
Data Processing Agreement 01.05.2026

Data processing agreement prepared on the basis of the standard contractual clauses of the Danish Data Protection Agency (Datatilsynet).

Data Processing Agreement

In accordance with Article 28(3) of Regulation (EU) 2016/679 (the General Data Protection Regulation).

Customer

Address:

ZIP code / City:

Country: 

CVR no.:

Hereinafter referred to as the “Data Controller”

and

WOBA ApS

Frederiksborggade 20B, 1st floor

1360 Copenhagen K

Denmark

CVR no. 37609641

Hereinafter referred to as the “Data Processor”

The Data Controller and the Data Processor are each referred to as a “Party” and together as the “Parties.”

The Parties have agreed to the following data processing clauses (the “Clauses”) in order to comply with the General Data Protection Regulation and ensure the protection of the rights of data subjects.

Contents

  1. Preamble

  2. The rights and obligations of the Data Controller

  3. The Data Processor acts according to instructions

  4. Confidentiality

  5. Data processing security

  6. Use of sub-processors

  7. Transfer of data to third countries or international organisations

  8. Assistance to the Data Controller

  9. Notification of personal data breaches

  10. Deletion and return of information

  11. Audit and inspection

  12. Parties’ agreement on other terms

  13. Commencement and termination

  14. Contact persons for the Data Controller and the Data Processor


Appendix A – Information about the Processing

Appendix B – Sub-processors

Appendix C – Instructions regarding the Processing of Personal Data

Appendix D – Parties’ regulation of other matters

1. Preamble

1.1 These Clauses establish the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

1.2 These Clauses are designed to ensure the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or “GDPR”).

1.3 In connection with the provision of the WOBA HR platform (hereinafter referred to as the “System”) in accordance with the executed contract (hereinafter referred to as the “Main Agreement”), the Data Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.

1.4 These Clauses take precedence over any similar provisions in other agreements between the Parties.

1.5 There are four appendices to these Clauses, and the appendices form an integral part of these Clauses.

1.6 Appendix A contains detailed information about the processing of personal data, including the purpose and nature of the processing, the types of personal data, categories of data subjects, and the duration of the processing.

1.7 Appendix B contains the conditions set by the Data Controller for the Data Processor’s use of sub-processors and a list of sub-processors approved by the Data Controller.

1.8 Appendix C contains the Data Controller’s instructions regarding the Data Processor’s processing of personal data, a description of the minimum security measures to be implemented by the Data Processor, and the supervision process for the Data Processor and any sub-processors.

1.9 Appendix D contains provisions regarding other activities not covered by these Clauses.

1.10 If Standard Contractual Clauses as referred to in Article 46(2)(c) and (d) GDPR form the basis for transfers of personal data pursuant to Chapter V GDPR, such clauses shall be attached as Appendix E and Appendix E1, where relevant.

1.11 These Clauses, together with their appendices, shall be kept in writing, including electronically, by both Parties.

1.12 These Clauses do not exempt the Data Processor from obligations imposed on the Data Processor under GDPR or any other applicable legislation.

2. The rights and obligations of the Data Controller

2.1 The Data Controller is responsible for ensuring that the processing of personal data complies with GDPR, data protection provisions in other applicable EU law or Member State law, and these Clauses.

2.2 The Data Controller has the right and obligation to determine the purpose(s) and means of the processing of personal data.

2.3 The Data Controller is responsible, among other things, for ensuring that there is a valid legal basis for the processing of personal data that the Data Processor is instructed to carry out, including where the processing involves confidential personal data, CPR numbers, or special categories of personal data under Article 9 GDPR.

3. The Data Processor acts under instructions

3.1 The Data Processor may only process personal data on documented instructions from the Data Controller unless required to do otherwise by EU law or the national law of the Member State to which the Data Processor is subject. Such instructions shall be specified in Appendices A and C. Subsequent instructions may also be given by the Data Controller during the processing of personal data, but such instructions must always be documented and kept in writing, including electronically, together with these Clauses.

3.2 The Data Processor shall immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes GDPR or data protection provisions in other applicable EU law or Member State law.

3.3 The Data Processor shall immediately notify the Data Controller if, at any point during the term of the Data Processing Agreement, the Data Processor processes personal data in violation of the documented instructions.

