Data Processing Agreement

(‘DPA‘)

Data responsible & Data processor:

Data processor:

RACKBEAT ApS

HAVNEGADE 53B, 1058 KØBENHAVN K, CVR: 39086409
Contact: GDPR@RACKBEAT.COM

Copenhagen 03/05-2020


This document covers Rackbeat ApS's (hereafter called “Rackbeat”) processing of Person and Client data, in accordance with the General Data Protection Regulation of 25 May 2018.

By using Rackbeat’s services or applications (hereafter referred to as “services” or “application”), the data responsible will be accountable for the processing and handling of personal data in the application. The data processor will be responsible for their handling of personal data on behalf of the data responsible. To ensure that the parties comply with their obligations in accordance with the national data protection rights, and the European Parliament and the Council of the European Union’s directive (EU) 2016/279 (”GDPR”), the parties have entered this data handling agreement (“Agreement”), which contains the instructions from the data responsible to the data processor and therefore regulates the handling of personal data on behalf of the data responsible.

The data handler will only handle person- and client data, in accordance with Rackbeat General Data Protection Regulation Policy.

The agreement regulates the data processor's handling of personal data on behalf of the data responsible, and describes how the data processor shall contribute to privacy protection on behalf of the data responsible. This is documented through the technical and organizational measures which are required by the applicable data protection law.

1. Definitions

”Client” means a customer of Rackbeat.

”Client data” encompasses client-related data, such as reports, files, documents, or other files hosted by Rackbeat with processing intent.

”Personal data” means any information relating to an identified or identifiable natural person.

”Public data” means all information that is accessible to the public, and can be accessed without consent.

”Confidential data” means all data that is not accessible to the public and can only be accessed by Rackbeat employees, or sub-contractors, in accordance with Rackbeat's organizational structure.

2. Processing of personal data

2.1 Details about information processing
In connection with the data processor's delivery of services and applications to the data responsible, the data processor will handle and survey different types and categories of the data responsible’s personal data, on behalf of the data responsible.

2.2. Definitions
“Personal data” includes all information regarding an identified or identifiable natural person, as defined in GDPR, article 4, par. 1, (2) (“Personal Information”).

2.3 Registration of processing
The data controller will have and maintain records over processing activities, in accordance with GDPR Art. 34 (2).

2.4 The data processor’s information about the client
The data processor processes personal data about the data responsible and its employees, in connection with the data processor's sales, marketing and product development. This personal data is not covered in this data processing agreement, because the data processor is responsible for the mentioned personal data, and is thus referred to the Rackbeat General Data Protection Regulation Policy, which is accessible on the website.

3. The responsibility of the client

Within the areas covered by the contract and in its usage of services and application, the data responsible is solely responsible for complying with the law’s requirements regarding data protection and privacy, especially in regards to transmission of personal information to the data processor and protection of personal data. In order to avoid any doubt, the data controller’s processes shall comply with the data protection law, in regards to processing of personal data.

This DPA is the complete and final instruction for Rackbeat in regards to processing personal data and compliance with data protection policy, and any other processes outside of the DPA’s usage require a prior written agreement between the parties. Instructions must be stated in the agreement and can at times be changed, reinforced or replaced by the data controller in separate written instructions (as individual instructions).

The data controller shall inform the data processor, without unnecessary delay about any errors or inconsistencies in connection with personal data processing legislation.

4. Data processor’s responsibility

4.1 Consistency with contract processes
The parties acknowledge and accept that the client is the data controller of personal data and Rackbeat is the processor of this data. The data processor shall only collect, process and use personal data within the scope set by the data controller’s instructions. If it is the data processor’s opinion that an instruction violates the data privacy legislation, the data controller is immediately notified. If the data processor cannot process personal data in compliance with data protection policy, due to a regulatory requirement in accordance with any applicable EU legislation, the data processor will immediately notify the data controller about the legislation concerning the relevant processing, within the scope of what is permitted by the data protection law, and stop all processing (except storing and maintaining the security of the personal data in question) until the data responsible issues new instructions that the data processor can adhere to.

If this stipulation is invoked, the data processor is not responsible under the agreement for lacking implementation of the existing services, until the data responsible issues new instructions regarding processing.

4.2. Security
The data processor shall take appropriate technical and organizational precautions, in order to sufficiently protect personal data against unintended or illegal destruction, loss, change, unauthorized release or access to personal data, as described in point 6 in the “Rackbeat General Data Protection Regulation Policy”.

