entered into by and between the Customer (hereinafter referred to as the "Controller") and Timesheet - Mobile Time Tracking OG, Untere Weißgerberstrasse 43 1/2, 1030 Vienna, Austria (hereinafter referred to as the "Processor"), together the "Parties".

"Customer" in this context means, on the one hand, independent individual users of our Services, such as freelancers or other persons who register for use independently of an employer or other organization ("Individual Customer"). In the case of companies, organizations, institutions, groups of persons or the like that track the working time of employees or other persons assigned to their Timesheet account and have acquired licenses for these persons for this purpose ("Enterprise Customers"), the respective company, organization, institution, group of persons or the like shall be deemed to be the Customer and thus the Controller.

1. General

  1. This Data Processing Agreement (hereinafter also referred to as the "DPA"), in addition to the Privacy Policy, governs the processing of personal data (hereinafter also referred to as the "Data") by the Processor within the scope of the contract concluded between the parties for the use of the Timesheet App and Services. Timesheet is a digital time tracking system. It is available as a web app accessible via the browser and as an Android and iOS app and enables both manual and automated time tracking through the use of Wi-Fi and geofencing technologies, as well as the management of working hours, project and team management, invoicing and the management of expenses and files (the "Services" or the "App").
  2. The provision of the commercial and legal conditions and a precise technical or professional description of the Services are not the subject of this DPA. This DPA shall ensure that the processing of Data in the context of the use of the Services complies with all applicable legal requirements, in particular in accordance with the General Data Protection Regulation ("GDPR") and the Austrian Data Protection Act (Datenschutzgesetz, "DSG"). All terms used in this DPA shall have the meaning defined in the Privacy Policy, the Terms and Conditions or subsidiarily in the GDPR or further subsidiarily in other applicable legal provisions.

2. Term

This DPA is entered into for the duration of the use of the Services or for the duration of the contract concluded between the Parties on the use of the Services.

3. Subject of the data processing

3.1 Purpose of the processing:

Processing and management of working hours and related project management, team management, invoicing, management of expenses and files. The purpose of the implementation is to assist the Controller in daily business operations and processes.

This agreement is to be understood as a supplement to the contract concluded for the use of the Services.

3.2 Data categories
3.2.1 User data:
  1. Enterprise Customers only: Name, profile picture (if provided) and language of license users.
  2. All content that is entered, provided, collected, or processed in any other form via the Services and its functions, such as, in particular, tracked time, breaks, teams, projects, tasks, expenses, notes, keywords, rates/hourly rates, invoices, automations, signatures, attachments, images and other uploads, provided that and only to the extent that this data is provided. This also includes all data and information made available based on individually selectable App permissions.
  3. Location of the end device used, connection or termination of the connection to a Wi-Fi network (Wi-Fi detection), iBeacon detection.
  4. Information transmitted by user-activated and connected or integrated third-party applications.
  5. Personal data of individual users, which other users provide in the context of the services, e.g., by making entries in their projects or tasks or as their employers.

4. Processor’s duties

  1. The Processor is obliged to process the Data exclusively within the scope of the above-mentioned purposes and in accordance with the terms of this DPA and the documented instructions of the Controller. If the Processor receives an official order to release data of the Controller, the Processor shall, to the extent permitted by law, immediately inform the Controller thereof and refer the authority to the Controller. Likewise, the processing of Data for the Processor's own purposes shall require a written mandate. The description of the data processing and the Services in the General Terms and Conditions, the Privacy Policy and this DPA conclusively contain the instructions of the Controller with regard to the processing.
  2. The Processor declares that it has committed all persons entrusted with the data processing to maintain confidentiality prior to commencing their activities or that they are subject to an appropriate statutory confidentiality obligation. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after the termination of their activities and their leave from the Processor.
  3. The Processor declares that it has taken all necessary measures to ensure the security of the Processing pursuant to Art 32 GDPR. These measures are available upon request at any time and may be changed in the future but must not fall below the current level of protection. The Controller declares that these measures within the meaning of Art 32 GDPR ensure an adequate level of protection.
  4. The Processor shall take the technical and organizational measures to enable the Controller to fulfill the rights of data subjects under Chapter III of the GDPR (information, access, rectification and erasure, data portability, objection, as well as automated decision-making in individual cases) at any time within the statutory time limits and shall provide the Controller with all information necessary for this purpose. If a corresponding request is addressed to the Processor and the request indicates that the applicant mistakenly believes that the Processor is responsible for the data processing carried out by the Processor, the Processor shall immediately forward the request to the Controller and inform the applicant accordingly.
  5. The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the data subject of a personal data breach, data protection impact assessment, prior consultation).
  6. The Processor undertakes to provide the Controller with the information necessary to monitor compliance with the obligations set out in this DPA. Primarily, the proof of compliance shall be provided by handing over certificates, confirmations or other documentation. Should reasonable doubt nevertheless arise as to compliance, the Controller shall be granted the right to inspect and control the data processing facilities with regard to the processing of the data provided by it, including through third parties appointed by the Controller. The costs for this shall in any case be borne by the Controller.
  7. Upon termination of this DPA, the Processor shall, at the Controller's discretion, either delete or release to the Controller in a commonly used format all processing results and records containing personal data of the Controller.
  8. The Processor shall inform the Controller without undue delay if it considers that an instruction given by the Controller violates Union or Member State data protection law.

5. Place of processing

  1. The Customer acknowledges that the provision of the contractual services may require the transfer or processing of personal data in/to countries outside the EEA. The provisions of this DPA shall also be the Customer's instructions with respect to transfers to third countries.
  2. The Processor undertakes to comply with standard contractual clauses as amended by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council in the case of transfers of personal data to processors established in third countries that do not ensure an adequate level of data protection.

6. Sub-Processors

  1. The Processor is entitled to engage additional processors ("Sub-Processors"). The Processor currently uses the Sub-Processors listed under https://timesheet.io/en/sub-processors.
  2. The Processor is entitled to engage further Sub-Processors.
  3. The Processor shall notify the Controller of the intended additions or changes to the Sub-Processors in good time so that the Controller can prohibit them if necessary. The Processor shall conclude the necessary agreements within the meaning of Article 28 (4) GDPR with all Sub-Processors.

7. Controller’s duties

  1. The Controller warrants that all personal data made available to the Processor shall be collected and made available in accordance with the applicable data protection laws and that it shall comply with all obligations in this respect, in particular with regard to informing the data subjects, obtaining the relevant consents, if any, as well as documentation and transparency.
  2. The Controller shall further ensure that all instructions given to the Processor in relation to the processing of Personal Data shall be in accordance with the applicable laws.
  3. The Controller shall indemnify and hold harmless the Processor in the event of any breach of these obligations.

8. Final provisions

  1. This DPA shall be governed by Austrian law to the exclusion of international private law and the UN Convention on Contracts for the International Sale of Goods. The place of jurisdiction shall be the locally and materially competent court at the registered office of the Processor.
  2. If any provision of this DPA is or becomes invalid or unenforceable, this shall not affect the validity of the remaining provisions. The Parties undertake to agree on a new, effective provision in place of the ineffective provision which comes as close as possible to the meaning and purpose of the ineffective provision. The same shall apply to gaps in this agreement.
  3. The liability of the Processor shall be limited to damage caused by Processing that did not comply with the obligations of the Processor under the GDPR and this Agreement or if the Processor acted outside or contrary to the lawful instructions of the Controller. Liability is also limited to gross negligence and intent and to three times the annual fee of the concluded contract.
