Data Processing Agreement for [Company Name]

This agreement is made between [Company Name] – [Address] – [Postal Code] [City Name] (hereinafter referred to as the “Data Controller”) and ServicePoint A/S - Åbogade 15 - 8200 Århus N - CVR No. 26 61 64 09 (hereinafter referred to as the “Data Processor”) (collectively referred to as the “Parties” and individually as a “Party”).

The following data processing agreement (“Data Processing Agreement”) has been entered into regarding the Data Processor's processing of personal data on behalf of the Data Controller.

1 Background, Purpose, and Scope

1.1 As part of the Data Processor's provision of services in connection with the Hosting Agreement, the Data Processor processes personal data for which the Data Controller is responsible.

1.2 The Data Processor must comply with the Danish Data Protection Act (Act No. 421 of 31 May 2000, as amended) and related regulations.

1.3 From 25 May 2018, the Data Processor must instead comply with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and related legislation, as well as any derived national legislation.

1.4 Both the Danish Data Protection Act and the General Data Protection Regulation require that a written agreement be made between the Data Controller and the Data Processor concerning the processing to be carried out; a so-called 'data processing agreement.' This Data Processing Agreement constitutes such a data processing agreement.

2 Personal Data Covered by the Agreement

2.1 The Data Processing Agreement and the associated instructions cover all types of personal data processed by the Data Controller pursuant to the Hosting Agreement entered into between the Parties. The following types of data may be included:

GENERAL INFORMATION

• All other information that is not sensitive data

SENSITIVE INFORMATION

• Information about race or ethnic origin
• Political, religious, or philosophical beliefs
• Trade union membership
• Health information
• Information about sexual relations and orientation
• Information about criminal offenses
• (In the future, also genetic and biometric data)

2.2 The categories of data subjects to whom the personal data relate may include, for example, users, employees, applicants, candidates, customers, consumers, patients, or similar.

3 Geographical Requirements

3.1 The processing of personal data carried out by the Data Processor on behalf of the Data Controller must only be performed by the Data Processor or subprocessors, as specified in section 5, within the European Economic Area (EEA). Under no circumstances is the Data Processor entitled to allow data processing outside the EEA without the written consent of the Data Controller.

4 Instructions

4.1 The primary data processing carried out by the Data Processor is the storage of data that the Data Controller entrusts to the Data Processor in connection with the Hosting Agreement. If the Data Controller requires other types of data processing that are not related to the standard services provided by the Data Processor, the Data Controller must provide the Data Processor with a clear, documented instruction.

4.2 The Data Processor only acts according to documented instructions from the Data Controller. The Data Processor must ensure that the entrusted personal data is not used for other purposes or processed in any other way than specified by the Data Controller's instructions. All processing necessary and described for the execution of the Hosting Agreement is considered documented.

4.3 If an instruction is deemed by the Data Processor to be in violation of the Danish Data Protection Act or the General Data Protection Regulation, the Data Processor must inform the Data Controller accordingly.

4.4 If the processing of personal data by the Data Processor is carried out wholly or partly using remote access, including home workplaces, the Data Processor must establish guidelines for the employees' processing of personal data using remote access, which must meet the requirements set out in the Agreement.

4.5 The Data Processor must, as far as possible, assist the Data Controller in fulfilling the Data Controller's obligations to respond to requests to exercise the data subjects' rights, including access, rectification, restriction, or deletion, if the relevant personal data is processed by the Data Processor. If the Data Processor receives such a request from the data subject, the Data Processor must inform the Data Controller.

4.6 The Data Controller is liable for all the Data Processor's costs in providing such assistance, as specified in section 4.5, including costs to subprocessors. The Data Processor's assistance is charged at the Data Processor's current hourly rate for such work.

5 Use of Subprocessors

5.1 The Data Controller consents to the Data Processor's use of subprocessors, provided that the conditions set out in the Agreement are met. The Data Controller can always view the Data Processor's subprocessors by logging into the Customer Center on the Data Processor's website.

