General Data Processing Agreement

 

TABLE OF CONTENTS

1. BACKGROUND AND OBJECTIVES
2. SCOPE
3. DURATION
4. OBLIGATIONS OF THE DATA PROCESSOR
5. OBLIGATIONS OF THE DATA RESPONSIBLE
6. THIRD PARTY DATA PROCESSORS
7. THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS
8. DATA PROCESSING OUTSIDE THE SCOPE OF THE INSTRUCTIONS
9. BREACH OF CONTRACT
10. LIABILITIES AND LIMITATIONS OF LIABILITY
11. FORCE MAJEURE
12. TERMINATION AND REVOCATION
13. EFFECT OF TERMINATION
14. PRECEDENCE

APPENDIX 1 – MAIN SERVICES
APPENDIX 2 – OBLIGATIONS OF THE DATA RESPONSIBLE
APPENDIX 3 – THIRD PARTY DATA PROCESSORS

Between

The Customer / Subscriber
In this agreement the Data Responsible

And:

eMailPlatform Canada Inc.
In this agreement the Data Processor

(The Data Responsible and Data Processor will hereinafter also be referred to as “Part”,
and together as “the Parties”)

This General Data Processing Agreement covering your eMailPlatform Online Subscription Agreement is between the entity you represent, or, if you do not designate an entity in connection with a Subscription purchase or renewal, you individually (“you” or “your”), and eMailPlatform (“eMailPlatform”,” Data Processor”, “we”, “us”, or “our”). It consists of the terms and conditions below, as well as the Online Services Terms, the SLAs, and the Offer Details for your Subscription or renewal (together, the “agreement”). It is effective on the date we provide you with confirmation of your Subscription or the date on which your Subscription is renewed, as applicable.

1. BACKGROUND AND OBJECTIVES

1.1. The Parties have agreed to the delivery of specified services from the Data Processor to the Data Responsible, as further described in the Data Processor Terms, which are accepted by the Customer, and which are enclosed as Appendix 1 to this Agreement (hereinafter the “Main Services”).

1.2. In this regard, the Data Processor processes personal data on behalf of the Data Responsible, for which purpose the Parties have entered into this data processing agreement, with appended documentation, (hereinafter “Data Processing Agreement”).

1.3. The Data Processing Agreement aims to ensure that the Data Processor complies with all applicable regulation currently in force, specifically including:

United States Can-Spam act PUBLIC LAW 108-187–DEC. 16, 2003
https://www.ftc.gov/sites/default/files/documents/cases/2007/11/canspam.pdf

Canadian CASL law
https://www.canada.ca/en/innovation-science-economic-development/news/2017/06/government_of_canadasuspendslawsuitprovisioninanti-spamlegislati.html

The Danish Personal Data Act (Act 2000-05-31 No. 429, as amended)

Personal Data Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016), when it enters into force.

General Data Protection Regulation – The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC
https://eugdpr.org/

PIPEDA – The Personal Information Protection and Electronic Documents Act in Canada
https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

2. SCOPE

2.1. The Data Processor is authorised to process personal data on behalf of the Data Responsible under the terms set forth in the Data Processing Agreement.

2.2. The Data Processor may only process personal data according to Instructions from the Data Responsible. The Data Processing Agreement including Appendices constitute the directions in effect at the time of subscription.

2.3. The Instructions may at any time be changed or further clarified by the Data Responsible.

2.4. To an extent where not otherwise specified by the Data Processing Agreement, the Data Processor may use all relevant aids, including IT systems.

3. DURATION

3.1. The Data Processing Agreement is valid until either:

a) The agreement(s) pertaining to the delivery of the eMailPlatform subscription ceases, or
b) The Data Processing Agreement is terminated or revoked.

4. OBLIGATIONS OF THE DATA PROCESSOR

4.1. Technical and organisational safety measures

4.1.1. The Data Processor is responsible for implementing the necessary technical and organisational measures to ensure an appropriate level of security. The measures must be implemented taking into account the current technical level, implementation costs and the nature, extent, composition and purpose of the treatment concerned, as well as the risks of varying probability and seriousness of the rights and freedoms of an actual person or persons. The Data Processor shall, inter alia, take into consideration the category of personal data described in Appendix 1.1 in determining these measures.

