Our FAQ about GDPR

On this page, you get the answers to the GDPR questions our customers often ask. If you have any further questions, please do not hesitate to contact our support.

Q: When does TimeLog have a data processing agreement in place?

A: We have published our data processing agreement on our website, and you can find a copy of it here. The TimeLog responsible will always be able to access it directly in TimeLog.

Q: Is customer data separated in TimeLog?

A: Yes. Each customer has its own database, and the customers cannot access each other’s data.


Q: Does TimeLog have an R&D department outside the EU?

A: Yes, we have an R&D department in Malaysia.

Q: Do TimeLog’s Malaysian developers have access to our personal data?

A: No, our Malaysian developers do not have direct access to your personal data.

There will be situations where they need to solve support tickets, and solving the issue requires access to your database. In these cases, we take a copy of your database on a test server, where all your data is anonymised. This means that no specific personal data will be visible. Instead, the original personal data will appear as Employee 1, Employee 2 etc. Phone numbers and addresses will not be visible.

When you send a screenshot for a support ticket, which our Malaysian developers need to solve the challenge, we technically send personal data outside the EU. Therefore, we have a separate data processing agreement with our development partner so that we can live up to our responsibilities as a data processor and still provide the best service to our customers.

Q: Who is the data controller and who is the data processor?

A: The data responsible is the one collecting data, i.e. you. The responsible person is the link between TimeLog and you as customer regarding everything related to data protection and the EU’s General Data Protection Regulation (GDPR).

The responsible contact will also be the one to receive news about changes related to data protection, e.g. change of sub data processors. 

We are the data controller and our role is to handle data on your behalf.

Q: Does TimeLog want our employees to sign a contract? We are only interested in a data processing agreement between our company and TimeLog.

A: No, TimeLog does not want your employees to sign a contract. As you are collecting data about your employees, we recommend that you inform your employees that you are collecting data about them and why you do it. You should get consent to collect data about your employees.

GDPR is solely a process between you and your employees.

That said, we, as data processor, are obligated to guide you in how you should relate to GDPR. These recommendations will be part of our data processing agreement, so we live up to our responsibility as a data processor.

The above information is completed based on the Confederation of Danish Industry’s, The Danish ICT Industry Association’s (IT-Branchen) and The Danish Data Protection Agency’s websites.

Q: How is the data processing agreement applicable to our subsidiaries using the same TimeLog site?

A: We only sign one data processing agreement with the main contract owner. This means that it is the main contract owner’s responsibility to manage your internal administration of which data you enter in TimeLog, because you are the data controller.

Q: How can the data controller request further insight into data in TimeLog?

A: At TimeLog, it is only the data controller who can ask to gain insight into data in the TimeLog system. The insight may e.g. relate to deletion of data, import, export, and change of data. You can get more information here: System administration -> General settings -> Personal data protection.

If a different employee than the data controller requests insights into your data, we first inform the GDPR responsible contact and ask for his/her consent.

As a data controller, you need to contact us by e-mail at support@timelog.com. You may expect up to four weeks’ processing time.

Q: What is the process for data flows from collection to deletion of data? The following processes are described: collection, storage, access, purpose, sharing, transfer and deletion.

A: Example of a data flow.

Collection: Employees track time either via browser, TimeLog Mobile or TimeLog for Desktop. User log-in can be controlled by AD two-factor authentication (SSO).

Storage: Data is stored on Microsoft SQL servers in a virtual server environment operated by TimeLog’s hosting partner GlobalConnect. Our customers have their own databases.

Access: At TimeLog, only the data responsible can ask for insights into data in the TimeLog system. The insights could e.g. be about data deletion, import, export or scripting of data. You can read more here: System administration -> General settings -> Personal data protection.

If a different employee than the data controller requests insights into your data, we first inform the GDPR responsible contact and ask for his/her consent.

Purpose: Leadership, project management and HR staff use data for salary management. Users can be across the world and gain access to data via a browser. TimeLog is a fully role-based system, ensuring that only users allowed to see specific data will see it.

Sharing: TimeLog has an R&D department in Malaysia. There may be situations where our Malaysian developers need to solve support tickets. This requires access to your database to solve the issue. In these cases, we take a copy of your database on a test server, where all your data is anonymised. This means that no specific personal data will be visible. Instead, the original personal data will appear as Employee 1, Employee 2 etc. Phone numbers and addresses will not be visible.

Transfer: Data is transferred over HTTPS to the database servers located in two physical locations in Copenhagen, Denmark.

Deletion: TimeLog has a built-in automatic anonymisation and deletion process, which will anonymise and delete data defined by the DPO (Data Protection Officer).

When a customer terminates their contract with TimeLog, we keep the database inactive for six months and then the data is deleted automatically. In the first month, the data is kept in the production environment.

The GDPR responsible at the customer has the option to ask for deletion of data earlier than six months.

Q: Which systems do you use to collect and store personal data?

A: Data is stored on a SQL server located in a VMware environment. The server is operated by our Danish hosting provider, GlobalConnect (private cloud). GlobalConnect runs their services from multiple physical locations in Copenhagen, Denmark. The data responsible at TimeLog has access to and maintains the application layer and up, while GlobalConnect maintains the operating system and down in the stack. You can read more about GlobalConnect’s GDPR compliance in this ISAE 3402 declaration. The declaration covers the period from 01 January to 31 December 2020. The declaration contains the description of security controls, their structure and operational effectiveness related to data center solutions in Denmark and Germany.

Time tracking can be done through the iOS app, Android app, desktop app (Electron), an Outlook app (optional) and various web browsers. Login can be controlled using SSO.


Q: Where can I read more about what you do with my personal data?

A: You can read more about it in our data processor agreement and our privacy policy.

 


Last updated

This page was updated on 14 February 2023. 


We have obtained both the ISAE 3000 and 3402 reports. Learn how they help secure your data in our FAQ.