1.1 This DPA is between the Supplier and the Organization Owner and forms part of the Agreement referenced in subsections 2.1(c) and 2.3(c) of the Terms.
1.2 The purpose of the DPA is to supplement the Terms as respects the processing of Relevant Data and EU Standard Contractual Data Processing Clauses (SCC) in case the data is transferred between EU and third countries. The DPA does not concern any other data or the processing thereof. The Supplier's obligations under this DPA must be viewed accordingly, i.e., as only relating to the processing of Relevant Data and not applying in any other context.
2.1 The purposes of processing Relevant Data are determined by the Organization Owner or by the Owner jointly with other members of the Organization (or jointly with certain of such members or a particular member). As between the Parties, these purposes are determined by the Owner.
2.2 Consequently, and in line with the role allocation specified under section 13.2 of the Terms, the Parties acknowledge and agree that with regard to the processing of Relevant Data: (a) the Organization Owner is the 'controller' and the Supplier is the 'processor'; (b) the Supplier will, pursuant to article 6 below, authorise third parties identified in the Sub-processor List to perform certain processing operations under its responsibility (such parties being 'processors', too); (c) the Supplier and Sub-processors process these data on the Organization Owner's behalf and on his instructions.
2.3 As part of his obligations under section 11.5 of the Terms, the Owner shall be responsible for the accuracy, quality and legality of Relevant Data, the means by which the same are acquired and the instructions he provides as to the processing thereof.
3.1 The Supplier will process Relevant Data only as necessary to carry out the Owner's instructions or as required by law to which the Supplier or the processing is subject (which includes any judicial, arbitral, administrative or otherwise mandatory order or judgment made, recognised or enforceable under that law).
3.2 The Organization Owner hereby instructs the Supplier to process Relevant Data: (a) as necessary in connection with the Service, which, particularly but without limitation, includes any processing that is (i) requested or initiated by Users in their use of the relevant Organization or Features in connection with that Organization, or (ii) otherwise required for the Supplier's performance of its obligations or rights under the Terms in relation to the Organization, Workspaces, or its respective users; and (b) for as long as the purposes described in subsection (a) warrant such processing.
3.3 For the avoidance of doubt, section 3.2: (a) sets out the Owner's current instructions as to the processing of Relevant Data; (b) does not prevent the Owner from giving further instructions (which shall be reasonable, lawful and documented) or the Supplier from processing Relevant Data as may be necessary in light of such further instructions; (c) does not restrict the Supplier from processing Relevant Data for as long as legally required (e.g., to comply with the GDPR or legal acts concerning taxation, accounting, financial reporting or counter-terrorism or -money laundering) and, if so required (but only to the extent required), exceeding the duration of processing warranted by the Owner's instructions. The Owner thus acknowledges and agrees that each operation that the Supplier performs on Relevant Data will continue until the Supplier is no longer legally obliged to perform the same.
4.1 Personal Data whose processing is permitted
The types of Personal Data that a User (including the Owner) is allowed to process as part of Organization Data are limited to those which the User is legally permitted to process. The Owner undertakes that Organization Data will not include, and neither he nor any other User who accesses the Organization (including any such Guest User) will use the Service for the processing of, Personal Data whose processing is legally prohibited.
4.2 Personal Data whose processing is restricted
The Owner acknowledges that the processing of certain types of Personal Data is restricted or limited under the GDPR and that non-compliance with the relevant restrictions or limitations may result in substantial penalties, including fines, being imposed on, or other punitive, remedial or compensatory measures being taken against, the Owner, the Supplier and the User involved in the processing (if different from the Owner).
4.3 Consequently, the Owner undertakes that, absent the Supplier's prior explicit consent, Organization Data will not include, and neither he nor any other User who accesses the Organization (including any such Guest User) will use the Service for the processing of, Personal Data that fall within either of the following categories: (a) 'special categories of personal data' (also known as 'sensitive information') as described for the time being in Article 9 of the GDPR, including particularly but without limitation genetic data, biometric data and data concerning health; (b) 'personal data relating to criminal convictions and offences or related security measures' as described for the time being in Article 10 of the GDPR.
