Data Processing Agreement

Background and introduction
The Parties have entered into an agreement covering the service or services specified in the Parties’ main agreement (“Agreement”), under which the Data Controller purchases goods or services from the Data Processor for internal use or for distribution to the Data Controller’s end users. This Data Processing Agreement is entered into as an appendix to the Agreement.

The Data Processing Agreement establishes the rights and obligations that apply when the Data Processor Processes Personal Data on behalf of the Data Controller, and the Data Processing Agreement is designed for the Parties’ compliance with Article 28(3) of the GDPR.

There are two appendixes to the Data Processing Agreement, which serve as integrated parts of the Data Processing Agreement:

  1. Appendix 3.3 contains the Data Controller’s instructions to the Data Processor on how the Data Processor may process Personal Data and the types of Personal Data comprised by this Processing.
  2. Appendix 8.2 contains a description of the Data Processor's security measures.

1. Notifications
1.1 Notices issued pursuant to the Data Processing Agreement must be sent in writing by email. Any agreement between the Parties that in part or in full substitutes terms in this Data Processing Agreement must be concluded in writing before such agreement is valid.

2. Definitions and interpretation
2.1 The list below defines the listed terms used in the Data Processing Agreement. Regardless of whether a definition is expressed in singular, the definition also includes the plural and vice versa. References to appendixes, clauses and subclauses are understood as references to appendixes, clauses and subclauses of the Data Processing Agreement unless otherwise expressly or explicitly stated in or construed from the context.

Applicable Law

  • Means any of the following regulations to the extent that they are applicable to a Party: any statute, regulation, legislation, primary or secondary regulation, including applicable Danish law and any national legislation implementing Directive 95/46/EC of 24 October 1995 as well as the current GDPR, any binding court order or judgment, any applicable trade practice, policy or standard enforceable by law, and applicable instructions, policies, requirements, rules or orders issued by an authority.

Data Controller

  • Means the legal entity who determines the purposes and means of the Processing of Personal Data.

Data Processor

  • Means the legal entity who processes Personal Data on behalf of the Data Controller.

Data Subject

  • Means the natural person whose Personal Data is being Processed.

GDPR

  • Means Regulation (EU) 2016/679 of the European Parliament and the European Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data

  • Means any information relating to an identified or identifiable natural person (the Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier as defined in the GDPR and collected by the Data Controller, the Data Processor or any branches, representatives or the like affiliated to the Data Controller or the Data Processor.

Processing

  • Means any activity or range of activities which is performed on Personal Data or sets of Personal Data, whether or not by automated means, and may include the transfer of Personal Data to any country within the European Union and within the European Economic Area as well as countries considered to have a corresponding level of security.

Security Breach

  • Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed.

Services

  • Means the services that the Data Processor must deliver to the Data Controller or that the Sub-Processor must deliver to the Data Processor in accordance with the Agreement.

Sub-Processor

  • Means a subcontractor appointed by the Data Processor to process Personal Data on behalf of the Data Controller under the instruction of the Data Processor.

Third Countries

  • Means any country outside the European Economic Area (EEA) and thus outside the scope of the GDPR, with the exception of approved countries which the European Commission from time to time considers to have an adequate level of protection of Personal Data.

2.2 The appendixes to the Data Processing Agreement constitute an integral part of the Data Processing Agreement and must be enforced accordingly, and any reference to the Data Processing Agreement includes the appendixes hereto.

2.3 A reference to "in writing" or "written" means email.

2.4 The headlines in the Data Processing Agreement are applied for the sake of clarity and for the use as references. Headlines will not affect the meaning or interpretation of the Data Processing Agreement.

3. Appointment of a Data Controller
3.1 Data Controller appoints EET as Data Processor in relation to the Data Processing Agreement.

3.2 In the event that one of the Parties is appointed as a data processor by a third party, this Data Processing Agreement must be used as the basis for the Data Processor being appointed as Sub-Processor. In this case, the third party becomes data controller, and the Data Processing Agreement’s Data Controller will become a data processor and the Data Processing Agreement's Data Processor will become a Sub-Processor.

