Processor Agreement2019-03-14T19:14:03+00:00

Processor Agreement


(“the Controller“)


Wedoio Integrations Aps

CVR-Nr. 36 92 82 71

Fruebjregvej 3.

2100 Copenhagen Ø


(the “Data Processor”)

    1. The controller and the processor are collectively referred to as a “party” and together the “parties”
    • 1 background

      1. The controller has signed a subscription agreement (hereinafter “the subscription”) with the processor for the purpose of integration among the computer systems and services of the controller.
      2. The processor shall, in this respect, process personal data on behalf of the Controller, including the Through handling on the data processor’s servers.
      3. The processing takes place through one or more of the data Processor’s technical solutions (hereinafter “the system” or “systems”), ensuring the integration of the IT systems used by the controller in its business. The data controller may at any time via login into the system see all the personal data processed in the system.
      4. The purpose of the data processor is to ensure that the data processor complies with applicable data protection laws in this respect, including the Danish Data Protection Act (Act No 429 of 31/05/2000, as amended and the Personal Data Regulation ( Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 – hereinafter “personal data Regulation”).
      5. Data Processor The agreement sets out the rights and obligations that apply when the processor processes personal data on behalf of the Controller.
      6. Data processing agreement follows the conditions for termination/cancellation of the subscription, cf. Section 1.1 and the related trade conditions. The terms of trade also generally apply in relation to the processing agreement. In case of doubt or conflict, the data processor shall take precedence unless otherwise provided by the data processing agreement.
      7. For the Data processor The Agreement shall include annex 1-2. The Annexes act as an integral part of the data processing agreement.
      8. Data processor The agreement and its supporting documents shall be kept in writing, including electronically by both parties.
    • 2 Instructions

      1. The processor shall process personal data only on the basis of documented instructions from the Controller, unless required by union or Member State law to which the processor is subject; In such a case, the data processor shall inform the Controller of this legal requirement before processing, unless that court prohibits such notification for reasons of major public interest as referred to in paragraph 2. Personal Data Regulation art. 28 (3) (a).
      2. The script consists of 2 (two) parts:
      3. This data processor agreement including the attachments at the signature date.
      4. The integration process carried out by the processor in the system (and thus the processing of personal data) constitutes an instruction to the processor, the data processor being automatically based on the information, information and uploads received from the controllers, collecting, recording, organizing, systematizing, storing, adapting or modifying, retrieving, searching, using, transmitting, transmitting, disseminating or any other form of communication, compilation, restriction, erasure or destruction.
      5. The processor shall promptly inform the Controller if a script according to the processor’s opinion conflicts with the personal data regulation or the data protection provisions of other Union or Member States ‘ national law.
      6. Unless otherwise provided by the data processor, the processor shall use all relevant means, including IT systems.
    1. 3 General on processing safety

      1. The processor shall continuously implement all measures required under article 32 of the Personal data regulation.
      2. Article 32 states, inter alia, that appropriate technical and organisational measures are to be implemented to ensure a level of safety appropriate to the risks associated with the processing of personal data, taking into account:
      3. The current level
      4. Implementation costs
      5. The nature, scope, context and purpose of the processing in question (including taking into account the category of personal data in annex 1);
      6. The risks of varying probability and severity for the rights and freedoms of natural persons;
      7. For the purposes of the above, the processor shall, in all cases, implement at least the level of safety and the measures specified below in points 4, 5 and 6.
      8. The parties agree that these guarantees are sufficient at the time of conclusion of this data processing agreement, noting that the processor has, moreover, initiate other measures in internal procedures.
    1. 4 Physical Security

      1. The processor shall carry out security of physical premises.
    1. 5 Organizational security

      1. The processor shall ensure that only those persons who are currently authorised to do so have access to the personal data processed on behalf of the Controller. Access to the data must therefore be closed immediately if the authorisation is revoked or expires.
      2. Only persons for whom it is necessary to have access to the personal data shall be authorised to fulfil the data subject’s obligations towards the controller.
      3. The processor shall ensure that the persons authorized to process personal data on behalf of the Controller have committed themselves to confidentiality or are subject to an appropriate legal obligation of professional secrecy and that the employees comply with Data processing agreement.
      4. All employees are informed about and subject to internal procedures for how to handle security breaches.
    1. 6 Technical Security

      1. The processor only uses high-quality hardware and software that is continually updated, including anti-virus software, antihackingsoftware, and firewalls.
      2. All communication to/from the system is encrypted (HTTPS) and supports a 256/128 bit TLS connection.
      3. Access to the data processor’s internal IT systems is via encrypted login information, which ensures that unauthorised persons are not able to access. The data processor shall change with appropriate increments passwords in internal IT systems which ultimately provide access to the controller’s personal data.
      4. For the integration of the system with the data controller’s IT systems, the data processor receives the necessary passwords and access information. The Data processor deletes the information after the setup/integration of the subscription is complete, unless the parties enter into separate agreement for otherwise. The controller should also change the information.
      5. However, the data processor will save correspondence and logs for support to the controller in a “ticket”. To debug and have an overview of past history. The content of the “Ticket’en” will not be deleted unless the controller actively requests this.
    1. 7. Notification of personal data breaches

