Processor agreement

Introduction

This Processor Agreement forms part of the Main Agreement between Forceweb B.V. (hereafter: “TimeChimp” or “Processor”) and the natural or legal person with whom TimeChimp enters into an agreement for the delivery and use of the TimeChimp software (hereafter: “Customer” or “Data Controller”). The Controller and the Processor are jointly referred to as the “Parties”.

The Parties have concluded an agreement for the use of TimeChimp software, to which the General Terms and Conditions of TimeChimp also apply (collectively: “Main Agreement”).

TimeChimp shall process personal data for the execution of the Main Agreement, on the Data Controller’s behalf. The Parties enter into this Agreement, which sets out their respective rights and obligations with regard to the processing of personal data (the “Processor Agreement”), in accordance with the applicable legislation. The Main Agreement and the Processor Agreement jointly determine the object and the duration of the Processing of personal data.

1. Definitions

The following terms shall have the meaning set out below:

  • Data Subject: the identifiable natural person whose Personal Data is processed.
  • Data breach: a security breach that inadvertently or unlawfully leads to the destruction, loss, alteration or unauthorised provision of or unauthorised access to transmitted, stored or otherwise processed data.
  • Personal data: all information about an identified or identifiable natural person that TimeChimp processes on behalf of the Data Controller in the context of the Main Agreement.
  • Employee(s): the persons who are authorised by the Parties to execute this Processing Agreement and who work under their authority.
  • Subprocessor: any third party engaged by the Processor to process personal data on behalf of the Processor without being subject to the direct authority of the Processor.
  • Applicable Legislation: laws or other (local) regulations, rules, guidelines or policies, instructions or recommendations of government authorities applicable to the processing of personal data, including any changes, replacements, updates or other subsequent versions thereof;
  • Processing: any manipulation or set of manipulations which are performed on Personal Data or on sets of Personal Data, whether or not by automated procedures, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.

2. Authorised processing operations

  • TimeChimp undertakes to process Personal Data only for the account of the Data Controller in the context of the activities as described in the Main Agreement. The Main Agreement and the Processor Agreement jointly determine the object and the duration of the Processing.
  • For the execution of the Main Agreement, the ongoing development of the Application and to support the Data Controller, TimeChimp may subject Personal Data for the entire duration of the Agreement to the following:
  • Saving, updating or modifying, consulting, using, blocking, deleting or destroying data.
  • TimeChimp processes the following types of Personal Data:
  • Names, addresses, places of residence, email, telephone numbers, bank details, IP addresses, location data, device types.
  • This Personal Data relates to the following categories of Data Subjects:
  • Customer relations of the Data Controller; current and former employees who are or were employed by the Data Controller.

3. Data Controller’s rights and obligations

  • The Data Controller shall make Personal Data available to TimeChimp. The Data Controller shall determine the purpose and means of the Processing. The Data Controller shall guarantee that the Processing of Personal Data, including its collection, is carried out in accordance with the relevant Applicable Legislation.
  • If the Employees of the Data Controller process Personal Data themselves, the responsibility for compliance with the Applicable Legislation falls under the Data Controller’s responsibility.

4. Data processing

  • TimeChimp may only process Personal Data strictly necessary for the execution of the Main Agreement. TimeChimp has no control over the purpose of the Processing of Personal Data.
  • TimeChimp shall only disclose personal data to employees and/or subprocessors who (need to) have access to personal data for the performance of obligations under the Main Agreement, unless otherwise required by Applicable Law.
  • TimeChimp does not process Personal Data at locations outside the European Economic Area.
  • Personal Data in backups enjoys the same protection as original Personal Data.
  • Timechimp guarantees that its Employees have access to Personal Data only to the extent necessary to carry out their duties within the scope of the commission to Process. TimeChimp shall inform its Employees about the obligations of this Processor Agreement.

5. Subprocessors

  • TimeChimp is authorised to use subprocessors for the performance of its service. Information about subprocessors can be obtained by the Data Controller upon request. The Data Controller may only refuse on good grounds. TimeChimp shall remain the point of contact for the Data Controller at all times.
  • TimeChimp guarantees that an agreement shall be concluded with engaged subprocessors, in which the same data protection guarantees are agreed as those set out in this Agreement. The Processor remains entirely responsible to the Data Controller for the Subprocessor’s compliance with its obligations.
  • In addition, personal data may be shared with subprocessors if use is made of additional services, with the express consent of the Data Controller.

