Data Processing Agreement

Last updated: April 20, 2022

    The terms used in Agreement will have the same meaning as assigned to them below and in the Personal Data Protection Law, which among others imply that:
    1. “Timerise” means Timerise Sp. z o.o. with its registered office in Wroclaw, Poland, address: ul. Inowrocławska 21C/1, 53-653 Wroclaw, Poland, e-mail: [email protected], tax identification number (NIP): 8971890756;
    2. “Agreement” means this data processing agreement;
    3. “Main Agreement” means agreement under which you use the Services which Terms and Conditions are available at
    4. “Services” means Timerise services enabling Customer e.g. to use Platform.
    5. “Platform” means online booking platform created, developed and maintained by Timerise, which could be integrated into the customer’s website, used by end-users directly from the customer’s website.
    6. “Personal Data” means any information that, directly or indirectly, can identify a living natural person, to whom processing is entrusted under the Agreement;
    7. “Processing” means any operation or set of operations performed with regard to personal data, whether or not performed by automated means, for example collection, recording, organization, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction;
    8. “Data Controller” means anyone who alone or jointly with others determines the purposes and means of the processing of personal data, that is, you as a customer using the Timerise’s Services;
    9. “Data Processor” means a anyone who processes personal data on behalf of the data controller, that is Timerise as provider of the Services you use;
    10. “Sub-Processor” means a sub-contractor that is engaged by Timerise. The sub-processor processes personal data on behalf of Controller in accordance with the sub-processor’s obligation to provide its services to Timerise;
    11. “GDPR” means Regulation (EU) 2016/679 of the European Parliament of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
    12. “Force Majeure” means a situation beyond the reasonable control of the affected party, including, but not limited to, fires, floods, epidemics, including events associated with combating SARS-CoV-2 infection and the spread of the infectious disease caused by that virus, embargoes, war (whether war is declared or not), insurrections, riots, civil unrest, strikes, omissions or delays in the operation of any administrative body.

    1. The Controller entrus Timerise as the Processor of the processing of Personal Data, and therefore agrees to process the Personal Data in accordance with the GDPR and this Agreement.
    2. Personal Data entrusted by the Controller includes Personal Data of individuals using the Timerise Platform in connection with providing Services. The Personal Data entrusted under this Agreement are set out in Annex No. 1.
    3. Timerise will process Personal Data only for the term of the Main Agreement.
    4. Timerise and the Controller agree that there will be no case of automated decision-making performance using Personal Data.
    5. This Agreement constitutes the Controller’s documented instruction to process the Personal Data. Timerise will immediately inform the Controller, if the instruction constitutes a breach of the GDPR, this Agreement or other applicable data protections laws.

    1. The Controller declare by conclude this Agreement that:
      1. the Personal Data are processed in connection with the Controller’s business or statutory activities,
      2. the Controller have and adequate and valid legal basis for processing the Personal Data as required by the GDPR or other applicable data protections laws,
      3. there are no legal impediments preventing the entrustment of the Personal Data processing to Timerise in accordance with this Agreement.
    2. The Controller is obliged to promptly notify Timerise of any circumstances that may prevent it from properly performing this Agreement.

    1. Timerise will implement appropriate technical and organizational measures, taking into account the nature, scope, context and purposes of the processing and the risk of infringement of the rights of freedoms of natural persons of varying probability and seriousness, to ensure that the processing is carried out in accordance with the GDPR.
    2. Timerise will provide the Controller a description of the technical and organizational measures which Timerise uses, within 10 working days of the Controller’s request.
    3. The description of the technical and organizational measures is a trade and business secret of Timerise. The Controller is obliged to maintain confidentiality regarding the technical and organizational measures of Timerise.
    4. Timerise declares that it will allow persons to process Personal Data who will be acting under Timerise authority and whose access to Personal Data is necessary for the provision of the Services, and keep a record of such persons. In addition, persons authorized to process Personal Data will undertake to maintain confidentiality or be binding by an appropriate statutory obligation of confidentiality.

    1. Timerise assists the Controller, through appropriate technical and organizational measures, assist the Controller, to comply with obligation to respond to requests from the personal data subject in exercising their rights set out in Chapter III of the GDPR, within Timerise’s capabilities and taking into account the nature of the processing of Personal Data.
    2. Timerise assists the Controller to comply with the obligations set out in Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Timerise.
    3. Timerise is obliged to inform the Controller immediately of any proceeding concerning the Personal Data by courts or administrative authorities, decision or ruling, and of any check and inspections by supervisory authority concerning the Personal Data entrusted under this Agreement.
    4. Timerise cannot delete or modify Personal Data without the Controller’s documented instructions.

    1. Timerise will provide the Controller with access to all information required to verify that the obligations set out in this Agreement are complied with Timerise, taking into account the limitations imposed by trade and business secrets of Timerise and Sub-processors.
    2. If the Controller uses third party services to perform the audit, this third party cannot be a Timerise competitor. In addition the Controller is obliged to undertake this third party to maintain confidentiality with respect to all information about Timerise which are trade and business secrets.
    3. The Controller is obliged to inform Timerise about the planned audit no later than fourteen (14) business days before audit. The notic about planned audit should include the planned scope of this audit.
    4. The conduct of an audit must not impose an undue burden on Timerise. In particular, an audit must not be conducted outside of Timerise’s normal business hours or take longer than three (3) business days.
    5. An audit will not be conducted more frequently than once per year, unless the need for an additional audit arises as a result of a violation of personal data protection by Timerise.
    6. In case if an audit consists of providing information relating to the processing of Personal Data on the Controller’s request, Timerise will provide necessary information no later than seven (7) business days of receiving such request.
    7. The audit will be documented by a protocol signed by both Parties. In case if the Controller identified concerns about processing of Personal Data, the Controller is entitled to make recommendations. Timerise will implement the necessary remedies if it is justified and relate to Timerise’s undisputed obligations.
    8. The Controller bears all costs of an audit.
    9. If the Controller breaches its obligations indicated on Section 6, Timerise will be entitled to refuse to allow the audit to take place, which will not constitute a breach of performance of this Agreement and the Controller will not be entitled to any claims on this.

