TRADING AND DATA PROCESSING AGREEMENT
Between the Parties: Penneo A/S
Company reg. no.: 35633766
Enghavevej 40, 4th floor
DK-1674 København V
(Hereinafter referred to as "Penneo")
(Hereinafter referred to as "the Customer").
Penneo and the Customer (hereinafter individually referred to as "Party" and collectively as the "Parties") have concluded this Trading and Data Processing Agreement (hereinafter the "Agreement"):
"The Customer" means a company, organisation or other legal entity, on behalf of which an employee of the company, organisation or other legal entity has accepted this Agreement either directly or by accepting the Penneo Order Confirmation.
"The Platform" means Penneo's systems and services.
1. APPLICATION AND SCOPE
1.1. The Agreement provides the Customer access to the Platform, enabling the Customer to access agreed services. Using the Platform, the Customer is able to process documents and/or data for signature/approval according to the chosen subscription type.
1.2. The Agreement applies to delivery of the Platform and additional services from Penneo to the Customer unless it has been expressly derogated from or modified by another written agreement and it can be established with certainty that the intention was to derogate from this agreement.
1.3. The Parties want to enter into cooperation where Penneo is to provide the Platform to the Customer.
1.4. The purpose of the Agreement is to lay down the conditions for the delivery of the Platform to the Customer.
2. THE PLATFORM
2.1. The Platform is made available to the Customer as Software as a Service ("SaaS") so that the Customer, via the Internet and/or the Penneo API, can connect to Penneo’s server or a server at one of Penneo’s collaboration partners and get access to the Platform.
2.2. It is a condition for access to the Platform that the Customer delivers the Documents in standard PDF format. The documents which are returned by Penneo after the process in the Platform is finalized, will be in the format PAdES-PDF. The returned files contain all signature certificates, are locked for editing and are, at the time of return to the Customer and Third Party, activated for long-term storage (LTV).
3. TERM AND TERMINATION OF THE AGREEMENT
3.1. The Agreement takes effect on the date on which the customer accepts the Penneo Order Confirmation or otherwise accepts this Agreement ("Time of Commencement").
3.2. There is a period of commitment for access to the Platform (subscription) of 12 months as from the Time of Commencement.
3.3. Either Party may terminate the Agreement at a written notice of 3 months to expire at the end of the subscription period. If the Agreement is not terminated at the latest 3 months before the expiry of the subscription period, this gives rise to a new subscription period of 12 months.
3.4. Upon the expiry of the Data Retention period (depends on the subscription plan), Penneo undertakes to keep all the Customer’s Data of which Penneo is in possession for an additional period of 90 days.
3.5. At any time during the period specified in sub-clause 3.4., the Customer has the right to supply the Customer’s Data or delete the Customer’s Data in full or in part from its account with Penneo. The Customer’s Data is supplied in the formats that are used in the system(s) of Penneo or its sub-suppliers and thus no processing/conversion of data is performed, unless otherwise expressly agreed between the Customer and Penneo.
3.6. Supply of the Customer’s Data in a processed or converted form may be agreed separately against payment.
4. PRICE AND PAYMENT TERMS
4.1. Prices for the Customer’s use of the Platform, onboarding and other services from Penneo are fixed in the Order Confirmation and/or invoice submitted by Penneo and accepted by Customer by either signing of the Order Confirmation or payment of the invoice.
Any discounts specified in the Order Confirmation or invoice apply only to the first year subscription period, unless otherwise specifically agreed.
4.2. Consultancy services can be agreed separately against payment of Penneo's applicable hourly rate at any time.
4.3. The prices are inclusive of the duties and taxes in force at the time of the commencement of the Agreement, apart from VAT.
4.4. Usage above the agreed maximum number of clients / employees / completed case files (depending on subscription package) is invoiced according to appendix 2. The Customer's use of the Platform must be in accordance with the subscriptions and additional services in sub-clause 4.1. Any use of the Platform that has not been agreed is considered a material breach in accordance with sub-clause 18.1.
4.5. The payment terms are net cash + 14 days from the invoice date at the place of payment specified by Penneo. Payment must be made without any fees and costs to Penneo. In the case of payment after the due date, the Customer must pay an interest rate of 1.5% per month on the balance overdue from the last date of punctual payment until payment is made. The Customer cannot deduct any amounts in the fee for the service originating from stated claims from other legal matters.
