Data Processing Agreement


This version is . It is the latest version.

Table of Contents

1. Object
2. Roles
3. Details of processing
4. Relevant Data
5. Data subjects
6. Sub-processors
7. Security
8. Supplier's assistance
9. Return and deletion of data
10. Demonstration of compliance
Addendum A: International Data Transfers
Addendum B: US Data Protection Laws

1. Object

1.1 This DPA is between the Supplier and the Organization Owner and forms part of the Agreement referenced in subsections 2.1(c) and 2.3(c) of the Terms.

1.2 The purpose of this DPA is to supplement the Terms with respect to the processing of Relevant Data and the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded, or replaced, in case the data is transferred between EU and third countries. The DPA does not concern any other data or the processing thereof. The Supplier's obligations under this DPA must be viewed accordingly, i.e., as only relating to the processing of Relevant Data and not applying in any other context.

1.3 For the purposes of this DPA, any reference to “Owner” shall be understood as referring to the “Organization Owner” as defined in the Supplier’s Terms of Service.

2. Roles

2.1 The purposes of processing Relevant Data are determined by the Organization Owner or by the Owner jointly with other members of the Organization (or jointly with certain of such members or a particular member). As between the Parties, these purposes are determined by the Owner.

2.2 Consequently, and in line with the role allocation specified under section 13.2 of the Terms, the Parties acknowledge and agree that with regard to the processing of Relevant Data: (a) the Organization Owner is the 'controller' and the Supplier is the 'processor'; (b) the Supplier will, pursuant to article 6 below, authorise third parties identified in the Sub-processor List to perform certain processing operations under its responsibility (such parties being 'processors', too); (c) the Supplier and Sub-processors process these data on the Organization Owner's behalf and on his instructions.

2.3 As part of his obligations under section 11.5 of the Terms, the Owner shall be responsible for the accuracy, quality and legality of Relevant Data, the means by which the same are acquired and the instructions he provides as to the processing thereof.

3. Details of processing

3.1 The Supplier will process Relevant Data only as necessary to carry out the Owner's instructions or as required by law to which the Supplier or the processing is subject (which includes any judicial, arbitral, administrative or otherwise mandatory order or judgment made, recognised or enforceable under that law).

3.2 The Organization Owner hereby instructs the Supplier to process Relevant Data: (a) as necessary in connection with the Service, which, particularly but without limitation, includes any processing that is (i) requested or initiated by Users in their use of the relevant Organization or Features in connection with that Organization, or (ii) otherwise required for the Supplier's performance of its obligations or rights under the Terms in relation to the Organization, Workspaces, or its respective users; and (b) for as long as the purposes described in subsection (a) warrant such processing.

3.3 For the avoidance of doubt, section 3.2: (a) sets out the Owner's current instructions as to the processing of Relevant Data; (b) does not prevent the Owner from giving further instructions (which shall be reasonable, lawful and documented) or the Supplier from processing Relevant Data as may be necessary in light of such further instructions; (c) does not restrict the Supplier from processing Relevant Data for as long as legally required (e.g., to comply with the GDPR or legal acts concerning taxation, accounting, financial reporting or counter-terrorism or -money laundering) and, if so required (but only to the extent required), exceeding the duration of processing warranted by the Owner's instructions. The Owner thus acknowledges and agrees that each operation that the Supplier performs on Relevant Data will continue until the Supplier is no longer legally obliged to perform the same.

3.4 The operations that the Supplier performs on Relevant Data will include storage and such other operations as appropriate in light of this article 3 (e.g., retrieval, transmission, erasure, restriction and disclosure pursuant to the Owner's instructions or as required by law). Certain of these operations have been described in the Privacy Policy.

3.5 If the Supplier considers that an instruction from the Owner infringes applicable data protection laws, it shall promptly notify the Owner (unless prohibited by law) and suspend the relevant processing until the instruction is confirmed, modified, or withdrawn.

4. Relevant Data

4.1 Personal Data whose processing is permitted

The types of Personal Data that a User (including the Owner) is allowed to process as part of Organization Data are limited to those which the User is legally permitted to process. The Owner undertakes that Organization Data will not include, and neither he nor any other User who accesses the Organization (including any such Guest User) will use the Service for the processing of, Personal Data whose processing is legally prohibited.

