Data Processing Addendum
In consideration of the mutual promises and covenants contained herein and other good and valuable consideration, the sufficiency of which is hereby acknowledged, TCP and Client agree as follows:
1.1 "Personal Data" means any information that can be used to identify, locate or contact an Employee or User.
1.2 "Subprocessor" mean any third party processor engaged by TCP for the purposes of processing Personal Data.
1.3 "Biometric Data", including biometric identifiers and biometric information, means a retina or iris scan, fingerprint, photograph, voiceprint, or scan of hand or face geometry, regardless of how it is captured, converted, stored, or shared, which is used to identify an individual.
2.1 To the extent that Client collects, captures, or otherwise obtains biometric data relating to an employee, Client must first (i) inform the employee in writing that Client is collecting, capturing, or otherwise obtaining the employee’s biometric data, and that Client is providing such biometric data to TCP; (ii) inform the employee in writing of the specific purpose and length of time for which the employee’s biometric data is being collected, stored, and used; and (iii) receive a written or electronic release by the employee authorizing Client to collect, store, and use the employee’s biometric data for the specific purposes disclosed by Client, and for Client to provide such biometric data to TCP.
4.1 Instructions. TCP will process certain categories and types of Personal Data only upon Client’s instructions and in accordance with applicable data protection laws (e.g. GDPR, BIPA). Client is responsible for ensuring that all Users who provide instructions are authorized to do so and agrees that TCP will only perform processing activities that are necessary and relevant to provide the Services.
4.2 Requests. Client will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which is was obtained. Client agrees to adopt a balanced and reasonable policy for managing Subject Access Requests (SARs) and 3rd party disclosures which safeguard the rights of all data subjects and respects the original purpose of the data collection. Client, as Data Controller, will be responsible for receiving, investigating, documenting, and responding to all User and Employee requests for inspection or erasure of Personal Data.
4.3 Assistance. Should Client receive a request from a data subject for the exercise of the data subject’s rights under applicable data protection laws, and the correct and legitimate reply to such a request necessitates TCP’s assistance, TCP shall assist the Client by providing the necessary information and documentation. TCP shall be given reasonable time to assist the Client with such requests in accordance with the applicable law.
4.4 Confidentiality. TCP shall treat all Personal Data as strictly confidential information that may not be copied, transferred, or otherwise processed without the instruction of the Client. Transfer of Personal Data to another data controller or data processor (e.g. HRIS or Payroll application) is at the sole discretion of the Client and shall comply with applicable data protection laws.
Breaches of Security. TCP shall implement reasonable and appropriate security procedures consistent with prevailing industry standards and applicable data protection laws to protect Client Data from unauthorized access by physical and electronic intrusion. TCP will promptly report to Client any unauthorized access to Client Data upon discovery and in accordance with applicable data breach notification laws. TCP will use diligent efforts to promptly remedy any breach of security that permitted such unauthorized access. In the event notification to persons included in such Client Data is required, TCP and TCP’s third party breach notification contractor will control all breach notifications.
All other terms and conditions of the Licensing Agreement shall remain in full force and effect. In the event terms of this Amendment conflict with terms of the Licensing Agreement, the terms of this Agreement shall govern.