Data processing agreement, version 2023-1


Standard contractual clauses

pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the processing of personal data by the processor 

between

Customer name, VAT: 

Address, zip code and city

hereinafter "the controller"

and

2people A/S, CVR 30102281

Rudolfgårdsvej 15B, 8260 Viby, Denmark

hereinafter the "Processor", each of which is a "Party" and together constitute the "Parties",

HAVE AGREED upon the following standard contractual clauses in order to comply with the GDPR and to ensure the protection of privacy and the fundamental rights and freedoms of natural persons.

1. Content

  1. Content
  2. Preamble
  3. Rights and obligations of the data controller
  4. The data processor acts on instructions
  5. Confidentiality
  6. Security of processing
  7. Use of sub-processors
  8. Transfer to third countries or international organizations
  9. Assistance to the controller
  10. Personal data breach notification
  11. Deletion and return of data
  12. Audit, including inspection
  13. Agreement of the parties on other matters
  14. Entry into force and termination
  15. Contact persons at the data controller and data processor

Annex A Information about the processing

Annex B Sub-processors

Annex C Instructions for the processing of personal data

Annex D The parties' regulation of other matters

2. Preamble

  1. These Clauses set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
  2. These Clauses are designed to ensure the Parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  3. In connection with the delivery of the 2people solution, the data processor processes personal data on behalf of the data controller in accordance with these Clauses.
  4. These Clauses take precedence over any similar provisions in other agreements between the parties.
  5. Four annexes are attached to these Clauses, and the annexes form an integral part of the Clauses.
  6. Annex A contains details on the processing of personal data, including the purpose and nature of the processing, the types of personal data, the categories of data subjects and the duration of the processing.
  7. Annex B contains the data controller's conditions for the data processor's use of sub-processors and a list of the sub-processors that the data controller has approved.
  8. Annex C contains the data controller's instructions for the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-processors are supervised.
  9. Annex D contains provisions regarding other activities that are not covered by these Clauses.
  10. These Clauses and their annexes shall be kept in writing, including electronically, by both parties.
  11. These Clauses do not release the data processor from any obligations imposed on the data processor by the GDPR or any other legislation.

3. Rights and obligations of the data controller

1. The controller is responsible for ensuring that the processing of personal data is carried out in accordance with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU or Member State law and national law and these Clauses.

2. The controller has the right and obligation to make decisions about the purpose(s) and means by which personal data may be processed.

3. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.

4. The data processor acts on instructions

1. The processor shall only process personal data on documented instructions from the controller, unless required by Union or Member State law to which the processor is subject. This instruction shall be specified in Annexes A and C. Subsequent instructions may also be given by the controller while processing personal data, but the instruction shall always be documented and kept in writing, including electronically, together with these Clauses.

2. The processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or data protection provisions of other Union or Member State law.

5. Confidentiality

1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's powers of instruction, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of secrecy, and only to the extent necessary. The list of persons to whom access has been granted shall be reviewed on an ongoing basis. Based on this review, access to personal data may be closed if access is no longer necessary and the personal data shall no longer be accessible to these individuals.

2. The data processor shall, at the request of the data controller, be able to demonstrate that the persons concerned, who are subject to the data processor's powers of instruction, are subject to the above obligation of confidentiality.

6. Security of processing

1. Article 32 of the GDPR states that the controller and the processor, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of protection appropriate to those risks.

The controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address those risks. Depending on their relevance, this may include:

a. pseudonymization and encryption of personal data

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

c. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident

d. a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing.

2. According to Article 32 of the Regulation, the processor shall - independently of the controller - also assess the risks to the rights of natural persons posed by the processing and implement measures to address those risks. For the purposes of this assessment, the controller shall provide the processor with the necessary information to enable the processor to identify and assess such risks.

3. In addition, the data processor shall assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation by, inter alia, making available to the data controller the necessary information regarding the technical and organizational security measures already implemented by the data processor in accordance with Article 32 of the Regulation and any other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.

