DATA PROCESSOR AGREEMENT
Appendix to trade agreement between ideal shop ApS (The Data Processor) and buyer of webshop service (Data Controller)
(The Data Controller and The Data Processor are collectively called the "Parties" and separately a "Party")
ANNEX TO THE DATA PROCESSING AGREEMENT
Appendix 1 The main service
Appendix 2 Documentation of compliance with obligations
Appendix 3 Sub-data processors
Appendix 4 Transfer to third countries and international organizations
1. BACKGROUND AND PURPOSE
1.1. The parties have agreed to provide certain services from The Data Processor to The Data Controller, as described in more detail in the Parties' separate agreement to this effect and Appendix 1 to this agreement (the "Main Service").
2. In this connection, The Data Processor processes personal data on behalf of The Data Controller, for which reason the Parties have entered into this agreement with underlying appendices (the "Data Processor Agreement").
The purpose of The Data Processor Agreement is to ensure that The Data Processor complies with the personal data law regulations in force at any given time, including in particular:
- The Data Protection Act
- the Personal Data Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) when it takes effect.
5. The Data Processor is authorized to process personal data on behalf of The Data Controller on the terms set out in The Data Processor Agreement.
6. The Data Processor may only process personal data in accordance with documented instructions from The Data Controller ("Instructions"). This Data Processor Agreement, including its appendices, constitutes the Instructions at the time of signing.
7. The Data Processor may, to the extent not otherwise provided in The Data Processor Agreement, use all relevant aids, including IT systems.
9. The Data Processor Agreement is valid until either (a) the agreement on the delivery of the Main Services ceases or (b) The Data Processor Agreement is terminated.
10. DATA PROCESSOR'S OBLIGATIONS
10.1 Technical and organizational security measures
11. The Data Controller is responsible for implementing the necessary (a) technical and (b) organizational measures to ensure an appropriate level of security. The measures must be implemented taking into account the current technical level, the implementation costs and the nature, scope, composition and purpose of the processing in question, as well as the risks of varying probability and severity for the rights and freedoms of individuals. The Data Processor must, among other things, take the category of personal data described in Annex 1 into account when determining these measures.
12. The Data Processor implements the appropriate technical and organizational measures in such a way that The Data Processor's processing of personal data meets the requirements of the personal data law regulations in force at any given time.
12.1 Employee relations
13. The Data Processor shall ensure that employees who process personal data for The Data Processor have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
14. The Data Processor shall ensure that access to the personal data is limited to those employees for whom it is necessary to process personal data in order to be able to fulfill The Data Processor's obligations to The Data Controller.
15. The Data Processor must ensure that employees who process personal data for The Data Processor only process these in accordance with the Instructions.
15.1 Documentation of compliance with obligations
16. The Data Processor must, upon written request, document to The Data Controller that The Data Processor:
a) complies with its obligations under this Data Processor Agreement and the Instructions; and
b) complies with the provisions of the Personal Data Regulations in force at any given time with regard to the personal data processed on behalf of The Data Controller.
17. The Data Processor's documentation must be done within a reasonable time.
18. The details of the obligations under clause 16 are described in Annex 2 to this Data Processor Agreement.
18.1 Security breach
19. The Data Processor shall notify The Data Controller of any breach of personal data security that could potentially lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the personal data processed for The Data Controller ("Security Breach").
20. Security breaches must be reported to The Data Controller without undue delay and no later than within 24 hours.
21. The Data Processor shall, to the extent necessary and reasonable, assist in The Data Controller's fulfillment of its obligations in processing the personal data covered by this Data Processor Agreement, including by:
a) guiding The Data Controller when responding to individuals who exercise their rights;
b) security breach,
c) impact assessments; and
d) prior consultations with the supervisory authorities.
22. SUBDATA PROCESSORS
23. The Data Processor may only use a third party for the processing of personal data for The Data Controller ("Sub-Data Processor") to the extent that this is stated in:
a) Annex 3 to this Data Processor Agreement; or
b) Instructions from The Data Controller.
24. The Data Processor and the Sub-Data Processor shall enter into a written agreement which imposes on the Sub-Data Processor the same data protection obligations as The Data Processor (including pursuant to this Data Processor Agreement).
25. In addition, the Sub-Data Processor also acts solely on Instructions from The Data Controller. All communication with the Sub-Data Processor is handled by The Data Processor, unless otherwise agreed. Any amended or specified Instructions from The Data Controller must be passed on immediately by The Data Processor to the Sub-Data Processor.
26. If a Sub-Data Processor does not comply with the Instructions, The Data Controller may prohibit the use of that Sub-Data Processor.
27. The Data Processor is directly responsible for the Sub-Data Processor's processing of personal data in the same way as if the processing had been carried out by The Data Processor itself.
28. TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS
29. The Data Processor may only transfer personal data to third countries or international organizations to the extent that this is stated in:
a) Annex 4 to this Data Processor Agreement; or
b) Instructions from The Data Controller.
1.1 The transfer of personal data may in all cases only take place to the extent permitted by the personal data law regulations in force at any given time.
30. DATA PROCESSING OUTSIDE THE INSTRUCTIONS
31. The Data Processor may process personal data outside the Instructions in cases where this is required by EU law or national law to which The Data Processor is subject.
32. When processing personal data outside the Instructions, The Data Processor must notify The Data Controller of the reason for this. The notification must be made before the processing takes place and must contain a reference to the legal requirements on which the processing is based.
