Data Processing Addendum (DPA)
stipulated between
the Timetracker for Jira Cloud Application client, hereinafter referred to as Controller
and
Everit Kft. [company seat: 1137 Budapest, Katona József utca 17.; registration number: 01 09 901986; representative:], hereinafter referred to as Processor, jointly Contracting Parties with the following conditions:
Contractual background
The Contracting Parties have contracted by conduct for Timetracker for Jira Cloud application services on the Atlassian Marketplace (hereinafter referred to as Principal Agreement), which involves the processing of personal data as set out in section A of this DPA. When processing personal data, the Controller acts as data controller and the Processor acts as data processor under the General Data Protection Regulation of the European Union (GDPR).
In order to protect the personal data of data subjects, to maintain the trust of clients, and to comply effectively with the legal requirements of data protection, the Contracting Parties define the requirements for the processing of personal data by the Processor as follows.
General Terms and Conditions for Data Processing
In respect of all personal data processed on behalf of the Controller the Processor undertakes to process such personal data solely to the extent strictly necessary for the purposes of the Principal Agreement and as defined under section A of this DPA.
The Processor shall not process these personal data for any other purpose, especially for its own purposes. In particular Processor shall not include personal data in any of its own products or services or in products or services offered to third parties.
The Processor shall keep and process personal data entrusted to it separately from other personal data processed on behalf of other controllers. All customer data is stored in a separate database for each Atlassian product instance. The stored data is not encrypted and is stored in the same form in which the Processor receives it from Atlassian.
Apart from worklog data, the Processor does not synchronise any other records, such as issue data or other personal information. However, synchronised worklog comments may contain sensitive information.
The Contracting Parties agree that the Processor shall not be entitled to reimbursement of any costs incurred in fulfilling its obligations under this DPA, except for those agreed in the Principal Agreement.
1. Definitions
Unless defined differently below, the terms used in this DPA shall have the meaning given to them in the Principal Agreement.
1.1. “Personal data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3. “GDPR” means the EU General Data Protection Regulation 2016/679.
1.4. “NAIH” means the Hungarian National Authority for Data Protection and Freedom of Information.
1.5. “Principal Agreement” means the service contract stipulated between the Contracting Parties, in which the Processor processes personal data in the context of “Timetracker for Jira Cloud” application on behalf of the Controller (hereinafter referred to as Application).
1.6. “Obligatory security measures” means the technical and organisational measures which the Processor undertakes to implement, as defined in section D of this DPA.
2. Data processing compliance with legislation, responsibility
The Processor undertakes to comply with all applicable data protection laws, in particular the GDPR, for the data processing covered by this DPA. The Processor shall be liable for any damage caused by its infringement of the applicable data protection laws, and any resulting fines and damages shall be borne by the Processor. The Processor is obliged to pay to the Controller any fine or compensation awarded under this section by a final court decision within 15 days after receipt of the final decision, as previously agreed by the Contracting Parties.
The Controller shall be liable for the quality and lawfulness of the collection of the customer data, including all personal data processed under the Principal Agreement.
3. Data processing on instructions from the Controller
The Processor shall process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.
4. Obligatory security measures
4.1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing carried out during the implementation of the Principal Agreement, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the Processor shall implement appropriate technical and organisational measures in order to guarantee a level of data security appropriate to the risk.
The Processor shall implement at least the minimum security measures specified in section D of this DPA.
4.2. In assessing the appropriate level of security, the Processor takes into account in particular the risks presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.3. In particular, the Processor ensures
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5. Confidentiality and secrecy
5.1. The Processor ensures that personal data are accessed only by persons for whom it is absolutely necessary for the performance of their duties under the Principal Agreement and section A of this DPA.
5.2. The Processor takes appropriate measures to ensure that any natural person acting under the authority of the Processor, who has access to personal data, does not process those data except on instructions from the Controller.
5.3. The Processor also undertakes that any person acting under the authority of the Processor, can only have access to the personal data if they have previously made a written commitment to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.4. The Processor provides an adequate level of data protection training for persons involved in data processing operations and keeps their privacy awareness up to date.
6. Engagement of subprocessors
6.1. The Processor will not engage another processor (subprocessor) without the prior specific or general written authorisation of the Controller. The Processor provides the Controller with appropriate information on the subprocessor and on the details of the processing to be entrusted to it.
6.2. Where the Processor engages a subprocessor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations shall be imposed on the subprocessor by way of a written contract as set out in the present DPA. The subprocessor shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the present DPA. Where the subprocessor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the subprocessor’s obligations.
6.3. The Processor shall contract with the subprocessor in such a way that, in the event of a personal data breach caused by the actions of the subprocessor, the Controller may, if it so requests and under the subprocessor’s contract with the Processor, take all appropriate measures for the protection of the personal data.
7. Cooperation with the Controller
7.1. The Processor shall process the personal data only on instructions of the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes any law.
7.2. Contracting Parties shall notify each other in writing without undue delay of any changes related to any information in section A of this DPA.
8. Exercising the rights of data subjects
8.1. The Processor assists the Controller with appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Controller’s obligation to respond to requests by data subjects to exercise their rights, in particular the right to information, access, rectification, erasure (right to be forgotten), restriction, data portability, objection, and the right not to be subject to automated decision-making.
8.2. In order to exercise the above mentioned rights under the GDPR, the Processor shall in particular take the following technical measures:
the ability to identify the personal data of a given natural person where it is necessary to retrieve, rectify, delete or transmit data concerning that person;
on request, the ability to delete any personal data or to block it from being accessed.
