Data Processing Agreement
ziik.io (Chainintra ApS)
Njalsgade 21F, 6 Sal
2300 København S
Company registration no.: 36553081
(the "Data Processor")
Date: 19.09.2019 09:16
1.1 This agreement concerning processing of personal data (the ”Data Processing Agreement”) regulates the Data Processor’s processing of personal data on behalf of the Data Controller and is attached as an appendix to the Cooperation Agreement (cloud-based social intranet), for date, see signed contract (the ”Main Agreement”), in which the parties have agreed on the terms for the Data Processor’s delivery of services to the Data Controller (the ”Main Services”).
1.2 If there are discrepancies between the rights and obligations under the Main Agreement and the Data Processing Agreement, the rights and obligations under the Data Processing Agreement shall prevail.
2.1 The Data Processing Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the ”Applicable Law”), including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) which entered into force on 24 May 2016 and will apply from 25 May 2018 (the “GDPR”) and any applicable national implementation laws.
3. Processing of personal data
3.1 In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of personal data on behalf of the Data Controller.
3.2 ”Personal data” means “any information relating to an identified or identifiable natural person” as defined in article 4(1) of the GDPR that is processed under this Data Processing Agreement (the ”Personal Data”). The categories and types of Personal Data, categories of data subjects, the purposes of the processing and the processing activities performed by the Data Processor as well as the processing locations are listed in Sub-Appendix A. The parties shall update Sub-Appendix A whenever changes occur that necessitate an update.
3.3 The Data Processor shall have and maintain records of processing activities in accordance with article 30(2) of the GDPR.
4.1 The Data Processor shall only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the ”Instruction”) unless the Data Processor is subject to EU law or national Member State law under which the Data Processor is obliged to process the Personal Data differently; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Instruction at the time of entering into this Data Processing Agreement is that the Data Processor may only process and store the Personal Data with the purpose of, and to the extent it is necessary for, provision and delivery of the Main Services as described in the Main Agreement and within the specifications described in Sub-Appendix A.
4.2 The Data Controller shall ensure that the Personal Data made available to the Data Processor is processed in accordance with the Applicable Law, including the legislative requirements of lawfulness of processing and information to be provided to the data subject.
4.3 In the event that the Data Processor does not comply with this Data Processing Agreement, the Data Controller may instruct the Data Processor to stop further processing of the Personal Data with immediate effect.
4.4 The Data Processor shall immediately give notice to the Data Controller if the Data Processor considers the Instruction to conflict with the Applicable Law.
5.1 The Data Processor shall process the Personal Data as strictly confidential information. The Personal Data shall not be copied, transferred or otherwise processed except in accordance with the Instruction, unless the Data Controller has agreed hereto in writing.
5.2 The Data Processor’s employees that process the Personal Data shall be subject to an obligation of confidentiality that ensures that the employees shall treat the Personal Data with strict confidentiality.
6.1 The Data Processor shall implement the appropriate technical and organisational security measures as set out in the Data Processing Agreement and in the Applicable Law, including in accordance with article 32 of the GDPR.
6.2 The Data Processor’s security measures are further described in Sub-Appendix B.
6.3 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.
7. Data protection impact assessments and prior consultation
7.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with article 35 of the GDPR along with any prior consultation in accordance with article 36 of the GDPR.
8. Rights of the data subjects
8.1 If the Data Controller receives a request for the exercise of a data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation.
8.2 If the Data Controller requests the assistance of the Data Processor to respond to a data subject request, the Data Controller shall request so in writing and the Data Processor shall answer such a request with the relevant and necessary information and documentation as soon as possible and no later than 7 calendar days after the receipt of a request.
8.3 If the Data Processor receives a request directly from a data subject for the exercise of a data subject’s rights under the Applicable Law and such request is related to the Personal Data, the Data Processor shall immediately forward the request to the Data Controller and must refrain from responding to the person directly.
9. Personal Data Breaches
9.1 The Data Processor shall give notice to the Data Controller if a personal data breach occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the Personal Data (a “Personal Data Breach”). The Data Processor shall notify the Data Controller of a Personal Data Breach immediately and no later than 24 hours after becoming aware of the Personal Data Breach.
9.2 The Data Processor shall have and maintain records of all Personal Data Breaches. The records shall at a minimum include the following for each Personal Data Breach:
9.2.1 A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories of affected Personal Data.
9.2.2 A description of the likely as well as actually occurred consequences of the Personal Data Breach.
9.2.3 A description of the measures that the Data Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
9.3 The records of Personal Data Breaches shall be provided to the Data Controller in copy if so requested in writing by the Data Controller or the supervisory authority.
9.4 The Data Processor shall, on request, assist the Data Controller in drafting notification to the supervisory authority and/or the data subjects affected by the Personal Data Breach.
