Trading & data processing agreement
Below, you can read our terms and conditions
TRADING AND DATA PROCESSING AGREEMENT
Between the Parties: Penneo ApS
Company reg. no.: 35633766
Enghavevej 40, 4. sal
DK-1674 København V
(Hereinafter referred to as “Penneo”)
Company reg. no.: XXXXXXXX
Street name and number
DK-Postal Code and city
(Hereinafter referred to as “the Customer”).
(Penneo and the Customer hereinafter individually referred to as “Party” and collectively as the “Parties”)
this Trading and Data Processing Agreement (hereinafter the “Agreement”) has been concluded.
1. APPLICATION AND SCOPE
1.1 The Agreement applies to sale of the Service from Penneo ApS (hereinafter “Penneo”) to the Customer unless it has been expressly derogated from or modified by another written agreement and it can be established with certainty that the intention was to derogate from this agreement.
1.2 The Parties want to enter into cooperation where Penneo is to provide the Service to the Customer.
1.3 The purpose of the Agreement is to lay down the conditions for Penneo’s provision of the Service to the Customer.
2. THE SERVICE
2.1 The Service (“the Service”) makes it possible to sign documents and make validations by means of electronic ID.
2.2 The Service (“the Service”) is offered as Software as a Service (“SaaS”) so that the Customer via the Internet and/or API calls can connect to Penneo’s server or a server at one of Penneo’s collaboration partners and get access to the Service.
2.3 It is a condition for access to the Service that the Customer delivers the Documents in standard PDF format. On the other hand, the documents that are returned by Penneo after all parties have signed them will be in the format PAdES-PDF. The returned files contain all signature certificates, are locked for editing and are, at the time of return to the Customer and Third Party, activated for long-term storage (LTV).
3. TERM AND TERMINATION OF THE AGREEMENT
3.1 The Agreement takes effect when the Agreement is signed by the Parties (“Time of Commencement”).
3.2 There is a period of commitment for the Service of 12 months as from the Time of Commencement.
3.3 Either Party may terminate the Agreement at a written notice of 3 months to expire at the end of the period of commitment. If the Agreement is not terminated at the latest 3 months before the expiry of the period of commitment, this gives rise to a new period of commitment of 12 months.
3.4 The signature package of the Agreement has a period of validity of 36 months. That means that all the signatures in the package chosen must have been used/activated within 36 months. Unused signatures may be transferred to a new period of commitment. If the Agreement ends, irrespective of the cause, before the expiry of the 36-month period, any unused signatures will lapse without compensation.
3.5 When a signature package is empty (all signatures are used), a new similar signature package is automatically invoiced to the Customer, unless otherwise agreed in writing.
3.6 Upon the expiry of the Agreement, Penneo undertakes to keep all the Customer’s Data of which Penneo is in possession for a period of 90 days.
3.7 At any time during the period specified in sub-clause 3.6., the Customer has the right to supply the Customer’s Data or delete the Customer’s Data in full or in part from its account with Penneo. The Customer’s Data is supplied in the formats that are used in the system(s) of Penneo or its sub-suppliers and thus no processing/conversion of data is performed, unless otherwise expressly agreed between the Customer and Penneo.
3.8 Supply of the Customer’s Data in a processed or converted form may be agreed separately against payment.
4. PRICE AND PAYMENT TERMS
4.1. Prices for the Customer’s use of the Service and connection/initiation and other services from Penneo are fixed in the price scheme below (which covers the initial order):
|Yearly subscription / Software licenseNumber of user: X-XX||X.XXX DKK|
|Signature package: XX signatures of XX DKK/pcs.||X.XXX DKK|
|Onboarding: Online setup or on premise workshop||X.XXX DKK|
|Total price upon signature of this agreement||X.XXX DKK|
|(all prices are exclusive of VAT)|
4.2 The prices are inclusive of the duties and taxes in force at the time of the commencement of the Agreement, apart from VAT.
4.3 Penneo may give notice of price changes with 3 months’ notice in the case of the introduction of new or increased Danish taxes and duties or amendments to the service provider agreement between Penneo and providers of electronic ID systems.