4. Confidentiality

4.1 The Data Processor may only grant access to personal data processed on behalf of the Data Controller to persons acting under the authority of the Data Processor who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only to the extent necessary. The list of persons granted access shall be reviewed periodically. Based on such review, access to personal data may be withdrawn if access is no longer necessary, and the personal data shall no longer be accessible to such persons.

4.2 Upon request from the Data Controller, the Data Processor must be able to demonstrate that the persons acting under the authority of the Data Processor are subject to the above duty of confidentiality.

5. Processing Security

5.1 Pursuant to Article 32 GDPR, the Data Controller and the Data Processor shall, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The Data Controller shall assess the risks to the rights and freedoms of data subjects posed by the processing and implement measures to mitigate such risks. Depending on relevance, this may include:

5.1.1 Pseudonymisation and encryption of personal data.

5.1.2 The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

5.1.3 The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

5.1.4 A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5.2 Pursuant to Article 32 GDPR, the Data Processor shall also—independently of the Data Controller—assess the risks to the rights of data subjects posed by the processing and implement measures to mitigate those risks. For the purpose of this assessment, the Data Controller shall provide the information necessary for the Data Processor to identify and assess such risks.

5.3 Furthermore, the Data Processor shall assist the Data Controller in fulfilling the Data Controller’s obligations under Article 32 GDPR by, among other things, providing the necessary information to the Data Controller concerning the technical and organisational security measures already implemented by the Data Processor in accordance with Article 32 GDPR, and any other information necessary for the Data Controller’s compliance with its obligations under Article 32 GDPR.

If mitigation of the identified risks, as assessed by the Data Controller, requires the implementation of additional measures beyond those already implemented by the Data Processor, the Data Controller shall specify the additional measures to be implemented in Appendix C.

6. Use of Sub-processors

6.1 The Data Processor shall comply with the conditions set out in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).

6.2 The Data Processor may not engage a sub-processor for the performance of these Clauses without the prior general written authorisation of the Data Controller.

6.3 The Data Processor has the Data Controller’s general authorisation to use sub-processors. The Data Processor shall notify the Data Controller in writing of any intended changes concerning the addition or replacement of sub-processors with at least 30 days’ prior notice, thereby giving the Data Controller the opportunity to object to such changes before the sub-processor(s) in question are engaged. The list of sub-processors already approved by the Data Controller is set out in Appendix B.

6.4 Where the Data Processor engages a sub-processor to carry out specific processing activities on behalf of the Data Controller, the Data Processor shall impose on that sub-processor, by way of a contract or other legal act under EU or Member State law, the same data protection obligations as set out in these Clauses, thereby ensuring in particular that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of these Clauses and GDPR. The Data Processor is therefore responsible for ensuring that the sub-processor, at a minimum, complies with the obligations to which the Data Processor is subject under these Clauses and GDPR.

6.5 Copies of sub-processor agreements and any subsequent amendments thereto shall, upon the Data Controller’s request, be made available to the Data Controller to enable the Data Controller to verify that equivalent data protection obligations arising from these Clauses are imposed on the sub-processor. Provisions relating to commercial terms that do not affect the data protection content of the sub-processor agreement need not be disclosed to the Data Controller.

6.6 If a sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of the sub-processor’s obligations. This shall not affect the rights of data subjects under GDPR, including Articles 79 and 82, against the Data Controller, the Data Processor, or the sub-processor.

7. Transfer of data to third countries or international organisations

7.1 Any transfer of personal data to third countries or international organisations may only be carried out by the Data Processor on documented instructions from the Data Controller and shall always take place in compliance with Chapter V GDPR.

7.2 If transfer of personal data to a third country or an international organisation is required under EU law or Member State law applicable to the Data Processor, and such transfer has not been instructed by the Data Controller, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless such law prohibits such information on important grounds of public interest.

7.3 Without documented instructions from the Data Controller, the Data Processor may not, within the framework of these Clauses:

7.3.1 transfer personal data to a controller or processor in a third country or to an international organisation;

7.3.2 engage a sub-processor in a third country for the processing of personal data; or

7.3.3 process personal data in a third country.

7.4 The Data Controller’s instructions regarding transfers of personal data to a third country, including the transfer mechanism under Chapter V GDPR relied upon for such transfer, shall be specified in Appendix C.6.

