Data Processor Agreement ZIMAONE WORKPLACE
Published May 1, 2023
The parties
The customer
The customer is the organization (legal unit) that subscribes to ZimaOne Workplace. This part is filled in through the PDF version, which can be downloaded under “Billing information” under Settings or which can be requested from the supplier.
Thereafter, the customer is referred to as the “Data Controller”.
And
ZimaOne
Hereinafter, the supplier is referred to as the “Data Processor”.
The Customer and the Supplier are also referred to separately as a Party and together as the Parties.
1 BACKGROUND AND PURPOSE
1.1 The Parties have entered into this Agreement for the purposes of the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Data Protection Regulation), which sets specific requirements for the content of a Data Processor Agreement.
1.2 The Data Processor offers a Cloud-based application marketed under the name ZIMAONE WORKPLACE (in this Data Processor Agreement referred to as the “Application”), which offers several functions and modules that allow collaboration via web, mobile and tablet. Here you can communicate, share knowledge, files, and documents.
1.3 The Data Processor Agreement has been entered into as a supplement to and as a consequence of the subscription agreement entered between the Parties (the “Subscription Agreement”) on the Data Controller’s use of the Application.
1.4 The Data Processor acts as the data processor for the Data Controller, as the Data Processor processes personal information for the Data Controller and its employees and users. Personal data means information about an identified or identifiable natural person, in accordance with Article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation, “GDPR”).
1.5 The Data Processor Agreement and the Subscription Agreement are interdependent and cannot be terminated separately. However, without terminating the Subscription Agreement, the Data Processor Agreement may be replaced by another valid Data Processor Agreement.
1.6 This Data Processor Agreement takes precedence over any corresponding provisions in other Agreements between the Parties, including in the Subscription Agreement.
2 PROCESSING OF PERSONAL INFORMATION
2.1 The Data Processor is instructed to process personal data only for the purpose of providing the services specified in the Subscription Agreement. The Data Processor may not process or use personal data from the Data Controller for purposes other than those specified in the instructions, including the transfer of personal data to third countries or to an international organization, unless the Data Processor receives written instructions from the Data Controller, or is obliged to do so under EU or Member State law. In that case, the Data Processor must inform the Data Controller in writing of such a legal requirement before processing, unless the relevant legislation prohibits such information in the interests of important societal interests, cf. GDPR, Article 28, para. Notwithstanding the foregoing provision, the Data Processor may process and/or use personal data about the individual registered person for such other purposes as are permitted by the data subject.
2.2 Notwithstanding the provision in clause 3.1, it is noted that the Application is a Cloud-based Application, which is used by the Data Controller on a self-service basis. The Data Processor’s liability is thus limited to ensuring that the Application does not in itself entail data collection, processing or storage that is contrary to applicable law, except to the extent otherwise stated in the Subscription Agreement or this Agreement, and the Data Processor is not responsible for the actual use of the Application by data controllers or their employees or users, including if such use is in violation of applicable law or in violation of the Subscription Agreement or this Agreement. The processing of personal data must only take place in a technological environment which is under the control of the Data Controller, the Data Processor and/or subcontractors.
2.3 If the Data Controller has otherwise given permission for the transfer of personal data to a third country or to international organizations, the Data Processor must ensure that there is a legal basis for the transfer.
2.4 The Data Controller’s instructions that personal data must or may be transferred to a third country must appear from Appendices to the Agreement or in a separate written instruction from the Data Controller to the Data Processor. In such cases, the transfer must take place at the expense, risk, and responsibility of the Data Controller.
2.5 If the Data Controller considers an instruction from the Data Controller to be in breach of the GDPR or other data protection provisions in the EU or in the Member States, the Data Processor shall immediately inform the Data Controller thereof.
3 GENERAL OBLIGATIONS OF THE DATA PROCESSOR
3.1 The data processor must ensure that persons who are authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory confidentiality obligation.
3.2 The data controller shall take appropriate technical and organizational measures to prevent personal data from being:
(i) accidentally or unlawfully damaged, lost or altered,
(ii) published or made available without permission, or
(iii) otherwise treated in violation of applicable laws, including the GDPR.
3.3 The Data Processor must also comply with the special data security requirements that apply to the Data Processor and other applicable data security requirements that are directly imposed on the Data Processor; including the data security requirements in the data processor’s home country or in the country where the data processing is to be performed.