4.6. Invoices must be sent in electronic form to the following e-mail address or the EAN number provided to Penneo by the Customer.
4.7. Penneo has the right to invoice the renewal of the subscription plan up to 62 days (2 months) in advance of the renewal date.
4.8. Penneo may change the pricing with 4 months' notice in advance of the next subscription period.
5. OPERATIONAL RELIABILITY AND SUPPORT
5.1. Penneo secures stable operation but is not liable for irregularities in operations caused by factors that are outside Penneo’s control. Penneo will restore normal operations as soon as possible.
5.2. Penneo ensures accessibility to the Platform during the term of the Agreement as stated below:
5.2.1. Uptime of 99.9%
5.2.2. The uptime is measured and calculated per calendar month based on service time 24/7. In the calculation of uptime, downtime of which notice has lawfully been given in pursuance of the Agreement or which has otherwise expressly been accepted by the Customer is not included.
5.2.3. The Customer can at any time see the status of Penneo’s uptime at status.penneo.com.
6. SECURITY REGULATIONS
6.1. All documents are stored in encrypted form and all communication to and from Penneo’s server(s) is encrypted and firewalls have been established to secure the Software. However, Penneo cannot provide any guarantee against hacker attacks which cause system failure and/or loss of data.
7. STORAGE AND BACKUP
7.1. The Customer’s Data and backup media are placed with Penneo’s sub-supplier (Amazon Web Platforms, Inc. ("AWS")). All Data is stored within the EU in EU (Dublin) Region and EU (Frankfurt) Region, respectively.
7.2. Penneo uses two backup strategies for separate data classes that are described in more detail in sub-clauses 7.3. and 7.4.:
The Customer’s data
7.3. The Customer’s data is stored at several separate physical locations. The Customer’s documents are versioned in order to be able to roll back changes. Deletion of documents including versioning can be made only by at least two persons jointly.
7.4. Penneo makes incremental backups of Systems data on a daily basis. Backups are kept for at least 14 days. All data in Penneo’s production environment is stored in at least two separate physical locations.
7.5. All the Customer’s documents are stored in the Platform according to the Data retention period in the subscription plan, unless the Agreement is terminated in the meantime. In that case, the provisions of sub-clauses 3.4 to 3.6 apply. The Customer’s documents are kept longer than the Data retention period, if a separate agreement has been concluded between the Customer and Penneo on such storage.
7.6. If a system failure - irrespective of the cause - results in loss of or damage to the Customer’s data, Penneo will after the failure/damage has been ascertained either on its own initiative or after having been contacted by the Customer start restoration of the Customer’s Data from the relevant backup location(s). During this period, the Customer’s data may be inaccessible for a maximum of 24 hours.
8.1. In order to provide the best possible service it is necessary periodically to extend/renew technical equipment and to make software updates etc. Therefore, Penneo carries out maintenance and updating of the Service from time to time.
8.2. The Customer is given notice of maintenance and/or updating via Penneo’s website.
8.3. Penneo’s API is offered in different versions. When a new version is issued, Penneo endeavours to ensure that the new version does not affect previous versions. However, Penneo cannot guarantee that new versions of APIs do not require new development at the Customer. In case where Penneo no longer supports an API version, Penneo must give notice of this at least 6 months before the API version in question is taken out of service.
8.4. In connection with maintenance, it may be necessary to suspend access to the Platform. Such suspensions will mainly be placed in the period from 21:00 – 06:00 CET. If it becomes necessary to suspend access to the Platform outside the period mentioned, notice will be given of this in advance unless technical or security reasons make it necessary to change the system with immediate effect.
9. FAULT REPORTING
9.1. If the Customer detects defects, failure or irregularities, the Customer can check whether the matter has been recorded at status.penneo.com.
9.2. If the matter has not already been recorded, the Customer must contact Penneo without undue delay; cf. sub-clause 9.3.
9.3. In the case of fault reporting, the Customer must describe the defect in writing by using Penneo’s online fault reporting procedure, called support, so that Penneo receives the necessary information to locate the defect immediately.
