Our FAQ about GDPR
On this page, you get the answers to the GDPR questions our customers often ask. If you have any further questions, please do not hesitate to contact our support.
Q: When does TimeLog have a data processing agreement in place?
A: We have published our data processing agreement on our website which you can find a copy of here. The TimeLog responsible will always be able to access it directly in TimeLog.
Q: Is customer data separated in TimeLog?
A: Yes. Each customer has its own database, and the customers cannot access each other’s data.
Q: Does TimeLog have an R&D department outside EU?
A: Yes, we have an R&D department in Malaysia.
Q: Do TimeLog’s Malaysian developers have access to our personal data?
A: No, our Malaysian developers do not have direct access to your personal data.
There will be situations where they need to solve support tickets, and here it is required that they have access to your database to solve the issue. In these cases, we take a copy of your database on a test server, where all your data is anonymised. This means that no specific personal data will be visible. Instead, the original personal data will appear as Employee 1, Employee 2 etc. Phone numbers and address will not be visible.
When you send a screenshot for a support ticket, which our Malaysian developers need to solve the challenge, we technically send personal data outside of EU. Therefore we have a separate data processing agreement with our development partner so that we can live up to our responsibilities as a data processor and still provide the best service to our customers.
Q: Who is the data controller and who is the data processor?
A: The data responsible is the one collecting data, i.e. you. The responsible person is the link between TimeLog and you as customer regarding everything related to data protection and EU’s General Data Protection Regulation (GDPR).
The responsible contact will also be the one to receive news about changes related to data protection, e.g. change of sub data processors.
We are the data controller and our role is to handle data on your behalf.
Q: Do TimeLog want our employees to sign a contract? We are only interested in a data processing agreement between our company and TimeLog.
A: No, TimeLog does not want your employees to sign a contract. As you are collecting data about your employees, we recommend that you inform your employees that you are collecting data about them and why you do it. You should get consent to collect data about your employees.
GDPR is solely a process between you and your employees.
That said, we as data processor is obligated to guide you in how you should relate to GDPR. These recommendations will be part of our data processing agreement, so we live up to our responsibility as a data processor.
Q: How is the data processing agreement applicable to our subsidiaries using the same TimeLog site?
A: We only sign one data processing agreement with the main contract owner. This means that it is the main contract owner’s responsibility to manage your internal administration of which data you enter in TimeLog because you are the data controller.
Q: How can the data controller request further insight into data in TimeLog?
A: At TimeLog, it is only the data controller who can ask to gain insight into data in the TimeLog system. The insight may e.g. relate to deletion of data, import, export, and change of data. You can get more information here: System administration -> General settings -> Personal data protection.
If a different employee than the data controller requests insights into your data, we first inform the GDPR responsible contact and ask for his/her consent.
As a data controller, you need to contact us via e-mail firstname.lastname@example.org. You may expect up to four weeks processing time.