Data Processing Agreement

1. BACKGROUND AND OBJECTIVES

1.1 The Parties have agreed to the delivery of specified services from the Data Processor to the Data Responsible, as further described in the Data Processor Terms, which are accepted by the Customer, and which are enclosed as Appendix 1 to this Agreement (hereinafter the “Main Services”).

1.2 In this regard, the Data Processor processes personal data on behalf of the Data Responsible, for which purpose the Parties have entered into this data processing agreement, with appended documentation, (hereinafter “Data Processing Agreement”).

1.3 The Data Processing Agreement aims to ensure that the Data Processor complies with the pertinent regulation currently in force, specifically including:

Persondataloven (lov 2000-05-31 nr. 429 med senere ændringer) {The Danish Personal Data Act (Act 2000-05-31 No. 429, as amended)}, and
Persondataforordningen (Europa-Parlamentets og Rådets forordning (EU) 2016/679 af 27. april 2016) {Personal Data Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)}, when it enters into force.

2. SCOPE

2.1 The Data Processor is authorised to process personal data on behalf of the Data Responsible under the terms set forth in the Data Processing Agreement.

2.2 The Data Processor may only process personal data according to a documented instruction from the Data Responsible (hereinafter “Instructions”). The Data Processing Agreement including Appendices constitute the Instructions at the time of signature.

2.3 The Instructions may at any time be changed or further clarified by the Data Responsible.

2.4 To an extent where not otherwise specified by the Data Processing Agreement, the Data Processor may use all relevant aids, including IT systems.

3. DURATION

3.1 The Data Processing Agreement is valid until either:

a) The agreement(s) pertaining to the delivery of the Main Services ceases, or

b) The Data Processing Agreement is terminated or revoked.

4. OBLIGATIONS OF THE DATA PROCESSOR

4.1 Technical and organisational safety measures

4.1.1 The Data Processor is responsible for implementing the necessary technical and organisational measures to ensure an appropriate level of security. The measures must be implemented taking into account the current technical level, implementation costs and the nature, extent, composition and purpose of the treatment concerned, as well as the risks of varying probability and seriousness of the rights and freedoms of an actual person or persons. The Data Processor shall, inter alia, take into consideration the category of personal data described in Appendix 1.1 in determining these measures.

4.1.2 The Data Processor shall implement the appropriate technical and organisational measures in such a way that the Data Processor’s processing of personal data meets the requirements of the pertinent regulation currently in force.

4.2 Employee Obligations

4.2.1 The Data Processor must ensure that employees who process personal data for the Data Processor have committed to full confidentiality, or are subject to appropriate statutory confidentiality.

4.2.2 The Data Processor must ensure that access to personal data is limited to the employees for whom it is necessary to process personal data in order to fulfil the Data Processor’s obligations to the Data Responsible.

4.2.3 The Data Processor must ensure that employees handling personal data for the Data Processor only process these in accordance with the Instructions.

4.3 Documentation for and of compliance with obligations

4.3.1 The Data Processor shall, upon written request, document to the Data Responsible that the Data Processor is:

a) In compliance with its obligations under the Data Processing Agreement and the Instructions, and

b) In compliance with the provisions of the pertinent regulation currently in force as regards the personal data processed on behalf of the Data Responsible.

4.3.2 The Data Processor’s standard documentation can be found under Main Services (Appendix 1). Should the Customer wish to receive further documentation after item 4.3.1 of this agreement, the Customer shall clarify and specify what documentation is required.

4.4 Security Breach

4.4.1 The Data Processor shall notify the Data Responsible of any personal data breach that may potentially lead to accidental or illegal destruction, loss, change, unauthorised disclosure of, or access to the personal data processed for the Data Responsible (hereinafter “Security breach”).

4.4.2 A Security Breach must be notified to the Data Responsible without unnecessary delay.

4.4.3 The Data Processor must maintain a record of all security breaches. The inventory such a record must document the following as a minimum:

a) The facts pertaining to the Security Breach,

b) The impact of the Security Breach, and

c) The remedial action taken as a consequence of the Security Breach.

4.4.4. The record must be made available to the Data Responsible or any relevant Supervisory Authority or Ombudsman upon written request.

4.5 Assistance

4.5.1 The Data Processor shall, as appropriate and with due diligence, assist the Data Responsible in fulfilling his obligations in the processing of personal data covered by the Data Processing Agreement, including and in relation to:

a) answering registered persons exercising their pertinent rights,

b) Security Breaches,

c) Impact Assessments, and

d) Prior consultations with Supervisory Authorities and Ombudsmen.

4.5.2 The Data Processor shall, inter alia, provide the information to be included in a notification to the Supervisory Authority to the extent The Data Processor is the closest to this.

4.5.3 The Data Processor is entitled to due payment for time and consumed materials for assistance provided pursuant to this section (4.5).

5. OBLIGATIONS OF THE DATA RESPONSIBLE

5.1 The Data Responsible has the obligations as set out in Appendix 2.

6. THIRD PARTY DATA PROCESSORS

6.1 The Data Processor may use a third party for the processing of personal data for the Data Responsible (“Third Party Data Processor”) to the extent that this is stated in:

a) Appendix 3 of this Data Processing Agreement, or

b) Instruction from the Data Responsible.

