Data Processing Addendum (DPA) – For European Clients
Last Updated: November 1, 2020
This addendum (the “Data Processing Addendum”) governs TEAM’s Processing of any Personal Data pursuant to Terms where such Processing occurs in the European Economic Area, its member states, Switzerland, or the United Kingdom (as each capitalized term is defined below).
The following definitions apply to this Data Processing Addendum:
(a) Access Requests – requests made by a Data Subject to exercise any rights of Data Subjects under the Data Protection Legislation in relation to Personal Data.
(b) Appropriate Safeguards – such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under the Data Protection Legislation from time to time.
(c) Controller – has the meaning given to that term (or the term ‘data controller’) in the Data Protection Legislation.
(d) Data Breach – any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data.
(e) Data Protection Legislation – all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, including the Data Protection Act 2018, Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
(f) Data Subject – an identified or identifiable natural person.
(g) “TEAM” is TEAM Software, Inc., or its affiliate(s), the entity or entities providing the Services to you.
(h) Personal Data – any information relating to a Data Subject received by TEAM from you or on your behalf in connection with the performance of TEAM’s obligations as a Processor.
(i) Processor – The TEAM entity identified in the Order and acting as a processor (or ‘data processor’) as that term is defined in the Data Protection Legislation with respect to the Services.
(j) Processing – has the meaning given to that term in the Data Protection Legislation.
(k) Restricted Transfer – either a transfer of Personal Data from you to a Processor or an onward transfer of Personal Data from a Processor to a Processor (or between two establishments of a Processor), but only where such transfer would be prohibited by Data Protection Legislation (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Legislation) in the absence of the Standard Contractual Clauses to be established under Section 8.
(l) Services – the services and other activities to be supplied to or carried out by or on behalf of TEAM pursuant to the Terms.
(m) Sub-Processor – another TEAM entity or third party engaged by Processor in order to act as a processor (or ‘data processor’) as that term is defined in the Data Protection Legislation with respect to the Services.
(n) Standard Contractual Clauses means the clauses set forth in Annex 1, as they may be amended from time to time.
(o) Terms shall mean the principal agreement to which this Data Processing Addendum is attached and into which it is incorporated.
(p) You or Your shall refer to the TEAM client identified in the Terms.
This Data Processing Addendum shall survive termination or expiry of these Terms and continue:
(a) indefinitely in the case of Sections 1, 2 and 10; and
(b) until 12 months following the termination or expiry of these Terms in the case of all other Sections.
3. Controller and Processor
(a) You are the Controller in respect of any Personal Data, and you hereby instruct Processor to process Personal Data as necessary in order to provide the Services.
(b) You shall comply with all Data Protection Legislation in connection with the exercise and performance of your rights and obligations under these Terms, and Processor shall process the Personal Data in compliance with the obligations of Processors under the Data Protection Legislation.
(c) You warrant that:
(i) without prejudice to the generality of paragraph 3(b), you will ensure you have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Processor and/or lawful collection of the Personal Data by Processor on your behalf for the duration and purposes of the Terms;
(ii) all instructions given by you to Processor in respect of the Personal Data shall be in accordance with the Data Protection Legislation; and
(iii) you are satisfied that TEAM’s Processing operations are suitable to enable TEAM to process Personal Data, and that TEAM has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of the Data Protection Legislation.
4. Instructions and Details of Processing
(a) Where TEAM processes Personal Data on your behalf, TEAM shall:
(i) process the Personal Data only in accordance with your documented instructions (unless required to do otherwise by the Data Protection Legislation);
(ii) notify you if the Data Protection Legislation requires TEAM to process Personal Data other than in accordance with your documented instructions; and
(iii) notify you if TEAM believes that an instruction infringes the Data Protection Legislation.
