Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Client Agreement between Timeclock 365 Ltd (“Timeclock 365” or “Data Processor”) and the customer (“Client” or “Data Controller”) for the purchase of Services by Timeclock 365 (the “Services”) and related technical support to the Client (as amended from time to time) (the “Client Agreement”). This DPA reflects the parties’ agreement with respect to the terms governing the Data Processor’s processing and security of the Data Controller’s data (“Client Data”).
This DPA applies solely to the data described in this DPA and for any other data from or about the Data Controller or its users.
Whereas:
- By clicking “I Agree”, installing, accessing, or using the Service you indicate acceptance of this Agreement electronically. It is a prerequisite to use the Services that you agree to this Agreement.
- The Data Processor provides the Data Controller the Services described in Schedule 1.
- The Data Processor is solely the Processor of Personal Data as described under this Agreement. Timeclock 365 is the Data Controller of any and all Account Data.
- The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.
- Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes personal data on its behalf governing the processing of that data.
- If the Client entity agreeing to this DPA is not a party to the Agreement between Timeclock 365 and Client, this DPA is not legally binding or valid.
- This DPA shall not replace any additional or comparable rights relating to the processing of Client Data in the Agreement.
- In the event of any discrepancies between the terms of this DPA and the Agreement with respect to the processing of Client Data, this DPA shall prevail and control the processing of Client Data.
- Definitions and interpretation
1.1. Definitions: In this DPA, the following terms shall have the following meanings:
- “Controller”, “processor”, “data subject”, “personal data” (also referred to as Personal Information in the Agreement) and “processing” (and “process”) shall have the meanings given in Applicable Data Protection Law.
- “Applicable Data Protection Legislation” means all applicable privacy and data protection laws including the GDPR and any applicable national implementing laws, regulations, and secondary legislation in Israel, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive 2002 (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
- “Account Data” means the Personal Data collected in connection with account-related data provided by you to Data Processor during the purchase, sign up, billing, or support of your account. Account Data includes contact information for Administrators, product feedback and surveys, information collected in connection with our events, training sessions, webinars, sales and marketing purposes, and de-identified technical data used for support and product maintenance.
- “Biometric Data” means any kind of computer data that is created during a biometric process. This includes samples, models, fingerprints, similarity scores and all verification or identification data excluding the individual’s name and demographics such as facial recognition technology on photographs collected through the Service.
- “Client” means the client entity that entered into the Agreement with Timeclock 365 for Timeclock365 Services as described in Schedule 1.
- “Client Data” means the Personal Data (also referred to as Personal Information in the Agreement) contained in: i) any data you upload or input into the Service, and ii) data generated or collected in the course of your configuration or use of the Service. Client Data does not include Business Relationship Data.
- “Timeclock 365” means Timeclock 365 Ltd or any other entity that directly or indirectly controls, is controlled by or is under common control with Timeclock 365 Ltd.
- “Security Incident” means “Personal Data Breach” as defined under the GDPR.
- “Services” means those services described in Schedule 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purposes described in Schedule 1.
- “Sub-processor” means a sub-contractor appointed by the Data Processor to process the Personal Data.
- “Sub-processing Agreement” means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor.
- Unless the context otherwise requires, each reference in this Agreement to:
- “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
- a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
- “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
- a Schedule is a schedule to this Agreement; and
- a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
- a “Party” or the “Parties” refer to the parties to this Agreement.
- The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
- Words imparting the singular number shall include the plural and vice versa.
- References to any gender shall include the other gender.
- References to persons shall include corporations.
- Purpose limitation
Data Processor shall process the Client Data as a processor only as necessary to perform its obligations under the Client Agreement and strictly in accordance with the documented instructions of the Data Controller (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to the Data Controller. In no event shall the Data Processor process the Client Data for its own purposes or those of any third party, save that the Data Processor may de-identify and aggregate Client Data (“Aggregated Data”) and may process Aggregated Data to maintain and improve the Data Processor’s products and services.
