DATA PROCESSING AGREEMENT
RELATE for Teams
STANDARD CONTRACTUAL CLAUSES
Pursuant to Article 28(3) of Regulation 2016/679 (General Data Protection Regulation) with regard to the processing of personal data by the data processor
Between
[NAME]
CVR [CVR-NR]
[ADDRESS]
[ZIP CODE AND CITY]
[COUNTRY]
hereinafter “the controller”
and
PARETIFY ApS
CVR 41710497
Vestergade 29
DK-1456 Copenhagen K
Denmark
hereinafter the “data processor”
each of which is a “party” and together constitute the “parties”
Have agreed the following standard contractual clauses (the clauses) in order to comply with the GDPR and ensure the protection of the privacy and fundamental rights and freedoms of natural persons.
1.0 PREAMBLE
1.1 These clauses set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
1.2 These provisions are designed to ensure the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3 In connection with the provision of PARETIFY RELATE, the data processor processes personal data on behalf of the data controller in accordance with these Terms.
1.4 The provisions take precedence over any similar provisions in other agreements between the parties.
1.5 There are four Appendices to these clauses, and the Appendices form an integral part of the clauses.
1.6 Appendix A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
1.7 Appendix B contains the controller’s conditions for the processor’s use of sub-processors and a list of sub-processors that the controller has approved the use of.
1.8 Appendix C contains the data controller’s instructions regarding the data processor’s processing of personal data, a description of the minimum-security measures that the data processor must implement and how the data processor and any sub-processors are monitored.
1.9 Appendix D contains provisions regarding other activities not covered by the clauses.
1.10 The provisions and appendices shall be kept in writing, including electronically, by both parties.
1.11 These clauses do not release the Data Processor from any obligations imposed on the Data Processor under the GDPR or any other legislation.
2.0 RIGHTS AND OBLIGATIONS OF THE CONTROLLER
2.1 The controller is responsible for ensuring that the processing of personal data is carried out in accordance with the GDPR (see Article 24 of the GDPR), data protection provisions in other EU law or EEA Member State law and these clauses.
2.2 The controller has the right and obligation to decide for which purpose(s) and with which means personal data may be processed.
2.3 The controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to perform.
3.0 THE DATA PROCESSOR ACTS ON INSTRUCTIONS
3.1 The data processor may only process personal data following documented instructions from the data controller, unless required by EU or Member State law to which the data processor is subject. This instruction shall be specified in Appendices A and C. Subsequent instructions may also be given by the controller while processing personal data, but the instruction must always be documented and stored in writing, including electronically, together with these clauses.
3.2 The processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or data protection provisions of other Union or Member State law.
4.0 CONFIDENTIALITY
4.1 The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor’s powers of instruction, who have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed on an ongoing basis. Based on this review, if access to personal data is no longer necessary, access may be closed, and the personal data shall no longer be accessible to these individuals.
4.2 The data processor shall, at the request of the data controller, be able to demonstrate that the persons concerned who are subject to the data processor’s powers of instruction are subject to the aforementioned duty of confidentiality.
5.0 PROCESSING SECURITY
5.1 Article 32 GDPR states that the controller and processor, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risks.
The controller must assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address those risks. Depending on relevance, this may include:
- pseudonymization and encryption of personal data
- the ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing.
5.2 According to Article 32 of the Regulation, the processor shall – independently of the controller – also assess the risks to the rights of natural persons posed by the processing and implement measures to mitigate those risks. For the purposes of this assessment, the controller shall provide the processor with the necessary information to enable it to identify and assess such risks.
5.3 In addition, the data processor shall assist the data controller in its compliance with the data controller’s obligation under Article 32 of the Regulation by, inter alia, providing the data controller with the necessary information regarding the technical and organizational security measures already implemented by the data processor pursuant to Article 32 of the Regulation and any other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.
If addressing the identified risks requires, in the assessment of the controller, the implementation of additional measures to those already implemented by the processor, the controller shall specify the additional measures to be implemented in Appendix C.
6.0 USE OF SUB-PROCESSORS
6.1 The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR to use another data processor (a sub-processor).
6.2 The Data Processor may not use a Sub-Processor to fulfill these clauses without prior general written approval from the Data Controller.
6.3 The Data Processor has the Data Controller’s general approval for the use of sub-processors. The Data Processor shall notify the Data Controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 10 working days’ notice, thereby giving the Data Controller the opportunity to object to such changes prior to the use of the sub-processor(s) in question. Longer notice periods for notification in relation to specific processing operations may be specified in Appendix B. The list of sub-processors already authorized by the controller can be found in Appendix B.
6.4 When the data processor uses a sub-processor to carry out specific processing activities on behalf of the controller, the processor shall, through a contract or other legal act under Union or Member State law, impose on the sub-processor the same data protection obligations as those set out in these clauses, in particular providing appropriate guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these clauses and the GDPR.
The Data Processor is therefore responsible for requiring the Sub-Processor to, as a minimum, comply with the Data Processor’s obligations under these clauses and the GDPR.
