This Data Processing Agreement (“DPA”) is effective this <date> and forms part of the Application Service Agreement signed between <Company name> (“Licensee”) and actiTIME Inc. (“actiTIME”) for the purchase of online application services (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data of Licensee and applies where, and to the extent that, actiTIME processes Personal Data on behalf of Licensee when providing the Service under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
“actiTIME” means the actiTIME entity which is a party to this DPA.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with actiTIME.
“Agreement” means the Application Service Agreement or other written or electronic agreement in the form of online terms and conditions contained on Order Forms entered into between Licensee and actiTIME for the provision of the Service to Licensee.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Controller Affiliate” means any of Licensee's Affiliate(s) (a) that are subject to applicable Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) permitted to use the Services pursuant to the Agreement between Licensee and actiTIME, but have not signed their own Agreement and are not a “Licensee” as defined under the Agreement.
“Data Protection Laws” means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Information Security Policy” means actiTIME’s Information Security Policy, as updated from time to time, and available on request by email.
“Personal Data” means any information that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws and is submitted as Licensee Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Sub-processor” means any entity engaged by actiTIME to Process Personal Data in connection with the Services.
Scope of This DPA
- This DPA applies where and only to the extent that actiTIME processes Licensee data on behalf of Licensee in the course of providing the Service to the Licensee pursuant to the Agreement.
Roles and Processing of Personal Data
- Role of the Parties: The parties agree that with regard to the Processing of Personal Data, Licensee is the Data Controller and actiTIME is a Data Processor acting on behalf of Licensee. actiTIME may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
- Licensee Processing of Personal Data: Licensee agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Licensee Data and any processing instructions it issues to actiTIME; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for actiTIME to process Licensee Data and provide the Services pursuant to the Agreement and this DPA. Licensee shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Licensee acquired Personal Data.
- actiTIME Processing of Personal Data: As a Data Processor, actiTIME will process Licensee’s Personal Data on behalf of and in accordance with Licensee’s documented lawful instruction (the “Instruction”) and shall treat Personal Data as confidential information.
- Licensee’s Instruction: The Instruction at the time of entering into this DPA is that actiTIME may only perform Processing of Personal Data for the following purposes: (i) Delivering the Services as described in the Agreement; and (ii) Complying with other reasonable instructions provided by Licensee (e.g., via a support ticket) where such instructions are consistent with the terms of the Agreement.
- Conflict with Applicable Law: actiTIME shall give notice without undue delay if actiTIME considers the then-current Instruction to be in conflict with the Applicable Law.
- Third Party Platform: Licensee may utilize optional features or functionality, in Licensee’s sole discretion, provided by third party service providers ("Third Party Platform") in the course of using the Service. Licensee acknowledges that Third Party Platform will be Data Processor in respect of any Personal Data provided to the Third Party Platform by the Licensee. For clarity, such Third Party Platform is not a Sub-processor of actiTIME and not subject to the provisions of this DPA. In the case of Third Party Platform, once the Personal Data has left actiTIME systems and is under the processing responsibility of such Third Party Platform, actiTIME has no further responsibility for such Personal Data under this DPA.
- Details of Data Processing: The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Details of the Processing) to this DPA.
- Prohibited Data: Licensee shall not disclose (and shall not permit any data subject to disclose) any Sensitive Personal Data to actiTIME, for processing purposes that are not expressly disclosed in Exhibit A. Where Sensitive Personal Data is nevertheless submitted within Licensee Data, Licensee acknowledges that in such cases it shall be in breach of the Agreement (including this DPA) and accepts full responsibility for any subsequent liability arising from unauthorized or unlawful processing of the Sensitive Personal Data.
Rights of Data Subjects
- Licensee Data Controls: The Services provide Licensee with a number of controls that Licensee may use to retrieve, correct, delete or restrict Licensee Data, which Licensee may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent Licensee, in its use or receipt of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws, actiTIME shall comply with any commercially reasonable request by Licensee to facilitate such actions to the extent actiTIME is legally permitted to do so.
