DATA PROCESSING AGREEMENT

PARTIES

eflow A/S

Company registration no. 40463682

Baltorpbakken 16

2750 Ballerup

Denmark

("Processor")

and

You

("Controller")

(each a "Party", and collectively the "Parties")

1 DEFINITIONS AND INTERPRETATION

1.1 The DPA forms part of and uses the same definitions as set out in the EULA. In addition, the following words and expressions have the meanings stated below unless the context requires otherwise.

DPA:

this data processing agreement including any schedules, appendices and amendments hereto.

Data Protection Law:

the legislation, as amended, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a controller in the EU or EEA country where the Controller is established, including but not limited to the GDPR. If the Controller is not established in an EU or EEA Country, Data Protection Law shall include the laws where the Processor is established, including but not limited to the GDPR.

Data Subject

an identified or identifiable natural person (an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person) as further described in Appendix A.

EEA

the European Economic Area.

Effective Date

the effective date of the EULA.

EU

the European Union.

EULA

the End User License Agreement concerning the use of the Eflow Product to which the DPA is a Schedule.

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data

any information, in whatever form, relating to a Data Subject which is Processed under the DPA.

Personal Data Breach

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Process/Processing

any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processing Operations

the processing operations described in Appendix A.

Sub-processor

as defined in clause 7.

1.2 Any words following the terms "including", "include", "in particular" or "for example" or any similar phrase will be construed as illustrative and will not limit the generality of the related general words.

1.3 Unless the context otherwise requires, words in the singular will include the plural and in the plural will include the singular.

2 PURPOSE AND BACKGROUND

2.1 The Processor Processes Personal Data on behalf of the Controller, as a part of carrying out the Processing Operations.

2.2 The purpose of the DPA is to:

(i) describe the terms and conditions for the Processor's Processing of Personal Data on behalf of the Controller as set out in Data Protection Law;

(ii) ensure the security and the protection of the Personal Data that the Processor Processes on behalf of the Controller;

(iii) ensure that all Processing of Personal Data is carried out in accordance with Data Protection Law; and

(iv) respect and secure the rights of the Data Subjects at any time.

2.3 The DPA applies to any Processing of Personal Data performed by the Processor in connection with the performance of the services to the Controller under the EULA.

2.4 The types of Personal Data which the Processor Processes and the categories of data subjects to whom the Personal Data relate under the DPA are set out in Appendix A.


3 INSTRUCTION

3.1 The Processor may only Process the Personal Data on documented instruction from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by mandatory EU or member state law to which the Processor is subject; in such case, the Processor must inform the Controller of that legal requirement before processing, unless otherwise prohibited by law on important grounds of public interest.

3.2 The Processor is instructed to perform the Processing Operations as set out in Appendix A in accordance with the DPA.

4 OBLIGATIONS OF THE PROCESSOR

4.1 The Processor must:

  • a) immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Law or other applicable EU or member state law;
  • b) taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights as these are stated in the Data Protection Law, including without limitation the Data Subjects' rights laid down in the GDPR Chapter III;
  • c) assist the Controller in ensuring compliance with the Controller's obligations under GDPR articles 32-36 taking into account the nature of the Processing and the information available to the Processor;
  • d) at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the term of the DPA, and delete existing copies unless EU or member state law requires storage of the Personal Data as further set out in clause 11;
  • e) make available to the Controller all information necessary to demonstrate compliance with the DPA and Data Protection Law and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller as further set out in clause 8;
  • f) comply with its obligations under Data Protection Law.

4.2 The Processor may charge the Controller in accordance with the Processor's applicable time and material rates from time to time for costs incurred by the Processor in relation to the Processor's fulfilment of its obligations under clauses 4.1(b-e), 8, and 11 of the DPA.

5 OBLIGATIONS OF THE CONTROLLER

5.1 Only the Controller will be responsible and liable for the Controller's compliance with applicable law as data controller.
5.2 The Controller warrants that the Controller has all necessary rights to Process all Personal Data and to let the Processor process the Personal Data on behalf of the Controller as set out in the EULA, including the DPA.
5.3 The Controller warrants that Processing of the Personal Data in accordance with the Controller's instructions will not violate Data Protection Law.
5.4 The Controller will promptly notify the Processor if it becomes aware that Processor's Processing Operations may be contrary to Data Protection Law.

6 SECURITY MEASURES

6.1 The Processor will take all measures required pursuant to article 32 of the GDPR.
6.2 The Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, including inter alia as appropriate:
a) the pseudonymisation and encryption of Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
6.3 The Processor must take steps to ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not Process the Personal Data except on instructions of the Controller, unless he or she is required to do so under Data Protection Law.
6.4 The Processor will implement security measures according to the specific requirements as set out in Appendix A to this DPA.

7 SUB-PROCESSORS

7.1 The Controller gives its general written authorisation for the Processor to engage other processors to perform Processing of the Personal Data ("Sub-processor"). The Processor must inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. If the Controller objects to the changes, the Processor may terminate the EULA, including the DPA, upon 1 month's written notice.
7.2 If the Processor makes use of Sub-processors in accordance with clause 7.1, the Processor must enter into a written agreement with each Sub-processor which imposes the same obligations on the Sub-processors as are imposed on the Processor under this DPA.
7.3 Where a Sub-processor fails to fulfil its data protection obligations under the data processing agreement referred to in clause 7.2, the Processor will remain fully liable to the Controller for the performance of the Sub-processor's fulfilment of its obligations.
7.4 The Controller has given its authorisation for the Processor to engage the Sub-processors listed in Appendix A to perform Processing of the Personal Data by the Effective Date.
7.5 The Controller has instructed the Processor to use or instruct its Sub-Processor to use Amazon Web Services EMEA SARL ("Amazon Web Services"), including its Sub-processors, as a Sub-processor on the terms set out on https://aws.amazon.com/agreeme... and https://d1.awsstatic.com/legal... which are hereby incorporated into the DPA by reference.
7.6 The Controller agrees that the agreement available on https://d1.awsstatic.com/legal... fulfils all Processor obligations under clause 7.2 in relation to Processor's and/or Processor's Sub-processor's use of Amazon Web Services, and its Sub-processors, as a Sub-processor when entered into between the Processor and/or Processor's Sub-processor and Amazon Web Services.
7.7 The Processor may update the web links provided in this clause 7 if the referenced documents are moved to other web addresses.

8 AUDITS

8.1 Upon request, the Controller is entitled to receive copies of auditor reports and security certificates covering Processor's Processing of the Personal Data (if any exists).
8.2 Upon request, the Controller (or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality appointed by the Controller) will be entitled to perform audits and inspections of the Processor's facilities and security practices directly related to the Processing of Personal Data under the DPA in order to monitor compliance with this DPA. Any audit request must be given with a reasonable written notice of no less than thirty (30) days, unless otherwise required by law or a relevant data protection agency.
8.3 For the avoidance of doubt, audits and inspections do not include access to information about the general cost structure of the Processor or to information concerning other customers of the Processor.
8.4 Upon request from the Controller, any persons participating in any audits or inspections under clause 8.2 must sign a non-disclosure agreement. Irrespective of whether a non-disclosure agreement has been signed or not, any information gathered or received from the Processor must be kept confidential and may under any circumstances only be shared with the Controller. The Controller may not disclose the information to any third party or use the information for any other purpose than to evaluate whether the Processor complies with the DPA.

9 PERSONAL DATA BREACH

9.1 The Processor must inform the Controller without undue delay if the Processor becomes aware of any Personal Data Breach.