3.3 The Parties confirm and agree that the Personal Data processed under the Data Processing Agreement is proportional to the Parties' purpose of the Processing. Additional information, data categories and Data Subjects, etc. are listed in Appendix 3.3, which may be amended by the Parties by written submission of updated lists.

4. Obligations regarding the processing and protection of personal data
4.1 The Data Controller is responsible for ensuring proper legal basis for the Processing of Personal Data that the Data Processor is instructed to perform.

4.2 The Data Processor Processes general Personal Data, and the Data Processor confirms that the Personal Data is kept confidential. The Data Processor may only Process Personal Data to serve the purpose described in the Agreement and in accordance with the instructions given in Appendix 3.3. The Data Processor must ensure that any and all individuals employed by the Data Processor who Process Personal Data are bound by a duty of confidentiality or are subject to appropriate statutory confidentiality obligations.

4.3 The Data Processor is obligated to Process Personal Data at any time in accordance with Applicable Law and other privacy or data protection regulations and exclusively for the purpose and in the manner in which the Data Controller has instructed the Data Processor in writing. The Data Processor may not process Personal Data in any other way or for any other purposes. This means that the Data Processor has no influence on the purpose and conditions of the Processing of Personal Data and the Data Processor cannot make decisions on how to use the Personal Data the Data Processor receives, whether the Personal Data is to be transferred to third parties or how long to store the Personal Data.

4.4 Applicable Law obligates the Data Controller to ensure that the Data Processor provides the necessary warranties that the Data Processor has or will implement appropriate technical and organizational security measures to prevent unauthorized or unlawful Processing, accidental loss, destruction or damage to Personal Data, see the Data Processing Agreement’s clause 8, just as Applicable Law obligates the Data Controller to ensure that these measures are complied with. The Parties agree that the protection of privacy and the security of Personal Data being Processed are of great importance.

4.5 When requested to by the Data Controller, the Data Processor must to the best of its ability provide necessary information to the Data Controller so that the Data Controller can determine whether appropriate technical and organizational security measures have been implemented, including procedures for handling change requests, requests for additional information to be added to Personal Data, disposal or protection of Personal Data, procedures for handling breaches of security, implementation of impact assessments and completed changes to Personal Data made due to legitimate objections. In addition, the Data Processor must allow for and contribute to audits, including inspections of the Data Controller’s conditions, security measures and Processing, as set out in the Data Processing Agreement’s clause 9, regardless of whether this is carried out by the Data Controller or a third party appointed by the Data Controller.

4.6 When the Data Processor receives a request from a Data Subject, an authority or a third party regarding Processing, the Data Processor must notify the Data Controller of the request as soon as possible after the receipt of the request. In addition, the Data Processor must inform the Data Controller of any relevant information regarding the request. The Data Processor will not respond to any requests without having received a prior written consent from the Data Controller, unless there is legal basis for the response, such as a request made by the authorities, such as the police.

4.7 The Data Processor must ensure that any third party providing Services to the Data Processor and who comes into contact with Personal Data complies with the relevant terms of this Data Processing Agreement, including the rules for storing Personal Data, determined by the Parties from time to time and included in the instructions set out in Appendix 3.3. Any such agreements with third parties must be in writing.

5. Assistance to the data controller
5.1 Taking into account the nature of the Processing, the Data Processor will to the extent possible assist the Data Controller by using appropriate technical and organizational measures, see the Data Processing Agreement’s clause 8, in adhering to the Data Controller’s obligations to respond to requests from Data Subjects exercising their rights according to Applicable Law.

5.2 This implies that the Data Processor must to the extent possible assist the Data Controller in complying with the following:

  1. Duty of disclosure when collecting Personal Data with the Data Subject;
  2. Duty of disclosure when Personal Data is not collected with the Data Subject;
  3. Data Subject’s right of access;
  4. Right to correction and deletion;
  5. Right to restriction of Processing;
  6. Duty of notification in connection to correction or deletion of Personal Data or restriction of Processing;
  7. Right to data portability;
  8. Right to dispute.

