(GDPR) of 30/5 2018
This agreement is between The customer (you) & the company you represent, and XpressU Aps. The service agreement deals with the use of software named XpressU.
Please note the disticton between the company XpressU Aps and Software XpressU.
The customer and XpressU Aps can be mentioned as “the parties” and separately as “the part”
The customer and XpressU Aps have agreed upon the following data processing agreement on XpressU Iv’s processing of personal data on behalf of the Customer.
1. Background, purpose and scope
This agreement handles the purpose when XpressU Aps processes personal data on behalf of the Customer.
The agreement is designed for the parties to comply with Article 28 (2). 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free exchange of such information and repealing Directive 95/46 / EC (Data Protection Regulation) ), which sets specific requirements for the content of a data processing agreement.
2. Instructions
- The primary data processing performed by XpressU Aps is the retention of users of XpressU by the Customer. The customer and users can further edit parts of this data themselves.
- XpressU Aps may only process personal data in accordance with documented instructions from the Customer, except as required by EU or national law to which XpressU Aps is subject; in such case, XpressU Aps shall notify the Customer of this legal claim before processing, unless the court concerned prohibits such notification for the sake of important societal interests, cf. Art 28 (2). 3, point a.
- XpressU Aps shall immediately notify the Customer if an instruction in the opinion of XpressU Aps contravenes the Data Protection Regulation or data protection provisions of other EU or national law.
- XpressU Aps shall, as far as possible, assist the Customer in fulfilling the Customer’s obligations to respond to requests for the exercise of the data subjects’ rights, including access, rectification, limitation or deletion, if the relevant personal data is processed by XpressU Aps. If XpressU Aps receives such a request from the registered person, XpressU Aps will notify the Customer thereof.
- The customer is liable for all XpressU Iv’s costs for such assistance, including to subcontractors. XpressU Iv’s assistance is charged to XpressU Aps at any given hourly rate for such work.
3. XpressU Aps, use of subcontractors
- The Customer gives XpressU Iv’s consent to the use of subcontractors, provided that the conditions set out in the agreement are met. XpressU Iv’s subcontractors can be seen at the end of the document under the subcontractors section. Subcontractor is under XpressU Iv’s instructions. XpressU Aps has entered into a data processing agreement with a subcontractor in which it is ensured that the subcontractor meets the requirements corresponding to those made to XpressU Aps by the Customer pursuant to the agreement.
- Costs incurred in establishing the contractual relationship with a subcontractor, including costs for the preparation of a data processing agreement and the possible establishment of a basis for transfer to third countries, impose on XpressU Aps and thus the Customer is unauthorized.
- By signing this Agreement, the Customer accepts that XpressU Aps is entitled to switch subcontractors, provided that: a) any new sub-processor complies with the same conditions as set out in cl. And b) The Customer is informed by XpressU Aps at the latest at the commencement of any other sub-processor of the processing of personal data for which the Customer is responsible.
- Change of subcontractors must always be notified either via news on the website and / or e-mail to the contact person, as soon as possible.
4. Customer’s obligations and rights
- The customer is primarily responsible to the outside world (including the data subject) for the processing of personal data within the framework of the Data Protection Regulation and the Data Protection Act.
- The Customer warrants that it has the necessary legal authority to process the personal data covered by this data processing agreement and is responsible for compliance with the use of XpressU.
- The customer is responsible for providing the basis for the treatment that XpressU Aps is instructed to perform.
5. Security of processing
- XpressU Aps takes all measures required under Article 32 of the Data Protection Regulation.
- XpressU Aps shall take appropriate security measures against accidental or unlawful destruction, forfeiture or deterioration of personal data, as well as against personal information coming to the attention of unauthorized persons, misused or otherwise processed in contravention of the law, cf. 1.2 above.
- XpressU Aps, in agreement with the Customer, shall, as far as possible, assist the Customer in ensuring compliance with the obligations laid down in Article 32 of the Regulation (implementation of appropriate technical and organizational measures), 35 (conducting impact assessment on data protection) and 36 (prior consultation). In this connection, XpressU Aps is entitled to invoice the Customer at its usual hourly rate for all XpressU Aps working hours which such an agreement may entail for XpressU Aps, and the Customer is liable for any payment to a subcontractor.
- If it is in par. 5.3 Leads to enhanced security measures in relation to what has already been agreed between the parties pursuant to this Agreement, XpressU Aps implements such measures as far as possible provided that XpressU Aps receives payment thereof.