10.1. Software updates are included in the subscription price. Penneo offers several support options. Access to the different support options depends on the chosen subscription plan. Special support inquiries or individual system adaptations are invoiced separately. This applies to both support by telephone and written support.
11. LIABILITY AND LIMITATION OF LIABILITY
11.1. Each Party is liable for damages in accordance with the general rules of Danish law with the limitations set out below, always provided that the limitations apply only if the loss is not attributable to gross negligence or wilful intent on the part of the Party committing the tort.
11.2. Penneo disclaims liability for any indirect loss or consequential loss including, but not limited to, business interruption, loss of profits, loss of the Customer’s Data and goodwill with the Customer.
11.3. Apart from product liability (cf. sub-clause 11.4), the total amount of damages that the Customer can claim from Penneo in accordance with the Agreement is limited to the smaller of the following:
- the total payment that Penneo has received from the Customer in accordance with this Agreement at the time of the claim, or
- DKK 25,000 per claim per year.
11.4. Penneo is liable for product liability in accordance with the general rules of damages of Danish law. However, Penneo’s liability for damages in each case is limited to the amount which is paid out in accordance with Penneo’s product liability insurance in force at any time.
11.5. Penneo is obliged to maintain the customary and sound insurance level, including as a minimum product liability insurance and general liability insurance to cover Penneo’s liability in accordance with the Agreement.
12. THE RIGHT TO DATA
12.1. The Customer retains ownership of the Customer’s Data and the results of the processing of the Data.
12.2. Penneo cannot exercise a lien on the Customer’s Data.
13. PROCESSING OF THIRD PARTY DATA
13.1. For use of the Service, the Customer creates a profile including an account with Penneo and thereafter the Customer uploads documents and other data, including personal data, to its account with Penneo for use for signing the Customer’s documents (hereinafter collectively referred to as the "Customer’s Data").
13.2. The third parties who are to sign the Customer’s documents (hereinafter "Third Party") create an independent profile including an account with Penneo. The third party uploads its data, including personal data, to its account with Penneo in connection with signing of the Customer’s document(s) (hereinafter collectively referred to as the "Third Party Data").
13.3. The Customer and all Third Parties receive a copy of the signed documents and the documents are stored and kept by Penneo. Both the Customer and all Third Parties have via their respective accounts with Penneo independent access to the signed documents at Penneo.
13.4. In the relation between the Customer and Penneo, Penneo is data processor and the Customer is data controller. Penneo and the Customer have concluded the data processing agreement attached as Appendix 1 (hereinafter the "Data Processing Agreement") that regulates Penneo’s processing of the Data of the Customer that is personal data.
14.1. If Penneo cannot provide its services in accordance with the Agreement as a result of force majeure, Penneo cannot be held liable for losses on account of that and the Customer cannot terminate the Agreement with immediate effect; cf. sub-clause 14.3, however.
14.2. Penneo must inform the Customer without undue delay if a force majeure situation arises. Force majeure is a matter on which Penneo has no influence and which Penneo cannot bypass with reasonable financial and practical measures. Force majeure is for example war, mobilisation, terrorist attack, failure/breakdown of public electricity supply, strike, fire, flood etc.
14.3. If the accessibility to the Service is essentially impossible due to force majeure and this lasts for more than 30 days, either Party may terminate the Agreement in writing with immediate effect but cannot in that connection advance any claims against the other Party.
15. INTELLECTUAL PROPERTY RIGHTS
15.1. The Customer has been advised that the Service is protected by copyright and the Customer acquires only a non-exclusive conditional right to use the Service. The right of use is conditional upon the Customer’s payment and observance of the Agreement and it has been expressly pointed out to the Customer that the right of use is limited in time so that it will automatically lapse on termination of the Agreement irrespective of the cause of termination. The right of use is non-transferable.
15.2. The Customer is entitled to use the Service only for the Customer’s own enterprise.
15.3. The Customer agrees that it will respect the copyrights. The Customer is liable for the Customer’s employees’ and external advisors’ observance of the rights to the Service when it is used and the Customer is obliged to ensure that it is expressly pointed out to the Customer’s employees and external advisers that the Service is protected by copyright and may be used only in accordance with the terms of the Agreement.
16. CONFIDENTIALITY AND DUTY OF CONFIDENTIALITY
16.1. During the term of the Agreement and after termination of the Agreement, the Parties undertake not to disclose to any unauthorised person any information received from and about the other Party of which a Party learns in connection with the Agreement and provision of the Service to the Customer. The Parties may use such information only in accordance with the Agreement and must not disclose the information unless disclosure is required in accordance with legislation, a court order or an order from a public authority. The above does not apply to information that is generally known or publicly available and which is not according to Legislation subject to such limitations.
17. MARKETING AND COMMUNICATION BETWEEN THE PARTIES
17.1. Penneo is entitled to use the Customer as a reference, unless the Customer has expressly and in writing objected to this.
17.2. When signing the Agreement, the Customer gives Penneo the right to send service announcements and information which may contain newsletters and other marketing and information concerning the Service and Penneo’s other products and services at any given time by e-mail.
17.3. The Customer may at any time unsubscribe from newsletters and other marketing.
17.4. E-mails that contain operational information are mandatory as they may be of importance for the Customer’s use of the Service.
17.5. An e-mail has arrived when it has been received in the recipient’s e-mail system and when under normal circumstances it will be accessible to the recipient. The fact that an e-mail is specifically not accessible owing to problems in the recipient’s e-mail system is thus the risk of the recipient. It is the responsibility of the Parties to give information about changes to the above contact information.
18. BREACH OF CONTRACT
18.1. In the event of material breach of the Agreement by one of the Parties, the non-breaching Party may terminate the Agreement forthwith if the matter has not been remedied within 10 working days from the date on which written notice has been given to the Party committing the breach.
18.2. In the event of bankruptcy, reconstruction, restructuring, liquidation, compulsory dissolution, acceptance of a composition, a contractual arrangement with creditors or the like, the other Party is entitled to terminate the Agreement with immediate effect.
18.3. If the Customer does not pay for the Service in accordance with clause 4 of the Agreement, Penneo is entitled to disable access to the Service at a prior notice of 20 days. The Customer’s access is re-established only when amounts due have been received by Penneo.
18.4. If Penneo terminates the Agreement as a result of the Customer’s breach, including default on payment, Penneo is entitled to keep the prepayment already made. If the Customer terminates the Agreement as a result of Penneo’s breach the termination will be valid only for the future, and the Customer can only claim payment refunded as from the month in which the breach occurred.
19.1. The Parties agree that the Agreement has been concluded in accordance with Danish law and that any dispute between the Parties must be settled in accordance with Danish law.
19.2. The Parties shall endeavour to settle disputes amicably through negotiation. If a dispute cannot be settled amicably, both Parties are entitled to bring the matter before the Copenhagen City Court in the first instance.
20. OTHER PROVISIONS
20.1. If a provision in the Agreement is declared illegal, invalid or unenforceable, the provision must in spite of this be enforced to the greatest extent possible in accordance with current legislation so that the Parties’ original intention is reflected. Such a provision does not affect the lawfulness or validity of other provisions.
20.2. Any provision in the agreement which according to its nature extends beyond the time when the Agreement ends in full or in part shall continue to apply and be binding on the Parties.
21. CONFIRMATION AND SIGNATURE
21.1. The Agreement and the Data Processing Agreement enclosed as Appendix 1 are hereby confirmed by the Parties by the use of digital signature. The signers of the Agreement declare that they are authorised signatories in pursuance of the respective signing powers and rules on the right to make transactions. The printable and readable evidence of the signatures will appear from the last page of the finished document which will be submitted to all parties when all parties have signed.
APPENDIX 1 TO TRADING AND DATA PROCESSING AGREEMENT
DATA PROCESSING AGREEMENT
A. BACKGROUND AND PURPOSE
a. The Data Controller and the Data Processor have concluded a Trading and Data Processing Agreement (the Agreement) concerning the provision of digital services in the form of a Digital Signature and Validation Platform (validation of Social Security Number and registration with the Central Business Register (Company reg. no.)) based on national electronic ID systems for which NemID or BankID is used on the commencement of the Agreement (hereinafter the “Platform”).
b. In accordance with the Agreement, the Data Processor shall process personal data on behalf of the Data Controller in connection with the provision of the Platform.
c. This Data Processing Agreement (hereinafter the “Data Processing Agreement”) lays down the terms and conditions for the Data Processor’s processing of the personal data (as defined in the Legislation; cf. sub-clause A.d.) which the Data Controller provides to the Data Processor in pursuance of the Agreement in connection with use of the Platform (hereinafter the “Personal Data”). Unless otherwise expressly stated in the Data Processing Agreement, the other provisions of the Agreement shall apply.
d. The purpose of the Data Processing Agreement is to secure observance of the legislation on personal data in force at any time including the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”) that entered into force on 25 May 2018 (hereinafter collectively referred to as “the Legislation”).
