Data Processor Agreement

made and entered into between 

Your company
[Company ID]
[Address]
(the 'Controller')

and
Merc IT ApS
CVR no.: 29 78 56 43
Egelundsvej 18
5260 Odense S
(the 'Processor')

(The Controller and the Processor are collectively referred to as the 'Parties' and individually a 'Party')


Version 1.0, 9. May 2018

1. BACKGROUND AND PURPOSE

1.1 The Parties have agreed to the provision of certain services from the Processor to the Controller, as described in more detail in the Parties' separate agreement to this effect and appendix 1 to this agreement (the 'Primary Services').

1.2 In this connection, the Processor processes personal data on behalf of the Controller, and for that purpose, the Parties have entered into this agreement and underlying appendices (the 'Processor Agreement').

1.3 The purpose of the Processor Agreement is to ensure that the Processor complies with the personal data regulations in force from time to time, including in particular:
• the Danish Act on Processing of Personal Data (Act 2000-05-31 no. 429, as amended)
• the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27. April 2016) when this takes effect.

2. SCOPE

2.1 The Processor is authorised to process personal data on behalf of the Controller on the terms and conditions set out in the Processor Agreement.

2.2 The Processor may only process personal data subject to documented instructions from the Controller ('Instructions').

2.3 The Instructions may be changed or concretised at any time by the Controller.

3. DURATION

3.1 The Processor Agreement applies until either (a) termination of the agreement(s) on provision of the Primary Services or (b) termination of the Processor Agreement.

4. PROCESSOR'S OBLIGATIONS

4.1 Technical and organisational security measures
4.1.1 The Processor is responsible for implementing necessary (a) technical and (b) organisational measures to ensure an appropriate security level. The measures must be implemented with due regard to the current state of the art, costs of implementation and the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons. The Processor shall take the category of personal data described in appendix 1 into consideration in the determination of such measures.
4.1.2 Notwithstanding clause 4.1.1, the Processor shall implement the technical and organisational security measures as specified in the agreement(s) on provision of the Primary Services.
4.1.3 The Processor shall implement the suitable technical and organisational measures in such a manner that the processing by the Processor of personal data meets the requirements of the personal data regulation in force from time to time.

4.2 Employee conditions
4.2.1 The Processor shall ensure that employees who process personal data for the Processor have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.
4.2.2 The Processor shall ensure that access to the personal data is limited to those employees for whom it is necessary to process personal data in order to meet their obligations to the Controller.
4.2.3 The Processor shall ensure that employees processing personal data for the Processor only process such data in accordance with the Instructions.

4.3 Documentation for compliance with obligations
4.3.1 Upon written request, the Processor shall document to the Controller that the Processor:
a) meets its obligations under this Processor Agreement and the Instructions.
b) meets the provisions of the personal data regulation in force from time to time, in respect of the personal data processed on behalf of the Controller.
4.3.2 The Processor's documentation must be provided within reasonable time.

4.4 Security breach
4.4.1 The Processor shall notify the Controller of any personal data breach which may potentially lead to accidental or unlawful destruction, alteration, unauthorised disclosure of, or access to, personal data processed for the Controller ('Security Breach').
4.4.2 Security Breaches must be reported to the Controller without undue delay.
4.4.3 The Processor shall maintain a record of all Security Breaches. The record must as a minimum document the following:
a) the actual circumstances of the Security Breach,
b) the effects of the Security Breach, and
c) the remedial measures taken.
4.4.4 Upon written request, the record must be made available to the Controller or the supervisory authorities.

4.5 Assistance
4.5.1 The Processor shall to the necessary and reasonable extent assist the Controller in the performance of its obligations in the processing of the personal data covered by this Processor Agreement, including in connection with:
a) responses to data subjects on exercise of their rights;
b) Security Breaches;
c) impact assessments; and
d) prior consultation of the supervisory authorities.

5. SUB-PROCESSORS

5.1 The Processor may only use a third party for the processing of personal data for the Controller ('Sub-Processor') provided that it is specified in:
a) appendix 2 to this Processor Agreement; or
b) Instructions from the Controller.

