DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Agreement between Customer and Worksome.
1. SUBJECT MATTER AND DURATION
1.1. Subject Matter. This DPA is intended to govern User’s provision and Worksome’s Processing of User Personal Data pursuant to the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA conflicts with the Agreement, this DPA shall control.
1.2. Duration and Survival. This DPA will become binding upon the Effective Date of the Agreement and shall survive until expiration or termination of the Agreement or the return or deletion of User Personal Data in accordance with Section 6, whichever is later.
2. DEFINITIONS
2.1. “Controller” means the person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.2. “User Personal Data” means User Data that is “personal data” or “personal information” under applicable Data Protection Law.
2.3. “Data Protection Law(s)” means all worldwide data protection and privacy laws and regulations applicable to User Personal Data, including, where applicable, EU/UK Data Protection Law and the California Consumer Privacy Act of 2018 (“CCPA”), as amended from time to time, including any related regulations and guidance provided or issued by the California Attorney General pertaining to same. For the avoidance of doubt, if Worksome’s processing activities involving User Personal Data are not within the scope of a Data Protection Law, such law is not applicable for purposes of this Agreement.
2.4. "EEA" means the European Economic Area.
2.5. "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
2.6. “Process” or “Processing” means any operation or set of operations which is performed on User Personal Data or sets of User Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.7. “Processor” means the person who, alone or jointly with others, Processes Personal Data on behalf of the Controller.
2.8. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, in each case whether such transfer is direct or via onward transfer.
2.9. "SCCs" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs").
2.10. “Security Incident(s)” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to any User Data processed under or in connection with the Agreement, including but not limited to User Personal Data.
2.11. “Subprocessor(s)” means a third party engaged by Worksome to Process User Personal Data under the Agreement.
3. DATA USE AND PROCESSING
3.1. Documented Instructions. The parties acknowledge and agree that User is the Controller of User Personal Data and Worksome is the Processor of such User Personal Data. Worksome shall Process User Personal Data as a service provider strictly for the business purpose(s) agreed between the parties and as provided under the Agreement, this DPA, and any instructions expressly agreed upon by the parties in writing (together, the "Business Purpose"). User will not instruct Worksome to Process User Personal Data in violation of applicable law (including Data Protection Laws). Worksome has no obligation to monitor the compliance of User’s use of the Services with applicable law (including Data Protection Laws). However, Worksome will, unless legally prohibited from doing so, (i) inform User in writing if it reasonably believes that there is a conflict between User’s instructions and applicable law (including Data Protection Laws) or otherwise seeks to Process User Personal Data in a manner that is inconsistent with User’s instructions, and (ii) in such event, cease all Processing of the affected User Personal Data (other than merely storing and maintaining the security of the affected User Personal Data) until such time as User issues new instructions with which Worksome is able to comply. If this provision is invoked, Worksome will not be liable to User under the Agreement for failure to perform the Services until such time as the parties agree on new instructions.
3.2. Service Provider Certification. Worksome shall not: (a) sell the User Personal Data; (b) retain, use, or disclose User Personal Data for any purpose other than for the Business Purpose, including to retain, use, or disclose the personal information for a commercial purpose other than performing its Services under the Agreement; (c) retain, use, or disclose the User Personal Data outside of the direct business relationship between User and Worksome.
3.3. Authorization to Use Subprocessors. To the extent necessary to fulfill Worksome’s contractual obligations under the Agreement, User hereby authorizes Worksome to engage Subprocessors. A current list of Worksome’s Subprocessors can be found on Annex III. User acknowledges and agrees that Worksome’s use of such Subprocessors satisfies the requirements of this DPA.
3.4. Worksome and Subprocessor Compliance. Worksome agrees to (i) enter into a written Agreement with Subprocessors regarding such Subprocessors’ Processing of User Personal Data that imposes on such Subprocessors data protection requirements for User Personal Data that are consistent with this DPA; and (ii) remain responsible to User for Worksome’s Subprocessors’ failure to perform their obligations with respect to the Processing of User Personal Data.