4.4 he payment terms are net cash + 14 days from the invoice date at the place of payment specified by Penneo. Payment must be made without any fees and costs to Penneo. In the case of payment after the due date, the Customer must pay an interest rate of 1.5% per month on the balance overdue from the last date of punctual payment until payment is made. The Customer cannot deduct any amounts in the fee for the service originating from stated claims from other legal matters.
4.5 Invoices must be sent in electronic form to the following e-mail address:
5. OPERATIONAL RELIABILITY AND SUPPORT
5.1. Penneo secures stable operation but is not liable for irregularities in operations caused by factors that are outside Penneo’s control. Penneo will restore normal operations as soon as possible.
5.2. Penneo ensures accessibility to the Service during the term of the Agreement as stated below:
5.2.1. Uptime of 99,9%;
5.2.2 The uptime is measured and calculated per calendar month based on service time 24/7. In the calculation of uptime, downtime of which notice has lawfully been given in pursuance of the Agreement or which has otherwise expressly been accepted by the Customer is not included
5.2.3 The Customer can at any time see the status of Penneo’s uptime at www.penneo.com under support, operating status; cf. sub-clauses 9.1. and 9.2.
6. SECURITY REGULATIONS
6.1. All documents are stored in encrypted form and all communication to and from Penneo’s server(s) is encrypted and firewalls have been established to secure the Software. However, Penneo cannot provide any guarantee against hacker attacks which cause system failure and/or loss of data.
7. STORAGE AND BACKUP
7.1. The Customer’s Data and back-up media are placed with Penneo’s sub-supplier (Amazon Web Services, Inc. (“AWS”)). All Data is stored within the EU in EU (Dublin) Region and EU (Frankfurt) Region, respectively.
7.2. Penneo uses two backup strategies for separate data classes that are described in more detail in sub-clauses 7.3. and 7.4.:
- The Customer’s data
- System data
7.3 The Customer’s data is stored at several separate physical locations. The Customer’s documents are versioned in order to being able to roll back changes. Deletion of documents including versioning can be made only by at least two persons jointly.
7.4 Penneo makes incremental backup of Systems data on a daily basis. Backups are kept for at least 14 days. All data in Penneo’s production environment is stored at at least two separate physical locations.
7.5 All the Customer’s documents are stored in the Service for 5 years from the time of creation unless the Agreement is terminated in the meantime. In that case, the provisions of sub-clauses 3.5 to 3.7 apply. Penneo guarantees only the protection of the evidential value of the documents for the period during which they are stored in the Service. The Customer’s documents are kept for more than the 5-year period only if a separate agreement has been concluded between the Customer and Penneo on such storage.
7.6 If a system failure - irrespective of the cause - results in loss of or damage to the Customer’s data, Penneo will after the failure/damage has been ascertained either on its own initiative or after having been contacted by the Customer start restoration of the Customer’s Data from the relevant backup location(s). During this period, the Customer’s data may be inaccessible for a maximum of 24 hours.
8.1. In order to provide the best possible service it is necessary periodically to extend/renew technical equipment and to make software updates etc. Therefore, Penneo carries out maintenance and updating of the Service from time to time.
8.2 The Customer is given notice of maintenance and/or updating via Penneo’s website.
8.3 Penneo’s API is offered in different versions. When a new version is issued, Penneo endeavours to ensure that the new version does not affect previous versions. However, Penneo cannot guarantee that new versions of APIs do not require new development at the Customer. In case where Penneo no longer supports an API version, Penneo must give notice of this at least 6 months before the API version in question is taken out of service.
8.4 In connection with maintenance, it may be necessary to suspend access to the Service. Such suspensions will mainly be placed in the period from 21:00 – 06:00 CET. If it becomes necessary to suspend access to the Service outside the period mentioned, notice will be given of this in advance unless technical or security reasons make it necessary to change the system with immediate effect.
