
Data Processing Agreement

The following Data Processing Agreement ("DPA") has been entered into by The Customer (as defined in the Terms and Conditions) (hereinafter “Data Controller”) as the data controller

and

The Provider (as defined in the Terms and Conditions) (hereinafter “Data Processor”) as the data processor (hereinafter individually referred to as a “Party” and jointly the “Parties”):

1. Personal data and data processing

1.1 As part of the Data Processor’s services to the Data Controller, the Data Processor will, on behalf of the Data Controller, process data relating to employees of the Data Controller. This is the sole category of data subjects (hereinafter the “Individuals”).

1.2 In the DecideAct Solutions ApS terms and conditions, the Parties have mutually set out their understanding of the subject matter of the processing. The period for which the Customer Personal Data will be retained is more fully described in the DecideAct Solutions ApS terms and conditions and accompanying order forms.

1.3 The Data Processor processes, on behalf of the Data Controller, the following categories of personal data (hereinafter “Personal Data”) concerning the Individuals:

  • No Special categories of personal data e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • No Criminal records.
  • No National identification.
  • Only other General categories of personal data: Name, email, title, phone, device ID (if the application is installed on User’s (employee of the Customer) mobile device) and job-related data.

The Data Processor shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Personal Data. The Data Processor shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to the Data Processor of Personal Data. Customer agrees not to provide the Data Processor with any data other than as agreed upon in Sections 1.2 and 1.3 of this Addendum.

1.4 The Data Processor processes, on behalf of the Data Controller, the Personal Data for the following purposes: Strategic implementation, governance and accountability. The DecideAct Solutions ApS terms and conditions, this Addendum, and the Data Controller’s use of the Services’ features and functionality are the Data Controller’s written instructions to DecideAct in relation to Processing the Personal Data.

1.5 The processing by the Data Processor, on behalf of the Data Controller, of the Personal Data includes the following activities:

  • Initialize the service and insert Personal Data
  • Providing remote access to the Data Controller’s Customers of DecideAct Services
  • Storage of Personal Data, ensuring the accessibility, integrity and confidentiality of the systems

1.6 The Data Processor is responsible for storing the Personal Data within the EU/EEA and not transferring the Personal Data to countries outside the EU/EEA without the prior written acceptance of the Data Controller, except transfers that are subject to appropriate safeguards.

2. Instructions and confidentiality

2.1 The Data Processor may only process the Personal Data in compliance with documented instructions from the Data Controller, including transfer of Personal Data to any third country or international organization. If, in exceptional cases, the Data Processor is instructed to process Personal Data, including transferring Personal Data to a third country or an international organization, and this does not follow from the instructions of the Data Controller but is pursuant to EU or member state law to which the Data Processor is subject, then the Data Processor must notify the Data Controller of such legal requirements before commencing the processing unless such notification is prohibited on important grounds of public interest.

2.2 The Data Processor must ensure that employees or persons under the Data Processor’s authority, that are authorized to process Personal Data, have assumed a contractual confidentiality obligation or are subject to a statutory obligation of secrecy.

2.3 The Data Processor must ensure that access to the Personal Data is limited to employees with a work-related need.

2.4 The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach, and follow the procedures in Article 33 of the EU Regulation 2016/679 on General Data Protection (“GDPR”).

3. Security etc.

3.1 To protect the Personal Data, the Data Processor must implement appropriate technical and organisational measures in such a manner that the processing meets the requirements set out in the GDPR. Such measures are determined and adjusted on a regular basis with due consideration for the current technical level, expenses, and the nature, scope, context and purposes of the processing and the risks to the rights of natural persons, cf. Article 32 of the GDPR.

3.2 The Data Processor must ensure that the Personal Data are deleted from every IT system, archive etc. when continued storage no longer serves a fair purpose and as instructed by the Data Controller.

3.3 The Data Processor must inform and train relevant employees on confidentiality relating to the processing of Personal Data and must ensure that the processing is in compliance with the purposes of this Agreement and the instructions of the Data Controller.

3.4 In addition, the Data Processor must, as a minimum, take the following measures:

  1. Physical security: When equipment and mobile units are not used, the equipment and the units must be locked away and/or locked.
  2. Back-up copies: The Personal Data must be backed up routinely. Copies of the Personal Data must be stored separately and with due care in such a manner that the Personal Data can be restored. Instructions to delete Personal Data must include deletion of Personal Data backed up.
  3. Control of access: Access to the Personal Data must be limited by way of a technical control of access. User-ID and password must be personal and may not be assigned at any time. Procedures must be in place for the granting and removing of access.
  4. Logging: A log or similar over access to and processing of the Personal Data must be kept. A register must be available showing those persons who have had access and the processing the individual has conducted.
  5. Communication of data: Communication of the Personal Data must take place using secure communication lines. Personal Data that are transferred outside a closed network controlled by the Data Processor must be protected by encryption.
  6. Destruction of hardware: When equipment or mobile units containing Personal Data are no longer used to process Personal Data, the Personal Data must be permanently deleted from the equipment, ensuring that the data cannot be restored.

4. Sub-processors

4.1 Data Controller hereby confirms its general written authorization for Data Processor’s use of the Sub-processors listed at https://www.decideact.net/sub-processors in accordance with Article 28 of the GDPR to assist it in providing the service and Processing Data provided that such Sub-processors:

  1. agree to act only on Data Processor’s instructions when processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor); and
  2. agree to protect the Personal Data to a standard consistent with the requirements of this DPA. Further, such protection obligations shall be imposed on that Sub-processor by way of a contract or other legal act under EU or Member State law.