3.5. Confidentiality. Worksome will ensure that any person whom Worksome authorizes to Process User Personal Data on its behalf is subject to confidentiality obligations in respect of that User Personal Data.
3.6. User Personal Data Inquiries and Requests. To the extent User, in User’s use of the Services, does not have the ability to address a request from a data subject exercising their rights under applicable Data Protection Laws (e.g., access, deletion, etc.), Worksome shall, upon User’s request, use commercially reasonable efforts to assist User in responding to such data subject request. If a request relating to User Personal Data is sent directly to Worksome, Worksome shall use commercially reasonable efforts to promptly notify User of receiving such request and shall not respond to the request unless User has authorized Worksome to do so. To the extent legally permitted, User shall be responsible for any non-negligible costs arising from Worksome’s provision of assistance under this Section. User acknowledges that Worksome is reliant on User for direction as to the extent to which Worksome is entitled to Process User Personal Data on behalf of User in performance of the Services. Consequently, Worksome will not be liable under the Agreement for any claim brought by a data subject arising from any action or omission by Worksome, to the extent that such action or omission resulted from User’s instructions or from User’s failure to comply with its obligations under applicable law.
3.7. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Worksome agrees to provide User with reasonable assistance, at User’s expense, solely to the extent that such assistance is necessary and relates to the Processing by Worksome of User Personal Data where, in User’s reasonable judgment, User is required under the Data Protection Laws to engage in a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
3.8. Limitation on Disclosure of User Personal Data. To the extent legally permitted in each case, Worksome shall: (i) promptly notify User in writing upon receipt of an order, demand, subpoena, warrant, legal demand or other document purporting to request, demand or compel the production of User Personal Data to any non-data-subject third party, including, but not limited to the United States government for surveillance and/or other purposes; and (ii) not disclose User Personal Data to the third party without providing User at least forty-eight (48) hours’ notice, so that User may, at its own expense, exercise such rights as it may have under applicable laws to prevent, challenge or limit such disclosure to the extent permitted by applicable laws.
4. CROSS-BORDER TRANSFERS OF USER PERSONAL DATA
4.1. Cross-Border Transfers of User Personal Data. User authorizes Worksome and its Subprocessors to transfer User Personal Data across international borders, including from the EEA, Switzerland, and/or the United Kingdom to the United States.
4.2. Standard Contractual Clauses. The parties agree that, when the transfer of User Personal Data from User to Worksome is a Restricted Transfer, it shall be subject to the appropriate SCCs as follows:
4.2.1. in relation to User Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
4.2.1.1. Module Two and Module 3 will apply, as appropriate;
4.2.1.2. in Clause 7, the optional docking clause will apply;
4.2.1.3. in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 3.5 of this DPA;
4.2.1.4. in Clause 11, the optional language will not apply;
4.2.1.5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Denmark;
4.2.1.6. in Clause 18(b), disputes shall be resolved before the courts of Denmark;
4.2.1.7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
4.2.1.8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA;
4.2.2. subject to paragraph 4.2.3 below, in relation to User Personal Data protected by UK GDPR, the EU SCCs will apply (in accordance with paragraph 4.2.1 above) but with the following modifications:
4.2.2.1. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR; references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex II of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;
4.2.2.2. Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales", and Clause 18 of the New EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any county in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";
4.2.3. to the extent that and for so long as the EU SCCs, as implemented in accordance with paragraphs 4.2.1 and 4.2.3 above and 4.2.4 below, cannot be used to lawfully transfer User Personal Data in compliance with the UK GDPR, the UK SCCs shall be incorporated by reference and form an integral part of this DPA and shall apply to transfers of User Personal Data governed by the UK GDPR. For the purposes of the UK SCCs:
4.2.3.1. Appendix 1 of the UK SCCs shall be deemed completed with the information set out in Annex I to this Agreement; and
4.2.3.2. Appendix 2 of the UK SCCs shall be deemed completed with the information set out in Annex II to this Agreement; and
4.2.4. If any provision of this DPA contradicts the SCCs (directly or indirectly), the SCCs shall prevail.
4.2.5. The parties agree that, in the event that Data Protection Laws no longer allow the lawful transfer of User Personal Data to Worksome and/or require an alternative transfer solution that complies with Applicable Privacy Law(s), Worksome will make an amendment to this DPA available to User to remedy such non-compliance and/or cease processing of User Personal Data without penalty.
