Data Processor Agreement
Last updated: May 18, 2018. Version 1.0
1.1 This agreement regarding the processing of personal data (the “Data Processor Agreement”) regulates the processing of personal data by Expeni IvS, Company registration no. 38916335 (the “Data Processor”), on behalf of the customer (the “Data Controller”) and is attached as Appendix A to the Expeni Terms of Service agreement (the “Main Agreement”), in which the parties have agreed on the terms for the Data Processor’s delivery of services to the Data Controller (the “Main Services”).
2.1 The Data Processor Agreement shall ensure that both the Data Controller and Data Processor comply with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular:
(i) The European Parliament and the Council’s Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data that entered into force on 24 May 2016 and will be applicable on 25 May 2018 (“GDPR”). Irrespective of the general use and reference to GDPR in this Data Processor Agreement, the parties are not obliged to comply with GDPR before 25 May 2018.
3. Processing of personal data
3.1 In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
3.2 “Personal data” include “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (the “Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to performing the Main Services. The parties shall update sub-appendix A whenever changes occur that necessitate an update. Each party shall comply with the Applicable Law with respect to the processing of the Personal Data.
3.4 The Data Controller warrants to the Data Processor that it has the legal right to disclose all Personal Data that it does, in fact, disclose to the Data Processor under or in connection with this Data Processor Agreement.
4.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”). By entering into this Data Processor Agreement, the Data Controller instructs the Data Processor to process the Personal Data in the following ways:
- i) in accordance with the Applicable Law
- ii) process the Personal Data with the purpose of delivering the Main Services as described in the Main Agreement
- iii) as further specified by the Data Controller’s normal use of the Main Services
- iv) as described in this Data Processor Agreement
4.2 The Data Controller guarantees that the Personal Data transferred to the Data Processor is processed by the Data Controller in accordance with the Applicable Law, including the legislative requirements regarding the lawfulness of processing.
4.3 The Data Processor shall promptly inform the Data Controller if, in the opinion of the Data Processor, an instruction of the Data Controller relating to the processing of the Personal Data infringes the Applicable Law.
5. The Data Processor’s obligations
5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction unless the Data Controller in writing has agreed hereto.
5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processor Agreement with strict confidentiality. This provision shall also apply after termination of the Data Processor Agreement.
5.2.1 Taking into account the available technology, resources and the cost of implementation, as well as the scope, context and purpose of the data processing, the Data Processor is required to take all reasonable measures, including technical and organizational, to ensure a sufficient level of security in relation to the risk and the category of the Personal Data to be protected.
5.2.2 The Data Processor shall also ensure that the Data Processor’s employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
5.2.3 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.
5.3 Data protection impact assessments and prior consultation
5.3.1 If the Data Controller requires information or assistance regarding security, documentation or information about how the Data Processor processes the Personal Data generally and such request contains information that goes beyond what is required by the Applicable Law, the Data Processor may require payment for such additional services.
5.4 Rights of the data subjects
5.4.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
5.4.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
5.5 Personal Data Breaches
5.5.1 The Data Processor shall give immediate notice to the Data Controller if a breach of data security occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, in relation to the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).
5.5.2 The Data Processor shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following:
(i) A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of personal data.
(ii) A description of the likely as well as actually occurred consequences of the Personal Data Breach.
(iii) A description of the measures that the Data Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
5.5.3 The register of Personal Data Breaches shall be provided to the Data Controller in copy if so requested in writing by the Data Controller or the relevant Data Protection Agency.
5.6 Location of the Personal Data
5.6.1 The Data Processor shall only process the Personal Data on the documented instructions of the Controller (including with regard to transfers of the Personal Data to any place outside the European Economic Area), as set out in this Data Processor Agreement or any other document agreed by the parties in writing.
5.6.2 Any transfer of the Personal Data to any third countries or international organizations in the future shall only be done to the extent such transfer is permitted by the Data Controller and done in accordance with the Applicable Law.
6. Sub-Processors and Data Transfers
6.1 As part of the operation of the Main Services, the Data Processor uses sub-processors (“Sub-Processors”). Such Sub-Processors may be other companies of the Data Processor or third party suppliers within and outside the EU / EEA. If a Sub-Processor is established outside, or Personal Data is stored outside, of the EU / EEA, the Data Processor is authorized to ensure a sufficient basis for transferring Personal Data to a third country on behalf of the Data Controller, including using the EU Commission Standard Contracts or in accordance with Privacy Shield.
6.2 The Data Processor is given general authorization to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice thereof in writing within seven (7) calendar days from receiving the notification from the Data Processor. The absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.
6.3 The Data Processor may terminate this Data Processor Agreement and/or Main Agreement, including with a shorter notice than usual, to ensure that the Personal Data submitted by or on behalf of the Data Controller is not processed against the Applicable Law by a Sub-Processor.
6.4 The Data Processor shall conclude a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.
6.5 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
6.6 The Data Processor is at the time of entering into this Data Processor Agreement using the Sub-Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix B under paragraph 2.
6.7 The Data Controller acknowledges and agrees that, in connection with the performance of the services under the Main Agreement, Personal Data will be transferred to third countries EEA / Non-EEA (European Economic Area). The Data Processor has implemented appropriate safeguards for such transfers pursuant to Article 46 of the GDPR.
7. The Data Controller’s obligations
7.1 The Data Controller warrants and undertakes that the Personal Data has been collected, processed and transferred in accordance with the laws applicable to the Data Controller, for instance the Applicable Law.