7.5 These Clauses shall not be confused with Standard Contractual Clauses as referred to in Article 46(2)(c) and (d) GDPR, and these Clauses cannot in themselves constitute a valid basis for transfers of personal data under Chapter V GDPR unless the relevant Standard Contractual Clauses are attached as Appendix E, where applicable.

8. Assistance to the Data Controller

8.1 Taking into account the nature of the processing, the Data Processor shall assist the Data Controller, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Data Controller’s obligation to respond to requests for the exercise of the data subject’s rights laid down in Chapter III GDPR.

This means that the Data Processor shall, to the extent possible, assist the Data Controller in ensuring compliance with:

8.1.1 the duty to provide information when personal data are collected from the data subject;

8.1.2 the duty to provide information where personal data have not been obtained from the data subject;

8.1.3 the right of access;

8.1.4 the right to rectification;

8.1.5 the right to erasure (“the right to be forgotten”);

8.1.6 the right to restriction of processing;

8.1.7 the notification obligation regarding rectification or erasure of personal data or restriction of processing;

8.1.8 the right to data portability;

8.1.9 the right to object; and

8.1.10 the right not to be subject to a decision based solely on automated processing, including profiling.

8.2 In addition to the Data Processor’s obligation to assist the Data Controller pursuant to Clause 5.3, the Data Processor shall also assist the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, in relation to:

8.2.1 the Data Controller’s obligation to report personal data breaches to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

8.2.2 the Data Controller’s obligation to communicate a personal data breach to the data subject without undue delay where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;

8.2.3 the Data Controller’s obligation to carry out a data protection impact assessment of the envisaged processing operations; and

8.2.4 the Data Controller’s obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.

8.3 The Parties shall in Appendix C specify the necessary technical and organisational measures by which the Data Processor shall assist the Data Controller and the extent of such assistance. This applies to the obligations arising under Clauses 8.1 and 8.2.

9. Notification of a personal data breach

9.1 The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.

9.2 The Data Processor’s notification to the Data Controller shall be made without undue delay after the Data Processor has become aware of the breach, thereby enabling the Data Controller to comply with its obligation to notify the competent supervisory authority pursuant to Article 33 GDPR.

9.3 In accordance with Clause 8.2.1, the Data Processor shall assist the Data Controller in making the notification to the competent supervisory authority. This means that the Data Processor shall help provide the following information, insofar as available, as set out in Article 33(3) GDPR:

9.3.1 the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;

9.3.2 the likely consequences of the personal data breach; and

9.3.3 the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.4 The Parties shall in Appendix C specify the information that the Data Processor is required to provide in connection with its assistance to the Data Controller in fulfilling the Data Controller’s obligation to report personal data breaches to the competent supervisory authority.

9.5 The Data Processor shall not, without the Data Controller’s prior written approval regarding the content of such communication, disclose information about personal data breaches to the public or to third parties unless the Data Processor is under a legal obligation to do so. In such case, the Data Processor shall inform the Data Controller of the relevant legal obligation prior to such communication, unless such notification is prohibited by EU law or Member State law.

9.6 If a personal data breach is wholly or partly caused by an act or omission for which the Data Processor is responsible, the Data Processor shall bear the costs of notifying the authorities and informing data subjects to the extent that such notification or communication is required by law.

10. Deletion and return of information

10.1 Upon termination of the services relating to the processing of personal data, the Data Processor shall, at the choice of the Data Controller, either delete all personal data processed on behalf of the Data Controller and certify to the Data Controller that such deletion has taken place, or return all personal data to the Data Controller and delete existing copies, unless EU law or Member State law requires storage of the personal data.

Encrypted and anonymised question-and-answer data may be retained by the Data Processor for up to five (5) years after the cooperation with the Data Controller has ceased, unless the Data Controller requests deletion of such data. Such retention is made for the purpose of enabling the Data Processor, WOBA, to use such anonymised data for research and development purposes, provided that such data no longer constitute personal data under applicable law.

10.2 In the event of reasonable doubt after termination of the Data Processing Agreement as to whether the Data Processor has deleted all personal data, the Data Controller may request that the Data Processor, at the Data Controller’s expense, obtain an auditor’s statement confirming that the personal data have been deleted.

