Data Processing Agreement
This is how we commit ourselves to our customers
On this page you find the Data Processing Agreement which describes how Personal Data is processed when you are a customer of shasaf. Please note that contact information is filled in automatically when you approve the agreement in the application.
Contact person: [Information about the contact person]
Data Processor: shasaf ApS, Strandkærvej 30, 1., 8700 Horsens, Denmark, CVR-nr: 41154624
Henceforth respectively referred to as “Controller”, “Processor”, or “Party” and collectively as the “Parties”.
By using the solution shasaf and any module or service in relation to the application (hereinafter the “Application”), the Data Controller is responsible for its processing of Personal Data in the Application. The Data Processor will process Personal Data on behalf of the Data Controller. In order to ensure that the Parties fulfill their obligations under national data protection rules as well as the European Parliament and Council Regulation (EU) 2016/279 (“GDPR”), the Parties have entered into this Data Processing Agreement (the “Agreement”), which constitutes the instruction from the Data Controller to the Data Processor and thus regulates the Data Processor’s processing of Personal Data on behalf of the Data Controller.
Both Parties confirm that the undersigned have the power of attorney to enter into this data processing agreement (“Agreement”).
This applies to the entire Agreement and to the relationship between the Data Controller and the Data Processor: requirements arising from the EU GDPR as described in this Agreement, and which do not follow from current legislation, are only valid from 25 May 2018, the date from which the GDPR applies.
The definition of Personal Data, Special Categories of Personal Data (Sensitive Personal Data), Processing of Personal Data, Data Subject, Controller and Processor is equivalent to how the terms are used and interpreted in applicable privacy legislation, including the General Data Protection Regulation (GDPR) applicable for this Agreement and Europe from 25 May 2018.
The Agreement regulates the Processor’s Processing of Personal Data on behalf of the Controller, and outlines how the Processor shall contribute to ensuring privacy on behalf of the Controller and its registered Data Subjects, through technical and organisational measures according to applicable privacy legislation, including the GDPR. The purpose behind the Processor’s Processing of Personal Data on behalf of the Controller is to fulfill the Service Agreements and this Agreement. This Agreement takes precedence over any conflicting provisions regarding the Processing of Personal Data in the Service Agreements or in other former agreements made between the Parties. The Agreement is valid as long as the Data Controller uses the Application and the Data Processor must therefore process Personal Data on behalf of the Data Controller. However, this Agreement does not take precedence if the Parties have entered into another Data Processing Agreement which takes precedence over this Agreement.
THE PROCESSOR’S OBLIGATIONS
The Processor shall only Process Personal Data on behalf of and in accordance with the Controller’s instructions. By entering into this Agreement, the Controller instructs the Processor to process Personal Data in the following manner:
i) only in accordance with applicable law,
ii) to fulfill all obligations according to the Service Agreement,
iii) as further specified via the Controller’s ordinary use of the Processor’s services and
iv) as specified in this Agreement.
As part of being able to deliver the Application, the Data Processor is obliged at all times to provide the Data Controller with good and competitive solutions that keep pace with development. The Data Processor can offer better solutions tailored to the needs of the individual Data Controller by registering how the Data Controller and its representatives use the Application. This enables the Data Processor to make a better version of the Application and provide better services and more relevant communication to the Data Controller and its representatives. The Data Processor aims at enabling the Data Controller to solve as many challenges as possible in one place. To the extent that Personal Data from the Application is included in this work, it is processed in accordance with this Agreement and any applicable law and may be shared with companies in the shasaf Group for the purpose of this work. The Processor has no reason to believe that legislation applicable to it prevents the Processor from fulfilling the instructions mentioned above. The Processor shall, upon becoming aware of it, notify the Controller of instructions or other Processing activities by the Controller which, in the opinion of the Processor, infringe applicable privacy legislation. The categories of Data Subjects and Personal Data subject to Processing according to this Agreement are outlined in Appendix A.