4.1.2. The Data Processor shall implement the appropriate technical and organisational measures in such a way that the Data Processor’s processing of personal data meets the requirements of the pertinent regulation currently in force.

4.2. Employee Relations

4.2.1. The Data Processor will ensure that employees who process personal data for the Data Responsible have committed to confidentiality or are subject to appropriate statutory confidentiality.

4.2.2. The Data Processor must ensure that access to personal data is restricted to the employees for whom it is necessary to process personal data in order to meet the Data Processor’s obligations to the Data Responsible.

4.2.3. The Data Processor will ensure that employees handling personal data for the Data Processor only process these in accordance with the Instructions.

4.3. Documentation for compliance with obligations

4.3.1. The Data Processor shall, upon written request, document to the Data Responsible that the Data Processor:

a. Is in compliance with its obligations under the Data Processing Agreement and the Instructions, and
b. Is in compliance with the provisions of the applicable regulation currently in force as regards the personal data processed on behalf of the Data Responsible.

4.3.2. The Data Processor’s standard documentation appears in the accepted Terms (Appendix 1). If the customer wishes to receive further documentation after item 4.3.1, the Customer shall specify and confirm what documentation is required. The Customer will cover all costs related to provision of documentation that is outside of what is in Appendix 1.

4.4. Security Breach

4.4.1. The Data Processor shall notify the Data Responsible of any personal data breach that may potentially lead to accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to the personal data processed for the Data Responsible (hereinafter “Security breach”).

4.4.2. A Security Breach must be notified to the Data Responsible without unnecessary delay.

4.4.3. The Data Processor must maintain a record of all security breaches. The inventory of such a record must document the following as a minimum:

a. the facts about the security breach,
b. the impact of the security breach, and
c. the remedial measures taken.

4.4.4. The record must be made available to the Data Responsible or supervisory authorities upon written request.

4.5. Assistance

4.5.1. The Data Processor shall, as appropriate and with due diligence, assist the Data Responsible in fulfilling his obligations in the processing of personal data covered by the Data Processing Agreement, including and in relation to:

a. Answers to registered persons in exercising their rights,
b. Security Breaches,
c. Impact assessments, and
d. Prior consultation of the supervisory authorities.

4.5.2. The Data Processor shall, inter alia, provide the information that must be included in a notification to the supervisory authority to the extent that the Data Processor is the closest to it.

4.5.3. The Data Processor is entitled to indemnity and payment covering all time and expenses for assistance provided pursuant to this section 4.5.

5. OBLIGATIONS OF THE DATA RESPONSIBLE

5.1. The Data Responsible is obliged as set out in Appendix 2.

6. THIRD PARTY DATA PROCESSORS

6.1. The Data Processor may use a third party for the processing of personal data for the Data Responsible (“Third Party Data Processor”) to the extent that this is stated in:

a. Appendix 3 of this Data Processing Agreement, or
b. Under instruction from the Data Responsible.

6.2. The Third-Party Data Processor must enter into a written agreement which imposes on the Third-Party Data Processor the same data protection obligations as the Data Processor (including those under the Data Processing Agreement).

6.3. The Data Responsible shall provide, upon written request, all agreements covered by section 6.2 including those with any Third-Party Data Processor.

6.4. The Third-Party Data Processor only acts specifically in line with, and in relation to, the Instructions agreed with the Data Responsible. Unless otherwise specifically agreed, all communications with the Third-Party Data Processor are handled by the Data Processor. Any changes or clarifications to the Instructions from the Data Responsible shall be immediately passed onto to the Third-Party Data Processor by the Data Processor.

6.5. The Data Processor is directly responsible for ensuring the Third-Party Data Processor’s processing of personal data in the same manner as if it were processed by the Data Processor itself.

7. THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS

7.1. The data processor may only transfer personal data to third countries or international organisations to the extent that this is stated in the Instructions from the Data Responsible.

7.2. The transfer of personal data may in all cases only be done to the extent permitted by the applicable regulation currently in force.