6.5 Sub-processor agreement(s) and any subsequent amendments thereto shall – at the request of the data controller – be sent in copy to the data controller, which thereby has the opportunity to ensure that similar data protection obligations arising from these clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection law content of the sub-processor agreement shall not be sent to the controller.
6.6 In its agreement with the sub-processor, the data processor must include the data controller as a third party beneficiary in the event of the data processor’s bankruptcy so that the data controller can subrogate itself to the data processor’s rights and enforce them against sub-processors, which, for example, enables the data controller to instruct the sub-processor to delete or return the personal data.
6.7 If the sub-processor does not fulfill its data protection obligations, the processor remains fully liable to the controller for the fulfillment of the sub-processor’s obligations. This shall be without prejudice to the rights of data subjects resulting from the GDPR, in particular Articles 79 and 82 thereof, vis-à-vis the controller and the processor, including the sub-processor.
7.0 TRANSFER TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
7.1 Any transfer of personal data to third countries or international organizations may only be made by the data processor on the basis of documented instructions from the data controller and must always be in accordance with Chapter V of the General Data Protection Regulation.
7.2 Where the transfer of personal data to third countries or international organizations, which the processor has not been instructed to carry out by the controller, is required by Union or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such notification for reasons of important public interest.
7.3 Without documented instructions from the data controller, the data processor may not within the scope of these clauses:
- transfer personal data to a controller or processor in a third country or an international organization
- entrust the processing of personal data to a sub-processor in a third country
- process the personal data in a third country
7.4 The controller’s instructions regarding the transfer of personal data to a third country, including any transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, shall be specified in Appendix C.6.
7.5 These clauses shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR and these clauses shall not constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.
8.0 ASSISTANCE TO THE CONTROLLER
8.1 The data processor shall, taking into account the nature of the processing, assist the controller as far as possible by means of appropriate technical and organizational measures in fulfilling the controller’s obligation to respond to requests for the exercise of data subjects’ rights as set out in Chapter III of the GDPR.
This means that the data processor must, as far as possible, assist the data controller in ensuring compliance with:
- the information obligation when collecting personal data from the data subject
- the duty of disclosure if personal data has not been collected from the data subject
- the right of access
- the right to rectification
- the right to erasure (“right to be forgotten”)
- the right to restriction of processing
- the obligation to notify in connection with rectification or erasure of personal data or restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing, including profiling
8.2 In addition to the Data Processor’s obligation to assist the Data Controller under Clause 6.3, the Data Processor shall, considering the nature of the processing and the information available to the Data Processor, also assist the Data Controller with
- the obligation of the controller to report the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
- the controller’s obligation to notify the data subject without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of natural persons
- the controller’s obligation to analyze the impact of the intended processing operations on the protection of personal data prior to processing (a data protection impact assessment)
- the controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing if a data protection impact assessment shows that the processing would result in high risk in the absence of measures taken by the controller to mitigate the risk
8.3 The parties shall specify in Appendix C the necessary technical and organizational measures with which the data processor shall assist the data controller and to what extent and scope. This applies to the obligations arising from Clauses 9.1 and 9.2.
9.0 PERSONAL DATA BREACH NOTIFICATION
9.1 The Data Processor shall without undue delay notify the Data Controller after becoming aware that a personal data breach has occurred.
9.2 The Data Processor’s notification to the Data Controller shall, if possible, take place no later than 48 hours after it has become aware of the breach so that the Data Controller can comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.
9.3 In accordance with Clause 9.2.a, the Processor shall assist the Controller in making the breach notification to the competent supervisory authority. This means that the processor shall assist in providing the following information, which, according to Article 33(3), shall be included in the controller’s notification of the breach to the competent supervisory authority:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected
- the likely consequences of the personal data breach
- the measures that the controller has taken or proposes to take to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.
9.4 The parties shall specify in Appendix C the information that the Processor shall provide when assisting the Controller in its obligation to notify personal data breaches to the competent supervisory authority.
10.0 DELETION OF INFORMATION
10.1 Upon termination of the personal data processing services, the data processor is obliged to delete all personal data that has been processed on behalf of the data controller and confirm to the data controller that the data has been deleted.
10.2 The Data Processor undertakes to process the personal data only for the purpose(s), for the period and under the conditions prescribed by these rules.
11.0 AUDIT, INCLUDING INSPECTION
11.1 The Data Processor shall provide the Data Controller with all information necessary to demonstrate compliance with Article 28 of the GDPR and these clauses and shall allow for and contribute to audits, including inspections, carried out by the Data Controller or another auditor authorized by the Data Controller.
11.2 The Data Processor shall be obliged to grant supervisory authorities that have access to the Data Controller’s or Data Processor’s facilities under applicable legislation, or representatives acting on behalf of the supervisory authority, access to the Data Processor’s physical facilities against proper identification.
12.0 AGREEMENT OF THE PARTIES ON OTHER MATTERS
12.1 The parties may agree on other provisions concerning the Service regarding the processing of personal data, such as liability for damages, as long as these other provisions do not directly or indirectly conflict with the clauses or impair the data subject’s fundamental rights and freedoms under the GDPR.
