Between
(”The Data Controller”)
and
IEX ApS
CVR number 35527710
Roholmsvej 10R
2620 Albertslund
Denmark
(”The Data Processor”)
The Controller and the Processor are separately referred to as ”Party” and together as ”Parties”
1. Preamble
- The Controller has entered into a subscription agreement (”Subscription”) with the Processor for the purpose of integrating the Controller’s IT systems and web shop.
- The Processor processes personal data on behalf of the Controller, for instance through handling on the Processor’s servers.
- The data processing is handled via a technical solution (”System”) designed by the Processor that provides the integration between the IT systems used by the Controller in its enterprise. The Controller can at all times, by logging in to the System, view all the personal data being processed in the System.
- The purpose of this DPA is to ensure that the Processor at all times complies with existing legislation regarding the processing of personal data, including the Act on Processing of Personal Data (Act No. 429 of 31 May 2000 with later amendments) as well as the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, hereafter ”GDPR”).
- This DPA sets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller.
- The DPA is subject to the terms of cancellation/termination of the Subscription, cf. item 1.1 and the associated terms and conditions. The terms and conditions apply in general in relation to the DPA. In case of doubt or conflicting circumstances, the DPA shall take priority unless the DPA explicitly states otherwise.
- Attached to the DPA are Appendix 1-2. The Appendices form an integral part of this DPA.
- The DPA and its associated Appendices shall be retained in writing as well as electronically by both Parties.
2. Instructions
- The Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Processor shall inform the Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
- The instruction consists of 2 (two) parts:
- This DPA including the appendices at the time of signature.
- The integration that the Processor sets up in the System (where the processing of sensitive data also takes place) constitutes an instruction to the Processor, since the Processor automatically, from the information and uploads received from the Controller, carries out collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- The Data Processor shall immediately inform the Data Controller if instructions in the opinion of the Data Processor contravene the GDPR or data protection provisions contained in other EU and Member State law.
- Unless otherwise stated in the DPA, the Processor may use all relevant aids, including IT systems.
3. Security of processing
- The Data Processor shall take all the measures required pursuant to Article 32 of the GDPR.
- Article 32 provides, among other things, that appropriate technical and organisational measures shall be implemented to ensure a level of security appropriate to the risk, taking into account:
- The state of the art
- Implementation costs
- The nature, scope, context and purposes of the processing in question (including the consideration for the category of personal data in Appendix 1)
- The risk of varying likelihood and severity for the rights and freedoms of natural persons
- The Processor shall in ensuring the above – in all cases – at a minimum implement the level of security and measures specified below in Appendix 4, 5 and 6 to this DPA.
- The Parties agree on the sufficiency of these guarantees at the time of commencement of this DPA, noting that the Processor has otherwise implemented measures in its internal procedures.
When invoices are sent through the integration (an optional setting), the System connects through Google OAuth. The System’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4. Physical security
The Processor shall ensure the security of its physical locations.
5. Organisational security
The Processor shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of the Controller. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.
Only persons who require access to the personal data in order to fulfill the obligations of the Processor to the Controller shall be provided with authorisation.
The Processor shall ensure that persons authorised to process personal data on behalf of the Controller have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality and that the employees comply with the DPA.
All employees are briefed on and subject to internal procedures as to how security breaches are handled.
6. Technical security
The Processor exclusively uses hardware and software of high quality that is continuously updated, including antivirus software, anti-hacking software and firewalls.
All communication to and from the System is encrypted (HTTPS) and supports TLS connections with 256- or 128-bit ciphers.
Access to the Processor’s internal IT systems takes place via encrypted login credentials, which ensures that unauthorised persons are denied access. At appropriate intervals, the Processor rotates the login credentials of the internal IT systems that ultimately grant access to the Controller’s personal data.
For the integration of the System with the Controller’s IT systems, the Processor receives the necessary passwords and access information. The Processor erases these credentials once the configuration/integration under the Subscription has been completed, unless the Parties enter into an alternative valid agreement. The Controller should change the credentials at the same time.