5. INFORMATION SECURITY PROGRAM
5.1. Security Measures. Worksome shall implement and maintain commercially reasonable administrative, technical, and physical measures designed to protect User Personal Data. The safeguards will include measures designed to prevent unauthorized access, use, modification, or disclosure of such Personal Data.
5.2. Security Incidents. Notice. Upon becoming aware of a Security Incident, Worksome agrees to provide written notice to User within 72 hours. Where possible, such notice will include all details known to Worksome and required under Data Protection Laws for User to comply with User’s own notification obligations to regulatory authorities or individuals affected by the Security Incident, which may include, as applicable and if known, how the Security Incident occurred, the categories and approximate number of data subjects concerned, and the categories and approximate number of User Personal Data records concerned, the likely consequences of the Security Incident, and measures taken or proposed to be taken by Worksome to address the Security Incident, including, where appropriate, measures designed to mitigate its possible adverse effects. Worksome shall use commercially reasonable efforts to: (i) investigate and identify the cause of such Security Incident; (ii) remedy or mitigate the possible adverse effects of such Security Incidents, and (iii) reduce the likelihood that such Security Incident recurs. Worksome will not assess the contents of User Personal Data in order to identify information subject to any specific legal requirements or assess the applicability of any specific privacy, data protection, or cybersecurity requirement pertaining to such information. User is solely responsible for complying with Security Incident notification requirements applicable to User and fulfilling any third-party notification obligations related to any Security Incident, provided that, at User’s written request and subject to User paying Worksome’s reasonable fees (at then current rates) and expenses, Worksome will provide User with assistance reasonably necessary to enable User to notify relevant security breaches to the competent data protection authorities and/or affected data subjects, if User is required to do so under Data Protection Laws.
6. DATA DELETION
Upon termination or expiration of the Agreement, Worksome shall, upon User’s request, and subject to the limitations described in the Agreement, return to User (or make available for export in accordance with the Agreement) all User Personal Data in Worksome’s possession, or securely destroy such User Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Worksome’s data retention schedule), except where Worksome is required to retain copies under applicable laws, in which case Worksome will limit its processing of such User Personal Data except to the extent required by applicable laws.
7. PROCESSING DETAILS
7.1. Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
7.2. Duration. User Personal Data will be Processed for the duration of the Agreement, including any post-termination retention period.
7.3. Categories of Data Subjects. Data subjects whose User Personal Data will be Processed pursuant to the Agreement may include Employees, Suppliers, Users, Job Applicants, Consultants, Staffing Agencies, and/or Contractors.
7.4. Nature and Purpose of the Processing. The purpose of the Processing of User Personal Data by Worksome is the performance of the Services pursuant to the Agreement.
7.5. Types of User Personal Data. User represents and warrants to Worksome that User Personal Data does not and will not contain, and User has not and will not otherwise provide or make available to Worksome for Processing any sensitive Personal Data, including but not limited to financial information (e.g. credentials to any financial accounts or tax return data); health information (e.g. protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental, or physical condition, or medical treatment or diagnosis by a health care professional, health insurance information, or genetic information); biometric information; passwords for online accounts (other than passwords necessary to access the Services); credit reports or consumer reports; any payment card information or cardholder data subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or similar laws, or the regulations promulgated thereunder; or any information that falls within any special categories of data (as defined under the EU/UK Data Protection Law or otherwise interpreted under the implementing laws of the EEA member states).
