Note: This is just one example of our data processing agreement.
An agreement with your information can be downloaded when you are logged into the intellify Platform at: Team settings >>> Data Processing Agreement.
[Is inserted: Company, address, CVR-number]
[Contact person and contact information]
Hammerensgade 6, st.
1267 Copenhagen K,
The parties are hereinafter referred to as the "Data Controller" and "Data Processor" and "Part" or together "Parties".
By using the intellify platform and any module or function associated with the platform (referred to herein as "the Platform"), the Data Controller will be responsible for its processing of Personal Data on the Platform. The Data Processor will process personal data on behalf of the Data Controller. In order to ensure that the Parties fulfill their obligations under national data protection rules as well as European Parliament and Council Regulation (EU) 2016/279 (“GDPR”), the Parties have entered into this data processing agreement (the “Agreement”), which constitutes the instructions of the Data Controller to the Data Processor and thus regulates the Data Processor's processing of personal data on behalf of the Data Controller.
Both Parties confirm that they have the power of attorney / authority to sign the Agreement.
The definition of Personal Data, Specific Categories of Data (Sensitive Information), Processing, the data subject, Data Controller and Data Processor is the same as the relevant Personal Data Act, including GDPR.
The Agreement governs the Data Processor's Processing of Personal Data on behalf of the Data Controller, and describes how the Data Processor shall assist in the protection of privacy on behalf of the Data Controller and its data subjects through technical and organizational measures required under applicable data protection legislation, including GDPR of 25. May 2018.
The purpose of the Data Processor's Processing of Personal Data on behalf of the Data Controller is to ensure, the Data Controller's use of the Platform and the fulfillment of this Agreement.
The Agreement takes precedence over other conflicting provisions regarding the Processing of Personal Data as regards to the Terms and Conditions for use of the Platform or in other agreements between the Parties. The Agreement is valid as long as the Data Controller has an account on the Platform and the Data Processor must therefore process Personal Data on behalf of the Data Controller. However, this Agreement does not take precedence if the Parties have entered into another Data Processor Agreement, stating that the Data Processor Agreement takes precedence over this Agreement.
The Data Processor must process Personal Data solely on behalf of and following the instructions of the Data Controller. By entering into this Agreement, the Data Controller instructs to process Personal Data in the following ways: (i) in accordance with applicable law; (ii) to fulfill its obligations under the Subscription Terms of the Platform; and (iv) as described in this Agreement.
The categories of Data Subjects and Personal Information processed under this Agreement are described in Appendix A.
As part of being able to deliver the Platform, the Data Processor is obliged at all times to provide the Data Controller with good and competitive solutions that accompany the development. The Data Processor can offer better solutions tailored to the needs of each Data Provider by registering how the Data Controller and its representatives use the Platform. This enables the Data Processor to make a better version of the Platform, and generally provide better services and provide more relevant communication to the Data Controller and its representatives. The goal is for the Data Controller to solve as many challenges as possible in one place. To the extent that Personal information from the Platform is included in this work, it is processed in accordance with this Agreement and applicable law, and may be shared with companies in the intellify Group for the purpose of this work.
The Data Processor has no reason to believe that current legislation prevents the Data Processor from complying with the instructions set out above. The Data Processor shall, if it becomes aware of this, notify the Data Controller of instructions or other processing activities performed by the Data Controller which, in the Data Processor's opinion, contravene the applicable data protection law.
Taking into account the technology available and the cost of implementation, as well as the scope, context and purpose of the processing, the Data Processor is required to take all reasonable measures, including technical and organizational, to ensure an adequate level of security in relation to the risk and the category of Personal Information to be protected.
The Data Processor shall assist the Data Controller with appropriate technical and organizational measures where possible and taking into account the nature of the processing and the category of information available to the Data Processor to ensure compliance with the Data Controller's obligations under applicable Data Protection Laws, including assistance with respect to the fulfillment of requests by the Data Subjects as well as general compliance with the provisions of GDPR Articles 32-36.
The Data Processor must notify the Data Controller without unnecessary delay through the contact person stated in the Data Processor Agreement if the Data Processor becomes aware of a security breach.
Furthermore, the Data Processor shall, as far as possible and legally, notify the Data Controller if;
1. A request for access to Personal Information is received directly from the Data Subject
2. A request for access to Personal Data is received directly from state authorities, including the police
The Data Processor may not respond to such requests by the Data Subjects unless authorized by the Data Controller to do so. Further, the Data Processor will not disclose information about this Agreement to state authorities such as the police, including Personal Data, unless the Data Processor is required by law, such as a court order or similar.
If the Data Controller requires information or assistance regarding security measures, documentation or information on how the Data Processor processes Personal Data in general and such request contains information that goes beyond what is required by applicable Data Protection Laws, the Data Processor may require payment for such additional services.
The Data Processor and its employees must ensure confidentiality in relation to Personal Data processed under the Agreement. This provision shall also apply after termination of the Agreement.
Upon entering into this agreement, the Data Controller confirms that:
The Data Controller shall, using the Platform provided by the Data Processor, only process Personal Data in accordance with the requirements of the applicable Data Protection Law.
The Data Controller has a legal basis for processing and disclosing Personal Data to the Data Processor (including sub-processors used by the Data Processor).
The Data Controller is responsible for the accuracy, integrity, content of the reliability and legality of the Personal Data processed by the Data Processor.
