About us



eflow A/S

Company registration no. 40463682

Baltorpbakken 16

2750 Ballerup






(each a "Party", and collectively the "Parties")


1.1 The DPA forms part of and uses the same definitions as set out in the EULA. In addition, the following words and expressions have the meanings stated below unless the context requires otherwise.


this data processing agreement including any schedules, appendices and amendments hereto.

Data Protection Law:

the legislation, as amended, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a controller in the EU or EEA country where the Controller is established, including but not limited to the GDPR. If the Controller is not established in an EU or EEA Country, Data Protection Law shall include the laws where the Processor is established, including but not limited to the GDPR.

Data Subject

an identified or identifiable natural person (an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person) as further described in Appendix A.


the European Economic Area.

Effective Date

the effective date of the EULA.


the European Union.


the End User License Agreement concerning the use of the eflow Product to which the DPA is a Schedule.


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data

any information, in whatever form, relating to a Data Subject which is Processed under the DPA.

Personal Data Breach

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.


any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processing Operations

the processing operations described in Appendix A.


as defined in clause 7.

1.2 Any words following the terms "including", "include", "in particular" or "for example" or any similar phrase will be construed as illustrative and will not limit the generality of the related general words.

1.3 Unless the context otherwise requires, words in the singular will include the plural and in the plural will include the singular.


2.1 The Processor Processes Personal Data on behalf of the Controller, as a part of carrying out the Processing Operations.

2.2 The purpose of the DPA is to:

(i) describe the terms and conditions for the Processor's Processing of Personal Data on behalf of the Controller as set out in Data Protection Law;

(ii) ensure the security and the protection of the Personal Data that the Processor Processes on behalf of the Controller;

(iii) ensure that all Processing of Personal Data is carried out in accordance with Data Protection Law; and

(iv) respect and secure the rights of the Data Subjects at any time.

2.3 The DPA applies to any Processing of Personal Data performed by the Processor in connection with the performance of the services to the Controller under the EULA.

2.4 The types of Personal Data which the Processor Processes and the categories of data subjects to whom the Personal Data relate under the DPA are set out in Appendix A.


3.1 The Processor may only Process the Personal Data on documented instruction from the Controller, including with regard to transfers of personal data to a third country or an international organisation unless required to do so by mandatory EU or member state law to which the

Processor is subject; in such case, the Processor must inform the Controller of that legal requirement before processing, unless otherwise prohibited by law on important grounds of public interest.

3.2 The Processor is instructed to perform the Processing Operations as set out in Appendix A in accordance with the DPA.


4.1 The Processor must:

  • a) immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Law or other applicable EU or member state law;
  • b) taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights as these are stated in the Data Protection Law, including without limitation the Data Subjects' rights laid down in the GDPR Chapter III;
  • c) assist the Controller in ensuring compliance with the Controller's obligations under GDPR articles 32-36 taking into account the nature of the Processing and the information available to the Processor;
    d) at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the term of the DPA, and delete existing copies unless EU or member state law requires storage of the Personal Data as further set out in clause 11;
  • e) make available to the Controller all information necessary to demonstrate compliance with the DPA and Data Protection Law and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller as further set out in clause 8;
  • f) comply with its obligations under Data Protection Law.

4.2 The Processor may charge the Controller in accordance with the Processor's applicable time and material rates from time to time for costs held by the Processor in relation to the Processor's fulfilment of its obligations under clauses 4.1(b-e), 8, and 11 of the DPA.


Only the Controller will be responsible and liable for the Controller's compliance with applicable law as data controller.

5.2 The Controller warrants that the Controller has all necessary rights to Process all Personal Data and to let the Processor process the Personal Data on behalf of the Controller as set out in the EULA, including the DPA.

5.3 The Controller warrants that Processing of the Personal Data in accordance with the Controller's instructions will not violate Data Protection Law.

5.4 The Controller will promptly notify the Processor if it becomes aware that Processor's Processing Operations may be contrary to Data Protection Law.


6.1 The Processor will take all measures required pursuant to article 32 of the GDPR.

6.2 The Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks, that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, including inter alia as appropriate:

  • a) the pseudonymisation and encryption of Personal Data;
  • b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

6.3 The Processor must take steps to ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not Process the Personal Data except on instructions of the Controller, unless he or she is required to do so under Data Protection Law.

6.4 The Processor will implement security measures according to the specific requirements as set out in Appendix A to this DPA.


7.1 The Controller gives its general written authorisation for the Processor to engage other processors to perform Processing of the Personal Data ("Sub-processor"). The Processor must inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. If the Controller objects to the changes, the Processor may terminate the EULA, including the DPA, upon 1 months' written notice.

7.2 If the Processor makes use of Sub-processors in accordance with clause 7.1, the Processor must enter into a written agreement with each Sub-processor which imposes the same obligations on the Sub-processors as are imposed on the Processor under this DPA.

7.3 Where a Sub-processor fails to fulfil its data protection obligations under the data processing agreement referred to in clause 7.2, the Processor will remain fully liable to the Controller for the performance of the Sub-processor's fulfilment of its obligations.

7.4 The Controller has given its authorisation for the Processor to engage the Sub-processors listed in Appendix A to perform Processing of the Personal Data by the Effective Date.

7.5 The Controller has instructed the Processor to use or instruct its Sub-Processor to use Amazon Web Services EMEA SARL ("Amazon Web Services"), including its Sub-processors, as a Sub-processor on the terms set out on https://aws.amazon.com/agreeme... and https://d1.awsstatic.com/legal... which are hereby incorporated into the DPA by reference.