4.2 Personal Data whose processing is restricted

The Owner acknowledges that the processing of certain types of Personal Data is restricted or limited under the GDPR and that non-compliance with the relevant restrictions or limitations may result in substantial penalties, including fines, being imposed on, or other punitive, remedial or compensatory measures being taken against, the Owner, the Supplier and the User involved in the processing (if different from the Owner).

4.3 Consequently, the Owner undertakes that, absent the Supplier's prior explicit and written consent, Organization Data will not include, and neither he nor any other User who accesses the Organization (including any such Guest User) will use the Service for the processing of, Personal Data that fall within either of the following categories: (a) 'special categories of personal data' (also known as 'sensitive information') as described for the time being in Article 9 of the GDPR, including particularly but without limitation genetic data, biometric data and data concerning health; (b) 'personal data relating to criminal convictions and offences or related security measures' as described for the time being in Article 10 of the GDPR.

5. Data subjects

5.1 The Owner will determine who the Data Subjects are, or he may determine this jointly with other members of the Organization (or jointly with certain members or a particular member thereof). As between the Parties, the Owner shall be deemed to have determined the same.

5.2 The categories of Data Subjects include but may not be limited to: (a) Users having access to the Organization, including such Guest Users; (b) Users who interact with the Features applied via the Organization; (c) employees, contractors, consultants, associates and agents of (i) the Owner, (ii) the Subscriber of, or payer for, the Service Plan pertaining to the Organization, or (iii) the Users mentioned in the preceding subsections; and (d) parties with whom the Owner or the above Subscriber, payer or User does business or has other relations.

6. Sub-processors

6.1 The Owner agrees that persons and entities on the Sub-processor List may be retained as Sub-processors (and authorises the Supplier to engage them), provided that each Sub-processor, insofar as relevant considering the processing operations it performs, assumes or is made subject to data protection obligations substantially similar to those set forth in this DPA (but in any event no less protective of Relevant Data than the DPA). These obligations may be either contractual or apply by operation of law. In the former case, the respective contract shall be in writing (which includes electronic form) or shall at least be made in a manner that identifies the parties and allows repeated reproduction of its terms.

6.2 The Owner instructs that if sub-processing of Relevant Data is to be carried out by an international organisation or in a country not participating in the European Economic Area (EEA) and not being the Swiss Confederation, then the sub-processing be performed: (a) by an organisation or in a jurisdiction (respectively) that ensures an adequate level of protection for the Relevant Data concerned, i.e., that the transfer of these data from the EEA be based on an 'adequacy decision' as per the GDPR; or, absent an adequacy decision (b) subject to such safeguards and other conditions as required under the GDPR; save if and to the extent that the requirement for an adequacy decision or safeguards has been legally derogated from. The transfer of Relevant Data from the EEA in compliance with the above instruction to a party identified in the Sub-processor List requires no further instruction by the Owner.

6.3 At least 10 days before authorising a third party not mentioned in the Sub-processor List to act as a Sub-processor the Supplier shall update the Sub-processor List made available online accordingly, i.e., at least 10 days before the engagement takes effect. Supplier undertakes to keep this list updated regularly to enable its Users to stay informed of the scope of sub-processing associated with the Services.

6.4 The Owner may reasonably object to the new sub-processor engagement by providing the Supplier notice to that effect (setting out his grounds for the objection) within 10 days of having been informed as per section 6.3. In case the Owner does so object, the Supplier will endeavour to provide him a commercially reasonable alternative not involving the processing the Owner objected to. Such an alternative may, e.g., consist in a modification to the Service or a change of Service Plan. If the Supplier is unable to provide the Owner with an alternative acceptable to him or (in its sole discretion) concludes that no alternative is feasible and respectively informs the Owner, and the objection is not withdrawn, then the relevant Organization shall be closed.

6.5 If the Owner does not object to the new sub-processor engagement in accordance with section 6.4, he shall be deemed to have authorised the engagement.

6.6 The Supplier shall be liable to the Owner for the acts and omissions of Sub-processors to the same extent that the Supplier would itself be liable under the Agreement were it to commit those acts or omissions.

