Data Processing Agreement

BETWEEN:

The entity listed in the agreement in which this Data Processing Agreement is referenced pursuant to which such entity has procured services from WFS (the “Agreement”) (hereinafter to be referred to as: the “Data Controller”),

AND

The WorkForce Software entity which is a party to the Agreement, which is one of the following:

WorkForce Software Limited a company registered in England and Wales with registered company number 02016236 and whose registered office address is Precedent Drive, Rooksley, Milton Keynes, Buckinghamshire, England, MK13 8PP (hereinafter to be referred to as: the “Data Processor” or “WFS”).

OR

WorkForce Software, LLC, a limited liability company under the laws of the State of Delaware in the United States, having its registered office in Wilmington, Delaware at 2711 Centerville Road, Suite 400 and principal place of business in Livonia, Michigan at 38705 Seven Mile Road, Suite 300 (hereinafter to be referred to as: the “Data Processor” or “WFS”).

OR

WFS Australia Pty Limited (ACN 101 255 387) trading as WFS Australia having offices at Level 18, 111 Pacific Hwy, North Sydney, NSW 2060 (hereinafter to be referred to as: the “Data Processor” or “WFS”).

OR

WorkForce Software, Inc., Suite 1700, Park Place, 666 Burrard Street, Vancouver, BC V6C 2X8 (hereinafter to be referred to as: the “Data Processor” or “WFS”).

OR

WorkForce Software Limited, a company registered in New Zealand, having its registered office at 18 Viaduct Harbour Avenue, Auckland Central, Auckland, 1010 , New Zealand (hereinafter to be referred to as: the “Data Processor” or “WFS”).

OR

WorkForce Software PTE. LTD., 111 North Bridge Road, #07-11, Peninsula Plaza 179098, Singapore (hereinafter to be referred to as: the “Data Processor” or “WFS”)

OR

WorkForce Software WFS Sociedad De Responsabilidad Limitada, Parque Empresarial Fórum 1, Edificio E, 2do piso, Santa Ana, Costa Rica, 10903 (hereinafter to be referred to as: the “Data Processor” or “WFS”).

The Data Processor and the applicable Data Controller are referred to herein individually as a “Party” and collectively as the “Parties.”

THE PARTIES HEREBY AGREE AS FOLLOWS:

This Data Processing Agreement forms part of and is hereby incorporated into the Agreement by reference. Any capitalized terms not otherwise defined in this Data Processing Agreement shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Subject matter of this Data Processing Agreement

1.1 This Data Processing Agreement applies to the Processing of Personal Data with respect to the Parties’ rights and obligations regarding data processing under the current Agreement by and between WFS and the Data Controller (“Services”).

1.2 The term “Data Protection Law” shall mean applicable data protection and privacy legislation, regulations and guidance as amended, adopted, or superseded from time to time, including but not limited to: the UK Data Protection Act 2018 (or all applicable legislation enacted in the United Kingdom in respect of the protection of personal data), Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR“), the Privacy and Electronic Communications (EC Directive) Regulations 2003, the California Consumer Privacy Act (“CCPA”), New Zealand’s Privacy Act 2020, Australia’s Privacy Act 1988 (Cth), and Singapore’s Personal Data Protection Act 2012.

1.3 Any capitalized terms not otherwise defined in this Data Processing Agreement shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. Other terms used in this Data Processing Agreement shall have meanings ascribed to them in GDPR, but shall apply irrespective of whether or not GDPR is applicable. This includes, but is not limited to, “Processing”, “Personal Data”, “Data Subject”, and “Personal Data Breach.”

1.4 Insofar as the Data Processor will be processing Personal Data subject to Data Protection Law on behalf of the Data Controller in the course of the performance of the Agreement with the Data Controller, the terms of this Data Processing Agreement shall apply.

1.5 In the event of a conflict between any provisions of the Agreement and the provisions of this Data Processing Agreement, the provisions of this Data Processing Agreement shall prevail.

1.6 An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in Exhibits D and E.

2. The Data Controller and the Data Processor

2.1 The Parties shall at all times comply with their respective obligations under the Data Protection Laws and this Data Processing Agreement in connection with the Processing of Personal Data.

