Data Processing Agreement
Standard Contractual Clauses
pursuant to Article 28(3) of Regulation 2016/679 (General Data Protection Regulation) for the purpose of the processing of personal data by the data processor.
between
the organization accepting this agreement.
hereinafter “the data controller”
and
WhistleSystem ApS
CVR: 41576561
Roholmsvej 12A
DK-2620 Albertslund
Denmark
hereinafter “the data processor”
each of which is a “Party” and together constitute the “Parties”
HAVE AGREED to the following Standard Contractual Clauses (the “Clauses”) in order to comply with the General Data Protection Regulation and ensure the protection of privacy and fundamental rights and freedoms of natural persons.
1. Content
Preamble.
Rights and obligations of the controller.
The Data Processor acts on instructions.
Confidentiality.
Security of processing.
Use of sub-processors.
Transfer to third countries or international organizations.
Assistance to the controller.
Notification of personal data breaches.
Deletion and return of information.
Audit, including inspection.
Agreement of the parties on other matters.
Entry into force and termination.
Contact persons at the Data Controller and the Data Processor.
Annex A: Information about the processing.
Annex B: Sub-processors.
Annex C: Instructions regarding the processing of personal data.
Annex D: Regulation of other matters by the parties.
2. Preamble
- These Provisions set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
- These provisions are designed to address the parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- In connection with the provision of WhistleSystem, the Data Processor processes personal data on behalf of the data controller in accordance with these Provisions.
- The provisions shall prevail over any similar provisions of other agreements between the Parties.
- There are four Annexes to these Provisions and the Annexes form an integral part of the Provisions.
- Annex A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
- Annex B contains the data controller’s conditions for the data processor’s use of subcontracted data processors and a list of sub-processors for which the data controller has approved the use.
- Annex C contains the data controller’s instructions regarding the data processor’s processing of personal data, a description of the security measures that the data processor must implement as a minimum and how to supervise the data processor and any subcontracted data processors.
- Annex D contains provisions relating to other activities not covered by the Provisions.
- The provisions and their annexes shall be kept in writing, including electronically, by both Parties.
- These Provisions do not release the Data Processor from obligations imposed on the Data Processor under the General Data Protection Regulation or any other legislation.
3. Rights and obligations of the controller
- The Data Controller is responsible for ensuring that the processing of personal data is carried out in accordance with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions of other EU or Member State law and these Provisions.
- The data controller has the right and duty to make decisions about the purpose(s) and means of processing personal data.
- The data controller is responsible for, among other things, ensuring that there is a processing basis for the processing of personal data, which the data processor is instructed to carry out.
4. The data processor acts according to instructions
- The Data Processor may only process personal data on documented instructions from the Data Controller, unless required by Union or Member State law to which the Data Processor is subject. This instruction must be specified in Annexes A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instruction must always be documented and stored in writing, including electronically, together with these Provisions.
- The processor shall inform the controller without delay if, in its opinion, an instruction infringes this Regulation or data protection provisions of other Union or Member State law.
5. Confidentiality
- The Data Processor may only grant access to personal data processed on behalf of the Data Controller to persons who are subject to the Data Processor’s powers of instruction, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access must be reviewed on an ongoing basis. Based on this review, access to personal data may be closed if access is no longer necessary and the personal data shall no longer be accessible to these persons.
- At the request of the data controller, the data processor must be able to demonstrate that the persons concerned, who are subject to the data processor’s powers of instruction, are subject to the aforementioned duty of confidentiality.
6. Security of processing
- Article 32 of the General Data Protection Regulation states that the controller and processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks.
  The controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address those risks. Depending on their relevance, these may include:
  - pseudonymization and encryption of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  - a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing.
- According to Article 32 of the Regulation, the data processor – independently of the controller – must also assess the risks to the rights of natural persons that the processing constitutes and implement measures to address these risks. For the purpose of this assessment, the controller shall provide the data processor with the necessary information enabling it to identify and assess such risks.
- In addition, the Data Processor shall assist the Data Controller in its compliance with the Data Controller’s obligation under Article 32 of the Regulation by, among other things, making available to the Data Controller the necessary information regarding the technical and organizational security measures already implemented by the Data Processor pursuant to Article 32 of the Regulation and all other information necessary for the Data Controller’s compliance with its obligation under Article 32 of the Regulation.