9. FAULT REPORTING
9.1. If the Customer detects defects, failure or irregularities, the Customer can check whether the matter has been recorded at status.penneo.com.
9.2. If the matter has not already been recorded, the Customer must contact Penneo without undue delay; cf. sub-clause 9.3.
9.3. In the case of fault reporting, the Customer must describe the defect in writing by using Penneo’s online fault reporting procedure, called support, so that Penneo receives the necessary information to locate the defect immediately.
10.1. 24-hour support, end user assistance and software updates are included in the subscription price. Special support inquiries or individual system adaptations are invoiced separately. This applies to both support by telephone and written support.
11. LIABILITY AND LIMITATION OF LIABILITY
11.1. Each Party is liable for damages in accordance with the general rules of Danish law with the limitations set out below, always provided that the limitations apply only if the loss is not attributable to gross negligence or wilful intent on the part of the Party committing the tort.
11.2. Penneo disclaims liability for any indirect loss or consequential loss including, but not limited to, business interruption, loss of profits, loss of the Customer’s Data and goodwill with the Customer.
11.3. Apart from product liability (cf. sub-clause 11.4), the total amount of damages that the Customer can claim from Penneo in accordance with the Agreement is limited to the smaller of the following:
- the total payment that Penneo has received from the Customer in accordance with this Agreement at the time of the claim, or
- DKK 25,000 per claim per year..
11.4 Penneo is liable for product liability in accordance with the general rules of damages of Danish law. However, Penneo’s liability for damages in each case is limited to the amount which is paid out in accordance with Penneo’s product liability insurance in force at any time.
11.5 Penneo is obliged to maintain the customary and sound insurance level, including as a minimum product liability insurance and general liability insurance to cover Penneo’s liability in accordance with the Agreement.
12. THE RIGHT TO DATA
12.1. The Customer retains ownership of the Customer’s Data and the results of the processing of the Data.
12.2. Penneo cannot exercise a lien on the Customer’s Data.
13. PROCESSING OF THIRD PARTY DATA
13.1. For use of the Service, the Customer creates a profile including an account with Penneo and thereafter the Customer uploads documents and other data, including personal data, to its account with Penneo for use for signing the Customer’s documents (hereinafter collectively referred to as the “Customer’s Data”).
13.2. The third parties who are to sign the Customer’s documents (hereinafter “Third Party”) create an independent profile including an account with Penneo. The third party uploads its data, including personal data, to its account with Penneo in connection with signing of the Customer’s document(s) (hereinafter collectively referred to as the “Third Party Data”).
13.3. The Customer and all Third Parties receive a copy of the signed documents and the documents are stored and kept by Penneo. Both the Customer and all Third Parties have via their respective accounts with Penneo independent access to the signed documents at Penneo.
13.4. In the relation between the Customer and Penneo, Penneo is data processor and the Customer is data controller. Penneo and the Customer have concluded the data processing agreement attached as Appendix 1 (hereinafter the “Data Processing Agreement”) that regulates Penneo’s processing of the Data of the Customer that is personal data.
14. Force Majeure
14.1. If Penneo cannot provide its services in accordance with the Agreement as a result of force majeure, Penneo cannot be held liable for losses on account of that and the Customer cannot terminate the Agreement with immediate effect; cf. sub-clause 14.3, however.
14.2.Penneo must inform the Customer without undue delay if a force majeure situation arises. Force majeure is a matter on which Penneo has no influence and which Penneo cannot bypass with reasonable financial and practical measures. Force majeure is for example war, mobilisation, terrorist attack, failure/breakdown of public electricity supply, strike, fire, flood etc.
14.3. If the accessibility to the Service is essentially impossible due to force majeure and this lasts for more than 30 days, either Party may terminate the Agreement in writing with immediate effect but cannot in that connection advance any claims against the other Party.
15. INTELLECTUAL PROPERTY RIGHTS
15.1. The Customer has been advised that the Service is protected by copyright and the Customer acquires only a non-exclusive conditional right to use the Service. The right of use is conditional upon the Customer’s payment and observance of the Agreement and it has been expressly pointed out to the Customer that the right of use is limited in time so that it will automatically lapse on termination of the Agreement irrespective of the cause of termination. The right of use is non-transferable.
