DATA PROCESSING AGREEMENT
signed by and between
Postcode and city
(Hereinafter referred to as the “Data Controller”)
CVR no. DK26360714
Rued Langgaards Vej 7
2300 København S
(Hereinafter referred to as the “Data Processor”. The two parties are hereinafter collectively referred to as the “Parties” and individually as the “Party”)
ANNEXES TO THE DATA PROCESSING AGREEMENT
Annex 1 Main Service
Annex 2 Sub-Processors
1 BACKGROUND & PURPOSE
1.1 The Parties have agreed that the Data Processor will provide certain services to the Data Controller, as described in greater detail in a separate agreement between the Parties (the “Main Agreement”) as well as in Annex 1 hereto (the “Main Service”).
1.2 In this connection, the Data Processor shall process personal data on the Data Controller’s behalf, which is the reason why the Parties have entered into this Agreement and the annexes thereto (the “Data Processing Agreement”).
1.3 The purpose of the Data Processing Agreement is to ensure that the Parties comply with the personal data legislation applicable as at the date when the Data Processing Agreement was signed or, in other words, with:
(i) The Danish Personal Data Act (Act no. 429 of 31 May 2000, as subsequently amended);
(ii) The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016), as soon as it takes effect on 25 May 2018.
2.1 The Data Processor is hereby authorised to process personal data on the Data Controller's behalf, on the terms and conditions provided for in the Data Processing Agreement.
2.2 The Data Processor may only process personal data subject to documented instructions issued by the Data Controller (the “Instructions”). This Data Processing Agreement, including any and all annexes hereto, forms the Instructions as of the date when it is signed.
2.3 The Instructions may be amended or elaborated on in greater detail by the Data Controller at any time. Such amendments may be made in accordance with the change management process agreed between the Parties, cf. the Main Agreement.
3.1 The Data Processing Agreement shall apply until the Main Agreement’s expiry.
4 DATA PROCESSOR'S OBLIGATIONS
4.1 Technical and Organisational Security Measures
4.1.1 The Data Processor is responsible for implementing the requisite (a) technical and (b) organisational security measures. The measures shall be implemented with due consideration for the current technical level, implementation costs, nature, scope, context and purposes of the respective processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and the types of personal data described in Annex 1.
4.1.2 Irrespective of subsection 4.1.1, the Data Processor shall implement the technical and organisational security measures specified in Annex 2 hereto.
4.1.3 The Data Processor shall implement the appropriate technical and organisational measures in such a way that the processing of personal data by the Data Processor meets the requirements in the existing personal data legislation.
4.2 Employee Conditions
4.2.1 The Data Processor shall ensure that the employees who process personal data for the Data Processor have pledged to observe confidentiality or are subject to an appropriate statutory confidentiality obligation.
4.3 Proof of Compliance
4.3.1 The Data Processor shall provide, on request, all information necessary to demonstrate compliance with the requirements in the Data Processing Agreement to the Data Controller and shall allow for and contribute to audits, including inspections conducted by the Data Controller or another auditor mandated by the Data Controller. Response to such a request shall be given within a reasonable period of time.
With regard to subsection 4.3.1, the Data Processor shall immediately notify the Data Controller if, in its opinion, an Instruction infringes on the data protection legislation or data protection provisions of another EU or national data protection law.
4.4 Records of Processing Activities
4.4.1 Each of the Parties shall maintain records of processing activities to the extent required in Article 30 of the General Data Protection Regulation.
4.5 Security Breaches
4.5.1 The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.
4.5.2 Such notification shall contain the actual circumstances in connection with the personal data breach, its effects and the remedial action taken and planned.
4.6.1 At the Data Controller’s request, the Data Processor shall assist the Data Controller, to the extent possible, with appropriate technical and organisational measures for the discharge of the Data Controller's obligation to respond to requests for exercising the rights of the data subjects.
4.6.2 With due consideration for the nature of the processing and the data available to the Data Processor, the Data Processor shall assist the Data Controller with ensuring compliance with the obligations concerning the Data Controller’s:
a) Security of processing;
b) Notification of a personal data breach to the supervisory authority;
c) Communication of a personal data breach to the data subject;
d) Data protection impact assessment; and
e) Prior consultation.
5.1 The Data Processor may only make use of a third party for the processing of personal data on the Data Controller’s behalf (“Sub-Processor”) to the extent provided for in (a) Annex 2 to this Data Processing Agreement or (b) the Instructions from the Data Controller.
5.2 The Data Processor and Sub-Processor shall enter into a written agreement that imposes on the Sub-Processor the same data protection obligations to which the Data Processor is subject (including in pursuance of this Data Processing Agreement).
5.3 Moreover, the Sub-Processor shall only act subject to Instructions issued from the Data Controller.
5.4 Where a Sub-Processor does not live up to the instructions, the Data Controller may forbid the use of the respective Sub-Processor.
6 DATA PROCESSING OUTSIDE THE INSTRUCTIONS
6.1 The Data Processor may process personal data outside the Instructions in cases where this is required by EU or national law to which the Data Processor is subject.
6.2 In case of processing of personal data outside the Instructions, the Data Processor shall notify the Data Controller of the reason for such processing. Such notice shall be given prior to the processing and shall contain a reference to the legal requirements governing the processing.
6.3 Notice shall not be given if such notification will be in conflict with EU or national law.
7 MISCELLANEOUS PROVISIONS
7.1 General Provisions
7.2.1 Breaches are governed by the Main Agreement.
7.3 Liability and Limitation of Liability
7.3.1 Liability and limitation of liability are governed by the Main Agreement.
7.4 Force Majeure
7.4.1 Force majeure is governed by the Main Agreement.
7.5.1 Confidentiality is governed by the Main Agreement.
8.1 Consequences of Expiry
8.1.1 The consequences of expiry are governed by the Main Agreement.
8.2 To the extent the Data Controller is not already in the possession of the personal data, the Data Processor and its Sub-Processors, if any, shall return all personal data processed by the Data Processor in accordance with this Data Processing Agreement to the Data Controller when the Data Processing Agreement expires. Unless otherwise stipulated in the Main Agreement, the Data Processor is subsequently obliged to delete all personal data received from the Data Controller. The Data Controller may request the requisite documentation in proof that this has happened.
9 DISPUTE RESOLUTION
The dispute resolution provisions of the Main Agreement shall also find application for this Data Processing Agreement as though this Data Processing Agreement were an integral part thereof.
Copenhagen, May 23 2018
For the Data Controller
For the Data Processor
1 PURPOSE AND MAIN AGREEMENT
1.1 Main Agreement shall mean: ABC Enterprise Contract/ABC Software Contract
2 PERSONAL DATA
2.1 Personal data that may be processed in relation to the Main Agreement:
a) Personal data:
Types of personal data
- Name, address, phone no., email, etc.
- Journal ID
- Purchase orders, etc.
- IP address
b) Sensitive personal data: NONE
1 GENERAL PROVISIONS
1.1 The Data Controller hereby grants consent to the use of the following sub-processors by the Data Processor:
5 Millington Road
Hyde Park Hayes
1.2 The Data Processor may not use any other Sub-Processors without the Data Controller’s prior specific written consent.
1.3 The Data Controller may not refuse to approve the addition or replacement of a Sub-Processor, unless there is a specific factual justification for this, and shall give notice of such an objection within  days.