The Data Controller has fulfilled all mandatory requirements and obligations in relation to notification or obtaining permission from the relevant public authorities as regards the processing of Personal Data.
The Data Controller has fulfilled its disclosure obligations to the Data Subjects regarding the processing of Personal Data in accordance with applicable data protection legislation.
The Data Controller agrees that the Data Processor has provided the relevant guarantees regarding the implementation of technical and organizational security measures to safeguard the rights of the Data Subjects and their Personal Information.
The Data Controller shall, when using the Platform, not process Sensitive information other than as specified in Appendix A.
The Data Controller must have an up-to-date list of the categories of Personal Data that it processes, this is especially true to the extent that such Processing contains Personal Sensitive Information.
As part of the operation of the Platform, the Data Processor uses subcontractors (“Data Sub-Processors”). Such Data Sub-Processors may be other companies within the intellify Group, or third-party suppliers in and outside the EU. The Data Processor's subcontractors are listed in the constantly updated list of Data Sub-Processors, which can be viewed here.
This Agreement constitutes the prior general and specific written approval of the Data Controller for the Data Processor's use of Data Sub-Processors.
If a Data Sub-Processor is established outside or Personal Data is stored outside the EU / EEA, the Data Controller authorizes the Data Processor to secure a sufficient basis for the transfer of Personal Data to third countries on behalf of the Data Controller, including using the EU Commission's standard contracts or in accordance with Privacy Shield.
The Data Controller must be informed before the Data Processor replaces its Data Sub-Processors. However, the Data Controller is only entitled to protest against a new Data Sub-Processor, which processes Personal Data on behalf of the Data Controller if it does not process data in accordance with applicable data protection legislation. In such a situation, the Data Processor must demonstrate compliance by giving the Data Controller access to the Data Processor's data protection assessment of the Data Sub-Processor. If there is still disagreement about the use of the Data Sub-Processor, the Data Controller may request the deletion of his account on the Platform and that the Data Controller's Personal Information is not processed by the Data Sub-Processor in question.
The Data Processor is required to ensure a high level of security in its products and services, which is ensured by relevant organizational, technical and physical security measures as required by information on security measures described in GDPR, Article 32.
Furthermore, the intellify Group's internal data protection policies aim to ensure confidentiality,
integrity, resilience and secure access to Personal Data. The following measures are particularly
Classification of Personal Data to ensure the implementation of security measures relevant to risk assessments.
Assessment of encryption and pseudonymization as risk-reducing factors.
Limit access to Personal Data to the relevant persons required to comply with the requirements and obligations of the Agreement or relevant to the Parties agreement on the use of the Platform.
Identify the security structure and how Personal Data is transferred between the Parties.
Conduct own security assessment to ensure that current technical and organizational measures are adequate for the protection of Personal Data, including Article 32 of the GDPR on processing security and Article 25 on Privacy by Design and Default.
Access to audit.
The Data Controller is entitled to initiate an audit of the Data Processor's obligations under the Agreement once a year. If the Data Controller is obliged to do so in accordance with current legislation, audits may be carried out more often than once a year. When requesting an audit, the Data Controller must provide a detailed audit plan with a description of the scope, duration and start date at least four weeks in advance of the proposed start date. It must be decided jointly between the Parties if a third party is to conduct the audit. However, the Data Controller may allow the Data Processor to decide that the audit for security reasons must be done by a neutral third party of the Data Processor's choice, in the case of a processing environment where multiple Data Controllers' data have been used.
If the proposed scope of the audit follows an ISAE, ISO or similar certification report conducted by a qualified third party auditor within the previous twelve months and the Data Processor confirms that there have been no material changes to the measures under audit, the Data Controller shall accept this audit instead of requesting a new revision of the measures already covered.
In any case, audits must be conducted during normal office hours at the appropriate facility in accordance with the Data Processor's policies and must not unduly interfere with the Data Processor's usual commercial activities.
The Data Controller is responsible for all costs associated with the request for audit. The Data Processor's assistance in connection with this, which exceeds the ordinary service that the Data Processor and / or the intellify Group must make available as a result of the applicable data protection legislation, is charged separately.
The Agreement is valid as long as the Data Processor processes Personal Data on behalf of the Data Controller in connection with the Data Controller's use of the Platform.
This Agreement will automatically terminate upon deletion of the Data Controller’s account on the Platform. Upon termination of the Account, the Data Processor will delete all Personal Information processed by the Data Processor on behalf of the Data Controller under the Agreement.
The Data Processor is entitled to retain Personal Data upon termination of the Agreement to the extent required by applicable law, which will then be in accordance with the technical and organizational security measures described in the Agreement.
Amendments to the Agreement must be included in a separate appendix to the Agreement.
If any of the provisions of the Agreement are invalid, this will not affect the remaining provisions. The Parties must replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.
The agreement is governed by Danish law and any dispute must be presented to a Danish court.
Categories of Data Subjects and Personal Information processed under the Agreement
a. Categories of Data Subjects
The Data Controller’s end users
The Data Controller’s employees
The Data Controller’s contacts
The Data Controller’s customers and customers end users
The Data Controller’s customers employees
The Data Controller’s customers contacts
b. Categories of Personal Information
Social Security number (CPR)
Job category, information on salary, working hours, absence, pension, tax, bank account
Possibly other personal information necessary for the Data Controller to manage the employment relationship