1. Background
In the context of the Agreement, Motimate will process personal data on the Customer’s behalf. Thus, Motimate will act as a data processor, whereas the Customer acts as a data controller.
This data processing agreement (the “Data Processing Agreement”) sets out rights and obligations for Motimate and the Customer concerning the processing of personal data. The purpose of the Data Processing Agreement is to ensure adequate safeguards for the processing of personal data.
2. The scope of personal data
Motimate will process personal data related to the following categories of data subjects:
- employees and other personnel of the Customer.
Motimate will process the following personal data related to these data subjects:
- Account data: Including name, phone number, employee ID and email address, data about work situation (such as what store(s) the data subject work in and what position it has in the company
- Usage data: Including text and documents, pictures and videos, and likes and other reactions, that the Customer may share when using the Services
- Metadata: Including information about how the data subject use of functionality in the Services, the type and model of the device of the data subject, the unique device ID, the IP address of the device, the operating system, and the internet browser type that the data subject is using.
Due to the fact that Motimate may continuously work to improve the Services (software/applications), changes in the scope of personal data to be processed may occur. Motimate shall communicate such changes in its Privacy Policy. Material changes shall be discussed with the Customer before they are implemented. If the Customer disapprove such amendments, it may choose to terminate the Agreement in accordance with section 14 of the Terms and Conditions.
3. Ownership of personal data
The Customer retains the legal control of and ownership to, the personal data processed hereunder.
4. Obligations of Motimate
Motimate shall not process personal data given access to or generated in the context of the Agreement for any purpose other than as necessary to perform its obligations pursuant to the Agreement. Motimate shall not combine personal data concerning the personnel of the Customer with personal data concerning the personnel of its other customers.
For the avoidance of doubt, the paragraph above shall not prevent Motimate from using anonymous data (such as aggregated data, or usage data that cannot be linked to a specific data subject) for statistics, bug-fixing, improvements, etc.
Motimate shall ensure that the personal data is processed in accordance with applicable law. Motimate shall further adhere to any routines or instructions for the processing that are communicated by the Customer, provided that such routines and instructions will not cause disproportionate costs and inconvenience to Motimate. Motimate is entitled to refrain from adhering with such routines or instructions if it would involve processing of personal data in conflict with applicable data protection law.
Motimate shall publish a Privacy Policy in which the data subjects are given information on why and how their personal data is processed.
5. Use of sub-processors
Motimate may subcontract its operations and obligations under this Data Processing Agreement to a subcontractor.
Such sub-contracting shall be made by way of a written agreement with the sub-processor that imposes adequate data protection and privacy obligations on the sub-processor. Motimate remains responsible for the sub-processor’s obligations under such agreement.
Upon request by the Customer, Motimate shall provide the Customer with copies of agreements with sub-processors, unless so is prevented by confidentiality undertakings. If so, Motimate may conceal commercial provisions (prices, etc.) in such agreements and other provisions that does not relate to processing of personal data.
6. International data transfer
Personal data shall not be transferred to countries outside of the EEA without the prior written consent of the Customer.
Provided that consent is given to transfer data to countries outside of the EEA, any transfer performed by Motimate shall satisfy the requirements laid down in applicable data protection law. If requested by the Customer, EU standard contractual clauses (2010/87/EU) with processors outside of the EEA shall be concluded. The Customer entitles Motimate to conclude such EU standard contractual clauses in the name of and on behalf of the Customer (proxy), provided that no amendments of the clauses are made.
7. Technical and organisational security measures
Motimate shall implement and maintain throughout the term appropriate technical and organizational security measures to protect the personal data against unauthorized or unlawful processing and against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access. These measures shall ensure a level of security appropriate to the risk presented to the processing and the nature of the personal data to be protected (including the harm which might result from any accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access to the personal data) having regard to the state of the art and the cost of their implementation.
Motimate shall, by itself or a third party, document its technical and organisational security measures. The documentation shall be made available to the Customer upon request.
Motimate shall only allow access to the personal data to personnel on a need-to-know basis. Motimate shall ensure that all personnel having access to the personal data are subject to adequate confidentiality obligations.
Motimate shall provide the Customer access to any documentation relating to the technical and organisational security measures, so that the Customer is able to fulfil his responsibility as Controller as set forth in applicable data protection law.
8. Security audits
The Customer, by a third party (such as an external auditor), is entitled to (and may allow the Supervisory Authority to) conduct an audit of the data-processing facilities utilized for the processing activities by Motimate. Motimate shall reasonably provide assistance in that respect, at the cost of the Customer. The Customer shall perform such audit without causing significant interruptions to Motimate’s regular operations.
Each party shall cover its own costs associated with audits.
9. Data breaches
Breaches of data security, including accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, shall be promptly notified to the Customer in writing. If the data breach has resulted in the unauthorized disclosure of personal data of a confidential nature, such notification shall be given to the Customer at latest within 36 hours from becoming aware of it.
The Customer is responsible for notifying the relevant supervisory authority about the Data Breach when applicable.
10. Requests from individuals
Unless otherwise agreed, Motimate shall direct all requests from data subjects regarding processing of personal data in the context of this Agreement to the Customer. Motimate shall reasonably assist the Customer in fulfilling its obligations towards individuals, at the cost of the Customer.
11. General notifications
Motimate shall promptly notify the Customer in writing of:
- changes in the security measures which do or may reasonably be expected to have an adverse effect on Motimate’s ability or to process the personal data in accordance with this Data Processing Agreement;
- requests from any supervisory authority requiring access to or personal data owned by the Customer.
12. Term and termination
This Data Processing Agreement will stay in force as long as Motimate processes or has access to personal data on behalf of the Customer in the context of the Agreement.
Upon termination, Motimate shall, at the choice and at the cost of the Customer, return all the personal data and the copies thereof to the Customer or shall destroy all the personal data and certify to the Customer that it has done so, unless legislation imposed upon Motimate prevents it from returning or destroying all or part of the personal data. In that case, Motimate warrants that it will guarantee the confidentiality of the personal data and will not actively process the personal data anymore.