  If, in the opinion of the Data Controller, mitigating the identified risks requires the implementation of additional measures beyond those already implemented by the Data Processor, the Data Controller shall specify the additional measures to be implemented in Appendix C.
7. Use of sub-processors
- The data processor must meet the conditions referred to in Article 28(2) and (4) of the General Data Protection Regulation in order to make use of another data processor (a subcontracted data processor).
- Thus, the Data Processor may not use a subcontracted data processor to comply with these Provisions without prior general written approval from the Data Controller.
  The data processor has the data controller’s general approval for the use of subcontracted data processors. The Data Processor shall notify the Data Controller in writing of any planned changes concerning the addition or replacement of subcontracted data processors with at least 30 days’ notice, thereby giving the Data Controller the opportunity to object to such changes before the subcontracted processor(s) concerned are used. Longer notice periods for notification in connection with specific processing activities may be specified in Appendix B. The list of sub-processors already approved by the data controller is set out in Appendix B.
- Where the processor makes use of a sub-processor in connection with carrying out specific processing activities on behalf of the controller, the processor shall, by means of a contract or other legal act under Union or Member State law, impose on the sub-processor the same data protection obligations as those laid down in these Provisions, providing in particular appropriate safeguards to ensure that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Provisions and the General Data Protection Regulation.
  The Data Processor is therefore responsible for requiring the subcontracted Data Processor to comply, as a minimum, with the Data Processor’s obligations under these Provisions and the General Data Protection Regulation.
- At the data controller’s request, a copy of the sub-processing agreement(s) and any subsequent amendments thereto shall be sent to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations arising from these Provisions are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processing agreement need not be sent to the data controller.
- In its agreement with the subcontracted data processor, the data processor must include the data controller as a beneficiary third party in the event of the data processor’s bankruptcy, so that the data controller can take over the data processor’s rights and enforce them against subcontracted data processors, which e.g. enables the data controller to instruct the subcontracted data processor to delete or return the personal data.
- If the sub-processor fails to fulfil its data protection obligations, the data processor remains fully liable to the data controller for the fulfilment of the sub-processor’s obligations. This does not affect the data subjects’ rights arising from the General Data Protection Regulation, in particular Articles 79 and 82 thereof, vis-à-vis the data controller and processor, including the subcontracted processor.
8. Transfer to third countries or international organizations
- Any transfer of personal data to third countries or international organizations may only be carried out by the data processor on the basis of documented instructions from the data controller and must always take place in accordance with Chapter V of the General Data Protection Regulation.
- Where the transfer of personal data to third countries or international organizations which the processor has not been instructed to carry out by the controller is required by Union or Member State law to which the processor is subject, the processor shall inform the controller of this legal requirement prior to processing, unless that law prohibits such notification on important grounds of public interest.
- Thus, without documented instructions from the data controller, the data processor cannot, within the framework of these Provisions:
  - transfer personal data to a controller or processor in a third country or an international organization;
  - entrust the processing of personal data to a sub-processor in a third country;
  - process the personal data in a third country.
- The data controller’s instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, must be specified in Annex C.6.
- These Clauses should not be confused with Standard Contractual Clauses within the meaning of Article 46(2)(c) and (d) of the General Data Protection Regulation, and these Clauses cannot constitute a basis for the transfer of personal data within the meaning of Chapter V of the General Data Protection Regulation.
9. Assistance to the controller
- Taking into account the nature of the processing, the Data Processor shall, as far as possible, assist the Data Controller by means of appropriate technical and organizational measures in fulfilling the Data Controller’s obligation to respond to requests for the exercise of the data subjects’ rights as laid down in Chapter III of the General Data Protection Regulation. This means that the data processor shall, as far as possible, assist the data controller in ensuring compliance with:
  - the obligation to provide information when personal data are collected from the data subject;
  - the obligation to provide information if personal data have not been collected from the data subject;
  - the right of access;
  - the right to rectification;
  - the right to erasure (“right to be forgotten”);
  - the right to restriction of processing;
  - the notification obligation in connection with rectification or erasure of personal data or restriction of processing;
  - the right to data portability;
  - the right to object;
  - the right not to be subject to a decision based solely on automated processing, including profiling.