5.2 The Processor and the Sub-Processor shall conclude a written agreement imposing the same data protection obligations on the Sub-Processor as those of the Processor (including in pursuance of this Processor Agreement).

5.3 Moreover, the Sub-Processor also acts only under the Instructions of the Controller. All communication with the Sub-Processor is handled by the Processor, unless otherwise specifically agreed. Any changed or concretised Instructions from the Controller must immediately be passed on by the Processor to the Sub-Processor.

5.4 The Processor is directly responsible for the Sub-Processor's processing of personal data in the same manner as had the processing been carried out by the Processor.

6. DATA PROCESSING OUTSIDE THE SCOPE OF THE INSTRUCTIONS

6.1 The Processor may process personal data outside the scope of the Instructions in cases where required by EU law or national law to which the Processor is subject.

6.2 If personal data are processed outside the scope of the Instructions, the Processor shall notify the Controller of the reason. The notification must be made before processing is carried out and must include a reference to the legal requirements forming the basis of the processing.

6.3 Notification should not be made if such notification would be contrary to EU law or national law.

7. FEES AND COSTS

7.1 The Parties are only entitled to payment for the performance of this Processor Agreement if specifically specified herein or in the agreement(s) on delivery of the Primary Services.

7.2 Regardless of the above requirements, a Party is not entitled to payment for assistance or implementation of changes to the extent that such assistance or change is a direct consequence of the Parties' breach of this Processor Agreement.

8. BREACH

8.1 The regulation of breach in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof. If this is not considered in the agreement(s) on delivery of the Primary Services, the general remedies for breach laid down in applicable law will apply to this Processor Agreement.

9. LIABILITY AND LIMITATION OF LIABILITY

9.1 The regulation of liability and limitation of liability in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.

9.2 The Parties are liable according to the general rules of applicable law, subject, however, to the limitations set out in this section.

10. FORCE MAJEURE

10.1 The regulation of force majeure in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.

10.2 The Processor cannot be held liable for situations normally referred to as force majeure, including, but not limited to, war, riots, terrorism, insurrection, strike, fire, natural disasters, currency restrictions, import or export restrictions, interruption of traffic, interruption or failure of energy supply, public data systems and communication systems, long-term illness of key staff, virus and occurrence of force majeure at subcontractors.

10.3 Force majeure may only be asserted for the number of working days for which the force majeure situation lasts.

11. CONFIDENTIALITY

11.1 The regulation of confidentiality in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.

11.2 Information regarding the content of this Processor Agreement, the underlying Primary Services or the other Party's business which is either, in connection with the disclosure to the receiving Party, designated as confidential information, or which, by its nature or otherwise, should be considered as confidential, must be treated as confidential and subject to at least the same degree of care and discretion as the Party's own confidential information. Data, including personal data, are always confidential information.

11.3 However, the duty of confidentiality does not apply to information which is or becomes publicly available without this being the result of a breach of a Party's duty of confidentiality, or information which is already in the possession of the receiving Party without any similar duty of confidentiality or information which is developed independently by the receiving Party.

12. TERMINATION

12.1 Termination for cause or breach
12.1.1 The Processor Agreement may only be terminated according to the provisions on termination in the agreement(s) on delivery of the Primary Services.
12.1.2 Termination of this Processor Agreement is subject to – and allows for – simultaneous termination of the parts of the agreement(s) on delivery of the Primary Services that concern personal data processing pursuant to the Processor Agreement.

12.2 Effects of termination
12.2.1 The Processor's authority to process personal data on behalf of the Controller lapses on termination of the Processor Agreement for whatever reason.
12.2.2 The Processor may continue to process personal data for up to seven months after the termination of the Processor Agreement to the extent that this is necessary to take the required statutory measures. During the same period, the Processor is entitled to let the personal data be included in the Processor's usual backup procedure. The processing by the Processor during this period is assumed to comply with the Instructions.
12.2.3 The Processor and any Sub-Processors shall return all personal data processed by the Processor under this Processor Agreement to the Controller on termination of the Processor Agreement, provided that the Controller is not already in possession of the personal data. The Processor is then obliged to delete all personal data from the Controller. The Controller may request adequate information for such deletion.