11. Audit, including inspection

11.1 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 GDPR and these Clauses and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

11.2 The procedures for the Data Controller’s audits, including inspections, of the Data Processor and sub-processors are further specified in Appendix C.7 and C.8.

11.3 The Data Processor shall be obliged to grant supervisory authorities, in accordance with applicable law, access to the Data Controller’s and the Data Processor’s facilities, or to representatives acting on behalf of the supervisory authority, upon presentation of proper identification.

12. The Parties’ agreement on other matters

12.1 The Parties may agree on other provisions concerning the service related to the processing of personal data, such as liability, provided that such provisions do not directly or indirectly conflict with these Clauses or diminish the fundamental rights and freedoms of data subjects under GDPR.

13. Commencement and termination

13.1 These Clauses shall enter into force on the date on which both Parties sign the Subscription Agreement.

13.2 Either Party may request that these Clauses be renegotiated if changes in applicable law or deficiencies in these Clauses give rise to such need.

13.3 These Clauses shall remain in force for the duration of the service related to the processing of personal data. During that period, the Clauses may not be terminated unless the Parties agree on other terms governing the processing of personal data.

13.4 If the provision of services relating to the processing of personal data ceases, and the personal data have been deleted or returned to the Data Controller in accordance with Clause 10.1 and Appendix C.4, these Clauses may be terminated by written notice from either Party.

13.5 Signature: This agreement shall be deemed entered into and signed simultaneously with the Main Agreement, shall take effect concurrently with the Main Agreement, and shall terminate concurrently with the Main Agreement.

On behalf of the Data Controller:


On behalf of the Data Processor:


14. Contact persons for the Data Controller and the Data Processor

14.1 The Parties may contact each other through the contact persons below, as well as the contact persons specified in the Main Agreement.

14.2 The Parties are obliged to keep each other informed of any changes to such contact persons.

Data Controller

Name:

Title:

Email:

Phone:

Data Processor

Name: Peter Engel Møller

Title: DPO

Email: pm@woba.io

Phone: +45 28 40 88 20


Appendix A – Information about the Processing

1. Purpose of the processing

1.1 The System is an HR platform that allows organisations to translate feedback from employee surveys into concrete action plans and preventive measures, creating real HR impact. The Data Controller may use Woba.io internally for conducting various HR-based surveys and assessments, including occupational health and safety (APV) surveys, well-being assessments, onboarding and exit surveys, leadership evaluations, and similar HR-related activities. Likewise, the Data Controller may record and process employee master data and related HR information, including, for example, sick leave, job function, age, organisational affiliation, employment-related identifiers, CPR number where necessary, and other relevant HR-related information made available by the Data Controller.

Where separately purchased or activated, the System may also include a whistleblower module for receiving, registering, investigating, and following up on whistleblower reports in accordance with the Data Controller’s instructions and applicable law.

2. Nature of the processing

2.1 The System is used to store, structure, combine, analyse, and otherwise process personal data about the Data Controller’s employees and other relevant data subjects, including their responses to various HR-based surveys and assessments and related employee master data uploaded or otherwise made available by the Data Controller.

2.2 Where separately purchased or activated by the Data Controller, the System may also include an AI-enabled module used as part of the services under the Main Agreement.

2.3 Where such AI-enabled module has been separately purchased or activated, the processing may include the use of AI-enabled tools or services for analysis, categorisation, summarisation, pattern identification, recommendation support, or similar functionality, solely as instructed by the Data Controller and only to the extent necessary for the provision of the services. Such use shall be subject to the restrictions and safeguards set out in Appendix C.


3. Types of personal data

3.1 Common personal data may be processed in the form of:

  1. Name, email address, employee ID, organisational unit, department, team, area, title, manager, and similar organisational or employment-related information. These types of information are standard and may be necessary for the Data Controller’s use of Woba.

  2. Responses to user surveys, occupational health and safety assessments, well-being surveys, onboarding and exit surveys, leadership evaluations, and other HR-related surveys, assessments, or workflows.

  3. Other ordinary personal data and confidential HR-related information uploaded, entered, or otherwise made available by the Data Controller as part of its use of the System.

3.2 Confidential personal data may be processed where instructed by the Data Controller, including CPR numbers and other national identification numbers, to the extent necessary for the purposes of the Main Agreement and supported by a valid legal basis.

