Operator (data processing) agreement

Between Werktyd (“Operator”) and the registered business using it (“Responsible Party”). Template — have it reviewed by your attorney before relying on it.

1. Roles. The Responsible Party determines the purpose; the Operator processes employee attendance data only on the Responsible Party’s documented instructions (POPIA ss.20–21).
2. Purpose limitation. Processing is limited to time-and-attendance. No secondary use; no sale of data.
3. Security. The Operator applies reasonable safeguards (POPIA s.19): identifying data encrypted at rest, access control, audit logging, and biometric data stored as numeric templates only (no raw photographs).
4. Sub-operators. Hosting is in Germany (EU/GDPR). The Operator stays responsible for its sub-operators.
5. Cross-border transfer. The Responsible Party authorises EU processing, relying on GDPR adequacy under POPIA s.72, disclosed in the worker notice.
6. Breach. The Operator notifies the Responsible Party without undue delay of any security compromise so it can meet its POPIA s.22 duties.
7. Data-subject rights. The Operator assists the Responsible Party with access, correction, deletion and objection requests.
8. Retention & deletion. Biometric templates are deleted on a worker’s termination (after a short buffer); time records are kept per the BCEA (3 years) then deleted. On termination of this agreement, data is returned or deleted.

© Werktyd. This is a template, not legal advice.