3.4 The relevant technical and organizational security measures shall be determined taking due account of:
(i) the current standards
(ii) the cost of their implementation; and
(iii) the nature, extent, context, and purpose of the data processing, as well as the risk of varying probability and severity of the rights and freedoms of natural persons.
3.5 The Data Processor shall, upon request, provide the Data Controller with sufficient information to enable the Data Controller to ensure that the Data Processor’s obligations under the Agreement are complied with, including that the relevant technical and organizational security measures have been implemented.
3.6 If the Data Controller requires the Data Processor to submit an audit report from an independent expert on the Data Processor’s compliance with the data security requirements under the Agreement, the Data Processor shall cause this to happen no later than the end of February each year for the period up to and including December of the previous year. The audit report shall, at the choice of the Data Processor, be prepared based on a recognized standard for such audit reports. Furthermore, the report must confirm that the Data Processor has all the necessary regulatory approvals necessary to perform the data processing tasks.
The cost of obtaining the audit report required by the Data Controller shall be borne by the Data Controller.
3.7 The Data Processor shall provide information regarding the provision of services to authorities or the Data Processor’s external advisers, including auditors, if this is necessary for the performance of their tasks in accordance with EU or Member State law.
3.8 The Data Processor shall grant authorities who, in accordance with EU or Member State legislation, have the right to access the Data Processor’s or Data Processor’s subcontractors’ facilities, or representatives of the authorities, access to the Data Processor’s physical facilities upon presentation of proper identification.
3.9 The Data Processor shall, without undue delay, after becoming aware of the information, notify the Data Controller in writing of:
(i) any request from authorities for the publication of personal data processed under the Agreement, unless expressly prohibited by the law of the EU or the Member States;
(ii) any suspicion or finding of (a) breach of security that results in the unintentional or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored or otherwise processed by the Data Processor under the Agreement or (b) other non-compliance with the Data Processor’s obligations under clause 4.4 and clause 4.5; or
(iii) any request for access to the personal data, received directly from the data subjects or from third parties.
3.10 Considering the nature of the data processing, the Data Processor shall immediately assist the Data Controller in handling requests from data subjects in accordance with Chapter III of the GDPR, including requests for access, correction, blocking or deletion. The Data Controller shall also assist the Data Controller in implementing appropriate technical and organizational measures to fulfill the Data Controller’s obligation to respond to such requests.
3.11 The Data Controller shall assist the Data Controller in fulfilling the other obligations that may be incumbent on the Data Controller in accordance with EU or Member State legislation, where the assistance from the Data Processor is implied and where assistance from the Data Processor is necessary for the Data Controller to comply with his obligations. This includes, but is not limited to, upon request, providing the Data Controller with all necessary information about an incident in accordance with section 4.9 (ii) and all necessary information for an impact assessment in accordance with Articles 35 and 36 of the GDPR.
3.12 The Data Processor has, in or through Appendix 1 to this Agreement, specified the subcontractors used, and the physical location of servers used to provide the data processing services. The Data Processor undertakes to keep the information about the physical location updated with one (1) month’s prior written notice to the Data Controller in the event of changes. Change of physical location does not require formal change of Appendix 1; prior written notice by email is sufficient.
3.13 If the Data Controller or one or more of his or her employees make a request to this effect, the Data Processor must delete all personal information about the individual employees or users. The data processor is, however, despite requirements for deletion, entitled to continue to store and process such personal data in accordance with the provisions of clause 10.9, just as deletion will not include information stored in backup repositories as part of the Data Processor’s usual backup procedures, provided that such backup repositories are not immediately available to the Data Processor’s staff and subcontractors.
4 GENERAL OBLIGATIONS OF THE DATA CONTROLLER
4.1 The Data Controller is the data controller and the Data Processor is the data processor in accordance with the GDPR in relation to the information that the Data Controller and/or its employees/users load/transfer to the Data Processor using the Application, cf. 3.2.
4.2 The Data Controller is responsible to the outside world (including the data subjects) for the processing of personal data within the framework of the GDPR, unless otherwise provided in the GDPR, Member State legislation or in this Agreement.
4.3 The Data Controller is responsible for ensuring that there is authority for the personal data processing that the Data Processor is instructed to carry out on behalf of the Data Controller. It is always the Data Controller’s responsibility to ensure that the Data Controller’s employees have given the necessary consent to the Data Processor’s receipt, processing and storage of personal data, and to ensure that the information transferred to the Data Processor is correct and up to date at all times.
