Data Processing Agreement

 

This Data Processing Agreement is between The Data Processor Meet2Talk Operations ApS, Company reg. no. 37815497, Skovvejen 2A, DK-8000C.

And The company who uses Meet2Talk, (hereinafter referred to as ”the Data Controller”),  and hereinafter jointly referred to as “the Parties”.

 

1. THE NATURE OF THE AGREEMENT

1.1 In order to ensure compliance with the current rules governing the processing of personal data, particularly the General Data Protection Regulation (hereinafter “GDPR”), the Danish Data Protection Act and related orders and instructions, the Parties have entered into this data processing agreement (hereinafter the ”Data Processing Agreement”).

1.2 The Data Processing Agreement complements the Data Processor’s Terms and Conditions (hereinafter “Terms and Conditions”), so that the Terms and Conditions also apply to the processing of personal data, unless the provisions of the Data Processing Agreement specifically regulate the subject matter.

 

2. THE EXTENT OF THE DATA PROCESSING

2.1 The Data Processor offers a subscription service (“Service”) for companies and other international organisations (“Subscribers”). Once a Subscriber has subscribed to the Service, employees and spouses of the Subscriber (“Users”) have access to the Service and the features available. The Service is thus made available by the subscribing companies to their employees and their spouses.

2.2 The Data Processor is a processor in regard to any documents, information, posts etc., cf. Appendix A, the Subscriber uploads on the Service for the benefit of the Users. The Subscribers are Data Controllers. All other circumstances (e.g. information submitted by Users on to the Service) that are not regulated by this Data Processing Agreement, are regulated by the Terms and Conditions and the Data Processors Privacy Policy.

2.3 Thus, the Data Processor carries out the tasks established in the Terms and Conditions and this Data Processing Agreement on behalf of the Data Controller and will accordingly be granted access to personal data. The Data Processor exclusively processes data to fulfil its obligations according to the Terms and Conditions and is thus considered a data processor.

2.4 The data processing covers the categories of data subjects (hereinafter the ”Data Subjects”) and types of personal data (hereinafter the ”Personal Data”) listed in Appendix A.

 

3. THE DATA CONTROLLER’S OBLIGATIONS

3.1 The Data Controller is at any time responsible for the lawfulness of the processing of Personal Data, which the Data Controller has collected and granted the Data Processor access to pursuant to the Terms and Conditions and the Data Processing Agreement.

 

4. THE DATA PROCESSOR’S OBLIGATIONS

4.1 The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28 (3)(a).

The Data Processor acts according to the Data Controller’s instructions and only to the extent necessary for the Data Processor to fulfil its obligations pursuant to the Terms and Conditions and the Data Processing Agreement.

4.2 Furthermore, the Data Processor is required to:

a)  Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 – 36 of the GDPR provided that the Data Controller is not capable of complying with the obligations without assistance from the Data Processor and taking into account the nature of the processing and the information available to the Data Processor.

b)   Notify the Data Controller of possible personal data breaches regarding Personal Data, cf. Article 33(2) of the Data Protection Regulation.

c)   Notify the Data Controller of inquiries from the Danish Data Protection Agency to the Data Processor, if the inquiries concern processing activities covered by the Terms and Conditions and the Data Processing Agreement.

d)  Notify the Data Controller if the Data Processor considers that the instruction from the Data Controller is in contravention of the legal requirements applicable to the processing.

 

5. THE DATA SUBJECT’S INDIVIDUAL RIGHTS

5.1 The Data Controller is at any time responsible for handling requests from the Data Subjects in accordance with the Data Subjects’ individual rights of freedom, as described in Articles 15-22 of the GDPR. This responsibility is naturally limited to the type of data and the category of Data Subjects described in Appendix A.

5.2 Considering the nature of the processing, the Data Processor is required to answer requests from the Data Subjects as described in Articles 15-22, using appropriate technical and organisational measures, in the fulfilment of the obligations resting upon the Data Controller.

5.3 Unless otherwise agreed the Data Processor is not required to notify the Data Controller of requests from the Data Subjects.