However, the Processor stores correspondence and log files concerning support for the Controller in a ”ticket”. In order to carry out error detection and review previous support records, the contents of the ”ticket” are not erased unless the Controller actively requests it.
7. Notification on personal data breach
On discovery of personal data breach at the Processor’s facilities or a sub-processor’s facilities, the Processor shall without undue delay notify the Controller.
Such security breach includes any breach that can potentially lead to accidental or unlawful destruction, loss, alteration, unauthorised transmission of or access to the personal data processed for the Controller (”Security Breach”).
The Processor shall maintain and store a register of all Security Breaches. The register shall at a minimum contain the factual circumstances surrounding the Security Breach, its effects and the measures taken to limit its possible damage.
8. Use of sub-processors
The Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the GDPR in order to engage another processor (Sub-Processor).
The Parties have agreed on the Processor’s general engagement of Sub-Processors, cf. Appendix 2, in which the already approved Sub-Processors are listed.
The Processor shall inform the Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Controller the opportunity to object to such changes.
The Processor shall ensure that the Sub-Processor is subject to at minimum the same data protection obligations as those specified in this DPA on the basis of a contract or other legal document, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the GDPR and any relevant legislation.
If the Sub-Processor does not fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the fulfilment of the obligations of the Sub-Processor.
9. Transfer of data to third countries or international organisations
The Processor shall solely be permitted to process personal data on documented instructions from the Controller, including as regards transfer (assignment, disclosure and internal use) of personal data to third countries or international organisations, unless processing is required under EU or Member State law to which the Controller is subject.
The Controller’s instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in the Appendices or in separate instructions.
Without the instructions or approval of the Controller, the Processor therefore cannot, within the framework of this DPA, disclose personal data to a data controller in a third country or in an international organisation.
If data is transferred to a third country, the Processor will assist, without charge, in concluding the necessary agreements, or the Controller will authorise the Processor to conclude the necessary agreements on the Controller’s behalf and at the Controller’s expense.
10. Assistance to the controller
- The Processor, taking into account the nature of the processing, shall, as far as possible, assist the Controller with appropriate technical and organisational measures, in the fulfilment of the Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the GDPR.
- The Processor shall assist the Controller in ensuring the compliance with the Controller’s obligations pursuant to Articles 32-36 of the GDPR taking into account the nature of the processing and the data made available to the Processor, cf. Article 28, sub-section 3, para f.
- The Parties’ agreement on the payment for the Processor’s assistance to the Controller appears in item 12.
11. Erasure
The Processor shall not erase the Controller’s personal data (or other data) during the term of the Subscription unless the Controller requests the Processor to do so.
On cessation of the Subscription and the associated processing of personal data, the Processor shall be under obligation, at the Controller’s discretion, to erase or return all the personal data to the Controller and to erase existing copies and passwords, unless EU law or Member State law requires storage of the personal data.
Erasure of all forms of data at the Processor and Sub-Processors shall be carried out at the latest 3 months after cessation of the Subscription and without further notification. Earlier erasure can be requested from the Processor.
12. Inspection and audit
- The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and this DPA.
- The Processor allows for and contributes to audits, including inspections performed by the Controller or another expert (e.g. an accountant or IT specialist) mandated by the Controller.
- The Processor shall, insofar as the Controller so desires, once a year obtain a customary and recognised report (e.g. an inspection report or IT report) from an independent, expert third party with regard to the Processor’s compliance with this DPA and its associated appendices. The report is compiled at the Controller’s expense, and the Processor is entitled to receive a copy of the report. If such a report has been compiled within the last 12 months, the Processor may offer the Controller a copy of that report instead.
- The Controller or the Controller’s representative shall in addition have access to inspecting, including physically inspecting, the processing at the Processor’s facilities when the Controller deems that this is required.
- Inspections take place with a minimum of one month’s notice. Along with the notice, the Controller shall send a detailed plan describing the scope, duration and starting date of the inspection. The Processor shall be under obligation to set aside the resources (mainly time) required for the Controller to be able to perform the inspection.
- The Processor’s costs related to an audit and/or other forms of inspection (including internal time) shall be at the expense of the Controller and shall be settled in relation to the Processor’s time consumption.