Find an overview of all of TimeChimp’s subprocessors.

6. Confidentiality

  • TimeChimp is obliged to maintain confidentiality with regard to the Personal Data processed on the Data Controller’s behalf. This duty of confidentiality applies in full to TimeChimp’s Employees and to any Subprocessors. The confidentiality obligation shall continue even after termination of the processor agreement.
  • This confidentiality obligation shall not apply if the Data Processor is obliged by the Supervisory Authority, a statutory provision or a court order to disclose this Personal Data, if the information is publicly known and if the data is provided on behalf of the Data Controller.

7. Safety precautions

  • TimeChimp shall take the necessary appropriate technical and organisational measures to ensure a level of security appropriate to the risk, so that Processing complies with Applicable Legislation and the rights of Data Subjects are guaranteed.
  • TimeChimp shall apply an adequate level of security, taking into account the latest technology, the costs of implementation and the nature, scope, context and purposes of processing. TimeChimp shall be responsible for applying and / or changing the security level if deemed necessary or required by law.
  • TimeChimp shall be responsible for installing and/or changing the level of security if this is deemed necessary under the Applicable Legislation or if requested by the Client. Any additional costs shall be borne by the Client, unless otherwise agreed.

8. Data breach notification

  • If TimeChimp detects a Data Breach, it shall notify the Data Controller immediately and at the latest within 48 hours after its detection. That notification shall describe or communicate at least the following:
  • The nature of the personal data breach, where possible specifying the categories of the Data Subjects and the Personal Data concerned;
  • The likely consequences of the Data Breach in relation to Personal Data; the measures taken by TimeChimp to address the Data Breach, including, where appropriate, the measures to mitigate any adverse consequences thereof.
  • TimeChimp shall also inform the Data Controller after a notification based on the previous article about the developments regarding the identified Data Breach.
  • The Data Controller shall assess whether it is necessary to inform the Supervisory Authority and/or the data subjects about the breach.
  • The Parties shall share the costs incurred in connection with a report to the supervisory authority and/or Data Subject.

9. Requests from data subjects or public authorities

  • TimeChimp shall assist the Data Controller to the extent possible with requests from Data Subjects. In the event that a data subject makes such a request to TimeChimp, TimeChimp shall forward the request to the Data Controller, and the Data Controller shall further process the request, unless explicitly agreed otherwise.
  • TimeChimp shall assist the Controller to the extent possible in responding to requests from government authorities.
  • Costs incurred by TimeChimp for the implementation of Articles 9.1 and 9.2 shall be reimbursed by the Controller, unless otherwise agreed.

10. Information requirement and audit

  • TimeChimp shall make available any information necessary to demonstrate that the obligations under this Agreement have been and are being fulfilled.
  • The Data Controller shall have the option of carrying out an audit or data protection impact assessment at its own expense at most once a year. TimeChimp shall extend all necessary cooperation to the Data Controller’s audits.

11. Intellectual property rights

  • All intellectual property rights to Personal Data and to the databases containing this Personal Data belong to the Data Controller. These intellectual property rights include copyright and sui generis.  TimeChimp only enjoys a limited right of use to the extent necessary to carry out the agreed Processing.

12. Duration and end of the agreement

  • The Processor Agreement shall enter into force at the time the Parties conclude the Main Agreement and shall be entered into for the duration of the Main Agreement.
  • The Parties cannot terminate the Processor Agreement prematurely.
  • The Processor Agreement shall end after and insofar as TimeChimp has deleted all Personal Data in accordance with Article 12.4. TimeChimp shall delete backups and copies, unless otherwise required by law.
  • Upon termination of the Main Agreement, all Personal Data processed shall remain available for three (3) months. The Data Controller is responsible for the timely export of Personal Data.

13. General provisions

  • This Processor Agreement is part of the Main Agreement. The rights and obligations arising from the Main Agreement and TimeChimp’s General Terms and Conditions therefore also apply to the Processor Agreement.
  • In the event of any discrepancies between the provisions in the Processor Agreement and the Main Agreement, the provisions of this Processor Agreement shall apply insofar as the provisions specifically relate to the Processing of Personal Data.
  • In accordance with TimeChimp’s General Terms and Conditions, Dutch law shall also apply to the Processing Agreement and disputes shall be brought before the competent court in Amsterdam; or, at the discretion of TimeChimp, before the competent court of the Data Controller’s place of residence.