Data Processing Agreement
Version dated 3/12-2021
1
Data Processing Agreement preamble
1.1
This Data Processing Agreement sets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller.
1.2
This Data Processing Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of a data processing agreement.
1.3
The Data Processor’s processing of personal data shall take place for the purposes of fulfilment of the Parties’ main agreement for providing services between the Data Controller and Data Processor, hereinafter the ‘Master Agreement’.
1.4
The Data Processing Agreement and the Master Agreement shall be interdependent and cannot be terminated separately. The Data Processing Agreement may however – without termination of the Master Agreement – be replaced by an alternative valid data processing agreement.
1.5
This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the Master Agreement or any Terms and Conditions.
1.6
Three appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.
1.7
Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
1.8
Appendix B of the Data Processing Agreement contains the Data Controller’s terms and conditions that apply to the Data Processor’s use of Sub-Processors and a list of Sub-Processors approved by the Data Controller.
1.9
Appendix C of the Data Processing Agreement contains instructions on the processing that the Data Processor is to perform on behalf of the Data Controller (the subject of the processing), the minimum security measures that are to be implemented and how inspection with the Data Processor and any Sub-Processors is to be performed.
1.10
The Data Processing Agreement and its associated Appendices shall be retained in writing as well as electronically by both Parties.
1.11
This Data Processing Agreement shall not exempt the Data Processor or Data Controller from their obligations to which they are subject pursuant to the General Data Protection Regulation or other legislation.
2.
The rights and obligations of the Data Controller
2.1
The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Danish Data Protection Act.
2.2
The Data Controller shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.
2.3
The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorised in law.
3.
The Data Processor acts according to instructions
3.1
The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
3.2
The Data Processor shall immediately inform the Data Controller if instructions in the opinion of the Data Processor contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member State law or any relevant legislation with regards to the protection of Whistleblowers.
3.3
In the event that the Data Processor has informed the Data Controller that an instruction may be potentially unlawful, the Data Processor shall in no way be held liable if it refuses to act on these instructions which are contrary to EU law or Member State law or any other legal obligation of the Data Processor arising from EU law or Member State law.
3.4
If the Data Controller persists in the unlawful instruction, the Data Processor has the right to terminate the Master Agreement between the Data Controller and the Data Processor with immediate effect. In any case, if the Data Processor has informed the Data Controller of the potentially unlawful nature of its instructions, the Data Processor shall not be held liable, nor direct or indirect, for breaching any legislation, in the broadest sense and including any data protection legislation, for the execution of this instruction.
4.
Confidentiality
4.1
The Data Processor shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of the Data Controller. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.
4.2
Only persons who require access to the personal data in order to fulfil the obligations of the Data Processor to the Data Controller shall be provided with authorisation.
4.3
The Data Processor shall ensure that persons authorised to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality.
4.4
The Data Processor shall at the request of the Data Controller be able to demonstrate that the employees concerned are subject to the above confidentiality.
5.
Security of processing
5.1
The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
5.2
The above obligation means that the Data Processor shall perform a risk assessment and thereafter implement measures to counter the identified risk. Depending on their relevance, the measures may include the following:
a. Pseudonymisation and encryption of personal data
b. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
a. Pseudonymisation and encryption of personal data
b. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.3
The Data Processor shall in ensuring the above – in all cases – at a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.
5.4
The Parties’ possible regulation/agreement on remuneration etc. for the Data Controller’s or the Data Processor’s subsequent requirement for establishing additional security measures shall be specified in the Parties’ Master Agreement or the Terms and Conditions of the Data Processor.
6.
Use of Sub-Processors
6.1
The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the General Data Protection Regulation in order to engage another processor (Sub-Processor).
6.2
The Data Processor shall therefore not engage another processor (Sub-Processor) for the fulfilment of this Data Processing Agreement without the prior specific or general written consent of the Data Controller.
6.3
In the event of general written consent, the Data Processor shall inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes.
6.4
The Data Controller’s requirements for the Data Processor’s engagement of other sub-processors shall be specified in Appendix B to this Data Processing Agreement.
6.5
The Data Controller’s consent to the engagement of specific sub-processors, if applicable, shall be specified in Appendix B to this Data Processing Agreement.
6.6
When the Data Processor has the Data Controller’s authorisation to use a sub-processor, the Data Processor shall ensure that the Sub-Processor is subject to the same data protection obligations as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.
The Data Processor shall therefore be responsible – on the basis of a sub-processor agreement – for requiring that the sub-processor at least comply with the obligations to which the Data Processor is subject pursuant to the requirements of the General Data Protection Regulation and this Data Processing Agreement and its associated Appendices.