2.2 The Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or Processed by the Data Processor.

2.3 The Data Processor will only Process the Personal Data to the extent that this is required for the provision of the Services or as otherwise needed to perform its obligations under the terms of the Agreement and this Data Processing Agreement, and otherwise in accordance with the documented instructions of the Data Controller. The Data Processor shall not sell or share Personal Data, or otherwise retain, use, or disclose the Personal Data for any purpose other than for the business purposes specified in Agreement, which shall include any documented instructions from the Data Controller. The Data Processor shall immediately notify the Data Controller if, in its opinion, any instruction infringes Data Protection Law, unless legally prohibited from doing so.

2.4 The Data Controller warrants and undertakes that it has all necessary rights and legally required consents to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services and otherwise in connection with the Agreement, and the Data Controller further warrants and undertakes that all Personal Data Processed by either Party under or in connection with this Data Processing Agreement has been obtained fairly and lawfully and, in all respects in compliance with Data Protection Law.

2.5 To the extent that the Data Controller is part of a group of companies, it confirms it has the authority to bind all entities in the group of companies to this Data Processing Agreement.

2.6 Where permitted by Data Protection Law, Data Processor may Process Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect security Incidents; and (iii) to protect against fraudulent or illegal activity.

2.7 Data Processor may: (i) compile aggregated and/or de-identified information in connection with providing the Services, provided that such information cannot reasonably be used to identify Data Controller or any data subject to whom Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.

3. Confidentiality

3.1 Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential, and shall inform all its employees, staff, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organizational measures designed to ensure a level of security of the Processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, the security measures described in Exhibit A.

5. Improvements to security

5.1 The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Data Protection Law or by data protection authorities of competent jurisdiction.

5.2 Where an amendment to this Data Processing Agreement is required following or as part of an update to security measures, as per Section 5.1 above, or in light of changes to Data Protection Law, from time to time, the Parties shall negotiate as needed an amendment to this Data Processing Agreement in good faith.

6. Audit rights

6.1 Upon the Data Controller’s reasonable request, the Data Processor shall provide for review, all relevant and necessary material, documentation, and information as required in order to demonstrate the Data Processor’s compliance with the Data Protection Law and this Data Processing Agreement.

6.2 In the event that Data Controller reasonably believes that the information referred to in Article 1 indicate any material non-compliance by the Data Processor under the Data Protection Law and/or this Data Processing Agreement, then the Data Controller may give the Data Processor not less than thirty (30) days’ prior written notice of its intention to undertake an audit, which may include inspections of the Data Processor’s premises, provided that:

6.2.1 if a third party is to conduct the audit, the third party must not be a competitor of the Data Processor, and the third party must execute a written confidentiality agreement acceptable to the Data Processor or otherwise be bound by a statutory or legal confidentiality obligation;

6.2.2 such audit shall be limited to once per calendar year, unless the audit reveals material non-compliance with this Data Processing Agreement;

6.2.3 the audit must be conducted during regular business hours at the applicable facility, in a manner which does not unreasonably interfere with the Data Processor’s business activities; and

6.2.4 unless the Data Processor expressly agrees otherwise, the audit shall not exceed three (3) business days in duration.

6.3 Upon completion of the audit pursuant to Article 2, the Data Processor will provide the Data Controller with a copy of the audit report, which is subject to the confidentiality terms of the Agreement. The Data Controller may use the audit reports only for the purposes of meeting the Data Controller’s legal obligations pursuant to Data Protection Law and/or confirming compliance with the requirements of this Data Processing Agreement.

6.4 Each party will bear its own costs in relation to the provision of information or an audit conducted pursuant to this Article.

7. International Data Transfers

7.1 Data Controller authorizes the Data Processor to transfer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States. If Personal Data originating in the European Economic Area, the United Kingdom, and/or Switzerland is transferred by Data Controller to Data Processor in a country that has not been found to provide an adequate level of protection under applicable Data Protection Law, the parties agree that the transfer shall be governed by the Controller to Processor Standard Contractual Clauses (Module Two) provided by the European Commission pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Controller to Processor Standard Contractual Clauses”), as supplemented by Exhibit B attached hereto, the terms of which are incorporated herein by reference. If Personal Data originating in the European Economic Area, the United Kingdom, and/or Switzerland is transferred by Data Processor to Data Controller in a country that has not been found to provide an adequate level of protection under applicable Data Protection Law, the parties agree that the transfer shall be governed by the Processor to Controller Standard Contractual Clauses (Module Four) provided by the European Commission (“Processor to Controller Standard Contractual Clauses”), as supplemented by Exhibit C attached hereto, the terms of which are incorporated herein by reference. Each Party’s execution of the Agreement shall be a signature to both the Controller to Processor Standard Contractual Clauses and the Processor to Controller Standard Contractual Clauses to the extent each set of clauses applies hereunder.

