Christensen Kjærulff

Data processing agreement

Background to the data processing agreement

This agreement sets out the rights and obligations that apply when the data processor processes personal data on behalf of the data controller.

The agreement is designed for compliance by the parties with article 28, paragraph 3 of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.

The data processor's processing of personal data takes place in order to meet the contents of the engagement letter.

The data processing agreement and the engagement letter are interdependent and cannot be terminated separately. However, the data processing agreement may - without terminating the main agreement, cf. the engagement letter - be replaced by another valid data processing agreement.

This data processing agreement takes precedence over any similar provisions in other agreements between the parties, including the engagement letter.

This data processing agreement does not release the data processor from obligations imposed directly on the data processor by the General Data Protection Regulation or any other legislation.

Personal data comprised by the agreement

This agreement covers all types of personal data necessary for the purposes of the agreement between the parties, including civil registration numbers, names (both the customer's employees and the customer's customers), trade union, pension and account numbers, etc.

The category of data subjects will primarily include the data controller's employees, and depending on the task, also the data controller's customers or associates.

The collection of personal data takes place in order for the data processor to meet his obligations stipulated in the main agreement.

The data controller’s obligations and rights

Towards the outside world (including the data subject), the data controller generally has the responsibility for the processing of personal data taking place within the framework of the General Data Protection Regulation and the Danish Data Protection Act.

Consequently, the data controller has both the right and the obligation to decide for what purposes and with which aids processing can take place.

Among other things, the data controller is responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to do.

The data processor is acting according to instructions

The data processor may only process personal data according to documented instructions from the data controller unless required under EU law or the national law of the member states to which the data processor is subject. In that case, the data processor shall notify the data controller of this legal requirement before processing, unless the law in question prohibits such notification for reasons of important social interests, cf. article 28, paragraph 3(a).

The data processor shall promptly notify the data controller if, in the data processor’s opinion, an instruction is in breach of the General Data Protection Regulation or any data protection provisions of other EU law or national law of the member states.

Confidentiality

The data processor ensures that only those persons currently authorised to do so have access to the personal data processed on behalf of the data controller. Consequently, access to the information must be terminated immediately if the authorisation is withdrawn or expires.

Only such individuals may be authorised for whom it is necessary to have access to the personal data in order to meet the data processor's obligations to the data controller.

The data processor ensures that the persons authorised to process personal data on behalf of the data controller have committed themselves to confidentiality or are subject to appropriate statutory confidentiality.

At the request of the data controller, the data processor must be able to demonstrate that the relevant employees are subject to the above confidentiality obligation.

Security of processing

The data processor initiates all measures required by article 32 of the General Data Protection Regulation.

The application of sub data processors

The data processor must comply with the conditions set out in article 28, paragraphs 2 and 4 of the General Data Protection Regulation in order to make use of another data processor (sub data processor).

Thus, the data processor must not use another data processor (sub data processor) in order to meet the contents of the data processing agreement without prior specific or general written approval from the data controller.

When changing sub data processors, the data processor must notify the data controller of the replacement no later than 30 days before the sub data processor is replaced. The data controller has the possibility of objecting to such a replacement if the data controller has justified reasons.

When the data processor has the data controller's consent to use a sub data processor, the data processor undertakes to impose the same data protection obligations on the sub data processor as provided in this data processing agreement, through a contract or another legal document under EU law or the national law of the member states, which in particular provides the necessary guarantees that the sub data processor will implement the appropriate technical and organisational measures in such a way that the processing complies with the requirements of the General Data Protection Regulation.

If the sub data processor does not meet his data protection obligations, the data processor remains fully liable to the data controller for the performance of the sub data processor's obligations.

[At the entry into force of the data processing agreement, the data controller has approved the use of the following sub data processors:

Name | Company reg. no. | Category of processing
None

If the data processor intends to use other sub data processors, this may only take place with the approval of the data controller.]

or

[At the entry into force of the data processing agreement, the data controller has approved the use of sub data processors. A list of sub data processors used by the data processor can be obtained from the data processor. If the data processor intends to use other sub data processors, this may only take place with the approval of the data controller.]

Transfer of data to third countries/international organisations

The data processor may only process personal data according to documented instructions from the data controller, including transfer (handover, disclosure and internal use) of personal data to third countries or international organisations, unless required under EU law or the national law of the member states to which the data processor is subject. In that case, the data processor shall notify the data controller of this legal requirement before processing, unless the law in question prohibits such notification for reasons of important social interests, cf. article 28, paragraph 3(a).

Assistance to the data controller

By means of appropriate technical and organisational measures, the data processor shall, as far as possible and taking the nature of the processing into account, assist the data controller in meeting the data controller’s obligations to respond to requests for the exercise of the data subjects' rights as laid down in article 3 of the General Data Protection Regulation.

The data processor assists the data controller in ensuring compliance with the data controller's obligations under articles 32-36 of the General Data Protection Regulation, taking into consideration the nature of the processing and the data available to the data processor, cf. article 28, paragraph 3(f). In this connection, the data processor may issue an invoice to the data controller for his administrative costs on a one-to-one basis.

Notification of breaches of personal data security

The data processor informs the controller without undue delay after having become aware that there has been a breach of personal data security by the data processor or any sub data processor.

The data processor's notification to the data controller must, if possible, take place no later than 12 hours after having become aware of the breach, enabling the data controller to comply with his or her obligation to report the breach to the supervisory authority within 72 hours.

Deletion and return of data

Upon termination of the processing services, the data processor is obliged, at the data controller’s choice, to delete or return all personal data to the data controller, as well as to delete existing copies, unless EU law or national law prescribes the retention of personal data.

Unless otherwise agreed, the data processor will, after termination of the agreement, delete the personal data after 30 days, unless Danish law requires otherwise.

Inspection and audit

The data processor makes available to the data controller all information necessary to demonstrate compliance of the data processor with Article 28 of the General Data Protection Regulation and this agreement, and allows and contributes to audits, including inspections by the controller or another auditor authorised by the data controller.

If the data controller wishes to conduct an inspection, the data controller must in such case always give the data processor a notice of at least 30 days.

If the data processor or the sub data processor has been issued a security statement (according to recognised international standard), describing the security conditions of the data processor/sub data processor, the data controller must first be satisfied with such conditions.

The data controller incurs all costs in connection with the inspection of the data processor and in relation to the sub data processors. This includes the data processor being entitled to invoice the data controller at his usual hourly rate for all the working time that such an inspection causes the data processor, and likewise, the data controller is liable for any payment to the sub data processor.

Effective date and termination

This agreement shall become effective on both parties’ signature on the engagement letter.

Both parties may require the agreement to be renegotiated if changes in law or inconsistency in the agreement give rise to this.

Termination of the data processing agreement may be made in accordance with the terms of termination stated in the main agreement, including the term of notice.

The agreement applies as long as the processing is in progress. Irrespective of the termination of the main agreement and/or the data processing agreement, the data processing agreement will remain in effect until termination of the processing and the deletion of the data by the data processor and any sub data processors.

Copenhagen, July 5 2023.

CHRISTENSEN KJÆRULFF

STATE AUTHORIZED PUBLIC ACCOUNTANT COMPANY

We will continuously update the data processing agreement so that it fits current legislation.
