DATA PROCESSING AGREEMENT
This is an agreement concerning the processing of Personal Data as part of Taimer’s CRM and business management software provided on an as-a-service basis (Service), as further specified in (i) the Terms of Service and (ii) the ordering document and all documents and schedules incorporated therein (collectively the Agreement) by and between Company and Taimer.
This Data Processing Agreement (DPA) is subject to the terms of the Agreement and an integral part thereof. Thus, the provisions regarding, inter alia, governing law and dispute resolution shall apply to this DPA. In the event of any conflict between the terms of the Agreement and the DPA, the relevant terms of this DPA shall prevail. This DPA shall be effective for the term of the Agreement.
In addition to the definitions set out elsewhere in this DPA, the Data Controller, Data Processor, Data Subject and Personal Data shall have the meanings set forth in the European Union’s General Data Protection Regulation ((EU) 2016/679).
ROLES OF THE PARTIES
In connection with Personal Data processed by Taimer in order to provide the Service and originating from the Company or the Users (Content), the Parties acknowledge that Company shall be the Data Controller liable to the Data Subjects for the processing of Personal Data by the Data Processor and Taimer shall be the Data Processor processing Personal Data on behalf of Company.
Company is responsible for compliance with its obligations as Data Controller under data protection laws, in particular for justification of any transmission of Personal Data to Taimer (including providing any required notices and obtaining any required consents), and for its decisions concerning the processing and use of any data in the Service.
Company warrants that:
(i) there is a valid legal ground for the processing, and any Personal Data transferred to Taimer are correct; and
(ii) to the extent required by applicable mandatory law, Company has provided appropriate notice to each individual and/or obtained from each individual his or her written consent for the use and processing of his or her Personal Data for the Service; and
(iii) to the extent required by applicable mandatory law, Company has submitted all and any registrations and/or notifications to the necessary data protection authorities having jurisdiction over Company’s activities in connection with using the Service; and
(iv) the processing of Personal Data in connection with the Service by Company is carried out in accordance with applicable data protection laws; and
(v) it shall give Taimer comprehensive, reasonable, written and lawful instructions on the processing. Performance of the Service in accordance with the Agreement shall be deemed to be in compliance with such written instructions.
Company shall inform Taimer of all such requirements under the mandatory applicable law that may be imposed on Taimer due to the provision of the Service to Company by Taimer.
With respect to Content that is outdated or inaccurate, Taimer shall use reasonable efforts to assist Company in deleting or rectifying such data in accordance with Company’s instructions.
PROCESSING OF PERSONAL DATA
In order to execute the Agreement and to perform the Service, Company authorizes and requests that Taimer process the following Personal Data:
Categories of Personal Data: Personal Data may include, without limitations, personal contact information such as name, company address, company telephone or mobile number, email address, and passwords; information on age, date of birth, employment details including employer name, job title and function, education, identification numbers, social security number and business contact details, and goods and services provided and other Personal Data that the Company chooses to process in the Service.
Categories of Data Subjects: Data Subjects include Company’s representatives and Users, as well as other employees, contractors, collaborators, partners, and customers of the Company.
The nature of the processing has been further described in the Agreement.
Taimer shall process Personal Data only for the provision of the Service and in accordance with Company’s reasonable written instructions, unless required to do so to comply with a legal obligation to which Taimer is subject. Taimer shall inform Company of such legal requirement before processing, unless that law prohibits such notification on important grounds of public interest. Taimer will inform Company if, in Taimer’s opinion, Company’s instructions breach data protection regulation. Company understands that Taimer is not obligated to provide legal advice to Company or to conduct legal research.
Taimer shall execute the processing without additional charge to the extent necessary for Taimer to comply with laws applicable to Taimer as a Data Processor in the provision of the Service. If Company gives additional instructions, which go beyond the Agreement, any associated costs for compliance with such instructions shall be borne by Company.
Taimer warrants that it will treat all Personal Data as strictly confidential and ensures that all its employees, and/or approved affiliates and sub-processors engaged in processing the Personal Data have signed an adequate confidentiality agreement and/or are under any other binding obligation of confidentiality.
Taimer shall implement commercially reasonable technical and organizational measures appropriate to the risk of the processing to protect Personal Data as required by law against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. The technical and organizational measures may include, as appropriate, (i) pseudonymisation and encryption of Personal Data, (ii) being able to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and Services, (iii) being able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and (iv) having a process in place for regularly testing, assessing and evaluating the effectiveness of the measures implemented to ensure the security of the processing. Taimer shall restrict access to Personal Data in the Service solely to such Taimer employees and subcontractors who need access to such content for purposes of providing the Service and Taimer undertakes to inform those having access to such content of the relevant confidentiality and security requirements.
Once per calendar year, at Company’s expense and in accordance with the Parties’ mutual agreement, Taimer shall make available all reasonable information necessary to demonstrate compliance with Taimer’s obligations as a processor, and allow for and contribute to audits, including inspections, conducted by Company or a third party auditor mandated by Company, and approved by Taimer, provided that Company notifies Taimer of its intention to conduct an audit no later than two (2) weeks prior to the audit. The audit shall be conducted during normal business hours and without interruption to Taimer’s ongoing business operations.