4.2 Data Processor agrees and warrants to remain liable to Data Controller for the subcontracted processing services. Data Processor shall maintain an up-to-date list of the names and locations of all Sub-processors at https://www.decideact.net/sub-processors, also available upon request to support@decideact.net. Data Processor shall update the list on its website with any Sub-processor to be appointed at least 30 days prior to the date on which the Sub-processor shall commence processing Personal Data. The Data Controller must sign up to receive email notifications of any such changes. The details of the sign-up process are described at the aforementioned URL.

4.3 In the event that Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-processor as described in Section 4.2, it shall notify Data Processor within 30 days following the update of its online policy above. In such event, Data Processor will either (a) instruct the Sub-processor to cease any further processing of Data Controller’s Personal Data, in which event this DPA shall continue unaffected, or (b) allow Data Controller to terminate this DPA (and any related services agreement with Data Processor) immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Data Controller as of the effective date of termination. Section 7.2 applies upon termination.

4.4 Data Controller’s Services include possible integrations with Third Party Services, including, without limitation, certain Third Party Services which may be integrated directly into Data Controller’s account or instance in the Service. If Data Controller elects to enable, access or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between Data Controller and the provider of such Third Party Services. Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with Data Controller’s enablement, access or use of any such Third Party Services, or Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. The providers of Third Party Services shall not be deemed Sub-processors for any purpose under this DPA.

5. Assistance to the Data Controller

5.1 The Data Processor must assist the Data Controller to ensure that all obligations under Art. 32-36 of the GDPR and other applicable data protection and information security legislation are met, i.e. security measures, notification of supervisory authorities, notification of individuals, preparation of data protection impact assessments and prior consultation of the supervisory authorities.

5.2 Taking into account the nature of the processing, the Data Processor must, to the extent possible and by means of appropriate technical and organisational measures, assist the Data Controller in meeting the Data Controller’s legal obligations to respond to requests for exercising the individuals’ rights laid down in Chapter III of the GDPR. The Data Processor must promptly notify the Data Controller of any communication from a Data Subject regarding the Processing of Personal Data provided by the Data Controller, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Personal Data provided by the Data Controller. The Data Processor will not respond to any such request or complaint unless expressly authorized to do so by the Data Controller or otherwise required to respond under applicable Data Protection Laws. The Data Controller agrees to compensate the Data Processor for time and for expenses incurred in connection with the performance of the Data Processor’s obligations under this Section 5.2.

5.3 The Data Processor must notify the Data Controller of any personal data breaches without undue delay.

5.4 The Data Processor must immediately notify the Data Controller if the Data Processor believes that an instruction violates the General Data Protection Regulation or other data protection provisions in other EU law or member states’ national law.

6. Demonstration of compliance, audits etc.

6.1 The Data Processor must, upon request and without separate remuneration, make all information necessary available to the Data Controller to demonstrate compliance with the obligations of this Agreement, the GDPR and other special legislation.

6.2 The Data Processor must provide means and contribute to audits, including inspections performed by the Data Controller or auditors authorized by the Data Controller, the Danish public authorities, or another competent jurisdiction. The relevant auditor must be subject to confidentiality obligations, either under an agreement or law. The Data Controller agrees to pay the Data Processor for time and for expenses incurred in connection with any assistance provided in connection with this Section 6.2.

7. Term and termination

7.1 This DPA shall take effect when entered into and shall be in force until it is terminated by one of the Parties at 3 months’ notice.

7.2 Unless this DPA is superseded by another DPA, termination of this DPA will likewise result in termination of the Agreement.

7.3 Upon termination of this DPA, the Data Processor must return all Personal Data to the Data Controller or assign the Personal Data to a new Processor on the instruction of the Data Controller, cf. clause 5.5 of the Agreement. Thereafter, the Data Processor must delete all existing copies of the Personal Data immediately, unless EU or member state law prescribes requirements for the continued storage of the Personal Data.

7.4 If, following the termination of this DPA, there is uncertainty as to whether the Data Processor has deleted all the Personal Data, the Data Controller may request the Data Processor to, at the expense of the Data Controller, request an auditor’s statement stating that the data processing no longer takes place and that the Personal Data have been deleted.

8. DURATION

8.1 Notwithstanding clause 7, this DPA will remain in force as long as Data Processor processes Personal Data on behalf of Data Controller.

9. NO CONSEQUENTIAL DAMAGES

LIMITATION ON LIABILITY

9.1 UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS DPA, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA DATA CONTROLLER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF DATA PROCESSOR), BUSINESS INTERRUPTION, LOSS OF GOODWILL, OR FOR ANY OTHER TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER INDIRECT LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ANY THIRD PARTY IN CONNECTION WITH THIS DPA, OR THE SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.

9.2 NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS DPA, THE SAAS AGREEMENT OR THE TERMS AND CONDITIONS, DATA PROCESSOR’S AGGREGATE LIABILITY TO DATA CONTROLLER OR ANY THIRD PARTY ARISING OUT OF THIS DPA AND ANY LICENSE, USE OR EMPLOYMENT OF THE SERVICE, SHALL IN NO EVENT EXCEED THE LIMITATIONS SET FORTH IN THE SAAS AGREEMENT OR THE TERMS AND CONDITIONS.

9.3 FOR THE AVOIDANCE OF DOUBT, THIS SECTION SHALL NOT BE CONSTRUED AS LIMITING THE LIABILITY OF EITHER PARTY WITH RESPECT TO CLAIMS BROUGHT BY DATA-SUBJECTS.
LAST UPDATED: December 20, 2023 by LRG-LBO, DecideAct