8. DATA PROCESSING OUTSIDE THE SCOPE OF THE INSTRUCTIONS

8.1. The Data Processor may process personal data outside the Instructions in cases where required by national law to which the Data Processor is subject.

8.2. When processing personal information outside the scope of the Instructions, the Data Processor must notify the Data Responsible of the reason(s) for this. This notification must be made prior to the action and must contain a reference to the legal requirements necessitating the action.

8.3. Notification shall not be made if said notification contravenes national or international law.

9. BREACH OF CONTRACT

9.1. The breach of contract(s) concerning the delivery of the Main Services also applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

In the event that the agreement(s) for the delivery of the Main Services does not hold, the applicable law’s general default powers shall apply to this Data Processing Agreement.

10. LIABILITY AND LIMITATIONS OF LIABILITY

10.1. The regulation of liability and limitation of liability in the agreed Terms (Appendix 1) also applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

11. FORCE MAJEURE

11.1. The regulation of force majeure in the agreed Terms (Appendix 1) also applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

12. TERMINATION AND REVOCATION

12.1. The Data Processing Agreement can only be terminated or revoked in accordance with the terms of termination and revocation of the agreed Terms and Conditions (Appendix 1).

13. EFFECT OF TERMINATION

13.1. The Data Processor’s authorisation to process personal data on behalf of the Data Responsible lapses at the end of the Data Processing Agreement, for whatever reason. Cancellation is governed by the notice of termination and revocation prescribed by the Terms (Appendix 1).

13.2. The Data Processor shall return, as in practice, as governed by the Terms and Conditions (Appendix 1), all personal data (except information enriched in the Data Processor Platform, and statistics and behavioural data) that the Data Processor has processed under this Data Processing Agreement to the Data Responsible at the end of the Data Processing Agreement, in the extent to which the Data Responsible is not already in possession of the personal data. The Data Processor is hereby obliged to delete all personal data from the Data Responsible within the time limits specified in the Terms and Conditions (Appendix 1). The Data Responsible may request the required documentation for this. In practice, this deletion is affected by revoking the Data Responsible’s access to the Data Processor platform.

The ongoing 90-120-day backup procedure that the Data Processor and Third-Party Data Processor continuously perform is exempt from this.

14. PRECEDENCE

14.1. In the event of a conflict between this Data Processing Agreement and the Terms (Appendix 1) for the provision of the Main Services, the Terms (Appendix 1) prevail, unless otherwise provided for directly by the Data Processing Agreement.

APPENDIX 1 – MAIN SERVICES

Link to eMailPlatform Terms of Use
www.emailplatform.com/en-us/terms-of-use/

APPENDIX 2 – OBLIGATIONS OF THE DATA RESPONSIBLE

1. OBLIGATIONS

1.1 The Data Responsible has the following obligations:

a) To ensure that the processing of personal data is fully legally compliant and in accordance with the Personal Data Act(s) in effect for the country you access eMailPlatform from, and that the agreed Terms (Appendix 1) are respected at all times.

APPENDIX 3 – THIRD PARTY DATA PROCESSORS

1. GENERAL

1.1. The Data Responsible hereby approves the Data Processor’s use of the following Third-Party Data Processor:

a) Sentia Solutions (physical infrastructure and hosting, including servers and security).
b) Google Cloud Platform

1.2. With the Data Processing Agreement, the Data Responsible indicates prior general approval for the Data Processor to make use of a Third-Party Data Processor.

1.3. The Data Responsible may object to such a Third-Party Data Processor to the extent that there are reasonable grounds for this.

2. SPECIAL TERMS & CONDITIONS

2.1. The Data Responsible accepts that the Data Processor uses standard applications,
solutions and hardware from e.g. Apple, Google and Microsoft.

 

North American Office:
eMailPlatform Canada Inc.,
1827 15 St SW Calgary,
Alberta Canada T2T 3Y7

+1-205-719-4444
info.us@emailplatform.com

 

eMailPlatform Group:
eMailPlatform ApS
Noerregade 12A
6600 Vejen
Denmark