Data Processing Agreement

1. Background and Purpose

1.1.

The Data Controller has entered into an agreement (hereinafter "the Subscription") with the Data Processor, according to which the Data Processor processes personal data on behalf of the Data Controller.

The purpose of the Subscription is to enable the Data Controller to register and process information related to quality assurance and control, including agreement documents, notes, project documents, photos, etc., which are relevant to the Data Controller's business and which they register themselves.

1.2.

The Data Processor processes personal data of the Data Controller's employees who are in dialogue with the Data Controller. This includes first name, last name, telephone/mobile, and email address. This information is collected for individuals who are to receive invoices, newsletters, operational messages, and commercial news.

In addition, the Data Processor processes the following types of information in connection with the Data Controller's use of the system: texts, photos, locations, and other purpose-relevant material upon instruction from the Data Controller via the System.

The parties have assessed that the commercial relationship is of such a nature that the Data Processor in this context "processes" personal data on behalf of the Data Controller, among other things on the grounds that:

  • The Data Controller instructs the Data Processor on the purpose of the Data Processor's service and the aids to be used by the Data Processor in this context, cf. also Appendices 1 and 2.

  • The data controller is responsible for ensuring that the processing of personal data takes place in accordance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States, and these provisions.

  • The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to perform.

  • The Data Processor has no independent interest in collecting the personal data and only performs processing based on the content of the instructions.

  • The Data Controller may require that the Data Processor ceases processing the personal data and deletes any stored personal data, cf. section 11.

  • Processing of personal data takes place via a technical solution developed by the Data Processor (hereinafter "the System").

  • The Data Processor must perform a task that, in principle, could have been performed by the Data Controller themselves.

1.3.

The purpose of the Data Processing Agreement is to ensure that the Data Processor at all times complies with applicable personal data legislation in this context, including the Personal Data Act (Act No. 429 of 31/05/2000 with subsequent amendments) and the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – hereinafter "the GDPR").

1.4.

The Data Processing Agreement sets out the rights and obligations that apply when the Data Processor processes personal data on behalf of the Data Controller. The Data Controller can at any time via login in the System view all the Personal Data processed in the System.

1.5.

Appendices 1-2 are attached to the Data Processing Agreement. The appendices function as an integral part of the Data Processing Agreement.

1.6.

The Data Processing Agreement follows the terms for termination of the Subscription, cf. section 1.1 and the associated General Terms and Conditions (hereinafter "the Terms and Conditions").

1.7.

The Terms and Conditions also apply generally in relation to the Data Processing Agreement. In case of doubt or conflict, the Data Processing Agreement shall prevail, unless otherwise specifically stated in the Data Processing Agreement.

1.8.

The Data Processing Agreement with associated appendices is kept in writing, including electronically, by both parties.

2. Instructions

2.1.

The Data Processor may only process personal data on documented instructions from the Data Controller, unless required to do so under EU or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, cf. GDPR art. 28, para. 3, point (a).

2.2.

This Data Processing Agreement, including the appendices, constitutes the instructions at the time of signature. Any subsequent additions or amendments to the instructions shall be entered into in writing.

2.3.

The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or data protection provisions in other EU or Member State law.

2.4.

Unless otherwise stated in the Data Processing Agreement, the Data Processor may use all relevant aids, including IT systems.

3. General Security of Processing

3.1.

Unless otherwise stated in the Data Processing Agreement, the Data Processor may use all relevant aids, including IT systems. The Data Processor continually implements all measures required pursuant to Article 32 of the GDPR.

3.2.

Article 32 states, among other things, that appropriate technical and organisational measures must be implemented to ensure a level of security appropriate to the risks associated with the processing of personal data, taking into account:

  • The state of the art

  • The costs of implementation

3.2.1. The nature, scope, context and purposes of the processing in question (including taking into account the category of personal data in Appendix 1)

3.2.2. The risk of varying likelihood and severity for the rights and freedoms of natural persons

3.3.

In connection with the above, the Data Processor must—in all cases—as a minimum implement the security level and measures specified below in sections 4-7.

3.4.

