These Data Processing Terms ("Data Processing Terms") are entered into between the Client ("Client") as identified in Time Etc Ltd's Client Terms of Service ("Terms of Service") if you are located within the UK or Time etc USA Ltd's Terms Of Services ("Terms of Service") if you are located outside of the UK, and the freelancer virtual assistant identified as the Freelancer ("Freelancer") in Time Etc's Freelancer Terms. They apply to any processing by the Freelancer of personal data submitted direct to the Freelancer by the Client for the purposes specified by the Client in a Brief agreed with Time Etc pursuant to the Terms of Service.
The Client and the Freelancer acknowledge that:
- the Client has engaged Time etc Ltd or Time etc USA Ltd to provide it with services under the Terms of Service.
- the Freelancer provides virtual assistant and other services to Time etc Ltd or Time etc USA Ltd, as an independent contractor.
- The Freelancer may store and process materials of the Client submitted to it by the Client for the purposes of a Brief, which contain personal data.
- Time etc Ltd and Time etc USA Ltd do not act as the Client's data processor in respect of, and does not at any time process or come into custody or control of, any personal data of the Client in carrying out any Brief (as defined in the Terms of Service and the Freelancer Terms of Service).
- To the extent that the Client is a data controller of that personal data, the Freelancer acts as data processor in respect of that data.
In these Data Processing Terms:
Applicable Law means as applicable and binding on the Client, Freelancer and/or the Brief: (i) any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject; (ii) the common law and laws of equity as applicable to the parties from time to time; (iii) any binding court order, judgment or decree; or (iv) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party's assets, resources or business;
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data outside the United Kingdom as may be permitted under Data Protection Laws from time to time;
Data Controller has the meaning given to that term (or to the term ‘controller') in Data Protection Laws;
Data Processor has the meaning given to that term (or to the term ‘processor') in Data Protection Laws;
Data Protection Laws means as applicable and binding on the Client, Freelancer and/or the Brief: (i) in the United Kingdom, the GDPR, and/or any corresponding or equivalent national laws or regulations; (ii) in member states of the European Union: the GDPR, once applicable, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and (iii) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;
Data Subject has the meaning given to that term in Data Protection Laws;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
GDPR means the General Data Protection Regulation (EU) 2016/679;
Personal Data has the meaning given to that term in Data Protection Laws;
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Client Personal Data;
Processing has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);
Protected Data means Personal Data received by the Freelancer from the Client to the extent that it is processed by Freelancer on Client's behalf in connection with a Brief notified by Client to Time Etc;
Sub-Processor means another Data Processor engaged by Freelancer for carrying out processing activities in respect of the Protected Data on behalf of the Client; and
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Specific interpretive provision(s)
In these Data Processing Terms:
(a) references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable;
(b) a reference to a law includes all subordinate legislation made under that law; and
(c) references to "paragraph numbers" are to paragraphs of these Data Processing Terms.
Data processing provisions
1 Data Processor and Data Controller
1.1 The parties agree that, for the Client Personal Data, the Client shall be the Data Controller and Freelancer shall be the Data Processor.
1.2 Freelancer shall process Client Personal Data in compliance with the obligations of Data Processors under Data Protection Laws.
1.3 The Client shall comply with:
1.3.1 all Data Protection Laws in connection with the processing of Client Personal Data, the Brief and the exercise and performance of its respective rights and obligations under the Terms of Service with Time Etc, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
1.3.2 the terms of the Time Etc Terms of Service.
1.4 The Client warrants and undertakes that:
1.4.1 it shall ensure that Data Subjects are provided with appropriate information regarding the processing of their Personal Data, including by means of a transparent and easily accessible privacy notice; and
1.4.2 all instructions given by it to Freelancer in respect of Personal Data shall at all times be in accordance with all applicable laws including Data Protection Laws.
