Data processing agreement


  1. Background to the Data Processing Agreement
  2. The data controller's obligations and rights
  3. The data processor is acting according to instructions
  4. Confidentiality
  5. Security of processing
  6. Use of subcontractors
  7. Transfer of information to third countries or international organizations
  8. Assistance to the data controller
  9. Notification of breach of personal data security
  10. Deleting and retrieving information
  11. Supervision and audit
  12. Entry into force and termination

Appendix A Information about the processing
Appendix B Conditions for the data processor's use of subcontractors List of subcontractors


1. Background
 
  1. This agreement sets out the rights and obligations that apply when the data processor handles personal data on behalf of the data controller.
  2. The agreement is designed for the parties to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.
  3. The data processor's processing of personal data is carried out in order to fulfil the parties' "main agreement": "General Terms of Trade", concluded on the creation of an account at timeatweb.com.
  4. The Data Processing Agreement and the "main agreement" are interdependent and cannot be terminated separately. However, the Data Processing Agreement may - without terminating the "main agreement" - be replaced by another valid data processing agreement.
  5. This data processing agreement takes precedence over any similar provisions in other agreements between the parties, including the "main agreement".
  6. Two appendices are attached to this agreement. The appendices form an integral part of the data processing agreement.
  7. Appendix A of the data processing agreement contains details of the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
  8. Appendix B of the data processing agreement contains the data controller's conditions for the data processor to make use of any sub-processors, as well as a list of any sub-processors that the data controller has approved.
  9. The data processing agreement and its attachments are stored electronically by both parties here at timeatweb.com.
  10. This data processing agreement does not release the data processor from any obligations that are directly imposed on the data processor under the Data Protection Regulation or any other law.

2. The data controller's obligations and rights
 
  1. As a starting point, the data controller is responsible towards the outside world (including the data subject) for ensuring that the processing of personal data takes place within the scope of the Data Protection Act.
  2. The data controller therefore has both the rights and the obligations to make decisions about the purposes and the means for processing.
  3. The data controller is responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to perform.

3. The data processor is acting according to instructions
 
  1. The data processor may only process personal data according to documented instructions from the data controller, unless required under EU law or the national law of the Member States to which the data processor is subject; in that case, the data processor shall notify the data controller of this legal requirement before processing, unless that law prohibits such notification for reasons of important social interests, cf. Article 28(3)(a).
  2. The data processor immediately informs the data controller if an instruction, in the opinion of the data processor, is contrary to the Data Protection Regulation or data protection provisions in other EU law or national law of the Member States.

4. Confidentiality
 
  1. The data processor ensures that only the persons currently authorized to do so have access to the personal data processed on behalf of the data controller. Access to the information must therefore be closed immediately if the authorization is withdrawn or expires.
  2. Only persons authorized for access to personal data may be authorized to fulfill the data processor's obligations to the data controller.
  3. The data processor ensures that the persons authorized to process personal data on behalf of the data controller have committed themselves to confidentiality or are subject to appropriate statutory confidentiality.
  4. At the request of the data controller, the data processor should be able to demonstrate that the relevant employees are subject to the aforementioned confidentiality obligation.

5. Security of processing
 
  1. The data processor implements all measures required by Article 32 of the Data Protection Regulation, which states, inter alia, that, taking into account the current state of the art, the implementation costs and the nature, scope, context and purpose of the processing concerned, as well as the risks of varying probability and seriousness for the rights and freedoms of natural persons, appropriate technical and organizational measures must be implemented to ensure a level of security that fits these risks.
  2. The above obligation implies that the data processor must carry out a risk assessment and then take measures to address identified risks. These measures may include, inter alia, the following:
    1. Pseudonymization and encryption of personal data
    2. Ability to ensure continued confidentiality, integrity, availability and robustness of processing systems and services
    3. Ability to timely restore the availability of and access to personal data in case of a physical or technical incident
    4. A procedure for periodic testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing
       
6. Use of subcontractors
 
  1. The data processor must comply with the conditions set out in Article 28(2) and (4) of the Data Protection Regulation in order to use another data processor (subcontractor).
  2. The data processor must not use another data processor (subcontractor) to fulfill the data processing agreement without prior notice to the data controller that allows the data controller to object to such changes.
  3. The data controller's terms and conditions for the data processor's use of any subcontractors are contained in Appendix B of this Agreement.
  4. Any approval by the data controller of specific subcontractors is listed in Appendix B of this Agreement.
  5. If the subcontractor does not comply with its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the subcontractor's obligations.
 
7. Transfer of information to third countries or international organizations
 
  1. The data processor may only process personal data according to documented instructions from the data controller, including as regards the transfer (transfer and internal use) of personal data to third countries or international organizations, unless required under EU law or the national law of the Member States to which the data processor is subject; in that case, the data processor shall notify the data controller of this legal requirement before processing, unless that law prohibits such notification for reasons of important social interests, cf. Article 28(3)(a).
  2. Without the data controller's instruction or approval, the data processor may not - within the framework of the data processing agreement - among other things:
    1. pass personal data to a data controller in a third country or in an international organization,
    2. leave the processing of personal data to a sub-processor in a third country,
    3. have the information processed in another of the data processor's departments located in a third country.
       
8. Assistance to the data controller
 
  1. The data processor, taking into account the nature of the processing, shall, as far as possible, assist the data controller by appropriate technical and organizational measures in fulfilling the data controller's obligation to respond to requests for the exercise of the data subjects' rights as laid down in Chapter 3 of the Data Protection Regulation.