(b) TEAM’s Processing of Personal Data shall consist of storing and applying business process rules to data:
(i) including personal contact details, financial information including bank account details, National Insurance numbers, dates of birth, next of kin, qualifications and historic employment/work records including third party references, personal preferences, cases, incidents, proof of presence, photographs, voice recordings, work history and associated employment records, tasks and duties and related payment and billing records;
(ii) relating to your employees and representatives, employees of your subcontractors and agents, employees and representatives of your customers, candidates, victims, witnesses, suspects and offenders;
(iii) for the duration of these Terms and for a maximum period of 30 days thereafter in order to allow for an orderly wind-up and/or transfer and/or cessation of the relevant Services; and
(iv) for the purpose of performing its obligations under these Terms.
5. Technical and Organisational Measures
TEAM shall implement and maintain appropriate technical and organisational measures:
(a) to ensure a level of security appropriate to the risks to Data Subject rights and freedoms presented by the Personal Data being Processed, taking into account state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing.
(b) to assist you insofar as is possible in the fulfilment of your obligations to respond to Access Requests relating to Personal Data, taking into account the nature of the Processing, including the fact that TEAM may not be able to access or manipulate some or all of the Personal Data.
6. Using Staff and Other Processors
(a) Processor shall:
(i) not engage any Sub-Processor for carrying out any Processing of Personal Data without your authorisation;
(ii) appoint Sub-Processors only under a written contract containing materially the same obligations as those incumbent upon Processor under the Terms and including, where necessary, Appropriate Safeguards; and
(iii) ensure that all Processor personnel authorised to process Personal Data are subject to binding statutory, ethical, professional, or written contractual obligations to keep the Personal Data confidential (except as otherwise required in accordance with the Data Protection Legislation).
(b) The Sub-Processors listed at https://teamsoftware.com/legal/ have been authorised by you. With respect to any new Sub-Processor that TEAM shall engage in the course of its business, TEAM will notify you of the prospective Sub-Processor prior to engaging that Sub-Processor, giving you an opportunity to object to that change. The services provided by each Sub-Processor are reviewed by TEAM to ensure compliance with industry best practice and a summary document describing each service is available on request.
7. Assistance With Your Compliance Obligations and Data Subject Rights
(a) TEAM shall refer all Access Requests it receives to you without undue delay and, in any event, TEAM shall endeavour to do so no later than 7 days after receipt.
(b) TEAM shall provide such reasonable assistance to you as you reasonably require (taking into account the nature of Processing and the information available to TEAM) to meet your compliance obligations under the Data Protection Legislation with respect to security of Processing, data protection impact assessments, prior consultation with a supervisory authority regarding high-risk Processing, and notification to the supervisory authority or communications to Data Subjects by you in response to a Data Breach, provided that you shall pay TEAM for providing any such assistance on a time and materials basis in accordance with TEAM’s then-current standard daily rates.
(c) TEAM will complete information security questionnaires or requests and seek similar information from Sub-Processors on your behalf upon request, provided always that both the frequency and nature of such requests are reasonable.
8. International Data Transfers
(a) You agree that Processor may transfer Personal Data to any country from which you or a Data Subject accesses the Personal Data in order to make that Personal Data available to you or that Data Subject on the basis of your express consent in accordance with the Data Protection Legislation or in accordance with the Standard Contractual Clauses.
(b) Processor may transfer Personal Data freely within the EEA, Switzerland, the United Kingdom, and any other jurisdiction which has been deemed to provide adequate safeguards for the protection of Personal Data pursuant to Data Protection Legislation.
(c) Except as provided in paragraph 8(a), Processor shall not transfer any Personal Data:
(i) relating to a Data Subject resident in the United Kingdom, to any country outside the United Kingdom; or
(ii) relating to a Data Subject resident in the European Union, but outside the United Kingdom, to any country outside the European Economic Area.
