This Data Processor Agreement, version GDPR-DPA-1.0-UK (“The Agreement”) is entered into on the date indicated in the Order Form between Worklife Barometer ApS (CVR-no. 35 39 55 39), Njalsgade 76, 2300 Copenhagen S (“Worklife Barometer”) and “the Customer” as indicated in the Order Form. WLB and the Customer are each designated as a “Party” and collectively as “the Parties”.
The agreement | Meaning the relevant client agreement, on which basis this data processor agreement is formed. |
The Data Protection Legislation | Meaning i) The European Parliament and Council directive 95/46/EF, the act on Processing of Personal Data (law 2000-05-31 no. 429 with later amendments) and ii) after 25th May 2018 The general data protection regulation (EU) 2016/679 as well as future legislation, regulating the processing of personal data. |
Data Processor Agreement | Meaning present Data Processor Agreement. |
1.1. The purpose of this agreement is to ensure that the data protection regulation is complied with. The purpose of the data processor’s processing of personal data on behalf of the data responsible is described in appendix 1.
1.2. In case of any discrepancies between this data processor agreement and the agreement itself this data processor agreement takes precedence, unless otherwise stated directly in the agreement. Furthermore, the data processor agreement rescinds and replaces i) previously agreed data processor agreement(s) between the parties and/or ii) requirements in other agreements between the parties that regulate the same data processor relations as this agreement.
1.3. If any relations in the data processor agreement and appurtenant instructions are later known to be invalid or is in dispute of the data protection regulations, the parties cannot, notwithstanding point 1.1, invoke this. Moreover, the data processor agreement must last and if necessary the parties will initiate negotiation with the intent to clarify, supplement or revise the relations in question.
2.1. Data responsible is responsible for the personal information, which data processor is processing on behalf of data responsible.
2.2. Data responsible is responsible for the fact that data processor can process personal information on behalf of data responsible, e.g. that the processing is legal. Data responsible has the rights and obligations that are given a data responsible in the data protection legislation.
3.1. The data processor is solely responsible for processing personal data on behalf of the data responsible according to terms described in the data processor agreement or if a documented instruction from data responsible has been submitted, according to section 5.
3.2. The data processor must keep a written (can be electronic) record of all categories of processing that is conducted on the behalf of the data responsible. As a minimum, this must include:
Name and contact information of the data processor, possible sub data processors, who is the data responsible, the data protection adviser as well as the data processor’s possible representative.
The categories of the processing that the data processor or their sub data processors conduct on behalf of the data responsible.
Provided any transfers of personal data to third-countries or international organisations are taking place, indication of the justification of this.
A description of the technical and organisational security measures taken in connection with the processing of personal data.
3.3. The data processor must, free of cost and at any given time, provide the written record according to 3.2 to the data responsible or the data protection agency.
3.4. The data processor assists and aids the data responsible – on their request – by providing relevant information and documentation for the purpose of making it possible for data responsible to document the compliance with the legislative requirements for data responsible, e.g. right of insight, analysis of consequences etc. To provide such aid to the data responsible, as well as making amendments and/or expansions of the instruction, the data processor can demand remuneration for used time as well as increased costs. The hourly rate of this is stated on the data processor’s price list, which data responsible has been made familiar with.
3.5. If a registered person contacts the data processor with the intent of exercising his/her rights according to the data protection legislation against the data responsible, the data processor will pass on such a request – without unnecessary delay – to the data responsible for their action. The data processor assists the data responsible according to section 3.4.
4.1. The data processor is utilising subcontractors (sub data processors) for delivery of services, in accordance with the data processor agreement. The data responsible has by signing present agreement approved that the sub data processors listed in appendix 2 are being used.
4.2. The data responsible gives the data processor a general approval to utilise sub data processors provided that the following terms are fulfilled:
The data processor will always notify the data responsible of any possible planned additions or substitutions of sub data processors and give the data responsible the possibility of challenging such changes, within fair notice. The notification must be accompanied by a description in accordance with information in appendix 2 for already approved sub data processors, which gives the data responsible the groundwork to evaluate the relationship.
The use of sub data processors happens on the basis of a written agreement between the data processor and the sub data processors, which imposes the same requirements on the sub data processors as on the data processor according to the data processor agreement, as well as the data protection legislation, so that the rights of the registered persons are secured. The data processor actively ensures that the sub data processor abides by such requirements.
The data responsible can at any given time demand documentation for the existence and content of the sub data processing agreement, apart from relations of confidential, commercial character, between the data processor and the sub data processor.
4.3. The data processor transfers the data responsible’s personal data to countries outside the EU/EEA. The data processor ensures that a transfer policy is present, referring to appendix 2. The use of subcontractors located in unsafe third-countries must happen on the basis of a valid transfer policy, according to the data protection legislation.
5.1. The data processor solely processes personal data in accordance with the data responsible’s at any given time applicable instructions. The data responsible’s instructions include any processing, which is necessary for the data processor’s delivery of services to the data responsible. Instructions from the data responsible that affect or amend the content of the agreed service will be handled in accordance with the requirements of the customer agreement.
5.2. The data processor will notify the data responsible if an instruction according to the data processor’s notion disputes the data protection legislation.
5.3. The data processor cannot refuse to obey the data responsible’s instructions as a result of lacking payments of the data processor’s invoices etc., and the data processor has at no point in time the right to detain the data responsible’s personal data.
5.4. The data processor can only process personal data outside the instruction if it is required by EU or national legislation that the data processor is subjected to. The data processor will notify the data responsible of the reason hereof unless such a notification will be in dispute of EU or national legislation.
6.1. The data processor must – under consideration of the current technical level, costs of implementation and the character, extent, context and purpose of the processing in question as well as the risks of variable probability and severity of physical persons’ rights and fundamental freedom – complete appropriate technical and organisational precautions to, among other things, prevent:
Unpredictable or illegal destruction, loss, amendment;
Unauthorised transmission, access or abuse;
Other illegal processing, according to appendix 3 concerning security.
6.2. The data processor must be able to prove to the data responsible that the data processor has the necessary technical and organisational security measures in place. The parties agree that the submitted warrantees noted in appendix 3 are sufficient, at the time of entering this data processor agreement.
6.3. Without unreasonable delay and at the latest 24 hours after the data processor has become aware of a security breach, the data processor will notify the data responsible in written form. This orientation will as a minimum and as far as it is possible in light of the character of the incident include the following: 1) information on the sort of the ascertained security breach, 2) which categories of registered persons that are included, 3) approximate quantity of affected registered persons, hereunder the categories of the included personal data and quantity as well as which eliminating and/or minimising precautions the data processor has taken as cause of the ascertained security breach.
7.1. Provided the personal data is transferred to an EU member state it is the data processor’s responsibility that the at any given time applicable regulations on security measures, which are determined by the legislation in the concerned member state, are being complied with.
7.2. Moreover, the data processor is legitimate to complete transfers in accordance with the requirements established in section 4.3.
8.1. The processing of personal data is performed under complete confidentiality between the data processor and the data responsible. Employees of the data processor, third-parties (e.g. repairers) as well as sub data processors, who are employed to process personal data under the present data processor agreement must be bound to secrecy. Solely employees of the data processor who are authorised hereto can access the personal data which is being processed under the data processor agreement. The data processor must ensure that employees who process personal data for the data processor have committed to confidentiality or are bound to a suitable statutory secrecy.
8.2. Notwithstanding point 13, the requirements on secrecy and confidentiality are applied without time limitation.
9.1. The data processor must on the request of the data responsible provide the data responsible with “all necessary information” for the data responsible to be able to detect if the data processor is complying with their obligations under the data processor agreement, hereunder that the necessary technical and organisational security measures are put into place.
9.2. “All necessary information” as a minimum meaning a description of the technical and organisational precautions taken as well as documentation making the data responsible able to be significantly convinced that these technical and organisational precautions have functioned consistently and as intended in the complete period the request of the data responsible is concerning.
9.3. The information must be provided at least four weeks after the data responsible has raised the request.
9.4. The data responsible is legitimate to this once yearly or in case of an incident, as for instance a security breach that can give reason for a renewed request. Furthermore, the data processor can demand remuneration for the time spent and costs connected hereto. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.
9.5. Furthermore, the data responsible has the right – at its own expense – to appoint an independent expert, who must have access to the data processor’s physical facilities for processing of personal data as well as receive the necessary information for performing an investigation on whether the data processor is complying with its requirements under the data processor agreement or not. Remote access to such audits will not be granted, and access to possible sub data processors can solely be given with the restrictions that follow from the data processor’s agreement with the sub data processor concerning access to audits. The investigation can never concern IT- and security environments, e.g. disaster recovery and/or business continuity plans (“BCP”), besides the data processor’s confirmation of the existence of these. The expert must on the data processor’s request sign a customary confidentiality agreement and treat any information gathered at, or received directly from, the data processor with secrecy and can solely share the information with the data responsible. Provided neither Deloitte, PWC, EY or KPMG is appointed as independent expert, the choice of the independent expert must be previously approved by the data processor. The data responsible does at any given time have the right to complete further control measures, e.g. to limit the data processor’s access possibilities to the data responsible’s network and data. The data processor is entitled to remuneration for time spent and costs connected to this. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.
10.1. Provided amendments in the legislation or practices result in amendments to the data processor agreement, the data processor is entitled to make these amendments free of cost.
10.2. In case the amendments are due to the data responsible’s relations, hereunder the data responsible’s wish for protection of personal data at a level that exceeds the statutory and/or the relevant security level, the data processor can demand remuneration for time spent and increased costs.
10.3. The data processor must ensure that the sub data processors as far as possible are put under obligation of any amendments implied by point 10.1 and 10.2, according to point 4.2.
11.1. At the expiry of the agreement the present data processor agreement will concurrently expire. The data processor will hereafter perform deletion by anonymising all personal data that has been processed on behalf of the data responsible. Furthermore, the data processor will delete all copies of information from backup in accordance with the data processor’s planned and systematic deletion of backup.
11.2. The data responsible is at its own costs – assisted by an independent third-party – entitled to oversee that all deletion, as described above has been completed, as informed by the data processor. The data processor is entitled to remuneration for time spent and costs connected to this. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.
11.3. Notwithstanding section 11.1 the data processor is entitled – to the extent necessary to be able to document delivery of services after the agreement, or defend itself against legal claims – to keep a copy of the data responsible’s personal data. In that case, the data responsible’s personal data can solely be processed for the noted purpose, and will cease, when these no longer last.
11.4. The data processor must also ensure that possible sub data processors will not be processing personal data after the expiry of the agreement, unless section 11.2 can be applied.
12.1. The requirements on violation and responsibility of the agreement also apply to the data processor agreement.
13.1. Present data processor agreement enters into force at both parties’ physical or electronic signature and endures until the agreement expires.
13.2. Notwithstanding section 13.1 present data processor agreement will stay in force as long as the data processor is in possession of any of the data responsible’s personal data.
14.1. The data processing agreement is regulated by Danish law.
14.2. It is agreed that all claims and any disputes, set on the data processor agreement, must be settled at the Danish court.
15.1. Present data processor agreement is physically or electronically signed in 2 original copies, one for each of the parties.
The Personal Data the Data processor is processing on behalf of the Data responsible affects the categories of Personal Data that is transferred to the Data processor in an agreed way.
The item for data processing |
The Data Responsible’s employees are offered access to the Howdy platform with access to the modules the Data Responsible has purchased access to. |
The duration of the data processing |
The data processing commences when the Data Responsible hands over data to the Data Processor. The data processing ceases when:
|
The character of the processing |
The Data Processor receives, utilises and stores personal data from the Data Responsible. The data processing is used to offer the Data Responsible’s employees to use the Howdy platform. As part of this processing the employees receive an invitation to use the service on the provided e-mail. |
The purpose of the treatment |
The purpose of the processing is to offer the Howdy platform to the employees of the Data Responsible. |
Type of personal data |
As Data Processor, only the data that the Data Responsible provides is stored. This is typically: Personal data:
Organisational:
* marks the required information for setting up the agreement. |
The categories of the registered persons | Employees of the Data Responsible. |
This document lists the data processors and sub-processors Worklife Barometer is using to deliver the Howdy solution.
For each (sub) data processor the following information is listed:
The following Data processors/sub-processors are used to deliver the Howdy solution:
The purpose of the processing and processing activities:
Microsoft Azure delivers PaaS (The platform, meaning; database, web server, etc.)
Exchanged data:
All data used and registered in connection to the Howdy solution is stored in Microsoft Azure hosting environment
Physical location:
Microsoft’s data centres in Europe (Holland and Ireland)
Transfer policy:
N/A. Data is processed inside the EU.
Security:
Read more about security, audit of Microsoft and see audit reports:
https://www.microsoft.com/en-us/trustcenter/compliance/soc
Microsoft Ireland Operations Limited is Microsoft’s data protection representative in the EU and can be contacted on the following address:
Microsoft Ireland Operations, Ltd.
Attn: Data Protection
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
D18 P521
The purpose of the processing and processing activities:
Email service Howdy is using for email communication (invitations, reminders, resend password, and other similar services)
Exchanged data:
Email address, First name, Surname, Company, Partner, Type of Transaction, Message content, Pdf-file (Well-being reports)
Physical location:
1526 DeKalb Ave NE, Atlanta, GA 30307, USA
Transfer policy:
EU-U.S. PRIVACY SHIELD FRAMEWORK
https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active
Security:
Read more about security here: https://mailchimp.com/about/security
The purpose of the processing and processing activities:
The company Twilio delivers a telecom service (text message, voice etc.), which Howdy uses for telecommunication (invitations, reminders, resend passwords, and other similar services).
Exchanged data:
Mobile phone number, Type of Transaction, Message content
Physical location:
375 Beale Street, Suite 300 | San Francisco, CA 94105
Transfer policy:
EU-U.S. Privacy Shield
https://www.privacyshield.gov/participant?id=a2zt0000000TNLbAAO&status=Active
Security:
Read more about security here: https://www.twilio.com/security
The purpose of the processing and processing activities:
The company Widgix LLC delivers an online survey tool, which WLB uses for sending out user surveys.
Please note that SurveyGizmo is not an integrated tool in the Howdy solution and is only used in agreement with the client.
Exchanged data:
First name, Email address and storage of answers
Physical location:
4888 Pearl East Cir. Suite 100, Boulder, CO 80301 USA
Transfer policy:
EU-U.S. Privacy Shield
https://www.privacyshield.gov/participant?id=a2zt0000000L0kSAAS&status=Active
Security:
Read more about security here: https://help.surveygizmo.com/help/surveygizmo-security-faq
The purpose of the processing and processing activities:
The company ZenDesk delivers an online support tool, which WLB uses for the usual end-user support.
Please note that ZenDesk is not an integrated tool in the Howdy solution.
Exchanged data:
Information the end-user is sending per email as well as WLB’s case handling and further email exchange.
Physical location:
1019 Market St, San Francisco, CA 94103
Transfer policy:
EU-U.S. Privacy Shield
https://www.privacyshield.gov/participant?id=a2zt0000000TOjeAAG&status=Active
Security:
Read more about security here: https://www.zendesk.com/product/zendesk-security
The purpose of the processing and processing activities:
Logging of error messages etc.
Exchanged data:
IP address, unique ID (for identification)
Physical location:
USA
Transfer policy:
The European Commission’s standard contract
Security:
Read more about security here: https://raygun.com/security
The purpose of the processing and processing activities:
Amazon Web Services delivers PaaS (The platform, meaning; database, web server, etc.)
Exchanged data:
All data used and registered in connection to the Howdy solution can be stored in Amazon Web Services hosting environment.
Physical location:
Amazon’s data centres in Europe (Currently Germany, Ireland, England and France.) Read more here: https://aws.amazon.com/about-aws/global-infrastructure
Transfer policy:
N/A. Data is processed inside the EU.
Security:
Read more about security here: https://aws.amazon.com/security
This document describes Worklife Barometer’s Information Security Policy, and the document “Manual on Information Security Policy for Worklife Barometer” describes how the Security Policy is implemented.
The purpose of the Security Policy is to indicate to all employees and external business partners that the use of information and information systems is subject to standards and guidelines. Particularly to be noticed is that Worklife Barometer’s core product Howdy is subject to the strictest requirements from the Danish Data Protection Agency, as personal information is being processed.
Worklife Barometer therefore wishes to maintain and continuously expand an IT security level that complies with the legislation at any given time, as well as specific relations emphasised by the Data Protection Agency (up until 25th May 2018) and as regulated under the General Data Protection Regulation after 25th May 2018 (GDPR). To guarantee this, Worklife Barometer is cooperating with the company’s legal adviser, currently the legal company Lundgrens.
Maintenance and development of a high security level is an essential prerequisite for Worklife Barometer to achieve credibility.
To maintain Worklife Barometer’s credibility it must be ensured that information is being processed with the required confidentiality and that complete, accurate and timely processing of approved transactions takes place.
IT-systems are considered to be Worklife Barometer’s most critical resource. The focus is therefore on operation, security, quality, compliance with the law and that the systems are user-friendly, without unnecessarily difficult security arrangements.
An effective safeguard against IT-security threats must be installed, so that Worklife Barometer’s image and the employees’ safety and work conditions are secured in the best possible way. The protection must tackle natural as well as technical and human-induced threats. All persons are considered as being possible reasons for a breach of security; meaning that no group of people will be above the security regulations.
The objectives are therefore to:
All Worklife Barometer’s employees are explicitly made aware of Worklife Barometer’s Information Security Policy and all Data processors (who are not processing IT Services) used by Worklife Barometer are informed of the company’s Information Security Policy through Data Processor Agreements and Service Level Agreements (SLAs) (where necessary).
Rules and guidelines from the Information Security Policy are continuously incorporated in the relevant applicable rules of the Staff Policy.
The security concept includes the following:
The policy applies to all Worklife Barometer’s information related activities, whether these are performed by employees at Worklife Barometer or by Data processors used by Worklife Barometer.
The delegated security related responsibility and the connected authority for this policy is generically described/distributed into roles in “Manual on Information Security Policy for Worklife Barometer”.
Disasters are attempted to be avoided through a well-organised surveillance of the utilised IT services. The extent of these precautions is decided from an assessment of risk versus security costs and user-friendliness.
Worklife Barometer’s contingency plan includes the following areas:
The contingency plans must be continuously updated and tested – minimum once a year.
Employees violating the applicable Information Security Regulations in Worklife Barometer can be disciplinarily sanctioned. The detailed regulations on this area are determined in agreement with the current Staff Policy.
This technical fact sheet addresses the most common security and data protection questions as well as compliance standards, backup procedures and data accessibility.
Data at Worklife Barometer is protected at many levels – From ensuring people cannot gain physical access to our servers to data encryption at your mobile device. We build on top of the best-in-class security practices of the Microsoft Azure Platform. Key words are:
For more information see: http://azure.microsoft.com/en-us/support/trust-center/security/
Our data center complies with a wide set of internationally recognized standards including:
For more information see: http://azure.microsoft.com/en-us/support/trust-center/compliance/
Data at Worklife Barometer is always replicated to a minimum of two other servers in our data centers. This ensures that in the event of a hardware failure the system will automatically be able to continue on new hardware without any data loss or downtime.
Furthermore, every night a backup of the data is copied to a secondary data center located in another geographical region. This ensures that the system can resume service in the unlikely event of a major natural disaster.
Whenever data travels – inside the data center or on the Internet – encryption is applied. We use standard TLS 4096-bit encryption between our edge-facing servers and end-user client (mobile apps and web browsers).
Strong security measures are in place to ensure no-one gains unauthorized access to the Worklife Barometer Portal.
Information is only available on a need-to-know basis, e.g. agents in a Response Center will only have access to a person’s journal once a new case is opened. When the case is resolved, all access to that person’s journal is revoked as well.
End users may register their personal data through mobile apps or through a mobile-enabled website. Both systems use email and a personal 4-digit PIN code as the authentication mechanism.
Whenever a user opens the App or Mobile Website a login prompt shows. Upon successful validation of credentials, the server exchanges the provided credentials with a cryptographically signed token, which gives access to the granted resources for 60 minutes before it expires. After expiry the token becomes invalid and the client must log in again in order to obtain a new token.
These systems have a lower authentication level than e.g. the portal. This is to ease the user adoption and participation of the system. For that very same reason the systems are “entry-only” systems. Below is a list of data available on these systems:
No health information is stored directly on the mobile devices.
All communication between the systems is encrypted (SSL/TLS RSA 2048 bits) end to end.
The Worklife Barometer Administration Portal is used to gain access to the administrative tasks for company administrators as well as Response Team personnel for handling calls to end users.
Access to this portal is protected by a personal e-mail and password and either an OTP (One-Time Password sent over SMS) or a TOTP (Time-based One-time Password attached to a personal device).
Upon successful validation of credentials, the server exchanges the provided credentials with a cryptographically signed token, which gives access to the granted resources for 12 hours before it expires. After expiry the token becomes invalid and the client must log in again in order to obtain a new token.
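The token handling described for the app/mobile website (60 minutes) and for the portal (12 hours) can be illustrated as follows. This is an added example, not Worklife Barometer’s code: the fact sheet does not state the token format or algorithm, so the HMAC-SHA256 construction, the claim names, the "app"/"portal" labels and the signing key are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Lifetimes taken from the fact sheet; everything else below is assumed.
TOKEN_LIFETIME_SECONDS = {
    "app": 60 * 60,          # mobile app / mobile website: 60 minutes
    "portal": 12 * 60 * 60,  # administration portal: 12 hours
}

# Constructed demo key; a real service would load it from a secret store.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-for-production"


class TokenError(Exception):
    """Raised when a token is malformed, altered, misused or expired."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload, key):
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()


def issue_token(subject, system, now, key=DEMO_SIGNING_KEY):
    """Issue a token; call only after the credentials have been validated."""
    claims = {
        "sub": subject,
        "aud": system,  # binds the token to one system
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS[system],
    }
    payload = b64url_encode(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return payload + "." + b64url_encode(sign(payload, key))


def verify_token(token, system, now, key=DEMO_SIGNING_KEY):
    """Return the claims, or raise TokenError naming the reason."""
    try:
        payload, tag = token.split(".")
        received = b64url_decode(tag)
        expected = sign(payload, key)
    except ValueError:
        raise TokenError("malformed")
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(received, expected):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims["aud"] != system:
        raise TokenError("wrong audience")
    if now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def rejection_reason(token, system, now):
    """Return None if the token is accepted, otherwise the reason."""
    try:
        verify_token(token, system, now)
    except TokenError as err:
        return str(err)
    return None


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed login time (Unix seconds)
    app = issue_token("user@example.com", "app", t0)
    portal = issue_token("admin@example.com", "portal", t0)
    print("app, 59 min:", rejection_reason(app, "app", t0 + 59 * 60))
    print("app, 60 min:", rejection_reason(app, "app", t0 + 60 * 60))
    print("portal, 12 h:", rejection_reason(portal, "portal", t0 + 12 * 3600))
    print("app token at portal:", rejection_reason(app, "portal", t0))
```

The audience check matters here because the two systems have different authentication levels: a token obtained with email and PIN must not be accepted by the portal, which requires a password and a one-time password.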
Some actions performed in the portal may require reentry of credentials in order to complete the intended action.
All communication between the browser and Portal APIs is encrypted (SSL/TLS RSA 4096 bits) end to end.