    This implies that, as far as possible, the data processor shall assist the data controller in connection with the data controller's responsibility for ensuring compliance with:
    1. the duty to provide information when collecting personal data from the data subject
    2. the duty to provide information where personal data have not been collected from the data subject
    3. the data subject's right of access
    4. the right to rectification
    5. the right to deletion ("the right to be forgotten")
    6. the right to restriction of processing
    7. the notification obligation in connection with the correction or deletion of personal data or restriction of processing
    8. the right to data portability
    9. the right of objection
    10. the right to object to the result of automated individual decisions, including profiling
  2. The data processor assists the data controller in ensuring compliance with the data controller's obligations pursuant to Articles 32-36 of the Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, cf. Article 28(3)(f).
    1. the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing
    2. the obligation to report a breach of personal data security to the supervisory authority (Data Inspectorate) without undue delay and, if possible, within 72 hours after the data controller has been notified of the breach, unless it is unlikely that the breach of personal data security would endanger the rights and freedoms of natural persons
    3. the obligation - without undue delay - to notify the data subject of a personal data breach when such a breach is likely to entail a high risk to the rights and freedoms of natural persons
    4. the obligation to carry out an impact assessment on data protection if a type of processing is likely to pose a high risk to the rights and freedoms of natural persons
    5. the obligation to consult the supervisory authority (Data Inspectorate) before processing if an impact assessment on data protection shows that the processing will lead to high risk in the absence of measures taken by the data controller to limit the risk
       
  3. Any regulation / settlement between the parties or the like in connection with the data processor's assistance to the data controller will appear in the parties' "main agreement".
     
9. Notification of breach of personal data security
 
  1. The data processor informs the data controller without undue delay after becoming aware that there has been a breach of personal data security at the data processor or any sub-processor. The data processor's notification to the data controller should, if possible, be made within 24 hours after it has become aware of the breach, so that the data controller is able to comply with its obligation to report the breach to the supervisory authority within 72 hours.
  2. In accordance with paragraph 10.2 (b) of this agreement, the data processor - in consideration of the nature of the processing and the information available to it - shall assist the data controller in reporting the breach to the supervisory authority. This may mean that the data processor shall assist in providing the following information, which, as provided for in Article 33(3) of the Data Protection Regulation, shall be stated in the data controller's notification to the supervisory authority:
    1. The nature of the breach of personal data security, including, where possible, the categories and the approximate number of data subjects, as well as the categories and the approximate number of personal data records concerned.
    2. Probable consequences of the breach of personal data security
    3. Measures taken or proposed to address the breach of personal data protection, including where appropriate, measures to limit its possible harmful effects
       
10. Deleting and retrieving information

Upon termination of the processing services, the data processor is obliged to delete or return all personal data to the data controller, as well as to delete existing copies, unless European Union or national law prescribes the retention of personal data.


11. Supervision and audit
 
  1. The data processor shall make available to the data controller all information necessary for demonstrating the compliance of the data processor with Article 28 of the Data Protection Regulation and this Agreement, and shall allow and contribute to audits, including inspections carried out by the data controller or another auditor authorized by the data controller.
  2. The data processor is required to give authorities that have access to the data controller's and data processor's facilities, or representatives acting on behalf of such an authority, access to the physical facilities of the data processor upon presentation of due credentials.

12. Entry into force and termination
 
  1. This agreement enters into force upon the data controller's online approval on this page.
  2. The agreement may be renegotiated by both parties if the law changes or inconsistencies in the agreement give rise to this.
  3. Any adjustment / agreement of the parties regarding remuneration, conditions or the like in connection with changes to this agreement will appear in the parties' "main agreement".
  4. The data processing agreement may be terminated in accordance with the termination conditions, including the termination notice, as stated in the "main agreement".
  5. The agreement is valid for the duration of the processing. Regardless of the termination of the "main agreement" and / or the Data Processing Agreement, the Data Processing Agreement will remain in force until termination of the processing and the deletion of the data by the data processor and any sub-processors.


Appendix A Information about the processing

The purpose of the data processor's processing of personal data on behalf of the data controller is: that the data controller can use the Time @ Web system, owned and managed by the data processor, to collect and process information about the data controller's employees, customers and suppliers.

The data processor's processing of personal data on behalf of the data controller is primarily about (the nature of the processing): that the data processor provides the Time @ Web system to the data controller, thereby storing personal data about the data controller's employees, customers and suppliers on the company's servers.

The processing includes the following types of personal data about the data subjects: Name, E-mail Address, Phone Number, Address, Payment Information, Subscription Number, Type of Membership, Login Information, Payment Terms, Order Information, Billing Information, Job Documentation, Timer Registration, Absence Registration.

The processing includes the following categories of data subjects: Persons who have or have had a subscription with the data controller. Persons created by the data controller (employees). Customers whom the data controller has created.

The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of this Agreement. The processing is not limited in time and continues until the agreement is terminated by one of the parties.


Appendix B Conditions for the data processor's use of sub-processors and list of authorized sub-processors
 
  1. The data processor has the data controller's general approval to use sub-processors. However, the data processor must notify the data controller of any planned changes regarding the addition or replacement of other data processors, thereby giving the data controller the opportunity to object to such changes. If the data controller opposes the changes, the data controller must notify the data processor within 1 month of receiving the notification. The data controller can raise objections only if the data controller has reasonable, concrete reasons for this.
  2. At the entry into force of the data processing agreement, the data controller has approved the use of the following sub-processors: Subcontractors list

    At the entry into force of the data processing agreement, the data controller has specifically approved the use of the above sub-processors for the particular processing described for that party. The data processor cannot, without the data controller's specific and written approval, use an individual sub-processor for "other" processing than that agreed, or allow another sub-processor to carry out the described processing.