6. Inspection
- XpressU Aps provides information necessary to demonstrate XpressU Iv’s compliance with Article 28 of the Data Protection Regulation and this Agreement and provides and contributes to audits, including inspections carried out by the Customer or another authorized auditor. by the Customer.
- The customer’s supervision of any subcontractors is usually done through XpressU Aps.
- If the Customer wishes to conduct supervision, the Customer must always give XpressU Aps a notice of at least 30 days in such connection.
- If the Customer wishes to have an additional security audit report prepared, or if further supervision is required of XpressU Aps or the subcontractor’s personal data processing, including if the Customer wants a security audit report prepared at a specific time, this is agreed with XpressU Aps. XpressU Aps or its subcontractor may at any time require such a security audit report to be prepared in accordance with a recognized auditing standard (e.g., ISAE 3402 with reference to ISO 27002: 2014 or similar) by a generally recognized and independent third party dealing with such matters.
- Customer incurs all costs related to oversight of safety issues at XpressU Aps and in relation to subcontractors, including XpressU Aps is entitled to invoice the Customer at its usual hourly rate for all XpressU Aps working hours and any additional costs that such oversight may entail for XpressU That is, just as the Customer is liable for any payment to a subcontractor.
7. Security Breach of Personal Data
- If XpressU Aps becomes aware of a personal data breach which means a breach of security leading to accidental or unlawful destruction, loss, alteration and unauthorized disclosure or access to personal data transmitted, stored or otherwise processed, XpressU Aps is obliged, without undue delay, to seek to locate such a breach and to limit the damage sustained to the greatest extent possible and – to the extent possible – to recover any lost data.
- XpressU Aps is also obliged to notify the Customer without undue delay after becoming aware of a breach of the personal data security. XpressU Aps shall then, without undue delay, to the extent possible, give written notice to the Customer, which shall contain as far as possible:
- A description of the nature of the breach, including the categories and the approximate number of data subjects concerned and records of personal data.
- Name and contact information of the contact person at XpressU Aps.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed by XpressU Aps or its subcontractor to deal with the breach, including measures to mitigate its potential adverse effects.
- If it is not possible to give them in par. 7.2 information provided together, the information may be provided incrementally without undue delay.
- XpressU Aps is required to notify the Controlling Authority in the field of personal data within the time limits set for the breach of security.
- Similarly, subcontractors are required, without undue delay, to notify XpressU Aps in accordance with clause. 7.2 and 7.3.
8. Transfer of information to third countries or international organizations
- XpressU Aps may only process personal data in accordance with documented instructions from the Customer, including with regard to the transfer (transfer, disclosure and internal use) of personal data to third countries or international organizations, except as required by EU or national law, such as XpressU Aps is subject; in such case, XpressU Aps shall notify the Customer of this legal claim prior to processing, unless the court concerned prohibits such notification for the sake of important societal interests, cf. Art 28 (2). 3, point a.
9. Confidentiality
- XpressU Aps is required to keep the personal information confidential and is therefore only entitled to use the personal data as part of the fulfillment of its obligations and rights under this agreement.
- XpressU Aps must ensure that employees and any others, including subcontractors authorized to process the personal data covered by the agreement, are subject to a duty of confidentiality.
- XpressU Aps may not disclose information to third parties without the written consent of the Customer, unless such disclosure is made by law or by a binding request of a court or data protection authority, or as stated in this agreement.
10. Duration and Termination of the GDPR
- The Agreement comes into effect upon Customer acceptance, made upon initial login to XpressU.
- XpressU Aps is bound by this agreement as long as XpressU Aps processes personal data on behalf of the Customer.
- If XpressU Aps ceases to provide service (XpressU) to the Customer, the Customer must inform XpressU Aps in writing as soon as possible and within 14 days of the termination, how XpressU Aps should treat the personal data processed. Within 3 months of the termination of the data processing agreement, XpressU Aps is entitled to delete all personal data that has been processed on behalf of the Customer.
- Regardless of the termination of the data processing agreement, the agreement must 9 continue to take effect after the termination of the data processing agreement.
Subcontractors
Below is a description of which subcontractors can be used when your data is processed in XpressU.
Subcontractor | Location/country | Purpose |
Asana | USA* | CRM |
Intercom | USA* | Support og help desk |
E-conomic | Denmark | Invoicing |
Microsoft Azure | Denmark | Server and database hosting |
* Privacy Shield is the legal basis for processing data outside the EU