5.2 The subprocessor is under the instruction of the Data Processor. The Data Processor has entered into a written data processing agreement with the subprocessor, ensuring that the subprocessor meets requirements equivalent to those imposed on the Data Processor by the Data Controller under the Agreement.

5.3 Costs associated with establishing the contractual relationship with a subprocessor, including costs for preparing the data processing agreement and any establishment of a basis for transfer to third countries, are borne by the Data Processor and are therefore not the responsibility of the Data Controller.

5.4 If the Data Controller wishes to instruct subprocessors directly, this should only occur after discussion with and through the Data Processor. If the Data Controller issues instructions directly to subprocessors, the Data Controller must notify the Data Processor of the instruction and the reason for it no later than at the same time. Where the Data Controller instructs subprocessors directly: a) the Data Processor is exempt from any responsibility, and any consequence of such instruction is solely the responsibility of the Data Controller, b) the Data Controller is liable for any cost that the instruction may cause for the Data Processor, including the Data Processor is entitled to invoice the Data Controller at its usual hourly rate for all working time that such direct instruction may entail for the Data Processor, and c) the Data Controller is solely responsible to the subprocessors for any cost, fee, or other payment to the subprocessor that the direct instruction may entail.

5.6 By entering into this Agreement, the Data Controller accepts that the Data Processor is entitled to change subprocessors, provided that a) any new subprocessor complies with equivalent conditions as those set out in this section 5 for the current subprocessor and b) the Data Controller is informed of the new subprocessor at the latest when the new subprocessor begins processing personal data for which the Data Controller is responsible, as reflected on the Data Processor's website.

6 Processing and Disclosure of Personal Data

6.1 The Data Controller guarantees that it has the necessary legal basis for the processing of the personal data covered by this Data Processing Agreement.

6.2 The Data Processor may not, without written consent from the Data Controller, disclose information to third parties, unless such disclosure is required by law or a binding request from a court or a data protection authority, or as stated in this Agreement.

7 Security

7.1 The Data Processor must take appropriate technical and organizational security measures to prevent personal data from being accidentally or unlawfully destroyed, lost, or degraded, and to prevent unauthorized access, misuse, or other processing in violation of the law, as referenced in sections 1.2 and 1.3 above.

7.2 The Security Executive Order (Executive Order No. 528 of 15 June 2000 on security measures for the protection of personal data processed for the public administration, as amended by Executive Order No. 201 of 22 March 2001) must also be complied with if the processing of personal data is for the public administration.

7.3 The Data Processor is always entitled to implement alternative security measures, provided that such security measures at least meet or provide greater security than those described in the Hosting Certificate and Appendix 1, and otherwise meet the security requirements set out in the Hosting Agreement. The Data Processor may not, without the prior written approval of the Data Controller, reduce the level of security.

7.4 If the Data Processor is established in another EU member state, the security measures required by the legislation of the EU member state where the Data Processor is established shall also apply to the Data Processor. Thus, if the Data Processor is established in another EU member state, the Data Processor must comply with both the security requirements of applicable Danish law and the security requirements of the Data Processor's home country. The same applies to subprocessors.

7.5 The Data Processor must, as far as possible, assist the Data Controller in ensuring compliance with the obligations in Articles 32 (implementation of appropriate technical and organizational measures), 35 (conducting a data protection impact assessment), and 36 (prior consultation) of the Regulation, as agreed with the Data Controller. In this context, the Data Processor is entitled to invoice the Data Controller at its usual hourly rate for all working time that such an agreement may entail for the Data Processor, and the Data Controller is liable for any payment to the subprocessor.

7.6 If the measures referred to in section 7.5 lead to increased security measures compared to what was already agreed between the Parties under this Agreement, the Data Processor will implement such measures as far as possible, provided that the Data Processor receives payment for them, as specified in section 7.7 below.

7.7 Costs associated with the implementation of such measures, as specified in section 7.6, are borne by the Data Controller and are therefore not the responsibility of the Data Processor.

