1.1 This DPA is between the Supplier and the Customer and forms part of the Agreement referenced in subsection 2.1(a) of the Terms, specifically the Agreement between the Supplier and the Customer acting as the Workspace Owner.
1.2 The purpose of the DPA is to supplement the Terms as respects the processing of Personal Data forming part of Customer Data (“Relevant Data”). The DPA does not concern any other data or the processing thereof. The Supplier's obligations under this DPA must be viewed accordingly, i.e., as only relating to the processing of Relevant Data and not applying in any other context.
2.1 The purposes of processing Relevant Data are determined by the Customer or by the User jointly with other Users of the Customer (or jointly with certain of such members or a particular member). As between the Parties, these purposes are determined by the Customer.
2.2 Consequently, and in line with the role allocation specified under section 14.2 of the Terms, the Parties acknowledge and agree that with regard to the processing of Relevant Data: (a) the Customer is the 'controller' and the Supplier is the 'processor'; (b) the Supplier will, pursuant to article 6 below, authorise third parties identified in the Processors & Affiliates List to perform certain processing operations under its responsibility (such parties being 'processors', too); (c) the Supplier and Sub-processors process these data on the Customer’s behalf and on his instructions.
2.3 As part of his obligations under section 6.3 of the Terms, the Customer and User shall be responsible for the accuracy, quality and legality of Relevant Data, the means by which the same are acquired, and the instructions he provides as to the processing thereof.
3.1 The Supplier will process Relevant Data only as necessary to carry out the Customer’s instructions or as required by law to which the Supplier or the processing is subject (which includes any judicial, arbitral, administrative or otherwise mandatory order or judgment made, recognised or enforceable under that law).
3.2 The Customer hereby instructs the Supplier to process Relevant Data: (a) as necessary in connection with the Service, which, particularly but without limitation, includes any processing that is (i) requested or initiated by Users in their use of the relevant Features in connection with that Workspace, or (ii) otherwise required for the Supplier's performance of its obligations in relation to the Workspace or its users; and (b) for as long as the purposes described in subsection (a) warrant such processing.
3.3 For the avoidance of doubt, section 3.2: (a) sets out the Customer’s current instructions as to the processing of Relevant Data; (b) does not prevent the Customer from giving further instructions (which shall be reasonable, lawful and documented) or the Supplier from processing Relevant Data as may be necessary in light of such further instructions; (c) does not restrict the Supplier from processing Relevant Data for as long as legally required (e.g., to comply with the GDPR or legal acts concerning taxation, accounting, financial reporting or counter-terrorism or money laundering) and, if so required (but only to the extent required), exceeding the duration of processing warranted by the Customer’s instructions. The Customer thus acknowledges and agrees that each operation that the Supplier performs on Relevant Data will continue until the Supplier is no longer legally obliged to perform the same.
4.1 Personal Data whose processing is permitted
The types of Personal Data that a User (including the Customer) is allowed to process as part of Workspace are limited to those which the User is legally permitted to process. The Customer undertakes that Relevant Data will not include, and neither he nor any other User who accesses the Workspace will use the Service for the processing of, Personal Data whose processing is legally prohibited.
4.2 Personal Data whose processing is restricted
The Customer acknowledges that the processing of certain types of Personal Data is restricted or limited under the GDPR and that non-compliance with the relevant restrictions or limitations may result in substantial penalties, including fines, being imposed on, or other punitive, remedial or compensatory measures being taken against, the Customer, the Supplier and the User involved in the processing (if different from the Customer).
4.3 Consequently, the Customer undertakes that, absent the Supplier's prior explicit consent, Relevant Data will not include, and neither he nor any other User who accesses the Workspace will use the Service for the processing of, Personal Data that fall within either of the following categories: (a) 'special categories of personal data' (also known as 'sensitive information') as described for the time being in Article 9 of the GDPR, including particularly but without limitation genetic data, biometric data and data concerning health; (b) 'personal data relating to criminal convictions and offences or related security measures' as described for the time being in Article 10 of the GDPR.
