meta pixel

DATA PROCESSOR AGREEMENT

This Data Processing Agreement is between 

The company who Subscribe to the Service using an API or similar methodology,

(hereinafter referred to as ”the Data Processor” or the “Subscriber”) 

and

uQualio ApSCompany reg. no. DK39072858
Egedalsvej 9
3670 Veksø Sjælland
(hereinafter referred to as “uQualio”) 

1. The Purpose of the Agreement

1.1 In order to ensure compliance with the current rules governing the processing of personal data, particularly the General Data Protection Regulation (hereinafter “GDPR”), the Danish Data Protection Act, and related orders and instructions, the Parties have entered into this data processing agreement (hereinafter the ”Data Processing Agreement”).

1.2 The Data Processing Agreement complements uQualio’s Commercial Terms of Use (hereinafter the “Terms of Use”), so that the Terms of Use also apply to the processing of personal data unless the provisions of the Data Processing Agreement specifically regulate the subject matter.

2. The Extent of the Data Processing

2.1 uQualio offers a subscription service to a video eLearning platform (the “Service”) for companies and other international organizations (“Subscribers”). Once a Subscriber has subscribed to the Service, the employees of the Subscribers customers (the “Users”) have access to the Service available using an API. The Service is thus made available by the Subscriber to the Users.

2.2 uQualio is a sub-data processor regarding any personal data, cf. Appendix A, the Users uploads to the Service when creating a personal account, the Subscriber is a Data Processor and the Subscribers customer is Data Controller.

2.3 In case the Service is made available to the Subscribers employees or other direct users of the Subscriber (oppose to section 2.1 above where the users are the employees of the Subscribers customers) (the “Users”), uQualio is a Data Processor and the Subscriber is a Data Controller. The terms of this Data Processing Agreement apply equally in the case. 

2.4 As agreed with the Subscriber uQualio carries out the tasks established in the Terms of Use and this Data Processing Agreement on behalf of the Data Controller and will accordingly be granted access to personal data. uQualio exclusively processes data to fulfil its obligations according to the Terms of Use and is thus considered a sub-data processor.

2.5 The data processing covers the categories of data subjects (hereinafter the ”Data Subjects”) and types of personal data (hereinafter the ”Personal Data”) listed in Appendix A.

3. uQualio’s Obligations

3.1 uQualio is only permitted to process personal data on documented instructions from the Data Processor unless the processing is required under EU or Member State law to which uQualio is subject; in this case, uQualio shall inform the Data Processor of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28 (3)(a).

uQualio acts according to the Data Processor’s instructions and only to the extent necessary for uQualio to fulfill its obligations pursuant to the Terms of Use and the Data Processing Agreement.

3.2 Furthermore, uQualio is required to: 

a) Assist the Data Processor so the Data Processor can assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 – 36 of the GDPR provided that the Data Processor is not capable of complying with the obligations without assistance from uQualio and taking into account the nature of the processing and the information available to uQualio. 

b) Assist the Data Processor so the Data Processor can assist the Data Controller in answering requests from the Data Subjects as described in Articles 15-22, using appropriate technical and organizational measures, in the fulfillment of the obligations resting upon the Data Controller. 

c) Notify the Data Processor of possible personal data breaches regarding Personal Data, cf. Article 33(2) of the Data Protection Regulation.

d) Notify the Data Processor of inquiries from the Danish Data Protection Agency to uQualio, if the inquiries concern processing activities covered by the Terms of Use and the Data Processing Agreement.

e) Notify the Data Processor if uQualio considers that the instruction from the Data Processor is in contravention of the legal requirements applicable to the processing.

4. Security of Processing

4.1 uQualio undertakes to implement appropriate technical and organizational security measures according to Article 32 of the GDPR to prevent accidental or illegal destruction, loss, or deterioration of Personal Data, and to prevent the Personal Data from being disclosed to unauthorized persons, misused, or otherwise treated in contravention of applicable legislative requirements. 

4.2 uQualio’s employees are subject to professional secrecy.

4.3. The technical and organizational security measures applicable upon entering into this Data Processing Agreement are specified in Appendix B.

5. Use of Sub-Sub-Processors

5.1 As a general authorization of the Data Processor uQualio is entitled to engage another processor (hereafter referred to as “Sub-Sub-Processor”).

5.2 uQualio’s use of Sub-Sub-Processors is based on written agreements that ensure the continuation of at least the same level of protection as the level specified in the Data Processing Agreement.

5.3 At the signing of the Data Processing Agreement, the Data Processor simultaneously authorizes uQualio’s use of the Sub-Sub-Processors which appear in Appendix C.

5.4 As a consequence of the general authorization, cf. section 5.1, the uQualio shall inform the Data Processor of any intended changes concerning the addition or replacement of Sub-Sub-Processors with a notice of 14 days, thereby giving the Data Processor the opportunity to object to such changes within 10 days. In case of an objection from the Data Processor, which uQualio cannot meet the content of, the Service as described in the Terms of Use will be considered terminated by the Data Processor.

6. International Transfers

6.1 uQualio will attempt to store and process Personal Data within the EU/EEA. There are two reasons for the possible transfer of Personal Data outside of EU/EEA:

a) The User accesses the Service from a country outside of the EU/EEA. Thereby the Personal Data is made available to the User outside the EU/EEA, even though the Personal Data is stored within the EU/EEA.

b) The Data Processor transfers and replicates Personal Data to a Sub-Sub-Processor’s data center outside the EU/EEA for performance reasons. 

