This Data Processor Agreement (“DPA”) is entered into by and between BitaBIZ ApS, a company registered in Denmark under CVR-Number 34084076, with its registered office at Emil Holms Kanal 14, 2300 Copenhagen, Denmark (“BitaBIZ”) and Customer, according to the Terms and Conditions (“Main Agreement”) for BitaBIZ Services or other written or electronic agreement between the parties (as applicable).

The DPA shall be given effect on the acceptance of Main Agreement.

This DPA forms part of the Main Agreement and sets out the terms that apply when BitaBIZ processes Personal Data as a processor pursuant to the Main Agreement. In this DPA, the Customer shall be a data controller and BitaBIZ ApS shall be a data processor.

When Customer renews or purchases a new subscription to BitaBIZ Services, the then-current DPA Terms will apply and will not change during Customer’s subscription.

The DPA Terms provide terms for BitaBIZ Services that are currently available. Earlier versions of the DPA Terms are available at the BitaBIZ website.

1. Purpose

1.1. The purpose of the DPA is to ensure that the processing of Personal Data is conducted in accordance with the Applicable Data Protection Legislation and with due respect for the rights and freedoms of individuals whose Personal Data are processed.

2. Definitions

“Adequate Country” means a country or territory recognized by the European Commission based on Article 45 of the GDPR as providing adequate protection for Personal Data.

“Applicable Data Protection Legislation” means all laws and regulations of the European Union (EU), the European Economic Area (EEA), their member states, and the United Kingdom, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the GDPR and the UK Data Protection Act.

“BitaBIZ Services” means BitaBIZ HR, scheduling, time- and absence-management system (“Ser-vice”), including the associated BitaBIZ mobile apps, Outlook app and Win10 app, and other inter-actions (e.g. customer service inquiries, user conferences, etc.) the Customer may have with BitaBIZ.

“Customer” means a business undertaking, private or public organization, or an individual who is subscribed to BitaBIZ Services.

“Customer Data” means any information that the Customer communicates with BitaBIZ related to the subscription to BitaBIZ Services.

“Data Protection Requirements” means the GDPR, Local EU/EEA Data Protection Laws, the UK Data Protection Act, and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.

“DPA Terms” means the terms in the DPA.

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data);

“Main Agreement” means the Terms and Conditions for BitaBIZ HR Services.

“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” or “Breach” means a breach of security leading to the accidental or un-lawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“Staff” means BitaBIZ management, all full time or part-time employees, contractors, project consultants, freelancers, or any person acting under the authority of BitaBIZ.

“Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission.

“Sub-processor” means other processors used by BitaBIZ to process Personal Data, as described in Article 28 of the GDPR.

Lower case terms used but not defined in this DPA, such as “processing”, “controller”, “processor” and “data subject” will have the same meaning as set forth in Article 4 of the GDPR.

3. Duration

3.1.The DPA shall enter into force on the same day as the Main Agreement and shall expire at the latest three months after the subscription has expired.

3.2.This DPA can’t be terminated separately unless replaced by a new Data Processor Agreement.

4. Instructions

4.1.BitaBIZ shall solely process Personal Data on behalf of the Customer, which the Customer itself has created in the BitaBIZ HR, scheduling, time- and absence-management system in conjunction with the Customer’s administration of agreements with employees.

4.2.BitaBIZ may solely process personal data to the extent necessary to fulfill the subscription and according to the data controller’s written instructions and provisions of this DPA.

4.3.The Customer is responsible for ensuring that the processing of Personal Data, which BitaBIZ is instructed to perform, has a legal basis.

4.4.BitaBIZ has a duty to follow the instructions given by the Customer. If BitaBIZ believes an instruction is in violation of any Applicable Data Protection Legislation, BitaBIZ will promptly inform the Customer.

4.5.The Customer is responsible for ensuring that Personal Data processing takes place in compliance with the Applicable Data Protection Legislation.