10. Documentation of compliance
10.1 The Data Processor shall on the Data Controller’s written request hereof provide documentation substantiating the following:
10.1.1 The Data Processor complies with its obligations under this Data Processing Agreement and the Instruction.
10.1.2 The Data Processor complies with the Applicable Law in respect of the processing of the Personal Data.
10.2 The Data Processor’s documentation in connection with section 10.1 shall be provided within reasonable time after the receipt of the request.
10.3 The Data Processor is not obligated to initiate and undertake external audits of its compliance with the Data Processing Agreement on its own initiative.
10.4 Notwithstanding section 10.3, the Data Processor shall allow for and contribute to audits, inspections, etc., to be conducted by the Data Controller, auditors mandated by the Data Controller, or public authorities in Denmark or other competent jurisdictions, insofar as such audits, inspections, etc. are necessary to verify the compliance of the Data Processor with this Data Processing Agreement and the Applicable Law. Any auditors performing said audits, inspections, etc. must have undertaken a duty of confidentiality either by written contract or by statutory law. The Data Controller shall notify the Data Processor 14 calendar days before such an audit. If an audit is carried out by a governmental authority directly at the Data Processor’s premises and relates to processing activities performed on behalf of the Data Controller, the Data Processor must inform the Data Controller hereof and participate in and facilitate such audits. If the audit is not performed due to actions or omissions by the Data Processor or its Sub-Processors, the Data Processor shall be entitled to invoice the Data Controller for its assistance with such audits.
11.1 The following shall apply for the Data Processor’s engagement of third parties to process the Personal Data (“Sub-Processors”): The Data Processor shall not without explicit written authorization from the Data Controller engage any Sub-Processor, except for those already authorized and specified in Sub-Appendix C, including replacing these. The Data Controller shall not deny an authorization or replacement of a Sub-Processor, unless there is specific and substantive reason for this.
11.2 The Data Processor shall conclude a written sub-processor agreement with any Sub-Processor. Such an agreement shall at minimum provide the same data protection and security obligations as the ones applicable to the Data Processor in accordance with this Data Processing Agreement and the Main Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with such data protection obligations, and the documentation hereof shall be provided to the Data Controller if so requested in writing.
11.3 The Data Processor is accountable to the Data Controller for any Sub-Processor’s processing of the Personal Data in the same way as for its own actions and omissions.
11.4 The Data Processor is at the time of entering into this Data Processing Agreement using the Sub-Processors listed in Sub-Appendix C. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in Sub-Appendix C under paragraph 2.
12. Location of the Personal Data
12.1 The Personal Data shall only be processed by the Data Processor at the locations specified in Sub-Appendix A. The Data Processor shall not transfer the Personal Data to third countries or to international organisations in third countries.
12.2 Any transfer of the Personal Data shall only be done in accordance with this Data Processing Agreement, including the Instruction and the Applicable Law.
13. Remuneration and costs
13.1 The Data Processor's compliance with this Data Processing Agreement and time and material spent in connection herewith shall only be separately payable if specified herein. The parties agree that the Data Processor shall be entitled to invoice the Data Controller for used time and materials for performing works under the following clause(s) in the Data Processing Agreement:
a) 7 (assistance with the Data Controller's provision of data protection impact assessments)
b) 8 (assistance with the Data Controller's compliance with the data subjects' rights)
c) 10.1 and 10.2 (documentation of compliance with the Data Processing Agreement and the Applicable Law based on requests from the Data Controller)
d) 10.4 (payment covering the Data Processor's and its Sub-Processors' expenses to audits initiated and performed by the Data Controller or its external auditors)
e) 10.3 (payment covering the Data Processor's direct and documented expenses in connection with audits initiated and performed by the Data Processor or external auditors appointed by the Data Processor)
13.2 The Data Processor is entitled to payment for the time and materials necessitated by and used to comply with any changes to the Instruction, when those changes are made by the Data Controller and are not a direct result of changes in Applicable Law. This includes implementation costs and increased costs for delivery of the Main Services.
13.3 If there are changes in the Applicable Law, including the interpretations hereof and issued guidelines from the relevant and applicable data protection agencies, any increased costs shall be borne by each party respectively.
14. Breach and liability
14.1 The Data Processor is not liable for non-delivery or delay of the Main Services insofar as its delivery would be in violation of the modified Instruction or delivery in accordance with the modified Instruction is impossible. This may, for example, be the case,
(i) where the modifications cannot be technically, practically or legally implemented, or
(ii) where the Data Controller explicitly states that the modifications must apply before implementation is possible.
14.2 Breach and liability shall be governed by the Cooperation Agreement and the Data Processing Agreement, but the liability shall be limited to the payment made to the Data Processor for the last 12 months.
15.1 The Data Processing Agreement shall remain in force for as long time as the Data Processor processes the Personal Data.
