DATA PROCESSING AGREEMENT
This Data Processing Agreement (the “DPA”) is entered into by:
- Teamscope’s customer identified on the account registration for Teamscope’s services (“Controller”); and
- Teamscope OÜ (“Processor”), registry code 14469427, legal address Harju county, Tallinn, Kentmanni 6-119, 10141.
This DPA governs the processing of personal data that the Processor processes on behalf of the Controller and that the Controller provides to the Processor.
This DPA is incorporated into the services contract (“Agreement”) previously executed by Controller and Processor.
“Controller’s Personal Data” means Personal Data that Processor processes on behalf of Controller, or that Controller provides to Processor, in connection with its use of Controller’s services.
“Data Protection Requirements” means the General Data Protection Regulation, Local Data Protection Laws, any subordinate legislation and regulation implementing the General Data Protection Regulation.
“EU Personal Data” means Personal Data of which the sharing pursuant to this DPA is regulated by the General Data Protection Regulation and Local Data Protection Laws.
“General Data Protection Regulation” means the European Union Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the General Data Protection Regulation which may apply to this DPA.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It includes data that Controller chooses to provide to Processor.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller’s Personal Data.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Process” and its cognates mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-processor” means any entity which provides processing services to Processor in furtherance of Processor’s processing on behalf of Controller.
“Supervisory Authority” means the Estonian Data Inspectorate.
NATURE OF DATA PROCESSING
Processor is a data processor that processes data on behalf of the Controller. Controller is a data controller. Processor agrees to process Personal Data received under the DPA only for the purposes set forth in this DPA. For the avoidance of doubt, the categories of Personal Data processed are described in Annex A to this DPA.
COMPLIANCE WITH LAWS
The parties shall each comply with their respective obligations under all applicable Data Protection Requirements.
Controller agrees to:
- Provide instructions to Processor and determine the purposes and general means of Processor’s processing of Controller’s Personal Data in accordance with this DPA;
- Comply with its data protection, security and other obligations with respect to Controller’s Personal Data prescribed by Data Protection Requirements for data controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of Controller; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this DPA by its personnel or by any third-party accessing or using Controller’s Personal Data on its behalf.
- Controller is responsible for obtaining consent from data subjects, where applicable. Consent is an indication from the data subject to allow their Personal Data to be processed by Controller. Consent needs to be in a written or electronic form.
Processor will:
- Process Controller’s Personal Data (i) only for the purpose of providing, supporting and improving Processor’s services, using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Controller. Processor will not use or process the Controller’s Personal Data for any other purpose. Processor will promptly inform Controller if it cannot comply with the requirements under Sections 5-8 of this DPA, in which case Controller may terminate this DPA or take any other reasonable action, including suspending data processing operations;
- Inform Controller promptly if, in Processor’s opinion, an instruction from Controller violates applicable Data Protection Requirements;
- Take commercially reasonable steps to ensure that persons employed by it and other persons engaged to perform on Processor’s behalf comply with the terms of this DPA;
- Ensure that its employees, authorized agents and any Sub-processors are required to comply with, acknowledge and respect the confidentiality of the Controller’s Personal Data, including after the end of their respective employment, contract or assignment. The Processor and any person acting under its authority who has access to Controller’s Personal Data shall not process that data except on instructions from the Controller (including under the powers granted by this DPA), unless they are required to do so by law;
- Upon request, provide Controller with a summary of Processor’s privacy and security policies or other documented evidence that the Processor has implemented necessary technical and organisational measures;
- Inform Controller if Processor undertakes an independent security review.
- Maintain appropriate organisational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Controller’s Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Controller’s Personal Data;
- Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Processor personnel with respect to Controller’s Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
- Take reasonable steps to confirm that all Processor personnel are protecting the security, privacy and confidentiality of Controller’s Personal Data consistent with the requirements of this DPA; and
- Notify Controller of any Personal Data Breach by Processor, its Sub-processors, or any other third parties acting on Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
Processor will inform Controller if Processor becomes aware of:
- Any non-compliance by Processor or its employees with Sections 5-8 of this DPA or the Data Protection Requirements relating to the protection of Controller’s Personal Data processed under this DPA;
- Any legally binding request for disclosure of Controller’s Personal Data by a law enforcement authority, unless Processor is otherwise forbidden by law to inform Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
- Any notice, inquiry or investigation by a Supervisory Authority with respect to Controller’s Personal Data; or
- Any complaint or request (in particular, requests for access to, rectification or blocking of Controller’s Personal Data) received directly from Controller’s data subjects. Processor will not respond to any such request without Controller’s prior written authorization.
Processor will provide reasonable assistance to Controller regarding:
- Any requests from Controller’s data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Controller’s Personal Data that Processor processes for Controller. In the event that a data subject sends such a request directly to Processor, Processor will promptly send such request to Controller. Such requests shall be fulfilled by the Processor in accordance with documented instructions by the Controller without undue delay.
- The investigation of Personal Data Breaches and the notification to the Supervisory Authority and Controller’s data subjects regarding such Personal Data Breaches; and
- Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
Processor may claim a reasonable fee for support services which are not included in the description of the services and which are not attributable to failures on the part of the Processor.
- If Processor is required by Data Protection Requirements to process any Controller’s Personal Data for a reason other than providing the services described in the DPA, Processor will inform Controller of this requirement in advance of any processing, unless Processor is legally prohibited from informing Controller of such processing (e.g. as a result of secrecy requirements that may exist under applicable EU member state laws).
