DATA PROCESSING AGREEMENT


1. Scope of agreement

1.1

This Data Processing Agreement (hereafter “Agreement”) relates to the processing of the personal data processed by the Data Processor on behalf of the Data Controller as the Data Processor is deemed able to provide the necessary guarantees that it will make the appropriate technical and organisational arrangements in order to comply with the regulations of the EU General Data Protection Regulation, the Danish Data Protection Act and ensure the protection of the rights of the data subject.
 

1.2 

This agreement relates to the responsibility of the Data Processor to comply with the obligations and safety requirements described in the regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on the repealing of Directive 95/46/EC (General Data Protection Regulation), in particular paragraph 15-22, 28, 32-36, 40, 42-43 and the Danish Data Protection Act as a whole.

In the event of this agreement being entered into prior to 25 May 2018, Act no 429 of 31/05/2000 as amended on the processing of personal data (the Danish Act on Processing of Personal Data) will also apply, in particular section 42, cf. Section 41.
 

1.3

The personal data that shall be the object of the processing, the nature and purpose of the processing, the type of personal data and the categories of the data objects are positively depicted in Appendix 1 to this Agreement, thus becoming instructions from the Data Controller to the Data Processor.
 

1.4

The duration of the processing act shall coincide with the period for which this present Agreement is valid. The Agreement is valid from the time of both parties having signed the Agreement, cf. item 8.1, and until termination of the agreement or until it becomes void due to termination of the main agreement/contract.

This Agreement may be terminated by the Data Controller or the Data Processor respectively by means of a written 3 months' notice from the first of the upcoming month.

 

2. Responsibilities of the Data Processor and Security

2.1

When acting on instructions issued by the Data Controller, the Data Processor acts on behalf of the Data Controller, and the instructions are to be documented prior to the processing taking place, unless the processing act is required by EU or national legislation, to which the Data Processor is subject.

In the latter case, the Data Processor must inform the Data Controller of the legal requirement prior to the processing act taking place, unless the legislation in question prohibits such disclosure for the sake of significant societal interests.
 

This requirement for instructions entails that the Data Processor is not to process personal data for other purposes than the ones determined by the Data Controller. In the event of the Data Processor not complying with this requirement, the Data Processor will be regarded as an independent Data Controller which must independently comply with the requirements of the regulation among others, including the provision of the basis for processing.
 

The documentation requirement that instructions must be documented is a reciprocal requirement meaning that both Data Controller as well as Data Processor must be able to document the instructions in order for the parties to ensure that the requirements for processing of personal data are complied with in any personal data processing act.
 

The instructions forming the basis for this Agreement are to be found in appendix 1, cf. item 1.3.
 

2.2

The Data Processor shall not process any information on the data objects for other purposes than those determined by the Data Controller and necessary for usage and operation of the Data Controller. Thus, the Data Processor may not process data for own purposes.
 

2.3

The Data Processor must without delay inform the Data Controller if it believes instructions to be in violation of the EU General Data Protection Regulation, the Danish Act on Processing of Personal Data, the Danish Data Protection Act, the Danish Ministry of Justice’s executive order on security measures for the protection of personal data or any other data protection regulation in other EU or national legislation.
 

2.4

The Data Processor must take all necessary technical and organisational security measures against the accidental or illegal destruction, loss or deterioration of information, against information being disclosed to unauthorised persons, being misused or in any other way being used against regulations on the processing of personal data.

Considering the current level and costs related to its implementation, these security measures shall provide a sufficient security level taking into consideration the risks entailed by the processing and the nature of the personal data to be protected.
 

2.5

The Data Processor is independently obligated to comply with the requirements for processing security, as this obligation according to Danish personal data legislation applies regardless of the contractual relationship between Data Processor and Data Controller.
 

2.6

Above security requirements also apply in the event of the Data Processor using home offices.
 

2.7

The Data Processor must ensure that only employees relevant to the processing act will be authorised for this and thereby obtain access to the personal data being processed.
 

2.8

As part of this Agreement, the Data Processor shall store the recorded personal data and shall in this connection accept responsibility for sufficient data security when processing data, cf. item 2.4 above.

 

2.9

On request from the Data Controller, the Data Processor shall assist the Data Controller in complying with its obligations in relation to the rights of the Data Object including answering requests from Data Subjects to obtain access to own information, delivery of Data Subjects’ information, corrections and deletion of information, limitations to processing of Data Subjects’ information and the Data Controller’s obligations relating to informing Data Subjects in the event of security breach.
 

2.10

The Data Processor must without delay notify the Data Controller of any security breach counting from the time when the Data Processor was aware or should have been aware of the personal data security being breached. Furthermore, the Data Processor must keep a record of security breaches including the actual circumstances of the breach, its effects and the measures taken.
 

The notification for the Data Controller shall as a minimum:
 

  • describe the nature of the breach of personal data security including, if possible, the categories and the approximate number of affected data subjects together with the categories and the approximate number of affected personal data records,
     
  • state name and contact information for the Data Protection Officer (DPO) or another point of contact where further information may be collected,
     
  • describe the probable consequences of the breach of personal data security,
     
  • describe the measures taken or suggested taken by the Data Processor in order to handle the breach of personal data security including where relevant the measures to limit the consequences.