The parties agree that these guarantees are sufficient at the time of entering into this Data Processing Agreement, noting that the Data Processor has also implemented other measures in internal procedures.

4. Physical Security

4.1.

The Data Processor processes data at its own business address and, in some cases, at employees' home addresses (see also Appendix 1).

4.2.

The Data Processor secures physical premises, including ensuring that the building and access routes to it are monitored via an alarm system outside opening hours.

5. Organisational Security

5.1.

The Data Processor ensures that only those persons who are currently authorised to do so have access to the personal data processed on behalf of the Data Controller. Access to the information must be closed immediately if the authorisation is withdrawn or expires.

5.2.

Only persons for whom access to the personal data is necessary to fulfill the Data Processor's obligations to the Data Controller may be authorised.

5.3.

The Data Processor ensures that the persons authorised to process personal data on behalf of the Data Controller have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that the employees comply with the Data Processing Agreement.

5.4.

The Data Processor continually verifies that only relevant persons at the Data Processor have access to process personal data.

5.5.

The Data Processor must be able to demonstrate that the persons concerned who are subject to the Data Processor's instructional authority are subject to the above confidentiality obligation.

5.6.

All employees are informed of and subject to internal procedures on how security breaches are handled.

6. Technical Security

6.1.

The Data Processor only uses high-quality hardware and software that is continually updated, including anti-malware software and firewalls.

6.2.

All communication to/from the System is encrypted (HTTPS) and supports a 256/128 bit TLS connection. Furthermore, communication occurs using an SSL certificate.

6.3.

Access to the Data Processor's internal IT systems occurs via login credentials, which ensure that unauthorized persons cannot gain access. The Data Processor changes passwords in internal IT systems, which ultimately provide access to the Data Controller's personal data, at appropriate intervals.

6.4.

For the purpose of integrating the System with the Data Controller's IT systems, the Data Processor receives the necessary passwords and access information. The Data Processor stores this information until the Subscription is terminated by one of the parties. The Data Controller should change the details at the same time (see also Appendix 1).

7. Notification of Personal Data Breach

7.1.

The Data Processor notifies the Data Controller, if possible within 72 hours and without undue delay, after becoming aware of a personal data breach at the Data Processor or any Sub-processor.

7.2.

Such a security breach includes any breach that potentially leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data processed for the Data Controller ("Security Breach").

7.3.

The Data Processor must keep a record of all Security Breaches. The record must contain at least the actual facts surrounding the Security Breach, its effects, and the remedial actions taken.

8. Use of Sub-processors

8.1.

The Data Processor must meet the conditions referred to in Article 28, paragraphs 2 and 4 of the GDPR, to make use of another data processor (Sub-processor).

8.2.

The parties have agreed that the Data Processor can generally use Sub-processors, cf. Appendix 2.

8.3.

The Data Processor imposes at least the same data protection obligations on the Sub-processor as those specified in this Data Processing Agreement through a contract or other legal document, so that the requirements for technical and organisational measures in the GDPR and/or other relevant applicable regulation are met at all times.

8.4.

If the Sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the Sub-processor's obligations (see also Appendix 2).

9. Transfer of Information to Third Countries or International Organisations

9.1.

The Data Processor only uses approved sub-processors, including with regard to the transfer (handing over, disclosure, as well as internal use) of personal data to third countries or international organisations, unless the exceptions to this in the GDPR and/or other relevant applicable regulation are met.

9.2.

To the extent that a transfer to a third country takes place, the Data Controller assists the Data Processor without compensation in entering into necessary agreements, or the Data Controller issues authorization to enter into the necessary agreements on the Data Controller's behalf and at their expense.

10.3.

The Data Controller must be notified of any non-instructed transfer prior to transfer to third countries, unless notification is not permitted.

10. Assistance to the Data Controller

10.1.

The Data Processor, taking into account the nature of the processing, assists the Data Controller as far as possible by appropriate technical and organisational measures, in fulfilling the Data Controller's obligation to respond to requests for exercising the data subjects' rights as laid down in Chapter 3 of the GDPR.

10.2.

