Data Processing Agreement


  1. Definitions and interpretation

    1. As used and defined herein, the following terms have the following meanings:
    2. “Data Protection Legislation” means the data protection legislation applicable at any given time in Denmark, currently Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Danish Data Protection Act (databeskyttelsesloven) and any other special national rules, including without limitation any statutes, rules and binding guidelines from public authorities applicable to the processing of Personal Data. 
    3. “Personal Data” means any kind of information relating to an identified or identifiable natural person. If confidential data other than Personal Data is processed under the Agreement, any reference to Personal Data includes also such other confidential data. 
    4. “Services” means the products and/or services to be supplied/provided by the Processor under the Contract (as defined below).
    5. Any reference to a legislative provision will be deemed to include any subsequent re-enactment or amending provision.

  2. Background

    1. The Parties have entered into easyrate ApS’s Terms of Service (hereinafter the “Contract”). As part of the provision of the Services, the Processor will process Personal Data on behalf of the Controller.
    2. The Parties now wish to enter into this Agreement in order to regulate the processing of the Personal Data by the Processor and to ensure that such processing is carried out in compliance with the Data Protection Legislation.

  3. General requirements

    1. The Processor may process the Personal Data only in compliance with the Controller’s documented written instructions. The data processing tasks performed by the Processor on behalf of the Controller under this Agreement are set out in Appendix 1.
    2. The Processor is entitled to process the Personal Data only for the purpose of providing the Services and only to such an extent and in such a manner as is necessary in order to provide the Services. 
    3. If the Processor is a legal person, the provisions of this Agreement apply to every employee of the Processor. The Processor guarantees that its employees comply with this Agreement.

  4. Disclosure of Personal Data

    1. The Processor may not in any way modify, amend or alter the contents of the Personal Data or disclose the Personal Data to any third party, unless 1) explicitly provided for in this Agreement; 2) the Controller has otherwise authorised and/or instructed the Processor in writing to do so; and/or 3) such disclosure is required by applicable legislation to which the Processor is subject.
    2. If the disclosure falls within clause 4.1.3), the Processor must notify the Controller thereof before commencing the processing of the Personal Data, unless notification of the Controller is prohibited under Union law or the Member State law to which the Processor is subject.

  5. Security

    1. The Processor must implement appropriate technical and organisational security measures to protect the Personal Data against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, damage, alteration or disclosure.  
    2. When determining the appropriate technical and organisational security measures, the Processor must take account of the current available technology and technological developments; the costs of implementation; the nature, scope, context and purposes of the processing; and the risks of varying likelihood and severity for rights and freedoms of natural persons. 
    3. The Processor must comply with and ensure compliance by its employees with the special data security requirements applying to the Processor, including without limitation (i) all security measure requirements notified to the Processor in writing, (ii) the Processor’s own internal security standards, and (iii) the national security measure requirements of the country in which the Processor is established, or in the country where the data processing takes place.
    4. The Processor must keep the Personal Data confidential. The Processor must take reasonable steps to ensure that every employee, agent or contractor who has access to the Personal Data is reliable and trustworthy, and that they are all subject to confidentiality undertakings, professional secrecy or statutory non-disclosure obligations. The Processor must also ensure in each case that access is strictly limited to those persons who need to access the relevant Personal Data to carry out the duties assigned to them by the Processor, and that this is strictly necessary for the provision of the Services, and that all such persons: (i) are informed of the confidential nature of the Personal Data; (ii) have received appropriate training in relation to the Data Protection Legislation; and (iii) are aware of the Processor’s obligations under this Agreement.
    5. The physical location of the Processor’s servers, service centre, etc., used in connection with the data processing appears from Appendix 1 to this Agreement. Changes in the physical location must be notified in writing to the Controller no less than 30 days prior to such change.