15.2. The Customer is entitled to use the Service only for the Customer’s own enterprise.
15.3. The Customer agrees that it will respect the copyrights. The Customer is liable for the Customer’s employees’ and external advisors’ observance of the rights to the Service when it is used and the Customer is obliged to ensure that it is expressly pointed out to the Customer’s employees and external advisers that the Service is protected by copyright and may be used only in accordance with the terms of the Agreement.
16. CONFIDENTIALITY AND DUTY OF CONFIDENTIALITY
16.1. During the term of the Agreement and after termination of the Agreement, the Parties undertake not to disclose to any unauthorised person any information received from and about the other Party of which a Party learns in connection with the Agreement and provision of the Service to the Customer. The Parties may use such information only in accordance with the Agreement and must not disclose the information unless disclosure is required in accordance with legislation, a court order or an order from a public authority. The above does not apply to information that is generally known or publicly available and which is not according to Legislation subject to such limitations.
17. MARKETING AND COMMUNICATION BETWEEN THE PARTIES
17.1. Penneo is entitled to use the Customer as a reference, unless the Customer has expressly and in writing objected to this.
17.2. When signing the Agreement, the Customer gives Penneo the right to send service announcements and information which may contain newsletters and other marketing and information concerning the Service and Penneo’s other products and services at any given time by e-mail.
17.3. The Customer may at any time unsubscribe newsletters and other marketing.
17.4. E-mails that contain operational information are mandatory as they may be of importance for the Customer’s use of the Service.
17.5. An e-mail has arrived when it has been received in the recipient’s e-mail system and when under normal circumstances it will be accessible to the recipient. The fact that an e-mail is specifically not accessible owing to problems in the recipient’s e-mail system is thus the risk of the recipient. It is the responsibility of the Parties to give information about changes to the above contact information.
18. BREACH OF CONTRACT
18.1. In the event of material breach of the Agreement by one of the Parties, the non-breaching Party may terminate the Agreement forthwith if the matter has not been remedied within 10 working days from the written notice has been given to the Party committing the breach.
18.2. In the event of bankruptcy, reconstruction, restructuring, liquidation, compulsory dissolution, acceptance of a composition, a contractual arrangement with creditors or the like, the other Party is entitled to terminate the Agreement with immediate effect.
18.3. If the Customer does not pay for the Service in accordance with clause 4 of the Agreement, Penneo is entitled to disable access to the Service at a prior notice of 20 days. The Customer’s access is re-established only when amounts due have been received by Penneo.
18.4. If Penneo terminates the Agreement as a result of the Customer’s breach, including default on payment, Penneo is entitled to keep the prepayment already made. If the Customer terminates the Agreement as a result of Penneo’s breach the termination will be valid only for the future, and the Customer can only claim payment refunded as from the month in which the breach occurred.
19.1. The Parties agree that the Agreement has been concluded in accordance with Danish law and that any dispute between the Parties must be settled in accordance with Danish law.
19.2. The Parties shall endeavour to settle disputes amicably through negotiation. If a dispute cannot be settled amicably, both Parties are entitled to bring the matter before the Copenhagen City Court in the first instance.
20. OTHER PROVISIONS
20.1. If a provision in the Agreement is declared illegal, invalid or unenforceable, the provision must in spite of this be enforced to the greatest extent possible in accordance with current legislation so that the Parties’ original intention reflected. Such a provision does not af fect the lawfulness or validity of other provisions.
20.2. Any provision in the agreement which according to its nature extends beyond the time when the Agreement ends in full or in part shall continue to apply and be binding on the Parties.
21. CONFIRMATION AND SIGNATURE
21.1. The Agreement and the Data Processing Agreement enclosed as Appendix 1 are hereby confirmed by the Parties by the use of digital signature. The signers of the Agreement declare that they are authorised signatories in pursuance of the respective signing powers and rules on the right to make transactions. The printable and readable evidence of the signatures will appear from the last page of the finished document which will be submitted to all parties when all parties have signed.