4.6.The Customer has the right and obligation to make decisions about the purposes and means of processing.

5. Confidentiality

5.1.BitaBIZ is subject to a duty of confidentiality and shall observe professional secrecy in regard to the processing of Personal Data pursuant to Applicable Data Protection Legislation.

5.2.BitaBIZ shall ensure that only its employees who are required to process Customer’s Personal Data as part of their job are authorized to access and process Personal Data. On the basis of a periodical review, such access to Personal Data can be withdrawn if access is no longer necessary, and Personal Data shall consequently not be accessible anymore to those persons.

6. Security of processing

6.1.BitaBIZ shall implement appropriate technical and organizational measures to ensure a level of security appropriate for the risk of accidental or unlawful destruction, loss, alteration, un-authorized disclosure of or access to the Personal Data transmitted, stored or otherwise processed.

6.2.Pursuant to Article 32 GDPR, BitaBIZ will also evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the Customer shall provide BitaBIZ with all information necessary to identify and evaluate such risks.

6.3.BitaBIZ shall assist the Customer in ensuring compliance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the Customer with information concerning the technical and organizational measures already implemented by BitaBIZ pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.

6.4.At the Customer’s request, BitaBIZ shall give the Customer sufficient information for the Customer to be able to ensure that the specified technical and organizational security measures are taken, including information concerning where the data controller’s data is stored.

7. Use of Sub-processors

7.1.The Customer understands that the effective operation of BitaBIZ Services may require the transfer of Personal Data to BitaBIZ Sub-processors. Thereby, the Customer grants a general authorization to BitaBIZ to appoint third parties as Sub-processors to support BitaBIZ Ser-vices’ performance.

7.2.The Customer acknowledges that Sub-processors may engage third-party processors to process Customer Data on BitaBIZ’s behalf.

7.3. BitaBIZ will maintain a list of Sub-processors available at https://www.bitabiz.dk/en/secu-rity/sub-processor-policy/. BitaBIZ may, by giving Customer reasonable notice, make changes to the Sub-processors’ list. BitaBIZ shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processor(s), thereby allowing the Customer to object to such changes prior to the concerned Sub-processor(s) engagement. In order to receive such notification, the Customer needs to join the distribution list by sending an email to [email protected]

7.4. In case the Customer objects to the appointment or replacement of Sub-processor(s) on reasonable grounds relating to the protection of the Personal Data, it shall promptly notify BitaBIZ of such objections in writing, and the parties will seek to resolve the matter in good faith.

7.5.BitaBIZ shall impose on such Sub-processors data protection obligations that protect the Personal Data to the same or substantially similar standard provided by this DPA and at a mini-mum compliant with the EU Data Protection Legislation requirements

.

8. International transfers

8.1.The Customer authorizes the transfer of Personal Data to locations outside the EEA, subject to continued compliance with the GDPR and provisions of this Section throughout the duration of this DPA.

8.2.All transfers of Personal Data out of the EU/EEA or an Adequate Country, necessary to pro-vide the BitaBIZ Services, shall be governed by the Standard Contractual Clauses. 8.3.For the avoidance of doubt, BitaBIZ does not rely on the EU-U.S. Privacy Shield as a legal basis for transfers of Personal Data. Nonetheless, if Sub-processor processes data in the USA, the Sub-processor must adhere to the security obligations per EU-U.S. Privacy Shield Frame-work, which the US Department of Commerce will continue to administrate.

9. Assistance to the Data Controller

9.1. BitaBIZ will assist the Customer, insofar as this possible, in the fulfillment of the data controller’s obligations to respond to requests for exercising the data subjects’ rights laid down in Chapter III GDPR.

9.2.In the fulfillment of the obligation to assist the Customer, set forth in Article 9.1. of this Section, BitaBIZ shall provide the Customer with tools to export all data and information that has been entered to and/or created in the BitaBIZ HR, scheduling, time- and absence-management system to Excel or similar database processing software.

9.3.BitaBIZ shall provide the Customer with access to tools to respond to Data Subjects’ requests to rectify (Article 16 GDPR) and delete personal information (Article 17 GDPR). The Customer shall be provided with access to an account admin role, which enables the Customer to manage all account settings and BitaBIZ modules.

10. Notification of Personal Data Breach

10.1. In case of any Personal Data Breach, BitaBIZ shall notify the Customer without undue delay after becoming aware of the Breach.

10.2. Considering the nature of the processing as well as the information available to BitaBIZ, following a Personal Data Breach, BitaBIZ shall assist the Customer in ensuring compliance with the data controller’s legal obligations in connection with the notification of Personal Data Breaches to supervisory authorities and to data subjects, as further instructed by the Customer.

10.3. Further, following a Personal Data Breach considering the nature of processing and to the extent the information is available to BitaBIZ, BitaBIZ must immediately provide the Customer with appropriate and adequate information to enable the Customer to comply with any statutory obligations in data protection laws or in any applicable laws. Consequently, BitaBIZ must, upon request from the Customer, provide the following information:

(i) A description of the nature of the Breach, including, if possible, the categories and the ap-proximate number of affected data subjects and the categories and the approximate number of affected registrations of Personal Data.

(ii) Name and contact information of the data protection officer or another contact point from which further information may be obtained.

(iii) A description of the likely as well as actual consequences of the Breach (including updates if new information relating to the Breach arises).

(iv) A description of the measures that BitaBIZ has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.

10.4. If and to the extent that it is not possible to provide all the information mentioned under this Section, the information can be provided gradually on the condition that it does not cause any unnecessary delay.

11. Erasure and Return of Personal Data

11.1. On termination of the Main Agreement, all Personal Data created in the BitaBIZ HR, scheduling, time- and absence-management system processed by BitaBIZ on behalf of the Customer must be deleted, unless the applicable law requires the storage of such data.

11.2. For the avoidance of doubt and with reference to the Customer’s access to and control over the Personal Data entered or created in the BitaBIZ HR, scheduling, time- and absence-management system, the Customer is responsible for the extraction and deletion of such data.

12. Audit and Inspection

12.1. BitaBIZ shall make available to the Customer to demonstrate compliance with this DPA and the obligations under Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer, following a security incident suffered by BitaBIZ, or upon the instruction of a data protection authority acting pursuant to Applicable Data Protection Legislation.

12.2. Customer must give BitaBIZ reasonable prior notice of such intention to audit, conduct its audit during regular business hours, and take all reasonable measures to prevent unnecessary disruption to BitaBIZ operations.

13. Infringement of the Data Processor Agreement

13.1. The infringement of the Data Processor Agreement will be a material breach of the Main Agreement.

13.2. If BitaBIZ is unable to ensure correct processing of Customer Data in accordance with the DPA, the Customer must inform BitaBIZ thereof without undue delay. Without undue delay, BitaBIZ must report to the Customer if any security incident occurs, which is of significance to IT security and describes this in further detail.

14. Limitation of Liability

14.1. The total aggregate liability to the Customer, of whatsoever nature, whether in contract, tort or otherwise, of BitaBIZ for any losses whatsoever and howsoever caused arising from or in any way connected with this DPA shall be subject to the limitation of liability set forth in the Main Agreement.

14.2. BitaBIZ shall never be liable to the Customer for indirect losses, including but not limited to losses arising from consequential damage, loss of earnings, loss of goodwill, loss of data, loss of profits, loss of business, third party losses or other indirect losses incurred by the Customer or by a third party.

15. Severability

15.1. In the event that any one or more of the provisions contained herein, or the application thereof in any circumstance, is held invalid, illegal or unenforceable, the validity, legality and enforceability of any such provision in every other respect and of the remaining provisions con-tained herein shall not be affected or impaired thereby.

16. Policies

16.1. Data Collect Policy, Cookie Policy, Information Security Policy, and Sub-processor Policy form an integral part of this DPA.