- Scope and Application of this Agreement
- The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
- In the event of any conflict or ambiguity, the following shall apply:
- Where there is any conflict or ambiguity between a provision contained in the body of this Agreement and any provision contained in a Schedule to this Agreement, the provision in the body of this Agreement shall prevail;
- Where there is any conflict or ambiguity between the terms of any invoice or other document annexed to this Agreement and any provision contained in a Schedule to this Agreement, the provision contained in the Schedule shall prevail;
- Where there is any conflict or ambiguity between a provision of this Agreement and a provision of the Service Agreement, the provision in this Agreement shall prevail; and
- Where there is any conflict or ambiguity between a provision of this Agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses shall prevail.
- Provision of the Services and Processing Personal Data
- The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:
- for the purposes of those Services and not for any other purpose;
- to the extent and in such a manner as is necessary for those purposes; and
- strictly in accordance with the express written authorization and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).
- The Data Controller shall retain control of the Personal Data and shall remain responsible for its compliance obligations under applicable Data Protection Legislation including, but not limited to, providing the required notices and obtaining any required consents, and for any and all processing instructions it gives to the Data Processor.
- Data Protection Compliance
- All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise.
- The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to cease, mitigate, or remedy any authorized processing.
- The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
- Both Parties shall comply at all times with Applicable Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such a way as to cause either Party to breach any of its applicable obligations under Applicable Legislation.
- The Data Controller hereby warrants, represents, and undertakes that the Personal Data and its use with respect to the Service Agreement and this Agreement shall comply with applicable Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing.
- The Data Processor hereby warrants, represents, and undertakes that:
- all of its personnel (including, but not limited to, its employees, agents, and sub-contractors) that will access the Personal Data are reliable, trustworthy, and have been suitably trained on the Data Protection Legislation as it relates to this Agreement;
- the Personal Data shall be processed by the Data Processor (and any Sub-Processors it may appoint) in compliance with Applicable Legislation and any and all other relevant laws, enactments, regulations, orders, standards, and other similar instruments;
- it has no reason to believe that applicable Data Protection Legislation in any way prevents it from complying with its obligations under the Service Agreement; and
- it will implement appropriate technical and organizational measures, including any additional measures required, to prevent the unauthorized and/or unlawful processing of the Personal Data and/or the accidental loss of, abuse of, destruction of, or damage to the Personal Data, ensuring levels of security that are appropriate and proportionate to the harm that may result from such processing, loss, or damage, to the nature of the Personal Data, and that are appropriate to ensure compliance with the Applicable Legislation and with its own Privacy Policy including.
- The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the Data Protection Legislation) and any best practice guidance issued by applicable supervisory authority.
- The Data Processor shall provide all reasonable assistance at the Data Controller’s cost to the Data Controller in complying with its obligations under Applicable Legislation including if relevant GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the applicable supervisory authority.
- When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
- not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement;
- not, if applicable, transfer any of the Personal Data to any territory outside of the European Economic Area (“EEA”) without the written consent of the Data Controller and, in the event of such consent, only if there is a legal basis for such transfer;
- process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
- implement appropriate technical and organizational measures, as described in Schedule 2, and take all steps necessary to protect the Personal Data, and;
- if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organizational systems in place to safeguard the security of the Personal Data held and to prevent unauthorized access;
- Biometric Data
Certain parts of the Service make use of Biometric Data. Biometric Data can be subject to additional laws and regulations. Accordingly, in connection with the collection, retention, and use of Biometric Data, you agree that:
- The Data Controller is the controller of any Biometric Data collected through the Service. The Data Controller agrees to provide appropriate notice and obtain all consents and rights necessary for the Data Processor to process the Biometric Data on behalf of the Data Controller. The Data Controller recognizes and agrees that there are various laws that specifically govern the collection, use, and retention of Biometric Data, and understands that it is the sole responsibility of the Data Controller to comply with all applicable laws. From time to time, the Data Processor may provide reasonable assistance to the Data Controller with certain obligations, when applicable, such as assisting in responding to data subject requests and in providing relevant consent and disclosure language. Concerning assistance with consent and disclosure language, the Data Controller agrees that any such assistance does not constitute legal advice, is for informational purposes only, and that it is your ultimate responsibility to ensure compliance with all applicable law.