7. Security

7.1 The Supplier will maintain adequate technical and organisational measures to ensure such level of security in its processing of Relevant Data as appropriate in the given circumstances. Certain of these measures have been described in the Security Policy.

7.2 The purpose of the above measures is to address in an appropriate manner: (a) the protection of Relevant Data against unauthorised or unlawful processing and against accidental loss, alteration or destruction; (b) the integrity and confidentiality of Relevant Data; (c) the availability and resilience of the Features pertinent to the processing of Relevant Data (to the extent such Features are authorised under the Service Plan the Owner enjoys); (d) the ability to restore the availability and access to Relevant Data in a timely manner after a Service failure; (e) the effectiveness of the means employed by the Supplier for ensuring the required level of security in its processing of Relevant Data.

7.3 The Supplier further undertakes to: (a) ensure that the persons it authorises to process Relevant Data commit themselves to confidentiality (or will be under an appropriate statutory obligation of confidentiality) with respect to these data; and (b) notify the Owner without undue delay upon learning of any Personal Data breach that involves Relevant Data and may need to be communicated to the competent supervisory authority or the Data Subject(s) concerned.

8. Supplier's assistance

Data Subject's requests

8.1 The Owner acknowledges that it is his duty, not the Supplier's, to accept, respond to, and resolve Data Subjects' requests for exercising their rights and freedoms as data subjects in connection with Relevant Data ('data subject rights'), and facilitate the exercise of these rights and freedoms. If any such request is addressed directly to the Supplier, it will, to the extent legally permitted, redirect the request to the Owner without undue delay.

8.2 Upon the Organization Owner's request, and considering the nature of the Supplier's processing operations hereunder, the Supplier will, insofar as possible, take appropriate technical and organisational measures to reasonably assist the Owner in complying with his obligation to respond to Data Subjects' requests for exercising the following of their data subject rights under the GDPR: the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and the right not to be subject to automated individual decision-making.

8.3 Other compliance

Considering the nature of the Supplier's processing operations and the information available to it, the Supplier will, on the Owner's request, reasonably assist the Owner in complying with the following of his controller obligations regarding the processing of Relevant Data (as arising under the GDPR), provided, and to the extent, these obligations apply to the Owner and the information he requires is not otherwise available to him: (a) using the Service in a manner compatible with the Owner's obligation to ensure an appropriate level of security in his processing of Relevant Data; (b) notifying breaches of Relevant Data to the appropriate supervisory authority and the Data Subjects concerned and documenting these breaches; (c) conducting a data protection impact assessment concerning the processing of Relevant Data by means of the Service, and, where necessary, carrying out a review to assess whether processing is performed in accordance with the impact assessment; and (d) consulting with the relevant supervisory authority on matters related to the above data protection impact assessment or its subject.

8.4 Costs of assistance

To the extent legally permitted, the Owner shall incur all costs and expenses that may arise in connection with the assistance described in this article 8, including any fees associated with the provision of additional Features.

9. Return and deletion of data

9.1 After the completion of services relating to the processing of Organization Data (i.e., upon permanent cessation of all Service in relation to the Organization), the Supplier will: (a) at the Owner's choice, either delete or return to him all Relevant Data then stored by the Supplier; and (b) delete copies of these Relevant Data, save if and to the extent the law requires that the data concerned be retained; provided that: (α) if the Owner elects to have the data returned, his respective request is made reasonably prior to the Organization being closed (see section 12.3 of the Terms); and (β) if Relevant Data reasonably cannot be deleted, returned or retained separately from other Organization Data (as is likely to be the case with at least some Relevant Data), the Supplier will, as applicable, delete or return, and, if required, retain, the entire body of Organization Data then stored by the Supplier, with no obligation to organise, structure or otherwise process the same to separate Relevant Data therefrom or distinguish between Relevant Data and other Organization Data.

10. Demonstration of compliance

10.1 The Supplier shall maintain records sufficient to demonstrate its compliance with the DPA, and will retain these records as long as legally required.