      1. The Data Processor shall inform the Data Manager without undue delay after being aware that there has been a breach of the personal data security of the Data Processor or any Data Processor.
      2. Such security breach includes any breach that may potentially lead to accidental or illegal destruction, loss, change, unauthorized disclosure or access to personal data processed for the Data Security Officer (“Security breach”).
      3. The data processor must keep and keep a record of all security breaches. The inventory must contain at least the facts of the security breach, the effects and the remedial measures taken.

      1. The Data Processor shall fulfill the conditions referred to in Article 28 (2) and (4) of the Personal Data Regulation in order to make use of another processor (subprocessor).
      2. The parties have agreed that the Data Processor may generally use Subdatabase, cf. Appendix 2, where also the already approved Subdatabase Traders are listed.
      3. The Data Processor shall notify the Data Manager of any planned changes regarding the addition or replacement of other Data Processors, thereby giving the Data Manager the opportunity to object to such changes.
      4. The Data Processor imposes on the Data Processor the same data protection obligations as those set forth in this Data Processing Agreement through a contract or other legal document, so that the requirements for technical and organizational measures in the Personal Data Regulation and / or any applicable applicable regulation are at all times observed.
      5. If the Underdatabaser does not fulfill its data protection obligations, the Data Processor remains fully responsible to the Data Manager for fulfilling the Subdatabase’s obligations.

      1. The data processor may treat personal data only by documented instructions from the Data Manager, including as regards the transfer (transfer, transmission and internal use) of personal data to third countries or international organizations, unless the exceptions to the Personal Data Regulation and / or any other applicable applicable regulation are met.
      2. The Data Manager’s possible instruction or approval of the transfer of personal data to a third country shall be provided in the Annexes or separate instructions.
      3. If the Data Manager has not provided in the Annexes or in separate instructions an instruction or approval regarding the transfer of personal data to a third country or international organizations, the Data Processor may not, in the context of the Data Processing Agreement, make such a transfer.
      4. To the extent that transfer is made to a third country, the Data Administrator assists the Data Processor without payment to the Data Processor upon the conclusion of necessary agreements or the Data Administrator authorizes to enter into the necessary agreements on behalf of and at the expense of the Data Manager.

      1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Manager through appropriate technical and organizational measures with the obligation of data controller to respond to requests for the exercise of the rights of data subjects as set out in Chapter 3 of the Personal Data Regulation.
      2. The Data Processor assists the Data Manager in ensuring compliance with the Data Responsibilities obligations under Article 32-36 of the Personal Data Regulation, taking into consideration the nature of the processing and the information available to the Data Processor, cf. Personal Data Regulation art. 28 (3) (f).
      3. De partijen ‘overeenkomst over betaling voor de dataprocessor’s assistentie aan de controller is uiteengezet in punt 12.
    1. 11 Deletion

      1. The Data processor shall not delete the personal data of the controller (or any other data) during the period of the subscription unless the controller instructs the processor to do so.
      2. Upon termination of the cooperation and associated processing of personal data, the processor shall, at the choice of the controller, delete or return all personal data to the controller, and delete any existing copies and passwords which May be stored by the processor on instructions from the Controller, unless EU law or national law provides for the storage of the personal data.
      3. Deletion of all data by the processor and sub-processors shall be based on a starting point within 3 months of the end of the subscription and without notice. Previous deletions may be made on request to the processor.
    1. 12 Supervision and auditing

      1. The processor shall make available to the controller, at the request of the Controller, all information necessary to demonstrate compliance by the processor with article 28 of the personal data regulation.
      2. The data processor shall provide, inter alia, The possibility and contribution to audits, including inspections by the controller or other expert (e.g. auditor or IT Specialist) authorised by the controller;.
      3. Where the controller so wishes, the processor shall obtain, once a year, a normal and recognised declaration (e.g. statement of Assurance or IT Declaration) by an independent, expert third party on the compliance of the data processor with this Data Processor agreement with associated documents. The declaration shall be drawn up for the account of the controller and the processor shall be entitled to receive a copy of the declaration. If a statement has been drawn up on this occasion within the last 12 months, the data processor may offer the controller the opportunity to receive a copy of it instead.
      4. In addition, the controller or a representative of the controller shall have access to supervise, including physical supervision, of the processor when the controller so wishes.
      5. Supervision is heralded with a minimum of one month. Together with the notice, the controller must send a detailed plan describing the scope, duration and start date of the supervision. The processor shall be obliged to dispose of the resources (mainly the time) necessary for the controller to carry out its supervision.
      6. The costs incurred by the processor in auditing and/or any other form of supervision (including internal time) shall be borne by the Controller and shall be settled in proportion to the time spent by the data processor originating.
      7. This also applies where the controller requests documents or other material supplied by the processor in order to verify compliance with the data processing agreement.
    1. 13 Defaults