- Data Subject Rights, Complaints, and Personal Data Breaches
- The Data Processor shall at the Data Controller’s cost assist the Data Controller in complying with its obligations under the Applicable Legislation. In particular, the provisions of this Clause 5 shall apply to:
- the exercise by data subjects of their rights (including subject access rights, the rights to rectification and erasure of personal data, the rights to object to processing, restrict processing, and rights relating to automated processing), complaints, and personal data breaches; and
- notices served on the Data Controller by the relevant authority or any other applicable supervisory authority.
- The Data Processor shall notify the Data Controller immediately if it receives any complaint, notice, or other communication concerning the processing of the Personal Data (whether directly or indirectly) or either Party’s compliance with applicable Data Protection Legislation.
- The Data Processor shall, at the Data Controller’s cost, cooperate fully with the Data Controller and assist as required in relation to any complaint, notice, communication, or data subject request, including by:
- providing the Data Controller with full details of the complaint, notice, communication, or request;
- providing the necessary information and assistance in order to comply with the complaint, notice, communication, or request;
- providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and
- providing the Data Controller with any other information requested by the Data Controller.
- The Data Processor shall promptly and without undue delay notify the Data Controller if any of the Personal Data is lost or destroyed, or becomes damaged, corrupted, or otherwise unusable.
- The Data Processor shall notify the Data Controller immediately if it becomes aware of any accidental, unauthorised, or unlawful processing of the Personal Data, or of any personal data breach. The following information shall also be provided to the Data Controller without undue delay:
- a full description of the nature of the event, including the category or categories of Personal Data concerned, the category or categories of data subject concerned, and the approximate number of both Personal Data records and data subjects involved;
- details of the likely consequences; and
- details of the measures taken or planned, to address the event, including those intended to mitigate possible adverse effects.
- Immediately following any event under sub-Clause 5.6, the Data Controller and the Data Processor shall jointly investigate that event. In particular, the Data Processor shall, at the Data Controller’s cost cooperate fully with the Data Controller and assist as required, including by:
- assisting with any investigation;
- providing the Data Controller with access to any premises, facilities, and/or operations involved;
- facilitating interviews with any of the Data Processor’s personnel, former personnel, and any other individuals involved;
- providing or making available to the Data Controller any and all relevant records, logs, files, reports, and other documentation and materials required to comply with the Data Protection Legislation or other such materials reasonably required by the Data Controller; and
- taking all reasonable steps, promptly, to mitigate the effects of the event and to minimize any damage arising from it.
- The Data Processor shall not inform any third party of any Personal Data breach without the prior written consent of the Data Controller unless it is required to do so by law.
- The Data Controller shall have the sole right to determine the following:
- whether or not to notify Personal Data breaches to data subjects, the relevant authorities or other applicable supervisory authorities, regulators, law enforcement agencies, or others, as required by law or at the Data Controller’s discretion; and
- whether or not to offer a remedy to affected data subjects and, where such a remedy is to be offered, the nature and extent thereof.
- International transfers
The Data Processor shall not transfer the Client Data (nor allow the Client Data to be transferred) outside of the European Economic Area (“EEA”) unless (a) it has first obtained Client’s prior consent, or (b) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Client Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
- Data Processor’s Personnel
- The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data:
- are aware both of the Data Processor’s duties and obligations, and of their own individual duties and obligations under this Agreement and the Data Protection Legislation;
- have been given suitable training on applicable Data Protection Legislation with respect to the handling of Personal Data and how the Data Protection Legislation applies to their particular duties; and
- are contractually obliged to keep the Personal Data strictly confidential and shall not permit any person to process Personal Data who is not under such a duty of confidentiality.
