This Data Processor Agreement is entered on today’s date between:
[Name of Controller]
[Central Business Register]
Chili Security Denmark ApS
Central Business Register No. 35 84 18 65
Thomas B. Thriges Gade 42B, 1st floor
5000 Odense C
(collectively “the Parties”)
1. BACKGROUND, SCOPE AND PURPOSE
1.1 The Controller and the Processor have entered into an agreement of [date] (the “Main Agreement”) regarding the Processor’s delivery of services to the Controller.
1.2 The Processor delivers [an antivirus, safety, backup and cloud storage solution] to the Controller. When providing these services to the Controller, the Processor processes personal data for which the Controller is responsible, thus the Processor processes personal data on behalf of the Controller.
1.3 The scope of this Agreement is to govern the relationship between the Controller and the Processor as well as the Processor’s processing of personal data on behalf of the Controller.
1.4 This Agreement constitutes an appendix to the Main Agreement entered into between the Parties. In the event of conflicts between corresponding provisions in the agreements, this Agreement shall take precedence.
1.5 The Parties have entered into this Data Processor Agreement (“Agreement”) in order to fulfil the requirement of a written agreement between a data controller and a data processor of personal data as set out in section 28(3) of the EU General Data Protection Regulation 2016/679 (the “GDPR”).
2. PROCESSING OF DATA
2.1 The Processor may only process personal data under the instructions of the Controller and for the purpose of fulfilling the Main Agreement. The Controller’s instructions are stated in Appendix 1, thus the Processor may only process the categories of personal data and data regarding the data subjects listed in Appendix 1 as amended from time to time.
2.2 The Processor is not entitled to process the Controller’s personal data for any other purposes than the ones set forth in Appendix 1, as amended from time to time, unless the Controller has given prior written consent to the processing in question.
2.3 If the Processor finds that an instruction from the Controller constitutes a violation of the GDPR or any applicable data protection laws, the Processor must immediately notify the Controller.
2.4 The Controller is responsible for the personal data submitted to the Processor, thus the Controller is obligated to ensure the lawfulness of processing in accordance with GDPR art. 6.
2.5 Upon written request from the Controller, the Processor must present the necessary documentation proving that the processing of personal data is carried out in accordance with the applicable data protection laws and the GDPR, thus the Processor must keep records of its processing activities.
2.6 The Processor must assist the Controller in fulfilling its legal obligations under GDPR chapter 3 concerning the rights of the data subject. If the Processor receives a request from a data subject wishing to plead its rights in accordance with GDPR chapter 3, the Processor must inform the Controller of the request or objection without undue delay.
2.7 The Processor must delete personal data, copies and records thereof when it is no longer reasonably necessary in order for the Processor to perform its obligations under the Main Agreement. In any case the Processor deletes the personal data received from Controller, when the data has been stored with the Processor for [insert time period].
2.8 In some cases, the Controller may wish for the Processor to process personal data for a longer period than stated in clause 2.7. If the Controller wishes for the Processor to keep processing the personal data, it rests with the Controller to provide the Processor with the necessary documentation proving a substantiated purpose for the extended processing period.
3. USE OF SUB PROCESSORS
3.1 By signing this Agreement, the Controller hereby authorizes the Processor to use sub processors.
3.2 Upon the signing of this Agreement, the Processor uses the sub processors listed in Appendix 1.
3.3 Before the Processor engages a new sub processor or replaces a current sub processor, the Processor shall notify the Controller thereof and provide information about the new sub processor’s name and location for processing.
3.4 If the Controller has a reasonable basis to object to the Processor’s use of a new sub processor or replacement of a current sub processor, the Controller shall notify the Processor within 10 business days after receipt of the Processor’s notice.
3.5 The Processor ensures that any sub processor engaged by the Processor to carry out specific processing activities on behalf of the Controller is bound by data protection obligations no less stringent than the ones set forth in this Agreement.
3.6 If the sub processor fails to fulfil its data protection obligations, the Processor is liable to the Controller for the performance of the sub processor’s obligations.
3.7 Upon the Controller’s request, the Processor must provide the Controller with sufficient information to assure the Controller that the sub processors engaged by the Processor have taken the necessary technical and organizational security measures.
4.1 All employees employed by the Processor receive appropriate training, adequate instructions and guidelines for processing personal data.
4.2 The Processor must limit access to personal data to the relevant employees and ensure that these are authorized to process personal data.
4.3 The Processor must ensure that those of the Processor’s employees, who process personal data, are bound by adequate confidentiality obligations. Such obligations shall survive the termination of this Agreement.
5.1 The Controller is entitled to, at its own cost, take proportionate and commercially reasonable measures to validate the Processor’s compliance with this Agreement, either by conducting an audit itself or by using a third party to conduct an audit.
5.2 If the Controller takes on a third party to conduct the audit on behalf of the Controller, the Controller must ensure that the third party carrying out the audit enters into a non-disclosure agreement and that such third party takes necessary security measures when conducting the audit.
5.3 Audits must be conducted during the Processor’s business hours and the Processor must be notified of planned audits no less than 30 days prior to the audit. The audit shall not grant the Controller access to the Processor’s trade secrets or proprietary information unless this is required in order for the Controller to comply with the applicable data protection law.
6. DATA TRANSFER
6.1 The Processor is not entitled to transfer or hand over data to third parties or sub processors without prior written instruction or consent hereto from the Controller, unless such transfer or handing over is provided by law.
