This Data Processing Addendum forms part of the Agreement between Timewax and the Client. This Addendum will be in effect on the moment that Timewax and the Client enter into an agreement and shall expire when this agreement is terminated.
All capitalized terms that have not been defined in this Addendum shall have the meanings set forth in the Agreement. In the event of a conflict between the definitions of this Addendum and the Agreement, the definitions of this Addendum shall supersede and control.
1.1 Anonymization: irreversibly de-identifying Personal Data such that the Data Subject cannot be identified by using reasonable time, cost, and technology to identify that Data Subject.
1.2 Data Controller: the natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.3 Data Processor: a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of a Data Controller.
1.4 Data Protection Laws: GDPR as well as any local data protection laws.
1.5 Data Subject: the identified or identifiable person to whom Personal Data relates.
1.6 EEA: European Economic Area.
1.7 GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.8 Personal Data: any information relating to an identified or identifiable natural person (Data Subject) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.9 Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Client’s Personal Data transmitted, stored or otherwise processed.
1.10 Processing: an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
1.11 Pseudonymization: the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
1.12 Sensitive Personal Data: Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms and merit specific protection, as the context of their processing could create significant risks to those fundamental rights and freedoms. Such Personal Data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
1.13 Sub-processor: any third party appointed by Timewax for the Processing of Personal Data of the Data Controller.
1.14 Supervisory Authority: an independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR.
1.15 Third Country: any country outside the EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.
2.1 With effect from 25 May 2018, Timewax will process Personal Data in accordance with the GDPR requirements directly applicable to the Services of Timewax.
2.2 In the Processing of Personal Data on the Timewax infrastructure, the role of Timewax will not extend beyond that of the Data Processor.
2.3 The Client is the Data Controller and has and maintains full control of the Personal Data.
2.4 The Client declares that it – if and to the extent applicable – will act in accordance with the GDPR and will comply with or fulfil its obligations under the relevant legislation.
2.5 The Client guarantees the legality of any use of Personal Data, processing, archiving, the purpose of the use and the exchange of Personal Data and/or any other use, such as resulting from the implementation of this agreement.
2.6 Timewax processes the Personal Data in a proper and careful manner and only processes the Personal Data in accordance with the provisions of this agreement, and the specific purposes and resources described in the SLA.
2.7 The Personal Data which the parties expect to process comprise at most the employee number, first name, last name, email address, mobile phone number and photo of the Employees, and any other data that Users wish to enter into the Software.
2.8 The Client declares that the Personal Data supplied to Timewax for processing does not contain any Sensitive Personal Data.
2.9 Timewax shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Client’s documented instructions, unless processing is required by EU or Member State law to which Timewax is subject. Timewax shall, to the extent permitted by such law, inform the Client of that legal requirement before processing the Personal Data and comply with the Client’s instructions to minimize, as much as possible, the scope of the disclosure.
2.10 Timewax will process the Client’s Personal Data in the Software solely within the EEA and will not process Client’s Personal Data in the Software in, nor transfer to, a Third Country.
3.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Timewax shall implement appropriate technical and organizational measures to ensure a level of Personal Data security appropriate to the risk, including but not limited to:
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
3.2 In assessing the appropriate level of security, Timewax shall take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3.3 Timewax will at least annually have an independent party audit the implemented technical and organizational measures.
3.4 If the Client wants to further eliminate the ability to link the Personal Data to a Data Subject, the Client can apply Pseudonymization to Personal Data, for which the Client is responsible.
3.5 The Client is responsible for the process of Anonymization of Personal Data, which Timewax will facilitate by providing a Function in the Software.
3.6 Timewax shall take reasonable steps to ensure the reliability of any employee, contractor or Sub-processor who may have access to the Client’s Personal Data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Personal Data.
3.7 Timewax shall ensure that all individuals who have a duty to process the Client’s Personal Data:
a. are informed of the confidential nature of the Client’s Personal Data and are aware of the obligations of Timewax under this agreement in relation to the Client’s Personal Data;
b. have received appropriate training on their responsibilities;
c. are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
d. are subject to user authentication and logon processes when accessing the Client’s Personal Data in accordance with this agreement and the applicable Data Protection Laws.
