Data Processor Agreement
Last updated on August 13, 2020.
DATA PROCESSOR AGREEMENT
Company Name: (Customer of Certainly)
Company reg. no.:
Contact for requests and notifications regarding this agreement:
(the "Data Controller")
Company Name: Certainly ApS
Company reg. no.: 38 07 07 70
Address: Søtorvet 5, 1. th, 1371 Copenhagen, Denmark
(the "Data Processor")
(Data Controller and Data Processor separately referred to as a "Party" and collectively the "Parties")
have concluded this data processor agreement (the "Agreement") regarding the Data Processor's processing of personal data on behalf of the Data Controller.
- Scope of the Agreement
- This Agreement is entered into by the Data Controller; however, any affiliated company, whether existing or future, shall be considered a party to this Agreement as data controller and is entitled to rely on the rights of the Data Controller and the obligations of the Data Processor set out in the Agreement.
- Any future affiliated company will automatically become a party to this Agreement as set out in clause 1 without further actions being required. In the event of divestment of an affiliated company, whether directly or indirectly, by the Data Controller, the divested company shall be entitled to continue to rely on and benefit from this Agreement, as if the divested company were still an affiliate of the Data Controller, if the processing activities performed before the divestment continue after the divestment.
- This Agreement has been entered into in connection with the Parties' execution of an agreement regarding the Data Controller's use of the Data Processor's Services on even date herewith (the "Main Agreement").
- The types of personal data which the Data Processor processes on behalf of the Data Controller in relation to the relevant data subjects are listed in Schedule 1.
- The Data Controller is entitled to delete and/or add additional types of personal data/data subjects to the above list by forwarding a new list of types of personal data/data subjects to the Data Processor.
- The Data Processor may only process personal data for purposes which are necessary in order to fulfil the Data Processor's obligations under the Main Agreement.
- The Data Processor is only entitled to process the personal data in accordance with the Data Controller's instructions, unless such processing is required pursuant to applicable legislation. In such case, the Data Processor shall inform the Data Controller of such legal requirement before the processing, unless the law prohibits such information on important legal grounds. The same applies for transfer of personal data to a third country (as defined under applicable data protection legislation).
- The Data Controller hereby instructs the Data Processor to carry out the processing activities mentioned in Schedule 1.
- The Data Processor shall immediately inform the Data Controller if, in the Data Processor's opinion, an instruction infringes applicable data protection legislation regarding processing of personal data, including the EU General Data Protection Regulation 2016/679 (GDPR).
- All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions prepared by the Data Controller, and the Data Processor is obliged to comply with any applicable data protection legislation in force from time to time.
- The Data Processor must take all necessary technical and organizational security measures, including any additional measures, required to ensure that the personal data specified in clause 2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorized third parties, abused or otherwise processed in a manner which is contrary to applicable data protection legislation. Thus, the Data Processor must, among other things:
- introduce login and password procedures and set up and maintain a firewall and antivirus software;
- ensure that only employees with a work-related purpose have access to the personal data;
- ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality;
- store data storage media securely so that it is not accessible to third parties;
- ensure that buildings and systems used for data processing are secure and that only high-quality hardware and software, which is regularly updated, is used;
- ensure that tests and waste material are destroyed in accordance with data protection requirements on the specific instruction of the Data Controller. In particular cases, to be determined by the Data Controller, such tests and waste material must be stored or returned; and
- ensure that employees receive proper training, adequate instructions and guidelines on the processing of the personal data. The Data Processor must ensure that the employees involved with the processing of the personal data are familiar with the security requirements.
- If so requested by the Data Controller, the Data Processor shall make available to the Data Controller all information necessary to demonstrate that the Data Processor complies with the requirements of the applicable data protection legislation, and the obligations under this Data Processor Agreement, including the implementation of necessary technical and organizational security measures.
- If the Data Processor processes personal data in an EU/EEA member state other than Denmark, the Data Processor must comply with any and all legislation concerning security measures in that member state.
- The Data Processor must notify the Data Controller immediately where there is an interruption in operation, a suspicion that data protection rules have been breached or other irregularities in connection with the processing of the personal data occur. In case of security breaches, the Data Processor shall inform the Data Controller hereof immediately and no later than 24 hours from the discovery of the breach. If requested by the Data Controller, the Data Processor shall assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish Data Protection Agency and/or data subjects.
- Upon the request of the Data Controller, the Data Processor is obligated to assist the Data Controller in relation to completion of data protection impact assessments, including potential prior consultations with the Data Protection Agency, taking into account the nature of processing and the information available to the Data Processor.
- The Data Controller is entitled, at its own expense, to have the Data Processor's processing of personal data reviewed annually by an independent third party.
- If the Data Processor, or another data processor which has received data, receives a request for access to the registered personal data from a data subject or his agent, or a data subject objects to processing of his/her personal data, or a data subject exercises any other rights, the Data Processor must immediately send such request and/or objection to the Data Controller, for the Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor shall assist the Data Controller in answering any such requests and/or objections.
