Data Processing Agreement
The following data processing agreement (hereinafter the “Data Processing Agreement” or this “Agreement”) is entered into between you (“the Controller”) and Flex Media (“the Processor”).
The Controller and the Processor are individually referred to as “Party” and collectively as the “Parties”.
Kuldyssen 10, 1. Fl.
Tel. +45 48 17 66 66
1. DEFINITIONS AND INTERPRETATION
As used and defined herein, the following terms have the following meanings:
“Data Protection Legislation” means the data protection legislation applicable at any given time in Denmark, including without limitation any statutes, rules and binding guidelines from public authorities applicable to the processing of Personal Data.
“Personal Data” means any kind of information relating to an identified or identifiable natural person. If confidential data other than Personal Data is processed under the Agreement, any reference to Personal Data includes also such other confidential data.
“Services” means the products and/or services to be supplied/provided by the Processor under the Contract (as defined below).
Any reference to a legislative provision will be deemed to include any subsequent re-enactment or amending provision.
2.1 This Agreement forms an integral part of the agreement concerning the provision of website development services, marketing services, maintenance services, support services, webhosting services, cloud services and/or other services provided to the Controller by or on behalf of the Processor in relation to the Controller’s website platform and/or marketing platform and/or other platform (hereinafter the “Contract”). As part of the provision of the Services, the Processor may process Personal Data on behalf of the Controller.
2.2 This Agreement has been entered into by the Parties in order to regulate any such processing of Personal Data by the Processor and to ensure that such processing is carried out in compliance with the Data Protection Legislation.
3. GENERAL REQUIREMENTS
3.1 The Processor may process the Personal Data only in compliance with this agreement and in compliance with the Controller’s documented written instructions for further processing.
3.2 The data processing operations performed by the Processor on behalf of the Controller under this Agreement are the processing of Personal Data that may occur in connection with the provision of the Services rendered under the Contract, including but not limited to website development services, marketing services, maintenance services, support services, webhosting services, cloud services and/or other services. The Personal Data processed under this Agreement is the data processed by the Controller on their website platform and/or marketing platform and/or other platform, including but not limited to customer data and transactional data. The Processor will not process special categories of Personal Data (Sensitive) and/or Personal Data relating to criminal convictions or offences on behalf of the Controller under this Agreement.
3.3 The Processor is entitled to process the Personal Data only for the purpose of providing the Services and only to such an extent and in such a manner as is necessary in order to provide the Services.
3.4 If the Processor is a legal person, the provisions of this Agreement apply to every employee of the Processor. The Processor guarantees that its employees comply with this Agreement.
4. PERSONAL DATA
In order to provide the services, the Processor has access to platforms owned by the Controller and/or the Controller’s Social Media and/or Marketing accounts and/or other platforms and accounts controlled by the Controller.
These systems give the Processor access to the following personal data, which the Processor can process under this agreement:
- IP addresses
- Telephone numbers
- E-mail addresses
- Webshop orders
- Website behaviour
The purpose of the processing is for the Processor to be able to deliver the services.
The data processed is the data of visitors to the Controller’s website, the Controller’s mail list recipients, and/or pictures, videos and/or contact persons named by the Controller.
The Processing of the data continues as long as the contract is in force.
If the Processor is not storing data for the Controller, all the data is on the Controller’s platforms and accounts, and as such the issue of location of storage of data rests with the Controller.
Upon termination of the agreement the Processor will delete usernames and passwords after 1 month. The processor is strongly advised to change these upon termination of this agreement.
If the Processor is not storing data for the Controller, the data is stored within the EU. The data will be deleted 1 month upon termination of the agreement.
5. DISCLOSURE OF PERSONAL DATA
5.1 The Processor may not in any way modify, amend or alter the contents of the Personal Data or disclose the Personal Data to any third party, unless
1) explicitly provided for in this Agreement;
2) the Controller has otherwise authorized and/or instructed the Processor in writing to do so; and/or
3) such disclosure is required by applicable legislation to which the Processor is subject.
5.2 If the disclosure falls within clause 5.1.3), the Processor must notify the Controller thereof before commencing the processing of the Personal Data, unless notification of the Controller is prohibited under Union law or the Member State law to which the Processor is subject.
6.1 The Processor must implement appropriate technical and organizational security measures to protect the Personal Data against unauthorized or unlawful processing and against accidental or unlawful loss, destruction, damage, alteration or disclosure.
