Data Processing Agreement
Below you will find our "Data Processing Agreement", also known as a DPA.
Introduction
- This Data Processing Agreement sets out the rights and obligations that apply to the Data Processor's handling of personal data on behalf of the Data Controller.
- This Agreement has been designed to ensure the Parties' compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation),
which sets out specific requirements for the content of data processing agreements.
- The Data Processor's processing of personal data shall take place for the purposes of fulfillment of the Services under the Terms and Conditions.
- This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the Terms and Conditions.
- Three appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.
The Data Controller's rights and obligations
- The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Danish Data Protection Act.
- The Data Controller shall, therefore, have both the right and obligation to make decisions about the purposes and means of the processing of personal data.
- The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorized in law.
- The Data Controller shall be solely responsible for any claim deriving from misuse (including but not limited to misuse under the Applicable Law) of the systems of the Data Controller.
- The Data Controller understands that the Data Processor is providing a technical service and that the Data Controller retains all responsibility for ensuring that the Data Controller's use of the technology is in accordance with the Applicable Law.
The Data Processor acts according to instructions
- The Data Processor shall solely be permitted to process personal data on instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case,
the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
Confidentiality
- The Data Processor shall ensure that only those persons who are currently authorized to do so are able to access the personal data being processed on behalf of the Data Controller.
- Only persons who require access to the personal data in order to fulfill the obligations of the Data Processor to the Data Controller shall be provided with authorization.
- The Data Processor shall ensure that persons authorized to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to the suitable statutory obligation of confidentiality.
Security of processing
- The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level,
implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons,
the Data Controller and Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- The above obligation means that the Data Processor shall implement measures to counter the identified risk. Depending on their relevance, the measures may include the following:
- Pseudonymization and encryption of personal data.
- The ability to provide ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- In ensuring the above, the Data Processor shall in all cases, at a minimum, implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.
Use of sub-processors
- The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the General Data Protection Regulation in order to engage another processor (Sub-Processor).
- The Data Controller's consent to the engagement of specific sub-processors, if applicable, shall be specified in Appendix B to this Data Processing Agreement.
Transfer of data to third countries or international organizations
- The Data Controller guarantees that access to personal data of users within the GDPR framework will only be performed from states within the Union.
- The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller, including as regards transfer
(assignment, disclosure, and internal use) of personal data to third countries or international organizations unless processing is required under EU or
Member State law to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal requirement prior
to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
- Without the instructions or approval of the Data Controller, the Data Processor, therefore, cannot:
- disclose personal data to a data controller in a third country or in an international organization.
- assign the processing of personal data to a sub-processor in a third country.
- have the data processed in another of the Data Processor's divisions which are located in a third country.
- The Data Controller's instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in Appendix C to this Data Processing Agreement.
Assistance to the Data Controller
- The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organizational measures,
in the fulfilment of the Data Controller's obligations to respond to requests for the exercise of the data subjects' rights pursuant to Chapter 3 of the General Data Protection Regulation.
This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller's compliance with:
- notification obligation when collecting personal data from the data subject.
- the right to erasure ('the right to be forgotten').
Notification of personal data breach
- On discovery of a personal data breach at the Data Processor's facilities or sub-processors' facilities, the Data Processor shall, without undue delay, notify the Data Controller.
The Data Processor's notification to the Data Controller shall, if possible, take place within 24 hours after the Data Processor has discovered the breach to enable the Data Controller to comply with its obligation,
if applicable, to report the breach to the supervisory authority within 72 hours.
- In case of a personal data breach at the Data Processor's facilities or sub-processors' facilities, the Data Processor shall,
taking into account the nature of the processing and the data available, assist the Data Controller in the reporting of the breach to the supervisory authority.
This may mean that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation,
shall be stated in the Data Controller's report to the supervisory authority:
- The nature of the personal data breach, including, if possible, the categories and the approximate number
of affected data subjects and the categories and the approximate number of affected personal data records.
