DATA PROCESSOR AGREEMENT
Appendix to trade agreement between ideal shop ApS (The Data Processor) and buyer of webshop service (Data Controller)
(The Data Controller and The Data Processor are collectively called the "Parties" and separately a "Party")
ANNEX TO THE DATA PROCESSING AGREEMENT
Appendix 1 The main service
Appendix 2 Documentation of compliance with obligations
Appendix 3 Sub-data processors
Appendix 4 Transfer to third countries and international organizations
1. BACKGROUND AND PURPOSE
1.1. The Parties have agreed to provide certain services from The Data Processor to The Data Controller, as described in more detail in the Parties' separate agreement to this effect and Appendix 1 to this agreement (the "Main Service").
2. In this connection, The Data Processor processes personal data on behalf of The Data Controller, for which reason the Parties have entered into this agreement with underlying appendices (the "Data Processor Agreement").
The purpose of The Data Processor Agreement is to ensure that The Data Processor complies with the personal data law regulations in force at any given time, including in particular:
- The Data Protection Act
- the Personal Data Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) when it takes effect.
5. The Data Processor is authorized to process personal data on behalf of The Data Controller on the terms set out in The Data Processor Agreement.
6. The Data Processor may only process personal data in accordance with documented instructions from The Data Controller ("Instructions"). This Data Processor Agreement incl. appendix constitutes the Instruction at the time of signing.
7. The Data Processor may, to the extent not otherwise provided in The Data Processor Agreement, use all relevant aids, including IT systems.
9. The Data Processor Agreement is valid until either (a) the agreement on the delivery of the Main Services ceases or (b) The Data Processor Agreement is terminated.
10. DATA PROCESSOR'S OBLIGATIONS
10.1 Technical and organizational security measures
11. The Data Controller is responsible for implementing the necessary (a) technical and (b) organizational measures to ensure an appropriate level of security. The measures must be implemented taking into account the current technical level, the implementation costs and the nature, scope, composition and purpose of the processing in question, as well as the risks of varying probability and seriousness for the rights and freedoms of individuals. The Data Processor must, inter alia, take the category of personal data described in Annex 1 into account when determining these measures.
12. The Data Processor implements the appropriate technical and organizational measures in such a way that The Data Processor's processing of personal data meets the requirements of the personal data law regulations in force at any given time.
12.1 Employee relations
13. The Data Processor shall ensure that employees who process personal data for The Data Processor have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
14. The Data Processor shall ensure that access to the personal data is limited to those employees for whom it is necessary to process personal data in order to be able to fulfill The Data Processor's obligations to The Data Controller.
15. The Data Processor must ensure that employees who process personal data for The Data Processor only process these in accordance with the Instructions.
15.1 Documentation of compliance with obligations
16. The Data Processor must, upon written request, document to The Data Controller that The Data Processor:
a) complies with its obligations under this Data Processor Agreement and the Instructions.
b) complies with the provisions of the Personal Data Regulations in force at any given time with regard to the personal data processed on behalf of The Data Controller.
17. The Data Processor's documentation must be done within a reasonable time.
18. The details of the obligations under clause 16 are described in Annex 2 to this Data Processor Agreement.
18.1 Security breach
19. The Data Processor shall notify The Data Controller of any breach of personal data security that could potentially lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the personal data processed for The Data Controller ("Security Breach").
20. Security breaches must be reported to The Data Controller without undue delay and no later than within 24 hours.
21. The Data Processor shall, to the extent necessary and reasonable, assist in The Data Controller's fulfillment of its obligations in processing the personal data covered by this Data Processor Agreement, including by:
a) guiding The Data Controller when responding to individuals who exercise their rights;
b) security breach;
c) impact assessments; and
d) prior consultations with the supervisory authorities.
22. SUB-DATA PROCESSORS
23. The Data Processor may only use a third party for the processing of personal data for The Data Controller ("Sub-Data Processor") to the extent that this is stated in:
a) Annex 3 to this Data Processor Agreement; or
b) Instructions from The Data Controller.
