GDPR/Data Protection Agreement
Last Updated: 02/09/2024
Our services fully comply with EU/US data protection laws. We support GDPR's strong emphasis on data protection and security.
The myHR Data Processing Agreement (“DPA”) governs the processing of personal data when using myHR Services under the myHR Terms of Service. Unless otherwise agreed, myHR acts as a data processor (“Processor”) on behalf of the customer (“you”), the data controller (“Controller”). The Processor and Controller are collectively referred to as the “Parties.”
Considering that:
- The Controller has access to personal data of various clients (hereinafter: “Data Subjects”);
- The Controller requires the Processor to perform specific processing tasks as per the SaaS Agreement;
- The Controller determines the purpose and means of processing personal data governed by this DPA;
- The Processor agrees to comply with this DPA, with the GDPR, and with Luxembourg legislation on data protection and privacy.
The Parties agree as follows:
1. Processing Objectives
- The Processor agrees to process personal data on behalf of the Controller per the conditions laid out in this DPA.
- Processing will be performed exclusively within the scope of the SaaS Agreement and for purposes agreed upon thereafter.
- The Processor shall not use personal data for any purpose other than those specified by the Controller.
- All personal data processed on behalf of the Controller remains the property of the Controller and/or the relevant Data Subjects.
- The Processor shall not make unilateral decisions regarding data processing, including sharing data with third parties or data retention.
2. Processor's Obligations
- The Processor shall comply with all applicable laws and regulations, including those related to data protection, such as GDPR.
- The Processor shall provide the Controller, upon request, with details regarding the measures taken to comply with this DPA and GDPR.
- The Processor's obligations under this DPA apply equally to any third party processing personal data under the Processor's instructions.
3. Transmission of Personal Data
- The Processor will not process or transfer personal data to countries outside the EU.
4. Allocation of Responsibility
- The Processor is responsible for processing personal data under this DPA, according to the Controller's instructions.
- The Processor is not responsible for any other processing, including processing not reported by the Controller or by third parties.
- The Controller warrants it has legal grounds to process the relevant personal data and indemnifies the Processor against related claims.
5. Engaging Third Parties or Subcontractors
- The Processor may engage third parties for processing within the framework of the agreement, without prior approval from the Controller.
- The Processor shall inform the Controller of any engaged third parties upon request.
- The Processor shall ensure that such third parties agree in writing to the same obligations as those agreed between the Controller and the Processor.
6. Duty to Report
- In case of a security breach or data leak, the Processor shall notify the Controller without undue delay.
- The Controller will determine whether to inform the Data Subjects or relevant regulatory authorities.
- The Processor will ensure the information provided about the breach is complete, correct, and accurate.
- If required by law, the Processor shall cooperate in notifying the relevant authorities and/or Data Subjects.
- The Controller remains responsible for statutory obligations in this regard.
The duty to report covers the occurrence of the breach itself and includes:
- The (suspected) cause of the breach;
- The (currently known and/or anticipated) consequences;
- The (proposed) solution;
- The measures already taken.
7. Security
- The Processor shall implement adequate technical and organizational measures to protect personal data against unlawful processing.
- The Processor will ensure that security measures are reasonable, considering the data's sensitivity and associated costs.
- The Controller shall only provide personal data to the Processor once assured that necessary security measures are in place.
- The Controller is responsible for ensuring compliance with the security measures agreed upon by the Parties.
8. Handling Requests from Data Subjects
- If a Data Subject submits a request to the Processor regarding their personal data, the Processor will forward the request to the Controller.
- The Controller will handle the request, and the Processor may notify the Data Subject that their request has been forwarded.
9. Non-disclosure and Confidentiality
- All personal data received by the Processor from the Controller under this DPA is subject to confidentiality obligations.
- This confidentiality obligation does not apply if the Controller authorizes the disclosure or if there is a legal obligation to disclose.
10. Audit
- The Controller may conduct an audit to confirm compliance with this DPA by appointing an independent third party.
- Any audit must adhere to the Processor's security requirements and must not unreasonably interfere with the Processor's business activities.
- The audit may only be conducted when there are specific grounds for suspecting misuse of personal data.
- The audit can only be conducted after the Controller provides written notice to the Processor at least two weeks in advance.
- The audit findings will be discussed and evaluated by the Parties, and any necessary actions will be implemented accordingly.
- The Controller will bear the costs of the audit.
11. Duration and Termination
- This DPA is valid for the duration specified in the SaaS Agreement or for the duration of the cooperation between the Parties.
- This DPA may not be terminated mid-term.
- Any amendments to this DPA must be mutually agreed upon by the Parties.
- The Processor shall cooperate in amending this DPA in the event of new privacy legislation or regulations.
12. Miscellaneous
- This DPA and its implementation will be governed by and interpreted in accordance with the laws of Luxembourg.
- Any legal action arising under this DPA will be brought exclusively in courts located in Luxembourg, and the Parties consent to this jurisdiction.
In case of any inconsistency between documents, the following order of priority will apply:
- The contract signed between Processor and Controller;
- This Data Processing Agreement;
- Additional conditions, if applicable.
- Logs and measurements taken by the Processor shall be considered authentic unless the Controller provides convincing evidence to the contrary.