Data processing agreement

As an integral part of the Main Agreement, the following Data Processing Agreement pursuant to Article 28(3) of Regulation 2016/679 (General Data Protection Regulation) applies between the “Data Processor”:

Høgsbro + ApS
Baltic Kaj 1, 4600 Køge
CVR no. 38243675

and

The Customer, hereinafter referred to as the “Controller”, each being a “Party” and together constituting the “Parties”.

The provisions

1.1 The parties have agreed on the following standard contractual clauses (hereinafter the “Clauses”), in order to comply with the General Data Protection Regulation and ensure the protection of the privacy and fundamental rights and freedoms of natural persons.

Preamble

2.1 These Clauses set out the rights and obligations of the processor when processing personal data on behalf of the controller.

2.2 These provisions are designed to ensure the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.3 In connection with the provision of the services agreed in Annex D, the Processor processes personal data on behalf of the Controller in accordance with these Clauses.

2.4 The provisions take precedence over any similar provisions in other agreements between the parties.

2.5 There are four annexes to these Clauses. The annexes form an integral part of the Clauses.

2.6 Annex A contains details of the processing of personal data, including the purposes and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

2.7 Annex B contains the controller’s conditions for the processor’s use of sub-processors and a list of sub-processors that the controller has approved the use of.

2.8 Annex C contains the data controller’s instructions regarding the data processor’s processing of personal data, a description of the minimum security measures that the data processor must implement and how the data processor and any sub-processors are monitored.

2.9 Annex D contains the parties’ regulation of other matters, including special instructions and delivery terms.

2.10 The Clauses and their annexes shall be kept in writing, including electronically, by both parties.

2.11 These Clauses do not release the Data Processor from any obligations imposed on the Data Processor under the GDPR or any other legislation.

Rights and obligations of the controller

3.1 The controller is responsible for ensuring that the processing of personal data is carried out in accordance with the GDPR (see Article 24 of the GDPR), data protection provisions of other EU or EEA Member State law and these Clauses.

3.2 The controller has the right and obligation to decide for which purpose(s) and with which means personal data may be processed.

3.3 The controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to perform.

The data processor acts on instructions

4.1 The data processor may only process personal data following documented instructions from the data controller, unless required by EU or Member State law to which the data processor is subject. These instructions shall be specified in Annexes A, C and D. Subsequent instructions may also be given by the controller while processing personal data, but the instructions must always be documented and stored in writing, including electronically, together with these Clauses.

4.2 The processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or data protection provisions of other Union or Member State law.

Confidentiality

5.1 The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor’s powers of instruction, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed on an ongoing basis. Based on this review, if access to personal data is no longer necessary, access may be closed and the personal data shall no longer be accessible to these individuals.

5.2 At the request of the controller, the data processor must be able to demonstrate that the persons concerned, who are subject to the data processor’s instruction powers, are subject to the aforementioned duty of confidentiality.

Security of processing

6.1 Article 32 GDPR states that the controller and processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risks.

The controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to mitigate those risks.

Depending on their relevance, such measures may include:

a) pseudonymisation and encryption of personal data
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
d) a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures for ensuring the security of the processing.

6.2 According to Article 32 of the Regulation, the processor shall – independently of the controller – also assess the risks to the rights of natural persons posed by the processing and implement measures to mitigate those risks. For the purposes of this assessment, the controller shall provide the processor with the necessary information to enable it to identify and assess such risks.

6.3 In addition, the data processor shall assist the controller in complying with its obligation under Article 32 of the Regulation by, inter alia, providing the controller with the necessary information regarding the technical and organizational security measures already implemented by the data processor pursuant to Article 32 of the Regulation and any other information necessary for the controller to comply with its obligation under Article 32 of the Regulation.

If addressing the identified risks – in the controller’s assessment – requires the implementation of additional measures beyond the measures already implemented by the processor, the controller shall specify the additional measures to be implemented in Annex C.

Use of sub-processors

7.1 The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR to use another data processor (a sub-processor).

7.2 The Data Processor may not use a Sub-Processor to fulfill these Clauses without prior general written approval from the Data Controller.

7.3 The Processor has the Controller’s general approval for the use of sub-processors. The Data Processor shall notify the Data Controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 45 days’ prior notice, thereby giving the Data Controller the opportunity to object to such changes prior to the use of the sub-processor(s) in question. The list of sub-processors already approved by the controller is set out in Annex B.

7.4 Where the processor uses a sub-processor to carry out specific processing activities on behalf of the controller, the processor shall, by contract or other legal act under Union or Member State law, impose on the sub-processor the same data protection obligations as those set out in these Clauses, in particular providing appropriate guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Clauses and the GDPR.

The Data Processor is therefore responsible for requiring the Sub-Processor to at least comply with the Data Processor’s obligations under these Clauses and the GDPR.

