Close this
Close this
Last Updated: 09/15/2023

Data Protection at Worky

Last Updated: 09/15/2023


This Data Processing Agreement (“DPA”) forms part of the Worky Agreement (including any associated Order Form, Statement of Work, or Master Service Agreement entered into therewith) by and between Client and Worky LLC (the “Agreement”). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.


1. Definitions


“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” will have the meanings given to them in the GDPR.


“Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”), and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), and all other data protection laws of the EEA including laws of the European Union (“EU”), the United Kingdom (“UK”) and Switzerland, each as applicable, and as may be amended or replaced from time to time.


“Data Subject Rights” means all rights granted to Data Subjects by Data Protection Laws, including the right to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making.


“International Data Transfer” means any transfer of Client Personal Data from the EEA, UK or Switzerland to an international organization or to a country outside of the EEA, UK, or Switzerland, and includes any onward disclosure of Client Personal Data to another recipient within that country, as well as any onward transfer of Client Personal Data from the international organization or the country outside of the EEA, UK, or Switzerland to another country outside of the EEA, UK, or Switzerland.


“Client Personal Data” means any Personal Data that is subject to Data Protection Laws, for which Client or Third-Party Controller is the Controller, and which is Processed by Worky to provide the Services to Client.


“Personnel” means any natural person acting under the authority of Worky.


“Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data or otherwise subject to additional restrictions under Data Protection Laws.


“Standard Contractual Clauses” or “SCCs” mean the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.


“Sub-processor” means a Processor engaged by another Processor to carry out Processing on behalf of a Controller.


“Third-Party Controller” means a Controller for which Client is a Processor.


“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022), available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.


2. Scope and Applicability


The DPA applies to Processing of Client Personal Data by Worky to provide the Services.

The subject matter, nature, and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects are set out in Appendix I and the Agreement.

Client is a Controller and appoints Worky as a Processor on behalf of Client. Client is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers.


To the extent Client is a Processor on behalf of a Third-Party Controller, Client engages Worky as a Sub-processor to Process Client Personal Data on behalf of that Third-Party Controller. When Client is acting on behalf of Third-Party Controller(s), then Client: (i) is the single point of contact for Worky; (ii) must obtain all necessary authorizations from such Third-Party Controller(s); (iii) undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller(s); and (iv) is responsible for compliance with the requirements of Data Protection Laws applicable to Processors.


Client acknowledges that Worky may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, and product development. Worky is the Controller for such Processing and will Process such data in accordance with Data Protection Laws


3. Duration of this DPA


This DPA is effective for as long as Worky Processes Client Personal Data on behalf of Client.


4. Collecting, Processing and Subprocessing of Client Personal Data


Client Data Collection and Processing


Client will comply with its obligations under the Data Protection Laws in respect of its collecting and processing of Client Personal Data and any processing instructions it issues to Worky. Client represents that it has all rights, consents, and authorizations necessary for Worky to process Client Personal Data pursuant to Data Protection Laws and the Agreement.


Client authorizes Worky, in providing the Services, to Process Client Personal Data in accordance with applicable laws.


Upon notice in writing to Client, Worky may terminate the Agreement if Worky has determined, or has reason to believe, that Client is not in compliance with Data Protection Laws as a Controller or Processor.


Worky Data Processing


Worky will comply with its obligations as a Processor under applicable Data Protection Laws and will process Client Personal Data to provide Services and in accordance with Client’s documented instructions. Client’s instructions are documented in this DPA and the Agreement. Client agrees that this DPA is its complete and final agreement with Worky in relation to the Processing or sub-processing of Client Personal Data.


Worky will comply with documented instructions of Client related to Processing Client Personal Data. Unless prohibited by applicable law, Worky will inform Client if Worky is subject to a legal obligation that requires Worky to Process Client Personal Data in contravention of Client ’s documented instructions.


Client may reasonably issue additional instructions as necessary to comply with Data Protection Laws. Worky may charge a reasonable fee to comply with any additional instructions.