5.3 In addition, the Data Processor will assist the Data Controller in ensuring compliance with the Data Controller's obligations to:

  1. Conduct an impact assessment on data protection if a kind of Processing is likely to entail a high risk concerning the Data Subjects' rights and freedoms; and
  2. Consult the supervisory authority (the Danish Data Protection Agency) prior to Processing if an impact assessment reveals that the Processing will lead to high risk in the absence of measures taken by the Data Controller to limit the risk.

5.4 Any agreement between the Parties on remuneration or the like in connection with the Data Processor's assistance to the Data Controller will appear in the Agreement.

6. Third countries
6.1 The Data Processor Processes Personal Data outside the European Economic Area. A list of Sub-Processors in Third Countries is available on the Data Processor’s website, see clause 7.1. The Data Processor must inform the Data Controller of any newly engaged Sub-Processors in Third Countries from time to time by updating the list available on the Data Processor’s website and by forwarding alerts that changes have been made to the list. If a specific Processing is required under EU law, Applicable Law or the national law of a member state to which the Data Processor is subject, the Data Processor must notify the Data Controller of the legal requirement before commencing the Processing, unless such notification is prohibited by Applicable Law due to important public interests.

6.2 When the Data Processor Processes Personal Data outside the European Economic Area, such Processing must be in accordance with Applicable Law and in accordance with any other instruction given by the Data Controller regarding the Processing.

7. Sub-processors
7.1 The Data Processor is entitled to use Sub-Processors. The Sub-Processors engaged by the Data Processor at the time of conclusion of the Data Processing Agreement are listed here. The list of Sub-Processors is always available to the Data Controller. When the Data Processor engages new Sub-Processors, the Data Processor updates the list. The most recently updated list of Sub-Processors serves as an integrated part of the Data Processing Agreement at all times.

7.2 The Data Processor must ensure that any Sub-Processor undertakes in writing to Process Personal Data as described in this Data Processing Agreement, which means that the Data Processor, at the request of the Data Controller, must provide any information necessary for the Data Controller to determine whether appropriate technical and organizational security measures have been taken, including procedures for inspection, procedures for implementing changes and additions, completing disposal or protection of Personal Data, as well as information regarding changes made due to legitimate objections.

8. Security measures
8.1 The Data Processor must incorporate all appropriate technical and organizational measures to protect Personal Data against accidental loss and any unlawful Processing. Taking into account the nature of these measures and the costs associated with their implementation, the measures must ensure an appropriate level of security considering the risks associated with the Processing of Personal Data and their nature. Such measures must at least include measures:

  1. Ensuring a secure transfer of Personal Data between the Data Processor and third parties acting as Sub-Processors by using only encrypted transfer protocols such as HTTPS or SSL;
  2. Ensuring that only authorized personnel have access to Personal Data for the agreed purposes, including measures restricting access to Personal Data by maintaining a list specifying which predetermined computers, identified by IP address, have access to Personal Data;
  3. Whereby the Data Processor only allows its employees access to Personal Data through accounts that can be traced to a named individual and whose use is sufficiently logged;
  4. Securing Personal Data against unauthorized and unlawful storage, Processing, access or disclosure;
  5. Systematizing repeated and periodic procedures for scanning, identifying and remedying previously unknown security issues on servers, workstations, networks, equipment and applications;
  6. The purpose of which is to identify weaknesses in relation to the Processing of Personal Data in the systems used to deliver the Service to the Data Controller.

8.2 A description of the Data Processor's measures is set out in Appendix 8.2.

8.3 The Data Processor must evaluate and improve the implemented technical and organizational measures where the requirements or technological developments require it.

9. Access to audit
9.1 When the Data Controller makes a reasoned request, the Data Processor must provide the Data Controller with any and all necessary information enabling the Data Controller to assess whether and how the Data Processor complies with the Data Processing Agreement. This includes information regarding the security measures referred to in the Data Processing Agreement’s clause 8, information on back-up procedures, (attempted or suspected) hacking, etc.

9.2 The Data Controller or the Data Controller’s representative may perform an annual physical inspection at the Data Processor’s place of business to ensure the Data Processor’s compliance with this Data Processing Agreement.

9.3 Any expenses incurred in connection with a physical inspection lie with the Data Controller. The Data Processor will be remunerated for the time and resources the Data Processor allocates to enabling the Data Controller to conduct the inspection.