The Data Processor assists the Data Controller in ensuring compliance with the Data Controller's obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Data Processor, cf. GDPR art. 28, para. 3, point (f).

10.3.

The parties' agreement regarding payment for the Data Processor's assistance to the Data Controller for this is set out in section 12.

11. Deletion

11.1.

The Data Processor does not delete the Data Controller's personal data (or other data belonging to the Data Controller) during the term of the Subscription, unless instructed to do so by the Data Controller.

11.2.

Deletion of all forms of data with the Data Processor and Sub-processors takes place as a rule no later than 30 days after the termination of the Subscription and without notification. Prior deletion can take place upon request to the Data Processor.

11.3.

Upon termination of the Subscription, the Data Processor is obliged, at the choice of the Data Controller, to delete or return all personal data to the Data Controller, as well as to delete existing copies, unless EU or national law prescribes storage of the personal data. Requests for deletion or return of personal data must be made in good time so that this can be completed at the latest upon termination of the Subscription.

12. Supervision and Audit

12.1.

The Data Processor makes all information necessary to demonstrate compliance with Article 28 of the GDPR and this agreement available to the Data Controller upon request.

12.2.

The Data Processor, among other things, allows for and contributes to audits/inspections conducted by the Data Controller or another expert (e.g., auditor or IT specialist) authorized by the Data Controller.

12.3.

The Data Processor may—if the Data Controller so wishes—once a year issue a management statement regarding the Data Processor's compliance with this Data Processing Agreement with associated appendices. The statement is prepared at the Data Controller's expense, and the Data Processor is entitled to receive a copy of the statement. If a statement has been prepared in another context within the last 12 months, the Data Processor may offer the Data Controller to receive this instead.

12.4.

The Data Controller, a representative of the Data Controller, or a relevant supervisory authority has, upon presentation of sufficient identification, access to conduct supervision, including physical supervision, at the Data Processor's premises when the Data Controller so wishes.

12.5.

Supervision must be notified with at least one month's notice. Together with the notice, the Data Controller must send a detailed plan describing the scope, duration, and start date of the supervision. The Data Processor is obliged to allocate the resources (mainly time) necessary for the Data Controller to carry out its supervision.

12.6.

The Data Processor's costs in connection with auditing and/or other forms of supervision (including internal time) are borne by the Data Controller and are invoiced in accordance with the time spent by the Data Processor.

12.7.

This also applies if the Data Controller requests documents or other material to be delivered by the Data Processor in order to check that the Data Processing Agreement is being complied with.

13. Breach

13.1.

The regulation of remedies for breach follows the Terms and Conditions, cf. section 1.6.

14. Liability and Limitation of Liability

14.1.

The parties are liable in accordance with the general rules of applicable law, subject however to the limitations set out in this section.

14.2.

The parties disclaim any liability for indirect loss and consequential damages, including loss of business, loss of goodwill, loss of savings, interest, and revenue, including costs to recover lost revenue and loss of data.

14.3.

The parties' liability for all accumulated claims under this Data Processing Agreement is limited to the total payments due under the Main Service for the 6-month period immediately preceding the damaging event.

14.4.

If the Data Processing Agreement has not been in force for 6 months, the amount is calculated as the agreed payment for the Main Services in the period the Data Processing Agreement has been in force divided by the number of months the Data Processing Agreement has been in force and then multiplied by 6.

14.5.

The following are not covered by the limitation of liability in this section 14:

14.5.1. Loss resulting from the other Party's grossly negligent or intentional acts.

14.5.2. Costs and resource consumption in fulfilling a Party's obligations to a supervisory authority or the data subject, as well as fines imposed by a supervisory authority or a court, to the extent that such are caused by the other Party's breach.

15. Amendment

15.1.

The Data Processor may, with 1 month's notice and without cost, make amendments to the Data Processing Agreement.

16. Duration and Termination

16.1.

The Data Processing Agreement may be replaced by another valid Data Processing Agreement. The Data Processing Agreement cannot be terminated or dissolved separately during the term of the Subscription.

16.2.

