entered into by and between the Customer (hereinafter referred to as the "Controller") and Timesheet - Mobile Time Tracking OG, Untere Weißgerberstrasse 43 1/2, 1030 Vienna, Austria (hereinafter referred to as the "Processor"), together the "Parties".
"Customer" in this context means, on the one hand, independent individual users of our Services, such as freelancers or other persons who register for use independently of an employer or other organization ("Individual Customer"). In the case of companies, organizations, institutions, groups of persons or the like that track the working time of employees or other persons assigned to their Timesheet account and have acquired licenses for these persons for this purpose ("Enterprise Customers"), the respective company, organization, institution, group of persons or the like shall be deemed to be the Customer and thus the Controller.
This DPA is entered into for the duration of the use of the Services or for the duration of the contract concluded between the Parties on the use of the Services.
3. Subject of the data processing
3.1 Purpose of the processing:
Processing and management of working hours and related project management, team management, invoicing, management of expenses and files. The purpose of the implementation is to assist the Controller in daily business operations and processes.
This agreement is to be understood as a supplement to the contract concluded for the use of the Services.
3.2 Data categories
3.2.1 User data:
- Enterprise Customers only: Name, profile picture (if provided) and language of license users.
- All content that is entered, provided, collected, or processed in any other form via the Services and their functions, such as, in particular, tracked time, breaks, teams, projects, tasks, expenses, notes, keywords, rates/hourly rates, invoices, automations, signatures, attachments, images and other uploads, provided that and only to the extent that this data is provided. This also includes all data and information made available based on individually selectable App permissions.
- Location of the end device used, connection or termination of the connection to a Wi-Fi network (Wi-Fi detection), iBeacon detection.
- Information transmitted by user-activated and connected or integrated third-party applications.
- Personal data of individual users, which other users provide in the context of the services, e.g., by making entries in their projects or tasks or as their employers.
4. Processor’s duties
- The Processor declares that it has committed all persons entrusted with the data processing to maintain confidentiality prior to commencing their activities or that they are subject to an appropriate statutory confidentiality obligation. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after the termination of their activities and their departure from the Processor.
- The Processor declares that it has taken all necessary measures to ensure the security of the Processing pursuant to Art 32 GDPR. These measures are available upon request at any time and may be changed in the future but must not fall below the current level of protection. The Controller declares that these measures within the meaning of Art 32 GDPR ensure an adequate level of protection.
- The Processor shall take the technical and organizational measures to enable the Controller to fulfill the rights of data subjects under Chapter III of the GDPR (information, access, rectification and erasure, data portability, objection, as well as automated decision-making in individual cases) at any time within the statutory time limits and shall provide the Controller with all information necessary for this purpose. If a corresponding request is addressed to the Processor and the request indicates that the applicant mistakenly believes that the Processor is responsible for the data processing carried out by the Processor, the Processor shall immediately forward the request to the Controller and inform the applicant accordingly.
- The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the data subject of a personal data breach, data protection impact assessment, prior consultation).
- The Processor undertakes to provide the Controller with the information necessary to monitor compliance with the obligations set out in this DPA. Primarily, the proof of compliance shall be provided by handing over certificates, confirmations or other documentation. Should reasonable doubt nevertheless arise as to compliance, the Controller shall be granted the right to inspect and control the data processing facilities with regard to the processing of the data provided by it, including through third parties appointed by the Controller. The costs for this shall in any case be borne by the Controller.
- Upon termination of this DPA, the Processor shall, at the Controller's discretion, either delete or release to the Controller in a commonly used format all processing results and records containing personal data of the Controller.
- The Processor shall inform the Controller without undue delay if it considers that an instruction given by the Controller violates Union or Member State data protection law.
5. Place of processing
- The Customer acknowledges that the provision of the contractual services may require the transfer or processing of personal data in/to countries outside the EEA. The provisions of this DPA shall also be the Customer's instructions with respect to transfers to third countries.
- The Processor undertakes to comply with standard contractual clauses as amended by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council in the case of transfers of personal data to processors established in third countries that do not ensure an adequate level of data protection.
- The Processor is entitled to engage additional processors ("Sub-Processors"). The Processor currently uses the Sub-Processors listed under https://timesheet.io/en/sub-processors.
- The Processor is entitled to engage further Sub-Processors.
- The Processor shall notify the Controller of the intended additions or changes to the Sub-Processors in good time so that the Controller can prohibit them if necessary. The Processor shall conclude the necessary agreements within the meaning of Article 28 (4) GDPR with all Sub-Processors.
7. Controller's duties
- The Controller warrants that all personal data made available to the Processor shall be collected and made available in accordance with the applicable data protection laws and that it shall comply with all obligations in this respect, in particular with regard to informing the data subjects, obtaining the relevant consents, if any, as well as documentation and transparency.
- The Controller shall further ensure that all instructions given to the Processor in relation to the processing of Personal Data shall be in accordance with the applicable laws.
- The Controller shall indemnify and hold harmless the Processor in the event of any breach of these obligations.
8. Final provisions
- This DPA shall be governed by Austrian law to the exclusion of international private law and the UN Convention on Contracts for the International Sale of Goods. The place of jurisdiction shall be the locally and materially competent court at the registered office of the Processor.
- If any provision of this DPA is or becomes invalid or unenforceable, this shall not affect the validity of the remaining provisions. The Parties undertake to agree on a new, effective provision in place of the ineffective provision which comes as close as possible to the meaning and purpose of the ineffective provision. The same shall apply to gaps in this agreement.
- The liability of the Processor shall be limited to damage caused by Processing that did not comply with the obligations of the Processor under the GDPR and this Agreement or if the Processor acted outside or contrary to the lawful instructions of the Controller. Liability is also limited to gross negligence and intent and to three times the annual fee of the concluded contract.