If addressing the identified risks requires - in the opinion of the controller - the implementation of additional measures to those already implemented by the processor, the controller shall specify the additional measures to be implemented in Annex C.

7. Use of sub-processors

1. The data processor must meet the conditions referred to in Article 28(2) and (4) of the GDPR in order to make use of another data processor (a sub-processor).

2. The data processor may not use a sub-processor to fulfill these Clauses without prior general written approval from the data controller.

3. The data processor has the data controller's general approval for the use of sub-processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 90 days' notice, thereby giving the data controller the opportunity to object to such changes prior to the use of the sub-processor(s) in question. Longer notice periods for notification in relation to specific processing operations may be specified in Annex B. The list of sub-processors already authorized by the controller is set out in Annex B.

4. Where the processor uses a sub-processor for the performance of specific processing activities on behalf of the controller, the processor shall impose on the sub-processor, by way of a contract or other legal act under Union or Member State law, the same data protection obligations as those set out in these Clauses, in particular providing appropriate guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Clauses and the GDPR.

The Data Processor is therefore responsible for requiring the Sub-Processor to at least comply with the Data Processor's obligations under these Clauses and the GDPR.

5. Sub-processor agreement(s) and any subsequent amendments thereto shall - at the request of the data controller - be sent in copy to the data controller, who thereby has the opportunity to ensure that similar data protection obligations as those arising from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection law content of the sub-processor agreement shall not be sent to the data controller.

6. The data processor shall include in its agreement with the sub-processor the data controller as a third party beneficiary in the event of the bankruptcy of the data processor, so that the data controller can subrogate to the data processor's rights and assert them against sub-processors, which, for example, enables the data controller to instruct the sub-processor to delete or return the personal data.

7. If the sub-processor fails to comply with its data protection obligations, the processor shall remain fully liable to the controller for the performance of the sub-processor's obligations. This shall be without prejudice to the rights of data subjects arising from the GDPR, in particular Articles 79 and 82 thereof, vis-à-vis the controller and the processor, including the sub-processor. 

8. Transfer to third countries or international organizations

1. Any transfer of personal data to third countries or international organizations may only be carried out by the data processor on the basis of documented instructions from the controller and shall always be in accordance with Chapter V of the GDPR.

2. Where the transfer of personal data to third countries or international organizations, which the processor has not been instructed to carry out by the controller, is required by Union or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.

3. Without documented instructions from the data controller, the data processor may not, within the framework of these Clauses:

a. transfer personal data to a controller or processor in a third country or an international organization

b. entrust the processing of personal data to a sub-processor in a third country

c. process the personal data in a third country

4. The controller's instructions for the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the GDPR on which the transfer is based, shall be set out in Annex C.6.

5. These Clauses are not standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the GDPR, and these Clauses cannot constitute a basis for the transfer of personal data within the meaning of Chapter V of the GDPR.

9. Assistance to the controller

1. The processor shall, taking into account the nature of the processing, assist the controller as far as possible, by appropriate technical and organizational measures, in fulfilling the controller's obligation to respond to requests for the exercise of the rights of data subjects as laid down in Chapter III of the GDPR.

This means that the data processor shall, as far as possible, assist the data controller in complying with the following data protection obligations:

  1. the obligation to provide information when collecting personal data from the data subject
  2. the obligation to provide information if personal data has not been collected from the data subject
  3. right of access
  4. the right to rectification
  5. the right to erasure ("right to be forgotten")
  6. the right to restriction of processing
  7. the notification obligation in connection with rectification or erasure of personal data or restriction of processing
  8. the right to data portability
  9. the right to object
  10. the right not to be subject to a decision based solely on automated processing, including profiling

2. In addition to the data processor's obligation to assist the controller pursuant to Clause 6.3, the data processor shall, taking into account the nature of the processing and the information available to the data processor, further assist the controller in fulfilling:

a. the controller's obligation to report a personal data breach to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

b. the controller's obligation to inform the data subject without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of natural persons

c. the controller's obligation to carry out, prior to processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment)

d. the controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment shows that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

3. The parties shall specify in Annex C the necessary technical and organizational measures with which the data processor shall assist the data controller and to what extent and scope. This applies to the obligations arising from Clauses 9.1 and 9.2.