3.3 Special categories of personal data under Article 9 GDPR may be processed only where specifically instructed by the Data Controller and where the Data Controller has established a valid legal basis, including health-related information where such information qualifies as special categories of personal data under Article 9 GDPR, such as information relating to sick leave, stress indicators, occupational health and safety matters, or similar health-related conditions, as well as other Article 9 data uploaded or otherwise made available by the Data Controller.

3.4 Unless the whistleblower module has been separately purchased or activated by the Data Controller, the System is not intended to process personal data relating to criminal convictions and offences under Article 10 GDPR, and such information must not be uploaded to, entered into, or otherwise processed in the System.

3.5 Where the whistleblower module has been separately purchased or activated, the processing may also include information contained in whistleblower reports, including information relating to suspected unlawful conduct, serious wrongdoing, or other reportable matters, to the extent permitted by applicable law and instructed by the Data Controller.

4. Categories of data subjects

4.1 The Data Controller’s employees, including managers, and, where relevant, candidates, consultants, and other persons whose personal data the Data Controller chooses to process in the System in connection with HR-related activities. Where the whistleblower module has been separately purchased or activated, categories of data subjects may also include reporting persons, reported persons, witnesses, and other persons involved in or referred to in whistleblower reports or related case handling, to the extent such persons are internal to the Data Controller’s organisation.

5. Duration of the processing

5.1 The Data Processor processes personal data for as long as the Main Agreement is in force. Systems may be restored to previous states in accordance with the Data Processor’s backup and disaster recovery procedures. The database may be restored to a point in time up to 14 days in the past.

Appendix B – Approved Sub-processors

At the commencement of the Data Processing Agreement, the Data Controller approves the use of the sub-processors listed in WOBA’s then-current sub-processor list made available to the Data Controller and published by WOBA as part of this Appendix B.

WOBA uses EU-based sub-processors that process data within the European Union and/or sub-processors that are subject to a valid transfer mechanism where relevant, including, where applicable, certification under the EU-U.S. Data Privacy Framework (https://www.dataprivacyframework.gov/s/).

The current sub-processor list is available at:

https://helpcenter.woba.io/knowledge/3rd-party-services

1.3 At the commencement of these Clauses, the Data Controller approves the use of the sub-processor(s) for the processing activities described for each such sub-processor. The Data Processor may replace sub-processors. The Data Processor has the Data Controller’s general approval to engage sub-processors. The Data Processor shall give the Data Controller written notice of any intended changes concerning the addition or replacement of sub-processors with at least 30 days’ prior notice, thereby allowing the Data Controller to object to such changes before the relevant sub-processor(s) are engaged.

1.4 The Data Processor may not use a sub-processor for a materially different processing activity than the one described and agreed upon without the Data Controller’s written approval.

Appendix C – Instructions for the Processing of Personal Data

1. Subject Matter / Instructions of Processing

1.1 The Data Processor processes personal data solely for the purpose of providing the services under the Main Agreement.

1.2 The Data Processor may not process personal data for other purposes, including its own purposes.

1.3 Where the Data Controller instructs the Data Processor to process CPR numbers or special categories of personal data under Article 9 GDPR, such processing shall only take place to the extent necessary for performance of the Main Agreement and only on documented instructions from the Data Controller.

1.4 The Data Controller is solely responsible for ensuring that any instruction to process CPR numbers or special categories of personal data is supported by a valid legal basis under GDPR, the Danish Data Protection Act, and other applicable law.

1.5 Whistleblower module

Where the whistleblower module has been separately purchased or activated by the Data Controller, the Data Processor may process personal data contained in internal whistleblower reports, including, where applicable, personal data relating to criminal convictions and offences under Article 10 GDPR, solely for the purpose of providing the internal whistleblower services under the Main Agreement and only on documented instructions from the Data Controller and as permitted by applicable law.

1.6 Use of AI-enabled module

Where separately purchased or activated by the Data Controller, the Data Processor may use an AI-enabled module solely for the purpose of providing the services under the Main Agreement and only on documented instructions from the Data Controller.

1.7 Scope of AI processing

Where the AI-enabled module has been separately purchased or activated, the Data Processor may process personal data through AI-enabled tools or services only to the extent necessary for analysis, categorisation, summarisation, recommendation support, or similar service-related functionality comprised by the module.