2 Instructions and details of processing
2.1 Insofar as Freelancer processes Client Personal Data on behalf of the Client, Freelancer:
2.1.1 unless required to do otherwise by Applicable Law, shall process the Client Personal Data only in accordance with the Client's documented instructions as set out in this paragraph 2 and Schedule 1 (Data processing details) (Processing Instructions);
2.1.2 if Applicable Law requires it to process Client Personal Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before processing the Client Personal Data (unless Applicable Law prohibits such information on important grounds of public interest); and
2.1.3 shall inform the Client if Freelancer becomes aware of a processing instruction that, in Freelancer's opinion, infringes Data Protection Laws, provided that this shall be without prejudice to paragraphs 1.3 and 1.4.
2.2 The processing of Protected Data to be carried out by Freelancer comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time by agreement between the parties.
3 Technical and organisational measures
3.1 Freelancer shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Protected Data), confidentiality and integrity of Protected Data.
4 Using staff and other processors
4.1 The Client provides general written authorisation to Freelancer to engage Sub-Processors in order to perform the Brief. Freelancer shall notify the Client of any additions to its Sub-Processors. The Client shall be given the opportunity to object to any new Sub-Processor and state its grounds for doing so. The Client acknowledges that Sub-Processors are essential in order for Freelancer to provide services to Time Etc. in respect of the Brief and that objecting to the use of a Sub-Processor will prevent Freelancer from continuing to do so.
4.2 Freelancer shall:
4.2.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract substantially on the standard terms of business of that Sub-Processor, or containing materially the same obligations as under these Data Processing Terms, that is enforceable by Freelancer;
4.2.2 ensure each such Sub-Processor complies with all such obligations; and
4.2.3 remain fully liable for all the acts and omissions of each Sub-Processor which constitutes a breach of these Data Processing Terms as if they were its own.
4.3 Freelancer shall ensure that all its personnel authorised by it to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law).
5 Assistance with the Client's compliance and Data Subject rights
5.1 Freelancer shall refer all Data Subject Requests it receives to the Client within 7 days of receipt of the request.
5.2 Freelancer shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of processing and the information available to Freelancer) to the Client in ensuring compliance with the Client's obligations under Data Protection Laws with respect to:
5.2.1 security of processing;
5.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
5.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
5.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach, provided the Client shall pay Freelancer's reasonable charges for providing the assistance in this paragraph 5.2, such charges to be calculated on a time and materials basis at Freelancer's then-current rates.
6 International data transfers
6.1 The Client agrees that Freelancer may transfer Protected Data to Sub-Processors in countries outside the United Kingdom, provided all such transfers shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws.
7 Records, information and audit
7.1 Freelancer shall maintain, in accordance with Data Protection Laws binding on Freelancer, written records of all categories of processing activities carried out on behalf of the Client.
7.2 Freelancer shall, in accordance with Data Protection Laws, contribute and allow for audits and inspections either by (at its option): (i) making available to the Client interviews with the Freelancer or Freelancer personnel, and such reports, audits or other information in its possession as it considers appropriate, which the Client must treat confidentially under a non-disclosure agreement concluded between the Parties; or (ii) responding to a written security questionnaire submitted to it by the Client provided that the Client will not exercise this right more than once per year and will hold Freelancer's responses in confidence.
8 Breach notification
8.1 In respect of any Personal Data Breach involving Protected Data, Freelancer shall, without undue delay:
8.1.1 notify the Client of the Personal Data Breach; and
8.1.2 provide the Client with details of the Personal Data Breach;
8.1.3 co-operate with the Client to respond to the Personal Data Breach. Response may include: identifying key partners, investigating the Personal Data Breach, providing regular updates, and determining notice obligations.
9 Deletion or return of Protected Data and copies
9.1 Freelancer shall, at the Client's written request, either delete or return all the Protected Data to the Client within a reasonable time after the earlier of:
9.1.1 the end of the Brief; or
9.1.2 once processing by Freelancer of any Protected Data is no longer required for the purpose of the Brief, and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Freelancer shall inform the Client of any such requirement).
DATA PROCESSING DETAILS
1 Subject-matter of processing:
Any personal data comprised within materials provided to Freelancer by the Client for the purposes of the Brief.
2 Duration of the processing:
For the duration of the Brief.
3 Nature and purpose of the processing:
To perform the Brief.
4 Type of Personal Data:
Any personal data comprised in the data provided to the Freelancer by the Client.
5 Categories of Data Subjects:
Any living individual identified in the Protected Data.