This is how we process your data

Data Processor Agreement

Introduction

This Data Processor Agreement, version GDPR-DPA-1.0-UK (“The Agreement”) are entered into on the date indicated in the Order Form between Worklife Barometer ApS (CVR-no. 35 39 55 39), Njalsgade 76, 2300 Copenhagen S (“Worklife Barometer”) and “the Customer” as indicated in the Order Form. WLB and the Customer are each designated as a “Party” and collectively as “the Parties”.

Definitions

The agreement

Meaning the relevant client agreement, on which basis this data processor agreement is formed.

The Data Protection Legislation

Meaning i) The European Parliament and Council directive 95/46/EF, the act on Processing of Personal Data (law 2000-05-31 no. 429 with later amendments) and ii) after 25th May 2018 The general data protection regulation (EU) 2016/679 as well as future legislation, regulating the processing of personal data.

Data Processor Agreement

Meaning present Data Processor Agreement.

1. The Basis and Purpose of The Agreement

1.1. The purpose of this agreement is to ensure, that the data protection regulation is complied with. The purpose of the fact that data processor is processing personal data on behalf of data responsible is described in appendix 1.

1.2. In case of any discrepancies between this data processor agreement and the agreement itself this data processor agreement takes precedence, unless otherwise stated directly in the agreement. Furthermore, the data processor agreement rescinds and replaces i) previously agreed data processor agreement(s) between the parties and/or ii) requirements in other agreements between the parties that regulates the same data processor relations, as this agreement.

1.3. If any relations in the data processor agreement and appurtenant instructions are later known to be invalid or is in dispute of the data protection regulations, the parties cannot, notwithstanding point 1.1, invoke this. Moreover, the data processor agreement must last and if necessary the parties will initiate negotiation with the intent to clarify, supplement or revise the relations in question.

2. Rights and Obligations of The Data Responsible

2.1. Data responsible is responsible for the personal information, which data processor is processing on behalf of data responsible.

2.2. Data responsible is responsible for the fact that data processor can process personal information on behalf of data responsible, e.g. that the processing is legal. Data responsible has the rights and obligations that are given a data responsible in the data protection legislation.

3. Obligations of The Data Processor

3.1. The data processor is solely responsible for processing personal data on behalf of the data responsible according to terms described in the data processor agreement or if a documented instruction from data responsible has been submitted, according to section 5.

3.2. The data processor must keep a written (can be electronic) record of all categories of processing that is conducted on the behalf of the data responsible. As a minimum, this must include:

  • Name and contact information of the data processor, possible sub data processors, who is the data responsible, the data protection adviser as well as the data processor’s possible representative.

  • The categories of the processing that the data processor or their subs data processors conduct on behalf of the data responsible.

  • Provided any transfers of personal data to third-countries or international organisations are taking place, indication of the justification of this.

  • A description of the technical and organisational security measures taken in connection with the processing of personal data.

3.3. The data processor must free of costs at any given time provide the according to 3.2 written record to the data responsible or the data protection agency.

3.4. The data processor assists and aids the data responsible – on their request – by providing relevant information and documentation for the purpose of making it possible for data responsible to document the compliance with the legislative requirements for data responsible, e.g. right of insight, analysis of consequences etc. To provide such aid to the data responsible, as well as making amendments and/or expansions of the instruction, the data processor can demand remuneration for used time as well as increased costs. The hourly rate of this is stated on the data processors price list, which data responsible has been made familiar with.

3.5. If a registered person contacts the data processor with the intent of exercising his/her rights according to the data protection legislation against the data responsible, the data processor will pass on such a request – without unnecessary delay – to the data responsible for their action. The data processor assists the data responsible according to section 3.4.

4. The Data Processor’s Use of Subcontractors

4.1. The data processor is utilising subcontractors (sub data processors) for delivery of services, in accordance with the data processor agreement. The data responsible has by signing present agreement approved that the sub data processors listed in appendix 2 is being used.

4.2. The data responsible gives the data processor a general approval to utilise sub data processors provided that the following terms are fulfilled:

  • The data processor will always notify the data responsible of any possible planned additions or substitutions of sub data processors and give the data responsible the possibility of challenging such changes, within fair notice. The notification must be accompanied by a description in accordance with information in appendix 2 for already approved sub data processors, which gives the data responsible the groundwork to evaluate the relationship.

