Data Processing Agreement


Version No.: V1.0

Last Revision Date: 2021-10

Effective Date: 2021-10


Preface

You are welcome to use BioTime software and services!

ZKTeco understands the importance of personal data and will do everything possible to ensure the safety and reliability of your personal data. We are committed to preserving your trust in us by protecting your personal information based on the following principles: responsibility in accordance with authority, purpose specification, informed consent, minimum necessity, security safeguards, subject participation, openness and transparency, etc. ZKTeco also commits to protecting your personal information by implementing appropriate security measures in accordance with industry-accepted security standards.

Please read carefully and fully understand the contents of each clause. Users have no right to download, install or use the software and related services unless they have read and agreed to all the terms of this Agreement. Users who have downloaded, installed or used BioTime software, or logged into their account, will be deemed to have read and agreed to be bound by this Agreement.

I. Scope of application

This Agreement governs the downloading, installation, and use of ZKTeco's software and related services by and between users and ZKTeco. "ZKTeco" refers to Xiamen ZKTeco Information Technology Co., Ltd. and its affiliates providing related services (hereinafter referred to as "We"). "Users" refer to individuals or organizations that register, log in and use the software and services, and have obtained relevant management authority (hereinafter referred to as “You”).

II. Scope of data processing

Our provision of related services to you may involve the collection of personal data; please refer to the table below for details.

Business Scenario: We will provide remote or on-site technical support to users.

Business Activities: We may have access to users' personal data during the process of software implementation, operation and maintenance.

Data Inventory:

  Personnel Module: Employee ID, Department (Required), Name, Gender, Position, Hired Date, Birthday, Various Document Information (Document Photo, ID Number, Passport, Driver's License, etc.), Address, Office Tel, Mobile, Nationality, Email, Card Number, Password, Fingerprint, Palm, Face, Bio-Photo, Salary Information (Not Required);

  Attendance Module: Location Information Uploaded from Mobile APP (Required) and Attendance Photos (Not Required);

  Salary Module: Employee Salary Information (Not Required);

  Visitor Module: Visitor Certificate Type, Certificate Number (Required), Visitor Code (Automatically Generated by the System), Name, Gender, Card Number, Password, Fingerprint, Palm, Bio-Photo (Not Required);

  MTD Module: Body Temperature Information;

  System Module: System User Name, Login Password (Required), Name, Email, Fingerprint.

Types of Data Subject: Users

Data Processing Activities Involved and Purpose of Use: Involving the storage, analysis, and deletion of personal data, which are used for business information display and analysis, including display, updating, data maintenance, personal marking, security tracing, business requirements, research, basic maintenance and account management.

Business Scenario: Customers submit questions/requirement feedback online.

Business Activities: Customers may submit online feedback on software problems or requirements that arise during the use of the software.

Data Inventory: User Name (Name/Nickname/Alias/Code), Email, Country.

Types of Data Subject: User

Data Processing Activities Involved and Purpose of Use: Involving the collection of personal data.


III. Definitions

Unless otherwise agreed by the parties, the terms herein are defined in alphabetical order as follows.

(1) "Data Subject" refers to a natural person whose identity has been or can be determined. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(2) "EU Standard Contractual Clauses" refer to the relevant standard contractual clauses in the General Data Protection Regulation (16/79/EC, starting from Article 44) (and under Article 26(2) of Data Protection Directive 95/46/EC) governing the transfer of personal data to processors established in third countries/jurisdictions that cannot ensure adequate data protection. These clauses have been published on the relevant website of the EC and are subject to amendment or updating at any time.

(3) "Personal Data" refers to any information relating to an identified or identifiable natural person ("data subject").

(4) "Personal Data Breach" refers to, under local privacy laws, a breach of security, including but not limited to behaviors leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(5) "Privacy Laws" refer to any and all applicable laws and/or regulations regarding security and protection of personal data (such as GDPR or any applicable privacy laws in other countries) and any and all laws and regulations implemented or enacted based on such laws and regulations, as well as the amended, updated or reissued versions thereof.