- Shall ensure that Personal Data is only being processed according to the necessary purpose.
- Security
The Data Processor shall implement suitable technical and organizational security measures in order to protect the Personal Data against unauthorized or unlawful access, processing, disclosure, copying, alteration, storage, reproduction, display, or distribution; and against loss, destruction, or damage, whether accidental or otherwise. Such measures shall include, but not be limited to, those set out in Schedule 2.
- Appointment of Sub-Processors
- The Data Processor shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Data Controller.
- The Data Processor shall maintain control over all Personal Data transferred to any Sub-Processor.
- In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement.
- Term and Termination
- This Agreement shall remain in full force and effect:
- for as long as the Service Agreement remains in effect; or
- for as long as the Data Processor retains any Personal Data relating to the Service Agreement in its possession or control,
whichever period is longer.
- Where any provision of this Agreement, whether expressly or by implication, either comes into force or continues in force on or after the termination of the Service Agreement in order to protect the Personal Data, that provision shall remain in full force and effect.
- If any change to the Data Protection Legislation prevents either Party from fulfilling any of its obligations under the Service Agreement, the processing of the Personal Data shall be suspended until such processing can be made to comply with the Data Protection Legislation, as amended.
- Deletion and/or Disposal of Personal Data
- The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
- the end of the provision of the Services under the Service Agreement;
- the termination of the Service Agreement; or
- If the Data Processor is required by law, government, or other regulatory body to retain any documents or materials that the Data Processor would otherwise be required to return, delete, or otherwise dispose of under this Agreement, the Data Processor shall notify the Data Controller in writing of the requirement. Such notice shall give details of all documents or materials that the Data Processor is required to retain, the legal basis for that retention, and the timeline for deletion and/or disposal at the end of the retention period.
- Legal disclosure
If the Data Processor reasonably believes it is required by a subpoena, court order, agency action, or any other legal or regulatory requirement, to disclose any Client Data, we will provide you with notice and a copy of the demand as soon as practicable, unless we are prohibited from doing so pursuant to applicable law or regulation.
- Law and Jurisdiction
- This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of Israel.
- Any dispute, controversy, proceedings, or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of Israel.
- Miscellaneous
This DPA, including the terms of the underlying Client Agreement, is the entire agreement between the Data Processor and the Data Controller and replaces all prior understandings, communications, and agreements, oral or written, regarding its subject matter. If any court of law, having jurisdiction, rules that any part of this DPA is invalid, that section will be removed without affecting the remainder of the DPA. The remaining terms will be valid and enforceable.
SIGNED for and on behalf of the Data Controller by:
<<Name and Title of person signing for the Data Controller>>
__________________________________________________
Authorized Signature
Date: ____________
SIGNED for and on behalf of the Data Processor by:
<<Name and Title of person signing for the Data Processor>>
__________________________________________________
Authorized Signature
SCHEDULE 1
Services
The Data Processor is operating Timeclock365 which is a technology platform owned and operated by the Data Processor providing help to organizations to manage their workforce time, attendance, projects, tasks, and property, such as vehicles and packages. The Data Processor uses a mobile App, physical clock Devices, and a cloud platform, accessible to end-users through the App and a dedicated web Portal. Timeclock365 enables Clients to manage their workforce, pay their employees and contractors, and perform other functions related to workforce management. Any person using the Timeclock 365 App, Devices, or Portal is an End User.
Our Clients decide the purposes for which they use Timeclock365, as well as the means for collecting data from Timeclock365’s magnitude of features. We process the data on our Clients’ behalf and according to their instructions. Our Clients control the data processed on their behalf on Timeclock365. Any person (natural or legal) regarded as a Client will, for the purposes of this agreement, be referred to as the Data Controller.
SCHEDULE 2
- Technical and Organisational Data Protection Measures
- The Data Processor shall ensure that in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
- the harm that might result from unlawful or unauthorized processing or accidental loss, damage, or destruction of the Personal Data; and
- the nature of the Personal Data.