Data processing agreement

This is an example of our data processing agreement. If you want a data processor appointment, contact NordicScreen Support.

Standard contractual clauses

pursuant to Article 28(3) of Regulation 2016/679 (the Data Protection Regulation) for the purposes of the processing of personal data by the data processor

between

Company Name:
CVR no.:
Address:
ZIP code:
Town:
Country:

hereinafter “the data controller”

and

NordicScreen ApS
CVR 39553988
Normansvej 1
8920 Randers NV
Denmark
hereafter the “data processor”

each of which is a “party” and together constitute the “parties”.

The parties have agreed to the following standard contractual clauses (the Provisions) with a view to complying with the Data Protection Regulation and ensuring the protection of privacy and the fundamental rights and freedoms of natural persons.

Contents

1. Preamble

2. Rights and obligations of the data controller

3. The data processor acts according to instructions

4. Confidentiality

5. Security of processing

6. Use of sub-processors

7. Transfer to third countries or international organizations

8. Assistance to the data controller

9. Notification of personal data breach

10. Deletion and return of information

11. Audit, including inspection

12. The parties' agreement on other matters

13. Entry into force and termination

14. Contacts of the data controller and data processor

Appendix A Processing information

Appendix B Sub-processors

Appendix C Instructions on the processing of personal data

1. Preamble

1. These Provisions establish the rights and obligations of the data processor when processing personal data on behalf of the data controller.

2. These Provisions are designed for the purposes of the Parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Data Protection Regulation).

3. In connection with the provision of the data processor’s solutions, the data processor processes personal data on behalf of the data controller in accordance with these Regulations.

4. The provisions take precedence over any similar provisions in other agreements between the parties.

5. There are three annexes to these Provisions and the annexes form an integral part of the Provisions.

6. Annex A contains details on the processing of personal data, including on the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

7. Appendix B contains the data processor’s use of sub-processors and a list of sub-processors approved by the data controller.

8. Appendix C contains the data processor’s processing of personal data, a description of the security measures that the data processor must as a minimum implement and how the data processor and any sub-processors are supervised.

9. The provisions and associated annexes shall be kept in writing, including electronically, by both parties.

10. These Provisions do not exempt the data processor from obligations imposed on the data processor under the Data Protection Regulation or any other legislation.

2. Rights and obligations of the data controller

1. The data controller is responsible for ensuring that the processing of personal data is carried out in accordance with the Data Protection Regulation (see Article 24 of the Regulation), the data protection provisions of other EU law or the national law of the Member States[1] and these Provisions.

2. The data controller accepts the data processor’s processing of personal data as specified in Annex A.

3. The data controller is responsible, inter alia, for ensuring that there is a processing basis for the processing of personal data that the data processor is instructed to process.

[1] References to “Member State” in this provision shall be understood as referring to “EEA Member States”.

3. The data processor acts according to instructions

1. The data controller has, by using the data processor's systems, instructed NordicScreen to process the information described in the agreement; the data processor processes personal data only on those instructions, unless required to do so by EU or national law to which the data processor is subject. These instructions must be specified in Annexes A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instructions must always be documented and kept in writing, including electronically, together with these Provisions.

2. The data processor shall immediately notify the data controller if, in its opinion, an instruction is in breach of the Data Protection Regulation or the data protection provisions of other EU or national law.

4. Confidentiality

1. The data processor may only provide access to personal data processed on behalf of the data controller to persons who are subject to the data processor's authority and who have undertaken a duty of confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons and sub-processors who have been granted access must be reviewed on an ongoing basis. Based on this review, access to personal data can be withdrawn if access is no longer necessary, and personal data should then no longer be accessible to these persons or sub-processors.

2. At the request of the data controller, the data processor shall be able to demonstrate that the persons and sub-processors who are subject to the data processor's authority are subject to the aforementioned duty of confidentiality.

5. Security of processing

1. Article 32 of the Data Protection Regulation states that, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks.

The data controller must assess the risks to the rights and freedoms of natural persons that the processing entails and implement measures to address these risks. Depending on their relevance, these may include:

a. pseudonymization and encryption of personal data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

d. a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

2. Under Article 32 of the Regulation, the data processor, independently of the data controller, must also assess the risks to the rights of natural persons that the processing entails and implement measures to address these risks. For the purpose of this assessment, the data controller must provide the data processor with the information necessary to identify and assess such risks.