  • The use of sub data processors happens on the basis of a written agreement between the data processor and the sub data processors, which impose the same requirements on the sub data processors as on the data processor according to the data processor agreement, as well as the data protection legislation, so that the rights of the registered persons are secured. The data processor actively ensures that the sub data processor abide to such requirements.

  • The data responsible can at any given time demand documentation for the existents and content of the sub data processing agreement, apart from relations of confidential, commercial character, between the data processor and the sub data processor.

4.3. The data processor transfers the data responsible’s personal data to countries outside the eu/eea. The data processor ensures that a transfer policy is present, referring to appendix 2. The use of subcontractors located in unsafe third-countries must happen on the basis of a valid transfer policy, according to the data protection legislation.

5. Instructions

5.1. The data processor solely processes personal data in accordance with the data responsible’s at any given time applicable instructions. The data responsible’s instructions include any processing, which is necessary for the data processor’s delivery of services to the data responsible. Instructions from the data responsible that affect or amend the content of the agreed service will be handled in accordance with the requirements of the customer agreement.

5.2. The data processor will notify the data responsible if an instruction according to the date processor’s notion disputes the data protection legislation.

5.3. The data processor cannot refuse to obey to the data responsible’s instructions as a result of lacking payments of the data processor’s invoices etc., and the data processor has at no point in time the right to detain the data responsible’s personal data.

5.4. The data processor can only process personal data outside the instruction if it is required by eu- or national legislation that the data processor is subjected to. The data processor will notify the data responsible of the reason hereof unless such a notification will be in dispute of eu- or national legislation.

6. Technical and Organisational Security Measures

6.1. The data processor must – under consideration of the current technical level, costs of implementation and the character, extent, context and purpose of the processing in question as well as the risks of variable probability and severity of physical persons’ rights and fundamental freedom – complete appropriate technical and organisational precautions to, among other things, prevent:

  • Unpredictable or illegal destruction, loss, amendment;

  • Unauthorised transmission, access or abuse;

  • Other illegal processing, according to appendix 3 concerning security.

6.2. The data processor must be able to prove to the data responsible that the data processor has the necessary technical and organisational security measures in place. The parties agree that the submitted warrantees noted in appendix 3 are sufficient, at the time of entering this data processor agreement.

6.3. Without unreasoned delay and latest 24 hours after the data processor has become aware of a security breach, the data processor will notify the data responsible in written form. This orientation will as a minimum and as far as it is possible in light of the character of the incident include the following: 1) information on the sort of the ascertained security breach, 2) which categories of registered persons that are included, 3) approximate quantity of affected registered persons, hereunder the categories of the included personal data and quantity as well as which eliminating and/or minimising precautions the data processor has taken as cause of the ascertained security breach.

7. Transfers to Other Countries

7.1. Provided the personal data is transferred to an eu-member state it is the data processors responsibility that the at any given time applicable regulations on security measures, which are determined by the legislation in the concerned member state, is being complied to.

7.2. Moreover, the data processor is legitimate to complete transfers in accordance with the requirements established in section 4.3.

8. Confidentiality

8.1. The processing of personal data is performed under complete confidentiality between the data processor and the data responsible. Employees of the data processor, third-parties (e.g. Repairers) as well as sub data processors, who are employed to process personal data under the present data processor agreement must be bound to secrecy. Solely employees of the data processor who are authorised hereto, can access the personal data, which is being processed under the data processor agreement. The data processor must ensure that employees, who process personal data for the data processor has committed to confidentiality or is bound to a suitable statutory secrecy.

8.2. Notwithstanding point 13, the requirements on secrecy and confidentiality are applied without time limitation.

9. Control and Declarations

9.1. The data processor must on the request of the data responsible provide the data responsible with “all necessary information” for the data responsible to be able to detect if the data processor is complying with their obligations under the data processor agreement, hereunder that the necessary technical and organisational security measures are put into place.

9.2. “All necessary information” as a minimum meaning a description of the technical and organisational precautions taken as well as documentation making the data responsible able to be significantly convinced that these technical and organisational precautions have functioned consistently and as intended in the complete period the request of the data responsible is concerning.