9.4 In addition, the Data Processor or a representative of the Data Processor may perform an annual physical inspection with any engaged Sub-Processors regarding the Sub-Processors’ compliance with this Data Processing Agreement. This inspection must be conducted according to the conditions mentioned above.

9.5 The Data Controller may choose to initiate and participate in a physical inspection with a Sub-Processor if the Data Controller finds it necessary. This may be relevant if the Data Controller finds that the Data Processor's inspection with a Sub-Processor has not provided the Data Controller with sufficient assurance that the Processing of Personal Data conducted by the Sub-Processor is in accordance with the Data Processing Agreement.

9.6 The Data Controller’s participation in an inspection with a Sub-Processor does not change the fact that the Data Processor is solely responsible for the Sub-Processor’s compliance with Applicable Law and Data Processing Agreement. The Data Processor’s liability cannot exceed an amount that corresponds to the Data Processor’s turnover the preceding calendar year under the Agreement, however the amount is in any case subject to a maximum of DKK 1,000,000.

9.7 In addition to this, the Data Controller may perform an audit of the Data Processor's compliance with the Data Processing Agreement once per calendar year. If a third party is to conduct the audit, the Data Controller must prepare a written confidentiality agreement with the third party to be approved by the Data Processor prior to the audit.

9.8 In order to request an audit, the Data Controller must submit a detailed plan for the proposed audit within four (4) weeks prior to the proposed dates of audit to the Data Processor describing the expected extent, duration and the start date of the audit. The Data Processor must then review the audit plan and notify the Data Controller of any considerations or questions, such as if the Data Controller requests information that may compromise the Data Processor's business, security, privacy, employment relationships or other relevant policies. The Data Processor and the Data Controller must jointly agree on a final plan for the audit.

9.9 If an audit is requested in an area addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST, PCI DSS, HIPAA or similar audit report made by a qualified third party within the last twelve (12) months, and the Data Processor confirms that it has no knowledge of any material changes that may affect the outcome of the performed audit, the Data Controller agrees to approve these results instead of requesting an audit of the areas covered by the report.

9.10 The audit must be performed within normal opening hours at the location that is the subject of the Data Processor's obligations, and the audit must not interfere unnecessarily with the Data Processor’s business activities.

9.11 The Data Controller may only use the audit reports to comply with its legal obligations regarding audit or to confirm that the requirements of the Data Processing Agreement are met.

9.12 Any audit is performed at the Data Controller’s expense. If the Data Controller requests assistance from the Data Processor in connection with an audit, the assistance is considered a separate service provided by the Data Processor to the Data Controller if the assistance requires internal, external or other special resources. The Data Processor must obtain the Data Controller’s written approval and enter into an agreement regarding the payment of any related fees before an audit is conducted.

10. Security breach
10.1 In case of a Security Breach, the Data Processor must inform the Data Controller hereof without undue delay. If possible, the notification must be given no later than twenty-four (24) hours after the Security Breach is discovered, so that the Data Controller is able to comply with its obligation to report the Security Breach to the relevant supervisory authority within seventy-two (72) hours. The Data Processor must not itself report to the supervisory authority any Security Breaches relating to Personal Data processed on behalf of the Data Controller.

10.2 The notification to the Data Controller must contain a description of:

10.2.1 The nature of the Security Breach and the measures that the Data Processor proposes to take or which the Data Processor has already taken to limit the negative consequences of the Security Breach,

10.2.2 The categories of Data Subjects, the approximate number of affected Data Subjects and the approximate number of affected registrations of Personal Data,

10.2.3 The detected and likely consequences of the Security Breach for the Processing of Personal Data and the measures taken or proposed to be taken by the Data Processor to remedy these consequences.

10.3 As soon as the Data Processor detects a Security Breach, the Data Processor must immediately take all necessary measures to limit the negative consequences of the Security Breach and to prevent repetition.

10.4 The Data Processor has a data contingency plan that allows the Data Processor to inform the Data Controller of the Security Breach and further allows the Parties to work efficiently to handle the incident.