5.1 The Owner will determine who the Data Subjects are, or he may determine this jointly with other members of the Organization (or jointly with certain members or a particular member thereof). As between the Parties, the Owner shall be deemed to have determined the same.
5.2 The categories of Data Subjects include but may not be limited to: (a) Users having access to the Organization, including such Guest Users; (b) Users who interact with the Features applied via the Organization; (c) employees, contractors, consultants, associates and agents of (i) the Owner, (ii) the Subscriber of, or payer for, the Service Plan pertaining to the Organization, or (iii) the Users mentioned in the preceding subsections; and (d) parties with whom the Owner or the above Subscriber, payer or User does business or has other relations.
6.1 The Owner agrees that persons and entities on the Sub-processor List may be retained as Sub-processors (and authorises the Supplier to engage them), provided that each Sub-processor, insofar as relevant considering the processing operations it performs, assumes or is made subject to data protection obligations substantially similar to those set forth in this DPA (but in any event no less protective of Relevant Data than the DPA). These obligations may be either contractual or apply by operation of law. In the former case, the respective contract shall be in writing (which includes electronic form) or shall at least be made in a manner that identifies the parties and allows repeated reproduction of its terms.
6.2 The Owner instructs that if sub-processing of Relevant Data is to be carried out by an international organisation or in a country not participating in the European Economic Area (EEA) and not being the Swiss Confederation, then the sub-processing be performed: (a) by an organisation or in a jurisdiction (respectively) that ensures an adequate level of protection for the Relevant Data concerned, i.e., that the transfer of these data from the EEA be based on an 'adequacy decision' as per the GDPR; or, absent an adequacy decision (b) subject to such safeguards and other conditions as required under the GDPR; save if and to the extent that the requirement for an adequacy decision or safeguards has been legally derogated from. The transfer of Relevant Data from the EEA in compliance with the above instruction to a party identified in the Sub-processor List requires no further instruction by the Owner.
6.3 At least 10 days before authorising a third party not mentioned in the Sub-processor List to act as a Sub-processor the Supplier shall update the Sub-processor List made available online accordingly, i.e., at least 10 days before the engagement takes effect. Supplier undertakes to keep this list updated regularly to enable its Users to stay informed of the scope of sub-processing associated with the Services.
6.4 The Owner may reasonably object to the new sub-processor engagement by providing the Supplier notice to that effect (setting out his grounds for the objection) within 10 days of having been informed as per section 6.3. In case the Owner does so object, the Supplier will endeavour to provide him a commercially reasonable alternative not involving the processing the Owner objected to. Such an alternative may, e.g., consist in a modification to the Service or a change of Service Plan. If the Supplier is unable to provide the Owner with an alternative acceptable to him or (in its sole discretion) concludes that no alternative is feasible and respectively informs the Owner, and the objection is not withdrawn, then the relevant Organization shall be closed.
6.5 If the Owner does not object to the new sub-processor engagement in accordance with section 6.4, he shall be deemed to have authorised the engagement.
6.6 The Supplier shall be liable to the Owner for the acts and omissions of Sub-processors to the same extent that the Supplier would itself be liable under the Agreement were it to commit those acts or omissions.
7.1 The Supplier will maintain adequate technical and organisational measures to ensure such level of security in its processing of Relevant Data as appropriate in the given circumstances. Certain of these measures have been described in the Data Protection Policy.
7.2 The purpose of the above measures is to address in an appropriate manner: (a) the protection of Relevant Data against unauthorised or unlawful processing and against accidental loss, alteration or destruction; (b) the integrity and confidentiality of Relevant Data; (c) the availability and resilience of the Features pertinent to the processing of Relevant Data (to the extent such Features are authorised under the Service Plan the Owner enjoys); (d) the ability to restore the availability and access to Relevant Data in a timely manner after a Service failure; (e) the effectiveness of the means employed by the Supplier for ensuring the required level of security in its processing of Relevant Data.