7.2 Data Processor agrees that it has provided true, complete, and accurate responses to the Data Transfer Impact Assessment Questionnaire attached hereto as Exhibit D. By executing the Agreement, Data Controller agrees that the responses to the Data Controller Data Transfer Impact Assessment Questionnaire attached hereto as Exhibit E are true, complete, and accurate.

7.3 Taking into account the information and obligations set forth in this Data Processing Agreement and, as may be the case for a Party, such Party’s independent research, to the Parties’ knowledge, the Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Standard Contractual Clauses which apply under this Data Processing Agreement to a country that has not been found to provide an adequate level of protection under applicable Data Protection Law is afforded a level of protection that is essentially equivalent to that guaranteed by applicable Data Protection Law.

8. Personal Data Breach notification and assistance

8.1 When the Data Processor becomes aware of a Personal Data Breach, it shall promptly notify the Data Controller within 24 hours about the same, and shall reasonably cooperate with the Data Controller in order to enable the Data Controller to take suitable further steps in respect of the Personal Data Breach as required by Data Protection Law.

8.2 Any notifications made to the Data Controller pursuant to this Article 8 shall be addressed to the employee of the Data Controller whose contact details are provided in the Agreement.

9. Contracting with Sub-Processors

9.1 Except as permitted by Article 2 of this Data Processing Agreement, the Data Processor shall not subcontract its Processing of the Personal Data without the prior written authorisation of the Data Controller.

9.2 The Data Controller hereby authorises the Data Processor to: engage the sub-processors listed in https://workforcesoftware.force.com/customers/s/article/Third-parties-sub-processors-who-store-or-process-customer-data, as updated from time to time, to provide the Services. The Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes. If the Data Controller sends the Data Processor a written objection notice in a timely manner (but in any event within 30 days of being notified), setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Data Controller’s objection. In the absence of a resolution, the Data Processor will, subject to Article 3 below, make commercially reasonable efforts to provide Data Controller with the same level of service described in the Agreement, without using the proposed sub-processor to process Data Controller’s Personal Data. If the Data Processor’s efforts are not successful within a reasonable time, each party may terminate the portion of the service which cannot be provided without the sub-processor, and the Data Controller will be entitled to a pro-rated refund of the applicable service fees.

9.3 The Data Controller understands and acknowledges that the Data Processor has agreed upon certain prices and fees with the Data Controller based on the assumption that it would be able to utilize the sub-processors proposed at https://workforcesoftware.force.com/customers/s/article/Third-parties-sub-processors-who-store-or-process-customer-data, as updated from time to time. In the event Data Controller objects to Data Processor utilizing one or more of those sub-processors in accordance with Article 2, Data Processor reserves the right to increase any prices or fees previously agreed upon between the Parties.

9.4 Notwithstanding any authorisation by the Data Controller within the meaning of the preceding Article, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfill its data protection related obligations.

9.5 The Data Processor shall ensure that each sub-processor is bound by data protection obligations substantively equivalent to those imposed on the Data Processor as applicable under this Data Processing Agreement.

10. Returning or destruction of Personal Data

10.1 Upon termination of this Data Processing Agreement, upon the Data Controller’s written request the Data Processor shall, at the discretion of the Data Controller, either delete, destroy, or return all Personal Data to the Data Controller and destroy or return any existing copies.

11. Assistance to Data Controller

11.1 The Data Processor shall provide reasonable assistance to and comply with all reasonable instructions from Data Controller related to requests from individuals for exercising their data subject rights under the Data Protection Laws, as well as with requests, notices and other communications with an Information Commissioner or other relevant supervisory authority or regulator.

11.2 Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall provide commercially reasonable assistance to the Data Controller in ensuring compliance with its data security related obligations, as well as other Data Controller obligations under Data Protection Law that are relevant to this Data Processing Agreement, including notifications to a supervisory authority, other regulator, or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.

12. Duration and termination

12.1 Unless expressly agreed otherwise, this Data Processing Agreement shall come into effect on the date on which the Agreement becomes effective.

12.2 Termination of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3.

12.3 The Data Processor shall process Personal Data until the date of expiration or termination of the Agreement and whereupon this Data Processing Agreement shall automatically terminate without further action on the part of the Parties.

