Data Protection Agreement
1. Purpose and Scope
The parties specified in Appendix I ("Parties") have agreed to this data processing agreement ("DPA") in order to ensure compliance with Art 28(3) and (4) GDPR.
This DPA applies to the processing of personal data as specified in Appendix II.
Appendices I to IV are an integral part of this DPA.
2. Interpretation
Where this DPA uses the terms defined in the GDPR, those terms shall have the same meaning as in that regulation.
3. Hierarchy
In the event of a contradiction between this DPA and the provisions of related agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail.
4. Description of Processing
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Appendix II.
5. Obligations of the Parties
5.1. Instructions
The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
The processor shall immediately inform the controller if, in the processor's opinion, instructions given by the controller infringe the GDPR or the applicable Union or Member State data protection provisions.
5.2. Anonymization
The controller authorises the processor, and the processor is therefore entitled, to anonymise the processed data and to use the anonymised data for statistical evaluations. For this purpose, any personal reference in the data is removed and cannot be restored.
5.3. Purpose Limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Appendix II, unless it receives further instructions from the controller.
5.4. Duration of the Processing
Processing by the processor shall only take place for the duration specified in Appendix II.
5.5. Security of Processing
The processor shall at least implement the technical and organisational measures specified in Appendix III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data ("Personal Data Breach"). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.6. Documentation and Compliance
The Parties shall be able to demonstrate compliance with this DPA.
The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with this DPA.
The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from the GDPR. At the controller's request, the processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
The Parties shall make the information referred to in this DPA, including the results of any audits, available to the competent supervisory authority/ies on request.
5.7. Use of Sub-Processors
The processor has the controller's general authorisation for the engagement of the sub-processors listed in Appendix IV. The processor shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the controller sufficient time to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the processor in accordance with this DPA. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to this DPA and to the GDPR.
The processor shall remain fully responsible to the controller for the performance of the sub-processor's obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
5.8. International Transfers
Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject, and shall take place in compliance with Chapter V of the GDPR.
6. Assistance to the Controller
The processor shall assist the controller in fulfilling its obligations to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing.
The processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
· the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ("Data Protection Impact Assessment") where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
· the obligation to consult the competent supervisory authority/ies prior to processing where a Data Protection Impact Assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
· the obligations in Art 32 GDPR.
7. Notification of Personal Data Breach
In the event of a Personal Data Breach, the processor shall cooperate with and assist the controller so that the controller can comply with its obligations under Art 33 and 34 GDPR, where applicable, taking into account the nature of processing and the information available to the processor.
8. Termination
Following termination of this DPA, the processor shall, at the choice of the controller, either delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all the personal data to the controller and delete existing copies, unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with this DPA.
APPENDIX I: LIST OF PARTIES
Processor:
Kanbert Software GmbH, Getreidemarkt 1/10, 1060 Vienna, Austria;
FN 553710f
Jürgen Kerner, Data Privacy Officer, dataprivacy@kanbert.com
APPENDIX II: DESCRIPTION OF PROCESSING
Categories of data subjects whose personal data is processed:
Customer and its employees, former employees, interested parties and contact persons of customers; suppliers and their contact persons
Categories of personal data processed:
Name, customer ID, contact details (including email addresses), employment application data, working time records, vacation records, sick leave records, job function, login data, financial data, IP address, time of visit
Sensitive data processed:
Sick leave data, maternity protection periods
Nature of the processing:
Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data
Purpose(s) for which the personal data is processed on behalf of thecontroller:
Provisioning of services as stipulated in the Agreement
Duration of the processing:
Generally corresponds to the term of the Agreement
APPENDIX III: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational security measures implemented by the processor:
Physical Access Control (To prevent unauthorised persons from gaining physical access to data; all data centres are secured by the following)
· Documented key administration
· Biometric access controls
· Alarms
Data Access Control (To prevent unauthorized persons from accessing our data systems)
· strong password policy
· Firewalls
· Logging of software incidents
· Authorization process for employees
· Revoking of access rights after expiry of authorization
Data Transmission Control (To prevent personal data from being read, copied, modified or removed without authorization during transmission)
· Using secure protocols (SSL, TLS)
· Process for disposal of data storage devices
· Using secure protocols for remote work (SSH, VPN).
Input Control (To prevent unauthorized input, modification or removal of data into our data processing)
· Employees have access based on their roles
· Authorizations are approved by authorized individuals only
Availability Control (To prevent data from being lost)
· Backups are in place
· Recovery plans are in place and tested
· All systems are monitored 24x7 to detect errors.
APPENDIX IV: LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Purpose: Cloud infrastructure for the Product
Entity name: Digimagical GmbH
Entity type: Cloud service provider
Processing country: Austria, Germany
Purpose: Availability monitoring
Entity name: Immutable VOF (OhDear)
Entity type: Cloud service provider
Processing country: Europe
Purpose: Performance monitoring
Entity name: Functional Software, Inc. d/b/a Sentry
Entity type: Cloud service provider
Processing country: Worldwide; Standard Contractual Clauses (SCC, EU standard model clauses) signed
Purpose: Service desk system
Entity name: FrontApp Ireland Limited, 21-23 City Quay, 4th Floor, Dublin 2, D02 FP21, Ireland
Entity type: Cloud service provider
Processing country: Worldwide; Standard Contractual Clauses (SCC, EU standard model clauses) signed
Purpose: Payment provider
Entity name: Stripe Technology Europe, The One Building, 1 Lower Grand Canal Street, Dublin 2, Ireland
Entity type: Cloud service provider
Processing country: Worldwide; Standard Contractual Clauses (SCC, EU standard model clauses) signed