5.1 The Customer will determine who the Data Subjects are, or he may determine this jointly with other Users in the Workspace (or jointly with certain members or a particular member thereof). As between the Parties, the Customer shall be deemed to have determined the same.
5.2 The categories of Data Subjects include but may not be limited to: (a) Participants; (b) Users having access to the Workspace; (c) Users who interact with the Features applied via the Workspace; (d) employees, contractors, consultants, associates and agents of (i) the Customer, as well as (e) parties with whom the Customer or the User does business or has other relations.
6.1 The Customer agrees that persons and entities on the Processors & Affiliates List may be retained as Sub-processors (and authorises the Supplier to engage them), provided that each Sub-processor, insofar as relevant considering the processing operations it performs, assumes or is made subject to data protection obligations substantially similar to those set forth in this DPA (but in any event no less protective of Relevant Data than the DPA). These obligations may be either contractual or apply by operation of law. In the former case, the respective contract shall be in writing (which includes electronic form) or shall at least be made in a manner that identifies the parties and allows repeated reproduction of its terms.
6.2 The Customer instructs that if sub-processing of Relevant Data is to be carried out by an international organisation or in a country not participating in the European Economic Area (EEA) and not being the Swiss Confederation, then the sub-processing be performed: (a) by an organisation or in a jurisdiction (respectively) that ensures an adequate level of protection for the Relevant Data concerned, i.e., that the transfer of these data from the EEA be based on an 'adequacy decision' as per the GDPR; or, absent an adequacy decision (b) subject to such safeguards and other conditions as required under the GDPR; save if and to the extent that the requirement for an adequacy decision or safeguards has been legally derogated from. The transfer of Relevant Data from the EEA in compliance with the above instruction to a party identified in the Processors & Affiliates List requires no further instruction by the Customer.
6.3 At least 10 days before authorising a third party not mentioned in the Processors & Affiliates List to act as a Sub-processor, the Supplier shall update the Processors & Affiliates List made available online accordingly, i.e., at least 10 days before the engagement takes effect. The Supplier undertakes to keep this list updated regularly to enable its Customers and Users to stay informed of the scope of sub-processing associated with the Services.
6.4 The Customer may reasonably object to the new sub-processor engagement by providing the Supplier notice to that effect (setting out his grounds for the objection) within 10 days of having been informed as per section 6.3. In case the Customer does so object, the Supplier will endeavour to provide him a commercially reasonable alternative not involving the processing the Customer objected to. Such an alternative may, e.g., consist in a modification to the Service or a change of Service Plan. If the Supplier is unable to provide the Customer with an alternative acceptable to him or (in its sole discretion) concludes that no alternative is feasible and respectively informs the Customer, and the objection is not withdrawn, then the relevant Workspace shall be closed.
6.5 If the Customer does not object to the new sub-processor engagement in accordance with section 6.4, he shall be deemed to have authorised the engagement.
6.6 The Supplier shall be liable to the Customer for the acts and omissions of Sub-processors to the same extent that the Supplier would itself be liable under the Agreement were it to commit those acts or omissions.
7.1 The Supplier will maintain adequate technical and organisational measures to ensure such level of security in its processing of Relevant Data as appropriate in the given circumstances. Certain of these measures have been described in the Security Policy.
7.2 The purpose of the above measures is to address in an appropriate manner: (a) the protection of Relevant Data against unauthorised or unlawful processing and against accidental loss, alteration or destruction; (b) the integrity and confidentiality of Relevant Data; (c) the availability and resilience of the Features pertinent to the processing of Relevant Data (to the extent such Features are authorised under the Service Plan the Customer enjoys); (d) the ability to restore the availability of, and access to, Relevant Data in a timely manner after a Service failure; (e) the effectiveness of the means employed by the Supplier for ensuring the required level of security in its processing of Relevant Data.