10.5 If the Data Controller or Data Processor detects a Security Breach, the one Party will notify the other Party and both Parties will take all necessary measures in accordance with Applicable Law to prevent or limit further infringement or Security Breaches in relation to the Processing of Personal Data.

10.6 If the Data Controller is subject to a duty to report the Security Breach, the Data Processor must assist and guide the Data Controller if requested by the Data Controller.

11. Liability
11.1 If the Data Processor fails to comply with its obligations or in another way breaches the Data Processing Agreement due to Data Processor's acts or omissions, the Data Processor is liable for any fines and financial loss suffered by the Data Controller.

11.2 Regardless of the Data Processing Agreement’s clause 11.11, the Data Processor is not liable for the Data Controller's acts and omissions. In addition, the Data Processor is not responsible for its own acts and omissions if they arise as a result of the Data Processor’s compliance with Applicable Law.

11.3 In this case the Data Controller is entitled to claim damages and compensation for costs incurred as a result of the non-compliance provided that the Data Processor’s non-compliance is not due to the Data Controller's violation of the Data Processing Agreement.

11.4 The Data Processor’s liability is limited as described in the Agreement’s clause 13.

12. Miscellaneous
12.1 The Data Processing Agreement remains in force as long as the Data Processor delivers the Services described in the Agreement to the Data Controller or as long as the Data Processor Processes Personal Data on behalf of the Data Controller.

12.2 Upon termination of the Data Processing Agreement, the Data Processor must when requested make a copy of all Personal Data that the Data Processor has Processed on behalf of the Data Controller available to the Data Controller and delete Personal Data upon request. If the Data Controller does not request a copy of the Personal Data made available, all Personal Data will then be deleted within three (3) months after the expiration of the Agreement.

12.3 The Data Processing Agreement’s clauses 12.1 and 12.2 take precedence over any equivalent provisions in other agreements between the Parties, including in the Agreement.

12.4 The Data Processing Agreement and the Agreement are interdependent and cannot be terminated separately. However, the Data Processing Agreement may be replaced by another valid Data Processing Agreement without terminating the Agreement. Regardless of a termination of the Parties' agreements, the provisions of the Data Processing Agreement will remain in force until the Data Processor has ceased Processing Personal Data on behalf of the Data Controller and until the Data Processor and any Sub-Processors have deleted all Personal Data comprised by the Data Processing Agreement.

13. Confidentiality
13.1 Any individual who is involved in the performance of this Data Processing Agreement and consequently accesses Personal Data comprised by the Data Processing Agreement, whose confidential nature they know of or should know of, and who is not already subject to a duty of confidentiality due to the individual’s position, profession or statutory rules, is obligated to keep the Personal Data confidential.

13.2 The Data Processing Agreement’s Clause 13.1 does not apply where it follows from Applicable Law or otherwise as set out in the Data Processing Agreement’s clause 14.1 below that the individual is obligated to disclose the Personal Data in question.

13.3 The duty of confidentiality remains in force after the termination of the Data Processing Agreement.

14. Statutory disclosure
14.1 Unless otherwise required under Applicable Law, the Data Processor must promptly notify the Data Controller of any legal, administrative or arbitral decisions made by a governmental or administrative body or by a public authority that the Data Processor receives and which concern the Personal Data being Processed by the Data Processor on behalf of the Data Controller. Subject to the Data Controller’s request, the Data Processor must provide any information in the Data Processor’s possession to the Data Controller which may meet the third party's claim, and any reasonably requested assistance enabling the Data Controller to respond to such a claim within a reasonable period of time. The Data Controller acknowledges that the Data Processor is not responsible for dealing directly with the entity making such a claim.

14.2 The Parties are obligated to keep each other informed in writing of any changes to the stated contact persons.

15. Applicable law and jurisdiction
15.1 This Data Processing Agreement follows the clauses set forth in the Agreement regarding applicable law and jurisdiction.

 

Appendix 3.3

Instruction to the Data Processor
This appendix constitutes the Data Controller's instruction to the Data Processor regarding the Data Processor's Processing of Personal Data on behalf of the Data Controller.

