SOME LEGAL THINGS
Data processing agreement
(“The Data Controller”)
Wedoio Integrations Aps
CVR no. 36928271
Kochsgade 31D, 2nd floor
5000 Odense C
(“The Data Processor”)
The Data Controller and the Data Processor are each referred to as a “Party” and together the “Parties”
1.1 The Data Controller has entered into a subscription agreement (hereinafter “the Subscription”) with the Data Processor with a view to making integration among the Data Controller's IT systems and services.
1.2 In relation to this, the Data Processor processes personal data on behalf of the Data Controller, e.g. via management of the Data Processor's servers.
1.3 The data processing takes place via one or more of the Data Processor's technical solutions (hereinafter “the System” or “Systems”), which ensure the integration between the IT systems that the Data Controller uses in his company. The Data Controller can at any time view all of the Personal Information that is processed in the System by logging in to the System.
1.4 The purpose of the Data Processing Agreement is to ensure that the Data Processor at all times complies with applicable personal data legislation in this connection, including the Law on the protection of personal data (Persondataloven, Act no. 429 of 31/05/2000 with subsequent amendments) and the General Data Protection Regulation (European Parliament and Council Regulation 2016/679 of 27 April 2016 - hereinafter the “Personal Data Ordinance”).
1.5 The Data Processing Agreement stipulates the rights and obligations that apply when the Data Processor processes personal data on behalf of the Data Controller.
1.6 The Data Processing Agreement follows the conditions for termination of the Subscription, cf. section 1.1 and the associated trading conditions. The trading conditions also apply in general in relation to the Data Processing Agreement. In case of doubt or contradicting cases, the Data Processing Agreement takes precedence, unless otherwise specifically stated in the Data Processing Agreement.
1.7 Appendices 1-2 belong to the Data Processing Agreement. The attachments form an integral part of the Data Processing Agreement.
1.8 The Data Processing Agreement and associated attachments are kept in writing, including electronically by both parties.
2.1 The Data Processor may only process personal data in accordance with documented instructions from the Data Controller unless required by EU law or the national law of the Member States to which the Data Processor is subject; in that case, the Data Processor shall notify the Data Controller of this legal requirement before processing, unless the court in question prohibits such notification for reasons of important societal interests, cf. the Personal Data Ordinance art. 28, para. 3, letter a.
2.2 The instruction consists of 2 (two) parts:
2.3 This Data Processing Agreement includes the appendices at the time of signing.
2.4 The integration that the Data Processor makes in the System (and whereby the processing of personal data takes place) constitutes an instruction to the Data Processor, as the Data Processor automatically, based on the information and uploads received from the Data Controller, collects, registers, organizes, systematizes, stores, adapts or modifies, retrieves, searches, uses, transmits, distributes or collects, assembly or interconnection, restriction, deletion or destruction.
2.5 The Data Processor shall immediately notify the Data Controller if, in the Data Processor's opinion, an instruction is in breach of the Personal Data Regulation or data protection provisions of other EU law or the national law of the Member States.
2.6 Unless otherwise provided in the Data Processing Agreement, the Data Processor may use all relevant aids, including IT systems.
3. GENERALLY ABOUT SECURITY OF PROCESSING
3.1 The Data Processor shall take all necessary measures on an ongoing basis in accordance with Article 32 of the Personal Data Regulation.
3.2 Article 32 states, inter alia, that appropriate technical and organizational measures must be taken to ensure a level of security appropriate to the risks associated with the processing of personal data, taking into account:
3.3 The current level
3.4 Implementation costs
3.5 Nature, scope, coherence and purpose of the processing in question (including taking into account the category of personal data in Annex 1)
3.6 The risks of varying probability and severity for the rights and freedoms of natural persons
3.7 In connection with the above, the data processor shall - in all cases - implement at least the level of security and the measures specified below in points 4, 5 and 6.
3.8 The parties agree that these guarantees are sufficient at the time of entering into this Data Processing Agreement, noting that the Data Processor has otherwise initiated other measures in internal procedures.
4. PHYSICAL SECURITY
4.1 The data processor secures physical premises.
5. ORGANISATIONAL SECURITY
5.1 The Data Processor ensures that only the persons who are currently authorized to do so have access to the personal data that is processed on behalf of the Data Controller. Access to the information must therefore be shut down immediately if the authorization is revoked or expires.
5.2 Only persons for whom it is necessary to have access to the personal data in order to be able to fulfil the Data Processor's obligations to the Data Controller may be authorized.
5.3 The Data Processor ensures that the persons authorized to process personal data on behalf of the Data Controller have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality and that the employees comply with the Data Processor Agreement.
5.4 All employees are informed of and subject to internal procedures for how security breaches are handled.
6. TECHNICAL SECURITY
6.1 The Data Processor uses only high-quality hardware and software that is continuously updated, including antivirus software, antihacking software and firewalls.
6.2 All communication to/from the System is encrypted (HTTPS) and supports a 256/128-bit TLS connection.
6.3 Access to the Data Processor's internal IT systems is via encrypted login information, which ensures that unauthorized persons cannot gain access. The Data Processor changes passwords in internal IT systems at appropriate intervals, which ultimately gives access to the Data Controller's personal information.