7.3 The Supplier further undertakes to: (a) ensure that the persons it authorises to process Relevant Data commit themselves to confidentiality (or will be under an appropriate statutory obligation of confidentiality) with respect to these data; and (b) notify the Customer without undue delay upon learning of any Personal Data breach that involves Relevant Data and may need to be communicated to the competent supervisory authority or the Data Subject(s) concerned.
Data Subjects' requests
8.1 The Customer acknowledges that it is his duty, not the Supplier's, to accept, respond to, and resolve Data Subjects' requests for exercising their rights and freedoms as data subjects in connection with Relevant Data ('data subject rights'), and facilitate the exercise of these rights and freedoms. If any such request is addressed directly to the Supplier, it will, to the extent legally permitted, redirect the request to the Customer without undue delay.
8.2 Upon the Customer’s request, and considering the nature of the Supplier's processing operations hereunder, the Supplier will, insofar as possible, take appropriate technical and organisational measures to reasonably assist the Customer in complying with his obligation to respond to Data Subjects' requests for exercising the following of their data subject rights under the GDPR: the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and the right not to be subject to automated individual decision-making.
8.3 Other compliance
Considering the nature of the Supplier's processing operations and the information available to it, the Supplier will, on the Customer’s request, reasonably assist the Customer in complying with the following of his controller obligations regarding the processing of Relevant Data (as arising under the GDPR), provided, and to the extent, these obligations apply to the Customer and the information he requires is not otherwise available to him: (a) using the Service in a manner compatible with the Customer’s obligation to ensure an appropriate level of security in his processing of Relevant Data; (b) notifying breaches of Relevant Data to the appropriate supervisory authority and the Data Subjects concerned and documenting these breaches; (c) conducting a data protection impact assessment concerning the processing of Relevant Data by means of the Service, and, where necessary, carrying out a review to assess whether processing is performed in accordance with the impact assessment; and (d) consulting with the relevant supervisory authority on matters related to the above data protection impact assessment or its subject.
8.4 Costs of assistance
To the extent legally permitted, the Customer shall incur all costs and expenses that may arise in connection with the assistance described in this article 8, including any fees associated with the provision of additional Features.
9.1 After the completion of services relating to the processing of Relevant Data (i.e., upon permanent cessation of all Service in relation to the Workspace), the Supplier will: (a) at the Customer’s choice, either delete or return to him all Relevant Data then stored by the Supplier; and (b) delete copies of these Relevant Data, save if and to the extent the law requires that the data concerned be retained; provided that: (α) if the Customer elects to have the data returned, his respective request is made reasonably prior to the Workspace being closed (see section 8.8 of the Terms); and (β) if Relevant Data reasonably cannot be deleted, returned or retained separately from other data in the Workspace (as is likely to be the case with at least some Relevant Data), the Supplier will, as applicable, delete or return, and, if required, retain, the entire body of Workspace data then stored by the Supplier, with no obligation to organise, structure or otherwise process the same to separate Relevant Data therefrom or distinguish between Relevant Data and other Workspace data.
10.1 The Supplier shall maintain records sufficient to demonstrate its compliance with the DPA, and will retain these records as long as legally required.
10.2 Upon the Customer’s request and subject to such confidentiality and non-use commitments as the Supplier reasonably may suggest, the Supplier shall, no more than once a year: (a) make available to the Customer such of the above records as necessary, and any other information that reasonably may be required, to demonstrate the Supplier's compliance with its obligations under the DPA; and (b) if the provision of records and other information as per the preceding subsection is not sufficient for demonstrating the Supplier's compliance, allow the Customer (or his independent third-party auditor), upon reasonable notice and at a mutually agreeable time, to conduct an audit or inspection of the Supplier's practices in processing Relevant Data.
10.3 Any audit or inspection under subsection 10.2(b) shall be limited to what is necessary for verifying the Supplier's compliance with its obligations under this DPA, is to be conducted in a manner not unreasonably disruptive to the Supplier's and Sub-processors' business, and shall be at the Customer’s expense (including as to reasonable costs and expenses of the Supplier and Sub-processors, which the Customer undertakes to reimburse).
Last updated: July 1st 2023