- In addition to the Data Processor’s obligation to assist the Data Controller in accordance with Clause 6.3., the Data Processor shall also, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller with:
  - the obligation of the data controller to notify the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is unlikely that the personal data breach entails a risk to the rights or freedoms of natural persons;
  - the obligation of the controller to notify the data subject without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of natural persons;
  - the obligation of the controller to carry out, prior to processing, an analysis of the impact of the intended processing operations on the protection of personal data (a data protection impact assessment);
  - the obligation of the data controller to consult the competent supervisory authority, the Danish Data Protection Agency, before processing, if a data protection impact assessment shows that the processing would lead to high risk in the absence of measures taken by the controller to limit the risk.
- The parties must specify in Appendix C the necessary technical and organizational measures by which the data processor shall assist the data controller, and to what extent. This applies to the obligations arising from Clauses 9.1. and 9.2.
10. Notification of personal data breaches
- The Data Processor informs the Data Controller without undue delay after becoming aware that a personal data breach has occurred.
- If possible, the data processor’s notification to the data controller must take place no later than 24 hours after the data processor has become aware of the breach, so that the data controller can comply with its obligation to report the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.
- In accordance with Clause 9.2.a, the Data Processor shall assist the Data Controller in notifying the breach to the competent supervisory authority. This means that the data processor shall assist in providing the following information, which, according to Article 33(3), shall appear in the data controller’s notification of the breach to the competent supervisory authority:
  - the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned;
  - the likely consequences of the personal data breach;
  - the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to limit its possible adverse effects.
- The parties shall specify in Appendix C the information that the processor must provide in connection with its assistance to the data controller in its obligation to notify personal data breaches to the competent supervisory authority.
11. Deletion and return of information
- Upon termination of the services regarding the processing of personal data, the processor is obliged to erase all personal data that has been processed on behalf of the controller and confirm to the controller that the data has been deleted, unless Union or Member State law provides for the storage of the personal data.
The Data Processor undertakes to process the personal data only for the purpose(s), for the period and under the conditions prescribed by these rules.
12. Audit, including inspection
- The Data Processor makes available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Provisions and allows for and contributes to audits, including inspections, carried out by the Data Controller or another auditor authorized by the Data Controller.
- The procedures for audits, including inspections, by the Data Controller with the Data Processor and sub-processors are specified in Appendix C.7. and C.8.
- The Data Processor is obliged to grant supervisory authorities which, according to applicable law, have access to the Data Controller’s or Data Processor’s facilities, or representatives acting on behalf of the Supervisory Authority, access to the Data Processor’s physical facilities against proper identification.
13. Agreement of the parties on other matters
- The Parties may agree on other provisions relating to the service regarding the processing of personal data, such as liability, as long as these other provisions do not directly or indirectly conflict with the Provisions or impair the fundamental rights and freedoms of the data subject as a result of the General Data Protection Regulation.
14. Entry into force and termination
- The provisions shall enter into force on the date of signature by both Parties.
- Either party may request that the Provisions be renegotiated if changes in the law or inexpediency of the Provisions give rise to this.
- The provisions apply for the duration of the personal data processing service. During this period, the Provisions cannot be terminated unless other provisions regulating the provision of the service regarding the processing of personal data are agreed between the parties.
- If the provision of the services relating to the processing of personal data ceases and the personal data is deleted or returned to the data controller in accordance with Clause 11.1 and Annex C.4, the Provisions may be terminated with written notice by either party.
15. Contact persons at the data controller and processor
- The parties can contact each other via the contact persons below.
- The parties are obliged to inform each other on an ongoing basis of changes regarding contact persons.
The data controller’s contact person is the person submitting the ordering form and this person’s contact information unless changed by the data controller.
The contact person at WhistleSystem is:
Name: Mark Vigild, WhistleSystem ApS
Position: CEO
Telephone number: 50708851
Email: mv@whistlesystem.com
Annex A: Information about the processing
The data processor makes a whistleblower system available to the data controller and enables ongoing case management and anonymous dialogue with the whistleblower.
A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller
The purpose is to ensure that the data controller has implemented the legally required whistleblower scheme in accordance with the Whistleblower Act. In addition, the controller must then ensure that whistleblower requests through the system are treated objectively and efficiently.