10. Personal data breach notification

1. The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred.

2. The data processor's notification to the data controller shall, if possible, be made no later than 48 hours after it has become aware of the breach, so that the data controller can comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.

3. In accordance with Clause 9.2.a, the processor shall assist the controller in notifying the breach to the competent supervisory authority. This means that the processor shall assist in providing the following information, which according to Article 33(3) must be included in the controller's notification of the breach to the competent supervisory authority:

a. the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected

b. The likely consequences of the personal data breach

c. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where applicable, measures to mitigate its possible adverse effects.

4. The parties shall specify in Annex C the information to be provided by the processor in connection with its assistance to the controller in its obligation to notify personal data breaches to the competent supervisory authority.

11. Deletion and return of data

1. Upon termination of the services relating to the processing of personal data, the data processor shall be obliged to return all personal data and delete existing copies, unless Union or Member State law provides for the retention of the personal data.

12. Audit, including inspection

1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the GDPR and these Clauses and shall allow for and contribute to audits, including inspections, carried out by the data controller or another auditor authorized by the data controller.

2. The procedures for the controller's audits, including inspections, of the data processor and sub-processors are detailed in Annex C.7 and C.8.

3. The data processor shall be obliged to grant access to the data processor's physical facilities to supervisory authorities that have access to the data controller's or data processor's facilities under applicable law, or representatives acting on behalf of the supervisory authority, against proper identification.

13. Agreement of the parties on other matters

1. The parties may agree on other provisions regarding the service relating to the processing of personal data, such as liability, as long as these other provisions do not directly or indirectly conflict with the Clauses or impair the fundamental rights and freedoms of the data subject arising from the GDPR.

14. Entry into force and termination

1. These Clauses shall enter into force on the date of signature by both parties.

2. Either party may demand renegotiation of these Clauses if changes in the law or inappropriateness of the Clauses give rise to this.

3. These Clauses are valid for the duration of the personal data processing service. During this period, the Clauses cannot be terminated unless other provisions governing the provision of the personal data processing service are agreed between the parties.

4. If the provision of the personal data processing service ceases and the personal data has been deleted or returned to the controller in accordance with Clause 11.1 and Annex C.4, the Clauses may be terminated by either party upon written notice.

5. Signature

On behalf of the data controller

Name:

Position:

Phone number:

E-mail:

Signature:

On behalf of the data processor

Name: Daniel Sørensen

Position: CEO

Phone number: +45 50 99 69 44

E-mail: daniel@2people.com

Signature:

15. Contact persons at the controller and the processor

1. The parties can contact each other via the contact persons below.

2. The parties are obliged to keep each other informed of changes regarding contact persons.

Name:

Position:

Phone number:

E-mail:

Name: Daniel Sørensen

Position: Managing Director

Phone number: +45 50 99 69 44

E-mail: daniel@2people.com

Annex A Information about the processing

A.1 The purpose of the data processor's processing of personal data on behalf of the data controller is

  • to support the data controller's need for personnel administration and personnel planning, including registration of specific employment relationships.
  • to collect, record, store, disclose and delete personal data as instructed by the controller. 
  • that the above collection, storage, disclosure and deletion of personal data only takes place via functions available on the 2people solution.
  • that the 2people solution is only made available to the persons identified by the data controller

A.2 The data processor's processing of personal data on behalf of the data controller primarily concerns

  • the collection, recording, storage, disclosure and erasure of personal data in a work-related context.
  • The data includes employee master data, legal and personal documents, job descriptions, qualification descriptions, work processes, development goals and plans.
  • There is no independent disclosure or other processing of personal data other than that carried out on the instructions of the data controller.

