Data processing agreement
This data processing agreement is the basis for the processing of personal data that Rackbeat carries out on behalf of you as a customer. The data processing agreement comes into force when you register as a customer.
This data processing agreement has been entered into in accordance with paragraph 3 of Art. 28 of the European Parliament and Council Regulation (EU) 2016/679 (“GDPR”) in order to regulate Rackbeat’s processing of personal data on behalf of you as a customer.
This data processing agreement is concluded between the Customer and Rackbeat.
The customer of Rackbeat takes on the role of data controller and is therefore referred to in this data processor agreement as “the data controller”, whose data is processed by:
The data processor:
1799 København V
The parties are in the following respectively referred to as “the data controller” and “the data processor” and together as “the parties”.
1.1 The definitions of “personal data”, “special categories of personal data” (sensitive data), “data processing”, “the data subject”, “data controller” and “data processor” are the same as those stated in the GDPR.
1.2 The purpose of this data processing agreement is to ensure the parties’ compliance with applicable data protection legislation and to document the data controller’s instructions to the data processor. The purpose of the data processor’s processing of personal data on behalf of the data controller is to ensure the data controller’s use of Rackbeat as further described in Rackbeat’s terms and conditions.
1.3 This data processor agreement sets out the rights and obligations of the parties when the data processor processes personal data on behalf of the data controller.
1.4 This data processing agreement takes precedence over other conflicting provisions regarding the processing of personal data, as far as Rackbeat’s terms and conditions or other agreements applicable between the parties are concerned. The data processing agreement is valid between the parties as long as the data controller subscribes to Rackbeat and the data processor must therefore process personal data on behalf of the data controller.
1.5 This data processor agreement does not release the data processor from obligations imposed on the data processor under applicable data protection legislation.
2. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
2.1 The data controller is responsible for ensuring that the processing of personal data in connection with the use of Rackbeat takes place in accordance with GDPR art. 24, other EU law or national law as well as this data processing agreement.
2.2 The data controller has the right and duty to make decisions about for which purpose(s) and with which means personal data may be processed. To this end, it is solely under the control of the data controller what personal data is processed, including entered and generated in Rackbeat.
2.3 The data controller is responsible for ensuring that there is a lawful basis of processing behind the actual processing and transfer of personal data that the data processor is instructed to carry out, including transfer to the sub-processors that the data processor uses and which are listed here at all times.
2.4 The data controller is responsible for the accuracy, integrity, contents, reliability and lawfulness of the personal data processed by the data processor.
2.5 The data controller has fulfilled all mandatory requirements and duties in relation to reporting and obtaining permission from the relevant public authorities, regarding the processing of personal data.
2.6 The data controller has fulfilled its obligation to provide information to the data subjects regarding the processing of personal data in accordance with applicable data protection legislation.
2.7 The data controller confirms that the data processor has given the relevant guarantees with regard to the implementation of technical and organizational security measures to ensure the rights of the data subjects and their personal data, when entering into this data processing agreement.
3. THE DATA PROCESSOR ACTS ACCORDING TO INSTRUCTIONS
3.1 The data processor may only process personal data in accordance with documented instructions from the data controller, unless required to do so by EU or national law to which the data processor is subject. By entering into this data processor agreement, the data controller instructs the data processor to process personal data in the following ways:
3.1.1 in accordance with applicable legislation;
3.1.2 to fulfill its obligations under Rackbeat’s terms and conditions;
3.1.3 as further specified by the data controller’s normal use of Rackbeat;
3.1.4 as described in this data processing agreement.
3.2 The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or applicable EU or national law.
4. SECURITY OF PROCESSING
4.1 The data processor is obliged to ensure a high level of security. This takes place in the form of implementing relevant organizational, technical and physical security measures.
The implementation takes into account the available technology and the costs of implementation, as well as the scope, context and purpose of the processing, in order to ensure a level of security appropriate to the risk and to the category of personal data to be protected.
4.2 The data processor may only give access to personal data, which is processed on behalf of the data controller, to persons who have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality – and only to the extent necessary. The duty of confidentiality must also apply after the termination of the data processing agreement.
4.3 Rackbeat has implemented several security measures and internal data protection policies to ensure confidentiality, integrity, resilience, and access to personal data. The following measures are particularly important:
4.3.1 Risk assessments of own security level in order to ensure that current technical and organizational measures are sufficient for the protection of personal data, including in accordance with GDPR art. 32 on processing security and GDPR art. 25 regarding privacy by design and default.
4.3.2 Effective encryption when transferring personal data via the Internet.
4.3.3 Limitation of access to personal data to the relevant persons required to comply with requirements and obligations in the data processing agreement.
4.3.4 Established controls to identify and report any breaches of personal data security.
4.3.5 Performing vulnerability scans and penetration tests on a regular basis to ensure that technical measures are implemented and tested.
4.3.6 Implemented procedures that ensure that changes in systems, databases, and networks are made consistently to ensure maintenance.
5. USE OF SUB-PROCESSORS
5.1 As part of delivering Rackbeat, the data processor uses sub-processors. This data processor agreement constitutes the data controller’s prior general written approval of the data processor’s use of sub-processors. Such sub-processors may be other companies within the Visma group, of which Rackbeat is a part, or third-party suppliers inside and outside the EU/EEA. The data processor’s sub-processors are listed in the current list of sub-processors.
