1. BACKGROUND, PURPOSE AND SCOPE
1.1 As part of the Data Controller's conclusion of an agreement on hosting the Data Controller's
e-commerce / website platform based on the Data Processor's Accumolo / Masterpiece solution, which
is described in Appendix 1 to the Agreement, the Data Processor processes personal data which
the Data Controller is responsible for.
1.2 The Data Processor must comply with the Personal Data Act (Act no. 429 of 31 May 2000 and later
amendments) with accompanying notices.
1.3 From 25 May 2018, instead of the Personal Data Act, the Data Processor must comply with the
Personal Data Ordinance (Regulation 2016/679 of the European Parliament and of the Council of
27 April 2016 on the protection of natural persons in connection with the processing of personal
data and on the free movement of such information) and related acts as well as national
legislation derived therefrom.
1.4 It is a requirement in both the Personal Data Act and the Personal Data Ordinance that the
Data Controller and the Data Processor enter into a written agreement on the processing to be performed;
a so-called ‘data processor agreement’. This Agreement constitutes such data processor agreement.
2. PERSONAL INFORMATION COVERED BY THE AGREEMENT
2.1 This Agreement and related instructions cover all types of personal information as described in
Appendix 1 to the Agreement. This will primarily be customer information relating to the Data
Controller's customers, and unless otherwise specified in Annex 1, there will be no sensitive
personal data. The personal data will primarily be processed in the Data Processor's
Accumolo / Masterpiece solution in order to process customers' orders.
3. GEOGRAPHICAL REQUIREMENTS
3.1 The Data Controller agrees that the Data Processor may process personal data
outside the European Economic Area (EEA), provided that the Data Processor guarantees
that the third country concerned has an adequate level of protection, or that
the Data Controller, or the Data Processor on behalf of the Data Controller, enters into an
agreement with the sub-processor using the standard contract provisions adopted by the
EU Commission.
4.1 The scope of the tasks that the Data Controller must deliver and support means that,
pursuant to the Parties' agreement to host the Data Controller's e-commerce / website platform,
various forms of processing of personal data will take place. The different types of
processing of personal data are described in Annex 1 to the Agreement.
4.2 The Data Processor only acts in accordance with documented instructions from the Data Controller.
The Data Processor must ensure that the personal data transferred is not used for other purposes or
handled in a different way than what appears from the Data Controller's instructions. All those for
the development of the e-commerce platform necessary and described treatments are considered
4.3 If an instruction is, in the Data Processor's opinion, in violation of the Personal Data Act or
the Personal Data Ordinance, the Data Processor must inform the Data Controller thereof.
4.4 This Agreement and related instructions include the categories of data subjects listed in
4.5 If the processing of personal data by the Data Processor takes place in whole or in part by
use of remote connection, including home workstations, the Data Processor shall establish
guidelines for the processing of personal data by employees using remote
connection, which must otherwise meet the requirements set out in the Agreement.
4.6 The Data Processor shall, as far as possible, assist the Data Controller in fulfilling the Data
Controller's obligations to respond to requests for the exercise of data subjects' rights,
including access, rectification, restriction or deletion, if the relevant personal data is
processed by the Data Processor. If the Data Processor receives such an inquiry from the
data subject, the Data Processor informs the Data Controller accordingly.
4.7 The Data Controller is responsible for all the Data Processor's costs for such assistance, cf.
section 4.6, including to the sub-processor. The Data Processor's assistance is settled at the
Data Processor's current hourly rate for such work.
5. USE OF SUB-DATA PROCESSOR
5.1 The Data Controller gives the Data Processor consent to the use of sub-data processors,
provided that the conditions set out in the Agreement for this are met. The Data Processor notifies
the Data Controller of such sub-processors.
5.2 The sub-data processor is under the Data Processor's instructions. The Data Processor has entered
into a written data processor agreement with the sub-data processor, in which it is ensured that
the sub-data processor meets requirements similar to those imposed on the Data Processor by the
Data Controller under the Agreement.
5.3 Costs associated with establishing the contractual relationship with a sub-processor, including
costs for the preparation of a data processor agreement and the possible establishment of a basis
for transfer to third countries, are borne by the Data Processor and are thus the Data Controller
5.4 Should the Data Controller wish to instruct sub-processors directly, this should
only take place after discussion with and via the Data Processor. If the Data Controller issues
instructions directly to sub-data processors, the Data Controller shall at the same time notify the
Data Processor of the instruction and the background to it. Where the Data Controller instructs
sub-processors directly, a) the Data Processor is exempt from any liability, and any consequence
of such instructions is the sole responsibility of the Data Controller; b) the Data Controller is
responsible for any costs that the instruction may entail for the Data Processor, including that the
Data Processor is entitled to invoice the Data Controller at its usual hourly rate for all
working hours which such direct instruction may entail for the Data Processor; and c) the Data
Controller is personally liable to sub-processors for any costs, remuneration or
other payment to the sub-processor which the direct instruction may entail.
5.5 The Data Processor currently uses the sub-processors listed in Annex 1 to the Agreement
for the technical operation of the services.
5.6 At the conclusion of this Agreement, the Data Controller accepts that the Data Processor is
entitled to change sub-processor, provided that: a) any new sub-processor
complies with conditions similar to those set out in this section 5 for the current
sub-data processor, and b) the Data Controller is informed by the Data Processor of the identity
of the new sub-data processor no later than when that sub-data processor commences the
processing of personal data for which the Data Controller is responsible.
6. PROCESSING AND DISCLOSURE OF PERSONAL INFORMATION
6.1 The Data Controller guarantees to have the necessary authority for the processing of the
personal data covered by this Agreement.