24. The Data Processor and the Sub-Data Processor shall enter into a written agreement which imposes on the Sub-Data Processor the same data protection obligations as The Data Processor (including pursuant to this Data Processor Agreement).
25. In addition, the Sub-Data Processor also acts solely on Instructions from The Data Controller. All communication with the Sub-Data Processor is handled by The Data Processor, unless otherwise agreed. Any amended or specified Instructions from The Data Controller must be passed on immediately by The Data Processor to the Sub-Data Processor.
26. If a Sub-Data Processor does not comply with the Instructions, The Data Controller may prohibit the use of that Sub-Data Processor.
27. The Data Processor is directly responsible for the Sub-Data Processor's processing of personal data in the same way as if the processing were carried out by The Data Processor itself.
28. TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS
29. The Data Processor may only transfer personal data to third countries or international organizations to the extent that this is stated in:
a) Annex 4 to this Data Processor Agreement; or
b) Instructions from The Data Controller.
1.1 The transfer of personal data may in all cases only take place to the extent permitted by the personal data law regulations in force at any given time.
30. DATA PROCESSING OUTSIDE THE INSTRUCTIONS
31. The Data Processor may process personal data outside the Instructions in cases where this is required by EU law or national law to which The Data Processor is subject.
32. When processing personal data outside the Instructions, The Data Processor must notify The Data Controller of the reason for this. The notification must be made before the processing takes place and must contain a reference to the legal requirements on which the processing is based.
33. Notification shall not be given if the notification would be in conflict with EU or national law.
34.1 Termination
35. The Data Processor Agreement may only be terminated in accordance with the terms of termination set forth in the General Terms and Conditions.
35.1 Effect of termination
36. The Data Processor's authorization to process personal data on behalf of The Data Controller lapses upon termination of The Data Processor Agreement, regardless of the reason.
37. The Data Processor may continue to process the personal data for up to three months after the termination of The Data Processor Agreement, to the extent necessary to take the necessary statutory measures. During the same period, The Data Processor is entitled to include the personal data in The Data Processor's usual backup procedure. The processing of The Data Processor during this period is still considered to take place in compliance with the Instructions.
38. DISPUTE RESOLUTION
39. The regulation of dispute resolution, incl. choice of law and venue, in agreement(s) on the provision of the Main Services also applies to this Data Processor Agreement, as if this Data Processor Agreement were an integral part thereof. In the event that the agreement(s) on the delivery of the Main Services does not take a position on this, the provisions in this section shall apply to this Data Processor Agreement.
40. The Data Processor Agreement is subject to Danish law with the exception of (a) rules that lead to the application of law other than Danish law and (b) the UN Convention on the International Sale of Goods (CISG).
41. In the event of disagreement in connection with The Data Processor Agreement or its implementation, the Parties shall, with a positive, cooperative and responsible attitude, seek to enter into negotiations with a view to resolving the dispute. If necessary, the Parties must seek to raise the negotiations to executive level in the Parties' organizations.
42. If the Parties are unable to reach a settlement by negotiation, the Parties shall have the right to have the dispute finally settled by an action before the ordinary courts. The court in Herning, Denmark has been chosen as the venue. However, the Code of Judicial Procedure's referral rules to the High Court and the Maritime and Commercial Court must continue to apply.
44. If there is a conflict between this Data Processor Agreement and the agreement(s) on the provision of the Main Services, this Data Processor Agreement takes precedence, unless the contrary follows directly from The Data Processor Agreement.
THE MAIN SERVICE
1. THE MAIN SERVICE
45. The Data Processor develops and maintains a hosted webshop system available to The Data Controller. Through this, The Data Controller has the opportunity to manage an online webshop, where he can sell goods and services to third parties.
46. PERSONAL INFORMATION
47. Types of personal data processed in connection with the provision of the Main Service include general personal data, including name, address, telephone number and email address.
48. The main service allows The Data Controller to collect additional personal information from its customers. If The Data Controller makes use of these options, this agreement will automatically cover all further collected personal information.
49. If the Main Service is changed or extended to collect personal information that is not in this appendix, this agreement will automatically cover all additional personal information collected.