GDPR Policy

“Personal Data”

Any personal data (as defined in the Data Protection Legislation) processed as part of or in relation to the Services.


A data processor or processor (as defined in the Data Protection Legislation).


A natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).

Personal Data Protection

1.1 Information on personal data processing:

The parties acknowledge that the Personal Data provided by the Client or its staff members and representatives will be processed by Time is Ltd as a Controller, for the purpose of, or in connection with:

(i) compliance with the applicable legal, regulatory or professional requirements; (ii) addressing requests and communications from competent authorities; (iii) Contract administration, financial accounting, internal compliance and risk analysis, and client relationship purposes; (iv) utilization of systems and applications (hosted or internal) for information technology and information system services (the “ Purposes”).

The Personal Data may include data regarding the Client’s representatives, personnel, project team members, suppliers and contractors, as well as the Personal Data included in the information obtained by Time is Ltd in relation to the Contract.

For the Purposes indicated above, the Personal Data may be disclosed/transferred to and processed by the Recipients of Personal Data (including the Personal Data Controllers and Personal Data Processors) as indicated in the applicable Time is Ltd Privacy Notice. The transfers of personal data may include transfers outside of the European Economic Area (EEA) but only provided that the legal obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled.

1.2 The above is a summary of the applicable Time is Ltd privacy notice (the “Privacy Notice”) and is not a complete reflection of the Privacy Notice, which is available at [add the link]. To the extent that it does not involve a disproportionate effort, the Client shall ensure that the Privacy Notice is brought to the attention of data subjects (its relevant staff members, representatives, contractors and clients).

1.3 Data Retention: The engagement documentation, including the Personal Data shall be retained for a period of 10 years following the expiration of the contractual relationship or as required by the relevant regulations or any other applicable laws and regulations.

1.4 Each party shall comply with the Data Protection Legislation when processing Personal Data. The Client confirms that all the Personal Data provided to Time is Ltd has been collected lawfully, fairly and in a transparent manner.

1.5 Without prejudice to Clauses above, the parties acknowledge and agree that when processing Personal Data as part of the Services, Time is Ltd will process such Personal Data as a Processor of the Client.

1.5.1 In such circumstances, the scope of the processing of Personal Data carried out by Time is Ltd as a Processor of the Client under this Contract is as follows:

Subject matter, nature and purpose of the processing: provision of Services under the Engagement Letter;

Duration: for the term of the Engagement Letter;

Types of Personal Data and categories of data subjects: first and middle names, surnames, business contact data and any information provided for the purpose of provision of the Services by the Client or by the data subjects (relevant staff members, representatives, contractors and clients directly).

1.5.2 Without prejudice to Clauses 1.1 to 1.4, Time is Ltd shall only process Personal Data upon the documented instructions of the Client provided herein, for the purpose stipulated in Clause 1.5 or as required or requested to process such Personal Data for other purposes by applicable law or regulatory authorities. In such circumstances, Time is Ltd shall provide prior notice to the Client unless the relevant law or regulatory authority prohibits the giving of notice on important grounds of public interest.

1.5.3 Time is Ltd shall inform the Client if (in Time is Ltd’s opinion) the Client’s instructions would be in breach of the applicable Data Protection Legislation and shall not follow the respective instruction of the Client. Both parties will make their best effort to reconcile the Client instructions to be in line with the Data Protection Legislation. If the Client’s instruction is not changed, Time is Ltd will be forced to terminate the Personal Data processing immediately, which may significantly affect the provision of Services to the Client (including termination of the Service provision). In this case, Time is Ltd shall be entitled to all fees as agreed in the Contract and to all the costs incurred in connection with the termination of Personal Data processing in accordance with Clause 1.5.3.

1.5.4 Time is Ltd shall only subcontract processing of Personal Data in accordance with the general written authorisation set out in Clause 1.5.9 and shall ensure that it has a written contract with any further Processors (sub-processors) it engages to process Personal Data. That contract must impose obligations on the Processor (sub-processor) equivalent to those in this Clause 1.5 and Time is Ltd shall ensure that such Processor (sub-processor) complies with those obligations. The further Processors or sub-processors in the context of this Clause 1.5.4 are solely the Subcontractors approved by the Client in the Engagement Letter/Contract or otherwise.

1.5.5 Upon termination of this Engagement Letter, and at the option of the Client, Time is Ltd shall promptly return or delete the Personal Data and confirm that it has done so (except where Time is Ltd is obliged by applicable law to retain a copy of such Personal Data). For the avoidance of doubt, nothing in this Clause 1.5.5 shall require Time is Ltd to delete copies of data that it holds on its own behalf as a Controller (in order to fulfil the Purposes based on law or legitimate interests of Time is Ltd as described in Clause 1.1 here-above).

1.5.6 Time is Ltd shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of the varying likelihood and severity of the rights and freedoms of natural persons, implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and shall ensure that any of its employees or agents or other persons who it provides access to the Personal Data are obliged to keep it confidential.

1.5.7 Time is Ltd shall notify the Client without undue delay after becoming aware of a personal data breach.

1.5.8 At the request of the Client, Time is Ltd shall: (i) make available information to demonstrate its compliance with this Clause 1.5; and/or (ii) allow an auditor nominated by Time is Ltd to carry out a documentary audit of that compliance on behalf of the Client. The Client shall pay the costs of the auditor in connection with any documentary audit and any reasonable costs incurred by Time is Ltd in connection with any such audit and/or the making available of any information to demonstrate Time is Ltd’s compliance with Clause 1.5.8

1.5.9 The Client provides a general authorisation to Time is Ltd to engage the Subcontractors and if necessary also other third parties to act as further Processors (sub-processors) of the Personal Data. Time is Ltd shall give the Client prior notice of any intended engagement of a third party as a further Processor (sub-processor). If the Client objects to that engagement of a third party, the Client may (within [30] days of such change) escalate to Time is Ltd for discussion its objection in accordance with the contact procedure agreed in the respective Contract.

1.5.10 The Client acknowledges that as the Personal Data Controller, it has primary responsibility for the processing of Personal Data as part of the Services and shall notify Time is Ltd of any assistance it requires pursuant to Articles 28(3)(a) to 28(3)(h) inclusive of the GDPR. The Client shall pay Time is Ltd for any reasonable costs incurred in providing such assistance within [30] days of receiving an invoice for such costs.

1.5.11 In its role of Personal Data Processor to the extent necessary to provide the Services, Time is Ltd may transfer Personal Data outside of the EEA where it has a lawful basis for that transfer under Articles 44-49 of the GDPR. In circumstances where Personal Data is subsequently transferred by Time is Ltd to another Time is Ltd Entity or Processor which is located outside of the EEA, Time is Ltd shall abide by, and ensure that the data transfers to other Time is Ltd Entities or Processors located outside of the EEA are conducted based on an adequacy decision of the Commission under Article 45 of the GDPR, or subject to one of the appropriate safeguards as set out in Article 46 of the GDPR.

1.6 The Client indemnifies Time is Ltd against all costs, expenses (including legal expenses), damages, loss (including loss of business or loss of profits), liabilities, demands, claims, actions or proceedings, which Time is Ltd may incur arising out of: (i) Time is Ltd’s compliance with any instruction given by the Client to Time is Ltd in relation to the processing of Personal Data (including instructions in connection with requests from individuals exercising their rights under the Data Protection Legislation and any instructions to retain, disclose, amend or otherwise process Personal Data); or (ii) any breach by the Client of Clauses 1.1-1.5.