DATA PROCESSING AGREEMENT
1. PURPOSE AND DESCRIPTION OF PROCESSING
1.1 The Data Processing Agreement is intended to govern and regulate the Data Processor’s processing of personal data on behalf of the Data Controller.
1.2 The Agreement is regulated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and by the national data legislation.
1.3 The Data Processor processes various types of personal data concerning the Data Controller and the Data Con-troller's customers.
1.4 This is for the purpose of enabling the Data Processor to perform online marketing activities for and on behalf of the Data Controller.
1.5 The Data Controller defines what data the Data Processor receives, and is responsible for the transfer of these data, whereby River Online becomes the Data Processor, cf. the General Data Protection Regulation. The Data Con-troller is responsible for the personal data that the Data Controller instructs the Data Processor to process. The Data Controller is responsible for ensuring that the personal data that the Data Controller instructs the Data Processor to process are permitted to be processed by the Data Processor, including ensuring that the processing is necessary and relevant with regard to the Data Controller’s responsibilities.
1.6 The data are to be saved for the duration of the Agreement and for 6 months thereafter.
2. DATA PROCESSOR’S OBLIGATIONS
2.1 The Data Processor is only permitted to process the personal data transferred by the Data Controller in accord-ance with the purpose stated in pt. 1.4.
2.2 The Data Processor is to process personal data in accordance with best data processing practice, cf. the rules and regulations that are applicable at the time.
2.3 The Data Processor is to ensure that access to personal data is restricted to those employees who need such ac-cess for the purpose of their work. Employees must be required to maintain professional secrecy.
2.4 With due consideration to the current level of technology, the costs of implementation and the nature, scope, context and purpose of the processing concerned, as well as to the risks, of varying probability and gravity, to the rights of natural persons, the Data Processor is to implement suitable technological and organizational measures to ensure an adequate level of security in relation to such risks. This must be done in such a way that the processing satisfies the requirements set by personal data protection legislation and safeguards the rights of the persons whose data are registered.
2.5 The Data Processor shall without undue delay, on being notified of a breach of personal data security or confi-dentiality, notify the Data Controller thereof. At the request of the Data Controller, the Data Processor is to assist the Data Controller in investigating the breach of personal data security, including in association with notification thereof to the National Data Protection Agency and/or the persons whose data are registered.
2.6 The Data Processor shall, at the request of the Data Controller, give the latter sufficient information to allow the Data Controller to ensure that the requirements of the General Data Protection Regulation and the National Data Protection legislation are being complied with.
2.7 The Data Controller, or a third party appointed by the Data Controller, is to be permitted, with reasonable ad-vance notice, to gain access to the Data Processor’s systems that are used for processing covered by the Data Pro-cessing Agreement. The Data Controller may only demand access to those parts of the systems that contain the Data Controller’s data, and access may only be granted if the Data Controller or a third party appointed by the Data Con-troller is present at one of the Data Processor’s offices, and if at least one employee of the Data Processor partici-pates. The Data Controller is liable for the costs of this.
3. USE OF DATA SUB-PROCESSOR(S) AND DISCLOSURE
3.1 On entering into the collaboration between the Data Controller and the Data Processor, the Data Controller ac-cepts that the Data Processor utilizes data sub-processors.
3.2 The commissioning of a sub-processor requires that the sub-processor adhere to the data protection obligations and contractual terms and conditions that are specified in this Agreement, including that the sub-processor is to im-plement appropriate technological and organizational measures in such a way that the processing satisfies the re-quirements of the General Data Protection Regulation and the National Data Protection Act.
3.3. If the Data Processor assigns the processing of personal data for which the Data Controller is the data controller to data sub-processors, the Data Processor is to enter into a written data (sub-)processing agreement with each data sub-processor.
3.4. Each data sub-processing agreement is to oblige the data sub-processor to meet the same data protection obli-gations that the Data Processor must meet, including that the sub-processor must affirm that it is able to provide suf-ficient expertise, reliability and resources to be able to implement the appropriate technological and organizational measures such that processing by the data sub-processor at all times complies with the requirements of the General Data Protection Regulation and ensures protection of the rights of the persons whose data are registered.
3.5 The Data Controller may at any time request documented evidence from the Data Processor of the existence and content of the data sub-processing agreements with the data sub-processors that the Data Processor utilizes in rela-tion to compliance with its obligations to the Data Controller.
3.6 All communication between the Data Controller and a data sub-processor shall be made via the Data Processor.
3.7 If a data sub-processor does not meet its obligations, the Data Processor shall be fully liable to the Data Control-ler for meeting that data sub-processor's obligations.
4.1 All information provided or received in association with this Agreement is confidential information.
4.2 Confidential information is to be treated as strictly confidential and may not be used by or disclosed to any third party, except for the fulfillment of this Agreement or as required by the General Data Protection Regulation and/or national law.
4.3 On termination of this Agreement, the Data Processor is to delete all data and all material received in relation to the collaboration between the Data Controller and the Data Processor.
5. BREACH OF CONTRACT
5.1 In the event of material breach of contract by the Data Processor or Data Controller, the party not in breach of contract may terminate the Agreement. However, termination may occur no earlier than 20 working days after the party not in breach has sent written notification to the party in breach concerning the breach of contract and contain-ing a demand for its rectification within a period of no less than 5 working days.
5.2 If the breach is rectified within the stated deadline, cf. pt. 5.1 termination may not occur.
5.3 The Data Processor is liable for compensation in association with the general regulations of national law, but not for indirect losses or consequential damage etc., unless these are due to demonstrable intent or gross negligence.
6. START AND END OF AGREEMENT
6.1 The Data Processing Agreement shall become effective on 25th of May 2018.
6.2 The Data Processor is bound by the Data Processing Agreement for the duration of the period during which the Data Processor processes personal data on behalf of the Data Controller.
6.3 The Data Processing Agreement shall automatically lapse on termination of the collaboration between the Data Controller and the Data Processor or at such time the Data Processor no longer processes personal data on behalf of the Data Controller.
7. CHOICE OF LAW AND JURISDICTION
7.1 The Data Processing Agreement is governed by national Law.
7.2 Any claim and any dispute arising from or otherwise related to this Data Processing Agreement is to be resolved in the municipal court.
LOCATIONS, INCL. STATING THE COUNTRY OF PROCESSING
Banegårdspladsen 4, 1.
DK - 6000 Kolding
DK - 9200 Aalborg
Winterhuder Weg 80
DE – 22085 Hamburg