DATA PROCESSOR AGREEMENT
This Data Processing Agreement is between
The company that subscribes to the Service using an API or similar methodology,
(hereinafter referred to as “the Data Processor” or the “Subscriber”)
Company reg. no. 39072858
3670 Veksø Sjælland
(hereinafter referred to as “uQualio”)
1. The Purpose of the Agreement
1.1 In order to ensure compliance with the current rules governing the processing of personal data, particularly the General Data Protection Regulation (hereinafter “GDPR”), the Danish Data Protection Act and related orders and instructions, the Parties have entered into this data processing agreement (hereinafter the “Data Processing Agreement”).
2. The Extent of the Data Processing
2.1 uQualio offers a subscription service to a video eLearning platform (the “Service”) for companies and other international organisations (“Subscribers”). Once a Subscriber has subscribed to the Service, the employees of the Subscriber's customers (the “Users”) have access to the Service, available using an API. The Service is thus made available by the Subscriber to the Users.
2.2 uQualio is a sub data processor regarding any personal data, cf. Appendix A, that the Users upload to the Service when creating a personal account; the Subscriber is a Data Processor and the Subscriber's customer is the Data Controller.
2.3 In case the Service is made available to the Subscriber's employees or other direct users of the Subscriber (as opposed to section 2.1 above, where the users are the employees of the Subscriber's customers) (the “Users”), uQualio is a Data Processor and the Subscriber is a Data Controller. The terms of this Data Processing Agreement apply equally in this case.
2.5 The data processing covers the categories of data subjects (hereinafter the “Data Subjects”) and types of personal data (hereinafter the “Personal Data”) listed in Appendix A.
3. uQualio's Obligations
3.1 uQualio is only permitted to process personal data on documented instructions from the Data Processor unless processing is required under EU or Member State law to which uQualio is subject; in this case, uQualio shall inform the Data Processor of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28 (3)(a).
3.2 Furthermore, uQualio is required to:
a) Assist the Data Processor so the Data Processor can assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 - 36 of the GDPR provided that the Data Processor is not capable of complying with the obligations without assistance from uQualio and taking into account the nature of the processing and the information available to uQualio.
b) Assist the Data Processor so the Data Processor can assist the Data Controller in answering requests from the Data Subjects as described in Articles 15-22, using appropriate technical and organisational measures, in the fulfillment of the obligations resting upon the Data Controller.
c) Notify the Data Processor of possible personal data breaches regarding Personal Data, cf. Article 33(2) of the Data Protection Regulation.
e) Notify the Data Processor if uQualio considers that the instruction from the Data Processor is in contravention of the legal requirements applicable to the processing.
4. Security of Processing
4.1 uQualio undertakes to implement appropriate technical and organizational security measures according to Article 32 of the GDPR to prevent accidental or illegal destruction, loss or deterioration of Personal Data, and to prevent the Personal Data from being disclosed to unauthorized persons, misused or otherwise treated in contravention of applicable legislative requirements.
4.2 uQualio’s employees are subject to professional secrecy.
4.3 The technical and organizational security measures applicable upon entering into this Data Processing Agreement are specified in Appendix B.
5. Use of Sub-Sub-Processors
5.1 As a general authorisation of the Data Processor, uQualio is entitled to engage another processor (hereafter referred to as “Sub-Sub-Processor”).
5.2 uQualio’s use of Sub-Sub-Processors is based on written agreements that ensure continuation of at least the same level of protection as the level specified in the Data Processing Agreement.
5.3 At the signing of the Data Processing Agreement, the Data Processor simultaneously authorizes uQualio’s use of the Sub-Sub-Processors which appear in Appendix C.
6. International Transfers
6.1 uQualio will attempt to store and process Personal Data within EU/EEA. There are two reasons for the possible transfer of Personal Data outside of EU/EEA:
a) The User accesses the Service from a country outside of the EU/EEA. Thereby the Personal Data is made available to the User outside the EU/EEA, even though the Personal Data is stored within the EU/EEA.
b) The Data Processor transfers and replicates Personal Data to a Sub-Sub-Processor’s data centre outside the EU/EEA for performance reasons.
6.2 Currently uQualio does not transfer Personal Data outside the EU/EEA as described in clause 6.1 b), cf. Appendix C.
6.3 In case of uQualio’s transfer of the Personal Data to third countries, uQualio is responsible for ensuring that a lawful basis for the transfer is present at any time.
