Introduction to Data Processing Agreement
This Data Processing Agreement (“DPA”) forms the basis for the relationship between you, the Customer, as Data Controller, and DAYquiri, the Service Provider, as Data Processor under Data Protection Legislation, specifically the General Data Protection Regulation (“GDPR”).
It is an important Agreement, forming the contractual basis for us processing data on your behalf. It explains how your data may be processed and its purpose. We process your personal data only as required and, on your instructions, as outlined in the Agreement.
Because of the volume of our customer base, it would be impossible to enter into individually signed agreements with each and all of our Users. We also hope that the ease of agreement to this DPA will ensure that the acceptance of the new Terms, to satisfy the GDPR, will be less time consuming for you as a busy business owner.
Data Processing Agreement
Customer name (hereinafter “the Customer” or “Data Controller”) [This information will be automatically filled in once you have completed your registration]
DAYquiri GmbH, Freier Platz 10, 8200 Schaffhausen, Switzerland (hereinafter “zistemo” or “Data Processor”)
each a “party”; together “the parties”,
HAVE AGREED to the terms of this Data Processing Agreement (hereinafter the “DPA” or “Agreement”) on Personal Data Protection regarding the processing of Personal Data when the Customer is acting as Data Controller and zistemo is acting as Data Processor, to fulfill the service obligations outlined in the Services Agreement (detailed below). As part of the fulfilment of those service obligations, zistemo will process certain Personal Data on behalf of the Data Controller, in accordance with the terms of this contract. Each party agrees and will ensure that the terms of this contract shall also be fully applicable to its Affiliates which may be involved in the processing operations of Personal Data for the project defined in the Services Agreement. Specifically, zistemo will ensure that all Sub-Processors operate within the same terms as this Agreement when processing Customer’s Personal Data.
Introduction and Definitions:
Personal Data is defined as any information relating to a data subject by which it can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person or legal entity (where applicable)
All other definitions referred to herein, including the terms Data Controller and Data Processor, are as determined by the relevant Data Protection laws, including EU General Data Protection Regulation 2016/679 of 27 April 2016 (hereinafter “GDPR”).
Sensitive Personal Data is not deemed to be processed under the Application Service offered by the Data Processor and so is excluded from the terms of this Agreement.
The purpose of zistemo’s processing of Personal Data for the Customer is to ensure the Customer’s full use of the Service and to allow this Agreement to be fulfilled. zistemo ensure that sufficient security of Personal Data is maintained at all times.
Both parties confirm their Authority to sign the Agreement by so doing.
Data Processor Responsibilities:
The Data Processor must handle all personal data on behalf of the Data Controller and following their instructions. By entering into this Agreement, zistemo (and any sub-processors whom the Data Processor has legal agreement for services with) is instructed to process Personal Data of the Customer:
- In accordance with all applicable data privacy laws
- To fulfil its obligations under the Terms for the Service Application
- as further instructed by the Data Controller
- as described in this Agreement
As part of providing the Application, the Data Processor is required to always provide the Customer with adequate solutions to accompany continued development of their business by using the service. The Data Processor tracks how the Customer use the Application in order to make the best suggestions, to provide relevant services at all times and to engage in sending the most accurate communications to aim towards continued ease of use and satisfaction. As far as the processing of personal data from the Application form part of this, they are processed only in accordance with this DPA and applicable law and are shared only as required to provide a better experience for the Customer.
If the data processor believes that an instruction of the data controller violates the GDPR or other data protection regulations, the data processor will inform the data controller immediately.
Taking into account the available technology and the cost of implementation, as well as the scope, context and purpose of the Processing, the Data Processor is required to take all reasonable measures, including technical and organizational measures, to ensure a sufficient level of security in relation to the risk and the category of Personal Data to be protected (art. 32 GDPR). The Data Processor shall assist the Data Controller with appropriate technical and organizational measures as required and taking into account the nature of the treatment and the category of information available to the Data Processor to ensure compliance with the Data Controllers obligations under applicable Data Protection laws (obligation to respond to applications according to Chapter III GDPR / art. 32-36 GDPR). The Data Processor shall notify the Data Controller without undue delay if the Data Processor becomes aware of a security breach.
In addition, the Data Processor shall, as far as possible and legally, inform the Data Controller if a request for information on data held is requested (Data Access Request) by any bodies to whom they should provide it. The Data Processor will respond to such requests once authorized by the Data Controller to do so. The Data Processor will also not disclose information about this Agreement unless the Data Processor is required by law to do so, such as by court order.
If the Data Controller requires information or assistance regarding the security of data, documentation or information about how the Data Processor processes Personal Data generally, they can request this information of the Processor.
The data processor, its employees and any Affiliates, shall ensure confidentiality in relation to Personal Data processed under the Agreement. This provision continues to apply after termination of the Agreement, regardless of the cause of termination.
Data Controller Responsibilities:
The Data Controller confirms, by signing this agreement, that they shall, when using the Application, be able to freely process their data once in line with all Data Protection legal requirements including GDPR. They are giving explicit consent to the processing of their Personal Data at all times when using the Service.
The Data Controller can revoke this consent at any stage, but by doing so terminates the Agreement in place and the Data Processor will no longer be able to provide Service.
The Customer has a legal basis for processing the Personal Data with the Data Processor (including any sub-processors) with the use of zistemo’s services.
The Data Controller is responsible at all times for the accuracy, integrity, content and reliability of the Personal Data Processed by the Data Processor. They have fulfilled all mandatory requirements in relation to notification to, or obtaining permission from, the relevant public authorities regarding the Processing of Personal Data. They have further fulfilled their disclosure obligations to the relevant authorities regarding the processing of Personal Data in accordance with all applicable data protection legislation.
