Data Processor Agreement
1 BACKGROUND AND PURPOSE
1.1 NorthQ ApS, company reg.no. 31048850 (“the Processor”) provides various IT services to the customer (the “Controller”) as described in the parties’ underlying agreement(s) concerning the Services (the “Services”).
1.2 The Processor processes personal data on behalf of the Controller as part of the performance of the Services. Accordingly, the parties have concluded this agreement (the “Data Processor Agreement”) which constitutes an integrated part of the parties’ agreement(s) concerning the Services. In case of conflict between any agreement between the Parties and this Data Processor Agreement, this Data Processor Agreement shall take precedence.
1.3 To the extent that the applicable data protection regulation entails a need to adjust the Data Processor Agreement, the parties agree that the content of this Data Processor Agreement shall be renegotiated between the Parties.
2.1 The Processor is authorized to process personal data on behalf of the Controller as part of the performance of the Services on the terms and conditions set out in this Data Processor Agreement.
2.2 The Processor is only allowed to process personal data pursuant to this Data Processor Agreement on behalf of the Controller and only to the extent the processing is necessary for delivering the Services.
2.3 The Processor is not allowed to process the personal data for its own purposes.
2.4 The Processor will process ordinary categories of personal data. This includes all personal data the Controller provides to the Processor, e.g. personal data uploaded to the Processor’s by the Customer when using the Services including GPS-data, data on electrical or gas consumption, price data concerning electrical or gas consumption, utility used and data on the Controller’s buildings, addresses, ID number, contact information etc. No special or sensitive categories of personal data are processed.
2.5 To the extent the Processor becomes aware that special/sensitive categories of personal data have been provided to the Processor, such personal data will be deleted instantly and without prior notice to the Controller, unless the Processor receives instructions from the Controller allowing the Processor to process such categories of personal data.
2.6 The Processor will process personal data pertaining to all categories of data subjects on behalf of the Controller incl. citizens, and any other stakeholders, which may also include children, to the extent such data is provided by the Controller.
2.7 The Processor may only process the personal data on the terms and conditions of the Controller’s instructions unless processing is otherwise required under EU law or national law applicable to the Processor. In this event, the Processor shall notify the Controller of the legal requirement before processing is carried out unless such notification would be in contravention to the law in question.
2.8 The Processor may anonymize data. Such anonymized data may be used without the instructions of the Controller and for the Processor’s own purposes.
3.1 This Data Processor Agreement shall be effective for the duration of the provision of the Services and shall terminate automatically when the Processor no longer processes personal data on behalf of the Controller as part of the Services.
3.2 Upon termination of the Data Processor Agreement, the Processor shall return to the Controller all personal data (if the Controller does not already have such data) and shall delete any existing copies unless EU law or national law requires the Processor to store the personal data.
3.3 Processor may keep any data which is not classified as personal data.
4 CONTROLLER’S OBLIGATIONS
4.1 The Controller is responsible for complying with applicable data protection law in relation to the personal data processed by the Processor on behalf of the Controller.
4.2 The Controller’s responsibility includes in particular the following, the compliance with which is warranted by the Controller:
The Controller has the necessary legal basis to process, and to permit the Processor to process, the personal data processed as part of the performance of the Services.
The specification of personal data in clause 2 of this Data Processor Agreement is exhaustive and no other personal data is being processed as part of the performance of the Services.
The instructions given are legal and sufficient for the Processor to fulfill its obligations.
5 PROCESSOR’S OBLIGATIONS
5.1 Security measures
5.1.1 The Processor shall initiate and implement appropriate technical and organizational measures to achieve a security level that matches the risks involved in the processing activities carried out by the Processor for the Controller.
5.1.2 The technical and organizational measures shall be determined, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
5.1.3 The Processor shall ensure that persons authorized to process the Controller’s personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
5.2 Documentation for compliance with the processor’s obligations
5.2.1 The Processor shall make available to the Controller all information required to demonstrate compliance with the requirements of the Data Processor Agreement. The Processor shall give access and contribute to audits, including inspections, conducted by the Controller or another auditor authorized by the Controller. This clause can also be fulfilled by the Processor’s submission of an audit report.
5.2.2 The Processor shall notify the Controller immediately if, in the Processor’s view, an instruction to make information available or give access to audits or inspections is contrary to applicable Danish law or data protection provisions in other EU law or national law.
5.3 Notification of personal data breaches
5.3.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
5.4 Assistance to the Controller
5.4.1 At the Controller’s request and taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, with the fulfilment of the Controller’s obligation to respond to requests for exercising the data subjects’ rights as set out in the applicable legislation on the processing of personal data.