4.1 Client acknowledges and agrees that Timewax may engage Sub-processors to process Personal Data in connection with the Services and that from time to time Timewax may appoint additional third parties as a Sub-processor.
4.2 A list of Sub-processors is available at the Timewax support site. Before enabling a new party as a Sub-processor, Timewax will add such a party to the list. The Client can subscribe to updates of the list via email and may object to such a party in writing within four (4) weeks of receipt of the aforementioned notice by Timewax.
a. If the Client reasonably objects to a Sub-processor, the Client shall provide Timewax with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services;
b. If the Client does not object to the engagement of a third party within four (4) weeks of notice by Timewax, such third party will be deemed a Sub-processor.
4.3 Timewax shall, by way of contract or other legal act under European Union or European Union member state law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Sub-processor is subject to obligations regarding the Processing of Personal Data that are no less protective than those to which Timewax is subject under this Addendum.
4.4 Timewax shall be liable to Client for the acts and omissions of Sub-processors to the same extent that Timewax would itself be liable under this Addendum had it conducted such acts or omissions.
5.1 Taking into account the nature of the Processing, Timewax shall assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising Data Subject rights as laid down in the GDPR.
5.2 Timewax shall promptly notify the Client if it receives a request from a Data Subject to access, correct or delete that person’s Personal Data, or if a Data Subject objects to the Processing thereof. Timewax shall not respond to a Data Subject without the Client’s prior written consent, except to confirm that such request relates to the Client, to which the Client hereby agrees.
5.3 Timewax shall cooperate as requested by the Client to enable the Client to comply with any exercise of rights by a Data Subject under any Data Protection Laws with respect to Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws with respect to Personal Data or this agreement.
6.1 Timewax shall notify the Client without undue delay and, in any case, within thirty-six (36) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. Such notification shall as a minimum:
a. Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned;
b. Communicate the name and contact details of the Data Protection Officer at Timewax or other relevant contact from whom more information may be obtained;
c. Describe the estimated risk and the likely consequences of the Personal Data Breach;
d. Describe the measures taken or proposed to be taken to address the Personal Data Breach.
6.2 Timewax shall co-operate with the Client and take such reasonable commercial steps as are directed by the Client to assist in the investigation, mitigation and remediation of each Personal Data Breach.
6.3 In the event of a Personal Data Breach, Timewax shall not inform any third party without first obtaining the Client’s prior written consent, unless notification is required by EU or Member State law to which Timewax is subject, in which case Timewax shall, to the extent permitted by such law, inform the Client of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Client before notifying the Personal Data Breach.
6.4 Timewax shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Article 35 of GDPR and with any prior consultations to any Supervisory Authority of the Client which are required under Article 36 of GDPR, in each case solely in relation to Processing of the Client’s Personal Data by Timewax on behalf of the Client and considering the nature of the processing and information available to Timewax.
7.1 Timewax shall promptly at the Client’s request and, in any event, within ninety (90) calendar days of the termination of the agreement, securely wipe or erase all copies of the Client’s Personal Data Processed by Timewax or transfer them back to the Client, including all (copies of) electronically stored Personal Data.
7.2 Timewax may retain Client’s Personal Data to the extent required by the European Union or Member State law, and only to the extent and for such period as required by the European Union or Member State law, and always provided that Timewax shall ensure the confidentiality of all such Client’s Personal Data and shall ensure that such Client’s Personal Data is only processed as necessary for the purpose(s) specified in the European Union or Member State law requiring its storage and for no other purpose.
8.1 The Processor shall be liable to the Client as a result of or in connection with this Addendum, or for any other reason whatsoever, insofar as the parties have agreed this in the Agreement. The limitation of liability as agreed in the Agreement shall remain in full effect with respect to the obligations included in this Addendum, on the understanding that the same event can never give rise to several claims for damages.
8.2 Notwithstanding Clause 8.1, the Processor indemnifies the Client against any claim and for all damage and/or fines of third parties, including the Dutch Data Protection Authority or individuals, with regard to obligations as set out in the Agreement and this Addendum.