B. TYPES OF PERSONAL DATA AND THE GENERAL OBLIGATIONS OF THE DATA PROCESSOR
a. The types of Personal Data and categories of data subjects that the Data Processor is to process for the Data Controller as part of the performance of the Agreement and the Data Processing Agreement are stated in clause Q.
b. It is only the Data Controller who decides which Personal Data is to be processed by the Data Processor and for which purposes this personal data may be processed.
c. The Data Processor processes the Personal Data only in accordance with documented instruction from the Data Controller.
d. The Data Processor must process the Personal Data in accordance with the Legislation in force at any time. The Data Controller must ensure that all Personal Data which the Data Controller provides to the Data Processor is provided via functions in the Platform and is not sent via an insecure e-mail or in any other manner that is contrary to the Legislation.
e. In the event that an official national Data Protection Agency makes an inquiry concerning the processing of the Personal Data, the Data Controller and the Data Processor must collaborate on answering questions, providing information or meeting requirements, if any.
C. LIST OF DATA PROCESSING ACTIVITIES
a. The Data Processor must keep a list of all categories of processing undertaken by the Data Processor on behalf of the Data Controller. The list, which is kept electronically, e.g. as log files, must contain:
i. The name and contact information of the Data Processor, Data Sub-Processors (cf. sub-clause D.a.), the Data Controller and a Data Protection Officer, if any;
ii. The categories of the processing that the Data Processor or Data Sub-Processors undertake on behalf of the Data Controller; and
iii. A general description of the technical and organisational security measures; cf. clause E.
b. The list must be available in writing, including electronically. At the request of the Data Controller or an official national Data Protection Agency, the Data Processor shall make the list available to the Data Controller and/or an official national Data Protection Agency.
D. THE DATA PROCESSOR'S USE OF DATA SUB-PROCESSORS
a. The Data Controller hereby consents to the Data Processor being entitled to use Data Sub-Processors (“Data Sub-Processors”) to provide the services of the Data Processor in accordance with the Agreement. It is the responsibility of the Data Processor that Data Sub-Processors meet their data protection obligations in accordance with the Legislation.
b. On the conclusion of the Agreement, the Data Processor makes use of Amazon Web Platforms, Inc. (“AWS”) as Data Sub-Processor for storage of the Personal Data. AWS makes use of authorised sub-suppliers for the provision of the service to the Data Processor. The Customer can find a link to the website of AWS with all information on AWS’s compliance with the General Data Protection Regulation at https://aws.amazon.com/compliance/gdpr-center/.
c. The Data Processor notifies the Data Controller of any planned changes to the use of Data Sub-Processors, including the addition or replacement of Data Sub-Processors as well as the use of new Data Sub-Processors who are not subject to sub-clause D.b.
d. If the Data Controller cannot accept changes that are subject to sub-clause D.b. or sub-clause D.c., the Data Controller may terminate the Data Processing Agreement with a written notice of 14 days. Notwithstanding the provision in sub-clause 3.3. of the Agreement, the Agreement will automatically be terminated at the same time as the notice of termination of the Data Processing Agreement. The provisions of clause 3 of the Agreement will continue to apply without any changes. Payments made by the Customer are not refunded.
e. If a Data Sub-Processor is based in a third country outside the EU/EEA, it is the duty of the Data Processor to ensure that the Personal Data is kept within the EU/EEA and is not transferred to the third country in question unless transfer is necessary to comply with legislation in force that applies to the Data Processor or the Data Sub-Processors of the Data Processor or as a result of demands made by a competent public authority which are binding for the Data Processor or the Data Processor’s Data Sub-Processors. The Data Processor will give the Data Controller reasonable notice if such demands are made in relation to the Data Processor or the Data Sub-Processors of the Data Processor and will endeavour to enable the Customer to object or use relevant remedies unless the Data Processor or the Data Sub-Processors of the Data Processor is/are prevented from this in accordance with legislation in force.