For more info on the Data Processor's security measures: certainly.io/data-policy
- The Data Processor is only entitled to transfer the personal data stipulated in clause 2 to other data processors or third parties in circumstances where it has received written instructions (e.g. by e-mail) from the Data Controller to this effect. The Data Processor is not entitled to disclose or transfer personal data to third parties or data processors without the prior written instruction of the Data Controller, unless such disclosure or transfer is stipulated by law. In such cases, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Before transferring personal data to another data processor (sub-data processors), the Data Processor must ensure that such sub-data processor has executed a data processor agreement in which the sub-data processor undertakes vis-à-vis the Data Processor to be subject to the same data protection requirements as set out in this Agreement, including with respect to implementation of necessary technical and organizational security measures.
- If the personal data is transferred to foreign sub-data processors, it must, in the said data processor agreement, be stated that the data protection legislation applicable in the Data Controller's country applies to foreign sub-data processors. Furthermore, if the receiving sub-data processor is established within the EU, it must be stated in the said data processor agreement that the receiving EU country's specific statutory requirements regarding data processors, e.g. concerning demands for notification to national authorities, must be complied with. Before the personal data is transferred, the data processor agreement must be submitted to the Data Controller in order to ensure that it is in compliance with the terms of this Agreement.
- The Data Processor must, in its own name, enter into written data processor agreements with sub-data processors within the EU/EEA. As for sub-data processors outside the EU/EEA, the Data Processor must enter into standard agreements in accordance with Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council ("Model Clauses").
- The Data Controller hereby authorises the Data Processor to enter into Model Clauses with sub-data processors outside the EU/EEA on behalf of and in the name of the Data Controller, provided, however, that the Data Controller has beforehand given instructions to that effect in accordance with clause 5.1 above.
- At the time of the signature of this Agreement, the Data Processor engages the sub-data processors listed in Schedule 2.
- In the event of amendments to the applicable data protection legislation, the Data Controller is entitled to amend the instructions set out in this Agreement on the giving of 2 (two) weeks' written notice when forwarding the new written instructions to the Data Processor. The Data Processor must however, at all times, comply with the applicable data protection legislation.
- One Party shall indemnify the other Party against any claims, costs (including reasonable expenses for legal services), loss, liability, fines, expenses or damages incurred by one Party as a result of the other Party's breach of this Agreement, including breach of the applicable legislation on the protection of personal data.
- This Agreement becomes effective on the date of signing hereof.
- Termination of the Main Agreement will result in the termination of this Agreement. However, the Data Processor remains subject to the obligations stipulated in this Agreement for as long as the Data Processor processes personal data on behalf of the Data Controller.
- In the event of the termination of the Agreement, the Data Controller is entitled to determine the media format to be used by the Data Processor when returning the personal data and to determine if personal data should instead be deleted.
- This Agreement is subject to Danish law.
- Any claim or dispute arising from or in connection with this Agreement must be settled by the Copenhagen City Court.
Date & Place: _____________________
On behalf of the Data Controller:
Date & Place: _____________________
On behalf of the Data Processor:
Name: Henrik Fabrin
Title: CEO & Data Protection Officer
Schedule 1: Types of personal data, data subjects and processing activities
Data subjects:
End-users of the Processor's customer.
Types of personal data:
Basic consumer contact information including but not limited to full name, contact e-mail address and telephone number.
Processing activities:
Data will be collected and processed in accordance with the current agreement.
Schedule 2: Sub-data processors
Sub-data processor 1:
Name: Amazon Web Services (AWS).
Location: Data Center in Frankfurt, Germany. Data Centers and Security: aws.amazon.com/security.
Legal Transfer Mechanism: The agreement between the Data Processor and AWS enables the data to be stored within the EU and not to be transferred to another region. Please refer to this webpage: aws.amazon.com/compliance/eu-data-protection.
Assisting the Data Processor with: Hosting of technology and data.
Sub-data processor 2:
Name: Microsoft Azure.
Location: Data Center in North Europe, Ireland. Data Centers and Security: azure.microsoft.com/en-us/global-infrastructure/locations.
EU Standard Contractual Clauses: The agreement between the Data Processor and Azure Cloud enables the data to be stored within the EU and not to be transferred to another region. Please refer to this webpage: microsoft.com/en-us/trust-center/privacy/data-location.
Assisting the Data Processor with: Hosting of technology and data.
Sub-data processor 3:
Name: Sentry (Registered company name: Functional Software, Inc).
Location: Data Centers and Security: sentry.io/security.
Legal Transfer Mechanism: For personal information that Sentry receives from the European Union, Sentry uses Standard Contractual Clauses and has also certified its compliance with the EU-U.S. Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the EU countries. sentry.io/privacy.
Assisting the Data Processor with: Web development error monitoring for the Data Processor's internal use.