10.2 Upon the Organization Owner's request and subject to such confidentiality and non-use commitments as the Supplier reasonably may suggest, the Supplier shall, no more than once a year: (a) make available to the Owner such of the above records as necessary, and any other information that reasonably may be required, to demonstrate the Supplier's compliance with its obligations under the DPA; and (b) if the provision of records and other information as per the preceding subsection is not sufficient for demonstrating the Supplier's compliance, allow the Owner (or his independent third-party auditor), upon reasonable notice and at a mutually agreeable time, to conduct an audit or inspection of the Supplier's practices in processing Relevant Data.

10.3 Any audit or inspection under subsection 10.2(b) shall be limited to what is necessary for verifying the Supplier's compliance with its obligations under this DPA, is to be conducted in a manner not unreasonably disruptive to the Supplier's and Sub-processors' business, and shall be at the Owner's expense (including as to reasonable costs and expenses of the Supplier and Sub-processors, which the Owner undertakes to reimburse).

Addendum A: International Data Transfers

This Addendum A applies only where the Supplier is Toggl OÜ and the Organization Owner is established outside the European Economic Area.

  1. Where the European Commission has adopted an adequacy decision for the Organization Owner’s jurisdiction, transfers of Relevant Data to the Organization Owner are made on the basis of that adequacy decision.
  2. In the absence of an adequacy decision, the Parties incorporate by reference the EU Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, Module 4 (Processor to Controller) (the “SCCs”), which shall apply to transfers of Relevant Data from the Supplier (as data exporter) to the Organization Owner (as data importer). The SCCs will take precedence over the DPA to the extent of any conflict.
  3. For the SCCs: Clause 7 (Docking clause): does not apply; Clause 11 (Redress): optional language does not apply; Clause 17 (Governing law): laws of Estonia; Clause 18 (Forum and jurisdiction): courts of Estonia.
  4. For the purposes of Module 4 of the SCCs, the Parties agree that Annex I is deemed completed as follows: the data exporter is Toggl OÜ, acting as Processor; the data importer is the Organization Owner, acting as Controller, with its name and contact details as provided in the Organization Owner’s Service account/billing profile. The activities relevant to the transfer, the categories of data subjects, the types of Personal Data, the frequency, the nature and purpose of the processing, and the retention are those described in sections 3–5 and 9 of the DPA and the Documentation.

Addendum B: US Data Protection Laws

Sections 1–9 of this Addendum B apply additionally, to the extent the Supplier processes CCPA Covered Data.

“CCPA Covered Data” shall mean Relevant Data that is subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, “CCPA”).

  1. Where the Supplier processes CCPA Covered Data, the Organization Owner is a “business” and the Supplier is a “service provider”, as defined under the CCPA.
  2. Unless explicitly stated otherwise, in sections 1–10 of the DPA the term “controller” shall be read to include “business”, the term “processor” shall be read to include “service provider”, the term “Data Subject” shall be read to include “consumer” and the terms “Relevant Data” and “Personal Data” shall be read to include “personal information”, each as defined under the CCPA.
  3. As a service provider, the Supplier will process CCPA Covered Data only for the business purposes set forth in the Terms of Service and in the DPA.
  4. As a service provider, the Supplier undertakes not to: (i) sell or share CCPA Covered Data; (ii) retain, use or disclose CCPA Covered Data for any purpose other than making the use of Services possible or as otherwise may be permitted for service providers under the CCPA; (iii) retain, use or disclose CCPA Covered Data outside of the direct business relationship between the User and the Supplier; (iv) combine CCPA Covered Data that the Supplier receives from the User, or on their behalf, with personal information that the Supplier receives from, or on behalf of, another person or persons, or collects from its own interactions with consumers, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency.
  5. Supplier will: (i) comply with obligations applicable to the Supplier as a service provider under the CCPA; (ii) provide CCPA Covered Data with the same level of privacy protection as is required by the CCPA, provided, however, that the Organization Owner is responsible for ensuring that they have complied, and will continue to comply, with the requirements of the CCPA in their use of the Services and their own processing of CCPA Covered Data; (iii) notify the Organization Owner without undue delay if the Supplier makes a determination that it can no longer meet its obligations as a service provider under the CCPA; (iv) provide the Organization Owner with reasonable additional and timely assistance in complying with their obligations with respect to consumer requests under the CCPA in line with the procedure described in section 8 of the DPA; (v) observe the conditions for the engagement of Sub-processors including by ensuring that the Supplier enters into a written agreement that complies with the CCPA, regarding, without limitation, the contractual requirements for service providers and contractors, with each such Sub-processor that the Supplier engages to process CCPA Covered Data.
  6. The Organization Owner has the right to take reasonable and appropriate steps: (i) to help ensure that the Supplier uses CCPA Covered Data in a manner consistent with the Supplier’s obligations under the CCPA; (ii) to stop and remediate unauthorized use of CCPA Covered Data. To exercise these rights, the Organization Owner shall contact the Supplier under privacy[at]toggl.com.
  7. The Organization Owner has the right to monitor the Supplier’s compliance with the DPA and the CCPA by using any of the means and methods described in section 10 of the DPA.
  8. The Supplier certifies that it understands and will comply with its obligations as a service provider under the CCPA.
  9. The Supplier acknowledges and confirms that it does not receive Relevant Data as consideration for any Services provided to the Customer.