- Probable consequences of a personal data breach.
- Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage.
Erasure and return of data
- On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller's discretion,
to erase or return all the personal data to the Data Controller and to erase existing copies unless EU law or Member State law requires storage of the personal data.
Commencement and termination
- This Data Processing Agreement shall become effective on the date on which the Data Controller starts using the services of the Data Processor for Newsletter and Contact Form management, including the supply of the Data Processor Privacy Policy information.
- The Data Processor is allowed to unilaterally review this agreement if changes are required to update it to comply with the Applicable Law.
- This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the Terms and Conditions.
- This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the Terms and Conditions and/or this Data Processing Agreement,
the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.
Data Controller's and Data Processor's Contacts/contact points
- The Parties may contact each other using the registered contact information in connection with the digital approval of this agreement.
- The Parties shall be under obligation continuously to inform each other of changes to contacts/contact points.
Appendices
A. Information about the processing
The purpose of the Data Processor's processing of personal data on behalf of the Data Controller is:
That the Data Controller is able to access the services on Lnk.Bio properties, which are owned and managed by the Data Processor, to collect and process data about the Data Controller's Data Subjects.
The Data Processor's processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):
The use of Lnk.Bio properties will include, but not be limited to, collecting personal data from visitors (Data Subjects).
The Data Controller will, with the Data Processor, have restricted access to the encrypted data stored on behalf of the Data Controller.
Data Subjects will have access to their own data in respect to the applicable laws of GDPR.
Processing includes the following categories of Data Subject:
Email, Full Name, Contact information, as actively provided by the Data Subject when signing up for the Newsletter of the Data Controller or sending a contact request to the Data Controller using the Data Processor technology.
The Data Processor's processing of personal data on behalf of the Data Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:
Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or canceled by one of the Parties.
B. Terms of the Data Processor's use of sub-processors and list of approved sub-processors
Terms of the Data Processor's use of sub-processors, if applicable:
The Data Processor has the Data Controller's general consent for the engagement of sub-processors following this agreement.
Sub-Processors:
The Data Processor may use the following Sub-Processors to host Customer Data or provide other infrastructure that helps with the delivery of our Services:
Amazon Web Services, Inc. (US (Oregon), EU (Ireland) Region Datacenters)
C. Instruction pertaining to the use of personal data
The subject of/instruction for the processing:
The Data Processor's processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following:
- Collecting subscription to the Email Newsletter of the Data Controller;
- Collecting contact requests for the Data Controller;
- Sending the Email Newsletter of the Data Controller.
Storage period/erasure procedures:
Personal data is stored with the Data Processor until the Data Controller requests that the data is erased or returned. In the event of a request to erase, delete or terminate the agreement,
the personal data is anonymized within 30 days after the expiry of the agreement, unless legal grounds call for maintenance of this personal data on the company server.
Processing location
Processing of the personal data under this Data Processing Agreement cannot be performed at locations other than the following without the Data Controller's prior written consent:
Collection:
Amazon Web Services, Inc. (US (Virginia), EU (Ireland), AP (Sydney & Tokyo) Region Datacenters)
Processing and Storage:
Amazon Web Services, Inc. (EU (Ireland) Region)
Definitions
Applicable Laws means laws, rules, directives, regulations issued or enacted by any government entity (including any domestic or foreign, supra-national, state, county, municipal,
local, territorial or other government, which includes to the extent applicable, Directive 95/46/EC, Directive 2002/58/EC,
European Commission decisions and guidance) each as transposed into domestic legislation of each Member State or other country and as amended,
replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR, and any industry self-regulatory
principles that are applicable in the location or region where the Services are provided or received, related to the Processing of Personal Data or the interception, recording or monitoring of communications;
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of
Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
The terms, “Commission”, “Controller”, “Data Controller”, “Data Processor”, “Data Subject”,
“Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.