6.4 The transfer of Personal Data outside the EU/EEA as described in clause 6.1 a) is based on Article 49(1)(b) or Article 49(1)(c) of the GDPR. Article 49(1)(b) regards the situation where the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller, and (c) regards the situation where the transfer is necessary for the conclusion of a contract concluded in the interest of the Data Subject between the Data Controller and another natural or legal person.
6.5 If uQualio uses the EU Commission's Standard Contractual Clauses as the lawful basis to transfer Personal Data outside the EU/EEA, the Data Processor warrants that uQualio is entitled to complete the spaces and appendixes set out in the Standard Contractual Clauses on behalf of the Data Controller, but in addition to this the Standard Contractual Clauses shall remain unamended.
7. Audit and Inspections
7.1 On request from the Data Processor, uQualio shall once a year make available all information necessary to demonstrate compliance with Article 28 of the GDPR and the obligations laid down in this Data Processing Agreement, including that uQualio has implemented the appropriate technical and organizational measures.
7.2 Once a year the Data Processor, or another auditor mandated by the Data Processor, shall at its own costs have the right to audit or carry out an inspection of uQualio's compliance with this Data Processing Agreement. uQualio undertakes – upon reasonable notice – to provide time and resources for such purpose and allow for and contribute to such inspections conducted by the Data Processor or an auditor mandated by the Data Processor.
7.3 Unless otherwise agreed, uQualio decides the procedures of inspections, the type of audit report and which authorized, independent third party shall carry out the audit and/or the inspection.
7.4 The Data Processor shall give uQualio a notice of at least 30 days if the Data Processor wishes to audit or inspect uQualio's compliance, cf. clause 7.1-7.2.
7.5 The Data Processor shall incur all costs related to the audit or inspection of uQualio’s compliance with this Data Processing Agreement as described in this section 7. Furthermore, uQualio is entitled to invoice the Data Processor at its usual hourly rate for all of uQualio's working hours that such audit or inspection may result in.
8. Commencement and Duration
8.2 Irrespective of clause 8.1, the Data Processing Agreement is in force as long as the Data Processor processes the Personal Data.
9.1 At the termination of the Data Processing Agreement, uQualio shall return, transfer and/or delete the Personal Data according to uQualio’s Privacy and cookies policy.
9.2 uQualio may oppose deletion to the extent that this follows from an express legal obligation resting upon uQualio.
10. Choice of Law and Legal Venue
10.1 The Data Processing Agreement is subject to Danish law.
10.2 In the event of a dispute between the Parties in the course of the Data Processing Agreement, the Parties shall seek in good faith to negotiate an amicable solution. If a solution cannot be achieved from such negotiations, the dispute may be brought to court at the Danish courts.
11.1 Each of the Parties may request that the Data Processing Agreement be renegotiated in consequence of amended data protection legislation, which might significantly change the terms of the Data Processing Agreements by signature. The purpose of this clause is to change the wording of the Data Processing Agreement in accordance with the legislation.
Appendix A: Categories of Data Subjects and types of Personal Data
Appendix B: Technical and organizational security measures
Appendix C: Sub-Sub-Processors
Categories of data subjects and types of personal data
Categories of Data Subjects
The processing can include the following categories of Data Subjects:
The employees of the Data Processor’s customer
The employees or other direct users of the Subscriber
Types of Personal Data
The processing can include the following types of Personal Data about Data Subjects:
E-mail address or phone number.
Geographical location, language, browser type and version, operating system type and version, type of device and screen resolution.
Type of device, time zone, language, browser type, browser version, operating system type, operating system version, screen resolution and user ID.
Your name, user name, profile pictures, interests and hobbies and the content of your posts.
Test and learning results.
Communication content and metadata.
Information in connection with support.
Technical and organizational security measures
The subject of/instruction for the processing
Security of the processing
The level of security shall reflect that the processing involves processing of Personal Data on a smaller scale, and little to no processing of Personal Data which are subject to Article 9 of the GDPR on ‘special categories of personal data’, which is why a normal level of security should be established.
uQualio shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
uQualio shall however – in any event and at a minimum – implement the following measures that have been agreed with the Data Processor:
All Personal Data is stored encrypted on uQualio’s and Sub-Sub-Processors’ servers and is sent encrypted through the internet. All communication and data traffic are encrypted.
Only a limited number of uQualio’s employees have access to Personal Data, and only those who need to have access.
The system is protected against unauthorized external access.
Passwords are encrypted and salted; for the authentication process an industry-standard solution is used.
Back-up is performed regularly.
Infrastructure is set up to prevent, to the greatest possible extent, the system from failing.
The system is continuously updated to avoid any misuse and unauthorized access and to ensure that the systems do not contain known vulnerabilities.