
Between:

The Customer (businesses, foundations, or associations)

[organization.name]
[person.name]
[deal.address]
[deal.zip_code] [deal.city]
CVR-nr. [deal.cvr]

(hereinafter “Data Responsible”)

And:

MarketingPlatform ApS
Nørregade 12A
6600 Vejen
CVR-nr. 34 21 74 83

(hereinafter “Data Processor”)

(The Data Responsible and Data Processor will hereinafter also be referred to as “Party”, and together as “the Parties”)

Today’s date: … [datetime.today] …… the following data processing agreement is issued.

1. BACKGROUND AND OBJECTIVES

1.1 The Parties have agreed to provide certain services from the Data Processor to the Data Responsible, as described in more detail in the Data Processor’s Terms, which are accepted by the Customer. Appendix 1 to this agreement describes the services covered by this agreement (hereinafter “the Main Services”).

1.2 In this regard, the Data Processor processes personal data on behalf of the Data Responsible, for which purpose the Parties have entered into this data processing agreement, with appended documentation, (hereinafter “Data Processing Agreement”).

1.3 The Data Processing Agreement aims to ensure that the Data Processor complies with the pertinent regulation currently in force, specifically including:

  • Persondataloven (lov 2000-05-31 nr. 429 med senere ændringer) {The Danish Personal Data Act (Act 2000-05-31 No. 429, as amended)}, and
  • Persondataforordningen (Europa-Parlamentets og Rådets forordning (EU) 2016/679 af 27. april 2016) {Personal Data Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)}, when it enters into force.

2. SCOPE

2.1 The Data Processor is authorised to process personal data on behalf of the Data Responsible under the terms set forth in the Data Processing Agreement.

2.2 The Data Processor may only process personal data in accordance with documented instructions from the Data Responsible (hereinafter “Instructions”), including the transfer of personal data to a third country or international organization, unless required by EU or national law of the Data Processor; in which case, the Data Processor shall inform the Data Responsible of this legal requirement prior to processing, unless the court concerned prohibits such notification for the sake of important societal interests. The Data Processing Agreement, including appendices, constitutes the Instructions at the time of signature.

2.3 The Instructions may at any time be changed or further clarified by the Data Responsible.

2.4 To the extent not otherwise specified by the Data Processing Agreement, the Data Processor may use all relevant aids, including IT systems.

3. DURATION

3.1 The Data Processing Agreement is valid until either:

a) The agreement(s) pertaining to the delivery of the Main Services ceases, or

b) The Data Processing Agreement is terminated or revoked.

3.2 Regardless of the Data Processing Agreement’s formal duration, the Data Processing Agreement shall continue to apply as long as the Data Processor de facto processes personal data on behalf of the Data Responsible.

4. OBLIGATIONS OF THE DATA PROCESSOR

4.1 Technical and organisational safety measures

4.1.1 The Data Processor is responsible for implementing the necessary technical and organisational measures to ensure an appropriate level of security. The measures must be implemented taking into account the current technical level, implementation costs and the nature, extent, composition and purpose of the processing concerned, as well as the risks, of varying probability and seriousness, to the rights and freedoms of natural persons. The Data Processor shall, inter alia, take into consideration the category of personal data described in Appendix 1 in determining these measures.

4.1.2 The Data Processor shall implement the appropriate technical and organisational measures in such a way that the Data Processor’s processing of personal data meets the requirements of the pertinent regulation currently in force.

4.2 Employee Obligations

4.2.1 The Data Processor must ensure that persons who process personal data for the Data Processor have committed to full confidentiality, or are subject to appropriate statutory confidentiality.

4.2.2 The Data Processor must ensure that access to personal data is limited to the persons for whom it is necessary to process personal data in order to fulfill the Data Processor’s obligations to the Data Responsible.

4.2.3 The Data Processor must ensure that persons handling personal data for the Data Processor only process these in accordance with the Instructions.

4.2.4 If the Data Processor considers that an instruction from the Data Responsible is in violation of the Personal Data Regulation or data protection provisions in other EU law or in the legislation of a Member State, the Data Processor must immediately inform the Data Responsible thereof in writing.

4.3 Documentation for and of compliance with obligations

4.3.1 The Data Processor shall, upon written request, document to the Data Responsible that the Data Processor is:

a) In compliance with its obligations under the Data Processing Agreement and the Instructions, and

b) In compliance with the provisions of the pertinent regulation currently in force as regards the personal data processed on behalf of the Data Responsible.

4.3.2 If the Data Responsible wishes to receive additional documentation pursuant to clause 4.3.1, the Data Responsible must clarify and specify which documentation is required.
However, the Data Processor is always required to provide all the information necessary for the Data Responsible to be able to prove compliance with regulatory requirements. In addition, the Data Processor must provide for and contribute to audits, including inspections performed by the Data Responsible or another auditor authorised by the Data Responsible.