E. INFORMATION SECURITY AND DATA PROTECTION REQUIREMENTS
a. The Data Processor must take the necessary technical and organisational security measures against Personal Data being accidentally or unlawfully destroyed, lost or impaired and against any unauthorized persons receiving the Personal Data, the Personal Data being abused or otherwise processed contrary to the Legislation. Such technical and organisational security measures include:
i. Certification, including that the Data Processor is certified in accordance with the ISAE 3000 standard by KPMG, which means that KPMG has audited the internal security policies and security procedures of the Data Processor with a view to optimum protection of the documents of the Data Controller;
ii. Network security, transmission and storage, including the establishment of a login and password procedure (two factor authentication) as well as firewalls and antivirus software. All documents are stored in encrypted form and all communication to and from the Data Processor’s server(s) is encrypted. The Data Processor observes the encryption standards that are defined by the National Institute of Standards and Technology (NIST). The Data Processor uses only encryption algorithms that are approved by the Federal Information Processing Standards (FIPS) and recommended by NIST;
iii. Matters relating to employees, including that only employees who are authorised have access to the Personal Data and that employees receive relevant training, adequate instructions in and guidelines for the processing of the personal data; cf. also clause G.;
iv. Physical security, including that access to buildings and systems that are used in connection with the data processing is protected in an appropriate manner so that unauthorized third parties do not have access to them.
b. The Data Processor must implement and observe a security policy and guidelines for the processing of Personal Data in the Data Processor’s organisation that are in accordance with and meet the terms and conditions that appear from this Data Processing Agreement and/or the instruction of the Data Controller at any time.
c. The Data Processor evaluates the security level with a view to initiating any necessary measures to maintain sufficient data security at any time.
F. SECURITY INCIDENTS
a. The Data Processor must establish and implement procedures for the handling of breaches of the personal data security; cf. article 4 (12) and article 33 (2) of the General Data Protection Regulation.
b. The Data Processor must without undue delay after having become aware of any data breach, inform the Data Controller in writing of the breach of the personal data security, including information on who has processed the data of the Data Controller and when with a view to enabling the Data Controller to have a criminal investigation performed.
c. In the event of breach of the personal data security, the Data Processor must without undue delay and not later than 36 hours after the Data Processor became aware of the breach of the personal data security inform the Data Controller in writing of the breach and as a minimum provide the following information:
i. A description of the nature of the breach of the personal data security, including - if possible - the categories and the approximate number of data subjects affected as well as the categories and the approximate number of entries of personal data affected;
ii. A description of the likely consequences of the breach of the personal data security;
iii. A description of the measures that the Data Processor has made or has proposed should be made to handle the breach of the personal data security, including measures to limit its potential adverse effects.
iv. The name and contact information of the Data Protection Officer, if such an Officer has been appointed by the Data Processor, or another contact point where additional information can be obtained.
d. When and in so far as it is not possible to provide the information collectively, the information may be provided in stages without any undue further delay.
e. The Data Processor’s notifications to the Data Controller on a breach of the personal data security in accordance with this clause F do not mean that the Data Processor has thereby acknowledged being in breach of the Agreement or being liable for damages in relation to the Data Controller for the breach of the personal data security in question.
G. HOME OFFICES
a. All workplaces at the Data Processor’s are laptop computers or the like. Irrespective of physical location, the access of the employees to the Platform and the systems of the Data Processor is protected in the same way. This means among other things that login and access to the Data Processor’s production environment always requires two-factor authentication and for the following operations at least two persons must work together:
- Changes of firewalls
- Granting or revoking privileges
- Access to backup
Access to the virtual infrastructure is only via encrypted channels. Access at OS level is via SSH and the primary purpose is to provide support to the software development process.
b. The Data Processor must lay down guidelines for the processing of Personal Data by employees.