7.5 The sub-processor agreement(s) and any subsequent amendments thereto shall – at the request of the data controller – be sent in copy to the data controller, which thereby has the opportunity to ensure that similar data protection obligations arising from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection law content of the sub-processor agreement shall not be sent to the controller.

7.6 If the sub-processor does not fulfill its data protection obligations, the processor remains fully liable to the controller for the fulfillment of the sub-processor’s obligations. This shall be without prejudice to the rights of data subjects resulting from the GDPR, in particular Articles 79 and 82 thereof, vis-à-vis the controller and the processor, including the sub-processor.

Transfer of data to third countries or international organizations

8.1 Any transfer of personal data to third countries or international organizations may only be made by the data processor on the basis of documented instructions from the data controller and must always be in accordance with Chapter V of the General Data Protection Regulation.

8.2 Where the transfer of personal data to third countries or international organizations, which the processor has not been instructed to carry out by the controller, is required by Union or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such notification for reasons of important public interest.

8.3 Without documented instructions from the data controller, the data processor may not within the framework of these Clauses:

a) transfer personal data to a controller or processor in a third country or an international organization
b) entrust the processing of personal data to a sub-processor in a third country
c) process the personal data in a third country

8.4 The controller’s instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the GDPR on which the transfer is based, shall be specified in Annex C.6.

8.5 These Clauses shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR and these Clauses shall not constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.

Assistance to the controller

9.1 The data processor shall, taking into account the nature of the processing, assist the data controller as far as possible by means of appropriate technical and organizational measures in fulfilling the data controller’s obligation to respond to requests for the exercise of data subjects’ rights as set out in Chapter III of the GDPR.

This means that the data processor must, as far as possible, assist the data controller in connection with the data controller ensuring compliance with:

a) the information obligation when collecting personal data from the data subject
b) the obligation to provide information if personal data has not been collected from the data subject
c) the right of access
d) the right to rectification
e) the right to erasure (“right to be forgotten”)
f) the right to restriction of processing
g) the duty to inform in connection with rectification or erasure of personal data or restriction of processing
h) the right to data portability
i) the right to object
j) the right not to be subject to a decision based solely on automated processing, including profiling

9.2 In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3, the data processor shall, taking into account the nature of the processing and the information available to the data processor, also assist the data controller with

a. the data controller’s obligation to report a personal data breach to the Danish Data Protection Agency without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

b. the controller’s obligation to notify the data subject without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of natural persons

c. the controller’s obligation to analyze the impact of the intended processing operations on the protection of personal data prior to the processing (an impact assessment)

d. the controller’s obligation to consult the Data Protection Authority prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the absence of measures taken by the controller to mitigate the risk.

9.3 The parties shall specify in Annex C the necessary technical and organizational measures with which the data processor shall assist the data controller and to what extent and scope. This applies to the obligations arising from Clauses 9.1 and 9.2.

Personal data breach notification

10.1 The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred.

10.2 The Data Processor’s notification to the Data Controller shall, if possible, take place no later than 24 hours after becoming aware of the breach so that the Data Controller can comply with its obligation to report the personal data breach to the Danish Data Protection Agency within 72 hours, cf. Article 33 of the General Data Protection Regulation.

10.3 In accordance with Clause 9.2.a, the data processor shall assist the data controller in notifying the breach to the Data Protection Authority. This means that the data processor shall assist in providing the following information, which, according to Article 33(3), shall be included in the controller’s notification of the breach to the competent supervisory authority:

a. the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected

b. the likely consequences of the personal data breach

c. the measures that the controller has taken or proposes to take to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.

10.4 The parties shall specify in Annex C the information to be provided by the processor in the context of its assistance to the controller in its obligation to notify personal data breaches to the competent supervisory authority.

Deletion and return of data

11.1 Upon termination of the personal data processing services, the processor shall be obliged to return or delete all personal data processed on behalf of the controller and confirm to the controller that the data has been returned or deleted, unless Union or Member State law provides for the storage of the personal data.

The data processor undertakes to process the personal data only for the purpose(s), for the period and under the conditions prescribed by these Clauses.

Audit, including inspection

12.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and these Clauses and shall enable and contribute to audits, including inspections, carried out by the Controller or another auditor authorized by the Controller.

12.2 The procedures for the controller’s audits, including inspections, of the data processor and sub-processors are detailed in Appendices C.7 and C.8.

12.3 The Data Processor shall be obliged to grant supervisory authorities that have access to the Data Controller’s or Data Processor’s facilities under applicable law, or representatives acting on behalf of the supervisory authority, access to the Data Processor’s physical facilities against proper identification.

The parties’ agreements on other matters

13.1 The parties may agree on other provisions regarding the Service and regarding the processing of personal data, such as liability for damages, as long as these other provisions do not directly or indirectly conflict with the Clauses or impair the data subject’s fundamental rights and freedoms under the GDPR.