4.4 Security Breach

4.4.1 The Data Processor shall notify the Data Responsible of any personal data breach that may potentially lead to accidental or illegal destruction, loss, change, unauthorised disclosure of, or access to the personal data processed for the Data Responsible (hereinafter “Security Breach”).

4.4.2 A Security Breach must be notified to the Data Responsible without unnecessary delay.

4.4.3 The Data Processor must maintain a record of all Security Breaches. Such a record must document the following as a minimum:

a) The facts pertaining to the Security Breach,

b) The impact of the Security Breach, and

c) The remedial action taken as a consequence of the Security Breach.

4.4.4 The record must be made available to the Data Responsible or any relevant Supervisory Authority or Ombudsman upon written request.

4.5 Assistance

4.5.1 The Data Processor shall, as appropriate and with due diligence, assist the Data Responsible in fulfilling his obligations in the processing of personal data covered by the Data Processing Agreement, including in relation to:

a) Taking into account the nature of the processing, the Data Responsible will assist with the handling of requests by a data subject under Chapter III of the Personal Data Regulation. The Data Processor must implement appropriate technical and organisational measures to assist the Data Responsible in fulfilling his or her obligation to respond to such requests,

b) Security Breaches,

c) At the request of the Data Responsible, it shall provide all necessary information for the purpose of an impact assessment pursuant to Articles 35-36, including

d) Prior consultations with Supervisory Authorities and Ombudsmen.

4.5.2 The Data Processor shall, inter alia, provide the information to be included in a notification to the Supervisory Authority to the extent the Data Processor is the closest to this.

4.5.3 The Data Processor is entitled to payment for time and consumed materials used in provision of assistance pursuant to this section 4.5, provided that the assistance is made at the prior request of the Data Responsible. However, the Data Processor cannot claim payment for assistance pursuant to 4.5.1.b to the extent, and in the event, that there are security breaches that occur with the Data Processor.

5. OBLIGATIONS OF THE DATA RESPONSIBLE

5.1 The Data Responsible must ensure that there is a legal basis for the personal data processing by the Data Processor on behalf of the Data Responsible.

6. THIRD PARTY DATA PROCESSORS

6.1 The Data Processor may use a third party for the processing of personal data for the Data Responsible (“Third Party Data Processor”) to the extent that this is stated in:

a) Appendix 2 of this Data Processing Agreement, or

b) Instruction from the Data Responsible.

6.2 The Third Party Data Processor must enter into a written agreement which imposes on the Third Party Data Processor the same data protection obligations as the Data Processor (including those under the Data Processing Agreement).

6.3 The Data Responsible shall provide, upon written request, all agreements covered by section 3 including those with any Third Party Data Processor.

6.4 The Third Party Data Processor only acts specifically in line with, and in relation to, the Instructions agreed with the Data Responsible. Unless otherwise specifically agreed, all communications with the Third Party Data Processor are handled by the Data Processor. Any changes or clarifications to the Instructions from the Data Responsible shall be immediately passed on by the Data Processor to the Third Party Data Processor.

6.5 The Data Processor is directly responsible for ensuring the Third Party Data Processor’s processing of personal data in the same manner as if it were processed by the Data Processor itself.

7. THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

7.1 The Data Processor may only transfer personal data to third countries or international organisations insofar as this is stated in the Instructions from the Data Responsible.

7.2 Transfer of personal data is in all cases only permitted to the extent permitted by the pertinent regulation currently in force.

7.3 To the extent that the transfer does not take place on the basis of a specific instruction from the Data Responsible, the Data Processor must ensure that a legal transfer basis for the transfer of personal data to a third country or to international organisations exists, whether this is in the form of standard EU Commission contracts for the transfer of personal data to third countries, or other legal basis.

8. DATA PROCESSING OUTSIDE THE SCOPE OF THE INSTRUCTIONS

8.1 The Data Processor may process personal information outside the scope of the Instructions in cases where required by EU law or pertinent national law to which the Data Processor is subject.

8.2 When processing personal data beyond the scope of the Instructions, the Data Processor must notify the Data Responsible of the reason for this. The notification must be made before the operation is effected and must contain a reference to the legal obligations requiring the operation.

8.3 The notification must not be made if said notification is contrary to EU law or pertinent national law.

9. BREACH OF CONTRACT

9.1 Breach of contract(s) regarding the provision of the Main Services applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

In the event that the contract(s) for the delivery of the Main Services does not hold, the general power(s) of applicable local law shall apply as a default to this Data Processing Agreement.

10. LIABILITIES AND LIMITATION OF LIABILITIES

10.1 The regulation of liability and liability limitations in MarketingPlatform’s Terms of Business also applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

11. FORCE MAJEURE

11.1 Regulation of force majeure in MarketingPlatform’s Terms of Business also applies to this Data Processing Agreement as if this Data Processing Agreement was an integral part thereof.

12. TERMINATION AND REVOCATION

12.1 This Data Processing Agreement can only be terminated or revoked in accordance with the terms of termination and revocation of MarketingPlatform’s Terms of Business.