6.2 The Data Processor may not pass on information to third parties without the written consent of
the Data Controller, unless such disclosure follows from the law or from a
request from a court or data protection authority, or it appears from
7.1 The Data Processor shall take appropriate technical and organizational security measures
against the accidental or unlawful destruction, loss or deterioration of personal data, and
against personal data coming to the knowledge of unauthorized persons, being abused or otherwise
processed in violation of the legislation, cf. sections 1.2 and 1.3 above.
The Data Processor shall implement and maintain the security measures described in Annex 2
and otherwise meet the requirements set out in the hosting agreement. The security requirements set
out in Annex 2 constitute the Data Controller's requirements for security conditions at the Data Processor.
7.2 The Data Processor is always entitled to implement alternative security measures,
provided that such security measures provide at least the same or
greater security than the security measures described in Annex 2 and otherwise comply with
the security requirements set out in the hosting agreement. The Data Processor may not impair the
security conditions without the Data Controller's prior written approval.
7.3 The Data Processor shall, in further agreement with the Data Controller, as far as possible, assist
the Data Controller in ensuring compliance with the obligations set out in Articles 32
(implementation of appropriate technical and organizational measures), 35 (implementation of
impact assessment on data protection) and 36 (prior consultation) of the Regulation. In that regard,
the Data Processor is entitled to invoice the Data Controller at its usual hourly rate
for all of the Data Processor's working hours that such an agreement may entail for the Data Processor,
as the Data Controller is liable for any payment to the sub-processor.
7.4 If what is listed in section 7.3 leads to stricter security measures than those
already agreed between the Parties pursuant to this Agreement, the Data Processor shall implement, then
as far as it is
8. SUPERVISORY RIGHT
8.1 The Data Processor shall, at the request of the Data Controller, provide the Data Controller with sufficient
information so that it can ensure that the Data Processor has taken the necessary technical
and organizational security measures.
8.2 To the extent that the Data Controller also wants this to include the processing that takes place
with sub-data processors, the Data Processor is informed of this. The Data Processor then obtains
sufficient information from the sub-processor.
8.3 If the Data Controller wishes to carry out inspections, as stated in this section 8, the Data
Controller shall always give the Data Processor a notice of at least 30 days in such connection.
8.4 If the Data Processor prepares a security audit report which describes the security
conditions of the sub-data processor, the Data Controller is entitled to receive
a copy thereof. A copy of such security audit report shall be sent upon request to
the Data Controller, if the Data Processor has one prepared.
8.5 If the Data Controller wishes to have a security audit report prepared, or
additionally wishes to supervise the Data Processor's or sub-processor's processing of personal
data, including if the Data Controller wants a security audit report prepared
at a specified time, this is agreed in more detail with the Data Processor. The Data
Processor or sub-data processor may at any time require that such a security audit report is
prepared in accordance with a recognized auditing standard (e.g. ISAE 3402 with reference frame
to ISO 27002:2014 or similar) by a generally recognized and independent
third party dealing with such matters.
8.6 The Data Controller bears all costs in connection with the supervision of security matters
at the Data Processor and in relation to the sub-data processor, including that the Data Processor is
entitled to invoice the Data Controller at its usual hourly rate for all of the Data Processor's
working hours that such supervision may entail for the Data Processor, as the Data Controller is
liable for any payment to the sub-processor.
9. PERSONAL DATA SECURITY BREACH
9.1 If the Data Processor becomes aware of a personal data security breach, by which is
meant a breach of security leading to accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of or access to personal data transmitted,
stored or otherwise processed, the Data Processor is obliged without undue delay
to seek to locate such breach and to seek to limit the damage caused as far as possible,
as well as to the extent possible to re-establish any lost data.
9.2 The Data Processor is also obliged to notify the Data Controller without undue delay
after becoming aware that there has been a breach of personal data security.
The Data Processor must then, without undue delay, to the extent possible, provide written
notification to the Data Controller, which shall as far as possible contain:
a) A description of the nature of the breach, including the categories and the approximate
numbers of data subjects concerned and registrations of personal data.
b) Name and contact details of the data protection adviser.
c) A description of the likely consequences of the breach.
d) A description of the measures that the Data Processor or sub-data processor
has taken or proposes to take to deal with the breach, including measures
to limit its potential harmful effects.
9.3 Insofar as it is not possible to give the information listed in section 9.2 together, the
information is communicated step by step without further delay.
9.4 Similarly, sub-data processors are required to notify the Data Processor without undue delay
in accordance with sections 9.2 and 9.3.
10.1 The Data Processor must keep the personal data confidential, and is thus only entitled to
use the personal data as part of the fulfillment of its obligations and rights in accordance
with the Agreement.
10.2 The Data Processor shall ensure that the employees and any others, including sub-data
processors, authorized to process the personal data covered by the Agreement are subject to a
duty of confidentiality.
11. DURATION AND TERMINATION OF THE DATA PROCESSOR AGREEMENT
11.1 The agreement enters into force upon the parties' conclusion of an agreement on hosting Accumolo / Masterpiece.
11.2 In the event that the hosting agreement for Accumolo / Masterpiece terminates, for whatever reason,
the Agreement terminates also. However, the Data Processor is bound by this Agreement for as long as
the Data Processor processes personal data on behalf of the Data Controller. The Data Controller
must, as soon as possible and no later than 14 days after the termination of the hosting agreement,
inform the Data Processor in writing how the Data Processor must deal with the processed personal
data. 30 days after termination of the hosting agreement, the Data Processor is entitled to delete
all personal data which has been processed under the terminated hosting agreement on behalf of the
Data Controller.
Holstebro, March 12, 2018
MCB A/S