13. DISPUTE RESOLUTION

13.1 The regulation of dispute resolution, including governing law and venue, in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.

13.2 The Processor Agreement is subject to Danish law with the exception of (a) rules leading to the use of law other than Danish law and (b) the UN Convention on Contracts for the International Sale of Goods (CISG).

13.3 Should any dispute arise in connection with the Processor Agreement or its performance, the Parties shall in a positive, cooperative and responsible spirit seek to initiate negotiations for the purpose of settling the dispute. If necessary, attempts must be made to transfer negotiations to executive level in the Parties’ respective organisations.

13.4 If the Parties are unable to solve the dispute by negotiation, the Parties are entitled to demand that the dispute be finally settled by the ordinary courts of law. The court in Odense, Denmark has been selected as venue. However, the referral arrangements of the Danish Administration of Justice Act to the High Court and the Maritime and Commercial Court still apply.

14. PRECEDENCE

14.1 In the event of any discrepancies between this Processor Agreement and the agreement(s) on delivery of the Primary Services, this Processor Agreement takes precedence, unless otherwise directly specified in the Processor Agreement.



APPENDIX 1: PRIMARY SERVICE

1. PRIMARY SERVICE

1.1 The Primary Service consists of marketing, provision of access and support for the system budget123 and associated modules, where agreement conditions are described in the License Agreement for the system in question.

2. PERSONAL DATA

2.1 Types of personal data processed in connection with the delivery of the Primary Service:
a) General personal data, including
i) name,
ii) address,
iii) e-mail address,
iv) phone number,
v) IP address.

2.2 The category of registered identified or identifiable natural persons covered by the Processor Agreement:
a) The Controller's end user
b) The Controller's employees
c) The Controller's customers
d) The Controller's customers' employees
e) The Controller's stakeholders
f) The Controller's customers' stakeholders

APPENDIX 2: SUB-PROCESSORS

1. GENERAL

1.1 For the purpose of the Processor Agreement, the Controller hereby gives the Processor general written approval to use a Sub-Processor. The Processor shall notify the Controller in writing of the use of a Sub-Processor prior to commencement of the use. Similarly, the Processor shall notify the Controller when a Sub-Processor is no longer used.

1.2 The Processor is allowed to make objections to such a Sub-Processor if reasonably justifiable.

1.3 At the conclusion of the agreement, the following Sub-Processors are used in relation to the individual processes:
Hosting of systems

| Supplier | Location | Function | Updated |
| --- | --- | --- | --- |
| Sentia / Athena IT-Group | Odense, Denmark | Hosting of servers with budget123, report123 and budget123+. | 09-05-2018 |
| SendGrid | USA, Privacy Shield | Sending mail from the system to the user-created e-mail recipients. | 09-05-2018 |
| Scannet | Jutland, Denmark | Sending welcome email and receiving e-mail inquiries from customers and stakeholders. | 09-05-2018 |

Marketing and support

| Supplier | Location | Function | Updated |
| --- | --- | --- | --- |
| Firmafon | Denmark | Receiving support calls. | 09-05-2018 |
| Azure | Northern Europe | Hosting of websites - but not the products themselves budget123, report123 and budget123+. | 09-05-2018 |
| Pipedrive | USA, Privacy Shield | Lead management. | 09-05-2018 |
| Leadfeeder | | Lead management. | 09-05-2018 |
| Mailchimp | USA, Privacy Shield | Newsletter publishing. | 09-05-2018 |
| Google | USA, Privacy Shield | Marketing and analysis. | 09-05-2018 |
| Teamviewer | | Remote support and webinars. | 09-05-2018 |

Administration

| Supplier | Location | Function | Updated |
| --- | --- | --- | --- |
| e-conomic | EU | Shipping of invoices. | 09-05-2018 |
| Azure | Northern Europe | Document handling. | 09-05-2018 |
| Hornskov-Vindberg | EU | Debt collection. Recovery of claims. | 09-05-2018 |