Regardless of the termination of the Data Processing Agreement, sections 5.3 (employee confidentiality), 11 (deletion/return), 14 (liability and limitation of liability), and 17 (disputes) shall remain in effect after the termination of the Data Processing Agreement.

16.3.

The duration of the Data Processing Agreement extends from the conclusion of the agreement to the termination of the subscription.

16.4.

The Data Processor may continue to process the personal data for up to three months after the termination of the Data Processing Agreement to the extent necessary to perform necessary statutory measures, cf. also section 11.2. During the same period, the Data Processor is entitled to include the personal data in the Data Processor's usual backup procedure.

16.5.

The Data Processor's processing during this period is still considered to take place in compliance with the instructions in the Data Processing Agreement.

17. Disputes

17.1.

The handling of disputes related to the Data Processing Agreement follows the Terms and Conditions.

17.2.

Unless otherwise agreed, the Data Processing Agreement is subject to Danish law, and the Parties are entitled to request the dispute settled by the ordinary courts. The City Court of Aarhus is chosen as the venue in the first instance.

Appendix 1

(Information about the processing)

The processing includes a small amount of personal data covered by Article 9 of the GDPR but does not include processing of "special categories of personal data", which is why pseudonymization and encryption of personal data are not performed. The Data Processor exclusively uses the latest standard within encryption and SSL during the transmission of personal data.

To access data, it is required that the data controller is authenticated through our OAuth authentication server, which secures the relationship between the client and the server. Data is stored exclusively on Microsoft Azure's servers, and the terms for this are described in the sub-processor's data processor agreement.

The Data Processor logs personal data in connection with logins, but since location and/or IP addresses are not logged, this is not considered a risk with regard to sensitive personal data. Location is logged exclusively in connection with the user creating photo registrations in the System, but since it is assumed that the user is at a workplace in this case, this is also not considered a risk.

Employees of the Data Processor are not permitted to log on to publicly accessible networks when working remotely. For all data processing outside the company's physical location, logins to the company's internal systems or Azure servers must be made via a VPN connection through an IP address at the office.

1. Purpose

The purpose of the Subscription is the registration of quality assurance, deficiencies, inspection notes, technical inquiries, various project documents, photos, notes, etc., as well as the further dissemination of data to the Data Controller (including personal data). Data is generated by the Data Controller themselves.

2. The Processing

The Data Processor processes personal data / employee details (name, telephone, and email). In addition, their location and the time of registrations are logged. The registrations are subsequently stored and forwarded to the Data Controller via the System.

3. The processing covers the following categories of persons

  • Employees of the Data Controller

  • Subcontractors of the Data Controller

  • Other project participants created by the Data Controller in their projects.

4. Types of Personal Data

The Data Processor generally processes the following personal data:

  • Name

  • Mobile number

  • Email

  • Time and location of a registration

Appendix 2

(Sub-processors)

General Approval

1. The Data Processor has the Data Controller's general approval to make use of Sub-processors.

2. The Data Processor carries out annual supervision of the Sub-processors used by acquiring written information to ensure that the Sub-processors used are subject to and comply with at least the same obligations as the Data Processor. However, the Data Processor must notify the Data Controller of any planned changes regarding the addition or replacement of other Data Processors, thereby giving the Data Controller the opportunity to object to such changes.

3. Such notification must be received by the Data Controller at least 30 days before the use or change is to take effect.

4. If the Data Controller has objections to the changes, the Data Controller must notify the Data Processor within 14 days of receiving the notification.

5. The Data Controller may only object if the Data Controller has reasonable, specific reasons for doing so.

Sub-processors at the conclusion of the Data Processing Agreement

The Data Processor uses only approved sub-processors, and the Data Processor can at any time at the request of the Data Controller forward a list of approved sub-processors used, containing a copy of the agreement entered into with the sub-processor as well as the basis and instruction for the transfer.

© Inspectly ApS 2025

CVR: 3395 4883

Contact

Telephone

Mon – Thu: 09:00 - 15:00

Friday: 09:00 AM - 02:00 PM

Email & chat

Mon-Thu 08:00 - 16:00

Friday 08:00 - 15:30

Address

Lægårdsvej 24

8520 Lystrup