3. In addition, the data processor shall assist the data controller with his or her compliance with the data controller’s obligation under Article 32 of the Regulation, in particular by: providing the necessary information to the data controller regarding the technical and organizational security measures already implemented by the data processor under Article 32 of the Regulation and any other information necessary for the data controller to fulfill his obligation under Article 32 of the Regulation.

6. Use of Sub-Processors

1. The data processor shall comply with the conditions referred to in Article 28(2) and (4) of the Data Protection Regulation in order to make use of another data processor (a sub-processor).

2. The data processor has the general approval of the data controller for the use of sub-processors. The data processor must notify the data controller in writing of any planned changes concerning the addition or replacement of sub-processors with at least 5 days' notice, thereby allowing the data controller to object to such changes before the sub-processor(s) in question are used. Further notification requirements for specific processing activities may be specified in Appendix B. The list of sub-processors that the data controller has already approved can be found in Appendix B.

3. Where the data processor makes use of a sub-processor in the performance of specific processing activities on behalf of the data controller, the data processor shall impose on the sub-processor the same data protection obligations as those set out in these Provisions, by way of a contract or other legal act under EU or national law. This shall in particular provide the necessary guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Provisions and the Data Protection Regulation.

The data processor is therefore responsible for requiring the sub-processor to comply at least with the data processor's obligations under these Provisions and the Data Protection Regulation.

4. Sub-processor agreements and any subsequent amendments thereto shall, at the request of the data controller, be sent in copy to the data controller, who thereby has the opportunity to ensure that the corresponding data protection obligations arising from these Provisions are imposed on the sub-processor. Commercial terms that do not affect the data protection content of the sub-processor agreement need not be sent to the data controller.

5. If the sub-processor fails to fulfill its data protection obligations, the data processor remains fully responsible to the data controller for the fulfillment of the sub-processor’s obligations. This does not affect the data subjects’ rights under the Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, vis-à-vis the data controller and the data processor, including the sub-processor.

7. Transfer to third countries or international organizations

1. Any transfer of personal data to third countries or international organizations may only be carried out by the data processor on the basis of documented instructions from the data controller and must always be done in accordance with Chapter V of the Data Protection Regulation. By using NordicScreen's systems, the data controller has given instructions to do so.

2. If a transfer of personal data to third countries or international organizations that the data processor has not been instructed to carry out by the data controller is required by EU law or the national law of the Member State to which the data processor is subject, the data processor shall notify the data controller of that legal requirement before processing, unless the law in question prohibits such notification on important grounds of public interest.

3. Without documented instructions from the data controller, the data processor may not, within the scope of these Provisions:

a. transfer personal data to a data controller or data processor in a third country or to an international organization;

b. entrust the processing of personal data to a sub-processor in a third country;

c. process personal data in a third country.

4. The data controller’s instruction on the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the Data Protection Regulation, on which the transfer is based, shall be set out in Annex C.6.

5. These Provisions shall not be confused with the standard contractual clauses referred to in Article 46(2) of the Data Protection Regulation. The provisions of Article 2 (2) (c) and (d) may not constitute a basis for the transfer of personal data within the meaning of Chapter V of the Data Protection Regulation.


8. Assistance to the data controller

1. The data processor shall, taking into account the nature of the processing, assist the data controller, as far as possible, by means of appropriate technical and organizational measures, in compliance with the data controller’s obligation to respond to requests for the exercise of the data subjects’ rights as set out in Chapter III of the Data Protection Regulation.

This means that, as far as possible, the data processor must assist the data controller in ensuring compliance with:

a. the obligation to provide information when collecting personal data from the data subject

b. the duty of disclosure if personal data has not been collected from the data subject

c. the right of access

d. the right to rectification

e. the right to erasure ("the right to be forgotten")

f. the right to restriction of processing

g. the obligation to notify in connection with rectification or erasure of personal data or restriction of processing

h. the right to data portability

i. the right to object

j. the right not to be subject to a decision based solely on automated processing, including profiling

2. In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3, the data processor shall, with due regard to the nature of the processing and the information available to the data processor, assist the data controller with:

a. the data controller's obligation to notify a personal data breach to the competent supervisory authority, the Data Protection Authority, without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

b. the data controller's obligation to notify the data subject without undue delay of a personal data breach when the breach is likely to result in a high risk to the rights and freedoms of natural persons;

c. the data controller's obligation to carry out, prior to processing, an assessment of the impact of the intended processing activities on the protection of personal data (a data protection impact assessment);

d. the data controller's obligation to consult the competent supervisory authority, the Data Protection Authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

3. In Annex C, the Parties shall specify the necessary technical and organizational measures by which the data processor shall assist the data controller, and to what extent. This applies to the obligations arising from Clauses 9.1 and 9.2.