- Data Subject Request: actiTIME shall, to the extent legally permitted, promptly notify Licensee if it receives a request from a Data Subject for access to, correction, amendment, deletion (“the right to be forgotten”), or objection to the Processing of that person’s Personal Data. actiTIME shall not respond to any such Data Subject request without Licensee’s prior written consent except to confirm that the request relates to Licensee. actiTIME shall provide Licensee with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Licensee does not have access to such Personal Data through its use or receipt of the Services.
- Law Enforcement Requests: If a law enforcement agency sends actiTIME a demand for Licensee Data (for example, through a subpoena or court order), actiTIME shall attempt to redirect the law enforcement agency to request that data directly from Licensee. As part of this effort, actiTIME may provide Licensee’s basic contact information to the law enforcement agency. If compelled to disclose Licensee Data to a law enforcement agency, then actiTIME shall give Licensee reasonable notice of the demand to allow Licensee to seek a protective order or other appropriate remedy unless actiTIME is legally prohibited from doing so.
- Appointment of Sub-processors: Licensee acknowledges and agrees that (a) actiTIME’s Affiliates may be retained as Sub-processors; and (b) actiTIME and actiTIME’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services actiTIME has retained them to provide, and they are prohibited from using Personal Data for any other purpose. A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is provided in the Exhibit B of this DPA.
- Notification of New Sub-processors and Objection Right: actiTIME will provide Licensee with at least 30 days' notice if it intends to make any changes to its Sub-processors. Licensee may object in writing to actiTIME’s appointment of a new, or replacement of an old, Sub-processor within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Licensee may suspend or terminate the Agreement (without prejudice to any fees incurred by Licensee prior to suspension or termination).
- Liability: actiTIME shall be liable for the acts and omissions of its Sub-processors to the same extent actiTIME would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
- Security Measures: actiTIME has implemented and will maintain appropriate organizational and technical security measures to protect Licensee Data from Security Incidents and to preserve the security and confidentiality of the Licensee Data (“Security Measures”), as set forth in actiTIME’s Information Security Policy. actiTIME shall provide documentation for actiTIME’s Security Measures if requested by the Licensee in writing.
- Updates to Security Measures: Licensee acknowledges that the Security Measures are subject to technical progress and development and that actiTIME may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Licensee.
- Personnel: actiTIME shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that person’s engagement with actiTIME.
- Access Restriction to Authorized Personnel: actiTIME shall ensure that actiTIME’s access to Personal Data is limited to those personnel who require such access to perform its obligations under the Agreement.
- Licensee Responsibilities: Notwithstanding the above, Licensee agrees that:
- Licensee is responsible for reviewing the information made available by actiTIME relating to data security and making an independent determination as to whether the Services meet Licensee’s requirements and legal obligations under Data Protection Laws.
- Except as provided by this DPA, Licensee is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Licensee Data when in transit to and from the Service and taking any appropriate steps to securely encrypt or backup any Licensee Data uploaded to the Service.
Licensee Data Incident Management and Notification
- Incident Notification: If actiTIME becomes aware of any unlawful access to any Licensee Personal Data stored on actiTIME’s equipment or in actiTIME’s facilities, or unauthorized access to such equipment or facilities that can lead to loss, disclosure, or alteration of Licensee Personal Data (“Security Breach”), actiTIME will promptly: (a) notify Licensee of the Security Breach; (b) investigate the Security Breach and provide Licensee with information about the Security Breach; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
- Delivery of Notification: Notification(s) of Security Breaches, if any, will be delivered to one or more of Licensee’s business, technical or administrative contacts by any means actiTIME selects, including via email. It is Licensee’s sole responsibility to ensure it maintains accurate contact information on actiTIME’s support systems at all times.
- Limitation of Liability: Licensee agrees that:
- An unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Licensee Personal Data or to any of actiTIME’s equipment or facilities storing Licensee Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and
- actiTIME’s notification of or response to a Security Breach under this Section is not and will not be construed as an acknowledgement by actiTIME of any fault or liability with respect to the Security Breach.
- actiTIME’s obligations herein shall not apply to incidents that are caused by Licensee, Licensee’s Authorized Users and/or any Non-actiTIME Products.
