Data processor agreement
1. Basis for agreement
Applicable data protection legislation (such as “The General Data Protection Regulation, Regulation (EU) 2016/679”) requires a written contract between a data controller and a data processor processing personal data on behalf of the data controller.
This Data Processor Agreement concerns the Data Processor’s processing of personal data on behalf of the Data Controller in connection with the Data Controller’s subscription to the Data Processor’s HR, scheduling, time- and absence-management system.
The parties enter into this Data Processing Agreement.
Data processor: BitaBIZ APS, Company registration no: DK34084076
Data controller: The customer
The Data Processor Agreement will enter into force on the same day as the subscription. The Data Processor Agreement will expire at the latest three months after the subscription has expired.
3. Definition of personal data
Personal data is any form of information concerning an identified or identifiable physical person. Data of the Data Controller is all data that is classified as internal data, value details and personal data of both a general and confidential/sensitive nature.
The Data Processor will solely act in accordance with the Data Controller’s instructions.
The Data Processor will solely process personal data on behalf of the Data Controller which the Data Controller itself has created in the Data Processor’s HR, time and absence registration system in conjunction with the Data Controller’s administration of agreements with employees.
Personal data may solely be processed by the Data Processor to the extent necessary to fulfil the subscription, and in accordance with the Data Controller’s instructions and provisions.
The Data Processor has a duty to follow the instructions given by the Data Controller. The instructions are documented in writing. If the Data Processor believes an instruction is in violation of any applicable data protection legislation, the Data Processor will inform the Data Controller.
The Data Processor requires its personnel to observe an unconditional duty of secrecy concerning the information that is disclosed in conjunction with the work for the Data Controller.
5. Data storage
The Data Processor must take the required technical and organizational security measures to prevent information from being accidentally or unlawfully destroyed, lost or diminished, and from being disclosed to unauthorized persons, misused or otherwise processed in conflict with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
At the Data Controller’s request, the Data Processor must give the Data Controller sufficient information for the latter to be able to ensure that the specified technical and organizational security measures are taken. This includes information concerning where the Data Controller’s data is stored.
The Data Processor’s sub-processors must comply with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
The Data Processor has implemented IT compliance and security measures that support a correct securing, storage and processing of personal data.
6. Data Portability and Data Management
A) At any time, the Customer will be entitled to export all data and information that has been entered into and/or created in the system to Excel or similar database processing software. Tools to perform such data extracts must be available to the Customer at any time.
B) The Customer has access to tools to respond to employee requests to delete personal information, if this information is no longer relevant.
C) The Customer has access to an account admin role. The admin role can manage all account settings and BitaBIZ modules.
7. Infringement of the Data Processor Agreement
Infringement of the Data Processor Agreement will be considered to be a material breach of the subscription agreement.
If the Data Processor is unable to ensure correct processing of the Data Controller’s data in accordance with the Data Processor Agreement, the Data Processor must inform the Data Controller thereof without undue delay. Without undue delay, the Data Processor must thus report to the Data Controller if any security incident occurs which is of significance to IT security and describe this in further detail.
On the expiry of the Data Processor Agreement, data that is registered in the Data Processor’s HR, time and absence registration system must be issued electronically to the Data Controller as agreed. In this regard, the Data Processor will be obliged to erase data, so that it is not possible to restore this data in the Data Processor’s IT systems.
On the written instructions of the Data Controller, the Data Processor must erase data or information of any type that has been disclosed to the Data Processor pursuant to the subscription. If the Data Controller so requests, the Data Processor will be obliged to store a back-up copy of such data and information for up to three months after the expiry of the subscription.
These policies form an integral part of the Data Processing Agreement.
9.1 DATA REGISTERED, TYPE OF PERSONAL INFORMATION AND PROCESSING ACTIVITIES
The data processor’s processing of data relates to categories of data that are listed in the policy to the agreement: Data collect policy.
TYPE OF PERSONAL INFORMATION
The data processor’s processing of data relates to the type of ordinary personal data specified in the policy to the agreement: Data collect policy.
The personal data will, among other things, be subject to the following basic processing:
– Registration of time, leave & absence (including sick days).
– Reporting of time, leave and absence data to various systems.
9.2 SECURITY MEASURES, BREACH OF SECURITY AND DATA PORTABILITY
The data processor’s security measures are specified in the policy to the agreement: Security Policy.
The data processor’s processing will, among other things, be subject to the following measures as specified in the Security policy:
– Introduce log-in and password procedures as well as set up and maintain firewalls and antivirus software.
– Ensure that only employees with work-related purposes have access to the personal data covered by the Data Processing Agreement.
– Store data so that they are not available to third parties.
– Ensure that buildings and systems used in connection with the data processing are secure, and that only high-quality hardware and software are used, which are updated continuously.
– Follow and maintain an incident response plan.
– Ensure built-in settings and permission management.
9.3 LIST OF SUB-PROCESSORS AND LOCATION FOR PERSONAL INFORMATION PROCESSING
The Data Processor is entitled to use the Sub-Data Processors specified in the policy to the agreement: Sub-processor policy.
LOCATION OF PROCESSING OF PERSONAL INFORMATION
The data processing takes place at the locations specified in the policy to the agreement: Sub-processor policy.
BitaBIZ Data Processor Agreement accompanies BitaBIZ terms & conditions (System2 25.05.2018).