 

6. SECURITY OF PROCESSING

6.1 The Data Processor undertakes to implement appropriate technical and organizational security measures according to Article 32 of the GDPR to prevent accidental or illegal destruction, loss or deterioration of Personal Data, and to prevent the Personal Data from being disclosed to unauthorized persons, misused or otherwise treated in contravention of applicable legislative requirements.

6.2 The Data Processor’s employees are subject to professional secrecy.

6.3 The technical and organizational security measures applicable upon entering into this Data Processing Agreement are specified in Appendix B.

 

7. USE OF SUB-PROCESSORS

7.1 As a general authorisation of the Data Controller the Data Processor is entitled to engage another processor (hereafter referred to “Sub-Processor”).

7.2 The Data Processor’s use of Sub-Processors is based on written agreements that ensure continuation of at least the same level of protection as the level specified in the Data Processing Agreement.

7.3 At the signing of the Data Processing Agreement, the Data Controller simultaneously authorize the Data Processor’s use of the Sub-Processors which appear from Appendix C.

7.4 As a consequence of the general authorisation, cf. section 1 , the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-Processors with a notice of 14 days, thereby giving the Data Controller the opportunity to object to such changes within 10 days. In case of an objection from the Data Controller, which the Data Processor cannot meet the content of, the Service as described in the Terms and Conditions will be considered terminated by the Data Controller.

 

8. INTERNATIONAL TRANSFERS

8.1 The Data Processor will attempt to store and process Personal Data within EU/EEA. There are two reasons for the possible transfer of Personal Data outside of EU/EEA:

a)  The User accesses the Service from a country outside of the EU/EEA. Thereby the Personal Data is made available to the User outside the EU/EEA, even though the Personal Data is stored within the EU/EEA.

b)  The Data Processor transfers and replicates Personal Data to a Sub-Processor’s data centre outside the EU/EEA for performance reasons.

8.2 Currently the Data Processor does not transfer Personal Data outside the EU/EEA as described in clause 8.1 b), cf. Appendix C.

8.3 In case of the Data Processor’s transfer of personal data to third countries, the Data Processor is responsible for ensuring a lawful basis for the transfer present at any time.

8.4 The transfer of Personal Data outside the EU/EEA as described in clause 8.1 a is based on Article 49(1)(b) or Article 49(1)(c) of the GDPR. Article 49(1)(b) regards the situation, where the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller, and (c) regards the situation, where the transfer is necessary for the conclusion of a contract concluded in the interest of the Data Subject between the Data Controller and another natural or legal person.

8.5 If the Data Processor uses the EU Commission’s Standard Contractual Clauses as the lawful basis to transfer Personal Data outside the EU/EEA, the Data Processor is entitled to complete the spaces and appendixes set out in the Standard Contractual Clauses on behalf of the Data Controller, but in addition to this the Standard Contractual Clauses shall remain unamended.

 

9. CONTROL AND SUPERVISION

9.1 On request from the Data Controller the Data Processor shall once a year make available all information necessary to demonstrate compliance with Article 28 of the GDPR and the obligations laid down in this Data Processing Agreement, including that the Data Processor has implemented the appropriate technical and organizational measures.

9.2 Once a year the Data Controller, or another auditor mandated by the Data Controller, shall at its own costs have the right to audit or carry out an inspection of the Data Processor’s compliance with this Data Processing Agreement. The Data Processor undertakes – at a reasonable notice – to provide time and resources for such purpose and allow for and contribute to such inspections conducted by the Data Controller or an auditor mandated by the Data Controller.

9.3 Unless otherwise agreed the Data Processor decides the procedures of inspections, the type of audit report and which authorized, independent third party that shall carry out the audit and/or the inspection.

9.4 The Data Controller shall give the Data Processor a notice of at least 30 days, if the Data Controller wishes to audit or inspect the Data Processor’s compliance cf. clause 1-9.2.

9.5 The Data Controller shall incur all costs related to the audit or inspection of the Data Processor’s compliance with this Data Processing Agreement as described in this section 9. Furthermore, the Data Processor is entitled to invoice the Data Controller with his usual hourly rate for all the Data Processor’s working hours as such audit or inspection may result in.