1.8 No independent use or model training

Unless expressly instructed in writing by the Data Controller and permitted by applicable law, the Data Processor shall not use personal data processed under these Clauses, through the AI-enabled module or otherwise, for training, retraining, fine-tuning, testing, or improving any general-purpose, customer-independent, or third-party AI models.

1.9 AI sub-processors

Any AI-enabled tools or services used as part of the AI-enabled module shall be subject to the same restrictions and obligations as other sub-processors under these Clauses and shall be listed in Appendix B where applicable.

1.10 Data minimisation and de-identification for AI-enabled module

Where the AI-enabled module has been separately purchased or activated, the Data Processor shall ensure that special categories of personal data under Article 9 GDPR and other directly identifying personal data are not disclosed to or processed by the AI-enabled tools or services used as part of the module. Any processing by such AI-enabled tools or services shall take place only through a closed API integration controlled by the Data Processor, and only the minimum data necessary for the relevant functionality shall be disclosed. Only questions, answers, comments, and similar input data may be processed by such AI-enabled tools or services, and such data shall be anonymised or otherwise de-identified prior to such processing, as appropriate.


2. Data Processing Security

2.1 Taking into account the nature, scope, context, and purpose of the processing, as well as the risks to the rights and freedoms of data subjects, the Data Processor shall implement an appropriate level of security.

2.2 The Data Processor is entitled and obliged to make decisions as to which technical and organisational security measures are to be implemented in order to establish the necessary and agreed level of security.

2.3 The Data Processor shall, however, as a minimum, implement the following measures agreed with the Data Controller:

Security measures

Technical measures

As personal data is hosted on external managed servers rather than physically stored at the Data Processor’s own premises, the Data Processor implements security measures in relation to Woba including, among other things, hosting of data within the EU/EEA, encryption of data in transit and at rest, backups on external servers located within the EU/EEA, and measures to ensure that sub-processors apply appropriate procedures for the secure disposal of outdated hardware and related equipment.

At Woba’s physical offices, firewall protection and user access management are implemented as described in the Woba Access Control Matrix. Guidelines regarding equipment use and access are set out in the Information Security Policy and may be made available upon request.

Physical measures

The Data Processor uses sub-processors with a documented and appropriate level of information security, including ISO 27001 certification where relevant, for sub-processors handling, among other things, the Data Processor’s database and hosting environment, thereby supporting an appropriate level of physical and environmental security for personal data. This includes, for example, access control to hosting centres, fire suppression, monitoring, and fail-over systems.

Organisational measures

The Data Processor’s employees are instructed and trained upon commencement of employment regarding the provisions of this Agreement and the Data Processor’s internal policies, as relevant to their role and responsibilities. If the Data Processor’s policies are updated or expanded, employees shall be informed as soon as reasonably possible and no later than one month thereafter. Annual awareness training is conducted for all relevant employees regarding such policies, and employees are subsequently tested on their understanding thereof. Access to the System is granted on a least privilege basis, thereby limiting access to the extent necessary for the performance of the employee’s duties.

Additional safeguards for CPR numbers and Article 9 data

Where the processing includes CPR numbers or special categories of personal data under Article 9 GDPR, the Data Processor shall apply heightened safeguards as appropriate, including stricter access limitation, logging of relevant access, increased control of exports, and masking or limitation of display where feasible and relevant.


3. Assistance to the Data Controller

3.1 To the extent possible, the Data Processor shall, within the scope and extent set out below, assist the Data Controller in accordance with Clauses 8.1 and 8.2 by implementing the following technical and organisational measures:

3.1.1 If the Data Controller receives a request regarding the exercise of a data subject’s rights under applicable data protection law, and such request requires assistance from the Data Processor in order to respond, the Data Processor shall assist the Data Controller by providing necessary and relevant information and documentation, as well as appropriate technical and organisational measures.

3.1.2 If the Data Controller requires assistance from the Data Processor in order to respond to a request from a data subject, the Data Controller shall submit a written request for assistance to the Data Processor, and the Data Processor shall provide the necessary assistance or documentation without undue delay after receipt of such request. It is acknowledged that, to the extent relevant, the Data Processor may involve the sub-processor(s) listed in Appendix B or sub-processors subsequently added to the Data Processing Agreement in accordance with these Clauses.