- If Processor intends to engage Sub-processors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Sub-processors, Processor must (i) keep a list of Processor’s Sub-processors and obtain the prior written consent of Controller to such subcontracting (such consent should not be unreasonably withheld), except for the sub-processors listed in the Annex A; (ii) remain liable to Controller for the Sub-processors’ acts and omissions with regard to data protection where such Sub-processors act on Processor’s instructions; and (iii) enter into contractual arrangements with such Sub-processors binding them to provide the same level of data protection and information security to that provided for in this DPA.
LIABILITY AND AUDITS
- Any person who has suffered material or non-material damage as a result of an infringement of Data Protection Requirements, has the right to receive compensation for the damage suffered. The party responsible for the event giving rise to the damage must compensate the damage to the data subject.
- Controller shall be liable for the damage caused by processing which infringes the Data Protection Requirements. Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the Data Protection Requirements specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
- Controller or Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
- If a Supervisory Authority requires an audit of the data processing facilities from which Processor processes Controller’s Personal Data to ascertain or monitor Controller’s compliance with Data Protection Requirements, Processor will cooperate with such audit. Controller is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Processor expends on any such audit, in addition to the rates for services performed by Processor.
- Upon consultation with the Processor, the Controller has the right to carry out inspections or to have them carried out by an auditor to be designated on a case-by-case basis. The auditor shall have the right to assess the Processor’s compliance with this DPA in its business operations by means of random checks, which are ordinarily to be announced in advance.
- Processor shall allow the Controller to verify compliance with its obligations as provided by the General Data Protection Regulation. Processor undertakes to give the Controller the necessary information on request and, in particular, to demonstrate the implementation of the technical and organisational measures.
- Processor may charge a reasonable fee to the Controller for enabling inspections.
EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union or the European Economic Area and any movement of EU Personal Data to a non-EU country requires the prior written consent of Controller and shall only be carried out at the specific conditions set forth by Article 44 et seq. GDPR.
DATA RETURN AND DELETION
Processor shall not create copies or duplicates of Controller’s Personal Data without the Controller’s knowledge and consent, except for backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
The parties agree that on the termination of the data processing services or upon Controller’s reasonable request, Processor shall, and shall cause any Sub-processors to, at the choice of Controller, return all the Controller’s Personal Data and copies of such data to Controller or securely destroy them and demonstrate to the satisfaction of Controller that it has taken such measures, unless Data Protection Requirements prevent Processor from returning or destroying all or part of the Controller’s Personal Data disclosed. In such case, Processor agrees to preserve the confidentiality of the Controller’s Personal Data retained by it and that it will only actively process such Controller’s Personal Data after such date in order to comply with applicable laws.
THIRD PARTY DATA PROCESSORS
Controller acknowledges that in the provision of some services, Processor, on receipt of instructions from Controller, may transfer Controller’s Personal Data to and otherwise interact with third-party data processors. Controller agrees that if and to the extent such transfers occur, Controller is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with Data Protection Requirements. For the avoidance of doubt, such third-party data processors are not Sub-processors.
This DPA shall remain in effect as long as Processor carries out Personal Data processing operations on behalf of the Controller or until the termination of the Agreement. All Personal Data has to be returned or deleted in accordance with Section 8 above.
This DPA shall be governed by the laws of Estonia and any action or proceedings related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Harju County Court, Tallinn, Estonia.
DESCRIPTION OF THE PROCESSING
- Data Subjects. The personal data processed concerns the following categories of data subjects:
- Controller’s employees
- Controller’s candidates
- Purposes of the processing. The processing is intended to enable Controller to do the following:
- Use the Teamscope application for team assessment, candidate evaluation, onboarding, and leadership development purposes.
- Categories of Data. The personal data processed concerns the following categories of data:
Personal data from the reports based on questionnaires as available in https://teamscope.io/.
- Recipients. The personal data processed may be disclosed only to the employees and representatives of Processor, who have a legitimate business purpose for the processing of such personal data.
- Infrastructure providers and sub-processors
Infrastructure providers and sub-processors are Google LLC and Microsoft Corporation.
- Data Retention
Upon termination of the employment contract, the Controller must inform the Processor and request that the personal data (including the questionnaires and reports) of such employee be deleted. Upon request from the employee during the work relationship, the Controller shall also inform the Processor and request that the personal data of such employee be deleted.
If the candidate is not hired, the personal data (including the questionnaires and reports) of such candidate shall be retained for a year according to the Equal Treatment Act § 25. If the time limit of one year is exceeded, the Controller must inform the Processor and request that the personal data of such candidate be deleted.
If there is a labour dispute arising out of the employment relationship, then the time limit for retaining personal data (including reports and questionnaires) with the Processor is four months from the time the employee became or should have become aware of the violation of his or her rights. If the time limit of four months is exceeded, the Controller must inform the Processor and request that the personal data of such employee be deleted.
- Additional Useful Information
The Privacy Notice for the employees and candidates is available at the Processor’s website https://teamscope.io/privacy-policy/.
- Contact Information
Contact points for data protection enquiries:
Processor’s email: firstname.lastname@example.org
Processor: Signatory to the DPA between the parties
Controller: Signatory to the DPA between the parties