A.2. The data processor’s processing of personal data on behalf of the data controller primarily concerns (the nature of the processing)
The data processor provides a whistleblower system that supports the data controller’s objective and secure handling of whistleblower cases. This involves receiving reports, issuing an acknowledgement of receipt within 7 days, establishing dialogue with the whistleblower (if necessary), following up on reports on an ongoing basis, providing feedback to the whistleblower within 3 months, preventing unauthorized access to information in the system, guaranteeing the whistleblower’s confidentiality throughout the process, assessing the nature of whistleblower reports, categorizing whether the report is within the scope of the Whistleblower Act and rejecting reports that are not within the scope of the Act.
A.3. The processing includes the following types of personal data of the data subjects
The processing may include all types of personal data (general, confidential, and sensitive information) if these are included in the whistleblower report and the processing thereof.
A.4. The processing involves the following categories of data subjects:
The whistleblower and persons who may be included in the whistleblower report and the processing hereof.
A.5. The processing of personal data by the Data Processor on behalf of the Data Controller may commence after the entry into force of these Provisions. The processing has the following duration:
The processing of personal data takes place as long as the service license agreement with WhistleSystem is active.
Annex B: Sub-processors
B.1. Approved sub-processors
Upon the entry into force of the Provisions, the Data Controller has approved the use of the sub-processors listed in the table at the bottom of this document.
The Data Controller has approved the use of these sub-processors for the processing activity described there. The Data Processor may not – without the Data Controller’s written approval – make use of a subcontracted data processor for a processing activity other than the one described and agreed, or make use of another sub-processor for this processing activity.
Annex C: Instructions regarding the processing of personal data
C.1. Subject-matter/instructions of the processing
The data processor’s processing of personal data on behalf of the data controller takes place by the data processor performing the following:
The data processor provides a whistleblower system that supports the data controller’s objective and secure handling of whistleblower cases. This involves receiving reports, issuing an acknowledgement of receipt within 7 days, establishing dialogue with the whistleblower (if necessary), following up on reports on an ongoing basis, providing feedback to the whistleblower within 3 months, preventing unauthorized access to information in the system, guaranteeing the whistleblower’s confidentiality throughout the process, assessing the nature of whistleblower reports, categorizing whether the report is within the scope of the Whistleblower Act and rejecting reports that are not within the scope of the Act.
C.2. Security of processing
The level of security shall reflect:
The processing may include personal data covered by Article 6 of the General Data Protection Regulation and by Article 9 on the processing of “special categories of personal data”. In addition, the processing may also include information on criminal offences, cf. section 8 of the Danish Data Protection Act, and social security numbers, cf. section 11 of the Danish Data Protection Act, which is why a high level of security must be established.
The data processor is then entitled and obliged to make decisions on which technical and organizational security measures must be implemented in order to establish the necessary (and agreed) level of security.
However, the Data Processor must – in any case and as a minimum – implement the following measures agreed with the Data Controller:
The data processor provides a solution that as a minimum ensures: the anonymity of the whistleblower; an organizationally high level of security and procedures that follow WhistleSystem’s ISO 27001 and ISO 27701 certifications; full encryption throughout the process with decentralized encryption keys (data cannot be handed over by the data processor’s sub-processors, e.g. the database provider AWS, even if they were required by law to do so – a Schrems II compliant solution); two-factor authentication at login; redundant data storage in the EU (AWS in Frankfurt, Germany); and user management which ensures confidentiality and limits access to the administrators and users of the system only.
All data is encrypted at all stages with the encryption techniques below:
Data is stored redundantly (on multiple independent servers) and encrypted at AWS in Frankfurt
Various incidents are logged in the system, which include which users handle a case / when, as well as whether a report has been seen by the anonymous whistleblower. The identity of employees is not logged. The information about this can be viewed in the system. No information about the whistleblower is collected beyond the information he or she provides.
C.3 Assistance to the controller
The Data Processor shall, as far as possible – within the scope and extent below – assist the Data Controller in accordance with Clauses 9.1 and 9.2 by implementing the following technical and organizational measures:
The data processor’s employees who handle data in the system must be trained in the correct handling of data, support of the data subjects’ rights and handling of security incidents in accordance with applicable law.
The Data Processor has implemented procedures for handling security incidents described in the Data Processor’s management system. Access to these can be given to the data controller upon request.