7.3 The Supplier further undertakes to: (a) ensure that the persons it authorises to process Relevant Data commit themselves to confidentiality (or will be under an appropriate statutory obligation of confidentiality) with respect to these data; and (b) notify the Owner without undue delay upon learning of any Personal Data breach that involves Relevant Data and may need to be communicated to the competent supervisory authority or the Data Subject(s) concerned.
Data Subjects' requests
8.1 The Owner acknowledges that it is his duty, not the Supplier's, to accept, respond to, and resolve Data Subjects' requests for exercising their rights and freedoms as data subjects in connection with Relevant Data ('data subject rights'), and facilitate the exercise of these rights and freedoms. If any such request is addressed directly to the Supplier, it will, to the extent legally permitted, redirect the request to the Owner without undue delay.
8.2 Upon the Organization Owner's request, and considering the nature of the Supplier's processing operations hereunder, the Supplier will, insofar as possible, take appropriate technical and organisational measures to reasonably assist the Owner in complying with his obligation to respond to Data Subjects' requests for exercising the following of their data subject rights under the GDPR: the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and the right not to be subject to automated individual decision-making.
8.3 Other compliance
Considering the nature of the Supplier's processing operations and the information available to it, the Supplier will, on the Owner's request, reasonably assist the Owner in complying with the following of his controller obligations regarding the processing of Relevant Data (as arising under the GDPR), provided, and to the extent, these obligations apply to the Owner and the information he requires is not otherwise available to him: (a) using the Service in a manner compatible with the Owner's obligation to ensure an appropriate level of security in his processing of Relevant Data; (b) notifying breaches of Relevant Data to the appropriate supervisory authority and the Data Subjects concerned and documenting these breaches; (c) conducting a data protection impact assessment concerning the processing of Relevant Data by means of the Service, and, where necessary, carrying out a review to assess whether processing is performed in accordance with the impact assessment; and (d) consulting with the relevant supervisory authority on matters related to the above data protection impact assessment or its subject.
8.4 Costs of assistance
To the extent legally permitted, the Owner shall incur all costs and expenses that may arise in connection with the assistance described in this article 8, including any fees associated with the provision of additional Features.
9.1 After the completion of services relating to the processing of Organization Data (i.e., upon permanent cessation of all Service in relation to the Organization), the Supplier will: (a) at the Owner's choice, either delete or return to him all Relevant Data then stored by the Supplier; and (b) delete copies of these Relevant Data, save if and to the extent the law requires that the data concerned be retained; provided that: (α) if the Owner elects to have the data returned, his respective request is made reasonably prior to the Organization being closed (see section 12.3 of the Terms); and (β) if Relevant Data reasonably cannot be deleted, returned or retained separately from other Organization Data (as is likely to be the case with at least some Relevant Data), the Supplier will, as applicable, delete or return, and, if required, retain, the entire body of Organization Data then stored by the Supplier, with no obligation to organise, structure or otherwise process the same to separate Relevant Data therefrom or distinguish between Relevant Data and other Organization Data.
10.1 The Supplier shall maintain records sufficient to demonstrate its compliance with the DPA, and will retain these records as long as legally required.
10.2 Upon the Organization Owner's request and subject to such confidentiality and non-use commitments as the Supplier reasonably may suggest, the Supplier shall, no more than once a year: (a) make available to the Owner such of the above records as necessary, and any other information that reasonably may be required, to demonstrate the Supplier's compliance with its obligations under the DPA; and (b) if the provision of records and other information as per the preceding subsection is not sufficient for demonstrating the Supplier's compliance, allow the Owner (or his independent third-party auditor), upon reasonable notice and at a mutually agreeable time, to conduct an audit or inspection of the Supplier's practices in processing Relevant Data.
10.3 Any audit or inspection under subsection 10.2(b) shall be limited to what is necessary for verifying the Supplier's compliance with its obligations under this DPA, is to be conducted in a manner not unreasonably disruptive to the Supplier's and Sub-processors' business, and shall be at the Owner's expense (including as to reasonable costs and expenses of the Supplier and Sub-processors, which the Owner undertakes to reimburse).
Last updated: May 23rd 2023