Data Protection Agreement
An appendix to Moticheck SaaS Agreement and Terms of Service
Parties and Roles
Moticheck acts as the Processor of the data provided by the Customer, hereinafter referred to as the Controller. The Processor and Controller have entered into a comprehensive agreement (SaaS Agreement) wherein the Processor provides SaaS services to the Controller. For the execution of the SaaS Agreement, the Processor processes the personal data of the Users defined in the SaaS Agreement (Data Subjects). The parties are entering into this Data Processing Agreement (hereinafter referred to as the Agreement) to facilitate the performance of the SaaS Agreement and to ensure the protection of personal data in compliance with applicable laws, including the requirements outlined in the Regulation (EU) 2016/679 of the European Parliament and the Council (GDPR).
Types of Personal Data Processed
The Processor will process the following personal data of the Data Subjects:
- First and last name
- Email address and/or phone number
- Work position as an officer of the Controller
- Role as an officer of the Controller (manager, non-manager)
- Start date of employment (and/or other types of professional relationships) with the Controller
- Location (country)
- Language preferences
- Other parameters applied by the Controller to characterize Data Subject’s role and/or status in Controller (e.g., intern, part-time employee, disabled person, underage employee, rented workforce).
Data Subjects
The personal data processed pertains to employees of the Controller and individuals providing services to the Controller under a services contract (hereinafter referred to as staff), who are authorized to access and use the Service on behalf of the Controller under clause 3.3 of the SaaS Agreement.
Purpose of Processing
The processing aims to enable the Controller to engage Data Subjects to provide feedback on their employee experience and contribute to organizational and personal development using the SaaS Service.
Processing Activities
The personal data transferred will undergo the following basic processing activities:
- Sending out messages with feedback questions
- Sending out messages with reports
- Sending out messages concerning the setup of the service for the particular Data Subjects
- Sending out messages concerning the setup of the service for the Controller
- Combining results according to the organizational structure of the Controller, User roles, and applied filters
- Validating user rights using one-time-password or single sign-in options enabled by the Controller
- Managing access to the SaaS Service.
Processing of Personal Data
The Processor commits to processing the personal data of the Data Subjects in compliance with the Agreement, SaaS Agreement, applicable law, and reasonable standard instructions given by the Controller. In case of uncertainty about processing requirements, the Processor shall seek guidance from the Controller.
The Processor shall not retain, use, transfer to third parties, or process the personal data of the Data Subjects in any other manner than specified in the Agreement and SaaS Agreement, except when the Processor processes such personal data on a separate legal basis and as an independent controller. The Processor warrants that its IT solutions and measures enable the safe and secure use of data, restricting access to third parties. The Processor will promptly notify the Controller of any proceedings initiated concerning the processing of the personal data of the Data Subjects and provide detailed information upon request.
The Processor shall make reasonable efforts to limit third-party access to the personal data of the Data Subjects, especially clients and personnel without the respective access privileges.
If the Processor intends to introduce changes to its working processes that could significantly impact the processing of personal data, it shall notify the Controller promptly and support the Controller in fulfilling GDPR obligations resulting from such changes.
In the event of a personal data breach, the Processor shall promptly notify the Controller and assist the Controller in fulfilling notification obligations towards authorities. Upon termination of the Agreement or when the processing of personal data is no longer necessary, the Processor shall mask or anonymize all processed personal data unless otherwise required by law.
The Controller, in accordance with national laws and the terms of the professional relationship, decides the duration of processing. The Controller has the technical capability to delete personal data according to its regulations when no longer necessary for processing purposes. After deletion, the data will be automatically removed from backups within 365 days.
Upon consultation, the Controller has the right to carry out inspections or have them conducted by an auditor to verify the Processor’s compliance with this Agreement. The Processor shall provide necessary information upon request and facilitate audits, including inspections.
Obligations of the Processor
The Processor shall:
- Process personal data only based on documented instructions from the Controller (Article 29 GDPR).
- Ensure persons authorized to process personal data commit to confidentiality (Article 28(3)(b) GDPR).
- Implement measures pursuant to Article 32 of GDPR.
- Respect conditions for engaging another Processor per Article 28(2) GDPR.
- Assist the Controller with technical and organizational measures for fulfilling data subject rights (Article 28(3)(a) GDPR).
- Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of GDPR.
- At the Controller’s choice, delete or return all personal data after the end of service provision and provide necessary information for demonstrating compliance with obligations under Article 28 of GDPR.
- Allow and contribute to audits, including inspections, by the Controller or another auditor appointed by the Controller.
- Immediately inform the Controller if an instruction infringes GDPR or other Union or Member State data protection provisions (Article 28(3)(e) GDPR).
Sub-processors
The Processor may subcontract processing activities to third parties without prior consent from the Controller. If a subcontractor is used, a written agreement must be concluded, ensuring obligations equal to those stipulated in the Agreement and SaaS Agreement. The Processor must keep an exclusive list of sub-processors, remain liable for sub-processors acts and omissions regarding data protection, and enter into contractual arrangements binding sub-processors to provide the same level of data protection and information security as outlined in this Agreement. The Controller provides the Processor with general written authorization for engaging sub-processors and must be informed of any intended changes.
The list of sub-processors is located at https://moticheck.com/sub-processors
Requests by Data Subjects
The Processor shall establish adequate possibilities and processes for Data Subjects to exercise their rights. The application process shall ensure a clear understanding of the GDPR right the Data Subject wishes to exercise, with effective identity verification.
If a Data Subject wishes to exercise the right of access or rectification, the Processor shall independently grant the exercise of such rights, following the requirements set out in this Agreement. For other rights arising from GDPR, the Processor shall direct the Data Subject to the Controller.
In case of requests from supervisory authorities or other third parties not being Data Subjects, the Processor shall promptly notify the Controller and jointly agree on an action plan.
The Processor shall establish an adequate application process and a secure manner for providing information concerning the exercise of rights to Data Subjects.
Liability
The Processor shall be liable for damages resulting from actions or omissions concerning the processing of personal data by itself or its subcontractors. If a legitimate claim is submitted to the Controller based on the actions or omissions of the Processor or its subcontractor, the Processor shall indemnify the Controller.
Final Provisions
The Agreement is valid in accordance with the SaaS Agreement. All previous agreements connected to processing personal data that contradict this Agreement shall lapse upon its conclusion. In case of contradictions between the SaaS Agreement and this Agreement regarding the processing of personal data, this Agreement shall take precedence.
All amendments to the Agreement shall be made in writing. Notices related to the Agreement shall be forwarded to the email of the other party.
Updated February 2024