DATA PROCESSING AGREEMENT BETWEEN JOINT CONTROLLERS
This Data Processing Agreement ("DPA") between Joint Controllers shall apply to you, i.e. the contracting party signing up for an account at
WorkMotion Platform via our website www.workmotion.com and using our Internet HR tech platform (hereinafter “Platform”) and our digital
services as described in more detail in the Terms & Conditions (hereinafter “Client”) and WorkMotion Software GmbH, registered at Richard-
Ermisch-Str. 7, 10247 Berlin, Germany (hereinafter “WorkMotion”).
Hereinafter collectively referred to as « Joint Controllers » or the « Parties », and individually referred to as « Party ».
This Data Processing Agreement is part of the WorkMotion T&C (“T&C”) for the use of the Platform.
THE FOLLOWING HAS BEEN AGREED:
1. Definitions
All terms and expressions related to the protection of Personal Data that are
used in this DPA and identified by capital letters, whether used in singular or
in plural, shall be interpreted in accordance with Data Protection Regulation.
Joint Controllers: Client, WorkMotion
Joint Processing: the Personal Data Processing activity/ies whose purposes
and means are jointly determined by the Joint Controllers, and described in
Annex 1. For the sake of simplicity, the term is used in the singular despite
the fact that it could cover several Joint Processing activities defined and implemented.
The Data Protection Regulation: any provision of a legislative or regulatory
nature, European or national, resulting in particular from Regulation (EU)
2016/679 of 27 April 2016 on the protection of natural persons with regard to
the Processing of Personal Data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation), as well
as any other EU or domestic regulations applicable in this field.
“Personal Data”, “Controller”, “Data Controller”, “Data Processor”,
“Data Subject”, “Personal Data Breach”, “Process”, “Processing”,
“Processor”, “Supervisory Authority” and “Third Country”, written in
singular or in plural, shall bear the respective meanings given to them in the
Data Protection Regulation.
2. Purpose of the DPA
The purpose of this DPA is to determine the respective obligations of the Joint
Controllers in order to ensure compliance with the Data Protection Regulation
when carrying out the Joint Processing.
The nature and purpose of the Joint Processing is related to the hiring,
onboarding, managing and paying international employees via the Platform.
Categories of Personal Data:
Contact data (e.g. email, phone number), Content data (e.g. texts,
photographs, videos), Payment data (e.g. bank account, payment history),
Usage data (e.g. access times, log files), Employee master data (e.g. names,
addresses, salary group, tax classification), Application data (e.g. names,
contact data, qualifications, application relevant data)
Special categories of Personal Data:
Personal data revealing religious or philosophical beliefs; Data concerning
health
Categories of Data Subjects:
Applicants, Employees, Freelancers
3. Duration of the DPA
This DPA enters into force upon acceptance by the Parties and shall apply
for as long as the T&C remain in force.
4. Obligations of the Joint Controllers
4.1. Compliance with the Data Protection Regulation by each Joint
Controller
The Joint Controllers recognise that they have full knowledge of the
obligations that apply to them pursuant to the Data Protection Regulation in
their role of Joint Controllers for the Joint Processing described in Annex 1.
For this reason, the Joint Controllers undertake to:
- respect and comply with these obligations in every country where the
Joint Processing is carried out;
- implement a register of the Joint Processing of Personal Data as required
under the Data Protection Regulation;
- document their compliance and make the documentation available to the
other Party upon simple request;
- inform each other of any proven or potential error, irregularity, omission
or alleged Personal Data Breach to Data Protection Regulation to which
the present DPA applies;
- update the conditions for carrying out the Joint Processing when needed,
having regard to the changes in the Data Protection Regulation.
Each Party undertakes to ensure its own compliance and the compliance of
its staff and its processors (where applicable) with the following obligations:
- to process Personal Data for the sole purposes of the Joint Processing;
- to ensure the confidentiality of Personal Data processed under this DPA;
- to make sure that the people authorised to process Personal Data:
  - only access the Personal Data necessary for the fulfilment of their
    duties according to their roles and to the needs of the present DPA;
  - are subject to an adequate confidentiality obligation;
  - have received appropriate training in data protection.
- to communicate to the other Party, upon simple request and without
delay, all the information and documents proving compliance with its
obligations under the Data Protection Regulation;
- to define, adopt and keep updated the necessary technical and
organisational measures to ensure an appropriate level of data security
and confidentiality for the part of the Joint Processing that is under its
responsibility. The measures thus implemented are described in Annex
2;
- to define and adopt the internal procedures that are necessary for
complying with its obligations;
- to ensure, where appropriate, the deletion of Personal Data at the end of
the retention period.
4.2. Obligation of information
Each Joint Controller shall provide to Data Subjects the information required
by the Data Protection Regulation, according to the conditions and deadlines
prescribed by the Data Protection Regulation.
4.3. Managing Data Subjects’ rights
In this section, the term « rights » shall mean any right granted to Data
Subjects by the Data Protection Regulation, such as the right to access, to
rectify, to delete and, where appropriate, to limit, to make portable, to object
and to withdraw consent.
In compliance with the Data Protection Regulation, a Data Subject may
exercise their rights against each Joint Controller or against both Joint
Controllers.
Notwithstanding the above, the Parties agree that it shall fall upon:
- WorkMotion to follow up and to manage relations with Data Subjects
pursuant to any enquiries that are related to the Joint Processing,
according to the conditions and deadlines prescribed by the Data
Protection Regulation;
In order to allow for a correct management of enquiries, Client undertakes to:
- transfer without delay any request or enquiry that was directly received
to the Party that is responsible for managing enquiries (mentioned
above);
- where appropriate, provide all information relating to the part of the Joint
Processing that is under its responsibility, where such information is
necessary to the follow-up and the management of a Data Subject’s
request;
- ensure necessary measures are implemented.
4.4. Management of Data Breaches
The Joint Controllers undertake to define and implement the internal procedures
necessary to manage Personal Data Breaches according to the Data Protection
Regulation.
The Joint Controllers undertake to inform each other without delay of any
Personal Data Breach affecting the Joint Processing in whole or in part and