13. Liability

13.1 Each Party’s total aggregate liability to the other arising out of or in connection with any breaches of applicable Data Protection Law and/or this Data Processing Agreement shall be subject to the exclusions and limitations of liability set out in the Agreement.

14. Miscellaneous

14.1 This Data Processing Agreement and the Agreement represent the entire agreement of the Parties with respect to the subject matter hereof, and supersedes all prior discussions, writings, communications, emails and/or agreements between the Parties and are intended to be the final expression of their agreement. Each Party acknowledges that, in entering into the Data Processing Agreement and the documents referred to in it, it does not rely on any statement, representation, assurance or warranty (“Representation”) of any person (whether a Party to this Data Processing Agreement or not) other than as expressly set out in the Data Processing Agreement or those documents. Each Party agrees that the only rights and remedies available to it arising out of or in connection with a Representation shall be for breach of contract. Nothing in this Article shall limit or exclude any liability for fraud or fraudulent misrepresentation.

14.2 All notices and other communications under this Data Processing Agreement shall be addressed to the Parties made by hand, courier, or first class pre-paid mail (either recorded delivery or registered) and will be deemed to have been communicated upon the date of actual delivery, provided that the Parties may agree to serve notices by ordinary first class pre-paid mail, fax and/or email. The addresses for service shall be as first stated in this Data Processing Agreement, or such other address that each Party may notify to the other in writing for such purpose.

14.3 The rights of any third party under this Agreement, whether pursuant to The Contracts (Rights of Third Parties) Act 1999 or otherwise, are hereby excluded.

14.4 An amendment or change to the terms of this Data Processing Agreement, will be effective when it is documented and agreed in writing by the Parties, and signed by and for and behalf of each of the Parties by their respective authorised signatories.

14.5 No failure or delay by either Party to exercise any right, power or remedy shall operate as a waiver of that right, power or remedy nor shall any partial exercise preclude any further exercise of the same, or of any other right, power or remedy.

14.6 This Data Processing Agreement is governed by the law of the jurisdiction as specified in the Agreement, and each party agrees to submit to the exclusive jurisdiction of the courts in that jurisdiction.

15. Notices

Contact information of the Privacy Officer and Data Protection Officer of the Data Processor:

First point of contact – Data Privacy Officer (for all WFS entities worldwide)

Privacy Officer
WorkForce Software, LLC
38705 Seven Mile Road, Suite 300
Livonia, MI 48152
United States of America
+1‐877‐493‐6723
[email protected]

Second point of contact – Data Protection Officer (for all WFS entities worldwide)

GRCI Law
Unit 3 Clive Court
Bartholomews Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EA UK
[email protected]
+44 (0) 333 800 7000

 

EXHIBIT A: TECHNICAL AND ORGANISATIONAL MEASURES

This Exhibit is hereby incorporated by reference into this Data Processing Agreement.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of personal data

The Data Importer shall take steps to employ encryption on personal devices that store or access Personal Data and leverage provided pseudonymisation and encryption capabilities in WorkForce Suite and related software and systems to protect Personal Data.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

The Data Importer shall take steps to secure endpoints used to access Personal Data with unique user IDs, strong passwords, hard drive encryption, anti-virus/anti-malware, automatic operating system updates, and routine software updates. Access to data shall be performed only over encrypted connections.

The Data Importer shall not bypass or interfere with any confidentiality, integrity, availability, and resilience capabilities in WorkForce Suite and related software and systems.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

WorkForce Suite and related software and systems provide availability and access features; the Data Importer shall not bypass such functionality, and will leverage such functionality as appropriate;

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

The Data Exporter shall periodically assess the effectiveness of technical and organisational measures of the Data Importer. The Data Importer shall periodically assess its compliance with the requirements in this Exhibit.

Measures for user identification and authorization

Where appropriate, the Data Importer shall use unique user IDs for Data Importer processing equipment (e.g., PCs, mobile devices) and strong, high entropy passwords. Data Importer shall leverage provided identification and authorization capabilities in WorkForce Suite and related software and systems to the extent applicable to protect Personal Data.

Measures for the protection of data during transmission

The Data Importer shall take steps to ensure that Personal Data is only accessed or transferred over an encrypted connection.

Measures for the protection of data during storage

Data Importer will take steps to ensure all storage devices, hard drives, storage area networks, and mobile devices that are used to process Personal Data have at least AES-256 encryption.