6.2 When determining the appropriate technical and organizational security measures, the Processor must take account of the current available technology and technological developments; the costs of implementation; the nature, scope, context and purposes of the processing; and the risks of varying likelihood and severity for rights and freedoms of natural persons.
6.3 The Processor must comply with and ensure compliance by its employees with the data security requirements applying to the Processor, including without limitation (i) all security measure requirements notified to the Processor in writing, (ii) the Processor’s own internal security standards, and (iii) the national security measure requirements of the country in which the Processor is established, or in the country where the data processing takes place.
6.4 The Processor must keep the Personal Data confidential. The Processor must take reasonable steps to ensure that every employee, agent or contractor who has access to the Personal Data is reliable and trustworthy, and that they are all subject to confidentiality undertakings, professional secrecy or statutory non-disclosure obligations. The Processor must also ensure in each case that access is strictly limited to those persons who need to access the relevant Personal Data to carry out the duties assigned to them by the Processor, and that this is strictly necessary for the provision of the Services, and that all such persons:
(i) are informed of the confidential nature of the Personal Data; (ii) have received appropriate training in relation to the Data Protection Legislation; and (iii) are aware of the Processor’s obligations under this Agreement.
7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
7.1 The Processor may process or access the Personal Data from or transfer the Personal Data to any third country in accordance with the requirements set out in clause 9.
7.2 If Personal Data is transferred to a third country, the Processor must ensure that the transfer is made on a legal basis, e.g. the European Commission model contracts for the transfer of personal data to third countries, before such transfer may be made by the Processor.
8.1 The Processor must assist the Controller in dealing with requests from data subjects in connection with the data subject’s exercise of his/her rights under the Data Protection Legislation, including without limitation requests for access, rectification, restriction of processing, deletion or data portability.
8.2 The Processor must, without undue delay after becoming aware thereof, notify the Controller in writing of any request from a data subject for the exercise of his/her rights received directly from the data subject or from a third party.
8.3 The Processor must implement adequate technical and organizational measures to assist the Controller in the performance of its obligation to respond to such data subject requests. The Processor must provide all information requested by the Controller within one month upon receipt of the request.
8.4 The Processor must, immediately upon becoming aware thereof, notify the Controller in writing of any suspected or confirmed (i) personal data breach; (ii) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Processor under this Agreement; or (iii) any other non-compliance with the Processor’s obligations under this Agreement. The Processor must cooperate with and provide assistance to the Controller in connection with the management of the personal data breach.
8.5 The Processor must assist the Controller in complying with any other obligations imposed on the Controller under the Data Protection Legislation, including without limitation upon request providing the Controller with all necessary information required to make an impact assessment.
8.6 The Processor will receive remuneration for the services rendered in relation to this clause 7 in accordance with the Processor’s standard hourly rates from time to time.
9.1 The Processor may appoint any third party to process Personal Data on behalf of the Processor (“Sub-Processor”) without the prior written consent of the Controller.
9.2 The Processor’s appointment of Sub-Processors under clause 9.1 is conditional upon the Processor
1) carrying out adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for the processing of Personal Data as is required by this Agreement and the Data Protection Legislation;
2) including terms in the contract between the Processor and each Sub-Processor which, at a minimum, impose the same obligations on the Sub-Processor as those imposed on the Processor under this Agreement; and
3) remaining fully liable to the Controller for any failure by any Sub-Processor to perform its obligations in relation to the processing of Personal Data.
9.3 The Processor is obliged to inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors. A comprehensive list of the Sub-Processors appointed by the Processor is available at www.flex-media.dk/gdpr.
9.4 The Controller is entitled, upon demand, to receive a copy of those parts of the Processor’s contract with the Sub-Processor which concern the Sub-Processor’s obligations relating to the processing of Personal Data under this Agreement.
10. COMPLIANCE WITH LEGISLATION, LIABILITY ETC.
10.1 The Controller is obliged to ensure that there is a legal basis for the processing of the Personal Data contained in the Controller’s instructions to the Data Processor.
10.2 The Controller acknowledges that the Processor is reliant on the Controller for direction as to the extent to which the Processor is entitled to use and process the Personal Data on behalf of the Controller. Consequently, the Processor will not be liable for any claim brought by a data subject arising from any action or omission by the Processor, to the extent that such act or omission resulted directly from performing the Services in accordance with the Controller’s instructions.
10.3 The limitations on the Processor’s liability applicable under the Contract are also applicable under this Agreement.
