Shiftmanager gebruikt de volgende gegevensverwerkingsovereenkomst met zijn klanten.
Scope and purpose of the Data Processing Agreement
The Contract concerns the acquisition of the software as a service and other related support services. This Data Processing Agreement governs the processing of Data. Hence the objective of this Data Processing Agreement is to ensure compliance with personal data legislation in force at this moment, including the safeguard for the protection of privacy and the fundamental human rights and freedoms in connection with Shiftmanager being granted access to process the Data. The tasks performed and supported by Shiftmanager mainly involve the processing, including storage of Data. In the course of providing the services to the Customer pursuant to this agreement, Shiftmanager may process Personal Data. Therefore, in consideration to the new GDPR, Shiftmanager agrees to comply with the following provisions.
“Shiftmanager” means the Shiftmanager entity, thus the Data Processor engaged in the processing of Personal Data, other than an employee of the Controller, which processes the Personal Data in behalf of the Customer (Data Controller).
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of natural data. In this agreement, the “Controller” is the Customer of Shiftmanager.
“Personal Data” means any information relating to an identified or identifiable person. (“Data Subject”) An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or a set of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Third party” means a natural person or a legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Supervisory Authority” means an independent public authority which is established by a Member State.
Data covered by the Data Processing Agreement
The Data Processing Agreement covers all Data relevant to the employees of the Controller, such as: name, address, phone number, bank account and other information relevant to horeca businesses. Thus, the processing includes personal data, which under the General Data Protection Regulation and WBP in The Netherlands constitute personal data. The Data also include data, which is not personal data as defined in the Dutch Law on data protection or in the Data Protection Regulation. Such data shall however for the purposes of this agreement be treated as personal data within the meaning of the Dutch Law and/or the General Data Protection Regulation on data protection.
Principles relating to processing of Personal Data
Shiftmanager will processes personal data as follows:
- Lawfully, fairly and in a transparent manner in relation to the data subjects;
- Collects for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date.
- Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”).
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
The Controller shall be responsible for, and be able to demonstrate compliance with the above paragraph as well.
Processor’s rights and obligations
Shiftmanager as a Data Processor must:
- Act on the Controller’s documented instructions;
- Impose confidentiality obligations on all personnel who processes the relevant data;
- Ensure the security of the personal data that it processes;
- Abide by the rules regarding appointment of sub-processors;
- Implement measures to assist the controller with the rights of data subjects;
- Assist the controller in obtaining approval from DPO’s where required;
- At the controller’s election, either return or destroy the personal data at the end of the relationship;
- Compliance with the new GDPR.
Shiftmanager will assist the Customer in complying with its own obligations as a Data Controller only within the Shiftmanager platform. Where processing is based on consent, the Controller shall be able to demonstrate that the data subject has consented of his or her personal data.
For the performance of the obligations in relation to this Data Processing Agreement, Shiftmanager shall only appoint such employees who were informed about all relevant data privacy obligations and instructed to comply with data secrecy pursuant to the personal data in The Netherlands prior to performing their duties.
Controller’s rights and obligations
The Controller of personal data will:
- Bear primary responsibility for ensuring that its processing activities are compliant with EU Data Protection law;
- Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They must determine their responsibilities in a transparent manner, through an agreement, unless the responsibilities are already determined by the Union or Member State Law to which the controllers are subject.
- must cooperate on request with DPO’s in the performance of their tasks;
- in the event of a breach, must report the breach to the DPA without undue delay, within 72 hours. Exception where the data breach is unlikely to result in any harm to data subjects. Must notify the data subjects without undue delay, if the breach is causing high risk to the data subject.
Shiftmanager must keep records of all categories of processing activities.
The following will be recorded by Shiftmanager:
- Information about the Customer (Controller) and any other data processors;
- Names of relevant data protection officers. (DPO’S)
- The categories of data processing carried out;
- Any transfers to third countries;
- The general technical and organizational security measures used.
Shiftmanager must provide such records, if requested by a supervisory authority. All contact details of a DPO must be published and communicated to the applicable supervisory authority.
Deletion or Return of Data
Upon instruction by the Controller and pursuant to the relevant provisions of statutory law and regulations, Shiftmanager shall facilitate the correction, deletion and blocking of Data processed on behalf of the Controller until these Data are ultimately deleted.