The Data Processor shall therefore be responsible – on the basis of a sub-processor agreement – for requiring that the sub-processor at least comply with the obligations to which the Data Processor is subject pursuant to the requirements of the General Data Protection Regulation and this Data Processing Agreement and its associated Appendices.
6.7
A copy of such a sub-processor agreement and subsequent amendments shall – at the Data Controller’s request – be submitted to the Data Controller who will thereby have the opportunity to ensure that a valid agreement has been entered into between the Data Processor and the Sub-Processor. Commercial terms and conditions, such as pricing, that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the Data Controller.
6.8
If the Sub-Processor does not fulfil his data protection obligations, the Data Processor shall remain fully liable to the Data Controller as regards the fulfilment of the obligations of the Sub-Processor.
7.
Transfer of data to third countries or international organisations
7.1
The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller, including as regards transfer (assignment, disclosure and internal use) of personal data to third countries or international organisations, unless processing is required under EU or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
7.2
Without the instructions or approval of the Data Controller, the Data Processor therefore cannot – within the framework of this Data Processing Agreement:
a. disclose personal data to a data controller in a third country or in an international organisation
b. assign the processing of personal data to a sub-processor in a third country
c. have the data processed in another of the Data Processor’s divisions which is located in a third country
a. disclose personal data to a data controller in a third country or in an international organisation
b. assign the processing of personal data to a sub-processor in a third country
c. have the data processed in another of the Data Processor’s divisions which is located in a third country
7.3
The Data Controller’s instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in Appendix C to this Data Processing Agreement.
8.
Assistance to the Data Controller
8.1
The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. notification obligation when collecting personal data from the data subject
b. notification obligation if personal data have not been obtained from the data subject
c. right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restrict processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right to object to the result of automated individual decision-making, including profiling
This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. notification obligation when collecting personal data from the data subject
b. notification obligation if personal data have not been obtained from the data subject
c. right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restrict processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right to object to the result of automated individual decision-making, including profiling
8.2
The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub-section 3, para f.
This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
b. the obligation to report personal data breaches to the supervisory authority, the Danish Data Protection Agency, without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
c. the obligation – without undue delay - to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
d. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
e. the obligation to consult with the supervisory authority, the Danish Data Protection Agency, prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk
This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
b. the obligation to report personal data breaches to the supervisory authority, the Danish Data Protection Agency, without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
c. the obligation – without undue delay - to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
d. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
e. the obligation to consult with the supervisory authority, the Danish Data Protection Agency, prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk
8.3
The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s assistance to the Data Controller shall be specified in the Parties’ Master Agreement or the Terms and Conditions of the Data Processor.
9.
Notification of personal data breach
9.1
On discovery of personal data breach at the Data Processor’s facilities or a sub-processor’s facilities, the Data Processor shall without undue delay notify the Data Controller.
The Data Processor’s notification to the Data Controller shall take place as soon as possible, and at the latest within 48 hours, after the Data Processor has discovered the breach to enable the Data Controller to comply with his obligation, if applicable, to report the breach to the supervisory authority, the Danish Data Protection Agency, within 72 hours.
The Data Processor’s notification to the Data Controller shall take place as soon as possible, and at the latest within 48 hours, after the Data Processor has discovered the breach to enable the Data Controller to comply with his obligation, if applicable, to report the breach to the supervisory authority, the Danish Data Protection Agency, within 72 hours.
9.2
According to Clause 9.2., para b, of this Data Processing Agreement, the Data Processor shall – taking into account the nature of the processing and the data available – assist the Data Controller in the reporting of the breach to the supervisory authority, the Danish Data Protection Agency.
This may mean that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in the Data Controller’s report to the supervisory authority, the Danish Data Protection Agency:
a. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
b. Probable consequences of a personal data breach
c. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage
This may mean that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in the Data Controller’s report to the supervisory authority, the Danish Data Protection Agency:
a. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
b. Probable consequences of a personal data breach
c. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage
10.
Erasure and return of data
10.1
On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller’s discretion, to erase or return all the personal data to the Data Controller and to erase existing copies unless EU law or Member State law requires storage of the personal data.
11.
Inspection and audit
11.1
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and this Data Processing Agreement, and allow for and contribute to audits, including inspections performed by the Data Controller or another auditor mandated by the Data Controller.
11.2
The procedures applicable to the Data Controller’s inspection of the Data Processor are specified in Appendix C to this Data Processing Agreement.
11.3
The Data Controller’s inspection of sub-processors, if applicable, shall as a rule be performed through the Data Processor. The procedures for such inspection are specified in Appendix C to this Data Processing Agreement.