Return and Deletion of Licensee Data
- Upon termination of the Services for which actiTIME is processing Personal Data, actiTIME shall, upon Licensee’s request, return Licensee Data to Licensee and/or delete Licensee Data in accordance with actiTIME’s procedures and Data Protection Laws and/or consistent with the terms of the Agreement, unless applicable law prevents it from returning or destroying all or part of Licensee Data. actiTIME agrees to preserve confidentiality of any retained Licensee Data and will only actively process such Licensee Data after such date in order to comply with the laws it is subject to.
- Contractual Relationship: The parties acknowledge and agree that, by executing the Agreement, the Licensee enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, hereby establishing a separate DPA between actiTIME and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 8. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Licensee.
- Communication: The Licensee that is the contracting party to the Agreement shall remain responsible for coordinating all communication with actiTIME under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
European Specific Provisions
- With effect from 25 May 2018, actiTIME will Process Personal Data in accordance with the GDPR requirements directly applicable to actiTIME's provision of its Services.
- Upon Licensee’s request, actiTIME shall provide Licensee with reasonable cooperation and assistance needed to fulfill the Licensee’s obligation under the GDPR to carry out a data protection impact assessment related to Licensee’s use of the Service, to the extent Licensee does not otherwise have access to the relevant information, and to the extent such information is available to actiTIME. actiTIME shall provide reasonable assistance to Licensee in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR.
- The undertaking of the contractually agreed processing of personal data shall be carried out in accordance with the Agreement within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA) or outside the EU/EEA, provided that actiTIME, any of its Affiliates and Sub-Processors shall ensure compliance with EU Data Protection Regulations by appropriate measures.
- The parties agree that this DPA shall replace and supersede any existing DPA the parties may have previously entered into in connection with the Service.
- Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect, including, but not limited to, the mutual indemnities provided by the parties. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
- For the avoidance of doubt, any claim or remedies the Licensee may have against actiTIME, any of its Affiliates and their respective employees, agents and sub-processors arising under or in connection with this DPA, including: (i) for breach of this DPA; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Licensee; and (iii) under EU Data Protection Law, including any claims relating to damages paid to a data subject, will be subject to any limitation of liability provisions (including any agreed aggregate financial cap) that apply under the Agreement. Licensee further agrees that any regulatory penalties incurred by actiTIME in relation to the Licensee Data that arise as a result of, or in connection with, Licensee’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce actiTIME’s liability under the Agreement as if it were liability of the Licensee under the Agreement.
- No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
- This DPA will terminate simultaneously and automatically with the termination or expiry of the Agreement.
In witness whereof, this <date>
On behalf of <Company name>, terms of this DPA were accepted by <Name> (<Email>).
Description of Processing Activities
The subject matter of the data processing under this DPA is the Licensee Data.
Purpose of Processing
The purpose of the data processing under this DPA is the provision of the Service to the Licensee.
Duration of Processing
Subject to Section 11 of the DPA, actiTIME will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Licensee may submit Personal Data to the Services, the extent of which is determined and controlled by Licensee in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Employees, agents, consultants, contractors of Licensee
- Licensee’s Users authorized by Licensee to use the Services
- Third parties with which Licensee conducts business
Types of Personal Data
Licensee may submit Personal Data to actiTIME through the Services, the extent of which is determined and controlled by Licensee in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Identification and contact data (first and last name, business address, email address, contact details)
- Employment data (employer, job title, position, geographic location, working schedule)
- Absence information (absence type, absence duration, absence balance)
- Online information (IP address)
actiTIME uses certain Sub-Processors to assist it in providing its services. Currently, actiTIME production systems for the Services are located in co-location facilities in the United States and the European Union. Licensee accounts are established in one of these regions based on where the Licensee is located. Other Sub-Processors may be engaged in processing Licensee Data for non-storage purposes.
The following table describes the countries and legal entities engaged in the processing of Licensee Data by actiTIME:
Cloud Infrastructure Services
Cloud Infrastructure Services
Data Storage Services