Upon termination of this Data Processing Agreement, Shiftmanager shall regardless of the legal reasons of the termination transfer any and all Data (including in e-mails, from communication servers, clients or production computers as well as all intermediate files created in the course of the data processing and manual files) to the Controller. After receiving a confirmation of the receipt of the Data, Shiftmanager shall delete the Data permanently or destruct the manual files. The deletion shall be confirmed in writing vis-à-vis by the Controller. Upon written instructions from the Controller, Shiftmanager shall carry out the deletion without prior transfer of the Data.
Transfers outside EEA
Shiftmanager may process the personal data in countries outside EU/EEA.
In addition, Shiftmanager can transfer personal data outside the EEA only if the party – that processes the data outside the EU/EEA, has provided appropriate safeguards for it and complies with the EU/EEA legislation. (EU model clauses or Binding Corporate Rules). Upon request, Shiftmanager shall notify the Controller as to which country or countries the personal data will be processed in.
Appointment of sub-processors
Shiftmanager is authorized within the framework of the Agreement to engage third parties, without the prior approval of the Controller being required. Upon request of the Controller, Shiftmanager shall inform the Controller about the third party/parties engaged.
Where the Controller agrees to the appointment of sub-processors must be appointed on the same terms as are set out in the contract between the controller and Shiftmanager and in accordance with Article 28 (1) – (2) of GDPR.
Shiftmanager and any sub-processors shall not process personal data, except in accordance with the instructions of the Controller, or the requirements of EU law or the national laws of Member States.
In the event that Shiftmanager believes that the Controllers instructions conflict with the requirements of the GDPR or other EU or Member State Laws, then Shiftmanager must immediately inform the controller. It is for the controller to issue new, revised instructions that are consistent with the applicable law.
Allocation of Liability for processing personal data
Shiftmanager shall only be responsible for processing the personal data under this Agreement, in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller.
Shiftmanager is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to Shiftmanager, and processing by third parties and/or for other purposes.
Shiftmanager is held liable whenever the damaged caused by its processing activities only when:
- Did not complied with obligations under the GDPR for processors;
- Acted outside or contrary to lawful instructions of the Customer (Controller).
The Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies Shiftmanager of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Agreement.
Duty to report
In the event of a security leak and/or leaking of data, Shiftmanager shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data Subjects and/or the relevant regulatory authorities. This duty to report applies irrespective of the impact of the leak. Shiftmanager will endeavor that the furnished information is complete, correct and accurate.
The report shall include the details regarding:
- The (suspected) cause of the leak;
- The (currently known and/or anticipated) consequences thereof;
- The (proposed) solution;
- The measures that have already been taken.
In accordance with GDPR, after being aware of any personal data breach, Shiftmanager will be required to notify the Customer about it. The notification will include information about:
- the nature of the personal data breach;
- categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- communicate name and contact details of the DPO or other contact point that can provide further information;
- describe the consequences of the personal data breach;
- describe the measures taken or proposed to be taken and where possible, measures to mitigate its possible adverse effects.
Where such information cannot be provided totally, the information may be provided in phases without undue further delay.
Shiftmanager will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this Agreement.
Shiftmanager will endeavor to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
The Controller will only make the personal data available to Shiftmanager if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the parties.
Handling requests from involved parties
When a Data Subject submits a request to Shiftmanager to inspect or to improve, add to, change or protect their personal data as stipulated by WBP and GDPR, Shiftmanager will forward the request to the Controller and the request will then be dealt with by the Controller.
Shiftmanager may notify the Data subject thereof.
Non-Disclosure and confidentiality
All personal data received by Shiftmanager from the Controller and/or compiled by Shiftmanager within the framework of this Agreement is subject to a duty of confidentiality vis-à-vis third parties.
This duty of confidentiality will not apply in the event that the Controller has expressly authorized the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonable necessary in view of the nature of the instructions and the implementation of this Agreement, or if there is a legal obligation to make the information available to a third party.
In order to confirm compliance with this Agreement, the Controller shall be at the liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such Audit will follow Shiftmanager’s reasonable security requirements and it will not interfere unreasonably with Shiftmanager’s business activities.
The Audit may only be taken when there are specific grounds for suspecting the misuse of personal data, and no earlier than two weeks after the Controller has provided written notice to Shiftmanager.
The findings in respect of the performed Audit will be discussed and evaluated by the parties and, where applicable, implemented accordingly as the case may be by one of the parties or jointly by both parties.
The costs of the Audit will be borne by the Controller.
This Data Processing Agreement shall enter into force upon signature thereof and shall remain in force for as long as Shiftmanager processes on behalf of the Controller, or until the Contract expires/terminates, whichever is later.