4.4 The Data Controller’s employees or users may – as far as information about themselves is concerned – both via the Data Processor’s website and via the App offered by the Data Processor, independently decide on the Data Processor’s processing of personal data for other purposes and in other ways than that resulting from this Agreement.
4.5 The Data Controller is aware of – and is obliged to make his employees and users aware of – that the Application is a Cloud-based solution, where the Data Processor makes use of IT systems, including servers made available to the data processor by third parties, and accepts that in connection with data collection, data processing and data storage using the Application, personal data is transferred to such third parties. The third-party solutions currently used by the Data Processor, through which the exchange and processing of personal data may take place, are set out in Appendix 1.
4.6 The Data Controller is aware of and accepts that the Application offers an open API (“Application Programming Interface”), which enables others to develop Apps (software solutions) that can “talk” to the Application, including exchanging data across the applications, so that the Data Controller and its employees and users, in addition to the functionalities available in the Application, may also choose to make use of functionalities in such other Apps offered by third parties.
The Data Processor does not independently exchange personal information with such Third Party Apps, but if the Data Controller or its employees or users choose to install and use such Apps from third parties, they also accept that the data that the Data Processor has received in connection with the use of the Application, may be transferred in whole or in part to the data processor of the selected Apps.
The Data Processor is without any responsibility for the App Provider’s processing and storage of such personal data, as the Data Controller’s or his employee’s acceptance of a third party’s App creates an independent legal relationship between the Data Controller and/or the employee in question on the one hand and the data processor of that App on the other hand.
5 USE OF SUB-DATA PROCESSORS
5.1 The Data Controller accepts that the Data Processor is entitled to make use of subcontractors for the collection, processing, and storage of personal data. The Data Processor is obliged to ensure that the sub-processors’ processing of personal data meets the requirements of this Agreement. This includes the Data Processor’s verification that the security measures put in place by the sub-data processor ensure at least the same level of protection as that required by the Data Processor under this Agreement.
If the Data Controller wishes to oppose the use of the subcontractors with whom the Data Processor has entered into an Agreement, the Data Processor is entitled to terminate the Subscription Agreement with the Data Controller and this Data Processor Agreement.
5.2 Before the Data Processor engages a subcontractor, the Data Processor must enter into a written Agreement with the subcontractor, in which at least the same data protection obligations as stipulated in the Agreement must be imposed on the subcontractor.
5.3 The Data Processor remains fully liable to the Data Controller for the subcontractor’s fulfillment of its obligations. The fact that the Data Controller has given consent to the Data Processor’s use of subcontractors does not affect the Data Processor’s obligation to comply with the Agreement.
6 CONFIDENTIALITY
6.1 The data processor must keep personal information confidential.
6.2 The Data Processor may not pass on the personal data to third parties or make copies of personal data, unless it is strictly necessary for the performance of the Data Processor’s obligations to the Data Controller under the Agreement, and provided that the person to whom the personal data is passed is aware of its confidential character and has agreed to keep the personal information confidential in accordance with this Agreement.
6.3 The Data Processor shall restrict access to personal information to employees and subcontractors for whom access to this data is necessary to fulfill the Data Processor’s obligations to the Data Controller.
However, the Supplier is entitled to continue to keep the information for as long as and to the extent necessary to fulfill a contract or to fulfill a legal obligation, as well as for the Supplier’s protection of its own interests, for example as documentation of fulfillment of the Supplier’s obligations according to the Subscription Agreement and/or the Data Processor Agreement.
6.4 The Data Controller shall keep the confidential information received by the Data Processor confidential and may not illegally use or disclose confidential information.
7 AMENDMENTS AND TRANSFER
7.1 The Parties may at any time agree to amend this Agreement. Changes must be in writing.
7.2 The Data Processor may not assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written consent of the Data Controller.
8 NOTIFICATIONS OF BREACH OF PERSONAL DATA SECURITY
8.1 The Data Processor shall without undue delay notify the Data Controller after becoming aware that there has been a breach of the personal data security of the Data Processor or any sub-data processors. The Data Processor’s notification to the Data Controller must, if possible, take place no later than 48 hours after he has become aware of the security breach, so that the Data Controller can comply with his possible obligation to report the breach to the supervisory authority within 72 hours.
