DATA PROCESSING AGREEMENT
REGARDING THE DATA CONTROLLER’S USE OF THE DATA PROCESSOR’S DIGITAL CAB SYSTEMS AND SERVICES
Concluded today [Date] between
The Data Controller
CVR/VAT No [CVR number]
[Address]
[Postal code and city]
[Country]
[Contact person and contact information]
The Data Processor
DIGITAL CAB ApS
2800 Kgs. Lyngby
Both parties confirm that they have the authority to conclude this agreement.
2 Background of the Data Processing Agreement
3 The Data Controller’s Obligations and Rights
4 The data controller is acting according to instructions
5 Instructions for processing personal data
6 Access to supervision and audit
8 Processing Security
9 Use of Other Data Processors
10 Assistance to the Data Controller
11 Notification of breach of personal data security
12 Deleting and retrieving information
13 Entry into force and termination
This agreement sets out the rights and obligations that apply when the Data Processor handles personal data on behalf of the Data Controller.
The agreement is designed to enable the parties to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.
The Data Processor’s processing of personal data is carried out in order to fulfil the parties’ agreement concluded electronically via digitalcab.dk, where the Data Controller has accepted “DIGITAL CAB’s General Terms of Business” and this Data Processing Agreement.
The Data Processing Agreement and the “DIGITAL CAB’s General Terms of Business” are interdependent and cannot be terminated separately. However, the Data Processing Agreement may, without terminating the terms of business, be replaced by another valid data processing agreement.
The Data Processing Agreement is stored electronically by both parties.
This Data Processing Agreement does not release the Data Processor from any obligations that are imposed directly on the Data Processor under the Data Protection Regulation or any other law.
The Data Controller is responsible for the processing of personal data within the scope of the Data Protection Act, including towards the data subject.
The Data Controller therefore has both the right and the obligation to make decisions on the purposes and means of the processing.
The Data Controller is responsible for, inter alia, the existence of a legal basis for the processing that the Data Processor is instructed to carry out.
This Data Processing Agreement constitutes the Data Controller’s general and specific instructions to the Data Processor and thus governs the Data Processor’s processing of personal data on behalf of the Data Controller.
The Data Processor shall immediately inform the Data Controller if an instruction from the Data Controller is contrary to the Data Protection Regulation or to data protection provisions in other EU law or in the national law of the Member States.
The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is to enable the Data Controller to use the systems and services owned and administered by the Data Processor, as described in “DIGITAL CAB’s General Terms of Business”.
The Data Processor collects personal data to ensure efficient operation and the best possible performance of its products and services.
The Data Processor does not collect data covered by Article 9 of the Data Protection Regulation on “Special categories of personal data”.
The personal data the Data Processor collects are:
- E-mail address or e-mail addresses
- IP number or IP numbers
- Telephone number or telephone numbers
The processing includes the following types of personal data about the data subjects:
- E-mail address or e-mail addresses
- IP number or IP numbers
- Telephone number or telephone numbers
The processing includes the following categories of data subjects:
- The Data Controller’s customer contacts
- The Data Controller’s customers’ employees
- The Data Controller’s customers’ end users
- The Data Controller’s contacts
- The Data Controller’s employees
- The Data Controller’s end users
The Data Processor shall make available to the Data Controller all information necessary to demonstrate the Data Processor’s compliance with Article 28 of the Data Protection Regulation and with this Agreement, and shall allow and contribute to audits.
The Data Controller may initiate a review of the Data Processor’s obligations once a year. If current legislation obliges the Data Processor to review more than once a year, the Data Processor is required to comply with the law.
The Data Controller must provide a detailed audit plan with a description of the scope, duration and notice to the start date of a minimum of 4 weeks prior to the proposed start date.
The Data Controller and the Data Processor jointly decide whether a third party is to conduct the audit. The Data Controller may allow the Data Processor to determine that the audit is performed by a neutral third party of the Data Processor’s choice, since data belonging to several Data Controllers is present in the Data Processor’s systems.
There is agreement between the parties that audit statements that comply with ISO, ISAE or similar certification reports may be used.
The audit statement is sent as soon as possible after it is obtained to the Data Controller for information.
Audits must take place during normal office hours at the Data Processor’s address and be planned so as to minimize the impact on the Data Processor’s usual commercial activities.
The Data Controller’s expenses incurred in connection with an audit are borne by the Data Controller. However, the Data Processor is obliged to allocate the resources (essentially the time) necessary for the Data Controller to conduct its supervision.
The Data Processor’s assistance in connection with an audit that goes beyond the requirements of applicable data protection legislation is invoiced separately to the Data Controller.
The Data Processor is obliged to grant authorities that are entitled to access the Data Controller’s and the Data Processor’s facilities, or representatives acting on behalf of such an authority, access to the Data Processor’s physical facilities upon presentation of due identification.
The Data Processor ensures that only persons who are currently authorized to do so have access to the personal data processed on behalf of the Data Controller. Access to the data must therefore be terminated immediately if the authorization is withdrawn or expires.
Only persons for whom it is essential to have access to the personal data may be authorized to fulfill the Data Processor’s obligations to the Data Controller.
The Data Processor ensures that the persons authorized to process personal data on behalf of the Data Controller have committed to confidentiality or are subject to appropriate statutory confidentiality.
The Data Processor shall, at the request of the Data Controller, be able to demonstrate that the relevant employees are subject to the aforementioned confidentiality obligation.
The Data Processor implements all measures required by Article 32 of the Data Protection Regulation, from which it follows, inter alia, that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to those risks.
In assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The level of security must at least reflect the processing of personal data covered by the Data Protection Regulation.
The personal data are classified to ensure the implementation of security measures relevant to a risk assessment.
The above obligation implies that the Data Processor must conduct a risk assessment and then take measures to address the identified risks. Such measures may include, inter alia, the following:
- Pseudonymization and encryption of personal data
- Ability to ensure continued confidentiality, integrity, availability and robustness of processing systems and services
- Ability to restore timely availability and access to personal data in case of a physical or technical incident
- A procedure for periodic testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure processing safety
- Encryption of data in transit, and access to data over the Internet only after login
- Limitation of access to personal data to relevant persons
The Data Processor is thereby entitled and obliged to make decisions about the technical and organizational security measures to be used to achieve the required level of security for the data.
The Data Processor must comply with the conditions set out in Article 28(2) and (4) of the Data Protection Regulation for the use of Another Data Processor.
This agreement constitutes the Data Controller’s general and specific approval that the Data Processor, as part of the Data Processor’s systems and services, makes use of Other Data Processors in order to fulfill the agreed service or order between the Data Controller and the Data Processor.
If Another Data Processor is established outside the EU, or personal data is stored outside the EU, the Data Controller hereby authorizes the Data Processor to secure a sufficient basis for transferring personal data to third countries on behalf of the Data Controller, including by using the EU Commission’s Standard Contractual Clauses or in accordance with Privacy Shield.
The Data Processor’s Other Data Processors are displayed on the always updated list of Other Data Processors.
The Data Processor ensures that the Other Data Processors are bound by the same obligations as those set forth in this Data Processing Agreement.
The Data Processor is thus responsible for imposing on any Other Data Processor, through the conclusion of a separate data processing agreement, at least the obligations that the Data Processor itself is subject to under the data protection rules and this Data Processing Agreement.
The Data Controller is informed if the Data Processor wishes to replace or add Another Data Processor. The Data Controller may only object to a new Other Data Processor that processes personal data on behalf of the Data Controller if that Other Data Processor does not comply with the same applicable data protection obligations as those agreed between the Data Controller and the Data Processor.
If the Other Data Processor does not comply with its data protection obligations, the original Data Processor remains fully liable to the Data Controller for the fulfilment of the Other Data Processor’s obligations. The Data Controller has access to the Data Processor’s data protection evaluation of the Other Data Processor.
The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller through appropriate technical and organizational measures, with the obligation of the Data Controller to answer requests for the exercise of the rights of the data subjects as laid down in Chapter 3 of the Data Protection Regulation.
This implies that the Data Processor shall, as far as possible, assist the Data Controller in ensuring compliance with:
- The disclosure obligation when personal data are collected from the data subject
- The disclosure obligation when personal data have not been obtained from the data subject
- The data subject’s right of access
- The right to rectification
- The right to delete (“the right to be forgotten”)
- The right to restrict processing
- The notification obligation in connection with the rectification or erasure of personal data or the restriction of processing
- The right to data portability
- The right of objection
- The right to object to the result of automatic individual decisions, including profiling
The Data Processor assists the Data Controller in ensuring compliance with the Data Controller’s obligations under Articles 32-36 of the Data Protection Regulation, taking into account the nature of the processing and the information available to the Data Processor, cf. Article 28(3)(f).
This implies that, taking into account the nature of the processing, the Data Processor shall assist the Data Controller in ensuring compliance with:
- The obligation to implement appropriate technical and organizational measures to ensure a level of safety that fits the risks associated with the processing
- The obligation to report a breach of personal data security to the supervisory authority (the Data Inspectorate) without undue delay and, where possible, within 72 hours after the Data Controller has been notified of the breach, unless the breach of personal data security is unlikely to result in a risk to the rights and freedoms of natural persons
- The obligation to notify the data subjects of a breach of personal data security without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons
- The obligation to conduct a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
- The obligation to consult the supervisory authority (the Data Inspectorate) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk
The Data Processor shall inform the Data Controller without undue delay after becoming aware of a breach of personal data security at the Data Processor or at any Other Data Processor.
The Data Processor, taking into account the nature of the processing and the information available, shall assist the Data Controller to report the breach to the supervisory authority.
This may mean that the Data Processor shall, among other things, assist in providing the following information, which pursuant to Article 33(3) of the Data Protection Regulation must be stated in the Data Controller’s notification to the supervisory authority:
- The nature of the breach of personal data security, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- Probable consequences of the breach of personal data security
- The measures taken or proposed to address the breach of personal data security, including, where appropriate, measures to mitigate its possible adverse effects
The personal data are stored with the Data Processor until the Data Controller requests that the data be deleted or returned. However, the Data Processor reserves the right to delete the Data Controller’s personal data 90 days after the Data Controller’s termination as a customer and is not required to store the Data Controller’s personal data after this time unless required by law.
The Data Processing Agreement enters into force on 25 May 2018. Data processing agreements entered into after 25 May 2018 enter into force on the date of the Data Processing Agreement.
The Data Processing Agreement may be renegotiated by both parties if changes in the law or inconsistencies in the agreement give rise to this.
The Data Processor’s processing of personal data on behalf of the Data Controller is not time-limited and lasts until the agreement is terminated or canceled by either party. Processing continues for the notice period.
Termination of the Data Processing Agreement shall be in accordance with the termination terms, including notice of termination, as stated in “DIGITAL CAB’s General Terms of Business“.