Databehandlaravtal

1. THE PARTIES This agreement on collection, storage and use of documents and information (hereinafter the” Data Processing Agreement”) has been entered into by and between: WhistleSystem ApS hereby as “Supplier” VAT no. 41576561 Address: Roholmsvej 12A, 2620 Albertslund (the “Data Processor”, “we”, “our”, “us”. etc.) and The organization accepting this agreement. (the ”Data Controller”, “you”, “yours”, etc.) 2. DEFINITIONS 2.1. Terms and expressions with capital first letters used in the Data Processing Agreement shall have the meanings set out in the Service License Agreement signed between the Parties or in this Clause 2. Any other expression with capital first letters not hereby defined shall have the meanings set out in the GDPR. 2.2. “Confidential Information” means all information exchanges by the Parties, including but not limited to information of a technical, business, infrastructural or similar nature, irrespective of whether this information has been documented, except for information which is or will be made available in another way than through breach of the Data Processing Agreement and all Personal Data. 2.3. “Customer”, “you”, yours”, etc. shall mean a user or subscriber of Service provided by Data Processor. 2.4. “Data Subject” shall mean the identified or identifiable natural person to whom Personal Data refers. 2.5. “GDPR” shall mean the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data. In Denmark, GDPR is supplemented by the Act on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Act No. 502 of 23 May 2018 as amended from time to time) (the “Data Protection Act”). Under the Data Processing Agreement, a reference to GDPR shall also be a reference to the Data Protection Act. 2.6. “Parties” shall mean Customer and Data Processor jointly and each a “Party”. 2.7. “Personal Data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Categories of Personal Data processed by the Data Processor under the Data Processing Agreement are set out in Appendix 1 to the Data Processing Agreement. 2.8. “Pre-Approved Subcontractors” shall be our subcontractors listed in Appendix 2 to the Data Processing Agreement, which has been approved by Customer. 2.9. “Services” shall mean all services rendered to you by us, including, but not limited to, our provision of license to use the Software and other IT tools or software programs developed by Data Processor, hosting of data, support services etc. 2.10. “Software” shall mean the WhistleSystem as a Service as defined in the Service License Agreement, including any schedules hereto. 2.11. “Third Party” shall mean a natural or legal person, public authority, agency or body other than the Data Subject, the Data Processor, the Customer and persons who, under the direct authority of the Data Processor or Customer, are authorized to process Personal Data. 3. SCOPE 3.1. The Data Processing Agreement concerns the Parties’ obligations related to our processing of Personal Data for the Customer in connection to the Customer’s use of our Services. 3.2. Under the Data Processing Agreement, the Customer shall decide for what purpose and by use of what tools Personal Data may be processed. 3.3. The Data Processing Agreement shall apply to all the Data Processor’s current and future Services to all companies within Customer’s group of companies, for whom we process Personal Data. 3.4. The categories of Personal Data processed by us under the Data Processing Agreement are set out in Appendix 1 to the Data Processing Agreement. 4. ORDER OF PRECEDENCE 4.1. The Data Processing Agreement signed in connection with the Service License Agreement shall prevail in case of any inconsistencies between the Data Processing Agreement and the Service License Agreement. 5. AUTHORISATION TO PROCESS PERSONAL DATA 5.1. We process Personal Data in accordance with the GDPR, including applicable Danish legislation issued according to the GDPR or as a supplement hereto. 5.2. By entering into the Data Processing Agreement, we are instructed by you to process Personal Data for the purpose of providing our Services to you. 5.3. We are not entitled to make use of Personal Data provided by you, for purposes other than fulfilment of the Data Processing Agreement. However, we are entitled to use anonymized data (that can no longer be categorized as “Personal Data”) for historical, statistical, scientific or similar purposes. 6. STORAGE OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES 6.1. As a main rule, Data Processor’s operations are done within EU/EEA. However, our subcontractors may be located or process Personal Data outside the EU/EEA, including e.g. the US. Customer has provided its consent to Data Processor’s use of the Pre-Approved Subcontractors as subcontractors listed in Appendix 2 to the Data Processing Agreement. 6.2. Before transferring Personal Data to a third country or an international organization outside the EU/EEA, the Data Controller must assess whether such transfer of Personal Data ensures an adequate level of protection of the Personal Data and ensure that the transfer is in accordance with rules on transfers of personal data to third countries or international organizations according to the GDPR. 6.3. We will ensure that any subprocessing agreements between Data Processor and Pre-Approved Subcontractors outside the EU or EEA have adequate level of protection of the Personal Data and if necessary entered into pursuant to the EU Commission’s decision of 2010/87/EU regarding the standard model contract for transfer of personal data to countries outside the EU or EEA in addition to any permission from data protection authorities if legally required. 