Measures for ensuring physical security of locations at which personal data are processed

Data Importer shall take steps to ensure personal data is only accessed from locations where there is appropriate technical and administrative controls to protect against unauthorized disclosure.

Measures for ensuring events logging

Data Importer shall take steps to enable event logging on all personal devices used to process Personal Data.

Measures for ensuring system configuration, including default configuration

Personal devices (laptops, PCs, mobile devices, etc.) used by Data Importer to process Personal Data shall be run only vendor-supported operating systems that are routinely patched.

Measures for internal IT and IT security governance and management

The Data Importer is solely responsible for security governance and management of systems, software, and processes under its control.

Measures for certification/assurance of processes and products

The Data Importer will provide reasonable evidence of compliance with applicable data protection and privacy legislation, and of compliance with required technical and organisational measures upon request of the Data Exporter.

Measures for ensuring data minimization

The Data Importer, when appropriate, will work with the Data Exporter to determine what data is necessary for its processing to meet customer processing requirements.

Measures for ensuring data quality

The Data Importer, when appropriate, will work with the Data Exporter to determine appropriate data quality measures, which may include data input validation and business rules testing.

Measures for ensuring limited data retention

The Data Importer, when appropriate, will work with the Data Exporter to determine appropriate data retention options.

Measures for ensuring accountability

The Data Importer shall provide its staff responsible for processing Personal Data with unique IDs used to access its devices and applications to ensure accountability through access and change records in logs.

Measures for allowing data portability and ensuring erasure

The Data Importer will advise the Data Exporter on options for data portability (e.g., report options) and take steps to erase any temporary files under its control after the are no longer required.

 

Exhibit B: Additional Terms for the Controller to Processor Standard Contractual Clauses (Module Two)

This Exhibit B forms part of the Data Processing Agreement. Capitalized terms not defined in this Exhibit B have the meaning set forth in the Data Processing Agreement.

The Parties agree that the following terms will supplement the Controller to Processor Standard Contractual Clauses (Module Two):

  1. Swiss Transfers. The following text is added as a new Clause 1(e): To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.

  2. UK Transfers. The following text is added as a new Clause 1(f): To the extent applicable hereunder, these Clauses, as supplemented by the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 (the “UK Addendum”) (but, as permitted by Clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that (i) the details of the Parties in Table 1 of the UK Addendum shall be as set out in number 8 of this Exhibit B (with no requirement for signature); (ii) for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the Controller to Processor Standard Contractual Clauses (including the disapplication of optional clauses as noted at number 3 of this Exhibit B) and number 4 of this Exhibit B selects the option and timescales for Clause 9 of the UK Addendum; and (iii) the appendix information listed in Table 3 of the UK Addendum is set out in number 8-9 of this Exhibit B), also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the UK Data Protection Laws (as defined in the UK Addendum).

  3. Optional Clauses. The text of Clause 7 and the optional wording at Clause 11(a) is deleted in its entirety and replaced with the following: Omitted.

  4. Subprocessors. Clause 9(a) shall read as follows:

    a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

  5. Supervision. Clause 13(a) shall read as follows:

    a) Where the data exporter is established in an EU Member State, the following section applies: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

    Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the following section applies: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

    Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the following section applies: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

  6. Governing Law. Clause 17 shall read as follows: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third- party beneficiary rights. The Parties agree that this shall be the law of Ireland.

  7. Choice of Forum and Jurisdiction Law. Clause 18(b) shall read as follows: (b) The Parties agree that those shall be the courts of Ireland.

  8. Annex I. Annex I shall read as follows:

    A. List of Parties
    Data Exporter:
    Name: Data Controller.
    Address: As set forth in the Agreement.
    Contact person’s name, position, and contact details: As set forth in the Agreement.
    Activities relevant to the data transferred under these Clauses: As set forth in Exhibit D of the Data Processing Agreement.
    Role: Controller.

    Data Importer:
    Name: WFS.
    Address: As set forth in the Agreement.
    Contact person’s name, position, and contact details: As set forth in the Agreement.
    Activities relevant to the data transferred under these Clauses: As set forth in Exhibit D of the Data Processing Agreement.
    Role: Processor.

    B. Description of the Transfer: As set forth in Exhibit D of the Data Processing Agreeement. (For clarity, each response required in Annex I, Section B shall be populated with the foregoing.)

    C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.

