Data Processor Agreement
This Data Processor Agreement (“DPA”) is entered into by and between BitaBIZ ApS, a company registered in Denmark under CVR-Number 34084076, with its registered office at Emil Holms Kanal 14, 2300 Copenhagen, Denmark (“BitaBIZ”) and Customer, according to the Terms and Conditions (“Main Agreement”) for BitaBIZ Services or other written or electronic agreement between the parties (as applicable).
The DPA shall be given effect on the acceptance of Main Agreement.
This DPA forms part of the Main Agreement and sets out the terms that apply when BitaBIZ processes Personal Data as a processor pursuant to the Main Agreement. In this DPA, the Customer shall be a data controller and BitaBIZ ApS shall be a data processor.
When Customer renews or purchases a new subscription to BitaBIZ Services, the then-current DPA Terms will apply and will not change during Customer’s subscription.
The DPA Terms provide terms for BitaBIZ Services that are currently available. Earlier versions of the DPA Terms are available at the BitaBIZ website.
1. Purpose
1.1. The purpose of the DPA is to ensure that the processing of Personal Data is conducted in accordance with the Applicable Data Protection Legislation and with due respect for the rights and freedoms of individuals whose Personal Data are processed.
2. Definitions
“Adequate Country” means a country or territory recognized by the European Commission based on Article 45 of the GDPR as providing adequate protection for Personal Data.
“Applicable Data Protection Legislation” means all laws and regulations of the European Union (EU), the European Economic Area (EEA), their member states, and the United Kingdom, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the GDPR and the UK Data Protection Act.
“BitaBIZ Services” means BitaBIZ HR, scheduling, time- and absence-management system (“Service”), including the associated BitaBIZ mobile apps, Outlook app and Win10 app, and other interactions (e.g. customer service inquiries, user conferences, etc.) the Customer may have with BitaBIZ.
“Customer” means a business undertaking, private or public organization, or an individual who is subscribed to BitaBIZ Services.
“Customer Data” means any information that the Customer communicates with BitaBIZ related to the subscription to BitaBIZ Services.
“Data Protection Requirements” means the GDPR, Local EU/EEA Data Protection Laws, the UK Data Protection Act, and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“DPA Terms” means the terms in the DPA.
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
“Main Agreement” means the Terms and Conditions for BitaBIZ HR Services.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” or “Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Staff” means BitaBIZ management, all full time or part-time employees, contractors, project consultants, freelancers, or any person acting under the authority of BitaBIZ.
“Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission.
“Sub-processor” means other processors used by BitaBIZ to process Personal Data, as described in Article 28 of the GDPR.
Lower case terms used but not defined in this DPA, such as “processing”, “controller”, “processor” and “data subject” will have the same meaning as set forth in Article 4 of the GDPR.
3. Duration
3.1. The DPA shall enter into force on the same day as the Main Agreement and shall expire at the latest three months after the subscription has expired.
3.2. This DPA can’t be terminated separately unless replaced by a new Data Processor Agreement.
4. Instructions
4.1. BitaBIZ shall solely process Personal Data on behalf of the Customer, which the Customer itself has created in the BitaBIZ HR, scheduling, time- and absence-management system in conjunction with the Customer’s administration of agreements with employees.
4.2. BitaBIZ may solely process personal data to the extent necessary to fulfill the subscription and according to the data controller’s written instructions and provisions of this DPA.
4.3. The Customer is responsible for ensuring that the processing of Personal Data, which BitaBIZ is instructed to perform, has a legal basis.
4.4. BitaBIZ has a duty to follow the instructions given by the Customer. If BitaBIZ believes an instruction is in violation of any Applicable Data Protection Legislation, BitaBIZ will promptly inform the Customer.
4.5. The Customer is responsible for ensuring that Personal Data processing takes place in compliance with the Applicable Data Protection Legislation.
4.6. The Customer has the right and obligation to make decisions about the purposes and means of processing.
5. Confidentiality
5.1. BitaBIZ is subject to a duty of confidentiality and shall observe professional secrecy in regard to the processing of Personal Data pursuant to Applicable Data Protection Legislation.
5.2. BitaBIZ shall ensure that only its employees who are required to process Customer’s Personal Data as part of their job are authorized to access and process Personal Data. On the basis of a periodical review, such access to Personal Data can be withdrawn if access is no longer necessary, and Personal Data shall consequently not be accessible anymore to those persons.
6. Security of processing
6.1. BitaBIZ shall implement appropriate technical and organizational measures to ensure a level of security appropriate for the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the Personal Data transmitted, stored or otherwise processed.
6.2. Pursuant to Article 32 GDPR, BitaBIZ will also evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the Customer shall provide BitaBIZ with all information necessary to identify and evaluate such risks.
6.3. BitaBIZ shall assist the Customer in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the Customer with information concerning the technical and organizational measures already implemented by BitaBIZ pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.
6.4. At the Customer’s request, BitaBIZ shall give the Customer sufficient information for the Customer to be able to ensure that the specified technical and organizational security measures are taken, including information concerning where the data controller’s data is stored.
7. Use of Sub-processors
7.1. The Customer understands that the effective operation of BitaBIZ Services may require the transfer of Personal Data to BitaBIZ Sub-processors. Thereby, the Customer grants a general authorization to BitaBIZ to appoint third parties as Sub-processors to support BitaBIZ Services’ performance.
7.2. The Customer acknowledges that Sub-processors may engage third-party processors to process Customer Data on BitaBIZ’s behalf.