Entry into force and termination

14.1 The provisions shall enter into force on the date of the parties’ conclusion of the agreement on the provision of the Services.

14.2 Either party may demand renegotiation of the Clauses if changes in legislation or inappropriateness in the Clauses give rise to this.

14.3 The Clauses are valid for the duration of the personal data processing service. During this period, the Clauses cannot be terminated unless other provisions governing the provision of the Personal Data Processing Service are agreed between the parties.

14.4 If the provision of the Personal Data Processing Services ceases and the Personal Data has been deleted or returned to the Controller in accordance with Clause 11.1 and Appendix C.3, the Clauses may be terminated with written notice by either party.


Appendix A.
Information about the processing

A.1 The purpose of the data processor’s processing of personal data on behalf of the data controller is the provision of the services referred to in the main agreement.

A.2 When the data processor’s processing of personal data on behalf of the data controller relates to payroll processing, it is primarily the following:

  • Calculating employees’ salaries
  • Performing all calculations and reports to, and initiating payments to, SKAT, ATP, holiday and parental leave funds, pension funds etc. on behalf of the Customer
  • Reporting statistics to employers’ associations and Statistics Denmark on behalf of the Customer
  • Sending payslips to employees’ digital mailboxes
  • Storing the Customer’s payslips in an electronic archive for 5 years after the end of the year in which the payslip is produced
  • Providing assistance with the start-up and creation of the Customer and Employees
  • Providing HR, payroll support and consulting services when customers need help.

When the data processor’s processing of personal data on behalf of the data controller relates to accounting and legal bookkeeping, it is primarily the following:

  • Bookkeeping of financial vouchers, daily statements and daily reconciliation of client accounts.
  • Creating payments in the bank
  • Accounting for creditors
  • Assistance with invoicing
  • Follow-up and control of debtor payments
  • Assistance with collecting documents from employees
  • Accounting and reconciliation of intercompany accounts
  • Preparing and submitting VAT returns

When the data processor’s processing of personal data on behalf of the data controller is about controlling, it is primarily about the following:

  • Accounting and depreciation of fixed assets and maintenance of fixed asset registers
  • VAT visibility, VAT reconciliation and VAT reporting
  • Preparation of monthly balances, including reconciliations of relevant accounts and cover letters
  • Assistance in creating procedure descriptions in the finance function
  • Annual Client Statement, year-end closing and auditor preparation

A.3. The processing includes the following types of personal data of the data subjects.

General personal data:

  • Contact information, such as name, address, email, phone
  • Job category, information about salary, working hours, absence, pension, tax, bank account
  • Holiday settlement
  • Pension settlement
  • Tax settlement
  • Account details
  • Employee number

Confidential personal data:

  • Union membership, in special situations where the employee’s union dues are deducted from their salary
  • CPR number

Sensitive and special personal data:

  • Health information, in special situations where the employee must be compensated for medical certificate expenses

A.4. The processing includes the following categories of data subjects

Categories of data subjects included in the processing:

  • Current and former employees of the controller (Customer)
  • The data controller’s (Customer’s) suppliers and business partners (contact persons)
  • Board members (contact persons) of the controller (Customer)
  • The controller’s (Customer’s) clients/customers

A.5. This Agreement shall apply for as long as the Processor processes personal data on behalf of the Controller in accordance with the supply agreement (the Agreement)


Appendix B.
Sub-processors

B.1 If the Data Processor’s performance of tasks for the Data Controller takes place exclusively in the Data Controller’s systems, the Data Controller is responsible for the security of the IT systems used. In such cases, the Data Processor may not – without the Data Controller’s specific written approval – use sub-processors.

The Data Processor shall ensure that the Data Processor’s employees comply with the organizational and technical security measures laid down at any time. At the time of entering into the agreement, the measures listed in Appendix C apply.

B.2 Approved sub-processors

If the data processor’s performance of tasks for the data controller takes place in the data processor’s systems, the data controller has approved the use of the above-mentioned sub-processors for the processing activity and scope of agreement described in the main agreement when the Clauses enter into force.

The data processor may not – without the data controller’s specific written approval – use a sub-processor for a processing activity other than the agreed one or use another sub-processor for this processing activity.

B.3 Notification for approval of sub-processors

The Data Processor shall notify the Data Controller in writing of any planned changes regarding the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object to such changes. Such notification shall be made with 1 month’s notice to the 1st of a month. If the controller has objections to the changes, the controller shall notify the data processor in writing. The data controller may only object if the data controller has reasonable, concrete reasons to do so. Objection to the addition or replacement of sub-processors shall not have a suspensive effect on the implementation thereof. If the data controller has objections, both the data controller and the data processor are entitled to terminate the Agreement in writing with effect from the time of commissioning of new sub-processors so that the change will not take effect vis-à-vis the data controller.