5.2 The data processor ensures that its sub-processors comply with the corresponding obligations and requirements described in this data processor agreement. The data controller must be informed no later than 30 days before the data processor takes a new sub-processor into use. The data controller has the right to object to a new sub-processor that processes personal data on behalf of the data controller if that sub-processor does not process data in accordance with applicable data protection legislation. In such a situation, the data processor must demonstrate compliance by giving the data controller access to the data processor’s data protection assessment and by preparing documentation on the use of the sub-processor. If there is still disagreement about the use of the sub-processor, the data controller may terminate its subscription with a shorter notice than usual, so that the personal data of the data controller is not processed by the new sub-processor in question.
6. TRANSFER TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
6.1 Any transfer of personal data to a third country or an international organization requires the implementation of the EU Commission’s Standard Contractual Clauses (EU SCCs) or another valid transfer basis. The data controller authorizes the data processor to ensure a sufficient basis for the transfer of personal data to a third country on behalf of the data controller.
7. ASSISTANCE TO THE DATA CONTROLLER
7.1 The data processor must, as far as possible, assist the data controller with appropriate technical and organizational measures, taking into account the nature of the processing and the category of information available to the data processor, to ensure compliance with the data controller’s obligations in accordance with applicable data protection legislation.
7.2 The data processor assists the data controller with compliance relating to GDPR art. 32-36, including, among other things, processing security, notification of breaches of personal data security to the supervisory authority, and notification of breaches of personal data security to the data subject, taking into account the nature of the processing and the information available to the data processor.
7.3 The data processor may not respond to requests from data subjects, unless the data processor is authorized by the data controller to do so. The data processor does not pass on information about this data processing agreement to government authorities such as the police, including personal data, unless the data processor is obligated to do so according to legislation in the form of a court order or the like.
7.4 Furthermore, the data processor must, as far as possible and legally, notify the data controller if:
7.4.1 A request for access to personal data is received directly from the data subject;
7.4.2 A request for access to personal data is received directly from the government or other authorities, including the police, unless the data processor is instructed not to notify the data controller.
7.5 If the data controller requires information or assistance regarding security measures, documentation or information about how the data processor processes personal data in general, and such a request goes beyond what is necessary according to applicable data protection legislation, the data processor may require payment for such additional services.
8. NOTIFICATION OF PERSONAL DATA BREACH
8.1 The data processor notifies the data controller without undue delay after becoming aware that there has been a breach of personal data security involving personal data that the data processor processes on behalf of the data controller.
9. RETURN AND DELETION/ANONYMIZATION OF DATA
9.1 The data controller has the option of having its data returned (exported) when terminating the Rackbeat subscription. After terminating the subscription, the data processor will delete/anonymize all personal data that the data processor has processed on behalf of the data controller. This is done in accordance with current terms and conditions.
10. AUDIT, INCLUDING INSPECTION
10.1 The data controller is entitled to initiate an audit of the data processor’s obligations according to this data processor agreement.
10.2 If the proposed scope of the audit is covered by an ISAE 3000, ISO or similar assurance report carried out by a qualified third-party auditor within the preceding twelve months, and the data processor confirms that there have been no material changes in the measures that were audited, the data controller accepts that report instead of requesting a new audit of the measures already covered.
10.3 If the data processor’s assistance in connection with auditing exceeds the general service that the data processor must provide as a result of applicable data protection legislation, this will be billed separately.
11. VALIDITY AND TERMINATION
11.1 This data processor agreement is valid as long as the data processor processes personal data on behalf of the data controller in connection with the data controller’s use of Rackbeat.
11.2 The data processor is entitled to retain personal data after termination of the data processing agreement to the extent necessary according to applicable law, which in such a case will be done in accordance with the technical and organizational security measures described in this data processing agreement.
12. CHANGES TO THE DATA PROCESSING AGREEMENT
12.1 The applicable version of the data processing agreement will be accessible on the website at all times. Significant changes are notified 30 days before they take effect via email. Use of Rackbeat after the update constitutes an acceptance of the data processing agreement.
13.1 Liability for actions contrary to the provisions of this data processing agreement is regulated by the liability and compensation provisions in the terms and conditions of Rackbeat. This also applies to any violation carried out by the data processor’s sub-processors.
14. CHOICE OF LAW AND JURISDICTION
14.1 This data processing agreement is subject to Danish law and any dispute arising from or in connection with this data processing agreement must be settled by the Copenhagen city court.
If you have any questions about data protection in Rackbeat, you are more than welcome to reach out by writing to: firstname.lastname@example.org
Appendix A – Categories of personal data and data subjects
A. Categories of personal data
a. The data controller has control over which categories of personal data are processed in Rackbeat, but may, among other things, include:
– Telephone number
In addition to the above, special categories of personal data (sensitive information) may be processed by the data processor, to the extent that the data controller processes such data in Rackbeat. However, this is outside the data processor’s control.
B. Categories of the data subjects
a. The data controller has control over which categories of data subjects have their personal data processed in Rackbeat, but these may include, among other things:
– The data controller’s end users
– The data controller’s employees
– The data controller’s contact persons
– The data controller’s customers and customers’ end users
– The data controller’s customers’ employees
– The data controller’s customers’ contact persons