These precautions include but are not limited to:

  • Preventing unauthorized people from accessing systems that process personal data (physical restriction of access – see Rackbeat GDPR Policy, point 8)
  • Preventing personal data systems from being used without permission (logical access control)
  • To secure that people who are permitted to use a personal data system are only granted access to such personal data as they have rights to access in accordance with their rights of access, and that personal data under processing, use or storage cannot be read, copied, changed or deleted without permission (data access control)
  • That personal data cannot be copied, changed or deleted without permission during electronic transmission, transport or storage on storage media, and that the devices for any transfer of personal data with the help of data transfer facilities can be established and verified (data transfer control)
  • To secure the establishment of an accounting record, in order to document the scope of, and the party accountable for, personal data collected, changed or removed from personal data processing systems (restriction of access)
  • To secure that personal data is processed solely in accordance with the instructions (control of instructions)
  • To secure that personal data is secured against unintended loss or destruction (restriction of accessibility)

4.3 Confidentiality
The data processor shall ensure that any personnel whom the data processor authorizes to process personal data on its behalf are subject to confidentiality obligations in relation to this personal data. The confidentiality obligation continues after the termination of the above-mentioned activities.

4.4 Loss of personal data
The data processor informs the data controller as fast as is reasonably possible after it has become evident that there has been a loss of any personal information that concerns personal data. At the request of the data controller, the data processor will immediately give such reasonable aid as is necessary to enable the data controller to inform the relevant government and/or affected data subjects about the personal information breach, if the data controller is required to do so according to data protection law.

4.5 Requests from data subjects
The data processor will provide reasonable assistance, including through appropriate technical and organizational measures and taking into account the nature of the processing, to enable the data responsible to respond to any request from data subjects (Client data) seeking to exercise their rights under the data protection law with respect to personal data (including access, rectification, restriction, deletion or transfer of personal data, as applicable), to the extent permitted by law.

If such a request is sent directly to the data processor, the data processor will promptly inform the data responsible and will potentially advise data subjects to send their request to the data responsible. The data responsible is solely responsible for reacting to potential data subjects’ requests.

4.6 Subcontractors
The data processor has a right to use subcontractors to fulfill the obligations of the processor, which are defined in the contract with the data responsible. For this purpose, the data controller approves the sub-contractors' engagement on behalf of the data processor's associated companies and third parties, which are referred to in Rackbeat GDPR (8).

If it is the data processor’s intent to instruct other subcontractors than those companies that are referred to in Rackbeat GDPR (8), the data processor will inform the data controller about this in writing, to give it the opportunity to oppose the engagement of the new subcontractors within 30 days of the written notification. The opposition must be based on reasonable grounds (e.g. if the data responsible demonstrates that there are significant risks associated with the subcontractors’ protection of privacy). If the data controller and data responsible cannot resolve such an issue, one of the parties can terminate the contract by written information to the other party. The data responsible is eligible to receive a refund of any prepaid but unused license for the period after the actual dismissal.

Where the data processor engages sub-contractors, the data processor will enter a contract with the subcontractor, which subjects the subcontractor to the same liabilities as those of the data processor contained in this DPA.

4.7 Deletion and/or retrieval of personal data
To the extent that it is required by the data protection law, the data processor will delete all personal data (including copies thereof) processed in compliance with this DPA, following termination or end of the engagement – see data storage, Rackbeat GDPR (7). If the data processor cannot delete personal data, due to technical or other reasons, the data processor will use precautions to ensure that personal data is blocked from any further processing.

In connection with termination of the agreement or issuing of other instructions within a timeframe set by the data controller, the data processor can return deleted or stored data. Any potential additional associated costs that occur in regards to retrieval or deletion of personal data, following the termination or end of the agreement, are borne by the data controller.

5. Audit

The data responsible can, prior to the beginning of the data processing and regularly thereafter, however at most once per year, audit the technical and organizational precautions that the data processor has applied.

The data controller shall, in connection with an audit request, enclose a detailed audit plan that describes scope, duration and start date, at least four weeks prior to the suggested start date. It has to be jointly agreed between the parties if a third party is to perform the audit. However, the data controller can let the data processor decide that, for security reasons, the audit can be performed by a neutral third party of the data processor's choice, if it regards a processing environment in which several data controllers' data is used.

The data controller is responsible for all costs associated with a request for an audit. The assistance of the data processor in this regard, which goes beyond the normal service that the data processor should offer as a consequence of data protection law, is settled separately.

6. Duration

The data processor contract continues until the main contract or customer engagement ends.

7. Expiry

7.1 Termination of permission to process personal data
The data processor's permission to process personal data on behalf of the data controller is cancelled with the termination of this agreement.

7.2 Processing after expiry
The data processor shall continue handling personal information up to three months following the termination of the data processor agreement, to the extent that is necessary and required by the applicable law.

In the same period, the data processor has the right to include personal data in the data processor’s backup. The data processor's handling of the data controller’s personal data in the three months following the termination of this data processing agreement is regarded as being in accordance with the instruction.

8. Changes

Changes to the agreement must be enclosed in a separate document.

Last updated April 2020 05-03-2020.