1. BACKGROUND

1.1 On on the day of acceptance' Data Controller and Data Processor entered into an Agreement concerning Data Controller's use of the Licensed Software and the SaaS Services as defined in the Agreement.
1.2 As part of Data Processor's provision of Services (as defined below) to Data Controller under the Agree-ment, Data Processor will be processing personal data on behalf of Data Controller.
1.3 Applicable Data Protection Legislation (as defined below) requires that a written contract be entered into between a data controller and data processor, who processes personal data on behalf of the data controller, governing the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the data controller. Accordingly, the Parties have entered into this Data Processing Agreement (as defined below).
1.4 The Agreement and the Data Processing Agreement are interdependent and cannot be terminated separate-ly.
1.5 In the event of any inconsistency between the contents of the Agreement and the Data Processing Agree-ment in relation to data protection obligations, the Data Processing Agreement will prevail irrespective of any previous agreements between the Parties.

2. DEFINITIONS

2.1 Terms defined in the Agreement shall have the same meaning when used in this Data Processing Agree-ment, unless otherwise expressly stated herein.
2.2 In this Data Processing Agreement, unless the context otherwise requires:

1. "Agreement" has the meaning ascribed to it in clause 1.1.

2. "Data Processing Agreement" means this data processing agreement, including Appendix 1 and Ap-pendix 2.

3. "Data Protection Legislation" means all the laws and rules governing the processing and protection of personal data throughout the European Economic Area (EEA) as amended, supplemented and/or modi-fied from time to time, including the General Data Protection Regulation (as defined below), relevant na-tional legislation and, where relevant, the guidelines and rules issued by the Danish Data Protection Agency or other competent supervisory authorities in the EEA (including the national supervisory authori-ties).

4. "General Data Protection Regulation" means "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)" as amended, supplemented and/or modified from time to time.

5. "Services" means the services and supplies provided by Data Processor as provider to Data Controller as customer under the Agreement. 2.3 The terms "personal data", "special categories of personal data", "process/processing", "controller", "proces-sor", "data subject", "supervisory authority", "pseudonymisation", "technical and organisational measures" and "personal data breach" as used in this Data Processing Agreement shall be understood in accordance with the Data Protection Legislation, including the General Data Protection Regulation.

3. PROCESSING OF PERSONAL DATA

3.1 Data Processor shall process personal data on behalf of Data Controller in accordance with the Data Protec-tion Legislation.
3.2 The personal data to be processed by Data Processor and the categories of data subjects are set out in Appendix 1 to this Data Processing Agreement.
3.3 Data Processor may only process the personal data on documented instructions from Data Controller, un-less required to do so pursuant to mandatory European Union rules and regulation or mandatory member state law to which Data Processor is subject. In that case, Data Processor must notify Data Controller of such legal requirement before the processing, unless the relevant law prohibits such notification on important grounds of public interest.
3.4 Notwithstanding clause 3.3, Data Processor will anonymize the personal data received from Data Controller in order to further develop the Services. The anonymization will be carried out on behalf of Data Controller.
3.5 Data Processor must ensure that the persons involved in the processing of personal data on behalf of Data Controller under the Data Processing Agreement have either committed themselves to confidentiality or are subject to a proper statutory duty of confidentiality and that they only process personal data in compliance with the Agreement, the Data Processing Agreement and the Data Protection Legislation.
3.6 Data Processor shall take the necessary steps to ensure that any person acting under the authority of Data Processor, and who has access to the personal data, does not process such personal data except on doc-umented instructions from Data Controller.
3.7 Data Processor shall, upon request from Data Controller, provide access to all necessary information in order for Data Controller to ensure compliance with the obligations laid down in the Data Protection Legisla-tion. Furthermore, Data Processor must allow and contribute to any audits, including inspections, conducted by Data Controller or an auditor authorized by Data Controller. Data Processor is entitled to receive separate compensation in this regard.
3.8 Data Processor must immediately notify Data Controller if, in Data Processor's opinion, an instruction from Data Controller is contrary to the Data Protection Legislation.

4. SECURITY MEASURES

4.1 Taking into account the state of art, the costs of implementation and the nature, scope, context and pur-poses of the processing as well as risk of varying likelihood and severity of the rights and freedoms of natu-ral persons, Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
4.2 Data Processor shall assist Data Controller by appropriate technical and organizational measures with the fulfilment of Data Controller's obligation to respond to requests for exercising the data subject's rights as laid down in the Data Protection Legislation. Data Processor shall be compensated for the time devoted in rela-tion to the assistance with responses to requests regarding the data subject's rights. The specific compen-sation will be agreed upon separately.
4.3 Data Processor shall notify Data Controller without undue delay after becoming aware of a personal data breach. Furthermore, Data Processor shall assist Data Controller in ensuring compliance with Data Control-ler's obligations (i) to document any personal data breach, (ii) to notify the applicable supervisory author-it(y/ies) of any personal data breach, and (iii) to communicate such personal data breaches to the applicable data subjects in accordance with Articles 33 and 34 of the General Data Protection Regulation.

