Secure handling of your personal data is a high priority here at NordicScreen. We therefore maintain high security standards in the technical design of our solutions, in the selection of sub-processors and in the training of our employees. We do all this to assure you that we will handle your data reliably and securely, with respect for your privacy. On this page you will find NordicScreen's DPA, along with the option to request your own signed copy of the DPA.
At NordicScreen we offer a standard DPA to all customers.
Contact us if you would like your own signed copy.
You can find an up-to-date list of NordicScreen's sub-processors on the sub-processor page. These sub-processors are used in connection with the delivery of the services we offer.
NordicScreen provides a standard data processing agreement to all customers in relation to the services we deliver. The data processing agreement is available in the following languages:
– English (Primary)
Get your own signed data processing agreement sent to you by contacting us via [email protected]
All updates regarding the data processing agreement, changes to sub-processors and general terms will be sent out via our newsletter Legal. Sign up to make sure you are notified when there is news.
Below you can read an English example of our data processing agreement. If you would like to read one in Danish, you can request a Danish version as described in the section Get your own data processing agreement above.
2. THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
3. THE DATA PROCESSOR ACTS ACCORDING TO INSTRUCTIONS
5. SECURITY OF PROCESSING
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6. USE OF SUB-PROCESSORS
7. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
8. ASSISTANCE TO THE DATA CONTROLLER
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
9. NOTIFICATION OF PERSONAL DATA BREACH
10. ERASURE AND RETURN OF DATA
11. AUDIT AND INSPECTION
12. THE PARTIES’ AGREEMENT ON OTHER TERMS
13. COMMENCEMENT AND TERMINATION
14. DATA CONTROLLER AND DATA PROCESSOR CONTACTS/CONTACT POINTS
The purpose of the data processor’s processing of personal data
Processing on behalf of the data controller shall mainly pertain to:
categories of data subject
The purpose of the data processor’s processing of personal information is to ensure the data controller’s access to the product(s) selected, see selected licenses, and to provide the data controller with support for the use of the solution.
Storage of personal data used for the data controller to access the system(s); storage of personal information that the data controller uploads to the systems, including information about meetings, events, etc. as well as storage of personal data in connection with the data processor providing the data controller with support for the system.
Employees of the data controller who are granted access to the products by the data controller.
Persons who appear from the information uploaded to the system by the data controller, e.g. the data controller’s customers.
A.1. The processing includes the following types of personal data about data subjects:
☒ Non-sensitive categories of personal data
Name, password, telephone number, mobile number, e-mail address, IP address, position, language, type of user in accordance with the data controller’s choice.
In addition, any personal data that the customer chooses to upload in connection with the use of the systems are processed, including information about meetings, events and information from the customer’s calendar system when using Q-Cal.
Special categories of personal data (tick the boxes)
☐ Racial or ethnic origin
☐ Political opinions
☐ Religious beliefs
☐ Philosophical beliefs
☐ Trade union membership
☐ Health data
☐ Sex life or sexual orientation
☐ Genetic or biometric data for the purpose of identification
☐ Criminal convictions and offenses
A.2. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
The processing takes place until the end of the month in which the customer relationship ends + 30 calendar days.
In connection with support for the system, the written documentation regarding the support case is stored for 2 years, in order to ensure traceability and documentation.
APPENDIX B AUTHORISED SUB-PROCESSORS
B.1. Approved sub-processors
On commencement of the Clauses, the data controller authorises the engagement of the sub-processors that appeared on NordicScreen’s website at the time.
An updated list of sub-processors used can be found at any time on NordicScreen’s website.
The data controller shall on the commencement of the Clauses authorise the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or have another sub-processor perform the described processing.
APPENDIX C – INSTRUCTION PERTAINING TO THE USE OF PERSONAL DATA
C.1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:
The data controller creates an account in which the data controller’s administrator can create users who have permission to access the customer’s account. NordicScreen only accesses the information that the customer uploads to a system if the customer requests support and such access is necessary to provide such support, or if special operational conditions make it necessary, e.g. when handling threats.
C.2. Security of processing
The level of security shall take into account:
As only personal data of a non-sensitive nature are processed (Article 6), and at the same time, it has been assessed that the impact on the rights and freedoms of the data subject is low, it has been assessed that it is sufficient to establish a low level of security.
Subsequently, the data processor is entitled and obliged to make decisions about which technical and organizational security measures must be implemented to establish the necessary (and agreed) level of security.
However, in any case and as a minimum, the data processor must implement the following measures:
All communication on public networks must be encrypted.
Where possible, access to the system is done with a 2-factor login and may only be done using a personal username and password.
Any access and access attempts must be logged.
All servers must be backed up.
Through internal policies and internal supervision, NordicScreen ensures that all employees are aware of the security requirements that must be followed in order to achieve adequate processing security, including requirements that
· Personal data in print may not be brought along in connection with working from home
· Personal data may not be accessed in non-secure areas, including in public spaces
NordicScreen also ensures that employees can only access the system if they are authorized to do so and that the systems are accessed solely as part of the performance of the work.
NordicScreen follows internal policies and procedures for the secure storage of the information. The security level is continuously evaluated and audited internally at least once every year.
NordicScreen has locked rooms where key cards and code locks are required to gain access.
C.3. Assistance to the data controller
The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:
At the data controller’s specific request and considering the nature of the processing, the data processor assists the data controller in fulfilling the data controller’s obligations regarding the exercise of the data subjects’ rights as set out in the personal data legislation.
Requests made by data subjects to exercise their rights must be passed on without undue delay to the data controller.
At the specific request of the data controller, considering the nature of the processing and considering what information is available to the data processor, the data processor assists the data controller in complying with its obligations, see Articles 32-36 of the General Data Protection Regulation:
· Processing safety
· Personal data breaches, including notification to data subjects
· Impact analysis
· Prior enquiries with supervisory authorities
C.4. Storage period/erasure procedures
Personal data is stored until the end of the month in which the license agreement expires + 30 days. After that, the information will be deleted.
Information included in any support cases is stored for 2 years after the support case is closed. After this, the information is deleted.
C.5. Processing location
Processing of the personal data under the Clauses cannot be performed at other locations than the following without the data controller’s prior written authorisation:
8920 Randers NV
Reference is made to the locations that appear from the list of sub-processors attached as Appendix B.
C.6. Instruction on the transfer of personal data to third countries
The data processor may transfer personal data to third countries in connection with the use of the approved sub-processors.
Transfer to third countries may potentially take place using sub-processors based in a third country, but where the personal data is stored in the EU.
Transfer to third countries will take place directly using individual sub-processors.
C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
Once a year, the data processor prepares a report to the data controller, documenting that the agreed level of security has been maintained and that these provisions have been complied with. The report will be published on https://nordicscreen.com/.
If the data controller should wish to receive an auditor’s statement or to carry out a physical inspection of the data processor, this is to be done at the data controller’s expense.