Data processor agreement
Data processor: BitaBIZ
Data controller: Customer
- Basis for agreement
This Data Processor Agreement is entered into on the basis of “The General Data Protection Regulation (GDPR). Regulation (EU) 2016/679”.
The Data Processor Agreement concerns the Data Processor’s processing of personal data on behalf of the Data Controller in connection with the Data Controller’s subscription to the Data Processor’s HR, scheduling and absence management system.
The Data Processor Agreement will enter into force on the same day as the subscription. The Data Processor Agreement will expire at the latest three months after the subscription has expired.
Personal data is any form of information concerning an identified or identifiable physical person. Data of the Data Controller is all data that is classified as internal data, value details and personal data of both a general and confidential/sensitive nature.
Types of personal data that can be submitted for processing on the BitaBIZ service are described here: BitaBIZ Data we collect policy.
The Data Processor will solely act in accordance with the Data Controller’s instructions.
The Data Processor will solely process personal data on behalf of the Data Controller which the Data Controller itself has created in the Data Processor’s HR, time and absence registration system in conjunction with the Data Controller’s administration of agreements with employees.
Personal data may solely be processed by the Data Processor to the extent necessary to fulfil the subscription, and in accordance with the Data Controller’s instructions and provisions.
The Data Processor has a duty to follow the instructions given by the Data Controller. The instructions are documented in writing.
The Data Processor requires its personnel to observe an unconditional duty of secrecy concerning the information that is disclosed in conjunction with the work for the Data Controller.
- Data storage
The Data Processor is obliged to comply with the EU data protection legislation in force at any time.
The Data Processor must take the required technical and organisational security measures to prevent information from being accidentally or unlawfully destroyed, lost or diminished, and from being disclosed to unauthorised persons, misused or otherwise processed in conflict with The General Data Protection Regulation (GDPR). Regulation (EU) 2016/679.
At the Data Controller’s request, the Data Processor must give the Data Controller sufficient information for the latter to be able to ensure that the specified technical and organisational security measures are taken. This includes information concerning where the Data Controller’s data is stored.
The Data Processor’s sub processors must comply with The General Data Protection Regulation (GDPR). Regulation (EU) 2016/679.
The Data Processor has implemented IT compliance and security measures that support a correct securing, storage and processing of personal data.
- Infringement of the Data Processor Agreement
Infringement of the Data Processor Agreement will be considered to be a material breach of the subscription agreement.
If the Data Processor is unable to ensure correct processing of the Data Controller’s data in accordance with the Data Processor Agreement, the Data Processor must inform the Data Controller thereof without undue delay. Without undue delay, the Data Processor must thus report to the Data Controller if any security incident occurs which is of significance to IT security, and describe this in further detail.
On the expiry of the Data Processor Agreement, data that is registered in the Data Processor’s HR, time and absence registration system must be issued electronically to the Data Controller as agreed. In this regard, the Data Processor will be obliged to erase data, so that it is not possible to restore this data in the Data Processor’s IT systems.
On the written instructions of the Data Controller, the Data Processor must erase data or information of any type that has been disclosed to the Data Processor pursuant to the subscription. If the Data Controller so requests, the Data Processor will be obliged to store a back-up copy of such data and information for up to three months after the expiry of the subscription.