 

In the event of it not being possible to provide all abovementioned information at the same time, the information must be provided gradually without further or undue delay.

 

3. Sub-Processors

3.1

The Data Processor may not use sub-processors, whether or not the sub-processor is established within the EU/EEA, unless the Data Processor has secured a specific written approval in advance or a general written approval from the Data Controller.

In the event of a general written approval, the Data Processor must notify the Data Controller on any planned changes relating to the engaging or replacing of sub-processors and thereby provide the Data Controller with the opportunity to object to such changes.
 

3.2

In the event of the Data Processor leaving the processing act of the Data Controller’s personal data or part hereof to a sub-processor for which the Data Controller has granted its approval beforehand or by means of a general written approval, the Data Processor shall enter into a written sub-processing agreement with the Sub-Processor.
 

3.3

As a minimum, the abovementioned sub-processing agreement shall require that the Sub-Processor be subject to the same data protection responsibilities as the Data Processor is subject to according to this Agreement, and the agreement shall be in writing including electronically.
 

In the event of the Sub-Processor not complying with its required data protection responsibilities, the Data Processor remains fully accountable towards the Data Controller for the compliance of the responsibilities of the Sub-Processor.

 

4. Transmission of personal data to other countries

4.1

The Data Processor or its Sub-Processor will not be allowed to transfer or allow transfer of personal data outside of national borders, so that the personal data is solely processed nationally, unless the Data Controller has granted its approval for such transfer in writing or if such transfer is required by EU legislation or by national legislation of the member countries to which the Data Processor is subject. In the event of the latter, the Data Processor shall notify the Data Controller of such legislation prior to commencing the processing act unless said legislation prohibits such disclosure for the sake of significant societal interests.

 

5. Inspections and declarations

5.1

Upon request by the Data Controller, the Data Processor shall provide the Data Controller with sufficient information for the Data Controller to be able to ensure that the mentioned technical and organisational measures have been taken, assist in reporting breaches in personal data security to the Danish Data Protection Agency or the supervisory authority current at any time, assist the Data Controller in its obligation to draw up impact analyses including participating in preliminary hearings by the supervisory authority and assist in fulfilling the Data Controller’s responsibility to answer requests from Data Objects to exercise their rights.
 

5.2

Furthermore, it is agreed that the Data Processor once a year and free of cost will provide documentation that the security measures have been taken and that compliance with these is monitored. This shall take place in the form of a declaration drawn up by an independent third party and drawn up by a solicitor’s office specialised in personal data legislation. The declaration must cover data processing by the Data Processor as well as any sub-processors. The first declaration shall be available no later than 12 months after entering into the agreement.
 

5.3

The Data Processor is obligated to disclose where the personal data of the Data Controller is stored with precise addresses. The Data Processor shall update this information to the Data Controller in the event of any changes.
 

5.4

The Data Processor is obligated to disclose which sub-processors are used if any. The Data Processor shall update this information to the Data Controller in the event of any changes.
 

5.5

In the event of the Data Controller and/or relevant public authorities, the Danish Data Protection Agency in particular, requesting to carry out an inspection of the abovementioned precautionary measures under this Agreement, the Data Processor and its sub-processors shall be obligated to make time and resources available for this free of cost.

 

6. Delivery and deletion of data

6.1

Upon termination of the agreement, the Data Controller shall be entitled to have all data covered by the agreement delivered, regardless of the reason for termination of the agreement.
 

6.2

Delivery of data and information must happen in a readable format to the Data Controller and/or a third party selected by the Data Controller.
 

6.3

Upon written instructions given by the Data Controller, the Data Processor must delete data or information of any kind, including any copies/back-ups, that has come into the supplier’s possession in pursuance of the Agreement unless storing of the personal data is prescribed by EU or national legislation.
 

6.4

The Data Processor must disclose documentation that the instructed deletion, cf. item 6.3, has been carried out.
 

6.5

The Data Processor must carry out the instructed deletion, cf. item 6.3, in accordance with current international standards for the types of storage media used (e.g. NIST 800-88). In the event of using a third party for destruction of storage media, this must take place under the supervision of the Data Controller and according to the instructions of the Data Controller.
 

6.6

In the event of using sub-processors, these will also be obligated to carry out deletion and/or delivery of personal data according to the abovementioned items 6.1-6.5.

 

7. Confidentiality

7.1

The Data Processor and its employees shall adhere to unconditional confidentiality with regard to information about the Data Controller, the data subjects or the situation and data of others that they may obtain access to in connection with compliance with the Agreement. The Data Processor shall require the same confidentiality from any sub-processors, their employees and others that assist the Data Processor in connection with compliance with the Agreement and thereby obtain access to confidential data.
 

7.2

Confidentiality does not expire upon termination of the Agreement or upon employees’ end of employment.

 

8. Signatures

8.1

Consent to this Agreement is considered confirmed upon checking the relevant box on the online application for certification agreement.