6.2 By signing this Agreement, the Controller grants the Processor consent to process personal data outside the EU/EEA, provided that the Processor guarantees the existence of a sufficient legal basis for the transfer. The Processor must thus guarantee that the third country in question has an adequate level of protection or the Processor must, on behalf of the Controller, enter into a separate data protection agreement with the sub processor, using the EU Commission’s Model Contracts for the transfer of personal data to third countries.
7. SECURITY MEASURES
7.1 The Processor must, while keeping in mind the state of the art and the cost of their implementation, take the necessary technical and organizational security measures to ensure a level of security in accordance with the GDPR and appropriate to the risk presented to the processing and the nature of the personal data to be protected. The Processor shall take into account the requirements set out in article 32 of the GDPR and the security measures shall thus include but not be limited to:
7.1.1 safeguarding personal data against being destroyed accidentally or illegally, lost, altered, damaged or made known to unauthorized persons, misused or in any other way illegally processed,
7.1.2 taking measures to prevent transfers to any unauthorized person or entity,
7.1.3 ensuring that records are maintained of access to personal data, and
7.1.4 taking measures to ensure personal data remains available.
7.2 The technical and organizational security measures taken by the Processor are stated in Appendix 2.
7.3 The Processor shall periodically assess data security risks related to the processing of personal data on behalf of the Controller.
7.4 Upon the Controller’s request, the Processor must provide the Controller with sufficient information to assure the Controller that the Processor has taken the necessary technical and organizational security measures.
8. BREACH OF DATA SECURITY
8.1 The Processor must notify the Controller of personal data security breaches, operational malfunctions or suspected security breaches relating to the processing of personal data without undue delay and within 24 hours after the security breach has been discovered, unless the Processor is able to demonstrate that the data security breach is unlikely to result in a risk to the rights and freedoms of data subjects.
8.2 The notification in clause 8.1 must (if relevant) contain:
8.2.1 a description of the data security breach including the categories and approximate amount of data and data subjects concerned,
8.2.2 the name and contact details of the Processor’s data protection officer,
8.2.3 a description of the likely consequences of the data security breach,
8.2.4 a description of the measures taken or proposed to be taken by the Controller to address the data security breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
8.3 The Processor shall document any data security breaches. The documentation shall only include information necessary for the Controller to verify compliance with the applicable data protection law to the relevant supervisory authority.
8.4 The Controller alone is entitled to notify the relevant supervisory authority of the data security breach.
9. LIMITATION OF LIABILITY
9.1 Pursuant to article 82(2) of the GDPR, the Processor shall only be liable for damage caused by processing where the Processor has not complied with obligations of the GDPR specifically directed to processors or where the Processor has acted outside or contrary to this Agreement.
9.2 The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
9.3 The Processor’s cumulative liability to the Controller or any other party for any loss or damages resulting from claims, demands or actions arising out of or relating to this Agreement shall not exceed the total paid-in fee from the Controller to the Processor during the 12 months prior to the date where the claim is first brought against the Processor. The Processor is not liable to the Controller for any indirect losses.
10.1 Any amendments to this Agreement and the Appendixes must be in writing and signed by the Parties in order to be binding.
10.2 If the Controller changes the instructions given in Appendix 1 or the Main Agreement, or if the Controller requests that the Processor implement new or other technical and organizational security measures than the ones stated in Appendix 2, the Processor is, to the extent that such requests are not made due to circumstances for which the Processor is responsible, entitled to be reimbursed for its direct and documented costs in connection hereto.
11. TERM AND TERMINATION
11.1 This Agreement shall enter into force on the date of signing and shall remain in force for as long as the Processor processes personal data on behalf of the Controller.
11.2 Upon termination of the Main Agreement, this Agreement will be terminated accordingly.
11.3 If one of the Parties is in breach of this Agreement, the other Party shall serve the Party in breach a written notice of 10 business days to rectify the breach. If the Party in breach has not remedied the breach within 10 business days, the Party not in breach is entitled to terminate the Agreement with immediate effect.
11.4 Upon termination of this Agreement, the Processor must delete or return all personal data and copies thereof. The Processor is obliged to delete or return the personal data as requested, unless legislation imposed upon the Processor prevents it from deleting or returning all or parts of the personal data.
12. GOVERNING LAW AND DISPUTES
12.1 This Agreement is governed by the GDPR and Danish law.
12.2 Any disputes arising from this Agreement must be settled by the District Court of Odense.
13. SIGNATURES AND COPIES
Date: ___ / ___
On behalf of the Controller:
Date: ___ / ___
On behalf of the Processor:
This appendix constitutes a part of the Agreement and must be filled out by the Parties.
The personal data processed by the Processor on behalf of the Controller concerns the following categories of data subjects:
[End-users of the services provided by the Controller’s customers, i.e. users or consumers of TV-, broadband and telephony services.]
CATEGORIES OF PERSONAL DATA
The Processor processes the following categories of personal data on behalf of the Controller:
[The Processor does not process any special categories of personal data on behalf of the Controller.
The Processor processes general categories of personal data such as contact information etc.]
The following processing activities will be carried out by the Processor on behalf of the Controller:
[Describe processing activities.]
PRE-APPROVED SUB PROCESSORS
The following sub processors used by the Processor are pre-approved by the Controller:
Entity name and address: BeyondTrust Corporation, 11695 Johns Creek Parkway, USA – Georgia 30097
Entity type: Access management service
Entity country: EU, USA (US-EU Privacy Shield, SCC)

