Data processing agreement

  1. Definitions and interpretation

    1. As used and defined herein, the following terms have the following meanings:
    2. "Data Protection Legislation" means the data protection legislation applicable in Denmark at any given time, currently Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Danish Data Protection Act (Databeskyttelsesloven) and other specific national rules, including but not limited to laws, regulations and binding guidelines from authorities applicable to the processing of personal data. 
    3. "Personal Data" means any information relating to an identified or identifiable natural person. Where Confidential Information other than Personal Data is processed under the Agreement, any reference to Personal Data also includes such other Confidential Information. 
    4. "Services" means the products and/or services to be delivered/provided by the Processor under the Agreement (as defined below).
    5. Any reference to a statutory provision shall be deemed to include any subsequent re-enactment or amendment of provisions.

  2. Background information

    1. The parties have entered into the easyrate ApS Terms of Use (hereinafter referred to as the "Agreement"). As part of the provision of the Services, the Processor will process personal data on behalf of the Controller.
    2. The parties now wish to enter into this agreement in order to regulate the processor's processing of personal data and to ensure that such processing takes place in accordance with data protection legislation.

  3. General requirements

    1. The Processor may only process the Personal Data in accordance with the Controller's documented written instructions. The data processing tasks that the Processor performs on behalf of the Controller under this Agreement are set out in Appendix 1.
    2. The Processor is entitled to process the Personal Data only for the purpose of providing the Services and only to the extent and in the manner necessary to provide the Services. 
    3. If the Processor is a legal entity, the provisions of this Agreement apply to all employees of the Processor. The Processor warrants that its employees comply with this Agreement.

  4. Disclosure of personal data

    1. The Processor shall not in any way alter, modify or change the content of the Personal Data or disclose the Personal Data to any third party, unless 1) otherwise expressly stated in this Agreement; 2) the Controller has otherwise authorized and/or instructed the Processor in writing to do so; and/or 3) such disclosure is required by applicable law to which the Processor is subject.
    2. If the disclosure falls under clause 4.1(3), the Processor must notify the Controller prior to the commencement of the processing of the Personal Data, unless notification of the Controller is prohibited by Union or Member State law to which the Processor is subject.

  5. Security

    1. The Processor shall implement appropriate technical and organizational security measures to protect the Personal Data against unauthorized or unlawful processing and against accidental or unlawful loss, destruction, damage, alteration or disclosure.  
    2. When determining appropriate technical and organizational security measures, the processor must take into account the state of the art and technical developments, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. 
    3. The Processor must comply, and ensure that its employees comply, with the specific data security requirements applicable to the Processor, including but not limited to (i) any security measure requirements notified in writing to the Processor, (ii) the Processor's own internal security standards and (iii) the national security requirements of the country where the Processor is established or the country where the data processing takes place.
    4. The Processor shall keep the Personal Data confidential. The Processor shall take reasonable steps to ensure that any employee, agent or contractor who has access to the Personal Data is reliable and trustworthy, and that they are all subject to confidentiality obligations, professional secrecy or statutory confidentiality obligations. The Processor shall also ensure in each case that access is strictly limited to those persons who need access to the relevant Personal Data to perform the tasks assigned to them by the Processor and that this is strictly necessary for the provision of the Services, and that all such persons: (i) are informed of the confidential nature of the Personal Data; (ii) have received appropriate training in relation to data protection legislation; and (iii) are aware of the Processor's obligations under this Agreement.
    5. The physical location of the Processor's servers, service centers, etc. used in connection with the data processing is set out in Appendix 1 to this Agreement. Changes to the physical location shall be notified to the Controller in writing no later than 30 days prior to such change.

  6. Transfer of personal data to third countries

    1. The Processor shall not process or access the Personal Data from or transfer the Personal Data to any third country without the prior written consent of the Controller. 
    2. If the controller has given its written consent to a transfer of personal data to a third country, the processor must ensure that the transfer is made on a lawful basis, e.g. European Commission Model Contract for the Transfer of Personal Data to Third Countries, before such transfer may be made by the processor.

  7. Assistance

    1. The processor shall assist the controller in handling requests from data subjects in connection with the exercise of their rights under data protection legislation, including but not limited to requests for access, rectification, restriction of processing, erasure or data portability.
    2. The processor shall, without undue delay after becoming aware of it, inform the controller in writing of any request from a data subject to exercise their rights received directly from the data subject or from a third party. 
    3. The Processor shall implement appropriate technical and organizational measures to assist the Controller in fulfilling its obligation to respond to such requests from data subjects. The Processor shall provide any information requested by the Controller within a reasonable time specified by the Controller.
    4. The Processor shall, immediately upon becoming aware thereof, notify the Controller in writing of any suspected or confirmed (i) Personal Data Breach; (ii) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data processed by the Processor under this Agreement; or (iii) any other failure to comply with the Processor's obligations under this Agreement. The Processor shall cooperate with and assist the Controller in connection with the handling of the Personal Data Breach. All data recovery costs shall be paid by the Processor.
    5. The processor shall assist the controller in fulfilling any other obligations incumbent on the controller under data protection law, including, but not limited to, providing the controller, upon request, with all necessary information required to conduct a DPIA.
    6. Processor shall be entitled to separate compensation for services performed pursuant to this clause 7 in accordance with Processor's standard hourly rates from time to time.