5.4.2 At the Controller’s request and taking into account the nature of the processing and the information available to the Processor, the Processor shall also assist the Controller with ensuring compliance with the Controller’s obligations to:
a) implement appropriate technical and organizational measures;
b) notify the supervisory authorities of personal data breaches;
c) communicate a personal data breach to data subjects;
d) carry out data protection impact assessments; and
e) perform prior consultations of the supervisory authority.
6.1 The Processor is entitled to receive payment for time spent as well as other direct costs incurred by the Processor relating to assistance and services provided by the Processor at the request of the Controller. Such assistance and services may include but are not limited to assistance with reporting a security breach, provision of data to data subjects, audits, cooperation with supervisory authorities and assistance for compliance with requests from data subjects.
6.2 The Processor is entitled to receive payment for time spent as well as other direct costs incurred by the Processor relating to changes in the Controller’s circumstances or the instructions. The costs may include but are not limited to changes as a result of new risk assessments and impact assessments as well as changes necessitated due to the Controller being subject to law other than Danish law.
6.3 The compensation is calculated in accordance with the agreed hourly rate in the agreement(s) regarding delivery of the Service. Where no agreement regarding hourly rate has been made, the compensation is calculated in accordance with the Processor’s generally applied hourly rates.
6.4 Notwithstanding anything to the contrary in this clause 6, a party does not have the right to claim compensation for assistance or implementation of changes to the extent that such assistance or changes are a direct consequence of the party’s own breach of this Data Processor Agreement.
7 USE OF ANOTHER PROCESSOR
7.1 The Processor may use another processor (a sub-processor) without the Controller’s prior approval.
7.2 An updated list of sub-processors can be found either on the Processor’s website or made available through the IT solution provided by the Processor. Such list can also be provided by request to the e-mail address firstname.lastname@example.org. Further, any updates to the sub-processors will be notified to the Controller, e.g. via e-mail, newsletters, system notification etc. The Controller may object against the addition or substitution of a sub-processor to the extent the Controller has a reasonable basis for such objection.
7.3 Where the Processor engages a sub-processor, the same data protection obligations as set out in this Data Processor Agreement shall be imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the general data protection regulation. Notwithstanding the foregoing, the Controller accepts that the processing of data by the sub-processor may be subject to the standard terms and conditions that apply to such sub-processor, provided that the Controller is informed hereof. Such information regarding the sub-processors can be found on the Processor’s website, the IT solution provided by the Processor or otherwise provided to the Controller.
7.4 The Processor is fully liable to the Controller for the performance of the sub-processor’s obligations.
8 DATA EXPORT
8.1 The Processor will seek to keep all personal data within the European Union or EEA; it is not the intention of the Processor to export data. However, the Controller accepts that the Processor may transfer personal data to a country outside the European Union or EEA – provided that the Processor, prior to the transfer, has secured the necessary lawful basis for such transfer – or that the Controller has instructed the Processor to do so (e.g. by using the services provided by the Processor to send information to recipients outside of the EU or EEA), in which case the Controller is responsible for securing the necessary lawful basis.
8.2 If the Controller under the employed transfer basis is required to be a direct contractual party to an agreement, e.g. the EU Commission’s model contracts for the transfer of personal data to third countries, the Processor shall be authorized to conclude such agreement on behalf of the Controller. The content of this Data Processor Agreement shall not be deemed to change the content of such transfer basis, incl. the EU Commission’s model contracts.
9.1 The Processor may amend this Data Processor Agreement by giving 90 days prior written notice, such notice to include the amendment(s). If the Controller does not wish to be bound by the amended Data Processor Agreement, the Controller shall terminate the affected part(s) of the parties’ agreement(s) concerning the Services for convenience, by giving written notice hereof prior to the end of the Processor’s notice period with effect at the expiry of such notice period.
10 LIMITATIONS OF LIABILITY
10.1 The limitation of liability in the underlying agreement(s) concerning the Services applies to the Processor’s processing of the personal data under this Data Processor Agreement, incl. with regard to art. 82(5) of the general data protection regulation.
11 DISPUTES AND CHOICE OF LAW
11.1 This Data Processor Agreement is subject to the laws of Denmark, except for (a) Danish International Private Law principles leading to the application of law other than Danish law and (b) the United Nations Convention on Contracts for the International Sale of Goods (CISG).
11.2 Any dispute arising out of or in connection with this Data Processor Agreement which is not resolved by negotiation shall be settled by a competent court at the Processor’s venue.
Published on 01.09.2018
Revised on 23.10.2018