from the data processor’s website immediately after the data processor has received them from the independent third party. The audit statements can, after further agreement, be sent to the data controller immediately after preparation.

C.7 Detailed Procedures for Supervision of the Processing Conducted by Any Sub-processors:
TimeGuru is subject to Microsoft’s standard terms applicable to Microsoft Azure. Refer to the Microsoft Trust Center. (See also the link in section C.5)