(6) "Regulatory Bodies" refer to government departments, regulatory authorities, statutory bodies and other institutions that have the authority to supervise, investigate or affect matters related to data security and personal data and privacy protection in accordance with laws, rules, regulations, codes of conduct or other documents.

(7) "Services" refer to personal data processing services provided by ZKTeco in accordance with the specific service agreement and other contracts concluded with users.

(8) "Sub-processor" refers to an organization or individual, other than ZKTeco and its affiliates, that processes personal data.

IV. Data processing requirements

(1) Data processing principle

We will process personal data in accordance with the general principles of "lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability". We will only carry out data processing pursuant to your instructions and within the scope and for the purpose agreed herein. If we believe that your instructions violate any applicable privacy laws, we will notify you immediately. We will fully support you in protecting the rights of the data subject, such as the rights of access, correction and deletion.

(2) Processing of special types of personal data

We will not process any personal data that may reveal racial or ethnic origin, political opinions, or membership in trade unions, or biometric data that uniquely identifies a natural person, in any manner that violates applicable privacy laws.

(3) Cross-border transfer of personal data

By default, we will not transfer personal data across borders. We will only transfer personal data across borders if you request it in compliance with applicable privacy laws. Where appropriate, we will, in accordance with local privacy laws and with the consent of the data subject (if necessary), conclude a data transfer agreement or a standard contract (for the contract template, refer to the EU Standard Contractual Clauses) with you, to ensure that both parties agree to perform their obligations in relation to cross-border personal data transfer.


(4) Data security

When processing personal data, we will, in accordance with applicable privacy laws and your requirements, adopt effective technical and organizational measures to ensure that personal data that is likely to be accessed during data processing is kept confidential at a level not inferior to that of our own information, and, without your written consent, we will not disclose your personal data to any third party, in order to prevent possible breaches.

(5) Data breach emergency response mechanism

  1. If we discover a personal data breach, we will send you a written notice within twenty-four (24) hours, fulfilling our obligation to notify regulatory bodies and data subjects in accordance with applicable privacy laws. The following information will be included in such a notice:

(1) A summary of the impact of the personal data breach, including but not limited to, a description of the nature of the personal data breach, the type and number of data subjects, and any relevant personal data processing records.

(2) The possible risks and consequences of the personal data breach.

(3) Actions we have taken or suggestions we have made in response to the data breach.

(4) Our data protection officer's contact information: product.biotime@zkteco.com.

(5) Any other personal data breach-related information that you may reasonably request.

(6) If all of the above information cannot be provided at once, it will be provided in stages over the following thirty-six (36) hours or within the time frame you specify.

  2. In the event of a personal data breach, we will investigate, identify, prevent, and mitigate the impact as soon as possible, and will take necessary remedial measures with your consent.

(6) Introduction of sub-processors

  1. Without your consent, we will not subcontract or outsource any personal data processing business to any sub-processor.
  2. As required by applicable laws, we shall sign a data processing agreement with the sub-processor and conduct due diligence on it. We will pass on your requirements to the sub-processor and be liable for any negative impact or adverse consequences caused by the data processing behavior of the sub-processor or any third party designated by it.

(7) Deletion of personal data

Unless otherwise required or prescribed by privacy laws, we will delete all personal data relating to you at your request after we have fulfilled our obligations under the applicable agreement between us, and we will prove to you that we have done so.

V. Responsibilities

As a data controller, you are responsible for ensuring that applicable privacy laws are followed. You must determine whether the processing of personal data stored on the software is legal. You must ensure that any personal data you provide to us is lawful.

VI. Power of inspection

Once a year, you may inspect our compliance with the terms of the applicable agreements and this Agreement.

VII. Governing law

This Agreement shall be governed by the laws of the member countries where users are located.