  9. Annex II. Annex II shall read as follows:
    Data importer shall implement and maintain appropriate technical and organisational measures designed to protect personal data in accordance with Exhibit A of the Data Processing Agreement. Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Exhibit A.

  10. Clarifying Terms. The Parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Controller to Processor Standard Contractual Clauses will be provided upon Data Controller’s written request; (ii) the measures Data Processor is required to take under Clause 8.2(a) of the Controller to Processor Standard Contractual Clauses will only cover Data Processor’s impacted systems; (iii) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Controller to Processor Standard Contractual Clauses will be limited to the termination of the Controller to Processor Standard Contractual Clauses, in which case, the corresponding Processing of Personal Data affected by such termination shall be discontinued unless otherwise agreed by the parties; (iv) unless otherwise stated by Data Processor, Data Controller will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Controller to Processor Standard Contractual Clauses; (v) the information required under Clause 15.1(c) will be provided upon Data Controller’s written request; (vi) the audit described in Clause 8.9 of the Controller to Processor Standard Contractual Clauses shall be carried out in accordance with Section 6 of the Data Processing Agreement; (vii) Data Processor may engage Sub-Processors using the Processor to Sub-processor Standard Contractual Clauses (Module Three) provided by the European Commission pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (and the UK Addendum, if applicable) or any other adequacy mechanism, provided that such adequacy mechanism complies with applicable data protection laws and such use of Sub-Processors shall not be considered a breach of Clause 9 of the Controller to Processor Standard Contractual Clauses; and (viii) notwithstanding anything to the contrary, Data Controller will reimburse Data Processor for all costs and expenses incurred by Data Processor in connection with the performance of Data Processor’s obligations under Clause 15.1(b) and Clause 15.2 of the Controller to Processor Standard Contractual Clauses without regard for any limitation of liability set forth in the Agreement.

 

Exhibit C: Additional Terms for the Processor to Controller Standard Contractual Clauses (Module Four)

This Exhibit C forms part of the Data Processing Agreement. Capitalized terms not defined in this Exhibit C have the meaning set forth in the Data Processing Agreement.

The Parties agree that the following terms will supplement the Processor to Controller Standard Contractual Clauses (Module Four):

  1. Swiss Transfers. The following text is added as a new Clause 1(e): To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.

  2. UK Transfers. The following text is added as a new Clause 1(f): To the extent applicable hereunder, these Clauses, as supplemented the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 (the “UK Addendum”) (but, as permitted by Clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that (i) the details of the Parties in Table 1 of the UK Addendum shall be as set out in number 8 of this Exhibit C (with no requirement for signature); (ii) for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the Processor to Controller Standard Contractual Clauses (including the disapplication of optional clauses as noted at number 3 of this Exhibit C) and number 4 of this Exhibit C relates to the treatment of Clause 9 of the UK Addendum; and (iii) the appendix information listed in Table 3 of the UK Addendum is set out in number 8 of this Exhibit C), also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the UK Data Protection Laws.

  3. Optional Clauses. The text of Clause 7 and the optional wording at Clause 11(a) is deleted in its entirety and replaced with the following: Omitted.

  4. Subprocessors. The text of Clause 9 is deleted in its entirety and replaced with the following: Omitted.

  5. Supervision. The text of Clause 13 is deleted in its entirety and replaced with the following: Omitted.

  6. Governing Law. Clause 17 shall read as follows: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third- party beneficiary rights. The Parties agree that this shall be the law of Ireland.

  7. Choice of Forum and Jurisdiction Law. Clause 18(b) shall read as follows: (b) The Parties agree that those shall be the courts of Ireland.

  8. Annex I. Annex I shall read as follows:

    A. List of Parties
    Data Exporter:
    Name: WFS.
    Address: As set forth in the Agreement.
    Contact person’s name, position, and contact details: As set forth in the Agreement.
    Activities relevant to the data transferred under these Clauses: As set forth in Exhibit E of the Data Processing Agreement.
    Role: Processor.

    Data Importer:
    Name: Data Controller
    Address: As set forth in the Agreement.
    Contact person’s name, position, and contact details: As set forth in the Agreement.
    Activities relevant to the data transferred under these Clauses: As set forth in Exhibit E of the Data Processing Agreement.
    Role: Controller.

    B. Description of the Transfer: As set forth in Exhibit E of the Data Processing Agreement. (For clarity, each response required in Annex I, Section B shall be populated with the foregoing.)