9. Records, Information and Audit
TEAM shall, in accordance with Data Protection Legislation:
(a) maintain written records of all categories of Processing activities carried out on your behalf; and
(b) make available to you such information as is reasonably necessary to demonstrate TEAM’s compliance with the obligations of Processors under Data Protection Legislation, and allow for and contribute to audits, including inspections, by you for this purpose, subject to you:
(i) giving TEAM reasonable prior notice of such information request, audit and/or inspection being required by you;
(ii) ensuring that all information obtained or generated by you in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the supervisory authority or as otherwise required by applicable laws);
(iii) ensuring that such audit or inspection is undertaken during regular business hours of operation with minimal disruption to TEAM’s or any Sub-Processor’s business; and
(iv) paying TEAM for assisting with the provision of information and allowing for and contributing to inspections and audits on a time and materials basis in accordance with TEAM’s then-current standard daily rates.
10. Breach Notification
TEAM shall notify you without undue delay of any Data Breach involving Personal Data as required pursuant to Data Protection Legislation.
11. Deletion or Return of Personal Data
TEAM shall, at your written request, either delete, securely destroy, or return all the Personal Data to you in such form as you may reasonably request within 30 days after the earlier of either (a) the end of the performance of the relevant Services or, the end of the subscription, support period or rental period, whichever is sooner; or (b) once Processing by TEAM of any Personal Data is no longer required for the purposes of these Terms. TEAM shall also delete any existing copies of such Personal Data (unless such deletion would be prohibited by applicable laws or by TEAM’s then-current backup or archival purposes, in which case TEAM shall continue to protect the confidentiality of such copies as if they were subject to this Data Processing Addendum, or unless TEAM is a Controller in relation to that data at the relevant time).
12. Changes in Data Protection Laws
You or TEAM may propose any variations to this Data Processing Addendum which you or TEAM reasonably considers to be necessary to address the requirements of any Data Protection Legislation. If you or TEAM gives notice under this Section 12, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in such notice as soon as is reasonably practicable. Notwithstanding any contrary restriction in the Terms, neither you nor TEAM shall require the consent or approval of any of your or TEAM’s respective affiliates in order to amend this Data Processing Addendum pursuant to this Section 12.
ANNEX 1: STANDARD CONTRACTUAL CLAUSES
The controller to processor standard clauses adopted pursuant to EU Commission Decision 2010/87/EU, available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, are incorporated into this DPA as if fully set forth herein, except that the standard contractual clauses shall yield to those provisions set forth below within this Annex. For the avoidance of doubt, Customer’s signature or other indication of assent with respect to the Order shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, as well as this Annex and its appendices.
Name and contact information of the data exporting organisation: Customer, as indicated on the Order.
(the data exporter)
Name and contact information of the data importing organisation: TEAM Software, Inc., and its affiliated companies, as set forth on the Order.
(the data importer)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
APPENDIX 1 TO ANNEX 1: STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of Annex 1 and shall be deemed to be signed by the respective parties as described in Annex 1.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
Data Exporter is Customer, as defined in the Order.
The data importer is (please specify briefly activities relevant to the transfer):
TEAM Software, Inc., and its affiliated companies, which provide workforce management and other human resources solutions upon the instruction of the data exporter in accordance with the terms of the Agreement.
Data subjects, categories of personal data, and processing operations
The data exporter has instructed the data importer to import, host, and process certain information in connection with its provision of the Services, as defined in the Order. The extent of personal data transferred pursuant to the Standard Contractual Clauses is a limited subset of contact information required in order to allow the data importer to administer its contractual relationship with the data exporter. This information includes the names, job titles, locations, email addresses, telephone numbers, and related contact information of individual employees of the data importer who interact with the data exporter with respect to those Services. No special categories of data will be transferred.
APPENDIX 2 TO ANNEX 1: STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of Annex 1 and shall be deemed to be signed by the respective parties as described in Annex 1.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data uploaded to the Platform, as described in the TEAM Platform Information Security Policy available at teamsoftware.com/legal, as updated from time to time, and made reasonably available by data importer upon request.