16.1 This Data Processing Agreement shall remain effective for as long as the Data Processor processes Personal Data on behalf of the Data Controller.
16.2 The Data Processor may continue to process the Personal Data for up to three months after the termination of the Data Processing Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Data Processor is entitled to include the Personal Data in the Data Processor’s backup. The Data Processor’s processing of the Data Controller’s Personal Data in the three months after the termination of this Data Processing Agreement shall be considered as being in accordance with the Instruction.
16.3 At the termination of this Data Processing Agreement, the Data Processor and its Sub-Processors shall, at the Data Controller’s choice, return or delete the Personal Data processed under this Data Processing Agreement, provided that the Data Controller is not already in possession of the Personal Data. At the Data Controller’s written request, the Data Processor shall delete all the Personal Data, except when EU Member State legislation or national legislation stipulates otherwise. The Data Processor shall provide documentation for such deletion to the Data Controller upon request.
17.1 The contact information for the Data Processor and the Data Controller is provided in the Main Agreement.
18.1 Both parties agree and guarantee that this Data Processing Agreement is entered into and accepted by persons that are authorised and have the necessary mandate to do so.
Sub-Appendix A
1. Personal Data
1.1 The Data Processor processes Personal Data in connection with its delivery of the Main Services. The processed Personal Data includes, but is not limited to, the following types of Personal Data:
Name, telephone number, email, and varying personal data that the customer or the customer's customer issues or registers without the company's active processing and identification thereof.
2.1 The Data Processor processes Personal Data with the following purposes:
that the Data Controller (Customer) can use Ziik's platform, which is owned and administered by the Data Controller (the Customer), to streamline internal communication and knowledge sharing. Ziik only provides the platform and the Customer owns all data.
3. Data subjects
3.1 The Data Processor processes Personal Data on the following categories of data subjects on behalf of the Data Controller:
Customers, employees of the customer, the customer's customers and their employees, suppliers (when the supplier is an individual or a sole proprietor), the supplier's employees (when the supplier is a company), business partners (when the business partner is an individual or a sole proprietor), employees of the business partner (when the business partner is a company).
4. Processing activities
4.1 The Data Processor processes the Personal Data by performing the following processing activities:
Delivering the company's service (a cloud-based social intranet).
5.1 The Data Processor shall process the Personal Data at the following locations:
Copenhagen, Denmark (Main office)
Sub-Appendix B
1.1 This description of the technical and organisational security measures (the “Description of Security Measures”) is prepared to demonstrate the Data Processor’s established security measures, implemented in accordance with article 32 of the GDPR, or security measures to be established before the processing of the Personal Data.
2. Organisational security
2.1 The Data Processor has implemented the following organisational security measures:
a) All employees of the Data Processor are subject to confidentiality obligations that apply to all processing of Personal Data.
b) The employee access to Personal Data is limited, so that only the relevant employees have access to the necessary Personal Data.
c) The employees of the Data Processor that have access to special categories of personal data or critical IT systems have undergone a security clearance before they were employed.
d) The Data Processor has documentable process descriptions for the processing of Personal Data.
e) The Data Processor has an IT security policy.
f) The Data Processor has established procedures that ensure proper deletion or continuous confidentiality when hardware is repaired, serviced or disposed of.
3. Technical and logical security
3.1 The Data Processor has implemented the following technical and logical security measures:
3.1.1 a) The Data Processor uses logical access control with username and password or other unique authorization.
b) The Data Processor regularly makes backups.
c) The Data Processor uses a firewall that is updated regularly.
d) The Data Processor uses antivirus programs that are updated regularly.
e) The Data Processor's websites and web forms use SSL certificates/HTTPS (Hyper Text Transfer Protocol Secure).
f) The Data Processor logs and controls unauthorized or repeated failed login attempts.
3.1.2 The Data Processor has also implemented 2-factor authentication.
4. Physical security
4.1 The Data Processor has implemented the following physical security measures:
a) The Data Processor's devices (including PCs, servers, etc.) are secured behind locked doors.
b) The Data Processor uses fire alarms and smoke detectors to detect and prevent fires.
Sub-Appendix C
1. Approved Sub-Processors
1.1 The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Data Processing Agreement on the terms of this Data Processing Agreement and the Applicable Law:
Linode, Servers, email@example.com
Close.io, CRM tool, firstname.lastname@example.org
E-conomic, Accounting tool, email@example.com
Stripe, Billing service, firstname.lastname@example.org
Campaign Monitor, Newsletters, email@example.com
Zapier, Integration tool, firstname.lastname@example.org
2. New Sub-Processors
2.1 New Sub-Processors may be used by the Data Processor by adding and updating these in a separate document in continuation of this Sub-Appendix C, which shall be sent for information or approval by the Data Controller before a new Sub-Processor is used.