H. THE OBLIGATION OF THE DATA PROCESSOR TO ASSIST THE DATA CONTROLLER
a. In consideration of the nature of processing and the Personal Data that is to be processed by the Data Processor, the Data Processor must assist the Data Controller in securing observance of the provisions of the Legislation on the rights of data subjects as regards Personal Data. In this connection, the Data Processor must by means of suitable technical and organisational measures assist the Data Controller with the handling of inquiries from a data subject, including but not limited to a request for access, correction, blocking or deletion of Personal Data. In so far as the Data Controller can itself handle inquiries from a data subject via functions in the Platform, the Data Controller must make use of these.
b. Furthermore, in consideration of the nature of processing and the Personal Data that is to be processed by the Data Processor, the Data Processor must assist the Data Controller in observing other obligations that are imposed on the Data Controller in accordance with the Legislation where this is contemplated or is necessary for the Data Controller to meet its obligations. As part of this, the Data Processor must assist the Data Controller in ensuring observance of among other things the obligations in pursuance of articles 32-36 of the General Data Protection Regulation.
I. AUDIT AND AUDIT OPINION
a. At the request of the Data Controller, the Data Processor must give the Data Controller such information as is necessary for the Data Controller to ensure that the Data Processor and its Data Sub-Processors comply with the requirements that are laid down in the Data Processing Agreement, including that they have taken the necessary technical and organisational security measures and that the measures are observed.
b. At the written request of the Data Controller, the Data Processor must provide documentation that the security measures have been implemented at the Data Processor’s.
c. The Data Controller can via an auditor or another trusted party who is approved by the Data Controller and the Data Processor perform an audit (within normal working hours) that the Data Processor meets its obligations.
d. Once a year, the Data Processor gives the Data Controller access to the audit opinions ISAE 3000 (type 2). The opinions/declaration must be given after the end of each calendar year so that it is available to the Data Controller no later than on 31 March.
e. In addition, the Data Controller is entitled for its own account to have an independent third party make an annual audit of the Data Processor’s processing of Personal Data.
f. The Data Processor is obliged to allow authorities who in accordance with the legislation in force at any time have access to the facilities of the Data Controller and the Data Processor or representatives who act on behalf of the authority access to the physical facilities of the Data Processor against due identification and the prior signing of a non-disclosure declaration.
J. OBLIGATIONS AND RESPONSIBILITIES OF THE DATA CONTROLLER
a. It is the responsibility of the Data Controller to ensure that the necessary basis in accordance with the Legislation for the processing of Personal Data is available and in connection with the processing of Personal Data the Data Controller must observe and comply with the Legislation.
b. The Data Controller must observe the security instructions in force at any time on which the Data Processor may provide information to the Data Controller concerning access to and use of the Platform.
c. The Data Controller must indemnify the Data Processor for legal proceedings, claims, costs (including reasonable expenses for legal assistance), losses, liability, expenses or damage that is/are a consequence of the Data Controller’s non-observance of the Legislation or the security instructions provided by the Data Processor concerning access to or use of the Platform, or any other breach of this Data Processing Agreement. Reference is also made to clause N.c.
K. COSTS AND PAYMENT
a. The Data Processor is only entitled to demand payment for Platforms that the Data Processor provides to the Data Controller in accordance with this Data Processing Agreement with the prior acceptance of the Data Controller.
L. AMENDMENTS TO THE DATA PROCESSING AGREEMENT
a. Each Party may at any time with a reasonable prior written and reasoned notice demand amendments to the Data Processing Agreement if the amendment is necessary to observe the Legislation in force at any time.
b. The Data Processing Agreement may furthermore at any time be adjusted at a written notice of 30 (thirty) calendar days if the Data Controller wants to adjust the types of Personal Data or the categories of data subjects stated in clause Q.
c. If there is a significant change to or adjustment of the Data Processing Agreement in pursuance of clause L.a. or clause L.b. to the disadvantage of the Data Processor, the Data Processor may terminate the Data Processing Agreement at a notice of 3 months to expire at the end of a month, notwithstanding sub-clause 3.3. of the Agreement. Payments made by the Customer are not refunded.