  6. Transfer of Personal Data to third countries

    1. The Processor may not process or access the Personal Data from or transfer the Personal Data to any third country without the prior written consent of the Controller. 
    2. If the Controller has given its written consent to a transfer of Personal Data to a third country, the Processor must ensure that the transfer is effected on a legal basis, e.g. the European Commission model contracts for the transfer of personal data to third countries, before such transfer may be made by the Processor.

  7. Assistance

    1. The Processor must assist the Controller in dealing with requests from data subjects in connection with the data subject’s exercise of his/her rights under the Data Protection Legislation, including without limitation requests for access, rectification, restriction of processing, deletion or data portability.
    2. The Processor must, without undue delay after becoming aware thereof, notify the Controller in writing of any request from a data subject for the exercise of his/her rights received directly from the data subject or from a third party. 
    3. The Processor must implement adequate technical and organisational measures to assist the Controller in the performance of its obligation to respond to such data subject requests. The Processor must provide all information requested by the Controller within the reasonable time stipulated by the Controller.
    4. The Processor must, immediately upon becoming aware thereof, notify the Controller in writing of any suspected or confirmed (i) personal data breach; (ii) accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by the Processor under this Agreement; or (iii) any other non-compliance with the Processor’s obligations under this Agreement. The Processor must cooperate with and provide assistance to the Controller in connection with the management of the personal data breach. All data recovery costs are payable by the Processor. 
    5. The Processor must assist the Controller in complying with any other obligations imposed on the Controller under the Data Protection Legislation, including without limitation upon request providing the Controller with all necessary information required to make an impact assessment.
    6. The Processor will be entitled to separate remuneration for services rendered in relation to this clause 7 in accordance with the Processor’s standard hourly rates from time to time.

  8. Sub-processing

    1. The Processor may appoint any third party to process Personal Data on behalf of the Processor (“Sub-Processor”) without the prior written consent of the Controller, provided that two months’ notice is given in the event of such appointment.
    2. The Processor’s appointments of Sub-Processors under clause 8.1 are conditional upon the Processor 1) carrying out adequate due diligence on each Sub-Processor to ensure that it is capable of providing the level of protection for the processing of Personal Data as is required by this Agreement and the Data Protection Legislation; 2) including terms in the contract between the Processor and each Sub-Processor which, at a minimum, impose the same obligations on the Sub-Processor as those imposed on the Processor under this Agreement; and 3) remaining fully liable to the Controller for any failure by any Sub-Processor to perform its obligations in relation to the processing of Personal Data.
    3. The Controller is entitled, upon demand, to receive a list of the Sub-Processors at any time.
    4. The Controller is entitled, upon demand, to receive a copy of those parts of the Processor’s contract with the Sub-Processor which concern the Sub-Processor’s obligations relating to the processing of Personal Data.

  9. Compliance with legislation, etc.

    1. The Controller is obliged to ensure that there is a legal basis for the processing of the Personal Data contained in the Controller’s instruction to the Data Processor set out in Appendix 1. If the Processor considers an instruction to constitute a breach of the Data Protection Legislation, the Processor must promptly notify the Controller thereof in writing.
    2. The Controller acknowledges that the Processor is reliant on the Controller for direction as to the extent to which the Processor is entitled to use and process the Personal Data on behalf of the Controller. Consequently, the Processor will not be liable for any claim brought by a data subject arising from any action or omission by the Processor, to the extent that such act or omission resulted directly from performing the Services in accordance with the Controller’s instructions.