7.6 The Controller agrees that the agreement available on https://d1.awsstatic.com/legal... fulfils all Processor obligations under clause 7.2 in relation to Processor's and/or Processor's Sub-processor's use of Amazon Web Services, and its Sub-processors, as a Sub-processor when entered into between the Processor and/or Processor's Sub-processor and Amazon Web Services.

7.7 The Processor may update the web links provided in this clause 7 if the referenced documents are moved to other web addresses.


8.1 Upon request, the Controller is entitled to receive copies of auditor reports and security certificates covering Processor's Processing of the Personal Data (if any exists).

8.2 Upon request, the Controller (or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality appointed by the Controller) will be entitled to perform audits and inspections of the Processor's facilities and security practices directly related to the Processing of Personal Data under the DPA in order to monitor compliance with this DPA. Any audit request must be given with a reasonable written notice of no less than thirty 30 days, unless otherwise required by law or a relevant data protection agency.

For the avoidance of doubt, audits and inspections do not include access to information about the general cost structure of the Processor or to information concerning other customers of the Processor.

8.4 Upon request from the Controller, any persons participating in any audits or inspections under clause 8.2 must sign a non-disclosure agreement. Irrespective of whether a non-disclosure agreement has been signed or not, any information gathered or received from the Processor must be kept confidential and may under any circumstances only be shared with the Controller. The Controller may not disclose the information to any third party or use the information for any other purpose than to evaluate whether the Processor complies with the DPA.


9.1 The Processor must inform the Controller without undue delay if the Processor becomes aware of any Personal Data Breach.


10.1 The Processor will ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


11.1 Upon request from the Controller and no later than by termination of the DPA (as further set out in Appendix A), the Processor must either, at the Controller's discretion, return or delete Personal Data comprised by this DPA, including any copies – both physical and electronic – that may exist including any Personal Data transferred to Sub-processors in accordance with clause 7.


12.1 The DPA will take effect upon the Effective Date and will remain in force until the latest of; (i) as long as the Processor delivers services to the Controller under the EULA; or (ii) as long as the Processor Processes Personal Data on behalf of the Controller.


13.1 As the DPA is a part of the EULA, all terms of the EULA apply to the DPA, including, for the avoidance of doubt, clauses under the headline Breach and liability. In case of inconsistencies between the EULA and the DPA, the DPA will prevail.

13.2 Each Party is entitled to require renegotiation of the DPA if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation.


In connection with the Processor's Processing of Personal Data, the Controller gives the Processor the instruction to Process Personal Data for the purposes set out in this Appendix A.


The Processor is making a cloud-based platform available to the Controller which has been granted a license to access the eflow Product on the Processor's or a Sub-processor's servers. The Processor will Process Personal Data on behalf of the Controller for the purpose of providing the eflow Product as set out in the EULA, including the following:

  • Provision of access for the Controller to the eflow Product and enabling the Controller's use of the eflow Product.


The eflow Product includes integrations for the export of data (including Personal Data) to the Controller's other processors and/or third parties. If enabled by the Controller, the eflow Product will transfer data (including Personal Data) from the eflow Product to such other processors and/or third parties. The eflow Product currently include integrations for the export of data to:

  • Visma e-conomic
  • If the Controller has granted access to the eflow Product to the Controller's customers, the Controller's customers


The Categories of Data Subjects are:

  • Employees of the Controller working with the eflow Product
  • Customers of the Controller


The types of Personal Data are:

Regarding employees of the Controller:

  • Name
  • E-mail address
  • Work time
  • Dates of periods of absence from work
  • Dates of periods of holidays
  • Dates of periods of sickness (only relevant dates, i.e. not any data regarding conditions, type of sickness or other health data)

Regarding customers of the Controller:

  • Car license plate
  • Car chassis number
  • Car type
  • Service made on car
  • Insurance company


The Processor will delete the data processed under the DPA from its servers within 90 days after the effective date of termination of the agreement enabling Controller's access to the eflow Product.


The Processor shall implement the following security measures that have been agreed with the Controller:

  • Only relevant personnel shall be granted access to the system and to the Personal Data.
  • Access to the data online shall be restricted with a password.
  • Information about ownership of cars will remain with the Controller, ensuring that eflow is normally not able to identify any of the car owners based on the data which has been put in the system.
  • The system shall regularly be backed-up ensuring the ability to restore the availability and access to
  • Personal Data in a timely manner.
  • The system shall be regularly tested, assessed and evaluated for the purpose of ensuring continuous security.
  • The system encrypts data in transit, including (but not necessarily limited to) the use of AES256 encryption.
  • Access to Processor's facilities requires a key or key token.
  • Outside normal business hours, an alarm system is enabled at Processor's facilities.
  • Video surveillance is installed at Processor's facilities.


The Controller has currently given its consent to the Processor's use of the following Sub-processors:

Company (name, registration no. and address)

Amazon Web Services EMEA SARL
5 rue Plaetis
L-2338 Luxembourg

Description of processing:

Data center and cloud provider of virtual computer power and software services.

Quantity Digital
Murervej 7B
6710 Esbjerg V

Description of processing:

Development of and support on the eflow platform.

Support profile image
Welcome, how can we help you?
Send message
Call me
Get a call
We have received your request, and will get back to you as soon as possible.
We have encountered an error while submitting the form. Please try again.
Send message
We have received your request, and will get back to you as soon as possible.
We have encountered an error while submitting the form. Please try again.