8 Right of Supervision

8.1 At the request of the Data Controller, the Data Processor shall provide the Data Controller with sufficient information to ensure that the Data Processor has taken the necessary technical and organizational security measures.

8.2 If the Data Controller also wishes this to include the processing carried out by subprocessors, the Data Processor must be informed. The Data Processor will then obtain sufficient information from the subprocessor.

8.3 If the Data Controller wishes to conduct supervision as stated in this section 8, the Data Controller must always give the Data Processor at least 30 days' notice.

8.4 If the Data Processor has prepared a security audit report describing the security conditions at the subprocessor, the Data Controller is entitled to receive a copy thereof. A copy of such a security audit report can always be downloaded from the Data Processor's website.

8.5 If the Data Controller wishes to have another or additional security audit report prepared in addition to those mentioned in section 8.4, or if supervision of the Data Processor's or subprocessor's personal data processing is otherwise desired, including if the Data Controller wishes a security audit report prepared at a specific time, this must be agreed upon with the Data Processor. The Data Processor or subprocessor may at any time require that such a security audit report be prepared in accordance with a recognized audit standard (e.g., ISAE 3402 with reference framework to ISO 27002:2014 or similar) by a generally recognized and independent third party that deals with such matters.

8.6 The Data Controller bears all costs associated with the supervision of security conditions at the Data Processor and with respect to the subprocessor. The Data Processor is entitled to invoice the Data Controller at its usual hourly rate for all working time that such supervision may entail for the Data Processor, and the Data Controller is liable for any payment to the subprocessor.

9 Personal Data Breach

9.1 If the Data Processor becomes aware of a personal data breach, meaning a security breach that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, the Data Processor is obligated to, without undue delay, seek to locate such a breach and attempt to minimize the damage as much as possible, and to the extent possible, restore any lost data.

9.2 Furthermore, the Data Processor is obligated to, without undue delay, notify the Data Controller after becoming aware that a personal data breach has occurred. The Data Processor must then, without undue delay and to the extent possible, provide written notice to the Data Controller, which should include as much information as possible:

• A description of the nature of the breach, including the categories and approximate number of affected data subjects and data records of personal data.
• The name and contact details of the data protection officer.
• A description of the likely consequences of the breach.
• A description of the measures that the Data Processor or subprocessor has taken or proposes to take to address the breach, including measures to mitigate its possible adverse effects.

9.3 If it is not possible to provide the information listed in section 9.2 all at once, the information may be provided in stages without undue further delay.

9.4 Similarly, subprocessors are required to notify the Data Processor without undue delay in accordance with sections 9.2 and 9.3.

10 Confidentiality

10.1 The Data Processor must keep the personal data confidential and is therefore only entitled to use the personal data as part of fulfilling its obligations and rights under the Agreement.

10.2 The Data Processor must ensure that employees and any others, including subprocessors, who are authorized to process the personal data covered by the Agreement, are subject to a duty of confidentiality.

11 Duration and Termination of the Data Processing Agreement

11.1 The Agreement comes into effect upon the Parties' signing of the Hosting Agreement, electronic acceptance upon login to the Customer Center, or alternatively by separate signature below (if the Hosting Agreement was entered into before 1 March 2018).

11.2 In the event that the Hosting Agreement is terminated, for any reason, this Agreement will also terminate. However, the Data Processor is bound by this Agreement as long as the Data Processor processes personal data on behalf of the Data Controller, and the Data Controller must inform the Data Processor in writing as soon as possible and no later than 14 days after the termination of the Hosting Agreement, how the Data Processor should handle the processed personal data. 30 days after the termination of the Hosting Agreement, the Data Processor is entitled to delete all personal data that was processed under the terminated Hosting Agreement on behalf of the Data Controller.

12 Appendices

12.1 Appendix 1: Security Environment (for primary subprocessor: Interxion)

13 Signature

13.1 The above is hereby accepted with effect from the Parties' signature.

Tristan White
CEO, Senbee, Inc.

[Name]
[Title], [Company Name]

Latest update: July 3, 2024