7.2 The Data Controller warrants and undertakes that it will respond to enquiries from data subjects and the authority concerning processing of the Personal Data.
7.4 The Data Controller is responsible for the accuracy, integrity, reliability and the legality of the Personal Data processed by the Data Processor.
7.5 The Data Controller has fulfilled all mandatory requirements and duties in relation to notification to, or obtaining permission from, the relevant public authorities regarding the processing of Personal Data.
7.6 The Data Controller has fulfilled his disclosure obligations to the data subject regarding the processing of Personal Data in accordance with the Applicable Law or any other applicable laws.
8. Remuneration and costs
8.1 The Data Controller shall remunerate the Data Processor based on time spent on performing the obligations under section 5.3, 5.4, 5.5 and 5.6 of this Data Processor Agreement based on the Data Processor’s hourly rates.
8.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Main Services due to the change in the Instruction. The Data Processor is exempted from liability for non-performance with the Main Agreement if the performance of the obligations under the Main Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case: (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Main Agreement is changed to reflect the new Instruction and commercial terms hereof.
8.3 If changes to the Applicable Law, including new guidance or courts practice, result in additional costs to the Data Processor, the Data Controller shall indemnify the Data Processor of such documented costs.
9. Breach and liability
9.1 The Main Agreement’s regulation of breach of contract and the consequences hereof shall apply equally to this Data Processor Agreement as if this Data Processor Agreement is an integrated part hereof.
9.2 Each party’s cumulated liability under this Data Processor Agreement is limited to the payments made under the Main Agreement in the 12 months before the occurrence of the circumstances leading to a breach of contract. If the Data Processor Agreement has not been in force for 12 months before the occurrence of the circumstances leading to a breach of contract, the limited liability amount shall be calculated proportionately based on the actual performed payments.
9.3 The limitation of liability does not apply to the following:
(i) Losses as a consequence of the other party’s gross negligence or wilful misconduct.
(ii) A party’s expenses and resources used to perform the other party’s obligations, including payment obligations, towards a relevant data protection agency or any other authority.
10.1 The Data Processor Agreement shall remain in force until the Main Agreement is terminated.
11.1 The Data Processor’s authorization to process Personal Data on behalf of the Data Controller shall be annulled at the termination of this Data Processor Agreement.
11.2 The Data Processor will keep some records permanently if it is legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 5 years to support audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations. The company is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims. We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed. If Data Processor is unable to delete Personal Data for technical or other reasons, Data Processor will apply measures to ensure that Personal Data is blocked from any further processing to disclose the data.
11.3 Data Controller shall, upon termination or expiration of the Data Processor Agreement and by way of issuing an Instruction, stipulate, within a period of time set by Data Processor, the reasonable measures to return data or to delete stored data. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Data Processor Agreement shall be borne by Data Controller.
1. Personal Data
1.1 The Data Processor processes the following types of Personal Data in connection with its delivery of the Main Services:
- i) Name
- ii) Title
- iii) Phone number
- iv) Email
- v) Address
- vi) Avatar / Photo
- vii) Personal data provided by the users in connection with their use of the Main Services (these personal data are not seen or accessed by the Data Processor unless the Data Processor after the request thereof from the Data Controller assists with support and bug fixing).
2. Categories of data subjects
2.1 The Data Processor processes Personal Data about the following categories of data subjects on behalf of the Data Controller:
(i) Data Controller (Customer)
(ii) Data Controller’s Employees
(iii) Data Controller’s End Users (contractors, agents or any individual whose Personal Data is entered into the Main Services by or on behalf of the Data Controller)
(iv) Vendors of the Data Controller (Personal Data provided by the Data Controller or End Users in connection with their use of the Main Services)
(v) Contacts of the Data Controller (Personal Data provided by the Data Controller or End Users in connection with their use of the Main Services)
1. Approved Sub-Processors
1.1 The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Data Processor Agreement:
(1) Hosting supplier – LeaseWeb Netherlands: https://www.leaseweb.nl/
LeaseWeb Netherlands B.V., Luttenbergweg 8, 1101 EC Amsterdam, T +31 20 316 2880
(2) Hosting supplier – LeaseWeb Germany: https://www.leaseweb.com/
LeaseWeb Deutschland GmbH, Kleyerstraße 75-87, 60326 Frankfurt am Main, T +49 69 2475 2860
(3) Supplier of data backup: LeaseWeb Netherlands: https://www.leaseweb.nl/
(4) Payment Processor – PayPal
(5) Payment Processor – Stripe.com
(6) Email Provider – namecheap.com
(7) AnyMeeting.com – Intermedia
(8) Email Notices and newsletters – The Rocket Science Group, LLC d/b/a MailChimp
(9) Invoicing – Billy.dk – Denmark
(10) Email and Analytics Provider – Google Inc
(11) Source Code and Documentation Repository Provider – GitLab.com
(12) Live Chat Support – MyLiveChat.com
(13) Tasks management – Trello.com
(14) Atlassian Pty Ltd – Source tree, ticketing
(15) Amazon Web Services
(16) Capterra – Marketing – cookies and reviews
(17) Microsoft – Azure Hosting services, development software
2. New Sub-Processors
2.1 The following Sub-Processors have been added and communicated to the Data Controller prior to the relevant sub-processing:
(i) [insert when relevant]