The Data Controller must have an accurate list of the categories of Personal Data it processes, particularly if such processing differs from the categories listed by the Data Processor in Appendix A.
The Data Controller hereby grants general consent to the commissioning of subcontractors in connection with the processing of data.
The Data Processor undertakes to inform the Data Controller of any change regarding the involvement or replacement of further subcontractors. Provided that the Data Controller does not object within two weeks, the involvement or replacement will be deemed approved. ln the case of an objection, the Data Processor may terminate the DPA subject to no less than two weeks’ notice. ln this case, the Data Processor is no longer obligated to provide those services that involve the processing of persona! customer data on behalf of the Data Controller. The remaining provisions of the Main Agreement remain unaffected by the termination of the DPA.
Furthermore, the Data Processor is obliged
- to ensure, by written agreement, that all subcontractors are in substance bound by the same obligations that apply to the Processor under this DPA.
- to assume liability to the Data Controller if a subcontractors fails to comply with his data protection obligations under the written agreement within the meaning of section a).
International Data Transfers
The Data Processor may process persona! data within the European Economic Area (“EEA”) or in countries where the European Commission decided that they ensure an adequate level of protection.
The Data Processor may only transfer persona! data to subcontractors established in countries that the European Commission does not deem to ensure an adequate level of data protection if the Data Processor ensures that the requirements set forth in Chapter V of the GDPR are complied with, in particular by concluding Module 3 of the Standard Contractual Clauses adopted by the EU Commission (Decision 2021/914/EU) with the subcontractors.
Should the Standard Contractual Clauses adopted by the EU Commission (Decision 2021/914/EU) be invalidated, replaced, annulled or otherwise designed in such a way that they no longer constitute adequate safeguards for data transfers to third countries, the Parties undertake to find an alternative solution that complies with the applicable data protection laws and ensures the lawfulness of transferring the persona! data to third countries.
Technical and Organizational Measures (TOM)
The Data Processor undertakes to take the necessary technical and organizational measures to ensure compliance with the applicable data protection laws and this DPA. An overview of technical and organizational measures taken by the Processor is included in Annex B. The Data Controller confirms that the technical and organizational measures provided in Annex B are adequate.
The Data Processor is obliged to notify the Data Controller of any significant changes to the technical or organizational measures. The Processor will ensure that such changes will not result in a lower level of protection.
Duration of the Agreement:
The agreement remains valid as long as the Data Processor processes Personal Data with the Data Processor’s use of the Service Application and unless it is replaced by another signed DPA which communicates its precedence over this Agreement.
Termination of the Agreement:
Upon termination of any subscription the data controller can also delete all his account’s data. Upon the execution of the data deletion procedure initiated by the data controller, the Data Processor deletes all Personal Data, except that which they are required to retain under any applicable legal requirements and in such case will be held in accordance with the technical and organizational safeguards within DAYquiri.
The Data Controller has full capability to retrieve all of their Personal Data within the Service Application. If the Data Controller requests data retrieval assistance, the associated costs shall be determined in agreement between the Parties and shall be based on the complexity of the requested process and the time to fulfil it in the chosen format.
Changes to the Agreement:
Changes to the Agreement must be enclosed in a separate Annex to the Agreement. If any of the provisions of the Agreement are deemed invalid, this does not affect the remaining provisions. The parties shall replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.
The Data Controller is entitled to initiate a review of the Data Processor's obligations under the Agreement once a year. If the Data Processor is required to do so under applicable legislation, audits may be repeated once a year. A detailed audit plan must be provided detailing the scope, duration and start date at least four weeks prior to the proposed start date. The Parties decide together if a third party should conduct the audit. However, the Data Controller may allow the Data Processor to have the security review by a neutral third party of the Data Processor's choice if it is a processing environment where multiple data controller data is processed.
If the proposed scope of the audit follows an ISAE, ISO or similar certification report conducted by a qualified third-party auditor within the previous twelve months and the Data Processor confirms that there have been no material changes in the measures under review, this will satisfy any requests received within such time frame. Audits may not unreasonably interfere with the Data Processor's business as usual activities. The Data Controller is responsible for all costs associated with their request for audit review.
Responsibilities and Jurisdictions:
Liability for actions arising from breach of the provisions of this Agreement is governed by liability and compensation provisions in the Subscription Terms at section 13. This also applies to any violation by the Data Processor Sub-Processors. This Agreement is governed by the Courts of the United Kingdom who shall have exclusive jurisdiction to determine any dispute concerning same.
Categories of Personal Information and Usual Processing Categories
A. Purpose of processing
- Purpose of accounting
- Proper accounting
- Personnel administration
- Care and administration of employee data
- Care and administration of customer data
- Maintenance and management of supplier data
- Documentation of working hours
B. Categories of Personal Information
- Telephone number(s)
- Email address(es)
- Any account numbers and/or bank details
C. Usual Processing Categories
- The Data Controller’s Employees
- The Data Controller’s Employees Position
- The Data Controller’s Employees Department
- The Data Controller’s Employees Working Time(s)
- The Data Controller’s Employees Vacations
- The Data Controller’s Contacts (telephone/email/addresses/etc)
- The Data Controller’s Customers
- The Data Controller’s Banking information
- Their Customer’s Employees
- Their Customer’s Contacts (telephone/email/addresses/etc)
- Their Customer’s Customers
- Their Customer’s Customers Banking information
- Their Vendor’s Contacts (telephone/email/addresses/etc)
- Their Vendor‘s Customers Banking information
Annex B Technical and Organizational Measures “TOM”