    1. Timerise receives a general authorization to engage Sub-Processors to process Personal Data entrusted to Timerise under this Agreement.
    2. Sub-Processors involved at the time of the conclusion of this Agreement are listed in Appendix No. 2.
    3. Timerise is obliged to inform the Controller about any plans regarding the involvement of new Sub-Processors. The Controller can oppose such changes within five (5) business days from the moment of obtaining information from Timerise.
    4. The Controller declares that it has a knowledge that objecting to a change of Sub-Processors: (i) may result in Timerise’s inability to continue to perform the Services, of which Timerise will inform the Controller immediately; (ii) entitles Timerise to terminate the Main Agreement and/or this Agreement on 14 days’ notice without negative legal consequences of such termination. During the notice period, Timerise will not use the Sub-Processors to which the objection has been raised.
    5. Timerise will ensure that Timerise uses only such Sub-Processors that provide sufficient guarantees to implement appropriate the requirements of GDPR and this Agreement.

    1. If Timerise becomes aware of a Personal Data breach, Timerise is obliged to inform the Controller within the next 48 hours.
    2. The notification should include:
      1. a description of the nature of the Personal Data breach, including, to the extent possible, indicating the categories and approximate number of data subjects and the categories and approximate number of Personal Data records affected by the breach;
      2. the name and contact details of a person from whom further information may be obtained;
      3. a description of the possible consequences of the Personal Data breach;
      4. a description of the measures which Timerise have taken or propose to take to remedy and minimize the consequences of the Personal Data breach.
    3. If, and to the extent that, information cannot be provided at time indicated above, it may be provided sequentially without undue delay.
    4. Timerise is obliged to maintain a record of Personal Data breaches.

    1. Timerise’s liability for damage caused by the processing of Personal Data will be limited to three thousand (3,000) EUR.
    2. Neither Party will be liable to the other Party, nor will it be deemed to have failed or failed to comply with its obligations under this Agreement by reason of a failure to perform, or a delay in performing, any obligation under this Agreement where such failure or delay is caused or arises from Force Majeure, provided, however, that the Party concerned will make reasonable efforts to avoid or remedy such failure or delay and will continue to perform the obligation under this Agreement with reasonable disposition when it has done so. Each Party will promptly inform the other Party of any delay or non-performance caused by Force Majeure. The Parties will endeavor to resolve the delay or non-performance as specified above.

    1. If the Controller process Personal Data of individuals who are residents of the State of California, USA (“Resident”) within the meaning of the California Consumer Privacy Act (“CCPA”) and transfer such data to Timerise as the Processor under this DPA and the Main Agreement, the Controller must notify Timerise about that fact before we start to processing the Personal Data.
    2. Timerise will not collect, store, use or disclose Resident’s Personal Data except as necessary to fulfill the Controller’s business purpose according to the Main Agreement or the CCPA.
    3. Timerise will also not sell Resident’s Personal Data to anyone.
    4. Timerise will not be liable for the Controller’s violations under the CCPA.

    1. In the event that Timerise is in breach of its obligations under this Agreement and fails to remedy the deficiency within fourteen (14) days of Timerise being notify of the breach, or within the time period agreed between Parties, the Controller has the right to terminate this Agreement with immediate effect or the longer period of notice notified by Controller.
    2. When the Agreement expires or terminates, Timerise will, based on Controller’s instructions, delete or return to Controller, in a manner acceptable to Controller, all personal data, and delete existing copies unless storage of personal data is required under GDPR or other applicable laws, within fourteen (14) days.
    3. Timerise is entitled to process Personal Data in anonymized form, as it is no longer Personal Data within the meaning of the GDPR.

    1. The remuneration due to Timerise under the Main Agreement also includes performance of Timerise’s obligations under this Agreement.
    2. This Agreement will become effective as of the date of the Main Agreement being an integral part of it.
    3. Any changes to this Agreement must be made in at least electronic form, otherwise being null and void.
    4. Appendixes to this Agreement are its integral part:
      1. Appendix No. 1 – a list of Personal Data that is entrusted to us under this Agreement,
      2. Appendix No. 2 – a list of Sub-Processors.
    5. The Controller represents and warrants that the person acting on behalf of the Controller, including the person which concluded this Agreement, is the person authorized to represent the Controller and conclude this Agreement.
    6. If any provision of this Agreement is invalid or ineffective, the remaining part of this Agreement provisions will be binding and in effect despite this fact.
    7. This Agreement is governed by Polish law, as well as the Polish courts will solve any disputes arising out of it.
    8. The Parties undertake to settle any disputes amicably within 30 days. If it is not possible to settle the dispute amicably, the common court of law with jurisdiction over Timerise’s registered office will be competent to hear the case.