9. Notification of personal data breach

1. The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach.

2. Where possible, the data processor's notification to the data controller must be made within 72 hours of the data processor becoming aware of the breach, so that the data controller can comply with its obligation to report the personal data breach to the competent supervisory authority in accordance with Article 33 of the Data Protection Regulation.

3. In accordance with Clause 9.2.a, the data processor shall assist the data controller in reporting the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which in accordance with Article 33(3) shall be stated in the data controller's notification of the breach to the competent supervisory authority:

a. the nature of the breach of personal data security, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records affected;

b. the likely consequences of the breach of personal data security

c. the measures taken or proposed by the data controller to deal with the breach of personal data security, including, where appropriate, measures to mitigate its potential adverse effects.

4. In Annex C, the Parties shall indicate the information to be provided by the data processor in connection with its assistance to the data controller in its obligation to report breaches of the personal data security to the competent supervisory authority.

10. Deleting and returning information

1. Upon termination of the personal data processing services, the data processor is required to delete all personal data processed on behalf of the data controller, unless EU or national law requires the storage of personal data.

The data processor undertakes to process the personal data solely for the purpose (s), for the period and under the conditions prescribed by these rules.

11. Audit, including inspection

1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the Data Protection Regulation and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

2. The procedures for the data controller’s audits, including inspections, with the data processor and sub-processors are set out in Annex C.

3. The data processor is obliged to grant supervisory authorities that have access to the data controller's or data processor's facilities, or representatives acting on behalf of the supervisory authority, access to the data processor's physical facilities against proper identification.


12. The parties' agreement on other matters

1. The Parties may agree on other provisions regarding the service involving the processing of personal data, such as liability, as long as these other provisions do not directly or indirectly contravene the Provisions or prejudice the fundamental rights and freedoms of the data subject under the Data Protection Regulation.

13. Entry into force and termination

1. The provisions shall enter into force on the date on which the terms of trade are accepted or the contract is concluded.

2. The provisions shall apply as long as the data processing service is provided. During this period, the Provisions cannot be terminated unless other provisions governing the provision of the service concerning the processing of personal data are agreed between the parties.

3. If the provision of the services relating to the processing of personal data ceases and the personal data has been deleted or returned to the data controller in accordance with Clause 11.1 and Annex C.4, the Terms may be terminated with written notice from both parties.


14. Contacts with the data controller and data processor

1. The data processor can be contacted via the support channels in the solution.

2. The data controller is contacted by the registered administrator in the solutions or the contract manager. The data controller is obligated to keep this contact information up to date.


Appendix A Processing information

A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller

The purpose of the data processor’s processing of personal data on behalf of the data controller may include, but is not limited to: That the data controller can use the systems Q-Play, Q-Cal, Q-Desk and related subsystems, for digital signage, meeting rooms and check-in solutions that are relevant to the data controller. User accounts will receive relevant system status and notifications by email.

In principle, the data processor is allowed to send marketing material (e.g. on new products) to the selected administrators of the data controller. Administrators will be able to opt out of this marketing.

A.2. The data processor’s processing of personal data on behalf of the data controller is primarily about (the nature of the processing)

Retention of personal data about the users of the data controller, cf. A.1.

A.3. The processing includes the following types of personal data about the data subjects

The processing may include, but is not limited to, the following types of personal information about the data subjects: Name, password, address, telephone number, mobile telephone number, e-mail address, IP address, job title, language, and type of user described by the data controller.

The data controller has the opportunity to load data into the solution through integrations and input. The data controller is responsible for what data is shared with the data processor. Depending on the functions used, intermediate storage may occur at the data processor. Data is stored in clear text at the data processor or sub-processor; when it is moved electronically over networks, it is encrypted.

NordicScreen processes a number of data in relation to the marketing of NordicScreen products. To determine who visits nordicscreen.com, cookies are used to maintain demographic and user-related statistics. This allows us to customize and create content and services that match our users' interests and wishes.

Traffic measurement and visitor statistics
When you visit nordicscreen.com, both session cookies and permanent cookies are set. Anonymous information is recorded, such as how long you visit the website, which pages you visit, whether you have visited us before, which website you come from, and which browser and operating system you use. We use cookies from Google Analytics and Google Tag Manager.

Behavior-based advertising
Sets both session cookies and permanent cookies that have a lifespan of up to 2 years. The purpose of gathering the information about your website behavior is to be able to target and segment marketing. We use cookies from Facebook and ActiveCampaign.