9.3. The information must be provided at least four weeks after the data responsible has raised the request.

9.4. The data responsible is legitimate to this once yearly or in case of an incident, as for INSTANCE a security breach that can give reason for a renewed request. Furthermore, the data processor can demand remuneration for the time spent and costs connected hereto. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.

9.5. Furthermore, the data responsible has the right – at its own expense – to appoint an independent expert, who must have access to the data processor’s physical facilities for processing of personal data as well as receive the necessary information for performing an investigation on whether the data processor is complying with its requirements under the data processor agreement or not. There will not be gained remote access to such audits and access to possible sub data processors can solely be given with the restrictions that follows of the data processor’s agreement with the sub data processor concerning access to audits. The investigation can never concern IT- and security environments, e.g. disaster recovery and/or business continuity plans (“bcp”), besides the data processor’s confirmation of the existence of these. The expert must on the data processor’s request sign a customary confidentiality agreement and treat any information gathered at, or received directly from, the data processor with secrecy and can solely share the information with the data responsible. Provided neither Deloitte; PWC, EY or KPMG is appointed as independent expert, the choice of the independent expert must be previously approved by the data processor. The data responsible does at any given time have the right to complete further control measures, e.g. to limit the data processor’s access possibilities to the data responsible’s network and data. the data processor is entitled to remuneration for time spent and costs connected to this. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.

10. Amendments to The Data Processor Agreement

10.1. Provided amendments in the legislation or practices result in amendments to the data processor agreement, the data processor is entitled to make these amendments free of cost.

10.2. In case the amendments are due to the data responsible’s relations, hereunder the data responsible’s wish for protection of personal data at a level that exceeds the statutory and/or the relevant security level, the data processor can demand remuneration for time spent and increased costs.

10.3. The data processor must ensure that the sub data processors as far as possible is put under obligation of any amendments implied by point 10.1 and 10.2, according to point 4.2.

11. Deletion or Destruction of Personal Data

11.1. At the expiry of the agreement the present data processor agreement will concurrently expire. The data processor will hereafter perform deletion by anonymising all personal data that has been processed on behalf of the data responsible. furthermore, The data processor will delete all copies of information from backup in accordance with the data processor’s planned and systematic deletion of backup.

11.2. The data responsible is at its own costs – assisted by an independent third-party – entitled to oversee that all deletion, as described above has been completed, as informed by the data processor. The data processor is entitled to remuneration for time spent and costs connected to this. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.

11.3. Notwithstanding section 11.1 the data processor is entitled to – in the extent necessary to be able to document delivery of services after the agreement, or defend itself against legal claims – to keep a copy of the data responsible’s personal data.  in that case, The data responsible’s personal data can solely be processed for the noted purpose, and will cease, when these no longer last.

11.4. The data processor must also ensure that possible sub data processors will not be processing personal data after the expiry of the agreement, unless section 11.2 is can be applied.

12. Violation and Responsibility

12.1. The requirements on violation and responsibility of the agreement also applies to the data processor agreement.

13. Entry Into Force and Duration

13.1. Present data processor agreement entries into force at both parties’ physical or electronic signature and endures until the agreement expires.

13.2. Notwithstanding section 13.1 present data processor agreement will stay in force as long as the data processor is in possession of any of the data responsible’s personal data.

14. Applicable Law and Jurisdiction

14.1. The data processing agreement is regulated by danish law.

14.2. It is agreed that all claims and any disputes, set on the data processor agreement, must be settled at the danish court.

15. Signatures

15.1. Present data processor agreement is physically or electronically signed in 2 original copies, one for each of the parties.

Appendixes

Appendix 1. The Processed Data

The Personal Data the Data processor is processing on behalf of the Data responsible affects the categories of Personal Data that is transferred to the Data processor in an agreed way.

Appendix 2. Data processors

This document lists the data processors and sub-processors, Worklife Barometer is using to deliver the Howdy solution.

Appendix 3. Information Security Policy

This documents describes Worklife Barometer’s Information Security Policy, and the document “Manual on Information Security Policy for Worklife Barometer” describes how the Security Policy is implemented.

Appendix 3.1. Protection & Privacy

This technical fact sheet addresses the most common security and data protection questions as well as compliance standard, backup procedures and data accessibility.