ASSISTANCE, INFORMATION OBLIGATIONS AND INCIDENT MANAGEMENT
Taimer shall, taking into account the nature of the processing and the information and technical means available, assist Company in (i) ensuring compliance with its legal obligations, such as data security, data breach notification, data protection impact assessment and prior consulting obligations, and (ii) responding to requests for exercising the Data Subject's rights. On Company’s written request, Taimer shall make available to Company reasonably all such information it possesses, which are, in accordance with Article 28 of the General Data Protection Regulation ((EU) 2016/679), necessary to demonstrate compliance with the obligations regarding the use of a data processor. Taimer has the right to invoice the reasonable costs incurred as a result of the aforementioned assistance and provision of data.
PERSONAL DATA BREACHES
In case Personal Data is accidentally, unlawfully or without proper authorization destroyed, lost, altered, disclosed or accessed, or the confidentiality, integrity or availability of Personal Data is endangered by any other event (Personal Data Breach), Taimer shall, after having become aware of a Personal Data Breach, notify Company without undue delay. Such notification shall be made in writing or any other means Taimer finds reasonable.
Taimer shall retain documentation of Personal Data Breaches, and retain such documentation for a reasonable time, however as a minimum for six months from the termination of this DPA.
SUB-PROCESSOR AND AFFILIATES
Some or all of Taimer’s obligations under the Agreement may be performed by affiliates and sub-processors of Taimer. This DPA includes a general written authorisation of Company for Taimer to subcontract the performance of whole or parts of the Service to a third party in accordance with this DPA. Taimer shall use all reasonable efforts to procure that its sub-processors are bound in writing by the same or equal obligations as Taimer under this DPA, and shall supervise compliance thereof.
Taimer maintains a list of subcontractors that may process the Content and will provide a copy of that list to Company upon written request. Taimer shall inform Company of the engagement of a new sub-processor. If Company does not object to the engagement of the sub-processor in question in writing within one (1) week after having received notice thereof, Company shall be deemed to have accepted the sub-processor in question. If Company objects to the use of a new sub-processor, Taimer shall be entitled to, for each service, without consequences for Taimer, decline the Service. For the avoidance of doubt, Company has accepted all sub-processors used by Taimer at the time this co-operation agreement comes into force.
LOCATION AND TRANSFER OF DATA
In connection with the Service, Taimer may transfer Content to recipients in countries outside of the European Economic Area, where the laws may not provide the same level of data protection as the country in which Content was initially collected.
Taimer will take steps to provide adequate protection, as required in the applicable data protection laws in force from time to time, with respect to Personal Data sent outside of the European Economic Area.
RETURN AND DELETION OF PERSONAL DATA
Following the termination of the Agreement and the Service, Taimer will return or otherwise make available for retrieval Content then in the Service.
Upon termination of the Agreement, Taimer will promptly delete all copies of Content, unless any legislation imposed upon Taimer, Taimer’s employees, Taimer’s affiliates or subcontractors prevents it from returning or destroying all or part of Content received. In that case, Taimer warrants that it will not actively process Content after the termination of the Agreement, and will otherwise comply with its obligations pursuant to these Data Processing Terms.
USE OF ANALYTICS
Taimer may (i) compile statistical and other information related to the performance, operation and use of the Service, and (ii) use data from the Service environment in aggregated form to create statistical analyses, and for research and development purposes (jointly as Analyses). Taimer may make Analyses publicly available; however, Analyses will not incorporate Content or confidential information in a form that could serve to identify Company or any Data Subject, and Analyses do not constitute Personal Data. Taimer retains all intellectual property rights in Analyses.
ENQUIRIES AND DISCLOSURES
In the event of a dispute or claim brought by a Data Subject or an authority against Taimer concerning the processing of Personal Data, or if Taimer is required by law or a non-appealable judgment or other resolution issued by any competent court, supervisory authority or similar administrative organ to disclose any information or Personal Data in connection with the provision of the Service, whether partly or wholly, or provide other specific answers to such entity (together, Enquiry), Taimer agrees to give preliminary notice to the Company of any such Enquiry and its circumstances, unless prohibited to do so by law to which Taimer is subject.
As a general rule, Company will respond to Enquiries and requests from Data Subjects and authorities concerning processing of Content by Taimer, unless the Enquiry provides that Taimer shall respond and the national data protection laws do not allow deviating from such position either. Taimer shall inform Company of any requests from Company’s Data Subjects and supervisory authorities. Taimer has the right to invoice the reasonable costs incurred as a result of the aforementioned assistance and provision of data.
LIMITATION OF LIABILITY
The Parties acknowledge that the division of the Parties’ liability related to administrative fines and/or damages imposed by a supervisory authority or a court under these personal data processing terms is based on each Party’s obligation to fulfil its own duties under the data protection legislation. Therefore, each Party is liable for the administrative fines and/or damages that are imposed by a supervisory authority or a court and that have been imposed on it for infringements of data protection legislation caused by the Party in question. A Party’s liability for any direct damage that is incurred by the other Party under the Agreement and that results from the Party’s breach of these personal data processing terms is limited to the amount corresponding to the charges paid by Company to Taimer under the Agreement during the year preceding the event giving rise to liability. The Parties are not liable for any indirect or consequential damage.