ANNEX I
DATA PROCESSING DESCRIPTION
This Annex I forms part of the DPA and describes the processing that Worksome (as the Processor) will perform on behalf of the User (as the Controller).
1. LIST OF PARTIES
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: User listed in the Worksome User Account.
Address: Address listed in the Worksome User Account.
Contact person’s name, position and contact details: Contact person listed in the Worksome User Account.
Activities relevant to the data transferred under these Clauses: Processing to carry out the Services pursuant to the Terms of Service and Agreement entered into between User and Worksome.
Signature and date: This Annex I shall automatically be deemed executed when User agrees to the Terms of Service and Privacy Policy.
Role (controller/processor): Controller
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
Name: Worksome ApS.
Address: Toldbodgade 35,1 1253 København, Denmark
Contact person’s name, position, and contact details: DPO@worksome.com
Activities relevant to the data transferred under these Clauses: Processing to carry out the Services pursuant to the Terms of Service and Agreement entered into between User and Worksome.
Signature and date: This Annex I shall automatically be deemed executed when User agrees to the Terms of Service.
Role (controller/processor): Processor
2. DESCRIPTION OF PROCESSING/ TRANSFER
EU SCC Module: C2P (Module 2)
Categories of Data Subjects: The personal data transferred may concern the following categories of data subjects set forth in Section 7.3 of the DPA:
Employees, Suppliers, Users, Job Applicants, Consultants, and Contractors
Purpose(s) of the data transfer and further processing/ processing operations: The purpose of the transfer is the performance of the Services pursuant to the Terms of Service.
Categories of Personal Data: The personal data transferred concerns the categories of data as set forth in Section 7.5 of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: As set forth in Section 7.5 of the DPA, sensitive data are expressly excluded from the scope of the Services.
Frequency of the transfer: Continuous
Nature and subject matter of the processing: The subject matter of the Processing is the Services pursuant to the Terms of Service.
Duration of the processing: The duration of the data processing under this DPA is until the termination of the Terms of Service in accordance with its terms.
Retention period (or, if not possible to determine, the criteria used to determine the period): As above.
3. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs):
Where the EU GDPR applies, the Irish Data Protection Commissioner’s Office.
Where the UK GDPR applies, the UK Information Commissioner's Office.
ANNEX II
U.K. DPA ADDENDUM
This Annex II forms part of the DPA and applies in accordance with Section 4 ("Cross-Border Transfers of User Personal Data") of the DPA.
Start Date: The date of the Agreement.
Parties: Exporter (who sends the Restricted Transfer); Importer (who receives the Restricted Transfer)
Parties’ details:
Exporter Name: User listed in Worksome.
Address: Address listed in Worksome.
Contact person’s name, position and contact details: Contact person listed in Worksome.
Importer Name: Worksome entity listed in Agreement.
Address: Worksome address listed in Agreement.
Contact details: DPO@worksome.com
Addendum EU SCCs: The version of the EU SCCs incorporated into the DPA, including the information provided in Section 4 (Cross-Border Transfers of User Personal Data) and the annexes to this DPA, with only the modules, clauses or optional provisions of the approved EU SCCs brought into effect for the purposes of this Addendum in section 4.2.1 of the DPA.
Appendix Information: See Annex I
Ending this Addendum when the Approved Addendum changes: Neither Party
Mandatory Clauses: Part 2: Mandatory Clauses of the UK Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Describe the specific technical and organizational measures to be taken by Data Importer to be able to provide assistance to the Data Exporter:
Self-service system for deletion: Through the Worksome Platform, Users can delete their account and associated User Data.
ANNEX III
WORKSOME’S LIST OF SUBPROCESSORS
To provide our Services, Worksome engages the Subprocessors listed in the tables below. A Subprocessor is a third party engaged by Worksome, and its applicable Affiliates, to process Customer Personal Data.
We use the following Subprocessors to host and run our Services: Worksome Subprocessors. These are third parties that store and process your data within our Services.