The Processor shall implement systematic, organisational and technical measures to ensure an appropriate level of security, taking into account the state of the art and cost of implementation in relation to the risk represented by the Processing, and the nature of the Personal Data to be protected.
The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible and taking into account the nature of the Processing and the information available to the Processor, in fulfilling the Controller’s obligations under applicable privacy legislation with regard to requests from Data Subjects, and general privacy compliance under GDPR articles 32 to 36.
The Processor will, by notifying the Controller without undue delay, enable the Controller to comply with the legal requirements regarding notification to data authorities or Data Subjects about incidents.
Further, the Processor will, to the extent it is appropriate and lawful, notify the Controller of:
i) requests for the disclosure of Personal Data received from a Data Subject, and
ii) requests for the disclosure of Personal Data by governmental authorities, such as the police.
The Processor will not respond directly to requests from Data Subjects unless authorised by the Controller to do so. The Processor will not disclose information tied to this Agreement, including Personal Data, to governmental authorities such as the police, except as obligated by law, such as through a court order or similar warrant.
If the Controller requires information or assistance regarding security measures, documentation or other forms of information regarding how the Processor processes Personal Data, and such requests exceed the standard information provided by the Processor to comply with applicable privacy legislation as Processor, the Processor may charge the Controller for such request for additional services. The Processor and its staff shall ensure confidentiality concerning the Personal Data subject to Processing in accordance with the Agreement. This provision also applies after the termination of the Agreement.
THE CONTROLLER’S OBLIGATIONS
The Controller confirms by the signing of this Agreement that:
• The Data Controller must, by using the Application made available by the Data Processor, only process Personal Data in accordance with the requirements of the applicable Data Protection Law.
• The Controller has legal authority to process and disclose to the Processor (including any subcontractors used by the Processor) the Personal Data in question.
• The Controller has the responsibility for the accuracy, integrity, content, reliability and lawfulness of the Personal Data disclosed to the Processor.
• The Data Controller has fulfilled all mandatory requirements and obligations in relation to notification or obtaining permission from the relevant public authorities as regards the processing of Personal Data.
• The Controller has fulfilled its duties to provide relevant information to Data Subjects and authorities regarding processing of Personal Data according to mandatory data protection legislation.
• The Data Controller agrees that the Data Processor has provided the relevant guarantees as to the implementation of technical and organizational security measures, to safeguard the rights of the Data Subjects and their Personal Data.
• The Controller shall, when using the services provided by the Processor under the Services Agreement, not communicate any Sensitive Personal Data to the Processor, unless this is explicitly agreed in Appendix A to this Agreement.
• The Data Controller must keep an updated list of the categories of Personal Data that are being processed. This applies especially to the extent that such processing differs from the categories of information set forth in Appendix A.
USE OF SUBCONTRACTORS AND TRANSFER OF DATA
As part of the delivery of the Application, the Processor will make use of subcontractors and the Controller gives its general consent to any usage of subcontractors. Such subcontractors can be other companies within the shasaf group or external third party subcontractors in and outside the EU/EEA. The Processor shall ensure that subcontractors agree to undertake responsibilities corresponding to the obligations set out in this Agreement.
If the subcontractors are located outside the EU, the Controller gives the Processor authorisation to ensure proper legal grounds for the transfer of Personal Data out of the EU on behalf of the Controller, hereunder by entering into EU Model Clauses or transferring Personal Data in accordance with the Privacy Shield certification.
The Controller shall be notified in advance of any changes of subcontractors that Process Personal Data. If the Controller objects to a new subcontractor, the Processor and Controller shall review the documentation of the subcontractor’s compliance efforts in order to ensure fulfillment of applicable privacy legislation.
The Processor is committed to providing a high level of security in its products and services. The Processor provides its security level through organisational, technical and physical security measures, according to the requirements on information security measures outlined in GDPR article 32.
Furthermore, shasaf’s internal data protection policies aim to ensure the confidentiality, integrity, resilience and availability of Personal Data. The following measures are particularly important:
• Classification of Personal Data to ensure the implementation of security measures relevant to risk assessments.
