GDPR

1 Definitions

“The Data controller”: The Client
”The Data Processor”: Eazyproject A/S, Stændertorvet 4 1. sal, 4000 Roskilde, CVR-nr. 27660606
“Data Processing Agreement”: This agreement with any appendices and any later changes or additions
“Sub-Data Processor”: Any Data Processor such as the Data Processor, with the consent of the Data Controller, processes personal data of the Data Controller
“Sub-Processor Agreement”:
An agreement between the Data Processor and the Sub-Processor for the processing of data belonging to the Data Controller.

2 Background

The Data Processing Agreement is an integral part of the parties’ contractual relations, which deals with the storage of data for project management and time registration in the EazyProject system. Data is stored on servers located in data centers with primary location in Glostrup, Ballerup and Taastrup.

 

3 Legislation

3.1 The Data Processor guarantees that the Data Protection Act (Act No 502 of 23 May 2018) implementing the Personal Data Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016), and – where relevant – that Order 528 of June 15, 2000 on security measures for the protection of personal data processed by the public administration will be complied with.

3.2 The Data Processor further guarantees that any. later changes of The Data Protection Act, the Personal Data Regulation and / or Executive Order No. 528 of 15 June 2000 will be complied with.

 

4 Powers of the Data Processor

4.1 The Data Processor acts solely on the instructions of the Data Controller, Appendix A, and is therefore not responsible for the data that the Data Controller enters into the system is legally obtained under the Personal Data Act, the Act replacing this or the Personal Data Regulation or that the rules for processing information, including disclosure, in the Personal Data Act, Law replacing this or the Personal Data Regulation is complied with.

4.2 The Data Processor may not make decisions relating to the personal data that the Data Controller has left to the Data Processor, and for example, the Data Processor cannot, without the prior consent of the Data Controller, delete, disclose or disclose personal data to a third party.

4.3 However, the Data Processor is entitled to disclose information in the following cases without the consent of the Data Controller:

  • that it is required by law or follows from a final judgment.
  • that it is required by binding effect by a stock exchange, authorized marketplace or administrative authority or,
  • that, the information is widely known or publicly available,

 

5 Processor statements

5.1 The Data Processor makes the following statements regarding the processing of personal data for the Data Controller:

  • The Data Processor will ensure that the Data Processor has set up the necessary technical and organizational security measures against the personal data that the Data Controller discloses to the Data Processor accidentally or illegally destroying, forfeiting or deteriorating and against coming to the knowledge of unauthorized persons, being abused or otherwise violated. with the Personal Data Act.

 

  • The data processor will ensure that the security through log-in and password procedures, firewalls and antivirus during the term of the agreement will reflect the current technical level, and be proportionate to implementation costs, given the nature, scope, context and purpose of the processing, and the risk to natural persons. rights and freedoms.

 

  • The Data Processor will ensure that only employees with a work-related purpose will have access to the information the Data Controller discloses to the Data Processor, and that all employees who work with personal data or can access personal data are subject to confidentiality and are committed to confidentiality.

 

  • The Data Processor will ensure that the Data Processor’s employees receive regular training and instruction in compliance with the security requirements necessary to ensure compliance with the required security requirements.

 

6 Data Processor Obligations

6.1 At the request of the Data Controller, the Data Processor will provide sufficient information for the Data Controller to check whether the above technical and organizational security measures have been taken or not.

6.2 Each year, the Data Processor will submit a statement to the Data Controller documenting that the Data Processor and any sub-processors meet the requirements of the Data Processing Agreement for security measures. The statement will be prepared on behalf of the Data Processor by an independent third party.

6.3 If the Data Controller wishes to inspect the parts of the Data Processor or any other data. under sub-processor systems and facilities relating to the data controller’s data, the data processor must give the data controller access to conduct this inspection. However, it is a prerequisite for this inspection that the Data Controller must submit to the Data Processor a description of the systems and data that the Data Controller wishes to view 14 days prior to the inspection. It is a prerequisite that the desired inspection can be carried out in such a way that the Data Processor may. subcomputers can maintain normal operation and if this fails to do so the request for inspection may be rejected.

The Data Controller will bear all costs for the requested inspection itself.

6.4 To the extent that the Data Processor’s possible sub-data processor, such as Google, Microsoft or other similar worldwide corporations does not give access to an inspection, this must be accepted by the Data Controller.

6.5 The Data Processor will, as soon as possible, forward any request regarding the data subjects’ rights to the Data Controller, in addition the Data Processor will assist the Data Controller in responding to any request regarding the data subject’s rights.