1. PROCESSING OF PERSONAL DATA

1.1.1 Collection of Personal Data is necessary for the Data Processor to meet its obligations under the purchase order the Data Controller has placed with the Data Processor’s salesman or placed digitally via the Data Processor’s web shop or via XML/EDI integration.

1.1.2 Collected Personal Data is also used to enhance the Data Processor’s products and services. Examples of such use include usability in the web shop and operational processes regarding sales, procurement, quotation, receipt of orders, distribution, complaints and customer service.

1.1.3 Collected Personal Data may under special circumstances be shared with third parties, such as system suppliers in order to manage the Services set forth in clauses 1.1.1 and 1.1.2, and manufacturers for the purpose of improving the Data Processor’s product range. A full list of third parties is available here.

1.2 The Data Subjects are:

  1. Individuals over the age of 18.
  2. Individuals under the age of 18.

2. CATEGORIES OF PERSONAL DATA

2.1.1 Individuals over the age of 18

  1. General Personal Data: Name, address, email, phone number, employment, title and IP-address.
  2. Sensitive Personal Data: No Sensitive Personal Data is Processed about individuals over the age of 18.

2.1.2 Individuals under the age of 18

  1. General Personal Data: Name, address, email, phone number, employment, title and IP-address.
  2. Sensitive Personal Data: No Sensitive Personal Data is Processed about individuals under the age of 18.

3. SECURITY OF PROCESSING

3.1 The security level of the Data Processor must reflect that the Processing involves a normal amount of general Personal Data, which is why a normal level of security must be established.

3.2 The Data Processor is entitled and obligated to initiate the measures that are required in accordance with GDPR article 32, which among other things states that, taking into consideration the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to the risk.

  1. The above obligation entails that the Data Processor must carry out a risk assessment and thereafter implement measures to counter the identified risks. This may include the following measures, depending on their relevance: pseudonymization and encryption.
  2. The ability to ensure continuous confidentiality, integrity, availability and robustness of the processing systems and services.
  3. The ability in due time to reestablish the accessibility of and access to Personal Data in case of a physical or technical incident.
  4. A procedure for periodic testing, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing. In relation to the above, the Data Processor must in any event as a minimum implement the security level and the measures specified in the Data Processing Agreement’s appendix 8.2.

4. STORAGE PERIOD AND DELETION

4.1 According to Applicable Law, Personal Data must not be stored for a longer period of time than what is necessary to fulfill the purpose of the Processing. Therefore, the Parties have agreed on the following:

4.2 The Data Processor must delete all Personal Data as soon as one of the following events occurs:

  • taking into account the Data Processing Agreement’s clause 4.6, when the Data Subject has requested deletion of Personal Data, or
  • if this Data Processing Agreement ceases regardless for which reason and the deletion does not violate Applicable Law.

4.3 Personal Data is stored with the Data Processor until the Data Controller requests that it be deleted or returned. However, Personal Data will be deleted three (3) months after the expiration of the Agreement if the Data Controller has not requested the Personal Data handed over.

5. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

5.1 Personal Data is transferred to Third Countries. The engaged Sub-Processors in these Third Countries are available via the link in the Data Processing Agreement’s clause 7.1 and comply with the guidelines stated in the Data Processing Agreement’s clause 6.

 

Appendix 8.2

Security measures
The Parties agree that the security level reflects the types of Personal Data being Processed.

The Data Processor is entitled and obligated to make decisions on which technical and organizational security measures to be used to establish the necessary (and agreed) security level regarding the Personal Data. However, in any case and as a minimum, the Data Processor must implement the following measures as agreed with the Data Controller:

  • Classification of Personal Data to ensure that the relevant security measures are implemented in relation to the risk assessments.
  • Assessment of pseudonymization and encryption as risk reducing factors.
  • Limitation of access to Personal Data to the relevant persons who require access under this Data Processing Agreement or under the Agreement.
  • Operate and implement systems that can detect, restore from, counter and report events in relation to Personal Data.
  • Map out the security structure and how Personal Data is transferred between the Parties.
  • Undertake assessments of the Data Processor’s own security levels to ensure that current technical and organizational measures are sufficient to protect Personal Data, in accordance with GDPR article 32 regarding security of processing and article 25 regarding data protection by design and by default.