11.4
The Data Processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the Data Controller’s and Data Processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the Data Processor’s physical facilities on presentation of appropriate identification.
12
The Parties’ agreement on other terms
12.1
(Separate) terms relating to the consequences of the Parties’ breach of this Data Processing Agreement, if applicable, shall be specified in the Parties’ Master Agreement or the Terms and Conditions of the Data Processor.
12.2
Regulation of other terms between the Parties shall be specified in the Parties’ Master Agreement or the Terms and Conditions of the Data Processor.
13.
General Terms
13.1
Each Party must keep this Data Processing Agreement and information it receives about the other Party and its business in connection with this Data Processing Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
or
(b) the relevant information is already in the public domain.
(a) disclosure is required by law;
or
(b) the relevant information is already in the public domain.
13.2
All notices and communications given under this Data Processing Agreement must be in writing and will be delivered personally, to the contact points as set out in clause 15.
14.
Commencement and termination
14.1
This Data Processing Agreement shall become effective on the date of both Parties’ signature to this Data Processing Agreement.
14.2
Both Parties shall be entitled to require this Data Processing Agreement renegotiated if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation.
14.3
The Parties’ agreement on remuneration, terms etc. in connection with amendments to this Data Processing Agreement, if applicable, shall be specified in the Parties’ Master Agreement or the Terms and Conditions of the Data Processor.
14.4
This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the Master Agreement or the Terms and Conditions of the Data Processor.
14.5
This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the Master Agreement and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.
15
Data Processor contacts/contact points
15.1
The Parties may contact each other using the following contacts/contact points:
Contact point of the Data Processor:
Fredrik Binow
CEO
support@walor.io
Please contact the CEO by email in the first instance.
Contact point of the Data Processor:
Fredrik Binow
CEO
support@walor.io
Please contact the CEO by email in the first instance.
15.2
The Parties shall be under obligation continuously to inform each other of changes to contacts/contact points.
Appendix A
Information about the processing
The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is:
The fulfilment of the Parties’ Master Agreement. This entails that the Data Controller and people working for or with the Data Controller can use the Whistleblower scheme, owned and managed by the Data Processor, which allows to process general personal data and information on potentially illegal or unethical activities relating to the working environment of the Data Controller.
The fulfilment of the Parties’ Master Agreement. This entails that the Data Controller and people working for or with the Data Controller can use the Whistleblower scheme, owned and managed by the Data Processor, which allows to process general personal data and information on potentially illegal or unethical activities relating to the working environment of the Data Controller.
The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):
that the Data Processor provides a system, owned and managed by the Data Processor, to the Data Controller and thereby processes personal data of people working for or with the Data Controller. After the receival of the information through a report, the Data Processor gives the Data Controller access to the information gathered, including personal data, in accordance with the requirements of confidentiality and impartiality laid down in relevant legislation on the protection of whistleblowers.
that the Data Processor provides a system, owned and managed by the Data Processor, to the Data Controller and thereby processes personal data of people working for or with the Data Controller. After the receival of the information through a report, the Data Processor gives the Data Controller access to the information gathered, including personal data, in accordance with the requirements of confidentiality and impartiality laid down in relevant legislation on the protection of whistleblowers.
The processing includes the following types of personal data about data subjects:
Name, location, department, gender, age and any other information reported through the System, owned and managed, by the Data Processor.
Name, location, department, gender, age and any other information reported through the System, owned and managed, by the Data Processor.
Processing includes the following categories of data subject:
- Employees from the Data Controller
- Job applicants at the Data Controller
- Paid or unpaid trainees from the Data Controller
- Volunteers at Data Controller
- Self-employed persons working for the Data Controller
- Shareholders of the Data Controller
- Members of the management, supervisory board or other governing board of the Data Controller
- Persons working under the supervision and direction of contractors, subcontractors and suppliers of the Data Controller
- The persons appointed by the Data Controller to receive any reports made through the System in order to conduct investigations.
- Employees from the Data Controller
- Job applicants at the Data Controller
- Paid or unpaid trainees from the Data Controller
- Volunteers at Data Controller
- Self-employed persons working for the Data Controller
- Shareholders of the Data Controller
- Members of the management, supervisory board or other governing board of the Data Controller
- Persons working under the supervision and direction of contractors, subcontractors and suppliers of the Data Controller
- The persons appointed by the Data Controller to receive any reports made through the System in order to conduct investigations.
The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:
The service provided is not limited in time and lasts until the Master Agreement is terminated or cancelled by one of the parties.