13. EFFECT OF TERMINATION

13.1 The Data Processor’s authorisation to process personal data on behalf of the Data Responsible lapses at the end of the Data Processing Agreement, for whatever reason. Termination is governed by the notice of termination and enforcement that is governed by MarketingPlatform’s Terms of Business.

13.2 The Data Processor shall return, as in practice, and as governed by MarketingPlatform’s Terms of Business, all personal data (except information enriched in the Data Processor Platform, and statistics and behavioural data) that the Data Processor has processed under this Data Processing Agreement to the Data Responsible at the termination of this Data Processing Agreement, to the extent that the Data Responsible is not already in possession of said personal data. The Data Processor is hereby obliged to delete all personal data from the Data Responsible within the time limits defined in MarketingPlatform’s Terms of Business. The Data Responsible may request the required documentation for this. In practice, this deletion is effected by deleting and revoking the Data Responsible’s access to the Data Processor platform.

An exception to this is the ongoing 10-day backup procedure that the Data Processor and Third Party Data Processor are currently running.

14. PRECEDENCE

14.1 If there is any conflict between this Data Processing Agreement and the Terms (Appendix 1) regarding the delivery of the Main Services, the Terms (Appendix 1) shall prevail, unless otherwise directly provided for by the Data Processing Agreement.

14.2 In the event of any discrepancy between the provisions of this Data Processing Agreement and other written or oral agreements concluded between the Parties, the provisions of this Data Processing Agreement shall take precedence. However, in the event of any discrepancy, the provisions of this Data Processing Agreement shall not take precedence to the extent that more stringent obligations are set for the Data Processor and / or its Sub-Data Processor using the Commission’s standard contracts for the transfer of personal data to third countries.

APPENDIX 1 – INFORMATION ABOUT PROCESSING

The Data Processor provides an e-mail marketing and marketing automation platform for the Data Responsible, which can be used for sending out newsletters and other marketing communications and operations in relation to its customers and potential leads. The platform is called MarketingPlatform.

The Data Processor’s processing of personal data on behalf of the Data Responsible includes the Data Processor making the MarketingPlatform system available to the Data Responsible, and thereby storing master data for the Data Responsible on the company’s servers.

Usage includes processing the following types of personal data about the registered subscribers:
– general personal data

Processing includes but is not limited to the following categories of personal data:
– Name, e-mail address, telephone number, mobile number, address, customer number and other contact information
– Purchase history information, including frequency and other information about product preferences
– Information on marketing preferences and permissions.

Processing includes the following categories of the registered subscribers:
Persons who are or have been dealing with the Data Responsible and/or persons who have consented to receive emails from the Data Responsible.

The Data Responsible can create and delete fields in the data model themselves, thus expanding or limiting the amount and type of personal data stored.

The Data Processor’s processing of personal data on behalf of the Data Responsible may commence after the Data Processing Agreement enters into force. The processing has the following duration: the processing is not time-limited and lasts until the Data Processing Agreement is terminated by one of the Parties.

Notwithstanding the formal Data Processing Agreement, the Data Processing Agreement must remain in effect for as long as the Data Processor processes the personal data of the Data Responsible.

APPENDIX 2 – THIRD PARTY DATA PROCESSORS

1. THIRD-PARTY DATA PROCESSORS

1.1 The Data Responsible(s) hereby consent to the Data Processor using the following Third Party Data Processor:

a) Sentia Solutions A/S, Smedeland 32 2600 Glostrup, Denmark, CVR.nr. 25464737 (provides physical infrastructure and hosting, including servers and security).
b) Google Cloud Platform, server located within the EU with planned migration to Denmark as soon as this centre opens in 2020. CVR #28866984

1.2 With the Data Processing Agreement, the Data Responsible indicates prior written general approval for the Data Processor to make use of a Third Party Data Processor. The Data Processor must notify the Data Responsible in writing of the use of a Third-Party Data Processor prior to the commencement of the application with a 30-day notice. Correspondingly, the Data Processor shall notify the Data Responsible of termination of use of a Third Party Data Processor.

1.3 The Data Responsible may object to such a Third Party Data Processor to the extent that there are reasonable grounds for this.

2. SPECIAL TERMS & CONDITIONS

2.1 The Data Responsible accepts that the Data Processor uses standard applications (cloud hosting in the EU at Google only), solutions and hardware from e.g. Apple, Google and Microsoft. To the extent that such standard applications are used to process personal data on behalf of the Data Responsible and in the case of a Third-Party Data Processor for the Data Processor, the Data Processor is obliged to inform the Data Responsible thereof and to list the supplier under item 1.1. in Appendix 2. The Data Responsible has only accepted that the personal data processed on his behalf will be processed at locations listed under Annex 2, point 1.1 and the Data Processor’s location in Denmark. The acceptance under this point 2.1 is therefore not an acceptance that the personal data processed on behalf of the Data Responsible can be processed in other locations or transferred to countries outside the EU / EEA.