7.3. BitaBIZ will maintain a list of Sub-processors available at https://www.bitabiz.dk/en/security/sub-processor-policy/. BitaBIZ may, by giving Customer reasonable notice, make changes to the Sub-processors’ list. BitaBIZ shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processor(s), thereby allowing the Customer to object to such changes prior to the concerned Sub-processor(s) engagement. In order to receive such notification, the Customer needs to join the distribution list by sending an email to [email protected]
7.4. In case the Customer objects to the appointment or replacement of Sub-processor(s) on reasonable grounds relating to the protection of the Personal Data, it shall promptly notify BitaBIZ of such objections in writing, and the parties will seek to resolve the matter in good faith.
7.5. BitaBIZ shall impose on such Sub-processors data protection obligations that protect the Personal Data to the same or substantially similar standard provided by this DPA and at a minimum compliant with the EU Data Protection Legislation requirements.
8. International transfers
8.1. The Customer authorizes the transfer of Personal Data to locations outside the EEA, subject to continued compliance with the GDPR and provisions of this Section throughout the duration of this DPA.
8.2. All transfers of Personal Data out of the EU/EEA or an Adequate Country, necessary to provide the BitaBIZ Services, shall be governed by the Standard Contractual Clauses.
8.3. For the avoidance of doubt, BitaBIZ does not rely on the EU-U.S. Privacy Shield as a legal basis for transfers of Personal Data. Nonetheless, if a Sub-processor processes data in the USA, the Sub-processor must adhere to the security obligations per the EU-U.S. Privacy Shield Framework, which the US Department of Commerce will continue to administrate.
9. Assistance to the Data Controller
9.1. BitaBIZ will assist the Customer, insofar as this is possible, in the fulfillment of the data controller’s obligations to respond to requests for exercising the data subjects’ rights laid down in Chapter III GDPR.
9.2. In the fulfillment of the obligation to assist the Customer, set forth in Article 9.1. of this Section, BitaBIZ shall provide the Customer with tools to export all data and information that has been entered into and/or created in the BitaBIZ HR, scheduling, time- and absence-management system to Excel or similar database processing software.
9.3. BitaBIZ shall provide the Customer with access to tools to respond to Data Subjects’ requests to rectify (Article 16 GDPR) and delete personal information (Article 17 GDPR). The Customer shall be provided with access to an account admin role, which enables the Customer to manage all account settings and BitaBIZ modules.
10. Notification of Personal Data Breach
10.1. In case of any Personal Data Breach, BitaBIZ shall notify the Customer without undue delay after becoming aware of the Breach.
10.2. Considering the nature of the processing as well as the information available to BitaBIZ, following a Personal Data Breach, BitaBIZ shall assist the Customer in ensuring compliance with the data controller’s legal obligations in connection with the notification of Personal Data Breaches to supervisory authorities and to data subjects, as further instructed by the Customer.
10.3. Further, following a Personal Data Breach considering the nature of processing and to the extent the information is available to BitaBIZ, BitaBIZ must immediately provide the Customer with appropriate and adequate information to enable the Customer to comply with any statutory obligations in data protection laws or in any applicable laws. Consequently, BitaBIZ must, upon request from the Customer, provide the following information:
(i) A description of the nature of the Breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected registrations of Personal Data.
(ii) Name and contact information of the data protection officer or another contact point from which further information may be obtained.
(iii) A description of the likely as well as actual consequences of the Breach (including updates if new information relating to the Breach arises).
(iv) A description of the measures that BitaBIZ has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
10.4. If and to the extent that it is not possible to provide all the information mentioned under this Section, the information can be provided gradually on the condition that it does not cause any unnecessary delay.
11. Erasure and Return of Personal Data
11.1. On termination of the Main Agreement, all Personal Data created in the BitaBIZ HR, scheduling, time- and absence-management system processed by BitaBIZ on behalf of the Customer must be deleted, unless the applicable law requires the storage of such data.
11.2. For the avoidance of doubt and with reference to the Customer’s access to and control over the Personal Data entered or created in the BitaBIZ HR, scheduling, time- and absence-management system, the Customer is responsible for the extraction and deletion of such data.
12. Audit and Inspection
12.1. BitaBIZ shall make available to the Customer the information necessary to demonstrate compliance with this DPA and the obligations under Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer, following a security incident suffered by BitaBIZ, or upon the instruction of a data protection authority acting pursuant to Applicable Data Protection Legislation.
12.2. Customer must give BitaBIZ reasonable prior notice of such intention to audit, conduct its audit during regular business hours, and take all reasonable measures to prevent unnecessary disruption to BitaBIZ operations.
13. Infringement of the Data Processor Agreement
13.1. The infringement of the Data Processor Agreement will be a material breach of the Main Agreement.
13.2. If BitaBIZ is unable to ensure correct processing of Customer Data in accordance with the DPA, the Customer must inform BitaBIZ thereof without undue delay. Without undue delay, BitaBIZ must report to the Customer if any security incident occurs which is of significance to IT security, and describe this in further detail.
14. Limitation of Liability
14.1. The total aggregate liability to the Customer, of whatsoever nature, whether in contract, tort or otherwise, of BitaBIZ for any losses whatsoever and howsoever caused arising from or in any way connected with this DPA shall be subject to the limitation of liability set forth in the Main Agreement.
14.2. BitaBIZ shall never be liable to the Customer for indirect losses, including but not limited to losses arising from consequential damage, loss of earnings, loss of goodwill, loss of data, loss of profits, loss of business, third party losses or other indirect losses incurred by the Customer or by a third party.
15. Severability
15.1. In the event that any one or more of the provisions contained herein, or the application thereof in any circumstance, is held invalid, illegal or unenforceable, the validity, legality and enforceability of any such provision in every other respect and of the remaining provisions contained herein shall not be affected or impaired thereby.
16. Policies
16.1. Data Collect Policy, Cookie Policy, Information Security Policy, and Sub-processor Policy form an integral part of this DPA.