  9. Clarifying Terms. The parties agree that: (i) the information required by Clause 8.1(d) of the Processor to Controller Standard Contractual Clauses will be provided upon Data Controller’s written request, and (ii) the audit described in Clause 8.3(b) of the Processor to Controller Standard Contractual Clauses shall be carried out in accordance with Section 6 of this Data Processing Agreement.

 

Exhibit D: Data Processor Data Transfer Impact Assessment Questionnaire

This Exhibit D forms part of the Data Processing Agreement. Capitalized Data Processing Agreement not defined in this Exhibit D have the meaning set forth in the Data Processing Agreement.

  1. What countries will Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from? If this varies by region, please specify each country for each region.
     
    a. Answer: Personal Data may be transferred to the United States, Mexico, Pakistan, India, Chile, Germany, Canada, Brazil, Columbia, United Kingdom, Belgium, Australia, Canada, Costa Rica, Singapore, and other locations as notified to Data Controller from time-to-time.

  2. What are the categories of data subjects whose Personal Data will be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

    a. Answer: Data Controller’s employees, contractors, contingency workers, and other personnel.

  3. What are the categories of Personal Data transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

    a. Answer: All components of WorkForce or WFS Suite require: Employee ID, name, Login ID, IP address (may be collected as part of normal system and application logging), user experience (tracking or replay). Optional data: Employee photograph.

    Components of WorkForce or WFS Suite may process additional required and optional data:

    Time and Attendance
    Required data: Manager ID, business contact information
    Optional data: work hours/schedules, personal contact information, pay rates/salary, labor categorization (e.g., full-time/part-time, exempt/nonexempt), union or other collective bargaining agreement. Some customers may be subject to regulations that require data such as pregnancy and student status, labor distribution information (projects, products, etc.)

    Absence, Leave and Accommodations
    Required: customers may be subject to regulations that require data such as pregnancy and student status, reasons for leave, and/or attached eligibility/certification forms, as well as pertinent details around eligibility for regulated leaves.
    Optional data: the software can be configured to collect optional additional information.

    Scheduling
    Required: username/password, employee/card/staff ID and name.
    Optional: Date of birth, store name, qualifications, next of kin, gender, tax file number, personal contact information including home phone, home address, personal email, sensitive employment data e.g., pay rates/salary/shift incentives, IP address, geolocation.

    WorkForce Experience
    Required: employee name, job title, work email address, username, and IP address.
    Optional: photo, password (if SSO is not used), and preference data. Users may post photos and text of their choosing.

    Data Capture
    Required: Worktime and device
    Optional: Labor distribution date (projects, products, etc.) and geolocation data. Customer using data collection devices (“clocks”) may optionally collection biometric information.

  4. Will any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom? If so, are there any restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures?
     
    a. Answer: As necessary to provide the Services under the Agreement. For example, some customers may choose to use data collection devices that use biometric data for authentication, or trade union in order to correctly process payroll data based on union collective bargaining agreements, or health data to justify leave or absences.

  5. What business sector is Data Processor involved in

    a. Answer: Workforce management.

  6. Broadly speaking, what are the services to be provided and the corresponding purposes for which Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

    a. Answer: The Data Processor provides a SaaS-based workforce management solution to the Data Controller which stores and processes personal data related to time and attendance and/or labor scheduling. Data may be provided directly by the Data Controller or collected by the Data Processor directly from Data Controller’s personnel through the services. The Data Processor may also provide configuration and support services to the Data Controller.

  7. What is the frequency of the transfer of Personal Data outside of outside of the European Economic Area, Switzerland, and/or the United Kingdom? E.g., is Personal Data transferred on a one-off or continuous basis?

    a. Answer: Continuously through the term of the Agreement.

  8. When Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom to Data Processor, how is it transmitted to Data Processor? Is the Personal Data in plain text, pseudonymized, and/or encrypted?

    a. Answer: Data Processor uses the technical and organizational measures described in Exhibit A to safeguard Personal Data.

  9. What is the period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period?
     
    a. Answer: Data Processor will retain Personal Data through the term of the Agreement.
  10. Please list the Subprocessors that will have access to Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom:

    a. Answer: as described in https://workforcesoftware.force.com/customers/s/article/Third-parties-sub-processors-who-store-or-process-customer-data

  11. Is Data Processor subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where Personal Data is stored or accessed from that would interfere with Data Processor fulfilling its obligations under either of the attached set(s) of Standard Contractual Clauses? For example, FISA 702 or U.S. Executive Order 12333. If yes, please list these laws.

    a. Answer: As of the effective date of the Data Processing Agreement, no court has found Data Processor to be eligible to receive process issued under the laws contemplated by Question 11, including FISA Section 702 and no such court action is pending.