APPENDIX 1 TO TRADING AND DATA PROCESSING AGREEMENT
DATA PROCESSING AGREEMENT
A. BACKGROUND AND PURPOSE
a. The Data Controller (Customer Name) and the Data Processor (Penneo) have concluded a Trading and Data Processing Agreement (the Agreement) concerning the provision of digital services in the form of a Digital Signature and Validation Service (validation of Social Security Number and registration with the Central Business Register (Company reg. no.)) based on the Nordic electronic ID systems for which NemID or BankID is used on the commencement of the Agreement (hereinafter the “Service”).
b. In accordance with the Agreement, the Data Processor shall process personal data on behalf of the Data Controller in connection with the provision of the Service.
c. This Data Processing Agreement (hereinafter the “Data Processing Agreement”) lays down the terms and conditions for the Data Processor’s processing of the personal data (as defined in the Legislation; cf. sub-clause A.d.) which the Data Controller provides to the Data Processor in pursuance of the Agreement in connection with use of the Service (hereinafter the “Personal Data”). Unless otherwise expressly stated in the Data Processing Agreement, the other provisions of the Agreement shall apply.
d. The purpose of the Data Processing Agreement is to secure observance of the legislation on personal data in force at any time including the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”) that enters into force on 25 May 2018 (hereinafter collectively referred to as “the Legislation”).
B. TYPES OF PERSONAL DATA AND THE GENERAL OBLIGATIONS OF THE DATA PROCESSOR
a. The types of Personal Data and categories of data subjects that the Data Processor is to process for the Data Controller as part of the performance of the Agreement and the Data Processing Agreement are stated in clause Q.
b. It is only the Data Controller who decides which Personal Data is to be processed by the Data Processor and for which purposes this personal data may be processed.
c. The Data Processor processes the Personal Data only in accordance with instruction from the Data Controller.
d. The Data Processor must process the Personal Data in accordance with the Legislation in force at any time. The Data Controller must ensure that all Personal Data which the Data Controller provides to the Data Processor is provided via functions in the Service and is not sent via an insecure e-mail or in any other manner that is contrary to the Legislation.
e. In the event that the Danish Data Protection Agency makes an inquiry concerning the processing of the Personal Data, the Data Controller and the Data Processor must collaborate on answering questions, providing information or meeting requirements, if any.
C. LIST OF DATA PROCESSING ACTIVITIES
a. Not later than when the Personal Data Regulation enters into force, the Data Processor must keep a list of all categories of processing undertaken by the Data Processor on behalf of the Data Controller. The list, which is kept electronically, e.g. as log files, must contain:
i. The name and contact information of the Data Processor, Data Sub-Processors (cf. sub-clause D.a.), the Data Controller and a Data Protection Officer, if any;
ii. The categories of the processing that the Data Processor or Data Sub-Processors undertake on behalf of the Data Controller; and
iii. A general description of the technical and organisational security measures; cf. clause E.
b. The list must be available in writing, including electronically. At the request of the Data Controller or the Danish Data Protection Agency, the Data Processor must at any time make the list available to the Data Controller and/or the Danish Data Protection Agency.
D. THE DATA PROCESSORS´ USE OF DATA SUB-PROCESSORS
a. The Data Controller hereby consents to the Data Processor being entitled to use Data Sub-Processors (“Data Sub-Processors”) to provide the services of the Data Processor in accordance with the Agreement. It is the responsibility of the Data Processor that Data Sub-Processors meet their data protection obligations in accordance with the Legislation.
b. On the conclusion of the Agreement, the Data Processor makes use of Amazon Web Services, Inc. (“AWS”) as Data Sub-Processor for storage of the Personal Data. AWS makes use of authorised sub-suppliers for the provision of the service to the Data Processor. The Customer can find a link to the website of AWS with all information on AWS’s compliance with the General Data Protection Regulation at https://aws.amazon.com/compliance/gdpr-center/.