DATA REGISTERED, TYPE OF PERSONAL INFORMATION AND PROCESSING ACTIVITIES

The data registered and processed by BitaBIZ is in accordance with Data Collect Policy and Cookie Policy. Such data may include Personal Data from any of the following categories:

  • Account registration and contact information data, such as: first and last name, company name, department, e-mail address, telephone number, billing information.
  • Authentication data, such as username and password.
  • Basic personal data and contact information, such as first name, last name, email address, gender, date of birth, address, postal code, city of residence, country of residence, mobile phone number).
  • HR and recruitment data such as hiring/ termination date, other recruitment information, job and position data, including worked hours, absence, sick days, salary, work permit details, availability, terms of employment, tax details, payment details, collective agreement, bank account number, passport and ID card number, driver’s license number, vehicle registration data, emergency contact details.
  • Unique identification numbers and signatures (for example, IP addresses, a unique identifier in tracking cookies or similar technology).
  • Commercial information (for example, subscription information, payment history).

Processing operations:

BitaBIZ time registration HR platform is built for the purpose of giving employers an overview of their employees by making time registration easy and convenient for the employees.

The data processing instructions regarding purpose and subject matter are, therefore, to process data in order to provide, deliver and improve the BitaBIZ Services and perform essential business operations related to BitaBIZ HR Services (which may include the detection, prevention, and resolution of security and technical issues). These include operating the BitaBIZ Services, maintaining and improving the performance of the BitaBIZ Services, including developing new features and providing customer support for customers using and leveraging our platform and services.

The Personal Data processed will be subject to the following basic processing activities:

a. Objective of data processing. The objective of data processing is the performance of BitaBIZ Services.

b. Scope and purpose of data processing. The scope and purpose of processing of Personal Data is registration of time, leave and absence (including sick days), and reporting of time, leave, and absence data to various systems.

c. Personal Data Access, Deletion or Return. BitaBIZ will provide Customer with the ability to correct and delete Personal Data registered in the BitaBIZ platform (see Section 9 of the DPA). Upon expiration or termination of the Main Agreement, the Customer is entitled to extract and delete the Personal Data subject to data processing.

SECURITY

BitaBIZ has implemented appropriate technical and organizational measures in accordance with the BitaBIZ Information Security Policy and will continue to maintain and update these.

Technical and organizational security measures. The technical and organizational security measures set forth in the Information Security Policy are hereby incorporated into this Annex 2 by this reference and are binding on BitaBIZ as if they were set forth in this Annex 2 in their entirety.

Security of processing will, among other things, be subject to the following measures:

  • Log-in and password procedures
  • Set up and maintain firewalls and antivirus software
  • Store data so that they are not available to third parties
  • Ensure that buildings and systems used in connection with the data processing are secure and that only high-quality hardware and software are used, which are updated continuously
  • Follow and maintain an incident response plan
  • Ensure build in settings and permission management
  • Ensure that only employees with work-related purposes have access to the personal data covered by the DPA.

Personnel. BitaBIZ requires its Staff to observe an unconditional duty of secrecy in regard to the processing of Personal Data.

BitaBIZ’ Staff will not process Customer Data and Personal Data without authorization. BitaBIZ’s Staff is obligated to maintain the confidentiality of Customer Data and Personal Data and this obligation continue even after their engagement ends. BitaBIZ shall ensure that personnel engaged in the processing (i) will process such data only on instructions from Customer or as described in this DPA, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. BitaBIZ shall provide periodic and mandatory data privacy and security training and awareness to its employees with access to Personal Data in accordance with applicable Data Protection Requirements and industry standards.

Vendors and Service Providers (“Sub-contractors”): In accordance with this DPA, BitaBIZ may appoint Sub-contractors. Sub-contractors will be permitted to obtain Personal Data only to deliver the services BitaBIZ has retained them to provide, and they are prohibited from using Personal Data for any other purpose.