A.3 The processing includes the following types of personal data of the data subjects:

[X] General personal data, to the extent that the controller provides them to the 2people solution

[X] Sensitive personal data, to the extent that the controller provides it to the 2people solution, including:

  • racial or ethnic background
  • political, religious or philosophical beliefs
  • genetic data
  • biometric data where it is processed for the purpose of uniquely identifying a natural person
  • trade union affiliation
  • health conditions
  • sexual relationships or sexual orientation

[X] Other information about purely private matters, to the extent that the data controller provides it to the 2people solution, including:

  • information about criminal convictions and/or offenses
  • significant social problems
  • other purely private matters that do not fall under the category "sensitive information"

A.4 The processing includes the following categories of data subjects:

  • The data controller's employees, board of directors, owners, consultants and other persons that the data controller may provide information about in the 2people solution.

A.5 The Data Processor's processing of personal data on behalf of the Data Controller may commence after the entry into force of this Agreement. The processing has the following duration:

  • The processing is time-limited and lasts until the end of the contract.

Annex B Sub-processors

B.1 Authorized sub-processors

Upon entry into force of the Clauses, the Controller has authorized the use of the following sub-processors:

| Name                        | CVR/VAT  | Address                                           | Location of data | Description of processing                                                                                                      |
|-----------------------------|----------|---------------------------------------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------|
| Rackhosting ApS             | 15777176 | Flaxseed 6C, 2630 Taastrup                        | DK               | Rackhosting is used for hosting the 2people solution's servers.                                                                |
| Cloudflare Inc              | N/A      | 101 Townsend St, San Francisco, CA                | EU               | Cloudflare is used to protect the 2people solution against attacks and only processes IP addresses.                            |
| Mailgun Technologies, Inc.  | N/A      | 112 E Pecan St, #1135, San Antonio, TX            | EU               | Mailgun is used to send emails from the 2people solution.                                                                      |
| HubSpot Inc.                | N/A      | 25 First Street, 2nd Floor, Cambridge, MA         | EU               | HubSpot is used as a ticketing system; the data controller is advised not to create tickets containing personal data.          |
| Penneo A/S                  | 29973334 | Enghavevej 40, 4., 1674 Copenhagen V              | DK               | Penneo is used as a digital signature provider in the 2people solution (optional to use).                                      |
| Twoday A/S                  | 29973334 | Gærtorvet 1, 1799 Copenhagen V                    | DK               | Addo Sign from Twoday is used as a digital signature provider in the 2people solution (optional to use).                       |

Upon the entry into force of the Clauses, the data controller has authorized the use of the above-mentioned sub-processors for the described processing activity. The data processor may not - without the data controller's written approval - make use of a sub-processor for a processing activity other than the described and agreed or make use of another sub-processor for this processing activity.

B.2 Notification for approval of sub-processors

The data processor has the data controller's general approval to use sub-processors. However, the data processor shall notify the data controller of any planned changes regarding the addition or replacement of sub-processors, thereby giving the data controller the opportunity to object to such changes. Such notification must reach the data controller at least 90 days before the use or change takes effect. If the data controller has objections to the changes, the data controller must notify the data processor within 60 days after receipt of the notification. The data controller may only object if the data controller has reasonable, concrete reasons for doing so.

Annex C Instructions for the processing of personal data

C.1 Subject of the processing / instruction

The data processor's processing of personal data on behalf of the data controller takes place by the data processor performing the following:

  • The data processor makes the 2people solution available to the data controller, who gets access to agreed services on the 2people solution.

C.2 Security of processing

The Processor shall implement the following measures agreed with the Controller.

C.2.1 Access restriction and authorization

  • Access to personal data is limited to those employees who have a work-related need to process personal data in order to fulfill the Data Processor's obligations to the Data Controller.

C.2.2 Maintaining security measures

  • To ensure that data is not accidentally or unlawfully destroyed, lost, impaired, disclosed to unauthorized persons, misused or otherwise processed in violation of the applicable rules for the processing of personal data, the data processor implements and maintains a number of organizational, administrative and IT measures.

C.2.2.1 Instruction of employees

  • Employees are instructed in the purpose and workflows of the data processing. The data processor ensures that employees are informed of their duty of confidentiality.