6.4 For use in integrating the System with the Data Controller's IT systems, the Data Processor receives the necessary passwords and access information. The Data Processor deletes the information after the setup/integration of the Subscription has been completed unless the Parties enter into a separate agreement to the contrary. The Data Controller should change the information at the same time.
6.5 However, the Data Processor stores correspondence and log files regarding support for the Data Controller in a “ticket”. To be able to perform troubleshooting and have an overview of the previous history regarding support, the contents of the “ticket” will not be deleted unless the Data Controller actively requests it.
7. NOTIFICATION OF PERSONAL DATA BREACH
7.1 The Data Processor notifies the Data Controller without undue delay after becoming aware that there has been a breach of the personal data security of the Data Processor or any Sub-Data Processor.
7.2 Such security breach includes any breach that could potentially lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the personal data processed by the Data Controller ("Security breach").
7.3 The data processor must keep a record of all security breaches. The list must contain at least the facts about the breach of security, the effects and the treatment measures taken.
8. USE OF SUB-DATA PROCESSORS
8.1 The Data Processor must meet the conditions referred to in Article 28 (1) of the Personal Data Regulation. 2 and 4, to make use of another Data Processor (Sub-Data Processor).
8.2 The parties have agreed that the Data Processor may generally use Sub-Data Processors, cf. Appendix 2, where the already approved Sub-Data Processors are also listed.
8.3 The Data Controller shall notify the Data Controller of any planned changes regarding the addition or replacement of other Data Processors and thereby give the Data Controller the opportunity to object to such changes.
8.4 The Data Processor imposes on the Sub-Data Processor at least the same data protection obligations as those stipulated in this Data Processor Agreement through a contract or other legal document so that the requirements for technical and organizational measures in the Personal Data Regulation and/or other relevant applicable regulations are observed at all times.
8.5 If the Sub-Data Processor does not fulfil its data protection obligations, the Data Processor remains fully responsible to the Data Controller for the fulfilment of the Sub-Data Processor's obligations.
9. TRANSFER OF INFORMATION TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
9.1 The Data Processor may only process personal data in accordance with documented instructions from the Data Controller, including with regard to the transfer (transfer, transfer and internal use) of personal data to third countries or international organizations unless the exceptions to this are met in the Personal Data Ordinance.
9.2 Any instructions from the Data Controller or approval of the transfer of personal data to a third country must appear in the Appendices or separate instructions.
9.3 If the Data Controller has not specified in the Appendices or in separate instructions an instruction or approval regarding the transfer of personal data to a third country or international organizations, the Data Processor may not make such a transfer within the framework of the Data Processing Agreement.
9.4 To the extent that a transfer takes place to a third country, the Data Controller assists the Data Processor free of charge in concluding necessary agreements, or the Data Controller issues an authorization to enter into the necessary agreements on behalf of the Data Controller and on his behalf.
10. ASSISTANCE TO THE DATA MANAGER
10.1 The Data Processor assists, taking into account the nature of the processing, as far as possible the Data Controller by appropriate technical and organizational measures in compliance with the Data Controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter 3 of the Personal Data Regulation.
10.2 The Data Processor assists the Data Controller in ensuring compliance with the Data Controller's obligations pursuant to Articles 32-36 of the Personal Data Ordinance, taking into account the nature of the processing and the information available to the Data Processor, cf. the Personal Data Ordinance art. 28, para. 3, letter f.
10.3 The parties' agreement on payment for the Data Processor's assistance to the Data Controller for this is stated in section 12.
11.1 The Data Processor does not delete the Data Controller's personal information (or other data) during the term of the Subscription unless the Data Controller instructs the Data Processor about this.
11.2 Upon termination of the Cooperation and the associated processing of personal data, the Data Processor shall, at the Data Controller's choice, delete or return all personal data to the Data Controller, as well as delete existing copies and passwords that may be stored with the Data Processor following instructions from the Data Controller, unless EU law or national law prescribes the storage of personal data.
11.3 Deletion of all types of data at the Data Processor and Sub-Data Processors generally takes place no later than 3 months after the end of the Subscription and without notice. The previous deletion can be done at the request of the Data Processor.
12. SUPERVISION AND AUDIT
12.1 The Data Processor shall make available to the Data Controller all information necessary to demonstrate the Data Processor's compliance with Article 28 of the Personal Data Regulation and this Agreement.
12.2 The Data Processor provides, inter alia, the opportunity for and contributes to audits, including inspections carried out by the Data Controller or another expert (e.g. auditor or IT specialist) authorized to do so by the Data Controller.
12.3 The Data Processor shall - if the Data Controller so wishes - once a year obtain a customary and recognized statement (e.g. audit statement or IT statement) from an independent, expert third party regarding the Data Processor's compliance with this Data Processor Agreement with accompanying appendices. The declaration is prepared at the expense of the Data Controller and the Data Processor is entitled to receive a copy of the declaration. If a statement has been prepared on this occasion within the last 12 months, the Data Processor may offer the Data Controller to receive a copy of this instead.