6.2 The Third Party Data Processor must enter into a written agreement which imposes on the Third Party Data Processor the same data protection obligations as the Data Processor (including those under the Data Processing Agreement).

6.3 The Data Responsible shall provide, upon written request, all agreements covered by section 6.2 including those with any Third Party Data Processor.

6.4 The Third Party Data Processor only acts specifically in line with, and in relation to, the Instructions agreed with the Data Responsible. Unless otherwise specifically agreed, all communications with the Third Party Data Processor are handled by the Data Processor. Any changes or clarifications to the Instructions from the Data Responsible shall be immediately passed onto by the Data Processor to the Third Party Data Processor.

6.5 The Data Processor is directly responsible for ensuring the Third Party Data Processor’s processing of personal data in the same manner as if it were processed by the Data Processor itself.

7. THIRD COUNTRY OR INTERNATIONAL ORGANISATIONS

7.1 The Data Processor may only transfer personal data to third countries or international organisations insofar as this is stated in the Instructions from the Data Responsible.

7.2 Transfer of personal data may in all cases only be permitted to the extent permitted by the pertinent regulation currently in force.

8. DATA PROCESSING OUTSIDE THE SCOPE OF THE INSTRUCTIONS

8.1 The Data Processor may process personal information outside the scope of the Instructions in cases where required By EU law or pertinent national law to which the Data Processor is subject.

8.2 When processing personal data beyond the scope the Instructions, the Data Processor must notify the Data Responsible of the reason for this. The notification must be made before the operation is affected and must contain a reference to the legal obligations requiring the operation.

8.3 The notification must not be made if said notification is contrary to EU law or pertinent national law.

9. BREACH OF CONTRACT

9.1 Breach of contract(s) regarding the provision of the Main Services applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof. In the event that the contracts(s) for the delivery of the Main Services does not hold, the general power(s) of applicable local law shall apply as a default to this Data Processing Agreement.

10. LIABILITIES AND LIMITATION OF LIABILITIES

10.1 The regulation of liability and liability limitations in the agreed Terms (Appendix 1) applies also For this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

11. FORCE MAJEURE

11.1 Regulation of force majeure in the agreed Terms (Appendix 1) also applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

12. TERMINATION AND REVOCATION

12.1 This Data Processing Agreement can only be terminated or revoked in accordance with the terms of termination and revocation of the Terms and Conditions (Appendix 1).

13. EFFECT OF TERMINATION

13.1 The Data Processor’s authorisation to process personal data on behalf of the Data Responsible lapses at the end of the Data Processing Agreement, for whatever reason. Termination is governed by the notice of termination and enforcement that is governed by the Terms (Appendix 1).

13.2 The Data Processor shall return, as in practice, and as governed by the Terms (Appendix 1), all personal data (except information enriched in the Data Processor Platform, and statistics and behavioural data) that the Data Processor has processed under this Data Processing Agreement to the Data Responsible at the termination of this Data Processing Agreement, to the extent that the Data Responsible is not already in possession of said personal data. The Data Processor is hereby obliged to delete all personal data from the Data Responsible within the time limits defined in the Terms (Appendix 1). The Data Responsible may request the required documentation for this. In practice, this deletion is affected by deleting and revoking the Data Responsible’s access to the Data Processor platform.

An exception to this, is the ongoing 90-120 day backup procedure that the Data Processor and Third Party Data Processor is currently running.

14. PRECEDENCE

14.1 If there is any conflict between this Data Processing Agreement and the Terms (Appendix 1) regarding the Delivery of the Main Services, the Terms (Appendix 1) shall prevail, unless otherwise provided directly for by the Data Processing Agreement.

APPENDIX 1 – MAIN SERVICES

Link to the eMailPlatform Terms Of Use.

APPENDIX 2 – OBLIGATIONS OF THE DATA RESPONSIBLE

1. Obligations

1.1 The Data Responsible has the following obligations:

a) To ensure that the processing of personal data is fully legal compliant and in accordance with the Personal Data Act, and that the agreed Terms (Appendix 1) are respected at all times.

APPENDIX 3 – THIRD PARTY DATA PROCESSORS

1. General Conditions

1.1 The Data Responsible(s) hereby consent to the Data Processor using the following Third Party Data Processor:

a) Sentia Solutions A/S, Smedeland 32 2600 Glostrup, Denmark, CVR.nr. 25464737 (provides physical infrastructure and hosting, including servers and security).

1.2 With the Data Processing Agreement, the Data Responsible indicates prior written general approval for the Data Processor to make use of a Third Party Data Processor. The Data Processor must notify the Data Responsible in writing of the use of a Third Party Data Processor prior to the commencement of the operation. Correspondingly, the Data Processor shall notify the Data Responsible of termination of use of a Third Party Data Processor.

1.3 The Data Responsible may object to such a Third Party Data Processor to the extent that there are reasonable grounds for this.

2. Special Terms & Conditions

2.1 The Data Responsible accepts that the Data Processor uses industry standard applications, solutions and hardware from, for example, Apple, Google and Microsoft.