7. CONFIDENTIALITY 7.1. The Parties accept, both for the duration of the Data Processing Agreement and subsequently, not to disclose any Confidential Information to a Third Party. This nondisclosure obligation shall not apply to information which (a) a Party is obliged to disclose under applicable law, regulations or stock exchange rules (b) information provided to the client of the Customer if such information originates from or regards such client of the Customer or (c) information which a Party document has been created by the Party itself. 7.2. The Parties shall ensure that employees and consultants who receive Confidential Information are obliged to accept a similar obligation regarding Confidential Information from the other Party and the cooperation in general in accordance with the Data Processing Agreement. 7.3. We will ensure that all people employed by us with access to Personal Data are familiar with the Data Processing Agreement and are subject to the provisions of the Data Processing Agreement. 8. APPROPRIATE TECHNICAL AND ORGANISATIONAL MEASURES 8.1. The Data Processor must, taking the risks related to the processing of Personal Data for the Customer into consideration, implement appropriate and reasonable technical and organizational measures to ensure a level of security that matches the risks of our data processing of Personal Data under the Data Processing Agreement, including reasonably ensuring a) pseudonymization and encryption of Personal Data; b) continuous confidentiality, integrity, availability and robustness of the processing systems and services for which the Data Processor is responsible; c) timely recovery of the availability of and access to Personal Data in case of a physical or technical incident; d) a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure processing security; e) that Personal Data is not accidentally or unlawfully destroyed, lost or impaired and against any unauthorized disclosure, abuse or in any other way is processed in violation of any applicable law on Personal Data. 8.2. The Customer shall determine the appropriate level of technical and organizational measures. However, Data Processor shall, upon prior written request from the Customer and within reasonable timelimit from such a request, provide the Customer with sufficient information to document that the abovementioned technical and organizational security measures have been taken. 9. DATA SUBJECTS’ RIGHTS 9.1. The Data Processor shall upon request from the Customer, at the cost of the Customer and without undue delay provide all reasonable assistance and information to the Customer related to request from Data Subjects concerning the Data Processor’s processing of Personal Data for the Customer, including requests related to exercising of the Data Subjects’ rights according to the GDPR. 9.2. Data Processor’s fees for assistance to the Customer is regulated in Clause 14.3. 10. DATA SECURITY BREACH 10.1. In case of a Data Security Breach for which the Data Processor (or any Pre-Approved Subcontractor) is responsible, the Data Processor shall inform the Customer hereof without undue delay and assist in what it is needed to stop the breach and minimize its effects. 11. USE OF SUBCONTRACTORS 11.1. The Data Processor may not use any subcontractors without Customer’s prior written approval. 11.2. Customer has provided its consent to Data Processor’s use of the Pre-Approved Subcontractors as subcontractors listed in Appendix 2 to the Data Processing Agreement. 11.3. The Data Processor must inform Customer of any plans to either add or replace Pre-Approved Subcontractors. No sub Data Processor may be added to the list of the Pre-Approved Subcontractors without Customer’s prior written approval. 11.4. If we use a subcontractor to carry out specific processing activities on behalf of the Customer, the same data protection obligations as are described in the Data Processing Agreement shall be imposed on the subcontractor in a written Agreement. 11.5. When we use a subcontractor to provide the Services to you under the Data Processing Agreement, we remain liable for the subcontractor’s actions or failures to act/breach on the same terms as for our own services. 11.6. All communication between Customer and the subcontractor shall go through the Data Processor. 12. CUSTOMER’S ACCESS TO PERSONAL DATA 12.1. During the term of the Data Processing Agreement, Customer has full access to any Personal Data being processed by the Data Processor for the Customer. The Customer will not have access to Personal Data processed by Data Processor for other customers. 12.2. If applicable, and Customer so requests, the Data Processor is obliged to keep a backup copy of Personal Data and additional information available in the Data Processor’s systems for up to thirty (30) days after the expiry or termination of the Data Processing Agreement. Provided such request has been made, the Customer may, until the expiration of such 30-day period and irrespective of the reason for the expiry of the Data Processing Agreement, request for an access to any Personal Data and additional information recorded in such backup copy. 12.3. Data Processor may only disclose Personal Data and information to Customer and/or to a third party appointed by Customer. 13. COOPERATION WITH THE SUPERVISORY AUTHORITY 13.1. The Data Processor must always provide supervisory authorities and Customer with the necessary access to and insight into the Personal Data which is being processed and the systems used. 13.2. The Customer and the Data Processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks. 14. ASSISTANCE, COSTS AND FEES 14.1. For all the assistance needed and/or to exercise its right to audit, Data Controller shall notify Supplier, in writing, with at least ten (10) calendar days in advance, specifying the audit or assistance needed, its purpose and the expected duration of the referred assistance or audit. Any expenses that Supplier might incur when requested to help Customer to exercise its rights as a Data Controller, including but not limited to the right to audit, review, inspect and/or to assist Customer to comply with its obligations as a Data Controller, shall be borne by the Customer. 