8.2 The data processor shall – considering the nature of the processing and the information available to it – assist the Data Controller in notifying the breach to the supervisory authority. This may mean that the Data Processor shall, among other things, assist in providing the information below, in accordance with GDPR Article 33(3), to the responsible data controller:
(i) The nature of the breach of personal data security, including, if possible, the categories and the number of data subjects concerned, as well as the categories and the number of personal data records concerned.
(ii) Likely consequences of the breach of personal data security.
(iii) Measures taken or proposed to be taken to deal with the breach of personal data security, including, where appropriate, measures to limit its potential harmful effects.
9 DURATION AND TERMINATION OF THE AGREEMENT
9.1 The Agreement enters into force when it is signed by both parties and remains in force until terminated by one of the parties.
Termination of the Subscription Agreement by a Party is considered a simultaneous termination of this Data Processor Agreement, and termination of this Data Processor Agreement is considered a simultaneous termination of the Subscription Agreement.
9.2 Each party may terminate the Agreement with 3 months’ written notice.
9.3 Irrespective of the term of the Agreement, the Agreement is valid as long as the Data Processor processes the personal information for which the Data Controller is the data controller.
9.4 In the event of termination of the Agreement, the Data Processor shall, regardless of the reason, provide the necessary transfer services to the Data Controller. The Data Processor is obliged to assist loyally and as quickly as possible in transferring personal data to another provider or returning them to the Data Controller, and is, regardless of the reason for the termination of the Agreement, entitled to remuneration for such transfer services.
9.5 At the request of the Data Controller, the Data Processor shall immediately transfer or delete personal data which the Data Processor processes for the Data Controller, unless EU or Member State legislation requires the storage of personal data.
9.6 Upon termination of the Data Processor Agreement, the Data Processor stores the received information generated via the Application based on the information received for a period of 6 months after the termination of the Data Processor Agreement, after which the information is permanently deleted, cf. 10.9.
9.7 Upon termination of the Data Processor Agreement, the Data Controller is entitled to receive a copy of the personal information transferred to the Data Processor. The information must be provided to the Data Controller in the readable digital format generated by the Application.
9.8 Similarly, the Data Controller’s employees may at any time download electronic copies and/or make physical downloads generated for each of them through the use of the Application, provided that access to them ceases at the earliest of the following two times: (i) 6 months after the termination of the Data Processor Agreement, or (ii) 6 months after the Data Controller has notified the Data Processor that the employee in question has resigned from his position with the Data Controller.
9.9 Notwithstanding the provisions of clause 10.6 and/or clause 10.8, the Data Processor is entitled to continue to store the personal data for as long as and to the extent necessary to fulfill a contract or to fulfill a legal obligation, as well as for the Data Processor’s protection of its own interests, for example as documentation of fulfillment of the Data Processor’s obligations according to the Subscription Agreement and/or the Data Processor Agreement.
10 PRIORITY
10.1 If any of the provisions of the Agreement is in conflict with the provisions of any other written or oral agreement entered into between the Parties, the provisions of the Agreement shall prevail. The requirements in clause 4 of the Agreement do not apply, however, to the extent that the Parties in another Agreement may have stipulated stricter obligations for the Data Processor. Furthermore, the Agreement does not apply if the EU Commission’s Standard Contract Provisions for the transfer of personal data to third countries have been concluded, and such provisions contain stricter obligations for the Data Processor and/or its subcontractors.
10.2 This Agreement does not stipulate the Data Controller’s remuneration to the Data Processor for the Data Processor’s services in accordance with the Agreement.
11 CHOICE OF LAW AND DISPUTES
11.1 This Data Processor Agreement and any dispute that may arise therefrom are subject to Danish law, except for any international private law regulation.
11.2 Any dispute between the Parties arising out of this Agreement shall be settled in accordance with the dispute settlement provisions set forth in the Subscription Agreement between the Parties.
Appendix 1
Subcontractor and third party systems used in the Application.
Name | Function
ManDrillApp.com | Delivery of system mails / messages
Gatewayapi.com | Delivery of SMS messages
Google Inc. | Analysis, statistics, map data
WorldWeatherOnline.com | Weather Forecast
Timeanddate.com | Hours and Holidays
No personal data is sent or stored in these 3rd party apps.
This list can and will be expanded as new functions and modules are implemented in the Application.