  12. Has Data Processor ever received a request from public authorities for information pursuant to the laws contemplated by Question 11 above (if any)? If yes, please explain.

    a. Answer: As of the effective date of the Data Processing Agreement, Data Processor has not received any national security orders of the type described in Paragraphs 150-202 of the judgment in the CJEU Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, nor is Data Processor aware of any such orders in progress.

  13. Has Data Processor ever received a request from public authorities for Personal Data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain.
     
    a. Answer: No.

  14. What safeguards will Data Processor apply during transmission and to the processing of Personal Data in countries outside of the European Economic Area, Switzerland, and/or the United Kingdom that have not been found to provide an adequate level of protection under applicable Data Protection Laws?

    a. Answer: Those safeguards set forth in Exhibit A.

 

Exhibit E: Data Controller Data Transfer Impact Assessment Questionnaire

This Exhibit E forms part of the Data Processing Agreement. Capitalized terms not defined in this Exhibit E have the meaning set forth in the Data Processing Agreement.

Throughout the term of the Agreement, Data Controller will promptly notify Data Processor’s Designated POC within ten (10) business days if there are material changes to the responses set forth in this Exhibit E following the effective date of the Agreement, and work with Data Processor to update Data Controller’s responses set forth in this Data Controller Data Transfer Impact Assessment Questionnaire.

  1. What countries will Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from by Data Controller? If this varies by region, please specify each country for each region.
     
    a. Answer: Those countries where Data Controller conducts its business activities, which may include, but are not limited to, the United States.

  2. What are the categories of data subjects whose Personal Data will be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

    a. Answer: Data subjects whose Personal Data will be provided by Data Processor pursuant to the Processor to Controller Standard Contractual Clauses which may include, but are not limited to, those data subjects contemplated by Data Processor’s response to Question 2, Exhibit D.
  3. What are the categories of Personal Data transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

    a. Answer: Personal Data that will be provided by Data Processor pursuant to the Processor to Controller Standard Contractual Clauses, which may include, but is not limited to, the Personal Data contemplated by Data Processor’s response to Question 3, Exhibit D.
  4. Will any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom? If so, are there any restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures?

    a. Answer: This data will be transferred to Data Controller as necessary to provide the Services under the Agreement. For example, some customers may choose to use data collection devices that use biometric data for authentication, or trade union in order to correctly process payroll data based on union collective bargaining agreements.

  5. What is the nature and purpose for which Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom by Data Processor to Data Controller?
     
    a. Answer: Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom so that Data Controller can operate its business.

  6. What is the frequency of the transfer of Personal Data outside of outside of the European Economic Area, Switzerland, and/or the United Kingdom? E.g., is Personal Data transferred on a one-off or continuous basis?

    a. Answer: Personal Data is transferred by Data Processor to Data Controller in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.

  7. When Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom to Data Controller, how is it transmitted to Data Controller? Is the Personal Data in plain text, pseudonymized, and/or encrypted?

    a. Answer: Personal Data is transferred and made available to Data Controller directly through the Services, accessible only to Data Controller’s authorized users.

  8. What is the period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period?

    a. Answer: Data Controller will retain Personal Data in accordance with the applicable Data Controller privacy notice or policy that governs such Personal Data.

  9. Please list the Data Controller subprocessors that will have access to Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom.

    a. Answer: Those subprocessors involved in the operation of Data Controller’s business.

  10. Is Data Controller subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where Personal Data is stored or accessed from that would interfere with Data Controller fulfilling its obligations under the Processor to Controller Standard Contractual Clauses? For example, FISA Section 702. If yes, please list these laws.
     
    a. Answer: As of the effective date of the Agreement, no court has found Data Controller to be eligible to receive process issued under the laws contemplated by Question 10, including FISA Section 702 and no such court action is pending.

  11. Has Data Controller ever received a request from public authorities for information pursuant to the laws contemplated by Question 10 above (if any)? If yes, please explain.

    a. Answer: No

  12. Has Data Controller ever received a request from public authorities for Personal Data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain.

    a. Answer: No

Last Updated: 04/2022