Data processor agreement

Between:

The customer

And

UseFizzy Aps
(“Fizzy”)
Åbrinken 43
5220 Odense SØ
Danmark
CVR:

(“The Data Processor”)

The parties are hereinafter referred to respectively as the “Data Controller” and the “Data Processor”, and individually referred to as a “Party” and collectively as the “Parties”, have entered into this data processing agreement:

1. Introduction
When using the Fizzy the Butler system (collectively referred to as “the Application”), the Data Controller will be responsible for his Processing of Personal Data in the Application. The data processor will process personal data on behalf of the Data Controller. In order to ensure that the Parties meet their obligations under national data protection rules and the European Parliament and Council Regulation (EU) 2016/279 (“GDPR”), the Parties have entered into this data processing agreement (“Agreement”), which constitutes the instructions from the Data Controller to the Data Processor and thus regulates the Data Processor’s Processing of personal data on behalf of the Data Controller.

Both Parties confirm that they are authorized to sign the Agreement.

1.1. This agreement is entered into in connection with the Data Processor’s delivery of:

Online system for handling the following areas in a company:

Sales
Table booking system
Appointment management system
POS Systems
Newsletter platform system
Car auction system
Bid reduction system
Reports and Statistics

1.2. The data processor processes the types of personal data that appear in Annex 1 of this agreement on behalf of the Data Controller. The personal information concerns the categories of persons listed in Appendix 1.

1.3. The data processor may only process personal data that is necessary as part of providing the services.

1.4. Any instructions regarding the processing of personal data pursuant to this agreement must be submitted to the Data Processor.

2. Obligations of the data processor
2.1. The data processor may only process the personal data that the Data Controller has transferred in accordance with the Data Controller’s documented instructions, cf. section 1.1 and Annex 1 of the agreement.

2.2. The data processor is also obliged to comply with the data protection legislation in force at all times. The Data Processor immediately informs the Data Controller if an instruction in the Data Processor’s opinion is contrary to data protection legislation in EU law or the legislation of a Member State.

2.3. The data processor must implement all measures required in accordance with Article 32 of the Data Protection Regulation, including technical and organizational security measures. This includes measures against the personal data listed in Annex 1 being accidentally or illegally destroyed, lost or degraded, as well as against them coming to the knowledge of unauthorized persons, being misused or otherwise processed in breach of data protection legislation.

2.4. The data processor must ensure that the employees involved in processing the personal data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.

2.5. The data processor assists the data controller as far as possible in fulfilling his obligation to respond to requests regarding the exercise of the data subject’s rights according to chapter 3 of the data protection regulation.

2.6. The data processor sends requests and objections from data subjects etc. to the Data Controller for the purpose of the Data Controller’s further processing. The data processor must, at the request of the Data Controller, assist the Data Controller with responding to the request and/or the objection.

2.7. The data processor is obliged to notify the Data Controller of operational disturbances, suspected breaches of data protection legislation or other irregularities in connection with the processing of the personal data. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the time the Data Processor becomes aware of a security breach. The data processor must, at the request of the Data Controller, assist the Data Controller in relation to clarifying the security breach, including in connection with any notification of the Danish Data Protection Authority and/or registered persons. The Data Controller bears the Data Processor’s possible costs associated with this.

2.8. The Data Processor makes available to the Data Controller all information necessary to demonstrate the Data Processor’s compliance with Article 28 of the Data Protection Regulation, the agreement and the data protection legislation in general. In this connection, the data processor allows for and contributes to audits and supervision, including inspections carried out by the Data Controller or another auditor authorized by the Data Controller. The Data Controller bears any costs associated with this.

2.9. In addition to the Data Controller listed above, the Data Processor assists the Data Controller in ensuring compliance with the Data Controller’s obligations under Articles 32-36 of the Data Protection Regulation.

2.10. The Data Controller gives the Data Processor a general power of attorney to enter into agreements with sub-processors. The data processor makes sure to impose the same data protection obligations on the sub-processor as those stipulated in the agreement. The data processor must, on behalf of the Data Controller, enter into written data processing agreements with sub-data processors within the EU/EEA. In relation to sub-processors outside the EU/EEA, the Data Processor must enter into standard agreements in accordance with the Commission’s decision 2010/87/EU of 5 February 2010 on standard contract provisions for the transfer of personal data to data processors established in third countries (“Standard Agreement”). If the sub-processor does not fulfill its data protection obligations, the Data Processor remains fully responsible to the Data Controller for the fulfillment of the sub-processor’s obligations. When entering into the agreement, the Data Processor uses the sub-processors listed in Appendix 2.