c. The Data Processor notifies the Data Controller of any planned changes to the use of Data Sub-Processors, including the addition or replacement of Data Sub-Processors as well as the use of new Data Sub-Processors who are not subject to sub-clause D.b.
d. If the Data Controller cannot accept changes that are subject to sub-clause D.b. or sub-clause D.c., the Data Controller may terminate the Data Processing Agreement with a written notice of 14 days. Notwithstanding the provision in sub-clause 3.3. of the Agreement, the Agreement will automatically be terminated at the same time as the notice of termination of the Data Processing Agreement. The provisions of clause 3 of the Agreement will continue to apply without any changes. Payments made by the Customer are not refunded.
e. If a Data Sub-Processor is based in a third country outside the EU/EEA, it is the duty of the Data Processor to ensure that the Personal Data is kept within the EU/EEA and is not transferred to the third country in question unless transfer is necessary to comply with legislation in force that applies to the Data Processor or the Data Sub-Processors of the Data Processor or as a result of demands made by a competent public authority which are binding for the Data Processor or the Data Processor’s Data Sub-Processors. The Data Processor will give the Data Controller reasonable notice if such demands are made in relation to the Data Processor or the Data Sub-Processors of the Data Processor and will endeavour to enable the Customer to object or use relevant remedies unless the Data Processor or the Data Sub-Processors of the Data Processor is/are prevented from this in accordance with legislation in force.
E. INFORMATION SECURITY AND DATA PROTECTION REQUIREMENTS
a. The Data Processor must take the necessary technical and organisational security measures against Personal Data being accidentally or unlawfully destroyed, lost or impaired and against any unauthorised persons receiving the Personal Data, the Personal Data being abused or otherwise processed contrary to the Legislation. Such technical and organisational security measures include:
i. Certification, including that the Data Processor is certified in accordance with the ISAE 3000 standard by KPMG, which means that KPMG has audited the internal security policies and security procedures of the Data Processor with a view to optimum protection of the documents of the Data Controller;
ii.Network security, transmission and storage, including the establishment of a login and password procedure (two factor authentication) as well as firewalls and antivirus software. All documents are stored in encrypted form and all communication to and from the Data Processor’s server(s) is encrypted. The Data Processor observes the encryption standards that are defined by the National Institute of Standards and Technologies (NIST). The Data Processor uses only encryption algorithms that are approved by the Federal Information Processing Standards (FIPS) and recommended by NIST;
iii. Matters relating to employees, including that only employees who are authorised have access to the Personal Data and that employees receive relevant training, adequate instructions in and guidelines for the processing of the personal data; cf. also clause G.;
iv. Physical security, including that access to buildings and systems that are used in connection with the data processing is protected in an appropriate manner so that unauthorised third parties do not have access to them.
b. The Data Processor must implement and observe a security policy and guidelines for the processing of Personal Data in the Data Processor’s organisation that are in accordance with and meet the terms and conditions that appear from this Data Processing Agreement and/or the instruction of the Data Controller at any time.
c. The Data Processor evaluates the security level with a view to initiating any necessary measures to maintain sufficient data security at any time.
F. SECURITY INCIDENTS
a. The Data Processor must establish and implement procedures for the handling of breaches of the personal data security; cf article 4 (12) and article 33 (2) of the General Data Protection Regulation.
b. The Data Processor must without undue delay after having become aware of any data breach, inform the Data Controller in writing of the breach of the personal data security, including information on who has processed the data of the Data Controller and when with a view to enabling the Data Controller to have a criminal investigation performed.
c. In the event of breach of the personal data security, the Data Processor must without undue delay and not later than 36 hours after the Data Processor became aware of the breach of the personal data security inform the Data Controller in writing of the breach and as a minimum provide the following information:
i. A description of the nature of the breach of the personal data security, including - if possible - the categories and the approximate number of data subjects affected as well as the categories and the approximate number of entries of personal data affected;
ii. A description of the likely consequences of the breach of the personal data security;
iii. A description of the measures that the Data Processor has made or has proposed should be made to handle the breach of the personal data security, including measures to limit its potential adverse effects.
iv. The name and contact information of the Data Protection Officer, if such an Officer has been appointed, by the Data Processor, or another contact point where additional information can be obtained.
d. When and in so far as it is not possible to provide the information collectively, the information may be provided in stages without any undue further delay.
e. The Data Processor’s notifications to the Data Controller on a breach of the personal data security in accordance with this clause F does not mean that the Data Processor has thereby acknowledged being in breach of the Agreement or being liable for damages in relation to the Data Controller for the breach of the personal data security in question.