Appendix C.
Instruction regarding the processing of personal data

C.1. Subject of processing / instructions
The data processor’s processing of personal data on behalf of the data controller takes place by the data processor performing the processing described in the main agreement.

C.2 Processing security
The Data Processor is entitled and obliged to make decisions on which technical and organizational security measures to implement in order to establish the necessary (and agreed) security level.

The Data Processor shall implement all measures required under Article 32 of the General Data Protection Regulation, which states, inter alia, that a level of security appropriate to the risk shall be implemented, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing concerned, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

The security level must reflect:
The processing mainly includes general personal data, cf. GDPR Article 6, and in some cases CPR numbers of the controller’s employees. Only in very few cases are special categories of personal data processed, cf. GDPR Article 9, in the form of health data of the controller’s employees.

The Processor shall ensure that it has internal policies and procedures in place to implement appropriate organizational measures:

Information security, including:

  • Overall IT guidelines and requirements for information security
  • Implemented IT contingency plan
  • Process for auditing internal security procedures
  • Process for asset management
  • Password policy
  • Designated Data Protection Manager
  • Access control; including restricting access to data based on work-related needs
  • Encrypting or anonymizing data
  • Network protection and partitioning
  • Established secure forms of communication.
  • Register of assets and their classification
  • Protection of physical access routes to the processor’s locations

Employee security, including:

  • Background check
  • Non-disclosure agreements and confidentiality
  • GDPR training and ongoing awareness training
  • Active access restriction (privacy by default)
  • Employee instruction
  • Homeworking procedures, including guidelines for remote information security

The Data Processor must also ensure that it has implemented appropriate technical security measures and appropriate operational security, including:

  • Implemented processes to handle development and change management
  • Backup and logging
  • Monitoring and protecting against technical vulnerabilities
  • Process for secure development and continuous follow-up
  • Process to ensure that suppliers fulfill the same obligations as set out in this Data Processing Agreement
  • Incident response process and process for notifying the controller.
  • Process for identifying regulatory or contractual requirements.
  • Development, Test and Production environments are separate.
  • Development and testing is done by different people.
  • Capacity is continuously monitored and adjusted to maintain operations.

C.3. Retention period / deletion routine
Upon termination of the personal data processing service, the data processor shall either delete or return the personal data in accordance with clause 11.1, unless otherwise required by law.

C.5. Location of processing
Processing of personal data under the agreement may not take place anywhere other than at the data processor’s pre-approved locations and approved sub-processors’ locations.

C.6. Instructions for the transfer of personal data to third countries
The data processor does not transfer personal data to third countries, except to the generally approved sub-processors listed in Annex B.

If the controller does not provide in these Clauses or subsequently a documented instruction regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of these Clauses.

C.7 Audits, including inspections, by the Data Controller of the processing of personal data entrusted to the Data Processor shall take place as follows:

The Data Processor shall once a year, at its own expense, obtain a statement/inspection report from an independent third party regarding the Data Processor’s compliance with the General Data Protection Regulation, data protection provisions in other EU law or Member States’ national law and these Clauses.

It is agreed between the parties that the following type of management statement can be used:

“Your name
Address
Contact person/ possible DPO
Phone number
E-mail address

confirms that it has reviewed the technical and organizational security measures of which the data processor informed the data controller in connection with the conclusion of this data processing agreement.”

The statement may be provided on request without undue delay to the controller for information purposes. The controller may contest the framework and/or methodology of the statement and may in such cases request a new statement under a different framework and/or using a different methodology.

Based on the results of the statement, the controller is entitled to request the implementation of further measures to ensure compliance with the GDPR, data protection provisions of other EU or Member State law and these Clauses.

In addition, the controller or a representative of the controller shall have the right to carry out inspections, including physical inspections, of the premises from which the processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out whenever the controller deems it necessary; the assessment shall be based on facts and not on hunches. Physical inspection requires prior agreement with the data processor, and with a minimum of 3 weeks’ notice so that the data processor is prepared to allocate the necessary resources for it.

Any costs associated with a physical inspection shall be borne by the controller itself. The Processor shall allocate the resources necessary for the Controller to carry out its inspection.

C.8 The data processor’s audits, including inspections, of the processing of personal data that has been entrusted to the sub-processor shall be carried out in the same way as the data controller’s audits of the data processor, see section C.7.

C.9. The information that the data processor must provide in connection with its assistance to the data controller in its obligation to report personal data breaches to the Danish Data Protection Agency:

a. the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected

b. the likely consequences of the personal data breach

c. the measures that the controller has taken or proposes to take to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.

Appendix D.
The parties’ regulation of other matters

Materials and data are stored in the Data Processor’s Onedrive and deleted after 5 years. See also the main agreement between the parties.