- This equally applies if the Controller requests documents or other material be handed over from the Processor for the purpose of controlling compliance with the DPA.
13. Breach of contract
The regulation of remedies follows the terms and conditions associated with the Subscription, cf. item 1.7.
14. Liability and limitation of liability
The Parties shall be responsible in accordance with the applicable rules of the law, subject to the limitations set forth in this section.
The Parties disclaim any liability for indirect losses and collateral damage, consequential loss, loss of goodwill, loss of savings and earnings (including expenses for recovering lost earnings) and loss of data.
The Parties’ liability for all accumulated claims under this DPA is limited to the aggregate payments due under the main service for the 6-month period preceding the harmful act.
If the DPA has not been in operation for 6 months, the amount is calculated as the agreed payment for the services during the period the DPA has been in operation, divided by the number of months the DPA has been in operation and multiplied by 6.
The following is not subject to the limitation of liability in this item 14:
Loss as a consequence of the gross negligence or intentional acts of the other Party.
Expenses and resource consumption incurred in fulfilling a Party’s obligations towards a supervisory authority or the data subjects, as well as fines imposed by a supervisory authority or a court of law, to the extent that these have been caused by the other Party’s negligence.
15. Changes
The Processor may without costs and with 1 month’s notice change the contents of the DPA.
16. Commencement and termination
The DPA may be replaced by an alternative valid DPA. The DPA shall not be terminated or cancelled separately during the term of the Subscription.
Regardless of the cessation of the DPA, items 5.3 (confidentiality of employees), 11 (erasure/return), 14 (liability and limitation of liability) and 17 (disputes) remain in force after the cessation of the DPA.
The Processor may process and store the personal data for up to 3 months after the DPA expires, to the extent necessary to take the necessary statutory measures, cf. item 11.2. In this period, the Processor has the right to let the data be included in its backup procedure.
During this period, the Processor’s handling is still considered to be in compliance with the instructions in the DPA.
17. Disputes
The handling of disputes related to the DPA is subject to the terms and conditions of the Subscription.
Unless otherwise agreed, the DPA is subject to Danish law and the Parties are entitled to demand the dispute settled by the common courts of law. The Court of Glostrup has been chosen as venue of the first instance.
Appendix 1
Purpose
This appendix elaborates on the contents of the DPA, including as regards the specific personal data that is processed on behalf of the Controller.
Types of personal data
- The agreement entails that the Processor processes the following categories of common personal data:
- Name
- Telephone number
- Email address
- Address
- Payment details
- Type of Subscription
- Furthermore, the following categories of sensitive personal data are processed, cf. item 1.2
- Political, philosophical or religious conviction
- Circumstances surrounding union affiliation
- Race or ethnicity
- Health data
- Sexual relations or sexual orientation
- Criminal circumstances
- Genetic or biometric data for the sole purpose of identifying a natural person
The processing includes the following categories of persons
- The Controller’s customers
- The Controller’s employees
- The Controller’s members
- The Controller’s owners
- The Controller’s collaborators
Appendix 2
Sub-processors
The Processor has the Controller’s general consent for the engagement of Sub-Processors.
The Processor shall, however, inform the Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give Controller the opportunity to object to such changes.
Such notification shall be submitted to the Controller a minimum of 30 days prior to the engagement of sub-processors or amendments coming into force.
If the Data Controller should object to the changes, the Controller shall notify the Data Processor of this within 14 days of receipt of the notification.
The Controller shall only object if the Controller has reasonable and specific grounds for such refusal.
List of sub-processors at the commencement of the DPA
Internal systems:
e-conomic
Nordea
Atlassian
Google Workspace (calendar and email)
Hosting:
Amazon Web Services
Google Cloud Platform
Hetzner
Social media and marketing:
Google (website only, see cookie policy)
Facebook (website only, see cookie policy)
Mailchimp
Subscription and payment:
Reepay
ePay/Bambora
Stripe
Clearhaus
Support systems:
Intercom
Slack
3CX (JED ApS)