A.4. The processing includes the following categories of data subjects
Persons who want access to the system or must display specific data using the system. Processing may include, but is not limited to, the following categories of data subjects: users, customers.


A.5. The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of these Provisions. The processing has the following duration

The processing can commence as soon as the data controller enters into a contract with the data processor. This can be done by the data controller itself or via a dealer that has an agreement with NordicScreen ApS. Personal data is deleted from the database 30 days after the customer-supplier relationship ends.

Appendix B Sub-Processors

B.1. Approved sub-processors

At the entry into force of the Provisions, the data controller has approved the use of the following sub-processors.

An updated list of sub-processors can be found at
https://nordicscreen.com/subcontractors/


At the entry into force of the Provisions, the data controller has approved the use of the aforementioned sub-processors for the described processing activity. The data processor may not, without prior notice to the data controller, make use of another sub-processor for this processing activity.


B.2. Notice of approval of sub-processors

Sub-processor replacement can be done with 5 days' notice.

Appendix C Instructions for processing personal data

C.1. The subject of / instruction for the processing

The data processor’s processing of personal data on behalf of the data controller takes place by the data processor performing the following:

The data processor provides products, including service subscriptions, purchased by the data controller.

C.2. Security of processing

The level of security must reflect:

In principle, the data processor only stores personal data that is user account information and therefore not personal data covered by Article 9 of the Data Protection Regulation. The data controller is responsible for ensuring that data shared with the data processor does not violate the Data Protection Regulation.

The data processor is then entitled and obliged to make decisions about the technical and organizational security measures that must be implemented to establish the necessary (and agreed upon) level of security.

However, the data processor must, in any case and at least, implement the following measures agreed with the data controller:

All communication over public networks is encrypted, all servers are backed up, and access to the system requires a personal username and password. Access to, or attempts to access, the system are logged in the database.

NordicScreen requires continuous evaluation of all internal processes, with a focus on ensuring quality and efficiency.

All data processing staff must change their passwords for systems containing personal data once a year. In addition, personal data may only be accessed from hardware provided by the data processor. There are complexity requirements for passwords for computer and telephone access.

The personnel handbook describes the risks of accessing personal data in public spaces and advises employees not to do so. Should it still be necessary, employees must exercise extra care and take the necessary precautions.

NordicScreen is headquartered in the Network House N1, Normansvej 1, Randers SV, Denmark. Perimeter security consists of access control by key card and code lock. Some offices have additional key-card access control. Employee access is limited to the departments they are affiliated with. The Network House N1 has video surveillance outside and inside.

Employees are not allowed to take personal data home on paper or in any other printed form. In addition, all employees are required to read the staff handbook before starting at the company and to keep abreast of any changes. Requirements for the use of a home office, including a focus on data security, are described there.

NordicScreen strives to ensure that all systems containing personal data offer appropriate logging.

C.3 Assistance to the data controller

The data processor shall, as far as possible and to the extent set out below, assist the data controller in accordance with Clauses 9.1 and 9.2 by implementing the following technical and organizational measures:

The data processor's duty to provide data portability is fulfilled by the customer having access to the API in Q-Play. However, it is the customer's responsibility to retrieve data via the API before the end of the customer relationship. Intermediately stored information belonging to data controllers is deleted within 30 days of the end of the customer relationship.

Information in Q-Cal and Q-Desk that is intermediately stored for data controllers is deleted within 30 days after the end of the customer relationship. The data controller is responsible for ordering data exports via the data processor's support function.

C.4 Retention period / deletion routine
Personal information is stored for 30 days, after which it is deleted at the data processor.

C.5 Procedures for the data controller’s audits, including inspections, with the processing of personal data left to the data processor

The data processor may, on behalf of the data controller, obtain an audit statement / inspection report from an independent third party concerning the data processor’s compliance with the Data Protection Regulation, data protection provisions of other EU or national law and these Regulations.

The audit statement / inspection report is sent to the data controller for information without undue delay. The data controller may challenge the scope and/or methodology of the audit statement / inspection report and may in such cases request a new audit statement / inspection report under another framework and/or using another method.

Based on the findings of the Statement of Assurance / Inspection Report, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, data protection provisions of other EU or national law and these Regulations.

C.6 Procedures for audits, including inspections, with the processing of personal data left to sub-processors

The data processor is responsible for the sub-processor following good / standard practices for the processing of personal data. The data processor is responsible for ongoing supervision and for ensuring that good and standard practices are followed.

These terms are valid from May 20, 2020, replacing all previous versions.

Terms version: V.1.2