  8. Sub-processing

    1. The Processor may appoint a third party to process Personal Data on behalf of the Processor ("Sub-Processor") without the prior written consent of the Controller, provided that two months' prior notice of such appointment is given.
    2. The Processor's appointment of Sub-Processors under clause 8.1 is conditional upon the Processor (1) performing adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for the processing of Personal Data required by this Agreement and Data Protection Legislation; (2) including terms in the contract between the Processor and each Sub-Processor that, as a minimum, impose on the Sub-Processor the same obligations as those imposed on the Processor under this Agreement; and (3) remaining fully liable to the Controller for any failure of a Sub-Processor to fulfill its obligations regarding the processing of Personal Data.
    3. The Controller has the right to receive a list of Sub-Processors at any time upon request.
    4. The controller has the right to receive, upon request, a copy of the parts of the processor's contract with the sub-processor that relate to the sub-processor's obligations regarding the processing of personal data.

  9. Compliance with legislation etc.

    1. The controller is obliged to ensure that there is a legal basis for the processing of the personal data specified in the controller's instructions to the processor set out in Appendix 1. If the processor considers that an instruction constitutes a breach of data protection legislation, the processor shall immediately notify the controller in writing.
    2. The Controller acknowledges that the Processor relies on the Controller for instructions regarding the extent to which the Processor is authorized to use and process the Personal Data on behalf of the Controller. Accordingly, the Processor shall not be liable for any claims brought by a data subject as a result of the Processor's act or omission, to the extent that such act or omission was a direct result of the performance of the Services in accordance with the Controller's instructions.

  10. Compliance audits and statements

    1. At the request of the controller, the processor shall, within a reasonable time, provide all information necessary for the controller, a third-party auditor appointed by the controller, or a public authority to verify compliance with this agreement and/or data protection legislation.
    2. The Processor is obliged to cooperate once a year, with reasonable written notice, in any compliance audit, inspection and/or review conducted by the Controller, a third party auditor appointed by the Controller, or a public authority in relation to the processing of Personal Data under this Agreement carried out by the Processor and any Sub-Processors.
    3. The controller has the right to appoint an independent expert at its own expense to have access to the processor's physical premises where the personal data is processed and to obtain the information necessary to verify whether the processor is fulfilling its obligations under this agreement and data protection legislation. At the Processor's request, the Independent Expert shall sign a customary confidentiality undertaking.
    4. Processor will not receive any separate compensation for services performed in connection with this clause 10 in accordance with Processor's standard hourly rates from time to time.

  11. Duration and termination

    1. This Agreement shall enter into force as of the effective date of this Agreement and shall remain in force until terminated. 
    2. Either party has the right to terminate this agreement on the same terms and conditions that apply to the agreement.
    3. This agreement shall apply between the parties for as long as the processor processes personal data on behalf of the controller.
    4. Upon termination of this Agreement for any reason, the Processor shall 1) with the exception of paragraph 3) below, cease processing the Personal Data; 2) at the request of the Controller, (i) return to the Controller all Personal Data in its possession or control and all copies thereof, or (ii) destroy all copies thereof and certify to the Controller that it has done so, unless the Processor is prevented by applicable law or any public authority from destroying or returning all or part of the Personal Data, in which case the Processor shall keep such data confidential, continue to process it in accordance with the terms of this Agreement and not perform any processing other than as necessary to comply with the requirements of such applicable law or relevant public authority; and 3) upon the Controller's request and for a specific fee, provide the Controller with necessary transition services, including cooperating in good faith, to the extent required and as quickly as possible, to facilitate the transfer of the performance of the data processing to a new processor or back to the Controller.
    5. If the Processor has not received any instructions from the Controller to return or delete the Personal Data one month after the termination of this Agreement, the Processor has the right to delete the Personal Data.
    6. Upon termination of this Agreement for any reason, clauses 5.4, 9.2, 11.3 and 16 shall continue in force indefinitely.

  12. Assignment

    1. Except as set out in clause 8, the Processor shall not assign or otherwise transfer (or attempt to do so) any or all of the Processor's rights or obligations under this Agreement to any third party without the prior written consent of the Controller.

  13. Entire agreement

    1. The parties agree that this Agreement constitutes the entire agreement and understanding between the parties with respect to the subject matter of this Agreement and supersedes all prior agreements between the parties with respect to the subject matter of this Agreement.
    2. In the event of any discrepancy between the provisions of this Agreement and the provisions of the Contract or any other written or oral agreement between the parties, the provisions of this Agreement shall prevail. Notwithstanding the above, the provisions of this Agreement shall not apply where the Processor is subject to more stringent obligations, such as when using the European Commission model contract for the transfer of personal data to third countries.