C.2.2.2 Access control and user access management

  • Only employees who need it are set up as users with access to 2people A/S' network and systems. Upon termination of an employee's employment, the employee's user access is blocked or terminated as soon as possible.

C.2.2.3 Network and communication security

  • 2people A/S uses firewalls to protect systems and networks.
  • If communication between users and systems takes place over open networks, the communication is encrypted.

C.2.2.4 Operating procedures and responsibilities

  • Configuration files, application code and data are backed up at appropriate intervals. Periodic testing is done to ensure that data can be restored from backups.
  • All relevant events in the systems are logged. Logging focuses on user actions, errors that occur and information that can be used to diagnose problems or answer customer questions.

C.3 Assistance to the controller

The Processor shall assist the Controller to the extent possible in accordance with Clauses 9.1 and 9.2.

C.4 Retention period / deletion routine

  • 30 days before the termination of the subscription to the 2people solution, the data controller must notify the data processor whether the data is to be deleted or returned to the data controller.
  • Where data is returned to the data controller upon termination, the data processor shall delete all copies of the data. The data processor must ensure that sub-processors comply with the data controller's instructions upon termination.
  • If the controller gives no instruction on the handling of the data upon termination, the data is automatically deleted no later than 12 months after termination.

C.5 Location of processing

Processing of the personal data covered by the Agreement may not, without the prior written consent of the Controller, take place at locations other than the following:

  • Data processing takes place from the data processor's office in Aarhus at Åbogade 15, 8200 Aarhus N, as well as via remote access.
  • The addresses of the sub-processors listed in Annex B.

C.6 Instructions for the transfer of personal data to third countries

If the controller does not provide, in these Clauses or subsequently, a documented instruction regarding the transfer of personal data to a third country, the processor is not entitled to make such transfers within the framework of these Clauses.

C.7 Detailed procedures for the controller's supervision of the processing carried out by the processor

Once a year, upon request, the Data Processor shall make a self-assessment report available to Data Controller customers who wish to supervise the Data Processor. The report contains the same control objectives as stated in FSR's and the Danish Data Protection Agency's standard for an ISAE 3000 assurance report on personal data.

In addition, the sub-processor's ISAE 3402 assurance report is made available to the controller.

In addition, the data controller or a representative of the data controller may conduct a physical inspection of the premises from which the data processor processes personal data, including the physical premises and the systems used for or in connection with the processing, in order to determine the data processor's compliance with the GDPR, data protection provisions in other Union or Member State law and these Clauses.

Any costs incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its inspection.

C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

Based on a risk assessment of the processing of personal data carried out by the sub-processor, the Data Processor shall carry out appropriate supervision of sub-processors. Depending on the outcome of the risk assessment, one or more of the following supervision concepts may be used. The method for performing the risk assessment and the supervision concepts are based on the Danish Data Protection Agency's guidance on supervision of data processors.

  • Concept 1 - Do nothing unless you become aware that something is wrong with the processor.
  • Concept 2 - The data processor confirms - preferably in writing - to you that all requirements in the data processing agreement are still being met.
  • Concept 3 - The data processor provides you annually - either directly or via its website - with a written status of matters covered by the data processing agreement and other relevant areas (e.g. organizational or product changes).
  • Concept 4 - The data processor has a relevant and up-to-date certification or follows a so-called code of conduct relevant to your processing activities.
  • Concept 5 - An independent third party has conducted a documented audit of the processor in an area that also covers your processing activities.
  • Concept 6 - You, alone or together with others, carry out a documented supervision of the processor.

The Processor will always, where possible, apply concepts 5 and 4, as these audits are performed by an independent third party and thus represent the highest level of assurance. As a general rule, auditor's assurance reports are obtained where available.

Annex D The parties' regulation of other matters

To the extent that the data processor's obligations to assist the data controller in fulfilling the data controller's obligations result in extraordinary resource consumption by the data processor, the data processor is entitled to reasonable payment for this. Any supplementary regulation or agreement between the parties on remuneration or the like in connection with the data processor's assistance to the data controller will appear from the parties' Purchase Agreement. Settlement will generally be based on a calculation of time spent.