Upon notice in writing, Client may terminate the Agreement if Worky declines to follow Client’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in this DPA, to the extent such instructions are necessary to enable Worky to comply with Data Protection Laws.


Sub-processing


Client hereby authorizes Worky to engage Sub-processors, including its subsidiaries. A list of Worky’s current Sub-processors is available upon request to privacy@worky.com. Subject to any applicable disclaimers or limitations of liability, Worky remains responsible for the acts, errors, or omissions of its sub-processors to the extent applicable to Worky’s obligations under this DPA.


Worky will enter into a written agreement with Sub-processors which imposes the same obligations as required by Data Protection Laws.


Worky will inform Client prior to any intended change to Sub-processors. Client may object to the addition of a Sub-processor based on reasonable grounds relating to a potential or actual violation of Data Protection Laws by providing written notice detailing the grounds of such objection within thirty (30) days following Worky’s notification of the intended change. Client and Worky will work together in good faith to address Client’s objection. If Worky chooses to retain the Sub-processor, Worky will inform Client at least thirty (30) days before authorizing the Sub-processor to Process Client Personal Data, and Client may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.


5. Technical and Organizational Security Measures


Measures by Worky


Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, prior to the commencement of any processing, Worky shall implement, establish and maintain commercially reasonable technical and organizational security measures. Worky shall present and document such technical and organizational security measures for review by Client. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Worky may, from time to time, modify such technical and organizational security measures, so long as such measures do not materially reduce the protection afforded to Client Personal Data, and are reasonably documented.


Measures by Client


Client is responsible for using and configuring the Services to enable Client to comply with Data Protection Laws, including implementing Client’s own appropriate and adequate technical and organizational measures. Client shall provide Worky with a copy of such measures and notify Worky in writing of any modifications. If Worky Developers use Client devices, laptops, or computers, Client shall present and document all technical and organizational security measure for review by Worky. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Client may, from time to time, modify such technical and organizational security measures, so long as such measures are not reduced, and are appropriately documented.


Personnel


Worky will take steps to ensure that all Personnel authorized Worky to Process Client Personal Data are subject to an obligation of confidentiality.


Prohibited Data


Client acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as financial or health information). Client represents and warrants that neither Client nor any entity acting for or on behalf of Client will submit to Worky any Client Personal Data which is regulated under the Health Insurance Portability and Accountability Act without a separate Business Associate Agreement. In such events, Worky will take reasonable and appropriate steps to notify Client of its receipt of any prohibited data.


6. Notification and Assistance


Worky will notify Client without undue delay after Worky becomes aware of a Personal Data Breach involving Client Personal Data.


Worky will provide information relating to the Personal Data Breach as reasonably requested by Client to the extent such information is available to Worky. Worky will use reasonable efforts to assist Client in mitigating, where commercially reasonable and technically feasible, the adverse effects of a Personal Data Breach.


Taking into account the nature of the Processing, and the information available to Worky, Worky will assist Client, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Client ’s own obligations under Data Protection Laws to: (i) comply with requests to exercise Data Subject Rights; (ii) conduct data protection impact assessments and prior consultations with Supervisory Authorities; and (iii) notify a Personal Data Breach. Worky may charge a reasonable fee to Client for support services rendered in connection with this Section 7, which are not included in the description of the Services, and which are not attributable to failures on the part of Worky. If such support services reveal the failure of Worky to materially comply with its obligations under applicable Data Protection Laws or as otherwise set forth in this DPA, Worky and Client shall each bear their own costs related to assistance.


Worky’s notification of or response to a Personal Data Breach pursuant to this Section 7 will not be construed as an acknowledgement by Worky of any fault or liability with respect to such Personal Data Breach.


7. Deletion or Return


Pursuant to the Agreement, Worky will delete or return Client Personal Data that in its possession and control as set forth in the Agreement except to the extent Worky is required by law to retain any Client Personal Data. Client may request return of Client Personal Data up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, Worky will delete all remaining copies of Client Personal Data within thirty (30) days after returning Client Personal Data to Client. Worky will notify Client prior to deletion.


8. Cooperation, Supervision and Audit


Request for Data Protection


Upon notice from data subjects or data protection authorities (including requests from individuals seeking to exercise their rights under Data Protection Laws) to the extent regarding the Processing of Client Personal Data by Worky pursuant to the Agreement, Worky will forward such requests to Client. Unless legally required to do so, Worky will not respond to such communication without Client’s authorization. If Worky is required to respond to any request, Worky will notify Client and provide Client with a copy of the request, unless legally prohibited from doing so.


Client Requests


Worky will cooperate with Client, at Client’s sole cost and expense, to respond to any requests from individuals or data protection authorities relating to the processing of Client Personal Data under this DPA to the extent that Client may be unable to access relevant Client Personal Data.


Worky shall inform Client if Worky believes any instruction or request violates Data Protection Laws.


Client shall document immediately any oral instructions in text form.


Audit Requests


Worky audits its Technical and Organizational Security Measures against data protection and information security standards on a regular basis. Such audits are conducted by Worky’s internal team or a designated third party as engaged by Worky. Upon written request and subject to the confidentiality provisions of the Agreement, Worky will make available to Client all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Client and performed by an independent auditor as agreed upon by Client and Worky.


Worky may request audits of Client’s Technical and Organizational Security Methods to ensure compliance with this DPA. Client will make available to Worky a summary of the most recent audit report and any other document reasonably required by Worky.


Either party requesting such audit information does so at their sole expense, and agrees to remunerate the other party of any costs associated with such audit requests.


Client’s request for an audit will not require Worky either to disclose to Client or its third-party auditor, or to allow Client or its third-party auditor to access:

  • Any data of any other client of Worky;
  • Worky’s internal accounting or financial information;
  • Any trade secrets of Worky or any client of Worky;
  • Any information that, in Worky’s reasonable opinion, could (i) compromise the security of Worky systems or premises; or (ii) cause Worky to breach its obligation under applicable law or its security and/or privacy obligations to any client or any third party; or
  • Any information that Client or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Client’s obligation under Data Protection Laws.


9. International Data Transfers


Worky may transfer and process Client Personal Data as requested by Client in other locations around the world where Worky and its Sub-processors maintain operations as necessary to provide Services.


Client hereby authorizes Worky to perform International Data Transfers:

  • to any country subject to a valid adequacy decision of the EU Commission or the competent authorities, as appropriate;
  • to the extent authorized by Supervisory Authorities or by the competent authority on the basis of an organization’s binding corporate rules;
  • to any data importer with whom Worky has entered into SCCs.


By signing this DPA, Client and Worky hereby agree to include the provisions of module two (Controller to Processor) and, to the extent Client is a Processor on behalf of a Third-Party Controller, module three (Processor to Sub-processor) of the Standard Contractual Clauses (“SSC”) as listed under the GDPR, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Client ; the “data importer” is Worky; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 17 option 1 is implemented and the governing law is the law of Belgium; the courts in Clause 18(b) are the Courts of Belgium; Annexes I and II to the SCCs are Appendixes I and II to this DPA respectively.


By signing this DPA, Client and Worky conclude the UK Addendum, which applies to International Data Transfers out of the UK in addition to the Standard Contractual Clauses, and which is hereby incorporated, and Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Client and the “Importer” is Worky, their details and signatures are set forth in the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in section 10.3 of this DPA; (iii) in Table 3, “Annex 1A” and “Annex 1B” to the “Approved EU SCCs” is Appendix I to this DPA and “Annex II” to the “Approved EU SCCs” is Appendix II to this DPA; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.


If Worky’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of Worky’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Client and Worky will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative SCCs are approved by the Supervisory Authorities or the new version of UK Addendum is approved, Worky reserves the right to amend the Agreement and this DPA by adding to or replacing, the SCCs or UK Addendum that form part of it at the date of signature in order to ensure continued compliance with Data Protection Laws.


10. Notifications


Client will send all notifications, requests, and instructions under this DPA to Worky via email to: legal@Worky.com.


Worky will send all notifications under this DPA to Client’s contact indicated in the Agreement.


11. Limitations of Liability

To the extent permitted by applicable law, where Worky has paid compensation, damages, or fines, Worky is entitled to claim back from Client that part of the compensation, damages, or fines, corresponding to Client ’s part of responsibility for the compensation, damages or fines.


Parties agree that the total combined liability limit (including indemnifications of any kind) to one another shall be set as provided under the terms of the Agreement as executed between the Parties.


12. Miscellaneous


Worky may modify the terms of this DPA as provided in the Agreement. Worky will notify Client of any such changes and effectiveness of such changes in accordance with this DPA or the Agreement. Changes to this DPA include, but are not limited to, the following circumstances:

If required or ordered to do so by any supervisory, judicial, governmental, or regulatory entity.

As required to implement or adhere to standard contractual clauses, various codes of conducts, policies, rules, procedures and any other mechanisms as required under Data Protection Laws.

In the event of a conflict between the Agreement and this DPA with respect to the subject matter of this DPA, the terms of this DPA shall control to the extent of such conflict.

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.


APPENDIX I

DESCRIPTION OF THE TRANSFER


A. LIST OF PARTIES

Data exporter:


Name: Client

Contact person’s name, position and contact details

Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.

Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller

Data importer:


Name: Worky LLC

Address: 9 Prince Road, Parsippany, NJ 07054

Contact person’s name, position and contact details: Ran Mukherjee, General Counsel, legal@Worky.com


Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.


Role (controller/processor): Processor on behalf of data exporter, or Sub-processor on behalf of Third-Party Controller


B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred:


Data subjects include Clients and the individuals about whom data is provided to Worky via the Services by (or at the direction of) Client.


Categories of Personal Data transferred:


Data relating to Clients or other individuals provided to Worky via the Services, by (or at the direction of) Clients. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Worky’s services, and demographic information.


Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Sensitive data is pseudonymized.


None anticipated.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):


On a continuous basis during the duration of the Services.

Nature of the processing:


The Personal Data will be processed and transferred as described in the Agreement.

Purpose(s) of the data transfer and further processing:


The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:


Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:


For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.


C. COMPETENT SUPERVISORY AUTHORITY


Pursuant to Clause 13, the supervisory authority of the EEA country where (i) Client is established; or where (ii) the EU representative of Client is established; or where (iii) the data subjects whose personal data are transferred under the SCCs in relation to the offering of goods or services to them, or whose behavior is monitored, are located.


APPENDIX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


Confidentiality

Electronic Access Control

No unauthorized use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media

Internal Access Control (permissions for user rights of access to and amendment of data)

No unauthorized Reading, Copying, Changes or Deletions of Data within the system as approvals are managed centrally, e.g., rights authorization concept, need-based rights of access, logging of system access events

Isolation Control

The isolated Processing of Personal Data, which is collected for differing purposes, e.g., multiple Client support, sandboxing;

Employee Control

Employees are bound by written confidentiality agreements

Employees receive training on data privacy and data security

Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)

The processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.

Integrity

Data Transfer Control

No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;

Data Entry Control

Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management

Job Control

Worky’s employees and contractors may only process Client and personal data strictly in accordance with the Agreement’s obligations and Client instructions.

Availability and Resilience

Availability Control

Prevention of accidental or willful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning

Rapid Recovery

Procedures for Regular Testing, Assessment and Evaluation

Data Protection Management

Incident Response Management;

Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)

Order or Contract Control

No third-party data processing as per Article 28 GDPR without corresponding instructions from Client, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls, duty of pre-evaluation, supervisory follow-up check.