3.1.3 If the Data Processor receives a request to exercise rights under applicable data protection law from someone other than the Data Controller, and the request concerns personal data processed on behalf of the Data Controller, the Data Processor shall promptly forward the request to the Data Controller.


4. Retention Period / Deletion Procedures

4.1 The Data Processor retains personal data for as long as the Main Agreement is in force, after which the Data Processor shall delete all personal data and other information processed on behalf of the Data Controller, subject to Clause 10.1 of the Clauses and any applicable legal retention obligations.


5. Location of Processing

5.1 The processing of personal data covered by these Clauses may not take place at locations other than the following without the Data Controller’s prior written approval:

At the Data Processor itself and at approved sub-processors as described in Appendix B.


6. Instructions for the Transfer of Personal Data to Third Countries

6.1 The Data Processor does not transfer personal data to third countries or international organisations unless such transfers are described in Appendix B or otherwise instructed by the Data Controller.

6.2 Transfer of personal data may only take place in accordance with these Clauses, on the documented instructions of the Data Controller, and to the extent permitted by applicable data protection law.

6.3 If, in accordance with these Clauses, the Data Processor transfers personal data to sub-processors in third countries outside the EU/EEA, the Data Processor shall ensure that a valid transfer mechanism under Chapter V GDPR is in place.

6.4 If transfer of personal data to third countries outside the EU/EEA takes place in connection with the Data Processor’s use of sub-processors, the Data Processor is authorised, in accordance with these Clauses, to enter into the European Commission’s Standard Contractual Clauses with such sub-processors on behalf of the Data Controller, provided that all applicable rules governing transfer and processing are complied with. If the Data Controller itself acts as a processor, and the Data Processor acts as a sub-processor of personal data relating to the Data Controller’s ultimate contractual partner(s), the Data Controller shall obtain any necessary authorisation from such ultimate contractual partner(s), where required. The above applies only if the relevant sub-processor is not otherwise covered by a valid transfer mechanism.


7. Procedures for the Data Controller’s Audits, including Inspections, of the Processing of Personal Data entrusted to the Data Processor

7.1 Upon written request from the Data Controller, the Data Processor shall provide documentation demonstrating that the Data Processor:

7.1.1 complies with its obligations under these Clauses and the instructions;

7.1.2 complies with the relevant provisions of GDPR in relation to the personal data processed on behalf of the Data Controller.

7.2 The documentation referred to in Clause C.7.1 shall be submitted to the Data Controller within a reasonable time after receipt of the request.

7.3 The Data Processor shall provide all information necessary to demonstrate compliance with this Agreement to the Data Controller and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

The Data Processor shall be obliged to grant access to the facilities of the Data Controller and the Data Processor to authorities which, under applicable law, are entitled to such access, or to representatives acting on behalf of such authority, provided that they present proper identification.


8. Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

8.1 It is the Data Processor’s responsibility to inspect and/or carry out control visits with sub-processors. The Data Processor shall provide documentation of completed inspections and/or control visits to the Data Controller upon request.

8.2 Any costs incurred by the Data Processor and the sub-processor(s) pursuant to Clause C.8.1 shall not be borne by the Data Controller unless otherwise agreed.

Appendix D – Regulation of Other Matters by the Parties

1. Transfer

1.1 The Data Processor may not assign its rights and obligations under the Data Processing Agreement without the prior consent of the Data Controller, except that either Party may, in whole or in part, assign the Agreement to:

i) an affiliated company of that Party; or

ii) an unrelated third party, where such transfer takes place as part of a transaction, restructuring, divestiture, merger, acquisition, or similar corporate event involving the relevant Party.

In such cases, the Data Processor shall ensure that the rights of the Data Controller are not adversely affected and shall inform the Data Controller of such transfer.

2. Breach

2.1 It shall constitute a material breach of the Main Agreement if the Data Processor fails to fulfil its obligations under the Data Processing Agreement or the applicable data protection rules in force for the Data Processor from time to time. In such event, the Data Controller shall be entitled to terminate all agreements relating to processing carried out by the Data Processor on behalf of the Data Controller without notice.

3. Jurisdiction and choice of law

3.1 This Data Processing Agreement shall be governed by the choice of law and jurisdiction provisions set out in the Main Agreement.