  14. Amendments

    1. The terms, provisions, obligations or conditions of this Agreement may not be waived or modified except by a written instrument signed by both parties.
    2. If any provision of this Agreement is or becomes illegal, invalid or unenforceable, such provision must be severed from the remaining terms, which will continue to be valid and enforceable to the fullest extent permitted by law.

  15. Notices

    1. All notices required under this Agreement must be in writing.

  16. Applicable law

    1. This Agreement shall be governed by and construed in accordance with Danish law, without regard to its conflict of law rules.
    2. The competent court for any disputes arising out of or in connection with this Agreement shall be Copenhagen District Court. 

Appendix 1 to the data processing agreement

DESCRIPTION OF THE PROCESSING OF PERSONAL DATA

This appendix constitutes the controller's instructions to the processor.

Subject matter and duration of the processing

The Controller hereby instructs the Processor to identify, collect, aggregate, process and store personal data, as specified in this Data Processing Agreement, received directly from the Controller through technical system integrations using the code provided by the Processor, through manual import via the Processor's platform, or through the APIs provided by the Processor, and to use this data for the purpose of analyzing the behavior of the Controller's users (data subjects) and for service delivery. Service delivery includes, but is not limited to, communicating with the Controller's users in the Controller's name, in accordance with the Controller's configuration of the Service.

Upon termination of this Agreement, the Personal Data shall be irrevocably deleted so that it is no longer possible to uniquely identify natural persons.

Nature and purpose of the processing

The data processor is entitled to collect and process the personal data for the following purposes:

(i) calculation of a profit overview and similar services as described in the Agreement and on the easyrate ApS website,

(ii) delivery of conversion and event data for ad optimization via the Facebook, Instagram, Google and Bing ad networks and similar,

(iii) other purposes specified in writing by the data controller.

Categories of personal data

The processing involves personal data in the categories described below. The security measures implemented by the processor and any sub-processors must provide a level of security appropriate to the risk represented by the sensitivity of the personal data.

- Basic personal data (Article 6 of the General Data Protection Regulation):
  - Identifiers (email address, first and last name or addresses)
  - IP address of the device (stored in anonymized format)
  - Device screen resolution, operating system, browser type
  - Geographical location
  - Pages visited
  - Orders placed
  - Referring URLs and domains

Categories of data subjects

- Online customers of the Controller.

Location(s) of data processing facilities

- All sub-processor locations (as listed below)

Sub-processors

The Controller consents to the use of the following sub-processors:
Sub-processor    Processing location (country)
Server4you       Germany
Amazon AWS       Ireland

The Processor will share the Personal Data with advertising networks such as Facebook, Instagram, Google and Bing in accordance with the Controller's configuration of the Service. The Controller is responsible for its own relationship with these advertising networks, and they are therefore not considered sub-processors.

Appendix 2 to the data processing agreement

DESCRIPTION OF THE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This appendix contains a description of the technical and organizational security measures that the Processor is obliged under the Data Processing Agreement to implement and follow, and to ensure that its Sub-Processors follow.

The Processor shall as a minimum implement the following technical and organizational security measures to ensure an adequate level of protection.

In addition to the above, the following specific security measures are implemented:

  • Access and identity management (IAM): roles with elevated access rights are clearly defined and assigned only to a limited number of specific employees.
  • IT resources are reviewed and updated at least once a year. 
  • Change management procedures
  • Procedures for reporting and handling data breaches, including data breach registration along with details of the incident and subsequent actions taken. In addition, specific personnel are designated with the necessary responsibility, authority and competence to manage business continuity in the event of an incident/data breach. 
  • All employees understand their responsibilities and obligations in relation to the processing of personal data. Roles and responsibilities are clearly communicated during the hiring process and/or induction process. Employees involved in processing personal data are bound by specific confidentiality clauses (according to their employment contract or other legal document). 
  • Training of employees. 
  • User passwords are stored in hashed form.
  • Logging of relevant IT systems. 
  • Database and application servers are configured in a secure manner and process only the personal data that is actually needed to achieve the processing purposes. 
  • When accessed via the internet, communication is encrypted using cryptographic protocols (TLS/SSL), unless the controller requests otherwise. 
  • The information system network is separated from the processor's other networks and, where applicable, the IT system is only accessed via pre-authorized devices. 
  • Full backups are performed regularly. 
  • Where relevant, secure development practices, frameworks or standards are followed, and secure coding standards and practices are followed. Information about technical vulnerabilities in the information system is collected. 
  • Multiple rounds of software-based overwriting are performed on all server media before they are discarded. 
  • The physical environment of the IT system infrastructure is not accessible to unauthorized personnel. 

Please note that easyrate ApS may use financial data about your company on a pseudonymized level to generate aggregated statistical information. The aggregated statistical information may be shared with third parties (including publicly), but neither your company nor information about your company will be identifiable. Furthermore, as this data relates to company financial data, it falls outside the scope of the aforementioned data processing agreement.