Data Processing Agreement

Annex 1 Main Service
Annex 2 Sub-Processors

1.1 The Parties have agreed that the Data Processor will provide certain services to the Data
Controller, as described in greater detail in a separate agreement between the Parties (the “Main
Agreement”) as well as in Annex 1 hereto (the “Main Service”).
1.2 In this connection, the Data Processor shall process personal data on the Data Controller’s behalf,
which is the reason why the Parties have entered into this Agreement and the annexes thereto
(the “Data Processing Agreement”).
1.3 The purpose of the Data Processing Agreement is to ensure that the Parties comply with the
personal data legislation applicable as at the date when the Data Processing Agreement was
signed or, in other words, with:
(i) The Danish Personal Data Act (Act no. 429 of 31 May 2000, as subsequently amended);
(ii) The General Data Protection Regulation (Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016), as soon as it takes effect on 25 May 2018.

2.1 The Data Processor is hereby authorised to process personal data on the Data Controller’s behalf,
on the terms and conditions provided for in the Data Processing Agreement.
2.2 The Data Processor may only process personal data subject to documented instructions issued by
the Data Controller (the “Instructions”). This Data Processing Agreement, including any and all
annexes hereto, forms the Instructions as of the date when it is signed.
2.3 The Instructions may be amended or elaborated on in greater detail by the Data Controller at
any time. Such amendments may be made in accordance with the change management process
agreed between the Parties, cf. the Main Agreement.

3.1 The Data Processing Agreement shall apply until the Main Agreement’s expiry.

4.1 Technical and Organisational Security Measures
4.1.1 The Data Processor is responsible for implementing the requisite (a) technical and (b)
organisational security measures. The measures shall be implemented with due consideration for
the current technical level, implementation costs, nature, scope, context and purposes of the
respective processing as well as the risk of varying likelihood and severity for the rights and
freedoms of natural persons and the types of personal data described in Annex 1.
4.1.2 Irrespective of subsection 4.1.1, the Data Processor shall implement the technical and
organisational security measures specified in Annex 2 hereto.
4.1.3 The Data Processor shall implement the appropriate technical and organisational measures in
such a way that the processing of personal data by the Data Processor meets the requirements
in the existing personal data legislation.
4.2 Employee Conditions
4.2.1 The Data Processor shall ensure that the employees who process personal data for the Data
Processor have pledged to observe confidentiality or are subject to an appropriate statutory
confidentiality obligation.
4.3 Proof of Compliance
4.3.1 The Data Processor shall provide, on request, all information necessary to demonstrate
compliance with the requirements in the Data Processing Agreement to the Data Controller and
shall allow for and contribute to audits, including inspections conducted by the Data Controller
or another auditor mandated by the Data Controller. Response to such a request shall be given
within a reasonable period of time.
With regard to subsection 4.3.1, the Data Processor shall immediately notify the Data Controller
if, in its opinion, an Instruction infringes on the data protection legislation or data protection
provisions of another EU or national data protection law.
4.4 Records of Processing Activities
4.4.1 Each of the Parties shall maintain records of processing activities to the extent required in
Article 30 of the General Data Protection Regulation.
4.5 Security Breaches
4.5.1 The Data Processor shall notify the Data Controller without undue delay after becoming aware
of a personal data breach.
4.5.2 Such notification shall contain the actual circumstances in connection with the personal data
breach, its effects and the remedial action taken and planned.
4.6 Assistance
4.6.1 At the Data Controller’s request, the Data Processor shall assist the Data Controller, to the extent
possible, with appropriate technical and organisational measures for the discharge of the Data
Controller’s obligation to respond to requests for exercising the rights of the data subjects.
4.6.2 With due consideration for the nature of the processing and the data available to the Data
Processor, the Data Processor shall assist the Data Controller with ensuring compliance with the
obligations concerning the Data Controller’s:
a) Security of processing;
b) Notification of a personal data breach to the supervisory authority;
c) Communication of a personal data breach to the data subject;
d) Data protection impact assessment; and
e) Prior consultation.

5.1 The Data Processor may only make use of a third party for the processing of personal data on the
Data Controller’s behalf (“Sub-Processor”) to the extent provided for in (a) Annex 2 to this Data
Processing Agreement or (b) the Instructions from the Data Controller.
5.2 The Data Processor and Sub-Processor shall enter into a written agreement that imposes on the
Sub-Processor the same data protection obligations to which the Data Processor is subject
(including in pursuance of this Data Processing Agreement).
5.3 Moreover, the Sub-Processor shall only act subject to Instructions issued from the Data
5.4 Where a Sub-Processor does not live up to the instructions, the Data Controller may forbid the
use of the respective Sub-Processor.

6.1 The Data Processor may process personal data outside the Instructions in cases where this is
required by EU or national law to which the Data Processor is subject.
6.2 In case of processing of personal data outside the Instructions, the Data Processor shall notify
the Data Controller of the reason for such processing. Such notice shall be given prior to the
processing and shall contain a reference to the legal requirements governing the processing.
6.3 Notice shall not be given if such notification will be in conflict with EU or national law.
7.1 General Provisions
7.2 Breach
7.2.1 Breaches are governed by the Main Agreement.
7.3 Liability and Limitation of Liability
7.3.1 Liability and limitation of liability are governed by the Main Agreement.
7.4 Force Majeure
7.4.1 Force majeure is governed by the Main Agreement.
7.5 Confidentiality
7.5.1 Confidentiality is governed by the Main Agreement.

8.1 Consequences of Expiry
8.1.1 The consequences of expiry are governed by the Main Agreement.
8.2 To the extent the Data Controller is not already in the possession of the personal data, the Data
Processor and its Sub-Processors, if any, shall return all personal data processed by the Data
Processor in accordance with this Data Processing Agreement to the Data Controller when the
Data Processing Agreement expires. Unless otherwise stipulated in the Main Agreement, the Data
Processor is subsequently obliged to delete all personal data received from the Data Controller.
The Data Controller may request the requisite documentation in proof that this has happened.

The dispute resolution provisions of the Main Agreement shall also find application for this Data
Processing Agreement as though this Data Processing Agreement were an integral part thereof