G. HOME OFFICES
a. All workplaces at the Data Processor’s are laptop computers or the like. Irrespective of physical location, the access of the employees to the Service and the systems of the Data Processor is protected in the same way. This means among other things that login and access to the Data Processor’s production environment always requires two-factor authentication and for the following operations at least two persons must work together:
- Changes of firewalls
- Granting or revoking privileges
- Access to backup
Access to the virtual infrastructure is only via encrypted channels. Access at OS level is via SSH and the primary purpose is to provide support to the software development process.
b. The Data Processor must lay down guidelines for the processing of Personal Data by employees.
H. THE OBLIGATION OF THE DATA PROCESSOR TO ASSIST THE DATA CONTROLLER
a. In consideration of the nature of processing and the Personal Data that is to be processed by the Data Processor, the Data Processor must assist the Data Controller in securing observance of the provisions of the Legislation on the rights of data subjects as regards Personal Data. In this connection, the Data Processor must by means of suitable technical and organisational measures assist the Data Controller with the handling of inquiries from a data subject, including but not limited to a request for access, correction, blocking or deletion of Personal Data. In so far as the Data Controller can itself handle inquiries from a data subject via functions in the Service, the Data Controller must make use of these.
b. Furthermore, in consideration of the nature of processing and the Personal Data that is to be processed by the Data Processor, the Data Processor must assist the Data Controller in observing other obligations that are imposed on the Data Controller in accordance with the Legislation where this is contemplated or is necessary for the Data Controller to meet its obligations. As part of this, the Data Processor must assist the Data Controller in ensuring observance of among other things the obligations in pursuance of articles 32-36 of the General Data Protection Regulation.
c. The Data Processor is entitled to demand payment for services in accordance with this clause H only in accordance with the prices specified at www.penneo.com.
I. AUDIT AND AUDIT OPINION
a. At the request of the Data Controller, the Data Processor must give the Data Controller such information as is necessary for the Data Controller to ensure that the Data Processor and its Data Sub-Processors comply with the requirements that are laid down in the Data Processing Agreement, including that they have taken the necessary technical and organisational security measures and that the measures are observed.
b. At the written request of the Data Controller, the Data Processor must provide documentation that the security measures have been implemented at the Data Processor’s.
c. The Data Controller can via an auditor or another trusted party who is approved by the Data Controller and the Data Processor perform an unannounced audit (within normal working hours) that the Data Processor meets its obligations including a audit of and possibly follow-up on user access and rights.
d. Once a year, the Data Processor gives the Data Controller access to the audit opinions ISAE 3000 (type 2) as well as access to the declaration of observance of the Legislation in force. The opinions/declarations must be given after the end of each calendar year so that they are available to the Data Controller not later than on 31 March.
e. In addition, the Data Controller is entitled for its own account to have an independent third party make an annual audit of the Data Processor’s processing of Personal Data.
f. The Data Processor is obliged to allow authorities who in accordance with the legislation in force at any time have access to the facilities of the Data Controller and the Data Processor or representatives who act on behalf of the authority access to the physical facilities of the Data Processor against due identification and the prior signing of a non-disclosure declaration.