 

10. COMING INTO FORCE AND DURATION OF THE AGREEMENT

10.1 The coming into force and duration of the Data Processing Agreement comply with the Terms and Conditions.

10.2 Irrespective of clause 10.1, the data Processor Agreement is in force as long as the Data Processor processes the personal data.

 

11. HANDLING OF DATA AFTER THE TERMINATION OF THE AGREEMENT

11.1 At the termination of the Data Processing Agreement, the Data Processor shall return, transfer and/or delete the Personal Data according to the Data Processors Privacy Policy.

11.2 The Data Processor may oppose deletion to the extent that this follows from an express legal obligation resting upon the Data Processor.

 

12. CHOICE OF LAW AND LEGAL VENUE

12.1 The Data Processing Agreement is subject to Danish law.

12.2 In the event of a dispute between the Parties in the course of the Data Processing Agreement, the Parties shall seek in good faith to negotiate an amicable solution. If a solution cannot be achieved from such negotiations, the dispute may be brought to court at the Danish courts.

 

13. RENEGOTIATION

13.1 Each of the Parties may request that the Data Processing Agreement be renegotiated in consequence of amended data protection legislation, which might significantly change the Terms and Conditions of the Data Processing Agreements by signature. The purpose of this clause is to change the wording of the Data Processing Agreement in accordance with the legislation.

 

14. APPENDIXES

Appendix A: Categories of Data Subjects and types of Personal Data

Appendix B: Technical and organizational security measures

Appendix C: Sub-Processors

 

APPENDIX A

Categories of data subjects and types of personal data

 

Categories of Data Subjects

The processing can include the following categories of Data Subjects:

  • The Data Controller’s employees when they are admin users
  • Any person who is mentioned in the documents, messages etc. the Data Controller’s admin users submit to the Service


Types of Personal Data
The processing can include the following types of Personal Data about Data Subjects:

  • Identification data and contact information, e.g. name, e-mail address, nationality, country/city of residence, occupation, job assignments etc.
  • Documents and information uploaded by the Data Controller’s admin users to share with employees and spouses/partners, including pictures and videos of Data Subjects
  • Information in posts made by Data Controllers’ admin users

 

APPENDIX B

Technical and organizational security measures

 

The subject of/instruction for the processing

The Data Processor’s processing of Personal Data on behalf of the Data Controller shall be carried out by the Data Processor by making the service “Meet2Talk” available to the Data Controller and the Data Controller’s employees and their spouses. The requirements for the service and the instruction correspond to the Terms and Conditions.


Security of the processing

The level of security shall reflect that the processing involves processing of Personal Data on a smaller scale, and little to none processing of Personal Data which are subject to Article 9 of the GDPR on ‘special categories of personal data’, which is why a normal level of security should be established.

The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.

The Data Processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the Data Controller:

  • All Personal Data is stored encrypted on the Data Processors and Sub-Processors servers and is sent encrypted over the internet. All communication and data traffic are encrypted. All data for card payments are sent over a secure encrypted connection.
  • Only a limited number of the Data Processor’s employees have access to Personal Data, and only those who need to have access. Access is only possible by two-factor authentication.
  • The system is protected against unauthorized external access.
  • Passwords are encrypted and salted, for the authentication process an industry-standard solution is used.
  • Back-up is performed regularly.
  • Infrastructure is set up to prevent, to the greatest possible extent, the system from failing.
  • The system is continuously updated to avoid any misuse, unauthorized access and to ensure that the systems does not contain known vulnerabilities.

 

APPENDIX C

Sub-Processors

 

Approved Sub-Processors

Name Company reg. no. (CVR no.) Address Description of processing Transfers outside the EU/EEA

Amazon Web Services

(AWS)

LU 26888617

 

Amazon Web Services EMEA SARL

38 avenue John F. Kennedy

L-1855 Luxembourg

 

Amazon Web Service (AWS) delivers the infrastructure to run the Service. This includes but is not limited to: servers, OSs, databases and infrastructure tools such as systems monitoring, VPN etc. Data is currently not transferred outside EU, cf. 8.1 b)