DATA PROCESSING AGREEMENT
The Parties:
Agency360 ApS
Vesterbrogade 149
1620 Copenhagen K
Denmark
and
The Client
1. BACKGROUND
1.1 Agency360 ApS supplies a full-service solution comprised of web analytics tools that allow the Client to gain insight into the users (individuals and companies) that visit and use the Client’s websites and online social media.
1.2 The Client wishes to use Agency360 ApS’ system. For this purpose, Agency360 ApS shall receive non-sensitive personal data, including names, postal addresses, e-mail addresses and phone numbers.
1.3 This Agreement describes Agency360 ApS’ and the Client’s obligations with a view to meeting the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 regarding Data Processing Agreements (known as GDPR).
1.4 The Parties have entered this Agreement in connection with the Parties’ entering into an agreement regarding the Client's use of the Agency360 ApS product, Agency360 (”the General Agreement”). This and the General Agreement are interdependent and cannot be terminated separately. However, if this Agreement is replaced by another valid data processing agreement, there is no reason to terminate the General Agreement.
2. OBJECTIVES AND THE PARTIES’ STATUS
2.1 By agreement with the Client, Agency360 ApS shall process personal data for the Client with a view to meeting the objectives stated in section 1. Agency360 ApS may therefore solely process personal data that is necessary in order to supply the services stipulated in the General Agreement.
2.2 The Client is the Data Controller responsible for the personal data submitted to Agency360 ApS. The Client is responsible for ensuring that Agency360 ApS is permitted to process any personal data that is submitted to Agency360 ApS.
2.3 The Parties agree that Agency360 ApS is the Data Processor responsible for processing the personal data on the Client’s behalf. As Data Processor, Agency360 ApS has the obligations assigned to a Data Processor in pursuance of the GDPR.
3. Agency360 ApS’ CONTRACTUAL OBLIGATIONS
3.1 Agency360 ApS shall process the personal data only on documented instructions from the Client, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Danish law; in such a case, Agency360 ApS shall inform the Client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
3.2 Agency360 ApS shall ensure that any person who acts under the authority of Agency360 ApS and has access to personal data shall not process those data except on instructions from Agency360 ApS and that such a person has committed himself/herself to confidentiality.
4. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
4.1 Agency360 ApS shall take technical and organisational measures to prevent accidental or unlawful destruction, publication, loss, impairment, or unauthorised disclosure, misuse or other use in contravention of legal requirements. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Agency360 ApS shall, where relevant, implement the following measures (this list is not exhaustive): (i) the pseudonymisation and encryption of personal data, (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
4.2 Agency360 ApS shall immediately inform the Client of a personal data breach of data processed on the Client's behalf.
5. DATA SUBPROCESSORS
5.1 Agency360 ApS may not avail itself of the services of a Data Subprocessor except with the prior specific or general consent of the Client in writing. If general written consent is issued, Agency360 ApS shall notify the Client of the planned engagement of additional or replacement of Subprocessors and thereby give the Client an opportunity to object to such changes.
5.2 If Agency360 ApS transfers the processing of personal data for which the Client is responsible to a Data Subprocessor, Agency360 ApS shall enter a Data Processing Agreement with the Data Subprocessor to ensure that the Data Subprocessor is subject to the same obligations as Agency360 ApS is subject to in pursuance of this Agreement.
6. Agency360 ApS’ SUPPORT
6.1 Taking into account the nature of processing, Agency360 ApS shall as far as possible assist the Client by implementing appropriate technical and organisational measures to ensure that the Client complies with his obligations with regard to responding to requests to exercise the rights of natural persons.
6.2 Taking into account the nature of the processing and the data available to Agency360 ApS, Agency360 ApS shall assist the Client in adhering to the latter’s obligations established in the GDPR regarding security of processing (Article 32), notification of a personal data breach to Datatilsynet (The Danish Data Protection Authority) (Article 33), communication of a personal data breach to the data subject (Article 34), a data protection impact assessment (Article 35) and prior consultation with Datatilsynet (The Danish Data Protection Authority) (Article 36).
6.3 Agency360 ApS shall provide the Client with all the information required to prove compliance with this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
6.4 Agency360 ApS reserves the right to charge the Client per hour for any work done in connection with sections 6.1-6.3.
7. DATA ERASURE
7.1 Once cooperation with the Client is terminated, Agency360 ApS shall, at the Client’s discretion, either erase or return all personal data and any copies thereof to the Client unless EU Member State law stipulates that such personal data must be stored.