33. Notification shall not be given if the notification would be in conflict with EU or national law.
34.1 Termination
35. The Data Processor Agreement may only be terminated in accordance with the terms of termination set forth in the General Terms and Conditions.
35.1 Effect of termination
36. The Data Processor's authorization to process personal data on behalf of The Data Controller lapses upon termination of The Data Processor Agreement, regardless of the reason.
37. The Data Processor may continue to process the personal data for up to three months after the termination of The Data Processor Agreement, to the extent necessary to take the necessary statutory measures. During the same period, The Data Processor is entitled to include the personal data in The Data Processor's usual backup procedure. The processing of The Data Processor during this period is still considered to take place in compliance with the Instructions.
38. DISPUTE RESOLUTION
39. The regulation of dispute resolution, incl. choice of law and venue, in agreement(s) on the provision of the Main Services also applies to this Data Processor Agreement, as if this Data Processor Agreement were an integral part thereof. In the event that the agreement(s) on the delivery of the Main Services does not take a position on this, the provisions in this section shall apply to this Data Processor Agreement.
40. The Data Processor Agreement is subject to Danish law with the exception of (a) rules that lead to the application of law other than Danish law and (b) the UN Convention on the International Sale of Goods (CISG).
41. In the event of disagreement in connection with The Data Processor Agreement or its implementation, the Parties shall, with a positive, cooperative and responsible attitude, seek to enter into negotiations with a view to resolving the dispute. If necessary, the Parties shall seek to escalate the negotiations to executive level in the Parties' organizations.
42. If the Parties are unable to reach a settlement by negotiation, the Parties shall have the right to have the dispute finally settled by an action before the ordinary courts. The court in Herning, Denmark has been chosen as the venue. However, the Code of Judicial Procedure's referral rules to the High Court and the Maritime and Commercial Court must continue to apply.
44. If there is a conflict between this Data Processor Agreement and the agreement(s) on the provision of the Main Services, this Data Processor Agreement takes precedence, unless otherwise follows directly from The Data Processor Agreement.
THE MAIN SERVICE
1. THE MAIN SERVICE
45. The Data Processor develops and maintains a hosted webshop system available to The Data Controller. Through this, The Data Controller has the opportunity to manage an online webshop, where he can sell goods and services to third parties.
46. PERSONAL INFORMATION
47. Types of personal data processed in connection with the provision of the Main Service include general personal data, including name, address, telephone number and email address.
48. The main service allows The Data Controller to collect additional personal information from its customers. If The Data Controller makes use of these options, this agreement will automatically cover all further collected personal information.
49. If the Main Service is changed or extended to collect personal information that is not in this appendix, this agreement will automatically cover all additional personal information collected.
DOCUMENTATION OF COMPLIANCE WITH OBLIGATIONS
As part of The Data Processor's demonstration to The Data Controller of compliance with its obligations under clause 15.1 of The Data Processor Agreement, the following points must be performed and complied with.
1. GENERAL DOCUMENTATION TO THE DATA CONTROLLER
50. The Data Processor is obliged, upon written request, to send the following general documentation to The Data Controller:
a) A statement by The Data Processor's management that The Data Processor, during its processing of personal data on behalf of The Data Controller, continuously ensures compliance with its obligations under this Data Processor Agreement.
b) A description of which control measures The Data Processor has initiated and implemented to measure and control the impact of the established management system for information security and for the processing of personal data as well as performance measurements therefrom.
51. The general documentation must be provided no later than five working days after The Data Controller has submitted its written request to The Data Processor, unless otherwise specifically agreed. The Data Processor's preparation of documentation is at the expense of The Data Controller.
53. The Data Processor shall, upon written request, contribute to and provide access to the audit.
54. Audits must be performed by an independent third party selected by The Data Controller and approved by The Data Processor. The Data Processor may not reject a proposed third party without reasonable cause. The independent third party must agree to a customary declaration of confidentiality vis-à-vis The Data Processor. Requests for audit must be made with at least 14 days' notice.
55. The Data Processor is entitled to payment, based on time spent and materials used, for assistance pursuant to this item 52.
57. The above points shall not be considered exhaustive, and The Data Processor is therefore obliged to take such additional actions as are necessary to demonstrate compliance with The Data Processor's obligations under clause 10 of The Data Processor Agreement.
58. The Data Processor is not obliged to follow a request from The Data Controller if the request is contrary to the personal data law regulation. The Data Processor must notify The Data Controller to the extent that it is The Data Processor's assessment that this is the case.
59. With The Data Processor Agreement, The Data Controller gives his prior general written approval for The Data Processor to make use of a Sub-Data Processor. The Data Processor must notify The Data Controller in writing of the use of a Sub-Data Processor prior to the commencement of use. Similarly, The Data Processor must notify The Data Controller of the cessation of use of a Sub-Data Processor.
60. The Data Controller has the opportunity to raise objections against such a Sub-Data Processor to the extent that there are reasonable grounds for doing so.
TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS
61. Personal data may not be processed by The Data Processor or a Sub-Data Processor in a country outside the European Union or the EEA (a “Third Country”), or an international organization, unless The Data Controller gives specific permission to do so.
62. The Data Processor must notify The Data Controller of the transfer before it takes place.
63. SPECIAL TERMS
64. The Data Controller accepts that The Data Processor uses server hosting from international companies as long as personal data is on servers that are physically located in the EU.