12.4 In addition, the Data Controller or a representative of the Data Controller has access to supervise, including physical supervision, at the Data Processor when the Data Controller so wishes.
12.5 Supervision is notified with a minimum of one month's notice. Together with the notification, the Data Controller must send a detailed plan with a description of the scope, duration and start date of the audit. The Data Controller is obliged to allocate the resources (mainly the time) necessary for the Data Controller to carry out his supervision.
12.6 The Data Processor's expenses in connection with auditing and/or other forms of supervision (including internal time) are borne by the Data Controller and are settled in relation to the time spent by the Data Processor.
12.7 This also applies if the Data Controller requests documents or other material handed over from the Data Processor in order to check that the Data Processor Agreement is complied with.
13.1 The regulation of default rights follows the trading conditions associated with the Subscription, cf. section 1.7.
14. LIABILITY AND LIMITATION OF LIABILITY
14.1 The parties are liable in accordance with the general rules of applicable law, however, with the limitations that follow from this section.
14.2 The parties disclaim any liability for indirect losses and consequential damages, including operating losses, loss of goodwill, loss of savings and income, including expenses to recover lost income and loss of data.
14.3 The parties' liability for all cumulated claims under this Data Processing Agreement is limited to the total payments due under the Main Benefit for the 6-month period immediately preceding the tortious act.
14.4 If the Data Processing Agreement has not been in force for 6 months, the amount is calculated as the agreed payment at the Main Benefits during the period the Data Processor Agreement has been in force divided by the number of months the Data Processor Agreement has been in force and then multiplied by 6.
14.5 The following are not covered by the limitation of liability in this clause 14:
14.6 Loss as a result of gross negligence or willful misconduct by the other Party.
14.7 Expenditure and resource consumption in fulfilling a Party's obligations to a supervisory authority or the data subject as well as fines imposed by a supervisory authority or a court, insofar as such are caused by the other Party's default.
15.1 The Data Processor may, with 1 month's notice and free of charge, make changes to the Data Processing Agreement.
16. DURATION AND TERMINATION
16.1 The Data Processing Agreement may be replaced by another valid Data Processing Agreement. The Data Processing Agreement may not be terminated separately during the term of the Subscription.
16.2 Notwithstanding the termination of the Data Processing Agreement, clauses 5.3 of the agreement (employees' confidentiality), 11 (deletion/return), 14 (liability and limitation of liability) and 17 (disputes) shall have effect after the termination of the Data Processing Agreement.
16.3 The Data Processor may continue to process the personal data for up to three months after the termination of the Data Processing Agreement to the extent necessary to take the necessary statutory measures, cf. otherwise section 11.2. During the same period, the Data Processor is entitled to include the personal data in the Data Processor's usual backup procedure.
16.4 The Data Processor's processing during this period is still considered to take place in compliance with the instructions in the Data Processing Agreement.
17.1 Handling of disputes related to the Data Processing Agreement follows the Subscription's trading conditions.
17.2 Unless otherwise agreed, the Data Processing Agreement is subject to Danish law and the Parties are entitled to demand that the dispute be settled in the ordinary courts. The court in Glostrup has been chosen as the venue in the first instance.
18. SUBSCRIPTION PERIOD
18.1 The subscription runs from the day ordered and accepted for a period of one year. The subscription automatically renews, if it has not been cancelled by the customer 3 months before the end of a subscription period.
19. CHANGES IN CONDITIONS
19.1 WEDOIO reserves the right, with simultaneous notice, to amend these terms and conditions.
1.1 This appendix elaborates on the content of the Data Processing Agreement with regard to the specific personal data that is processed on behalf of the Data Controller.
2. TYPES OF PERSONAL DATA
2.1 The agreement implies that the Data Processor processes the following categories of general personal data:
Type of Subscription
In addition, the following categories of sensitive personal information are processed, cf. section 1.2
Political, philosophical or religious beliefs
Trade union relations
Race or ethnic origin
Sexual relations or sexual orientation
Genetic or biometric data to identify a natural person
3. THE TREATMENT INCLUDES THE FOLLOWING CATEGORIES OF PERSONS
The Data Controller's customers
Employees of the Data Controller
Members of the Data Controller
Owners of the Data Controller
The Data Controller's partners
1. SUB-DATA PROCESSORS
1.1 The Data Processor has the Data Controller's general approval to make use of Sub-Data Processors.
1.2 The Data Processor shall, however, notify the Data Controller of any planned changes regarding the addition or replacement of other Data Processors and thereby give the Data Controller the opportunity to object to such changes.
1.3 Such notification must be received by the Data Controller at least 30 days before the application or change is to take effect.
1.4 If the Data Controller has objections to the changes, the Data Controller must notify the Data Processor within 14 days of receiving the notification.
1.5 The Data Controller may only object if the Data Controller has reasonable, concrete reasons for this.
2. LIST OF SUB-DATA PROCESSORS AT THE CONCLUSION OF THE DATA PROCESSING AGREEMENT
Microsoft Azure (Ireland)