6.2 Currently uQualio does not transfer Personal Data outside the EU/EEA as described in clause 6.1 b), cf. Appendix C.

6.3 In case of uQualio’s transfer of the Personal Data to third countries, uQualio is responsible for ensuring a lawful basis for the transfer present at any time. 

6.4 The transfer of Personal Data outside the EU/EEA as described in clause 6.1 a is based on Article 49(1)(b) or Article 49(1)(c) of the GDPR. Article 49(1)(b) regards the situation, where the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller, and (c) regards the situation, where the transfer is necessary for the conclusion of a contract concluded in the interest of the Data Subject between the Data Controller and another natural or legal person. 

6.5 If uQualio uses the EU Commission’s Standard Contractual Clauses as the lawful basis to transfer Personal Data outside the EU/EEA, the Data Processor warrants that uQualio is entitled to complete the spaces and appendixes set out in the Standard Contractual Clauses on behalf of the Data Controller, but in addition to this, the Standard Contractual Clauses shall remain unamended.

7. Audit and Inspections

7.1 On request from the Data Processor uQualio shall once a year make available all information necessary to demonstrate compliance with Article 28 of the GDPR and the obligations laid down in this Data Processing Agreement, including that uQualio has implemented the appropriate technical and organizational measures.

7.2 Once a year the Data Processor, or another auditor mandated by the Data Processor, shall at its own costs have the right to audit or carry out an inspection of uQualio’s compliance with this Data Processing Agreement. uQualio undertakes – at a reasonable notice – to provide time and resources for such purpose and allow for and contribute to such inspections conducted by the Data Processor or an auditor mandated by the Data Processor.

7.3 Unless otherwise agreed uQualio decides the procedures of inspections, the type of audit report, and which authorized, independent third party that shall carry out the audit and/or the inspection.

7.4 The Data Processor shall give uQualio a notice of at least 30 days if the Data Processor wishes to audit or inspect uQualio’s compliance cf. clause 7.1-7.2.

7.5 The Data Processor shall incur all costs related to the audit or inspection of uQualio’s compliance with this Data Processing Agreement as described in this section 7. Furthermore, uQualio is entitled to invoice the Data Processor with his usual hourly rate for all uQualio’s working hours as such audit or inspection may result in. 

8. Commencement and Duration

8.1 The commencement and duration of the Data Processing Agreement comply with the Terms of Use.

8.2 Irrespective of clause 8.1, the data Processor Agreement is in force as long as the Data Processor processes the Personal Data.

9. Termination

9.1 At the termination of the Data Processing Agreement, uQualio shall return, transfer, and/or delete the Personal Data according to uQualio’s Privacy and cookies policy. 

9.2 uQualio may oppose deletion to the extent that this follows from an express legal obligation resting upon uQualio.

10. Choice of Law and Legal Venue

10.1 The Data Processing Agreement is subject to Danish law.

10.2 In the event of a dispute between the Parties in the course of the Data Processing Agreement, the Parties shall seek in good faith to negotiate an amicable solution. If a solution cannot be achieved from such negotiations, the dispute may be brought to court at the Danish courts.

11. Renegotiation

11.1 Each of the Parties may request that the Data Processing Agreement be renegotiated in consequence of amended data protection legislation, which might significantly change the terms of the Data Processing Agreements by signature. The purpose of this clause is to change the wording of the Data Processing Agreement in accordance with the legislation.

12. Appendixes

Appendix A: Categories of Data Subjects and Types of Personal Data

Appendix B: Technical and organizational security measures

Appendix C: Sub-Sub-Processors

Appendix A

Categories of data subjects and types of personal data 

Categories of Data Subjects

The processing can include the following categories of Data Subjects:

  • The employees of the Data Processor’s customer
  • The employees or other direct users of the Subscriber

Types of Personal Data

The processing can include the following types of Personal Data about Data Subjects:

  • E-mail address or phone number.
  • Geographical location, language, browser type and version, operating system type and version, type of device and screen resolution.
  • Type of device, time zone, language, browser type, browser version, operation system type, operation system version, screen resolution, and user ID.
  • Your name, user name, profile pictures, interests and hobbies, and the content of your posts.
  • Test and learning results.
  • Communication content and metadata.
  • Information in connection with support.

Appendix B

Technical and organizational security measures

The subject of/instruction for the processing

uQualio’s processing of Personal Data on behalf of the Data Processor shall be carried out by uQualio by making the Service available to the Data Processor and the Data Processor’s customers and their employees. The requirements for the Service and the instructions correspond to the Terms of Use. 

Security of the processing

The level of security shall reflect that the processing involves processing of Personal Data on a smaller scale, and little to none processing of Personal Data which are subject to Article 9 of the GDPR on ‘special categories of personal data’, which is why a normal level of security should be established. 

uQualio shall hereafter be entitled and under obligation to make decisions about the technical and organizational security measures that are to be applied to create the necessary (and agreed) level of data security.

uQualio shall however – in any event and at a minimum – implement the following measures that have been agreed with the Data Processor:

  • All Personal Data is stored encrypted on uQualio’s and Sub-Sub-Processors servers and is sent encrypted through the internet. All communication and data traffic are encrypted.
  • Only a limited number of uQualio’s employees have access to Personal Data, and only those who need to have access.
  • The system is protected against unauthorized external access.
  • Passwords are encrypted and salted, for the authentication process an industry-standard solution is used.
  • Back-up is performed regularly.
  • Infrastructure is set up to prevent, to the greatest possible extent, the system from failing.
  • The system is continuously updated to avoid any misuse, or unauthorized access and to ensure that the system does not contain known vulnerabilities. 

Appendix C

Sub-Sub-Processor

chart