The service provided is not limited in time and lasts until the Master Agreement is terminated or cancelled by one of the parties.
Appendix B
Terms of the Data Processor’s use of sub-processors and list of approved sub-processors
Terms of the Data Processor’s use of sub-processors, if applicable
The Data Processor has the Data Controller’s general consent to make use of sub-processors. However, the Data Processor shall inform the Data Controller of any planned changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller at least one month before the engagement of sub-processors or amendments coming into force. The Data Controller may object within 14 days of receipt of the notification only if the Data Controller has reasonable and specific grounds to do so.
The Data Processor has the Data Controller’s general consent to make use of sub-processors. However, the Data Processor shall inform the Data Controller of any planned changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller at least one month before the engagement of sub-processors or amendments coming into force. The Data Controller may object within 14 days of receipt of the notification only if the Data Controller has reasonable and specific grounds to do so.
Approved sub-processors
The Data Controller shall on commencement of this Data Processing Agreement approve the engagement of the following sub-processors:
The Data Controller shall on commencement of this Data Processing Agreement approve the engagement of the following sub-processors:
The Data Controller shall on the commencement of this Data Processing Agreement specifically approve the use of the above sub-processors for the processing described for that party. The Data Processor shall not be entitled – without the Data Controller’s explicit written consent – to engage a sub-processor for ‘different’ processing than the one that has been agreed or have another sub-processor perform the described processing.
Appendix C
Instruction pertaining to the use of personal data
The subject of/instruction for the processing
The Data Processor’s processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following:
The Data Controller and people working for or with the Data Controller can use the system provided by the Data Processor. This system allows any person working for or having a work-related relationship with the Data Controller to act as a whistle-blower with regards to matters of a serious nature which have occurred or have likely occurred within the company of the Data Controller. These reports are received and reviewed by the Data Processor, who is allowed to process general personal data and information on potentially illegal activities relating to the working environment of the Data Controller. The Data Processor can potentially ask the reporter to add any relevant information to the report. If a report is found to be not manifestly unfounded, it will be sent back to one of the Data Controller’s representatives, as agreed between the Data Processor and Data Controller. When the Data Processor gives the Data Controller access to the information gathered, including personal data, requirements of confidentiality and impartiality laid down in relevant legislation on the protection of Whistleblowers will be upheld.
The Data Processor’s processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following:
The Data Controller and people working for or with the Data Controller can use the system provided by the Data Processor. This system allows any person working for or having a work-related relationship with the Data Controller to act as a whistle-blower with regards to matters of a serious nature which have occurred or have likely occurred within the company of the Data Controller. These reports are received and reviewed by the Data Processor, who is allowed to process general personal data and information on potentially illegal activities relating to the working environment of the Data Controller. The Data Processor can potentially ask the reporter to add any relevant information to the report. If a report is found to be not manifestly unfounded, it will be sent back to one of the Data Controller’s representatives, as agreed between the Data Processor and Data Controller. When the Data Processor gives the Data Controller access to the information gathered, including personal data, requirements of confidentiality and impartiality laid down in relevant legislation on the protection of Whistleblowers will be upheld.
Security of processing
The level of security must reflect a “high” level of security, seen that the processing of personal data covered by article 6 of the Data Protection Regulation, pertains to data which potentially relate to criminal convictions and offences, and whereby the unauthorised disclosure or access to these data could be harmful to the public interest, seen the processing of these data takes place in the context of a whistleblower reporting channel.
The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
The Data Processor must however in all cases and as a minimum implement the following measures agreed with the Data Controller (in the light of the risk assessment carried out by the Data Controller):
- All data entered into the system is maximally secured through Password protection, End-to-End Encryption, Multi-Factor Authentication and through a continuous focus on high quality, clean and secure code, code review, Quality Assurance (QA) environment and through manual and automated testing.
- All data is stored by Amazon Web Services in the EU. The data is stored on servers that are ISO 27001, ISO 27017, ISO 27018 and SOC 1, SOC 2 & SOC 3-certified. Amazon Web Services, which is a sub-processor of the Data Processor, therefore meets the highest level of security.
- To ensure the highest security, the Data Processor is also undertaking regular penetration tests from third-parties and other test to check potential vulnerabilities
The level of security must reflect a “high” level of security, seen that the processing of personal data covered by article 6 of the Data Protection Regulation, pertains to data which potentially relate to criminal convictions and offences, and whereby the unauthorised disclosure or access to these data could be harmful to the public interest, seen the processing of these data takes place in the context of a whistleblower reporting channel.
The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
The Data Processor must however in all cases and as a minimum implement the following measures agreed with the Data Controller (in the light of the risk assessment carried out by the Data Controller):
- All data entered into the system is maximally secured through Password protection, End-to-End Encryption, Multi-Factor Authentication and through a continuous focus on high quality, clean and secure code, code review, Quality Assurance (QA) environment and through manual and automated testing.
- All data is stored by Amazon Web Services in the EU. The data is stored on servers that are ISO 27001, ISO 27017, ISO 27018 and SOC 1, SOC 2 & SOC 3-certified. Amazon Web Services, which is a sub-processor of the Data Processor, therefore meets the highest level of security.
- To ensure the highest security, the Data Processor is also undertaking regular penetration tests from third-parties and other test to check potential vulnerabilities
Storage period/erasure procedures
The information is stored for the period permitted by law, and will be deleted when it is no longer needed or relevant for the purpose for which it was collected. Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay. The period depends on the nature of the information and the background of storage. It is therefore not possible to specify a general time frame for when information is returned. In any case, personal data will be deleted within two months after the purpose for collecting or processing these data has ended or after the end of the relationship between the Data Processor and the Data Controller, unless otherwise prescribed by law.
The information is stored for the period permitted by law, and will be deleted when it is no longer needed or relevant for the purpose for which it was collected. Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay. The period depends on the nature of the information and the background of storage. It is therefore not possible to specify a general time frame for when information is returned. In any case, personal data will be deleted within two months after the purpose for collecting or processing these data has ended or after the end of the relationship between the Data Processor and the Data Controller, unless otherwise prescribed by law.
Processing location
Processing of the personal data under this Data Processing Agreement cannot be performed at other locations than the following without the Data Controller’s prior written consent. Processing will take place in Copenhagen, Denmark and any other locations mentioned under B.2.
Processing of the personal data under this Data Processing Agreement cannot be performed at other locations than the following without the Data Controller’s prior written consent. Processing will take place in Copenhagen, Denmark and any other locations mentioned under B.2.
Instruction for or approval of the transfer of personal data to third countries
If the Data Controller does not by written notification provide instructions or consent pertaining to the transfer of personal data to a third country, the Data Processor shall not be entitled within the framework of this Data Processing Agreement to perform such transfer.
If the Data Controller does not by written notification provide instructions or consent pertaining to the transfer of personal data to a third country, the Data Processor shall not be entitled within the framework of this Data Processing Agreement to perform such transfer.
Procedures for the Data Controller’s inspection of the processing being performed by the Data Processor
The Data Controller or a representative of the Data Controller may carry out a physical inspection of the compliance with this Data Processing Agreement at the Data Processor's premises on a regular basis during normal business hours.
In addition to the scheduled inspection, the Data Processor may be inspected whenever, in the opinion of the Data Controller, the need arises. Such need shall be based on substantiated and reasoned concern.
10 working days’ notice shall be given for such supervision.
Any costs incurred by the Data Controller in connection with a physical inspection shall be borne by the Data Controller. However, the Data Processor shall be obliged to provide the resources, such as time, necessary for the Data Controller to carry out the inspection.
The Data Controller or a representative of the Data Controller may carry out a physical inspection of the compliance with this Data Processing Agreement at the Data Processor's premises on a regular basis during normal business hours.
In addition to the scheduled inspection, the Data Processor may be inspected whenever, in the opinion of the Data Controller, the need arises. Such need shall be based on substantiated and reasoned concern.
10 working days’ notice shall be given for such supervision.
Any costs incurred by the Data Controller in connection with a physical inspection shall be borne by the Data Controller. However, the Data Processor shall be obliged to provide the resources, such as time, necessary for the Data Controller to carry out the inspection.
Procedures for inspection of the processing being performed by sub-processors, if applicable
If any doubt exists about the Sub-Processor's compliance with this Data Processing Agreement and its associated Appendices, the Data Processor shall obtain an independent third-party audit opinion on the sub-processor’s compliance with this Data Processing Agreement and its annexes.
The inspection report shall without delay be submitted to the Data Controller for information.
The Data Processor shall be remunerated for the costs of this audit opinion by the Data Controller, unless the doubt which has led to this audit report finds its origin in substantiated and reasoned concern.
If any doubt exists about the Sub-Processor's compliance with this Data Processing Agreement and its associated Appendices, the Data Processor shall obtain an independent third-party audit opinion on the sub-processor’s compliance with this Data Processing Agreement and its annexes.
The inspection report shall without delay be submitted to the Data Controller for information.
The Data Processor shall be remunerated for the costs of this audit opinion by the Data Controller, unless the doubt which has led to this audit report finds its origin in substantiated and reasoned concern.