• Assessment of encryption and pseudonymization as risk reducing factors.
• Limiting access to Personal Data to the relevant persons required to comply with the requirements and obligations of the Agreement or pursuant to the Parties’ agreement on the use of the Application.
• Operation and implementation of systems that can detect, recover from, prevent and report incidents in relation to Personal Data.
• Identification of the security structure as well as how Personal Data is transferred between the Parties.
• Conducting its own security assessment to ensure that current technical and organizational measures are adequate for the protection of Personal Data, including under Article 32 of the GDPR regarding security and Article 25 regarding Privacy by Design and Default.
The Controller may audit the Processor’s compliance with this Agreement up to once a year. If required by legislation applicable to the Controller, the Controller may request audits more frequently. To request an audit, the Controller must submit a detailed audit plan to the Processor at least four weeks in advance of the proposed audit date, describing the proposed scope, duration, and start date of the audit. If any third party is to conduct the audit, it must as a main rule be mutually agreed between the Parties.
However, if the processing environment is a multitenant environment or similar, the Controller gives the Processor authority to decide, due to security reasons, that audits shall be performed by a neutral third party auditor of the Processor’s choosing.
If the requested audit scope is addressed in an ISAE, ISO or similar assurance report performed by a qualified third party auditor within the prior twelve months, and the Processor confirms that there are no known material changes in the measures audited, the Controller agrees to accept those findings instead of requesting a new audit of the measures covered by the report.
In any case, audits must be conducted during regular business hours at the applicable facility, subject to the Processor’s policies, and may not unreasonably interfere with the Processor’s business activities.
The Controller shall be responsible for any costs arising from the Controller’s requested audits. Requests for assistance from the Processor that exceed the standard service provided by the Processor and/or shasaf to comply with applicable privacy legislation, may be subject to fees.
TERM AND TERMINATION
This Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller according to the Service Agreements.
This Agreement is automatically terminated upon termination of the Service Agreement. Upon termination of this Agreement, the Processor will delete Personal Data processed on behalf of the Controller, according to the applicable clauses in the Service Agreement. If the Data Controller requests assistance with export of data, the associated costs shall be determined jointly by the Parties and be based on:
i) hourly rates for the time spent by the Processor,
ii) the complexity of the requested process, and
iii) the selected format.
The Processor may retain Personal Data after termination of the Agreement, to the extent it is required by law, subject to the same type of technical and organisational security measures as outlined in this Agreement.
CHANGES AND AMENDMENTS
Changes to the Agreement shall be included in a new Appendix to this Agreement.
If any provisions in this Agreement become void, this shall not affect the remaining provisions. The Parties shall replace the void provision with a lawful provision that reflects the purpose of the void provision.
Liability for actions in violation of the provisions in this Agreement is governed by the liability clause in shasaf’s Terms and Conditions. This also applies to any infringement made by the Data Processor’s sub-processors.
GOVERNING LAW AND LEGAL VENUE
This Agreement shall be governed by and construed in accordance with the laws of Denmark. Any dispute between the Parties will be settled by a Danish court.
APPENDIX A – CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS
1. Categories of Data Subjects and Personal Data subject to Processing according to this Agreement
a. Categories of Data Subjects
i) The Data Controller’s end-users
ii) The Data Controller’s employees
iii) The Data Controller’s contact persons
iv) The Data Controller’s customers and their end-users
v) The employees of the Data Controller’s customers
vi) The contact persons of the Data Controller’s customers
b. Categories of Personal Data
ii) Telephone number
2. Types of sensitive Personal Data subject to Processing according to the Agreement
The Data Processor may process one or more of the following types of information on behalf of the Data Controller:
– Political, philosophical or religious beliefs
– Trade union affiliation
– Race or ethnic origin
– Health information
– Information about a person’s sexual relationship or sexual orientation
– Genetic or biometric data for the purpose of uniquely identifying a natural person