5. SUB-PROCESSING

5.1 By signing this Data Processing Agreement, Data Controller agrees that Data Processor may engage Sub-Contractors to assist in providing the Services. The list of sub-contractors currently engaged in processing personal data (hereinafter referred to as Sub-Processors) and the countries and facilities in which the personal data is processed, is enclosed as Appendix 2 to this Data Processing Agreement.
5.2 Any additions and/or changes to the list will be notified to Data Controller via email to the following email address: [you company email]. If Data Controller wishes to object to the sub-processing, Data Controller shall state so in writing as soon as the before mentioned notification is received. Data Controller's objection must be specific and justifiable. Absence of any objections from Data Controller shall be considered as a consent to the sub-processing.
5.3 Data Processor shall ensure that the sub-processing is lawful and that any and all Sub-Processors under-take and are subject to the same terms and obligations as Data Processor as set out herein.
5.4 Data Processor warrants the legality of its Sub-Processors' processing of personal data. Data Processor shall remain responsible for all acts and omissions of its Sub-Processors, and the acts and omissions of those employed or engaged by Sub-Processors, as if such acts and omissions were performed by Data Processor itself.

6. TRANSFERS OF PERSONAL DATA TO A THIRD COUNTRY

By signing this Data Processing Agreement, Data Controller accepts that Data Processor may transfer per-sonal data to a third country, i.e. a country outside the EEA. Data Processor will be required to ensure that such transfer is at all times lawful, including i.e. that there is an adequate level of protection of the transfer of the personal data.

7. DATA PROCESSOR'S GENERAL OBLIGATIONS

7.1 Data Processor shall apply and comply with the Data Protection Legislation and shall not perform its obliga-tions under the Agreement and the Data Processing Agreement in such a way as to cause Data Controller to breach any of its obligations under applicable Data Protection Legislation.
7.2 Data Processor must assist Data Controller in ensuring compliance with any of Data Controller's obligations pursuant to the Data Protection Legislation, including for instance obligations pursuant to Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the General Data Protection Regulation. Data Processor is entitled to receive separate compensation regarding such assistance and the specific compensation will be agreed upon separately.

8. LIABILITY

Data Processor shall only be liable for the damage caused by processing of personal data where Data Pro-cessor has not complied with obligations of the Data Protection Legislation that are specifically directed to data processors or where Data Processor has acted outside or contrary to lawful instructions of Data Con-troller. Data Processor's total liability towards Data Controller arising from breach of this Data Processing Agreement cannot exceed the total amount paid by Data Controller to Data Processor under the Agreement for the last twelve (12) months.

9. TERMINATION

9.1 This Data Processing Agreement shall automatically terminate upon any termination or expiration of the Agreement.
9.2 The Parties agree that at the termination or expiry of the Agreement and/or the Data Processing Agreement, Data Processor shall, at the choice of Data Controller, (i) return all data processed under the Agreement and/or the data Processing Agreement and any copies thereof to Data Controller, or (ii) delete all data pro-cessed under the Agreement and the Data Processing Agreement and certify to Data Controller that this has been done, including for avoidance of doubt delete such data from any computer, server, and/or any other storage device or media, unless European Union and/or member state law requires storage of such personal data.

10. JURISDICTION AND CHOICE OF LAW

This Data Processing Agreement shall be governed by Danish law. Any disputes arising out of or in connec-tion with the provisions of this Data Processing Agreement shall be submitted to a Danish court.

 

APPENDIX 1 – CATEGORIES OF DATA SUBJECTS, TYPES OF PERSONAL DATA AND PROCESSING ACTIVITIES

This appendix forms an integral part of the Data Processing Agreement and must be filled in by the Parties.

1.  CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA

·       The data subjects are Data Controller's employees.

·       Data Processor processes all categories of personal data about Data Controller's employees in order to provide the Services, thus, Data Processor's processing activities constitute processing of:

o    Ordinary personal data such as name, employee ID no., email, telephone number etc. [Please insert further if relevant.]

o    Sensitive personal data such as data concerning health and/or trade union membership. [Please insert further if relevant.]

o    Data Controller's employees' CPR-numbers.

o    [Other]

 

2. PROCESSING ACTIVITIES

The definition of processing in the General Data Protection Regulation:

 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 The personal data will for instance be subject to collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction etc.



Appendix 2 – LIST OF SUB-PROCESSORS AND LOCATION(S) FOR PROCESSING OF PERSONAL DATA

 

This appendix forms an integral part of the Data Processing Agreement and must be filled in by the Parties.

1. SUB-PROCESSOR(S)

Data Processor is entitled to use the following Sub-Processors:

Name CVR no. Adress Specifications of the
processing of personal data
The processing of data takes place
on the following location(s)
Microsoft 13612870 Kanalvej 7, 2800
Kongens Lyngby
All productions services run
in Azure.
Netherlands
Google 28866984 Sankt Petri Passage 52,
1165 København K
Some services such as speech
to text is handled by Google services.
Netherlands, Denmark,
Finland and Belgium
IBM 28866984 Kongevejen 495 B
2840 Holte
Some virtual machines for model
training are created in IBM Cloud.
Germany