This Data Processing Agreement ("DPA") forms part of the agreement between T-Systemm ("Processor") and the subscribing organization ("Controller") and governs the processing of personal data in connection with the Service. This DPA is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
1. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person processed through the Service
- "Processing" — any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion
- "Data Subject" — the individual to whom the Personal Data relates (typically the Controller's employees)
- "Sub-processor" — a third party engaged by T-Systemm to process Personal Data on behalf of the Controller
2. Scope and Purpose of Processing
2.1 Categories of Data Subjects
Employees, contractors, and other personnel of the Controller whose compensation data is uploaded to the Service.
2.2 Types of Personal Data
- Names, job titles, department assignments
- Employment dates and tenure
- Base salary and compensation figures
- Performance metrics (as provided by Controller)
- Calculated bonus and variable pay amounts
2.3 Purpose
Processing is performed solely to provide the compensation distribution and calculation services as described in the Terms of Service, and as instructed by the Controller.
3. Obligations of the Processor
T-Systemm shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure data security (see Security Overview)
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability)
- Assist the Controller in fulfilling obligations related to data breach notification
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
4. Obligations of the Controller
The Controller shall:
- Ensure that the processing of Personal Data through the Service has a valid legal basis
- Provide all necessary notices to and obtain all necessary consents from Data Subjects where required
- Ensure that instructions given to T-Systemm comply with applicable data protection laws
- Be responsible for the accuracy and lawfulness of the Personal Data provided
5. Sub-processors
The Controller grants general authorization for T-Systemm to engage Sub-processors. A current list is maintained at /subprocessors/. T-Systemm will:
- Notify the Controller of any intended additions or replacements of Sub-processors at least 30 days in advance
- Impose the same data protection obligations on Sub-processors as contained in this DPA
- Remain fully liable to the Controller for the Sub-processor's performance
If the Controller objects to a new Sub-processor, it may notify T-Systemm within 14 days. T-Systemm will work to find an alternative; if none is feasible, the Controller may terminate the affected Service component.
6. Data Breach Notification
T-Systemm will notify the Controller of any confirmed Personal Data breach without undue delay, and in any event within 48 hours of becoming aware of the breach. The notification will include:
- Nature of the breach, including categories and approximate number of affected Data Subjects
- Name and contact details of the T-Systemm point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
7. International Transfers
Where Personal Data is transferred outside the EEA, T-Systemm relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914). EU data residency options are available for Enterprise clients.
8. Data Retention and Deletion
Upon termination of the Service or upon written request, T-Systemm will:
- Provide a full data export in a standard machine-readable format (CSV/JSON)
- Delete all Personal Data from production systems within 30 days
- Delete Personal Data from backups within 90 days
9. Audits
The Controller may audit T-Systemm's compliance with this DPA, subject to reasonable notice (at least 30 days), during business hours, and no more than once per year. T-Systemm may provide third-party audit reports or certifications as an alternative to on-site audits.
10. Term and Termination
This DPA remains in effect for the duration of the Service agreement. Data processing obligations survive termination until all Personal Data has been deleted or returned as specified in Section 8.
11. Contact
For DPA-related inquiries: privacy@t-systemm.net