6.6 In the event that the Data Processor is met with a third party claim on the basis of the Data Processor’s processing of personal data pursuant to the Data Processor Agreement, the Data Processor will submit this requirement to the Data Controller without undue delay.

6.7 The Data Processor will inform the Data Controller in writing immediately after becoming aware of any disruptions, suspected data breach rules or other irregularities in the processing of personal data. In the case of data breaches, the information must contain as a minimum information on the nature of the breach detected, the categories of persons (data subjects) covered and the number, and the measures taken by the Data Processor in connection with the breach that was found. The Data Processor is required to provide reasonable assistance to the Data Protection Officer in connection with notifications of security breaches to the Data Inspectorate and the data subjects.

 

7 During Data Processing Contracts

7.1 The Data Controller grants the Data Processor consent to the use of sub-data processors, provided that the conditions set out in the Agreement are met.

7.2 Appendix B shows the sub-processor (s) The data processor uses at the conclusion of the agreement. If the Data Processor plans to change the sub-processor / sub-processor, the Data Processor will notify the Data Controller at 5 weeks’ notice. If the Data Controller does not object, the new sub-processor (s) shall be considered as approved by the Data Controller.

7.3 If the Data Processor, with the consent of the Data Controller, discloses personal data covered by the Data Processing Agreement to a third party in order for a third party to process the data on behalf of the Data Processor, the Data Processor must enter into an agreement between the Data Processor and a third party – a sub-processor agreement in the Data Processor agreement with the sub processor. .

7.4 In the event that the Data Processor enters into a Sub-Processor Agreement with a foreign Sub-Processor, the Processor will ensure that this Sub-Processor Agreement states that the Data Protection Officer’s country’s data protection law applies to the foreign Sub-Processor. If the receiving Sub-Processor is established within the EU, the Processor shall ensure that the said Sub-Processor Agreement specifies that the receiving EU Member State’s specific regulatory requirements regarding Data Processor must be complied with.

7.5 The data processor will not use sub-data controllers established outside the EU without explicit consent.

 

8 Entry into force and termination

8.1 The Agreement enters into force when both parties have signed the Agreement

8.2 In the event of termination of the agreement regarding project management and time registration in the system EazyProject terminates this agreement at the same time. However, the Data Processor is required by the Data Processor Agreement as long as the Data Processor processes personal data on behalf of the Data Controller.

8.3 Upon termination of the Agreement, the Data Processor will immediately return all personal data processed on behalf of the Data Controller or if the Data Controller gives written instructions in this regard to delete the information.

 

9 Choice of law and venue

9.1 The Data Processing Agreement is governed by Danish law and any conflict arising from the agreement must be dealt with by the Court in Roskilde.

Annex A to the Agreement

1 General description of purposes and treatment activities (instructions)

In connection with the Data Processor processing the Personal Data on behalf of the Data Controller, the Data Controller gives instructions on the Processing of the following Personal Data for the following purposes:

  • The Data Processor Processes the Personal Information storing data for use in project management and time recording in the EazyProject system.

 

2 Categories of Registered

The categories of the data subjects may be adjusted from time to time, to the extent that such Processing and Purpose may be included in the general description.

(i) Data subjects: Employees, including former employees

 

3 Categories of Personal Information

Description of the categories of Personal Information associated with each category of the Registered.

(i) Name, Standard Time, All Absence (maternity leave, sick leave, walk-off, etc.),
Salary / employee no., Vacation (holiday-free, day of care, etc.) Working hours (used hours worked by assignments), employee expenses (allowance)

 

4 Access to personal data

The following persons at the Data Processor have access to the Personal Data:

  • Supporters
  • Developers (where it is necessary to check or monitor whether the programs are working properly)
  • Leaders

 

5 Storing data

If cooperation is terminated, the Customer’s system and data will be deleted.

Backup of data will be included as part of the total system backup and will be able to be restored for payment and only at the request of the Data Controller for up to one year after the termination of cooperation. Backup data is stored for up to one year.

 

Annex B to the Agreement

Sub-Processors Processing Personal Data covered by the Agreement and scope and purpose:

Company name, CVR no. address, contact information and contact information on any DPO (if applicable).

Scope and purpose of the Treatment.

Sentia Danmark A/S, Cvr. 10008123,
Lyskær 3, 2730 Herlev. Kennet La Cour

Networking, Physical servers, Backup, Internet connection, Operation of basic software / system