11. COMPLIANCE AUDITS AND STATEMENTS
11.1 At the request of the Controller, the Processor must, within a reasonable time, provide all information necessary for the Controller, a third-party auditor mandated by the Controller, or a public authority to verify compliance with this Agreement and/or the Data Protection Legislation.
11.2 The Processor is obliged, once a year with a written notice of no less than 8 weeks, to cooperate in such compliance audit, inspection and/or review carried out by the Controller, a third-party auditor mandated by the Controller, or by a public authority concerning the processing of Personal Data under this Agreement undertaken by the Processor and any Sub-Processors.
11.3 If the Processor considers an instruction under this clause 11 to constitute a breach of the Data Protection Legislation, the Processor must promptly notify the Controller thereof in writing.
11.4 Each calendar year, the Processor will deliver a statement prepared by the Processor which demonstrates that the requirements of the Data Protection Legislation are complied with. The statement will be made available to the Controller on www.flex-media.dk/gdpr.
11.5 If the statement indicates any failure in connection with the Processor’s processing of Personal Data to comply with the Data Protection Legislation, the Processor must without undue delay remedy such failure.
11.6 The Processor will receive remuneration for the services rendered in relation to this clause 11 in accordance with the Processor’s standard hourly rates from time to time, save for the services rendered under clauses 11.4 and 11.5 for which no separate remuneration applies.
12. DURATION AND TERMINATION
12.1 This Agreement takes effect on the effective date of the Contract and will remain in effect until the Contract is terminated.
12.2 Both Parties are entitled to terminate this Agreement for convenience on the same terms as those which apply to the Contract.
12.3 This Agreement is to apply as between the Parties for as long as the Processor processes Personal Data on behalf of the Controller.
12.4 Upon termination of this Agreement, for whatever reason, the Data Processor must
1) with the exception of paragraph 3) below, cease processing the Personal Data;
2) as requested by the Controller, (i) return to the Controller all Personal Data which is in its possession or control and all copies thereof, or (ii) destroy all copies of the same and certify to the Controller that it has done so, unless the Processor is prevented by applicable law or any public authority from destroying or returning all or part of the Personal Data, in which case the Processor must keep such data confidential, continue to process them in accordance with the terms of this Agreement and must not perform any processing other than what is necessary in order to comply with the requirements of such applicable law or the relevant public authority; and
3) at the Controller’s request against a special charge, provide the necessary transitional services to the Controller, including cooperating in good faith and as quickly as possible to facilitate the transfer of the performance of the data processing to a new data processor or back to the Controller.
12.5 If the Data Processor has not received any instructions regarding the return or the deletion of the Personal Data from the Controller one month after the termination of this Agreement, the Data Processor is entitled to delete the Personal Data.
12.6 Upon termination of this Agreement, for whatever reason, clauses 10.2, 12.3 and 17 will remain in effect indefinitely.
13.1 Except as provided for in clause 9, the Processor may not assign or otherwise transfer any or all of the Processor’s rights or obligations under this Agreement to any third party (or attempt to do so) without the prior written consent of the Controller.
14. ENTIRE AGREEMENT
14.1 The Parties agree that this Agreement constitutes the entire agreement and understanding between the Parties in respect of the subject matter hereof and supersedes any previous agreement between the Parties relating to the subject matter hereof.
14.2 In the event of any discrepancy between the provisions of this Agreement and the provisions of the Contract, the provisions of the Contract will prevail. Notwithstanding the above, the provisions of this Agreement will not apply where the Processor is subject to stricter obligations, e.g. when using the European Commission model contracts for the transfer of personal data to third countries.
15.1 The terms, provisions, obligations or conditions of this Agreement may not be waived or amended except by a written instrument signed by both Parties.
15.2 If any provision of this Agreement is or becomes illegal, void, invalid or unenforceable, such provision must be severed from the other terms and conditions, which will continue to be valid and enforceable to the fullest extent permitted by law.
16.1 All notices required to be given under this Agreement must be in writing or published at www.flex-media.dk/gdpr.
17. GOVERNING LAW
17.1 This Agreement is governed by and will be construed in accordance with Danish law, without regard to its conflict of laws rules.
17.2 Any disputes arising out of or relating to this Agreement must be settled by arbitration administered by the Danish Institute of Arbitration in accordance with the rules of arbitration procedure adopted by the Danish Institute of Arbitration and in force at the time when such proceedings are commenced.