Sections 10–12 of this Addendum B apply additionally, to the extent the Supplier processes US State Privacy Laws Covered Data.

“US State Privacy Laws Covered Data” shall mean Relevant Data that is subject to: (i) the Virginia Consumer Data Protection Act; (ii) the Colorado Privacy Act; (iii) the Connecticut Data Privacy Act; (iv) the Utah Consumer Privacy Act; (v) the Oregon Consumer Privacy Act; (vi) the Texas Data Privacy And Security Act; (vii) the Montana Consumer Data Protection Act; (viii) any other applicable US state law relating to the protection of personal data, based on which the Organization Owner is a controller of personal data and the Supplier is a processor of personal data, provided that the terms and conditions of this Addendum B meet the requirements set forth in such other state laws (collectively, “US State Privacy Laws”).

  10. Unless explicitly stated otherwise, in sections 1–10 of the DPA the term “controller” shall be read to include “business”, the term “processor” shall be read to include “service provider”, the term “Data Subject” shall be read to include “consumer” and the terms “Relevant Data” and “Personal Data” shall be read to include “personal data”, each as defined under the US State Privacy Laws.
  11. Supplier will: (i) adhere to the Organization Owner’s instructions regarding the processing of US State Privacy Laws Covered Data; (ii) provide the Organization Owner with necessary information to enable them to conduct and document data protection assessments as may be required pursuant to the US State Privacy Laws in line with the procedure described in section 8 of the DPA; (iii) make available to the Organization Owner, upon their reasonable request, all information in Supplier’s possession necessary to demonstrate its compliance with its obligations as a processor under the US State Privacy Laws in line with the procedure described in section 10 of the DPA; (iv) undertake that each person processing US State Privacy Laws Covered Data is subject to a duty of confidentiality with respect to such data; (v) delete all US State Privacy Laws Covered Data in line with section 9 of the DPA, unless retention of US State Privacy Laws Covered Data is required by law; (vi) arrange for a qualified and independent assessor to conduct an assessment of its policies and technical and organizational measures implemented in support of its obligations under this Addendum B, cooperate with the assessor in their assessment, as well as provide a report of such assessment to the controller upon request in line with section 10 of the DPA; (vii) observe the conditions for the engagement of Sub-processors including, without limitation, by ensuring that the Supplier enters into a written agreement that complies with the US State Privacy Laws with each such Sub-processor that the Supplier engages to process US State Privacy Laws Covered Data and that the Supplier gives the controller the opportunity to object against the involvement of a new Sub-processor in line with section 6.4 of the DPA.
  12. Taking into account the nature of processing and the information available to the Supplier, by appropriate technical and organizational measures, insofar as this is reasonably practicable, the Supplier shall: (i) help the Organization Owner fulfill their obligation to respond to consumer rights requests made pursuant to the US State Privacy Laws in line with the procedure described in section 8.2 of the DPA; (ii) assist the Organization Owner in meeting its obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security regarding the Services, including in particular by providing relevant notices in line with section 7.3 of the DPA.