In case of security incidents that require notification to the Danish Data Protection Agency, the data processor has procedures and resources to assist the data controller in completing the following points of a notification to the Danish Data Protection Agency: describing the nature of the data breach, describing the likely consequences of the personal data breach, and describing the measures that have been taken or are proposed to be taken to handle the personal data breach, including, where appropriate, measures to limit its possible adverse effects.
The extent of the data processor’s assistance in the event of a data breach will depend on the degree to which it has access to the personal data processed by the data controller.
C.4 Storage period/deletion routine
Personal data is stored in accordance with the data controller’s deletion policy. When the data controller chooses to delete data in the system, the data processor permanently deletes it once it has aged out of the 30-day rolling backup and can no longer be regenerated.
Upon termination of the service regarding the processing of personal data, the data processor shall either delete or return the personal data in accordance with Clause 11.1, unless the data controller – after signing these Provisions – has changed its original choice. Such changes shall be documented and kept in writing, including electronically, together with the Provisions.
C.5 Location of processing
The processing of the personal data covered by the Provisions may not take place at locations other than the following without the prior written consent of the data controller:
WhistleSystem’s local offices/workplaces within the EU.
C.6 Instructions on the transfer of personal data to third countries
If the data controller does not provide documented instructions in these Provisions or subsequently regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of these Provisions.
The data processor guarantees that, in connection with reporting in the whistleblower system and the handling of cases, personal data will not be transferred to third countries.
C.7 Procedures for audits, including inspections, by the data controller of the processing of personal data entrusted to the data processor
The Data Processor shall annually obtain, at its own expense, an inspection report from an independent third party regarding the Data Processor’s compliance with the General Data Protection Regulation, data protection provisions in other EU or Member State law and these Provisions.
It is agreed between the Parties that the following types of inspection reports may be used in accordance with these Provisions:
- ISO 27701
The ISO 27701 Statement of Applicability (SOA) and certificate may be submitted without undue delay to the data controller for information. The controller may challenge the framework and/or methodology of the report and may, in such cases, request a new inspection report under different frameworks and/or using different methods.
Based on the findings of the report, the Controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data protection provisions of other Union or Member State law and these Provisions.
In addition, the Data Controller or a representative of the Data Controller has the right to conduct inspections, including physical inspections, of the premises from which the Data Processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out whenever deemed necessary by the controller.
In addition to the planned supervision, the data controller may carry out an inspection at the data processor when the data controller deems it necessary.
Any expenses incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the Data Processor is obliged to allocate the resources (mainly the time) necessary for the Data Controller to carry out its inspection.
C.8 Procedures for audits, including inspections, on the processing of personal data entrusted to sub-processors
The Data Processor shall annually obtain, at its own expense, an inspection report from an independent third party regarding the sub-processor’s compliance with the General Data Protection Regulation, data protection provisions in other EU law or Member States’ national law and these Provisions.
It is agreed between the Parties that the following types of inspection reports may be used in accordance with these Provisions:
- ISO 27701
The inspection report shall be transmitted without undue delay to the controller for information. The controller may challenge the framework and/or methodology of the report and may, in such cases, request a new inspection report under different frameworks and/or using different methods.
Based on the findings of the report, the Controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data protection provisions of other Union or Member State law and these Provisions.
In addition, the Data Processor or a representative of the Data Processor has the right to conduct inspections, including physical inspections, of the premises from which the subcontracted Data Processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the Data Processor (or the Data Controller) deems it necessary.
Documentation of such inspections shall be provided without undue delay to the controller for information. The controller may contest the framework and/or methodology of the inspection and may, in such cases, request the conduct of a new inspection under different frameworks and/or using different methods.
Annex D: Regulation of other matters by the parties
No further regulation
| Approved Subcontractor | Scope and purpose of processing | Processing (and storage) locations (e.g. country/state) | Legal basis for transfer of Personal Data (if applicable) (e.g. EU Commission’s standard contractual clauses, EU-U.S. Privacy Shield Framework, BCR etc.) |
|---|---|---|---|
| AWS | Hosting Provider | EEA/EU | Adherence to standard Terms and Conditions |
| iSphere ApS | Software development | EEA/EU | Adherence to standard Terms and Conditions |
| Microsoft | Contract and document storage | EEA/EU | Adherence to standard Terms and Conditions |