Entity name and address: HeroBase A/S, Tobaksvejen 25, 2. th.
Entity type: Business phone software
Entity country: EU

Entity name and address: Bitdefender, 24 Delea Veche Street, Building A, district 2
Entity type: Antivirus software provider
Entity country: Romania, Ireland, USA (US-EU Privacy Shield)

Entity name and address: MailChimp (The Rocket Science Group LLC), 675 Ponce de Leon Ave NE, USA – Georgia 30308
Entity type: E-mail service provider
Entity country: EU, USA (US-EU Privacy Shield, SCC where applicable)

Entity name and address: ActiveCampaign, LLC., 1 North Dearborn St., 5th floor, USA – Illinois 60602
Entity type: E-mail service provider
Entity country: EU, USA (US-EU Privacy Shield, SCC where applicable)

Entity name and address: Acronis, Rheineweg 9
Entity type: EFSS Solution Provider, Cloud
Entity country: Denmark, EU, Switzerland (data stored in ECIT)

Entity name and address: ECIT
Entity type: Hosting provider
Entity country: Denmark, EU

Entity name and address: Dixa ApS, Vimmelskaftet 41A, 1. sal, 1161 København
Entity country: EU
The processing of personal data by the Processor on behalf of the Controller will take place in the following location:
For the Processor: Denmark
For the pre-approved sub processors: Denmark, Romania, Ireland, EU, USA (certified under the US-EU Privacy Shield, SCC where applicable)
This appendix constitutes a part of the Agreement and must be filled out by the Parties.
The Parties have agreed to the following security measures to be taken in connection with the Processor’s processing of personal data on behalf of the Controller:
PHYSICAL ACCESS CONTROL
Measures to prevent physical access of unauthorized persons to IT systems that handle personal data:
Buildings and systems used for data processing are safe. Data processing media is stored properly and is not available to unauthorized third parties, thus such media is kept locked when unattended. The Processor only uses high quality hard- and software and continues to update these if relevant.
SYSTEM ACCESS CONTROL
Measures to prevent unauthorized persons from using IT systems:
The Processor keeps partial network logs and a log of detection of intrusion.
DATA ACCESS CONTROL
Measures to ensure that the Processor’s employees only have access to the personal data pursuant to their access rights:
Access to personal data is role based. Access to databases is IP restricted. The Processor has introduced log-in and password procedures ensuring that only employees with access rights have access to personal data. The Processor keeps a list of employees that have access to the Controller’s data, and only key employees have access to databases.
TRANSMISSION ACCESS CONTROL
Measures to ensure that personal data cannot be read, copied, altered or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of personal data is to be done via transmission systems:
All data submitted by the Controller is encrypted upon transfer to the Processor. All data is encrypted on storage.
ENTRY CONTROL AND TRACEABILITY
Measures to ensure that it can be subsequently reviewed and determined if and from whom personal data was entered, altered or deleted in the IT systems, as well as measures to ensure the accountability and traceability of the processing of personal data:
The Processor keeps partial network logs and a log of detection of intrusion. All logs are stored for a minimum of 30 days. The logs contain information on who accessed data, from which IP address the data was accessed, which data were accessed and when data was accessed. The Processor performs internal audits to ensure that all security measures stated in this Appendix are taken and that each new feature or amendment to services provided by the Processor lives up to these standards.
Measures to ensure that personal data is protected against accidental destruction or loss:
The Processor has set up and maintains a web application firewall and antivirus software as well as back-up procedures as layers of security. The Processor maintains recovery processes to allow for continuation of data processing and to provide an effective and accurate recovery of personal data.
Measures to provide a description of any procedures established to ensure an adequate level of transparency to the Controller regarding the Processor’s and sub processors’ processing of personal data:
The Controller will always be able to request access to data submitted to the Processor.
Measures to ensure that the Controller is allowed to access, rectify, delete, block and manage objections to the processing of personal data:
The Controller is able to download data submitted by the Controller to the Service provided by the Processor. If the Controller wishes to rectify, delete or block data or in any other way wishes to manage objections to the processing of personal data, the Controller must notify the Processor of such wishes in such cases where the Controller is not able to carry out the action itself.