13.0 COMMENCEMENT AND TERMINATION
13.1 The Provisions shall enter into force on the date of signature by both parties hereto.
13.2 Either party may demand renegotiation of the clauses if changes in legislation or inadequacies in the clauses give rise to this.
13.3 The clauses are valid for the duration of the Personal Data Processing Service. During this period, the Terms cannot be terminated unless other provisions governing the provision of the Personal Data Processing Service are agreed between the parties.
13.4 If the provision of the Personal Data Processing Services ceases and the Personal Data has been deleted or returned to the Controller in accordance with Clause 11.1 and Schedule C.4, the clauses may be terminated with written notice by either party.
13.5 Signature
On behalf of the data controller
[NAME]
[POSITION]
[PHONE NUMBER]
[E-MAIL]
Your signature
On behalf of the data processor
Christopher Sachse Aaris
CEO
+4542940142
christopher@PARETIFY.com
Your signature
14.0 CONTACT PERSONS AT THE CONTROLLER AND PROCESSOR
14.1 The parties can contact each other via the contact persons below.
14.2 The parties are obliged to continuously inform each other of changes regarding contact persons.
For the data controller:
[NAME]
[POSITION]
[PHONE NUMBER]
[E-MAIL]
For the data processor:
Morten Raahauge
CXO/COO
(+45) 6083 4946
morten@PARETIFY.com
APPENDIX A: INFORMATION ABOUT THE PROCESSING
The data processor collects from the data controller certain information about the data controller’s employees in order to secure user access (login) to the system and, through segmentation, to facilitate accurate data visualization.
A1 Purpose of the data processor’s processing of personal data on behalf of the controller
The purpose of processing personal data is to ensure the controller’s ability to track employee engagement and to present data in a way that is meaningful to the organization while ensuring action orientation at any level, including individual level.
A2. The data processor’s processing of personal data on behalf of the data controller primarily concerns (the nature of the processing)
Setting up the solution (system) for use by the controller.
A3. The processing includes the following types of personal data of the data subjects
The data processor collects the following information:
Regarding system access (login):
a. First name
b. Last name
In relation to segmentation:
1. Role/title
2. Our team
3. Department
4. Division
5. Manager (nearest)
6. Country
7. Location
8. Gender
9. Birthday (date/month/year)
10. Seniority (employment date)
11. Pay grade
12. Monthly salary
13. Type of employment
Personally identifiable data (items a, b and c) is collected solely to ensure system access (login).
Information regarding identification and segmentation is all optional and any disclosure of information is completely at the data controller’s own initiative and discretion. In other words, there is no requirement to provide a full data set to initiate a project.
A4. The processing includes the following categories of data subjects.
All persons included in the dataset are employees (workers) of the controller (in the controller’s organization).
A5. The data processor’s processing of personal data on behalf of the data controller may commence after the entry into force of these clauses. The processing has the following duration:
As long as the controller maintains a customer (contractual) relationship with the processor.
APPENDIX B: SUB-PROCESSORS
B1. Approved sub-processors
Upon entry into force of the Regulations, the Controller has authorized the use of the following sub-processors (hosting):
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany
DE812871812
The Data Processor shall notify the Data Controller of any planned changes regarding replacement (substitution) of sub-processor(s) and thereby give the Data Controller the opportunity to object to such a change within 10 working days.
APPENDIX C: INSTRUCTIONS REGARDING THE PROCESSING OF PERSONAL DATA
C1 Subject matter/instruction of the processing
The data processor’s processing of personal data on behalf of the data controller takes place by the data processor performing the following:
The Data Processor sets up the solution for use by the Data Controller based on the information provided by the Data Controller. The segmentation dataset (items 1-13 in Appendix A3) is updated on the last Thursday of each month to ensure that the solution correctly reflects the organizational structure at all times.
In the same workflow, datasets for employees who have left the controller’s organization are deleted. This includes all personally identifiable information used for login (items a, b and c in Appendix A3).
C2. Processing security
The data processor’s processing of personal data on behalf of the data controller must be carried out in a manner that ensures the lowest possible overall risk to the data subjects.
The risk of violations of the data subjects’ freedom and other rights is assessed to be low.
C.3 Retention period/deletion routine
Personal data is only stored for as long as the controller maintains a customer (contractual) relationship with the processor, after which it is deleted by the processor.
APPENDIX D: SECURITY BREACH NOTIFICATION
In the event of a data breach, the data processor must report the following information to the data controller within 24 hours:
Date and time
The personal data breach was detected on [date], [time]
The circumstances of the data breach
The breach is due to [the circumstances of the data breach]
Scope
If it is possible to determine:
[Categories and approximate number of data subjects involved]
[Categories and approximate number of personal data involved]
Other information
At this stage, it is noted that [additional information that may be useful for the controller’s assessment of the implications of the data breach].
Handling
In order to limit the scope and consequences of the breach, we have so far [actions taken by the Data Processor to address the personal data breach, including measures taken to limit any adverse effects].