  10. Compliance audits and statements

    1. At the request of the Controller, the Processor must, within a reasonable time, provide all information necessary for the Controller, a third party auditor mandated by the Controller, or a public authority to verify compliance with this Agreement and/or the Data Protection Legislation.
    2. The Processor is obliged, once a year and upon reasonable written notice, to cooperate in any such compliance audit, inspection and/or review carried out by the Controller, a third party auditor mandated by the Controller, or by a public authority concerning the processing of Personal Data under this Agreement undertaken by the Processor and any Sub-Processors.
    3. The Controller is entitled, at its own expense, to appoint an independent expert who is to have access to the physical facilities of the Processor where the Personal Data are processed and to receive the necessary information required to verify whether the Processor complies with its obligations under this Agreement and the Data Protection Legislation. At the request of the Processor, the independent expert must sign a usual confidentiality undertaking.
    4. The Processor will not receive any separate remuneration for services rendered in relation to this clause 10 in accordance with the Processor’s standard hourly rates from time to time.

  11. Duration and termination

    1. This Agreement takes effect on the effective date of the Contract and will remain in effect until the Contract is terminated. 
    2. Both Parties are entitled to terminate this Agreement for convenience on the same terms as those which apply to the Contract.
    3. This Agreement is to apply as between the Parties for as long as the Processor processes Personal Data on behalf of the Controller.
    4. Upon termination of this Agreement, for whatever reason, the Data Processor must 1) with the exception of paragraph 3) below, cease processing the Personal Data; 2) as requested by the Controller, (i) return to the Controller all Personal Data which is in its possession or control and all copies thereof, or (ii) destroy all copies of the same and certify to the Controller that it has done so, unless the Processor is prevented by applicable law or any public authority from destroying or returning all or part of the Personal Data, in which case the Processor must keep such data confidential, continue to process them in accordance with the terms of this Agreement and must not perform any processing other than what is necessary in order to comply with the requirements of such applicable law or the relevant public authority; and 3) at the Controller’s request against a special charge, provide the necessary transitional services to the Controller, including cooperating in good faith and as quickly as possible to facilitate the transfer of the performance of the data processing to a new data processor or back to the Controller.
    5. If the Data Processor has not received any instructions regarding the return or the deletion of the Personal Data from the Controller one month after the termination of this Agreement, the Data Processor is entitled to delete the Personal Data.
    6. Upon termination of this Agreement, for whatever reason, clauses 5.4, 9.2, 11.3 and 16 will remain in effect indefinitely.

  12. Assignment

    1. Except as provided for in clause 8, the Processor may not assign or otherwise transfer any or all of the Processor’s rights or obligations under this Agreement to any third party (or attempt to do so) without the prior written consent of the Controller.

  13. Entire agreement

    1. The Parties agree that this Agreement constitutes the entire agreement and understanding between the Parties in respect of the subject matter hereof and supersedes any previous agreement between the Parties relating to the subject matter hereof.
    2. In the event of any discrepancy between the provisions of this Agreement and the provisions of the Contract or any other written or oral agreements between the Parties, the provisions of this Agreement will prevail. Notwithstanding the above, the provisions of this Agreement will not apply where the Processor is subject to stricter obligations, e.g. when using the European Commission model contracts for the transfer of personal data to third countries.

  14. Amendments

    1. The terms, provisions, obligations or conditions of this Agreement may not be waived or amended except by a written instrument signed by both Parties.
    2. If any provision of this Agreement is or becomes illegal, void, invalid or unenforceable, such provision must be severed from the other terms and conditions, which will continue to be valid and enforceable to the fullest extent permitted by law.

  15. Notices

    1. All notices required to be given under this Agreement must be in writing.

  16. Governing law

    1. This Agreement is governed by and will be construed in accordance with Danish law, without regard to its conflict of laws rules.
    2. The proper venue for any disputes arising out of or relating to this Agreement will be the City Court of Copenhagen. 

Appendix 1 to the Data Processing Agreement

DESCRIPTION OF PROCESSING OF PERSONAL DATA

This appendix constitutes the Controller’s instruction to the Processor.