M. HANDLING OF DATA AFTER TERMINATION OF THE DATA PROCESSING AGREEMENT
a. Upon termination of the Data Processing Agreement, irrespective of the cause, the provisions of sub-clauses 3.4 - 3.6 of the Agreement apply.
b. If doubt arises after the termination of the Data Processing Agreement as to whether all Personal Data has been deleted, the Data Controller can request that the Data Processor obtain an audit opinion (for the account of the Data Controller) to the effect that the Personal Data has been deleted from the IT systems of the Data Processor.
a. If the Data Processor receives notice from the Data Controller, or the Data Controller learns of non-compliance of requirements according to the Legislation or the instruction of the Data Controller for processing of Personal Data, the Data Processor must without undue delay remedy the non-compliance.
b. Generally, the provisions of clause 18 of the Agreement apply with the necessary changes in the case of a Party’s breach of the Data Processing Agreement.
c. A Party is obliged to indemnify the other Party for expenses and use of resources in connection with the fulfillment of the obligations of a Party in relation to a supervisory authority or the data subject as well as fines imposed by a supervisory authority or a court in so far as these are caused by the breach of the other Party.
O. NON-DISCLOSURE DECLARATION
a. The Data Processor ensures that its employees who are given access to information from the Data Controller have signed a non-disclosure declaration to the effect that they are under an obligation to maintain confidentiality in relation to unauthorised persons as regards their access to the data of the Data Controller. The duty of confidentiality applies both during their employment and after termination of their employment.
b. The Data Processor must ensure that Data Sub-Processors, employees and others who assist the Data Processor in connection with performance of the Agreement and the Data Processing Agreement are subject to obligations that correspond to the obligations in this Agreement.
P. OTHER PROVISIONS
a. In case of any discrepancy between the Data Processing Agreement and the Trading Agreement, the Data Processing Agreement takes precedence.
Q. CATEGORIES OF PERSONAL DATA AND DOCUMENTS
a. The Agreement may include all categories of personal data and all categories of data subjects whose personal data the Data Processor is to process as part of the performance of the Agreement.
b. In order for the Platform to function in accordance with clause 2 in the Agreement the following personal data will be processed each time an employee of the Data Controller or a third party signs a document:
- e-mail address,
- Electronic ID information, and
- social security number, if this is chosen by the Data Controller for each document sent for signing to a third party.
c. The categories of data subjects whose personal data will be processed by the Data Processor as part of this Agreement include third parties, cf. the Agreement clause 13, and the Data Controller's employees who sign documents by using the Platform.
APPENDIX 2 TO TRADING AND DATA PROCESSING AGREEMENT
Extension of the Platform, use in excess of the subscription plan and data retention
1. ADDITIONAL USE
1.1. The Customer is at any time allowed to exceed the number of clients / employees / completed casefiles included in the subscription plan. This can either be done without prior agreement ("additional use") or by agreement on extending the Platform by purchase of Platform Fee.
a. Purchase of Platform Fee provides the Customer an extension of the Platform to add a certain additional number of clients / employees / completed casefiles (depending on subscription plan) in addition to the number of clients / employees / completed casefiles included in the subscription plan. Invoicing of Platform Fee takes place simultaneously with the purchase, regardless of when during a subscription period the purchase is agreed. When entering into this Agreement, the price for such Platform extension is equal to the agreed price per client / employee / completed casefile specified in sub-clause 4.1 + 10%. Invoicing of the Platform Fee is done for a full subscription period, regardless of when during a subscription period the Platform Fee is agreed. Upon renewal, the additional clients / employees / completed casefiles are included in the subscription plan at standard price with no additional charge of 10%.
b. Additional use on the Platform without prior agreement is invoiced at the end of the subscription period at the agreed price per client / employee / completed casefile specified in sub-clause 4.1. + 25%. Invoicing of the additional use is done for a full subscription period, regardless of when during a subscription period the additional use has begun. Upon renewal, the additional clients / employees / completed casefiles are included in the subscription plan at standard price with no additional charge of 25%.
1.2. The above-mentioned prices for extension of the Platform - both Platform Fee and additional use - cover the entire use of the system and additional services according to the Customer's subscription plan.
2. DATA RETENTION
2.1. The Customer's data and documents are stored until the Customer deletes the data and/or documents or requests Penneo to delete them. Data retention is included in the subscription price for the Platform for 5 years.
After the expiry of the data retention period of 5 years, Penneo is entitled to invoice the Customer for the storage of Customer's documents etc. in the Platform. At the Time of Commencement of this Agreement, the price for data retention is equal to EUR 1.00 per client per year / EUR 1.00 per employee per year / EUR 1.00 per commenced 100 completed casefiles.