3. Deletion and termination
3.1. The personal information is stored as long as the Data Controller maintains its Subscription, after which it is deleted by the Data Processor. Upon termination of the subscription, the Data Processor is obliged, at the Data Controller’s choice, to delete or return all personal data to the Data Controller as well as to delete existing copies, unless EU law or national law prescribes the storage of the personal data.

3.2. The agreement is valid as long as the Data Processor processes personal data on behalf of the Data Controller.

4. Miscellaneous
4.1. Amendments to the Agreement must be attached in a separate annex to the Agreement. If any of the provisions of the Agreement are invalid, this will not affect the remaining provisions. The parties must replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.

4.2. Liability for actions contrary to the provisions of this Agreement is regulated by the liability and compensation provisions in the conditions of use of Fizzy. This also applies to any violation committed by the Data Processor’s Sub-Data Processors.

4.3. The Data Controller is entitled to initiate an audit of the Data Processor’s obligations under the Agreement once a year. If the Data Controller is obliged to do so according to applicable legislation, an audit can be carried out more often than once a year. In connection with a request for an audit, the Data Controller must send a detailed audit plan with a description of scope, duration and start date at least four weeks before the proposed start date. It must be decided jointly between the Parties if a third party is to carry out the audit. However, the Data Controller may let the Data Processor decide that the audit for security reasons must be carried out by a neutral third party at the Data Processor’s choice, if it is a processing environment where the data of several Data Controllers is used.

If the proposed scope of the audit follows an ISAE, ISO or similar certification report carried out by a qualified third-party auditor within the preceding twelve months, and the Data Processor confirms that there have been no material changes to the measures under audit, it shall Data controllers accept this revision instead of requesting a new revision of the measures already covered.

In any event, auditing must take place during normal business hours at the relevant facility in accordance with the Data Processor’s policies and must not unreasonably interfere with the Data Processor’s usual commercial activities.

The Data Controller is responsible for all costs in connection with the request for revision. The Data Processor’s assistance in connection with this, which exceeds the general service that the Data Processor and/or Fizzy must provide as a result of applicable data protection legislation, will be billed separately.

5. Law and jurisdiction
5.1. This agreement is governed by Danish law.

5.2. Venue for any claim and any dispute arising from or otherwise connected with this agreement must be brought before Copenhagen City Court.

Appendix 1 – Categories of Personal Information and Registered
1. Categories of Registered and Personal Information processed in accordance with the Agreement

a. Categories of Registered

  • The Data Controller’s end users
  • Employees of the Data Controller
  • The Data Controller’s employees’ closest relatives
  • The Data Controller’s contact persons
  • The Data Controller’s customers and customers’ end users
  • Employees of the Data Controller’s customers
  • The Data Controller’s customer contact persons
  • Possibly.

b. Categories of Personal Information

  • Name
  • Title
  • Phone number
  • E-mail
  • Address
  • CPR number via EAN invoicing (treated as confidential information)
  • Etc.

Categories of Personal Information and Registered in connection with Salary
1. Categories of Registered and Personal Information processed in accordance with the Agreement

a. Categories of Registered

The Data Controller’s end users
Employees of the Data Controller
The Data Controller’s contact persons
Possibly.
b. Categories of Personal Information

Contact information, such as name, address

Job category, information on salary, working hours, absence, pension, tax, bank account

Possibly. other personal data that is necessary for the Data Controller to manage the employment relationship

Categories of Personal Information in connection with orders / orders online or through the checkout
1. Categories of Registered and Personal Information processed in accordance with the Agreement

a. Categories of Registered

  • The Data Controller’s customers and customers’ end users
  • Etc.

b. Categories of Personal Information

Contact information, such as name, address, telephone number, e-mail, any other information the customer chooses to provide in connection with their order

 

Other information such as collection or delivery date, amount

Possibly. other personal data that is necessary for the Data Controller to administer an order