8.3. On request from the Controller, Processor shall respond in writing within 5 (five) days.
8.4. Processor shall promptly notify the Controller if it receives a request directly from a data subject. The Processor is not authorised to give information about the data processing directly to the data subjects.
9. Dealing with personal data breaches
9.1. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
9.2. The Processor undertakes to provide an adequate level of data protection training for persons involved in data processing operations and to keep their knowledge of data protection requirements regularly up to date.
9.3. The Processor shall take appropriate technical and organisational measures to avoid personal data breaches, to detect them without undue delay and to determine their severity, and to notify the Controller of any personal data breach immediately, and in any case not later than 24 hours after having become aware of it.
9.4. The Processor will notify the Controller about the data breach via e-mail.
The Processor’s notification shall at least:
a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
e) describe the measures by which the data subjects concerned can themselves mitigate the risks arising from the personal data breach.
9.5. Without written authorisation from the Controller or any specific legislative provision the Processor shall not disclose any information to anyone – in particular to the data subjects, the press, or the NAIH.
9.6. If the Processor fails to comply with its notification obligation, or does not notify the Controller in the manner set out in this DPA, the Controller may terminate the Principal Agreement.
9.7. The Processor undertakes that, in the event of a personal data breach, if the Controller considers it necessary after the notification, the Processor will consult without undue delay with the representatives of the Controller in order to mitigate the possible adverse effects or, where possible, to put an end to the personal data breach.
10. Data Protection Impact Assessment
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment shall be carried out. The Controller is responsible for carrying out the data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. Before the processing starts, the Processor shall make all necessary information available to the Controller so that the data protection impact assessment can be performed at an appropriate level.
11. Audit
11.1. In order to demonstrate compliance with this DPA, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller. In the course of the audit, the Processor shall provide access to documents proving the lawfulness of its data processing activities, shall allow the Controller to make copies of them, and shall make written or in-person contact possible with the persons involved in the data processing. The Controller shall notify the Processor of the audit in due time before it starts.
11.2. Instead of the audit conducted by the Controller, at the choice of the Controller, the Processor’s processing activity can also be verified by an external auditor mandated by the Controller. In this case the Processor shall cooperate similarly with the external auditor.
11.3. Neither the audit performed by the Controller, nor the external audit performed by a third party shall interfere unnecessarily with the operation of the Processor.
11.4. The expenses of the audit are borne by the Controller, except where the audit is needed because the Controller has a well-founded suspicion that the Processor or a subprocessor does not process the data in accordance with this DPA and the audit confirms the Controller’s suspicion.
12. Transfers of personal data outside the European Economic Area (EEA)
12.1. The Processor declares that it processes all personal data exclusively in a Member State of the European Union or in a state that is a party to the Agreement on the European Economic Area.
12.2. The Processor shall transfer personal data outside the European Economic Area - including the case of cloud services on servers used outside the EEA - solely on documented instructions or written permission from the Controller.
13. Erasure and return of the data
After the completion of the processing on behalf of the Controller, the Processor shall, at the choice of the Controller, return or delete all personal data and their copies and attest to the deletion of the personal data, unless there is a requirement to store the personal data under a law to which the Processor is subject. In the case of such a legal requirement, the Processor shall notify the Controller in writing of its legal obligation and of the envisaged period of the data processing.
If the Controller decides to delete the Application, the Processor ensures that all data is deleted from its servers and, as the backups are stored separately for each customer, that the data is deleted from all of the Processor’s backups as well.
After the termination of the Principal Agreement, customer account information is retained by the Processor for 30 days; after this period the account information is irrecoverably deleted.
14. Contact with third parties
The Processor commits itself not to disclose information about the data processing under this DPA to anyone without the specific written authorisation of the Controller or a specific legislative obligation.
15. Limitations of Liability of the Processor
The liability of the Processor under this DPA will not exceed the amount the Controller actually paid to the Processor under the Principal Agreement, for the service that gave rise to the claim, during the 12 months before the liability arose.
16. Breach of contract
Severe breaches of the essential contractual obligations set out in this DPA committed by the Processor or by a subprocessor shall be deemed to be a serious breach of the Principal Agreement’s obligations, and the Controller has the right to terminate the Principal Agreement with reference to the breach of contract.
17. Jurisdiction
This agreement and any dispute or claim (including non-contractual disputes or claims) in connection with this agreement shall be governed by the laws of Hungary and shall be subject to the exclusive jurisdiction of the courts of Hungary.
A. Records of processing activities performed by the Processor
The subject matter of the data processing - The nature and purpose of the data processing
After installing the Timetracker for Jira Cloud application, users, as employees, can track their worked hours on a dedicated page and functionality in Jira. Each employee can submit the date, time and duration of their work with an additional description of what they worked on. Timetracker for Jira Cloud also provides reporting options to analyse a team’s work. Employees who have the necessary permission can query the logged work of other employees and create custom reports.
The period of the data processing
If the Controller decides to delete the Application, all data will be deleted from the servers of the Processor and, as the backups are stored separately for each customer (controller), all data will be deleted from all of the Processor’s backups as well. After the termination of the Principal Agreement, customer account information is retained by the Processor for 30 days; after this period the account information is irrecoverably deleted.
Type of the personal data
User/account ID (identification number of the user), worklog description, daily working hours of the employee, information registered by employees with the worklog.
Categories of the data subjects
Employees who manage their working hours as users in a given Jira application.
B. List of the approved subprocessors
The Processor can engage the following subprocessor(s):
Amazon Web Services EMEA SARL [company seat: 38 Avenue John F. Kennedy, L-1855, Luxembourg]
https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf