Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1. “Agreement” means this Data Processing Agreement.
2. “Controller” is the party that determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the User is the DATA CONTROLLER or represents DATA CONTROLLER.
3. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
4. “Data Subject” is the identified or identifiable natural person that the Personal Data is related to.
5. “Data Transfer” means an onward transfer of personal data from a Company or Data Controller to Data Processor, or making the data accessible, where neither sender nor recipient is a data subject, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
6. “EEA” means the European Economic Area;
7. "GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
8. “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or consumer, which is processed by Teamperature solely on behalf of the User, under this DPA and the Agreement between the User and Teamperature (Terms & Conditions).
9. “Terms & Conditions” means the electronic agreement that is entered into between the User and Teamperature for the provision of subscription Services to the User (Teamperature’s Terms and Conditions of Service + Teamperature’s Privacy Policy).
10. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
11. “Processor” is the party that processes Personal Data on behalf of the Controller.
12. “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique processing, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses.
13. “Service or Service(s)” means the service Teamperature provides in pursuance to the Terms & Conditions.
14. “Standard Contractual Clauses” means the Standard Contractual Clauses between Controllers and Processors, and between Processors and Processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
15. “Subprocessor” means any third party- usually service providers- that processes Personal Data under the instruction or supervision of Teamperature.
16. ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
17. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their related terms shall be construed accordingly.

The subject-matter of Processing of Personal Data by Teamperature is the performance of the Service pursuant to the Terms & Conditions. The nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in ANNEX I (Details of Processing) to this DPA.

2.2. Roles of the Parties

The Parties acknowledge and agree that with regard to the processing of Personal Data, the User is the Controller and Teamperature is the Processor. In some circumstances, the User may be the Processor, in which case the User appoints Teamperature as the User’s sub-processor, which shall not change the obligations of either the User or Teamperature under this Data Processing Agreement, as Teamperature will remain a Processor with respect to the User in such event.

The personal data to which the DATA PROCESSOR will have access corresponds to the categories of personal data that are included in the files that the DATA CONTROLLER makes available in order to be able to comply with the contracted service as specified in ANNEX I.

DATA CONTROLLER in its use of the Service, and User’s instructions to the Processor, shall comply with Data Protection Laws. The User shall establish and have any and all required legal bases in order to collect, process and transfer to Processor the Personal Data, and to authorize the Processing by Processor, and for Processor’s Processing activities on User’s behalf.

The DATA CONTROLLER guarantees that the data provided to the DATA PROCESSOR has been lawfully obtained and is adequate, relevant and limited to the purposes of the processing.

If DATA PROCESSOR determines the purposes and means of the processing by himself, the DATA PROCESSOR will be considered to be the DATA CONTROLLER and will be obliged to comply with the applicable provisions of the regulations.

Teamperature, when Processing on the User’s behalf under the Agreement, shall Process Personal Data for the following purposes: 

(i) Processing in accordance with the Terms & Conditions and this DPA;
(ii) Processing for the User as part of its provision of the Service
(iii) Processing to comply with the User’s reasonable and documented instructions, where such instructions are consistent with the terms of the Terms & Conditions, regarding the way in which the Processing shall be performed;
(iv) Processingas required under the laws applicable to Processor, and/or asrequired by a court of competent jurisdiction or other competentgovernmental or semi-governmental authority, provided that Processorshall inform User of the legal requirement before Processing, unlesssuch law or order prohibit such information on important grounds ofpublic interest.

The DATA PROCESSOR undertakes to respect all the obligations that may apply to them as DATA PROCESSOR in accordance with the provisions of current legislation and any other provision or regulation that may be equally applicable to them.

The DATA PROCESSOR shall not use, apply or assign the data to which they have access for any purpose other than that of the processing or shall otherwise be in breach of this contract.

The DATA PROCESSOR shall make available to the DATA CONTROLLER the information necessary to demonstrate compliance with the contract, and shall allow the inspections and audits necessary to evaluate the processing.

Neither party shall be liable to the other party in contract, tort, negligence, breach of statutory duty or otherwise for any loss, damage, costs or expenses of any nature whatsoever incurred or suffered by that other party (a) of an indirect or consequential nature or (b) which consists of any economic loss of other loss of turnover, profits, business or goodwill. Nothing in this Agreement excludes liability for a party’s fraud or willful negligence.

The DATA PROCESSOR guarantees that the persons authorized to process have expressly and in writing undertaken to respect the confidentiality of the data or confirmed that they are subject to a legal obligation of confidentiality of a statutory nature.

The DATA PROCESSOR shall take measures to ensure that any person acting under their authority and having access to personal data can only process it following the instructions of the DATA CONTROLLER or is obliged to do so by virtue of the legislation in force.

The DATA PROCESSOR guarantees that the persons authorized to process have received the necessary training to ensure that the protection of personal data will not be put at risk.

The DATA PROCESSOR declares that they are up to date with regard to the obligations deriving from the data protection regulations, especially with regard to the implementation of security measures for the different categories of data and processing established in article 32 of the GDPR.

The DATA PROCESSOR ensures that such security measures are properly implemented and will cooperate with the DATA CONTROLLER to ensure compliance.

To subcontract with other companies, the processor must notify the controller in writing, clearly and unequivocally identifying the subcontractor company and its contact details. Subcontracting may proceed if the controller does not express opposition within 3 days from the processor's notification.

The DATA PROCESSOR, for their part, must analyze the possible risks and other circumstances that may have an impact on safety that may be attributable to them, and, if there are any, must inform the DATA CONTROLLER in order to evaluate their impact.

However, the DATA PROCESSOR ensures that, taking into account the current state of the art, the costs of application and the nature, scope, context and purposes of the processing, they will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the processing, including, where appropriate, among other things:

• Pseudonymization and encryption of personal data.

• Ensuring the continued confidentiality, integrity, availability and resilience of processing systems and services.

• Restoring availability and access to data quickly in the event of a physical or technical incident.

• Procedures for regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of the processing.

The security breaches that the DATA PROCESSOR is aware of must be notified, without undue delay and within a maximum of 48 hours, to the DATA CONTROLLER for their knowledge and application of measures to remedy and mitigate the effects caused. Notification is not required where it is unlikely to pose a risk to the rights and freedoms of natural persons.

The security breach notification shall contain at least the following information:

• Description of the nature of the violation.
• Categories and approximate number of Persons Concerned affected.
• Categories and the approximate number of data registers affected.
• Possible consequences.
• Measures taken or proposed to remedy or mitigate the effects.
• Contact details where further information can be obtained (DPO, Data Protection Officer, etc.).

The DATA PROCESSOR  may not communicate the data to other recipients, except those authorized in this DPA, in the privacy policy and Law.

The transfer of data to public authorities in exercising their public service are not considered as data communications, so the authorization of the DATA CONTROLLER is not required if such transfers are necessary to achieve the purpose.

The DATA PROCESSOR may not transfer data to third countries or international organizations that do not offer GDPR compliance guarantees for international transfers (such as Standard Contractual Clauses, Commission Adequacy Decisions, BCRs and others expressly authorized).

DATA PROCESSOR is authorized by DATA CONTROLLER to appoint Third Party or Sub-processors provided that they ensure and maintain a data protection compliance status and capability equal to that maintained by Teamperature, to the extent applicable to the nature of the Services provided by such Sub-processor.

DATA PROCESSOR has the following list of third parties, in case the changes in the list of third parties is significantly modified it will specifically inform DATA CONTROLLER with all the necessary data to enable it to exercise its right of objection via email, if DATA CONTROLLER does not express his or her opposition within the term of 72 hours, the DATA PROCESSOR will be at liberty to carry out the contracting.

The DATA CONTROLLER understands that, due to the SaaS nature of the Service, it will not be possible to individualize the third parties or tools used, and therefore, the right to object entails the deletion of the account.

List of Third Parties:

The DATA PROCESSOR shall create, whenever possible and taking into account the nature of the processing, the technical and organizational conditions necessary to assist the DATA CONTROLLER in their obligation to respond to requests for the rights of the Person Concerned.

In the event that the DATA PROCESSOR receives a request for the exercise of said rights, they must immediately notify the DATA CONTROLLER and in no case later than five working days following the receipt of the request, together with other information that may be relevant to the resolution of the request.

When the data is processed only with the DATA PROCESSOR’s systems, they must respond to requests on behalf of the DATA CONTROLLER within the set time limit, allowing the Person Concerned to exercise their rights related to the data.

This includes rights of access, rectification, deletion, portability, limitation or opposition to processing, and, if applicable, the right not to be subject to automated individual decisions.

Subject to any section of the DPA and/or the Terms & Conditions dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Teamperature will Process Personal Data pursuant to the DPA and Terms & Conditions for the duration of the Terms & Conditions, unless otherwise agreed upon in writing.

According to article 82 of the GDPR, the DATA PROCESSOR is liable to the DATA CONTROLLER for damages and losses caused to Persons Concerned or third parties, including administrative sanctions, arising from judicial or extrajudicial claims or from the Spanish Supervisory Authority's sanctioning procedures which are the result of non-compliance with the instructions accepted in this contract.

Once the services provided under this contract are completed and the User has requested the account deletion, the DATA PROCESSOR shall certify, at the discretion of the DATA CONTROLLER, the erasure of all personal data and any existing copies.

The erasure of data will not proceed when its conservation is required by a legal obligation, in which case the DATA PROCESSOR will continue to retain it, blocking the data and limiting its processing as long as responsibilities could ensue from its relationship with the DATA CONTROLLER.

The DATA PROCESSOR shall maintain the obligation of secrecy and confidentiality of the data even after the termination of the relationship which is the subject of this contract.

Unless other rules or laws apply, Courts of Madrid, Spain, shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).

Nature and Purpose of Processing

Teamperature will Process Personal Data as necessary for the following reasons:

1. Providing the Services to User;

2. Performing the Agreement, this DPA, and/or other contracts executed by the Parties;

3. Acting upon User’s instructions, where such instructions are consistent with the terms of the Agreement;

4. Sharing Personal Data with third parties in accordance with User’s instructions and/or pursuant to User’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of User to facilitate the sharing of Personal Data between the Services and such third party services);

5. Complying with applicable laws and regulations;

6. Any and all tasks related to any of the above.

Data subjects

The personal data transferred concerns the following categories of data subjects: The categories of data subjects whose personal data may be processed in connection with the Service provided are determined and controlled by the DATA CONTROLLER in its sole discretion and may include but are not limited to: Users, contacts and prospects of DATA CONTROLLER; employees, contractors and subcontractors by the client of DATA CONTROLLER.

Categories of data

The personal data transferred concern the following categories of data:

The categories of personal data are determined by the DATA CONTROLLER in its sole discretion and may include but are not limited to:

• Identification data
• Contact data
• Business data
• Seniority in the company
• Workplace type  (remote, on site, hybrid)
• Gender
• Familiarity with the team
• Commercial data
• Any other data incorporated in the documents that the User makes use of in the context of the service provision.