      1. The regulation of remedies is governed by the terms and conditions of the contract under Point 1.7.
    1. 14 responsibilities and limitations of liability

      1. The parties are responsible in accordance with the general rules of applicable law, subject to the limitations set out in this section.
      2. The parties disclaim all liability for indirect loss and consequential damages, including loss of profits, loss of goodwill, loss of savings and income, including the cost of recovering lost revenue and loss of data.
      3. The parties ‘ liability for all cumulated claims under this data Processor agreement shall be limited to the total amount due in respect of the principal service for the 6-month period immediately preceding the tort.
      4. If the processing agreement has not been in force for 6 months, the amount of the agreed payment for the main services shall be determined in the period of the data processing agreement has been in force divided by the number of months the data processing agreement has been in force and then Multiplied by 6.
      5. The following are not covered by the limitation of liability in this paragraph 14:
      6. The other party’s grossly negligent or intentional acts.
      7. Expenditure and resource use in respect of the obligations of a party to a supervisory authority or the data subject, as well as fines imposed by a supervisory authority or a court, to the extent that such liability is caused by the non-performance of the other party.
    1. 15 Change

      1. The processor may, with 1 month’s notice and without cost, make changes to the Data processor agreement.
    1. 16 Duration and termination

      1. The processor agreement can be replaced by another valid data processor agreement. The processing agreement cannot be terminated or revoked separately during the term of the subscription.
      2. Regardless of the processor’s termination, point 5.3 of the agreement (the confidentiality of the employee), 11 (deletion/return), 14 (Liability and limitation of liabilities) and 17 (disputes) shall have effect after the termination of the agreement.
      3. The processor shall continue to process the personal data for up to three months after the termination of the data processing agreement to the extent necessary to carry out the necessary statutory measures as set out in article 5. See also point 11.2. During the same period, the data processor shall be entitled to include the personal data in the normal backup procedure of the processor.
      4. The processing of the processor during this period shall continue to be considered in compliance with the instructions in the Data Processor agreement.
    1. 17 disputes

      1. Handling of disputes related to the Data Processor agreement follows the terms of the subscription.
      2. If nothing else is agreed, the data processing agreement is governed by Danish law and the Parties are entitled to claim the dispute settled in the ordinary courts. The court in Glostrup was chosen as the Forum of jurisdiction at first instance.
  1. Annex 1

    1. 1 purpose

      1. This annex elaborates on the content of the Data Processor agreement with regard to the specific personal data processed on behalf of the Controller.
    1. 2 Types of personal data

      The agreement requires the processor to process the following categories of general personal data:

      • Name
      • Phone number
      • Email address
      • Address
      • Payment information
      • Type of subscription
      1. In addition, the following categories of sensitive personal data are treated as Paragraphs 1.2
        • Political, philosophical or religious beliefs
        • Union conditions
        • Racial or ethnic origin
        • Health information
        • Sexual relations or sexual orientation
        • Offence
        • Genetic or biometric data for the purpose of uniquely identifying a natural person;
    1. 3. The treatment includes the following categories of persons:

        • The data controller’s customers
        • Staff of the Controller
        • Members of the Controller
        • The owners of the data controller
        • The Controller’s business partners
    1. Annex 2

    1. 1 Sub Data processors

        1. The data processor shall have the general authorisation of the controller to make use of sub-data processors.
        2. However, the processor shall inform the Controller of any proposed changes to the addition or replacement of other data processors, thereby allowing the Controller to object to such changes.
        3. Such notification shall be received by the Controller at least 30 days before the application or change shall take effect.
        4. Where the controller has objections to the amendments, the Controller shall notify the processor within 14 days of receipt of the notification.
        5. The controller may object only if the controller has reasonable and specific reasons for doing so.
    1. 2 List of sub-data processors at the date of the conclusion of the contract

    1. Internal systems
    1. Microsoft Azure (Irland)
    1. Stripe
    1. Intercom
    1. Slack
    1. Trello
    1. Microsoft Office
    1. Atlassian (Jira, Bitbucket)
    1. Google
    1. Facebook
    1. Twitter
    1. Shop Systems
    1. WooCommerce
    1. ERP SystemsUniconta
By using our website, you agree to our cookie policy Ok