Scope of the Agreement
- This Agreement is entered into by the Data Controller, however any affiliated company whether existing or future shall be considered a party to this Agreement as data controller and are entitled to rely on the rights of the Data Controller and the obligations of the Data Processor set out in the Agreement.
- This Agreement is entered into by the Data Controller, however any affiliated company whether existing or future shall be considered a party to this Agreement as data controller and are entitled to rely on the rights of the Data Controller and the obligations of the Data Processor set out in the Agreement.
The processed personal data
- This Agreement has been entered into in connection with the Parties' execution of an agreement regarding the Data Controllers use of the Data Processors Services on date even herewith (the "Main Agreement").
- The types of personal data which the Data Processor processes on behalf of the Data Controller in relation to the relevant data subjects are listed in Schedule 1.
- The Data Controller is entitled to delete and/or add additional types of personal data/data subjects to the above list by forwarding a new list of types of personal data/data subjects to the Data Processor.
Purpose and instructions
- The Data Processor may only process personal data for purposes which are necessary in order to fulfil the Data Processor's obligations under the Main Agreement.
- The Data Processor is only entitled to process the personal data in accordance with the Data Controller's instructions, unless such processing is required pursuant to applicable legislation. In such case, the Data Processor shall inform the Data Controller of such legal requirement before the processing, unless the law prohibits such information on important legal grounds. The same applies for transfer of personal data to a third country (as defined under applicable data protection legislation).
- The Data Controller hereby instructs the Data Processor to carry out the processing activities mentioned in Schedule 1.
- The Data Processor shall immediately inform the Data Controller if, in the Data Processor's opinion, an instruction infringes applicable data protection legislation regarding processing of personal data, including the EU General Data Protection Regulation 2016/679 (GDPR).
Transfer of data to other data processors or third parties
- The Data Processor is only entitled to transfer the personal data stipulated in clause 2 to other data processors or third parties in circumstances where it has received written instructions (e.g. by e-mail) from the Data Controller to this effect. The Data Processor is not entitled to disclose or transfer personal data to third parties or data processors without the prior written instruction of the Data Controller, unless such disclosure or transfer is stipulated by law. In such cases, the Data Processor shall inform the data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Before transferring personal data to another data processor (sub-data processors), the Data Processor must ensure that such sub-data processor has executed a data processing agreement in which the sub-data processor undertakes vis-Ã -vis the Data Processor to be subject to the same data protection requirements as set out in this Agreement, including with respect to implementation of necessary technical and organizational security measures.
- If the personal data is transferred to foreign sub-data processors, it must, in the said data processing agreement, be stated that the data protection legislation applicable in the Data Controller's country applies to foreign sub-data processors. Furthermore, if the receiving sub-data processor is established within the EU, it must be stated in the said data processing agreement that the receiving EU country's specific statutory requirements regarding data processors, e.g. concerning demands for notification to national authorities, must be complied with. Before the personal data is transferred, the data processing agreement must be submitted to the Data Controller in order to ensure that it is in compliance with the terms of this Agreement.
- The Data Processor must, in its own name, enter into written data processing agreements with sub-data processors within the EU/EEA. As for sub-data processors outside the EU/EEA, the Data Processor must enter into standard agreements in accordance with Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under the European Parliament and the Council's Directive 95/46/EC ("Model Clauses").
- The Data Controller hereby authorises the Data Processor to enter into Model Clauses with sub-data processors outside the EU/EEA on behalf of and in the name of the Data Controller, provided, however, that the Data Controller has beforehand given instructions to that effect in accordance with clause 5.1 above.
- At the time of the signature of this Agreement, the Data Processor engages the sub-data processors listed in Schedule 2.
Liability
- One Party shall indemnify the Other Party against any claims, costs (including reasonable expenses for legal services), loss, liability, fines, expenses or damages incurred by one Party as a result of the Other Party's breach of this Agreement, including breach of the applicable legislation on the protection of personal data.
Effective date and termination
- This Agreement becomes effective on the date of signing hereof.
- Termination of the Main Agreement will result in the termination of this Agreement. However, the Data Processor remains subject to the obligations stipulated in this Agreement for as long as the Data Processor processes personal data on behalf of the Data Controller.
- In the event of the termination of the Agreement, the Data Controller is entitled to determine the media format to be used by the Data Processor when returning the personal data and to determine if personal data should instead be deleted.
Governing law and jurisdiction
- This Agreement is subject to Danish law.
- Any claim or dispute arising from or in connection with this Agreement must be settled by the Copenhagen city court.