14.2. With the exemptions set forth in Clause 14.1-14.3, costs related to the Data Processor’s obligations under the Data Processing Agreement are included in the fees paid by the Customer to the Supplier for the Customer’s use of the Services. 14.3. Notwithstanding Clause 14.1, we are entitled to charge a fee for our assistance to you in relation to your revision, inspection or audit of us as the Data Processor. The fee will be charged according to time spent by us with an hourly rate of 150 euros. The amount is subject to annual indexation according to the “Producer Price Index for Services” as published by Statistics Denmark. 14.4. We are, in addition to the fee mentioned in clause 14.3 above, entitled to a separate fee, for the following services: 14.4.1. Support to the Customer with answering of requests from Data Subjects. 14.4.2. Support to the Customer in connection with Privacy Impact Analysis (“PIAs”); 14.4.3. Implementation of special technical or organizational security measures upon the Customer’s request (provided, and only to the extent, that the Data Processor can implement the technical or organizational security measures in question). 14.5. The above mentioned fees will be charged in accordance with Clause 14.3. 15. LIABILITY 15.1. Subject to the terms of the Agreement signed between the Parties, the Parties’ liability related to processing of Personal Data under the Data Processing Agreement is regulated in accordance with the GDPR. 15.2. In no case claims for liability and indemnification shall in no case exceed five times (5x) the annual subscription fee agreed upon in the Agreement signed by the Parties. 15.3. We are not liable for any fines that you receive for breaches of the GDPR whether by ruling, judgment or similar measure by any court, government agency or supervisory authority. 16. WARRANTY: 16.1. By entering into the Data Processing Agreement, the Customer warrants and guarantees that we can lawfully process Personal Data for provision of Services for the Customer. The Customer agrees to hold us harmless from any claim for damages, compensation or other payments, which we are ordered to pay whether by ruling, judgment or similar measure by any competent court, government agency or supervisory authority, due the Customer’s breach of its obligations according to this clause. 17. EFFECTIVE DATE AND TERMINATION 17.1. The Data Processing Agreement is entered into by the Parties signature hereby and shall enter into force on the last Party signature’s date. 17.2. By subscribing to our Services, and thereby entering into the Data Processing Agreement, you confirm that you are authorized to legally act on behalf of the Customer and commit to terms of the Data Processing Agreement. 17.3. The Data Processing Agreement shall expire on the date of effective termination of the Customer’s use of the Data Processor’s Services. However, the terms of the Data Processing Agreement shall apply for as long as the Data Processor is processing Personal Data on behalf of the Customer. 17.4. After the Data Processing Agreement’s effective termination, we will delete or return the Personal Data that we have for you under the Data Processing Agreement within 12 months. If you wish to have your Personal Data returned to you, you must provide us with your request to return the Personal Data without undue delay and no later than thirty (30) days after the Data Processing Agreement’s effective termination. 18. CHANGES IN THE APPLICABLE DATA PROTECTION LEGISLATION 18.1. If a change in mandatory applicable data protection legislation applicable to the Customer or to the Data Processor requires the Data Processor to (i) sign on to any additional documentation for mandatory data protection compliance purposes, or (ii) implement additional technical and organizational measures to the ones listed herein, or (iii) accept additional obligations to those set out herein, and such requirement mentioned in (i) – (iii) above cause additional costs or risks for the Data Processor, the Parties agree to negotiate in good faith a fair adjustment of any applicable fees. If the Parties cannot agree on a fair adjustment of any applicable fees, the Data Processor is entitled to terminate the Services with thirty (30) days’ prior, written notice. 18.2. Clause 18.1 shall apply accordingly, in case (i) the Customer instructs the Data Processor to undertake services not foreseen in the Data Processing Agreement or (ii) where mandatory applicable data protection legislation applicable to the Customer or to the Data Processor or the relevant supervisory authority imposes obligations on the Data Processor in addition to those set out herein. 19. GOVERNING LAW AND LEGAL VENUE 19.1. The Data Processing Agreement is governed by Danish law with the Copenhagen City Court as its legal venue with the possibility of referral and appeal in accordance with the Danish Administration of Justice Act., United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply to the Data Processing Agreement. Appendix 1 – Categories of Personal Data Categories of Personal Data I. The Data Processor shall on behalf of the Customer process the following categories of Personal Data: Personal Data for the administration and execution or the Agreement signed by the Parties: a. Contact information, including name, username, address, telephone number, email and working title b. Personal Data for invoice purposes c. Personal information reported in the system by the customer II. Special categories of Personal Data The Data Processor does not process special categories of Personal Data on behalf of the Customer unless this is reported in the system by the customer. Appendix 2 – Pre-Approved Subcontractors: