Data Processing Agreement 01.09.2023

Data Processing Agreement prepared in accordance with the Danish Data Protection Agency's Standard Contractual Clauses accepted by the European Data Protection Board.

Standard Contractual Clauses

In accordance with Article 28(3) of Regulation 2016/679 (the General Data Protection Regulation).

Customer

Address

ZIP code City                                                                                            

DK

CVR-nr.:

From now on referred to as the 'Data Controller'.

and

WOBA ApS       

Landgreven 3

1301 København K

DK

CVR-nr.: 37609641

From now on referred to as the 'Data Processor'.

Each is referred to as a 'Party' and collectively as the 'Parties'.

 

Have agreed to the following Contractual Clauses ('Clauses') in order to comply with the data protection regulation and ensure the protection of the rights of data subjects.

  1. Content
  2. Preamble
  3. The rights and obligations of the Data Controller. 
  4. The data processor acts according to instructions 
  5. Confidentiality
  6. Data processing security.
  7. Use of sub-processors
  8. Transfer of data to third countries or international organizations
  9. Assistance to the Data Controller 
  10. Notification of personal data security breaches 
  11. Deletion and return of information 
  12. Audit and inspection 
  13. Parties’ agreement on other terms 
  14. Commencement and termination
  15. Contacts at the Data Controller and the Data Processor

Appendix A Information about the processing

Appendix B Sub-processors

Appendix C Instructions regarding the processing of personal data

Appendix D Parties regulation of other matters

2.     Preamble

 

2.1    These Contractual Clauses ('Clauses') establish the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

 

2.2    These Clauses are designed to ensure the Parties' compliance with Article 28(3) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ('the data protection regulation').

 

2.3    In connection with the provision of the WOBA HR platform (from now on referred to as the 'System') in accordance with the executed contract, from now on referred to as the 'Main Agreement,' the Data Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.

 

2.4    These Clauses take precedence over any similar provisions in other agreements between the Parties.

 

2.5    There are four appendices to the Clauses, and the appendices constitute an integral part of the Clauses.

 

2.6        Appendix A contains detailed information about the processing of personal data, including the purpose and nature of the processing, the types of personal data, categories of data subjects, and the duration of processing.

2.7        Appendix B contains the conditions set by the Data Controller for the Data Processor's use of sub-processors and a list of sub-processors approved by the Data Controller.

2.8        Appendix C contains the Data Controller's instructions regarding the Data Processor's processing of personal data, a description of the minimum security measures that the Data Processor must implement, and the supervision process for the Data Processor and any sub-processors.

2.9        Appendix D contains provisions regarding other activities that are not covered by the Clauses.

 

2.10      If standard contractual clauses, as referred to in Article 46(2)(c) and (d) of the data protection regulation, form the basis for the transfer of personal data as mentioned in Chapter V of the data protection regulation, they are attached as Appendices E and E1.

 

2.11      The Clauses with their attached appendices must be kept in writing, including electronically, by both Parties.

 

2.12      These Clauses do not exempt the Data Processor from obligations imposed on the Data Processor under the data protection regulation or any other legislation.

 

 

3.       The rights and obligations of the Data Controller

 

3.1    The Data Controller is responsible for ensuring that the processing of personal data complies with the data protection regulation (see Article 24 of the Regulation), data protection provisions in other EU laws or national laws of the Member States, and these Clauses.

 

3.2    The Data Controller has the right and obligation to make decisions regarding the purpose(s) and means of processing personal data.

 

3.3     The Data Controller is responsible, among other things, for ensuring that there is a legal basis for the processing of personal data that the Data Processor is instructed to carry out.

 

4.       The Data Processor acts under instructions.

 

4.1        The Data Processor may only process personal data upon documented instruction from the Data Controller unless required by EU law or the national law of the Member State to which the Data Processor is subject. This instruction shall be specified in Appendices A and C. Subsequent instructions may also be given by the Data Controller during the processing of personal data, but the instruction must always be documented and kept in writing, including electronically, along with these Clauses.

 

4.2        The Data Processor shall immediately inform the Data Controller if, in the Data Processor's opinion, an instruction is in violation of the data protection regulation or data protection provisions in other EU law or national law of the Member States.

 

4.3        The Data Processor shall immediately notify the Data Controller if, at any point during the term of the Data Processing Agreement, the Data Processor processes personal data in violation of the documented instruction.

 

5.       Confidentiality

 

5.1        The Data Processor may only grant access to personal data processed on behalf of the Data Controller to individuals who are subject to the Data Processor's instructions, have committed to confidentiality, or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of individuals granted access must be periodically reviewed. Based on this review, access to personal data can be revoked if it is no longer necessary, and the personal data shall no longer be accessible to these individuals.

 

5.2        The Data Processor, upon request from the Data Controller, must be able to demonstrate that the individuals subject to the Data Processor's instructions are bound by the aforementioned duty of confidentiality.

 

6.       Processing Security

 

6.1        Article 32 of the Data Protection Regulation establishes that the Data Controller and the Data Processor, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks.

 

The Data Controller must assess the risks to the rights and freedoms of data subjects posed by the processing and implement measures to mitigate these risks. Depending on their relevance, this may include:

 

6.1.1   Pseudonymization and encryption of personal data.

6.1.2      The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

 

6.1.3 The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

 

6.1.4 A procedure for regular testing, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure processing security.

 

6.2     According to Article 32 of the data protection regulation, the Data Processor, independently of the Data Controller, must also assess the risks to the rights of data subjects posed by the processing and implement measures to mitigate these risks. For the purpose of this assessment, the Data Controller shall provide the necessary information to the Data Processor, enabling the Data Processor to identify and assess such risks.

6.3    Furthermore, the Data Processor shall assist the Data Controller in fulfilling the Data Controller's obligations under Article 32 of the data protection regulation, including providing the necessary information to the Data Controller regarding the technical and organizational security measures that the Data Processor has already implemented in accordance with Article 32 of the data protection regulation, and any other information necessary for the Data Controller's compliance with its obligations under Article 32 of the data protection regulation.

 

If the mitigation of the identified risks, as assessed by the Data Controller, requires the implementation of additional measures beyond those already implemented by the Data Processor, the Data Controller shall specify the additional measures to be taken in Appendix C.

 

7.       Use of Sub-processors

 

7.1    The Data Processor shall meet the conditions as outlined in Article 28(2) and (4) of the data protection regulation to engage another processor (a sub-processor).

7.2    Thus, the Data Processor may not engage a sub-processor for the purposes of these Clauses without prior general written authorization from the Data Controller.

7.3    The Data Processor has the Data Controller's general authorization for the use of sub-processors. The Data Processor shall notify the Data Controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 30 days' notice, thereby providing the Data Controller with the opportunity to object to such changes before the use of the sub-processor(s) in question. The list of sub-processors already approved by the Data Controller is detailed in Appendix B.

7.4    When the Data Processor engages a sub-processor to carry out specific processing activities on behalf of the Data Controller, the Data Processor shall, through a contract or other legal document under EU law or the national law of the Member States, impose on the sub-processor the same data protection obligations as set out in these Clauses, thereby ensuring, in particular, that the sub-processor provides sufficient guarantees to implement the technical and organizational measures in such a way that the processing complies with the requirements of these Clauses and the data protection regulation. Therefore, the Data Processor is responsible for ensuring that the sub-processor, at a minimum, complies with the Data Processor's obligations under these Clauses and the data protection regulation.

 

7.5    Sub-processor agreements and any subsequent amendments thereto are provided, upon the Data Controller's request, in a copy to the Data Controller, thus enabling the Data Controller to ensure that equivalent data protection obligations arising from these Clauses are imposed on the sub-processor. Provisions regarding commercial terms that do not affect the data protection content of the sub-processor agreement shall not be provided to the Data Controller.

 

7.6    If the sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the fulfillment of the sub-processor’s obligations. This does not affect the rights of data subjects as provided in the data protection regulation, including Articles 79 and 82 of the Regulation, against both the Data Controller and the Data Processor, including the sub-processor.

 

8.       Transfer of data to third countries or international organizations

 

8.1   Any transfer of personal data to third countries or international organizations may only be carried out by the Data Processor based on documented instructions from the Data Controller and must always be in accordance with Chapter V of the data protection regulation.

8.2    If the transfer of personal data to third countries or international organizations, which the Data Processor has not been instructed to carry out by the Data Controller, is required under EU law or the national law of the Member State to which the Data Processor is subject, the Data Processor shall notify the Data Controller of this legal requirement before processing, unless the law in question prohibits such notification for reasons of important public interest.

 

8.3    Without documented instruction from the Data Controller, the Data Processor cannot, within the framework of these Clauses:

8.3.1   Transfer personal data to a data controller or data processor in a third country or an international organization.

8.3.2   Entrust the processing of personal data to a sub-processor in a third country.

8.3.3   Process the personal data in a third country.

8.4    The Data Controller's instructions regarding the transfer of personal data to a third country, including the potential transfer basis in Chapter V of the data protection regulation upon which the transfer is based, shall be specified in Appendix C.6.

8.5    These Clauses should not be confused with standard data protection clauses as referred to in Article 46(2)(c) and (d) of the data protection regulation, and these Clauses cannot serve as a basis for the transfer of personal data as referred to in Chapter V of the data protection regulation unless the standard contract clauses are attached in Appendix E.

 

9.       Assistance to the Data Controller

 

9.1    The Data Processor, considering the nature of the processing, assists the Data Controller, as far as possible, through appropriate technical and organizational measures, in fulfilling the Data Controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the data protection regulation.

This means that, to the extent possible, the Data Processor must assist the Data Controller in ensuring compliance with:

 

9.1.1   The obligation to provide information when collecting personal data from the data subject,

9.1.2   The obligation to provide information if personal data is not collected from the data subject,

9.1.3   The right of access,

9.1.4   The right to rectification,

9.1.5   The right to erasure ('right to be forgotten'),

9.1.6   The right to restriction of processing,

9.1.7   The notification obligation in connection with correction or deletion of personal data or restriction of processing,

9.1.8   The right to data portability,

9.1.9   The right to object,

9.1.10 The right not to be subject to a decision based solely on automated processing, including profiling.

9.2    In addition to the Data Processor's obligation to assist the Data Controller as per Clause 6.3, the Data Processor further assists the Data Controller with the following, considering the nature of the processing and the information available to the Data Processor:

 

9.2.1   The Data Controller's obligation to report personal data breaches to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

9.2.2   The obligation of the data controller to promptly notify the data subject of a personal data breach when the breach is likely to result in a high risk to the rights and freedoms of individuals.

9.2.3  The data controller's obligation, before processing, to conduct an analysis of the intended processing activities' consequences for the protection of personal data (a data protection impact assessment).

 

9.2.4 The data controller's obligation to consult the competent supervisory authority before processing, in cases where a data protection impact assessment indicates that the processing will result in high risk unless measures are taken by the data controller to mitigate the risk.

 

9.3    The Parties shall specify in Appendix C the necessary technical and organizational measures by which the data processor shall assist the data controller and to what extent. This applies to the obligations arising from provisions 9.1 and 9.2.

 

10.       Notification of a personal data breach

 

10.1      The data processor shall, without undue delay, notify the data controller once it becomes aware of a personal data breach.

 

10.2    The data processor's notification to the data controller shall be made without undue delay after becoming aware of the breach, allowing the data controller to fulfill its obligation to report the personal data breach to the competent supervisory authority, as per Article 33 of the data protection regulation.

 

10.3    In accordance with Clause 9.2.1, the data processor is required to assist the data controller in making the notification to the competent supervisory authority. This means that the data processor must help provide the following information, as specified in Article 33(3) of the data protection regulation:

 

10.3.1 The nature of the personal data breach, including, if possible, the categories and approximate number of affected data subjects, as well as the categories and approximate number of affected records of personal data.

 

10.3.2    The likely consequences of the personal data breach.

10.3.3    The measures that the data controller has taken or proposes to take to address the personal data breach, including, if relevant, measures to mitigate its potential adverse effects.

 

10.4    Parties shall in Appendix C specify the information that the data processor is required to provide in connection with its assistance to the data controller in fulfilling its obligation to report personal data breaches to the competent supervisory authority.

10.5    The data processor must not, without prior written agreement with the data controller regarding the content of such communication, disclose information about personal data breaches to the public or third parties unless the data processor is under a legal obligation to make such communication. In the latter case, the data processor must inform the data controller of the relevant legal obligation before communicating with the third party, unless EU law or the national law of the member state prohibits such notification.

 

10.6    If a personal data breach is wholly or partially caused by an action or omission for which the data processor is responsible, the data processor shall bear the costs of notifying the authorities and informing the data subjects to the extent that notification and/or communication is required.

 

 

 

11.       Deletion and return of information

 

11.1    Upon the termination of services related to the processing of personal data, the data processor is obligated, at the data controller's choice, to either delete all personal data processed on behalf of the data controller and confirm to the data controller that the data has been deleted or return all personal data and delete existing copies, unless EU law or the national law of member states prescribes the retention of such personal data.

 

          Encrypted and anonymized question-and-answer data are retained by the data processor for up to 5 years after the cooperation with the data controller has ceased unless the data controller requests their deletion. The period of up to 5 years serves the purpose that the data processor "WOBA" may use the data for research and development purposes.

 

11.2    In the event of reasonable doubt arising after the termination of the data processing agreement regarding whether the data processor has deleted all personal data, the data controller can request the data processor, at the data controller's expense, to obtain an auditor's statement confirming that the personal data has been deleted.

12.       Audit, including inspection.

 

12.1    The data processor shall make all information necessary to demonstrate compliance with the General Data Protection Regulation Article 28 and these provisions available to the data controller and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.

 

12.2    The procedures for the data controller's audits, including inspections, of the data processor and sub-processors are further detailed in Appendix C.7 and C.8.

12.3    The data processor is obliged, in accordance with applicable legislation, to grant supervisory authorities, or representatives acting on behalf of the supervisory authority, access to the data controller's or data processor's facilities upon presentation of proper identification.

 

13.       The parties' agreement on other matters.

 

13.1      The parties may agree on other provisions regarding the service related to the processing of personal data, such as liability, as long as these other provisions do not directly or indirectly conflict with the provisions or diminish the fundamental rights and freedoms of data subjects as provided by the data protection regulation.

 

14.       Commencement and Termination

 

14.1    The provisions come into effect on the date of both Parties' signing of the Subscription Agreement.

14.2    Both Parties may request the provisions to be renegotiated if changes in the law or deficiencies in the provisions necessitate it.

 

14.3    The provisions remain in effect for the duration of the service related to the processing of personal data. During this period, the provisions cannot be terminated unless other provisions governing the delivery of the service related to the processing of personal data are agreed upon by the Parties.

 

14.4    If the provision of services related to the processing of personal data ceases, and the personal data has been deleted or returned to the data controller in accordance with provision 11.1 and Appendix C.4, the provisions can be terminated with written notice from both Parties.

14.5    Signature:

           This agreement is considered to be entered into and signed simultaneously with the Main Agreement, takes effect concurrently with the Main Agreement, and terminates concurrently with the Main Agreement.

On behalf of the Data Controller,

On behalf of the Data Processor

 

15.       Contact persons for the Data Controller and the Data Processor.

 

15.1    The Parties can contact each other through the contact persons below, as well as the contact persons in the Main Agreement.

15.2    The Parties are obligated to regularly inform each other of any changes regarding the contact persons.

 

Data controller:

Name

Title

mail

number

Data processor:

Peter Engel Møller

CSO

Pm@woba.io     

+4528408820

Appendix A   Information about the Processing

 

1.1    The system is an HR platform that allows organizations to translate feedback from their employee surveys into concrete action plans and preventive measures, creating a real HR impact. The data controller can use Woba.io internally for conducting various HR-based surveys and assessments, including occupational health and safety (APV) surveys, well-being assessments, whistleblower surveys, onboarding and exit surveys, leadership evaluations, and more.

 

2.     The data processor's processing of personal data on behalf of the data controller primarily concerns (the nature of the processing):

 

2.1     The system will be used to store and analyze personal data about the data controller's employees, including their responses to various HR-based surveys and assessments.

 

3.     The processing includes the following types of personal data about the data subjects:

 

3.1    Common personal data is processed in the form of:

         1) Name, email address, and organizational unit (e.g., department, team, or area). These three types of information are standard and a prerequisite for data controllers to use Woba.

         2) Responses to user surveys, occupational health and safety assessments, well-being surveys, etc.

         3) The system never requests any other personal data. It is not intended for the system to process social security numbers, sensitive personal information, or information about criminal convictions.

4.       The processing includes the following categories of data subjects:

 

4.1    The data controller's employees, including managers.

5.     The data processor's processing of personal data on behalf of the data controller can commence after the provisions come into effect. The processing has the following duration:

 

5.1    The data processor processes data for as long as the Main Agreement is in effect. Systems can be restored to any stage back in time without limitations. The database can be restored to any point in time, up to 14 days in the past.

Appendix B   Approved Subprocessors

 

  1. At the commencement of the data processing agreement, the data controller has approved the use of the following sub-processors. Woba utilizes EU-based sub-processors that exclusively process data within the borders of the European Union or sub-processors that have adopted the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

https://www.dataprivacyframework.gov/s/

 

| Company Name | CVR-nr. | Address | Description of processing | Location of processing |
| --- | --- | --- | --- | --- |
| Aiven Oy | N/A | Helsinki, Finland | Aiven hosts the data processor's database. | The company is Finnish, and the data is hosted on servers provided by UpCloud, another Finnish company, and is physically located in Frankfurt, Germany. |
| Heroku (a Salesforce Company) | N/A | The Landmark @ 1 Market St., Suite 300, San Francisco, CA 94105, USA | Hosting of the platform (not data) | The company is American, and the data is located in the "Region: EU" in Frankfurt, Germany. Heroku is hosted by Amazon Web Services in the eu-central-1 region and falls under EU legislation. |
| Active Campaign LLC, owner of “Postmark” | N/A | Active Campaign, LLC, 1 N Dearborn St FL 5 Chicago, Illinois 60602-4349 | The company is used as an email service to send out invitations for signing up or logging into Woba. Postmark does not store a complete address book but serves as a relay. | USA |
| Google | N/A | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | The data processor uses Gmail for support or other email communication. | EU |

 

1.3      At the commencement of the provisions, the data controller approves the use of the sub-processor(s) for the processing described for that particular sub-processor. The data processor can replace sub-processors. The data processor has the data controller's general approval for the engagement of sub-processors. The data processor must provide written notice to the data controller of any planned changes regarding the addition or replacement of sub-processors with at least 30 days' notice, thereby allowing the data controller to object to such changes before the use of the sub-processor(s) in question.

 

1.4        The data processor is not allowed to use a sub-processor for a different processing activity than the one described and agreed upon without the data controller's written approval.

Appendix C   Instructions for the Processing of Personal Data

 

1.       Subject Matter/Instruction of Processing

 

1.1    The data processor processes personal data solely to provide the service in accordance with the Main Agreement.

1.2    The data processor is not allowed to process personal data for other purposes, including its own purposes.

2.       Data Processing Security

 

2.1    Taking into account the nature, scope, context, and purpose of the processing, as well as the risk to the rights and freedoms of data subjects, the data processor shall implement an appropriate level of security.

2.2    The data processor is then entitled and obliged to make decisions about which technical and organizational security measures are to be implemented to establish the necessary (and agreed-upon) level of security.

2.3    The data processor shall, however, under all circumstances and as a minimum, implement the following measures, which have been agreed upon with the data controller:

 

Security measures

 

Technical measures

Since data is not physically stored with the data processor but only exists on external managed servers, the data processor's fulfillment of its obligations regarding security in Woba is described in the preceding provisions of this agreement. This includes data storage in Frankfurt (within the EU and in compliance with GDPR), data encryption in transit and at rest, backups on external servers (also in Frankfurt), and ensuring that subcontractors adhere to the guidelines for secure disposal of outdated hardware, etc. At Woba's physical location, there is a firewall and user rights administration in the 'Woba Access Control Matrix.' Clear guidelines for equipment use and access are described in the 'Information Security Policy' and can be provided upon request.

Physical measures

The Data Processor requires ISO 27001 certification for its subcontractors' handling of, among other things, the Data Processor's database, and system hosting, ensuring proper physical security of the Data Processor's data. This includes access control to hosting centers, fire suppression, monitoring, and fail-over systems.

Organizational measures

The Data Processor's employees are instructed and trained upon their employment regarding the provisions of this agreement and the Data Processor's internal policies in all respects. If the Data Processor's policies are updated or expanded, the Data Processor's employees are instructed about this as soon as possible and no later than one month thereafter. Annual awareness training is conducted for all employees on the comprehensive policies, and employees are subsequently tested on their understanding of the policies. Access to the system is granted to the Data Processor's employees on a 'least privilege' basis, minimizing access to the greatest extent possible.

 

 

3.       Assistance to the Data Controller

 

3.1    To the extent possible, the data processor, within the scope and extent outlined below, shall assist the data controller in accordance with Provisions 9.1 and 9.2 by implementing the following technical and organizational measures:

3.1.1     If the data controller receives a request regarding the exercise of a data subject's rights in accordance with applicable data protection laws, and it requires assistance from the data processor to respond to the request, the data processor shall assist the data controller with the necessary and relevant information and documentation, as well as appropriate technical and organizational security measures.

 

3.1.2     If the data controller requires the assistance of the data processor to respond to a request from a data subject, the data controller shall send a written request for assistance to the data processor, and the data processor shall, in response to such request, provide the necessary assistance or documentation without undue delay upon receiving the request. It is noted that, to provide this assistance to the extent relevant, the data processor may use the sub-processor(s) listed in Appendix B or another sub-processor added to the Data Processing Agreement in accordance with the provisions.

 

3.1.3     If the data processor receives a request to exercise rights under applicable data protection laws from someone other than the data controller, and the request pertains to personal data processed on behalf of the data controller, the data processor shall promptly forward the request to the data controller.

 

4.       Retention Period/Deletion Procedures

 

4.1        The data processor retains data for as long as the Main Agreement is in effect, after which the data processor deletes all personal data and other information processed on behalf of the data controller.

 

5.       Location of Processing

 

5.1     The processing of personal data covered by the provisions cannot occur at locations other than the following without the prior written approval of the data controller:

 

           At the data processor itself and approved sub-processors as described in Appendix B.

 

6.       Instructions for the Transfer of Personal Data to Third Countries

 

6.1    The data processor does not transfer personal data to third countries or international organizations unless they are listed in Appendix B.

 

6.2    The transfer of personal data can only take place in accordance with these provisions following instructions from the data controller and to the extent permitted by applicable data protection laws.

6.3    If, in accordance with these provisions, the Data Processor transfers personal data to sub-processors in third countries outside the EU/EEA, the Data Processor must independently ensure a legal basis for the transfer in accordance with Chapter V of Regulation (EU) 2016/679.

6.4    If the transfer of personal data to third countries outside the EU/EEA occurs in connection with the data processor's transfer to sub-processors, the data processor is authorized, according to the agreement's provisions, to enter into the standard contractual clauses adopted by the European Commission with its sub-processors on behalf of the data controller, provided that all data protection law rules regarding transfer and processing are complied with. If the data controller itself is a data processor, and the data processor is a sub-processor of the data relating to the data controller's ultimate contractual partner(s), the data controller must obtain consent from the ultimate contractual partner in the standard contract terms. The above applies only if sub-processors are no longer certified under the Data Privacy Framework.

 

7.     Procedures for the Data Controller's Audits, Including Inspections, of the Processing of Personal Data Entrusted to the Data Processor

 

7.1    Upon written request from the data controller, the data processor must document to the data controller that the data processor

7.1.1   complies with the obligations in accordance with these Provisions and the Instructions, and

7.1.2   complies with the relevant articles of the data protection regulation regarding the personal data processed on behalf of the data controller.

7.2    In accordance with Provision C.7.1, the data processor's documentation must be sent to the data controller within a reasonable time after receiving the request.

7.3    The data processor provides all the information necessary to demonstrate compliance with this agreement to the data controller and allows for and contributes to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.

         The data processor is obliged to grant access to the data controller's and data processor's facilities to authorities that, in accordance with the applicable legislation at any given time, have access, or to representatives acting on behalf of the authority, provided they have proper identification.

 

8.     Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

 

8.1    It is the Data Processor's responsibility to inspect/conduct control visits at the sub-processors. The Data Processor shall provide documentation of completed inspections/control visits to the Data Controller upon request.

 

8.2    The potential costs incurred by the Data Processor and the sub-processor according to Provision C.8.1 are of no concern to the Data Controller.

Annex D   Regulation of Other Matters by the Parties

1.       Transfer

1.1       The Data Processor cannot transfer its rights and obligations under the Data Processing Agreement without prior consent from the Data Controller, with the following exception: The Parties may, in whole or in part, assign the Agreement to

  1. an affiliated company of the Processor, or
  2. an unrelated third party, to the extent such transfer is part of a transaction, restructuring, divestiture, merger, acquisition, or the like involving the respective Party. In such cases, the Processor must ensure that the rights of the Data Controller are not adversely affected and inform the Data Controller of this transfer.

2.       Breach of Contract

 

2.1        It is considered a material breach of the Main Agreement if the Data Processor fails to fulfill the obligations according to the Data Processing Agreement or the applicable data protection rules in force for the Data Processor at any given time. The Data Controller is then entitled to terminate all agreements for data processing performed by the Data Processor on behalf of the Data Controller, without notice.

 

3.       Jurisdiction and Choice of Law

 

3.1        The Data Processing Agreement is governed by the Master Agreement concerning the choice of law and jurisdiction.