Subject-matter and duration of the processing

The Controller hereby instructs the Processor to identify, collect, aggregate, process and host the personal data mentioned in this Data Processing Agreement, received directly from the Controller through technical system integrations of the code provided by the Processor, through manual import via the Processor’s platform, or by using the APIs provided by the Processor, and to use this data for the purpose of analysing the behaviour of the Controller’s users (Data Subjects) and delivering the Services. Delivery of the Services includes, but is not limited to, communicating in the name of the Data Controller with its users, in accordance with the Controller’s configuration of the Service.

Upon termination of this Agreement, the Personal Data must be deleted irretrievably so that it is no longer possible to uniquely identify natural persons. 

Nature and purpose of the processing

The Processor is permitted to collect and process the Personal Data for the following purpose(s):

(i) calculating profit overviews as well as similar services as described in the Contract and on easyrate ApS’s website,

(ii) delivery of conversion and event data to optimise ads via the Facebook, Instagram, Google and Bing ad networks and similar,

(iii) any other purposes instructed by the Controller in writing.

Categories of Personal Data

The processing includes Personal Data of the categories described below. The security measures put in place by the Processor and any Sub-Processors must provide a level of security appropriate to the risk represented by the sensitivity of the Personal Data.

- Ordinary personal data (Article 6 of the General Data Protection Regulation):
  - Identifier (email address, first and last name or addresses)
  - Device IP address (stored in anonymised format)
  - Device screen resolution, operating system, browser type
  - Geographic location
  - Pages visited
  - Orders
  - Referring URLs and domains

Categories of data subjects

- Online customers of the Controller.


Location(s) of data processing facilities

- Any location of Sub-Processors (as described below)


Sub-Processors

The Controller consents to the use of the following Sub-Processors:


Sub-Processor    Processing location (country)
Server4you       Germany
Amazon AWS       Ireland

The Processor will share the Personal Data with ad networks such as Facebook, Instagram, Google and Bing in accordance with the Controller’s configuration of the Service. The Controller is responsible for its own relationship with these ad networks; hence these are not considered Sub-Processors.

Appendix 2 to the Data Processing Agreement
DESCRIPTION OF THE TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

This appendix contains a description of the technical and organisational security measures which the Processor is obliged, under the Data Processing Agreement, to implement, comply with and ensure compliance with by its Sub-Processors.

The Processor must as a minimum implement the following technical and organisational security measures to ensure an adequate level of protection.

In addition to the above, the following specific security measures are implemented:

  • Access and identification management (IAM). In addition, roles with excessive access rights are clearly defined and are only assigned to limited specific members of staff. 
  • IT resources are reviewed and updated at least on an annual basis. 
  • Change management procedures
  • Procedures for reporting and handling data breaches, including recording of data breaches along with details regarding the event and subsequent mitigation actions performed. In addition, specific personnel with the necessary responsibility, authority and competence to manage business continuity in the event of an incident/personal data breach are nominated.
  • All employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process. Employees involved in processing of personal data are bound to specific confidentiality clauses (under their employment contract or other legal act). 
  • Training of employees. 
  • User passwords are stored in a “hashed” form. 
  • Logging of relevant IT systems. 
  • Database and application servers are configured in a secure manner and only process the personal data that are actually needed to achieve the processing purposes.
  • Whenever access is performed through the internet, communication is encrypted through cryptographic protocols (TLS/SSL), unless the controller requests otherwise. 
  • The network of the information system is segregated from the other networks of the processor and where relevant, access to the IT system is performed only by pre-authorized devices. 
  • Full backups are carried out regularly. 
  • Where deemed relevant, secure development practices, frameworks or standards are followed, and secure coding standards and practices are followed. Information about technical vulnerabilities of the information system is obtained.
  • Multiple passes of software-based overwriting are performed on all server media before they are disposed of.
  • The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. 

Please note that easyrate ApS may use financial data about your business on a pseudonymised level to generate aggregated statistical information. The aggregated statistical information may be shared with third parties (including publicly), but neither your company nor information about your company will be identifiable. Further, as this data concerns company financial data, it falls outside the scope of the Data Processing Agreement mentioned above.