J. OBLIGATIONS AND RESPONSIBILITIES OF THE DATA CONTROLLER
a. It is the responsibility of the Data Controller to ensure that the necessary basis in accordance with the Legislation for the processing of Personal Data is available and in connection with the processing of Personal Data the Data Controller must observe and comply with the Legislation.
b. The Data Controller must observe the security instructions in force at any time on which the Data Processor may provide information to the Data Controller concerning access to and use of the Service.
c. The Data Controller must indemnify the Data Processor for legal proceedings, claims, costs (including reasonable expenses for legal assistance), losses, liability, expenses or damage that is/are a consequence of the Data Controller’s non-observance of the Legislation or the security instructions provided by the Data Processor concerning access to or use of the Service, or any other breach of this Data Processing Agreement. Reference is also made to clause N.c.
K. COSTS AND PAYMENT
a. The Data Processor is entitled to demand payment for Services that the Data Processor provides to the Data Controller in accordance with this Data Processing Agreement only in accordance with the prices specified at www.penneo.com.
L. AMENDMENTS TO THE DATA PROCESSING AGREEMENT
a. Each Party may at any time with a reasonable prior written and reasoned notice demand amendments to the Data Processing Agreement if the amendment is necessary to observe the Legislation in force at any time.
b. The Data Processing Agreement may furthermore at any time be adjusted at a written notice of 30 (thirty) calendar days if the Data Controller wants to adjust the types of Personal Data or the categories of data subjects stated in clause Q.
c. If there is a significant change to or adjustment of the Data Processing Agreement in pursuance of clause L.a. or clause L.b. to the disadvantage of the Data Processor, the Data Processor may terminate the Data Processing Agreement at a notice of 3 months to expire at the end of a month, notwithstanding sub-clause 3.3. of the Agreement. Payments made by the Customer are not refunded.
M. HANDLING OF DATA AFTER TERMINATION OF THE DATA PROCESSING AGREEMENT
a. Upon termination of the Data Processing Agreement, irrespective of the cause, the provisions of sub-clauses 3.6 - 3.8 of the Agreement apply.
b. If doubt arises after the termination of the Data Processing Agreement as to whether all Personal Data has been deleted, the Data Controller can request that the Data Processor obtain an audit opinion (on the account for the Data Controller) to the effect that the Personal Data has been deleted from the IT systems of the Data Processor.
a. If the Data Processor receives notice from the Data Controller, or the Data Controller learns of non-compliance of requirements according to the Legislation or the instruction of the Data Controller for processing of Personal Data, the Data Processor must without undue delay remedy the non-compliance.
b. Generally, the provisions of clause 18 of the Agreement apply with the necessary changes in the case of a Party’s breach of the Data Processing Agreement.
c. A Party is obliged to indemnify the other Party for expenses and use of resources in connection with the fulfilment of the obligations of a Party in relation to a supervisory authority or the data subject as well as fines imposed by a supervisory authority or a court in so far as these are caused by the breach of the other Party.
O. NON-DISCLOSURE DECLARATION
a. The Data Processor ensures that its employees who are given access to information from the Data Controller have signed a non-disclosure declaration to the effect that they are under an obligation to maintain confidentiality in relation to unauthorised persons as regards their access to the data of the Data Controller. The duty of confidentiality applies both during their employment and after termination of their employment.
b. The Data Processor must ensure that Data Sub-Processors, employees and others who assist the Data Processor in connection with performance of the Agreement and the Data Processing Agreement are subject to obligations that correspond to the obligations in these agreements.
P. OTHER PROVISIONS
a. In case of any discrepancy between the Data Processing Agreement and the Trading Agreement, the Data Processing Agreement takes precedence.
Q. CATEGORIES OF PERSONAL DATA AND DOCUMENTS
a. The Agreement may include all categories of personal data and all categories of data subjects whose personal data the Data Processor is to process as part of the performance of the Agreement.
b. In order for the Service to function in accordance with clause 2 in the Agreement the following personal data will be processed each time an employee of the Data Controller or a third party signs a document:
- e-mail address,
- Electronic ID informations, and
- social security number, if this is chosen by the Data Controller for each document send for signing to a third party.
c. The categories of data subjects, whose personal data will be processed by the Data Processor as part of this Agreement, includes third parties, cf. the Agreement clause 13, and the Data Controllers employees, who sign documents by using the Service.