Data Processing Agreement (GDPR), also called the Personal Data Regulation, applicable from 24/5 2018
The agreement is between:
The customer (you) and the company you represent, and XpressU Aps. The service agreement deals with the use of the software named XpressU.
Note the difference between the company name XpressU Aps and the software XpressU.
The customer and XpressU Aps are referred to jointly as the "parties" and separately as a "party".
The Customer and XpressU Aps have entered into the following data processing agreement for XpressU Aps's processing of personal data on behalf of the Customer.
1. Background, purpose and scope
- This Agreement establishes the rights and obligations that apply when XpressU Aps performs the processing of personal data on behalf of the Customer.
- The agreement is designed to respect the parties' compliance with article 28, paragraph 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information, and repealing Directive 95/46/EC (Data Protection Regulation), which imposes specific requirements on the content of a data processing agreement.
- The primary data processing that XpressU Aps performs is the storage of users of XpressU at the Customer's premises. The customer and users can further edit parts of this data themselves.
- XpressU Aps may only process personal data on documented instructions from the Customer, unless required by EU or National law of the Member States to which XpressU Aps is subject; in this case, XpressU Aps shall inform the Customer of this legal requirement prior to processing, unless the court in question prohibits such notification for reasons of important public interest, as provided for in Article 11(2) of the Basic Regulation. Art 28(3)(a)
- XpressU Aps shall immediately inform the Customer if, in XpressU Aps's opinion, an instruction is in breach of the Data Protection Regulation or data protection provisions of other EU or Member States' national law.
- XpressU Aps shall, as far as possible, assist the Customer in fulfilling the Customer's obligations to respond to requests for the exercise of the data subject's rights, including access, rectification, limitation or deletion, if the relevant personal data is processed by XpressU Aps. If XpressU Aps receives such a request from the data subject, XpressU Aps informs the Customer accordingly.
- The Customer shall be liable for all of XpressU Aps's costs of such assistance, including costs payable to the subcontractor. XpressU Aps's assistance is billed at XpressU Aps's hourly rate applicable at any time for such work.
3. XpressU Aps's use of subcontractors (sub-data processors)
- The customer consents to XpressU Aps's use of subcontractors, provided that the conditions laid down in the agreement are met.
XpressU Aps's subcontractors can be seen at the end of the document under the Subcontractors section.
The subcontractor acts under XpressU Aps's instructions. XpressU Aps has entered into a data processing agreement with the subcontractor, which ensures that the subcontractor meets the requirements imposed on XpressU Aps by the Customer under the agreement.
- Costs associated with establishing the contractual relationship with a subcontractor, including the costs of drawing up the data processing agreement and the possible establishment of the basis for transfer to third countries, are borne by XpressU Aps and are thus of no concern to the Customer.
- Upon conclusion of this agreement, the Customer accepts that XpressU Aps is entitled to change subcontractors, provided that (a) any new sub-processor complies with conditions equivalent to those set out in paragraph 4 for the current sub-processor, and (b) the Customer will be informed by XpressU Aps at the latest at the start of any other sub-data processor's commencement of the processing of personal data for which the Customer is responsible.
- A change of subcontractors must always be disclosed via news on the website and/or e-mail to the contact person, with as much notice as possible.
4. Obligations and rights of the customer
- The customer is responsible for the processing of personal data within the framework of the GDPR and the Data Protection Act to the outside world (including the data subject).
- The customer warrants to have the necessary legal basis for processing the personal data covered by this processing agreement and is responsible for compliance with the use of XpressU.
- The customer is responsible for the availability of the legal basis for the treatment that XpressU Aps is instructed to perform.
5. Security of processing
- XpressU Aps shall implement all measures required under Article 32 of the Data Protection Regulation.
- XpressU Aps shall take appropriate safeguards against the accidental or unlawful destruction, loss or deterioration of personal data and against the disclosure, misuse or other processing of personal data in breach of the law, as referred to in Article 11(2) of Regulation (EC) No 1782/2003. 1.2 above.
- XpressU Aps shall, in agreement with the Customer, assist the Customer as far as possible in ensuring compliance with the obligations of Article 32 of the Regulation (implementation of appropriate technical and organisational measures), 35 (carrying out impact assessment on data protection) and 36 (prior consultation). In this respect, XpressU Aps is entitled to invoice the Customer at its usual hourly rate for all of XpressU Aps's working time that such an agreement might entail for XpressU Aps, just as the Customer is liable for any payment to the subcontractor.
- If, in accordance with paragraph 5.3, the measures referred to in paragraph 5.3 lead to enhanced security measures in relation to what has already been agreed between the Parties under this Agreement, XpressU Aps shall implement such measures as far as possible, provided that XpressU Aps receives payment for it.
6. Prudential Rights
- XpressU Aps provides the Customer with information necessary to demonstrate XpressU Aps's compliance with Article 28 of the Data Protection Regulation and this Agreement and allows and contributes to audits, including inspections by the Customer or another auditor authorized by the Customer.
- The customer's supervision of any subcontractors is generally done through XpressU Aps.
- If the Customer wishes to carry out supervision, the Customer must always give XpressU Aps a notice of at least 30 days in such a connection.
- If the Customer wishes to have a further security audit report prepared, or otherwise, supervision of XpressU Aps or subcontractor's personal data processing, including if the Customer wants the security audit report prepared at a specified time, this is agreed with XpressU Aps. XpressU Aps or subcontractor may at any time require such a security audit report to be prepared in accordance with a recognised audit standard (e.g. ISAE 3402 with reference framework to ISO 27002:2014 or similar) by a generally recognised and independent third party dealing with such matters.
- The Customer incurs all costs related to the supervision of security matters at XpressU Aps and in relation to the subcontractor, including that XpressU Aps is entitled to invoice the Customer at its usual hourly rate for all of XpressU Aps's working time as well as additional costs incurred that such supervision might entail for XpressU Aps, and the Customer is liable for any payment to the subcontractor.
7. Personal Data breach
- If XpressU Aps becomes aware of a personal data breach, where the risk is a breach of security leading to accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access to personal data transmitted, stored or otherwise processed, XpressU Aps shall be obliged to seek, without undue delay, to locate such breach and to limit damage to the fullest extent possible and, to the extent possible, to recover any lost data.
- XpressU Aps is also obliged to notify the Customer without undue delay after becoming aware of a breach of personal data security. XpressU Aps shall then, without undue delay, notify the Customer in writing; the notification shall include, as far as possible:
  - A description of the nature of the breach, including the categories and approximate number of data subjects and records of personal data concerned.
  - Name and contact details of the contact person at XpressU Aps.
  - A description of the likely consequences of the breach.
  - A description of the measures taken or proposed by XpressU Aps or subcontractor to deal with the breach, including measures to limit its possible adverse effects.
- In so far as it is not possible to give the information listed in paragraph 7.2 together, the information may be provided in stages without undue delay.
- XpressU Aps is obliged to notify the controlling authority in the field of personal data within the specified time limits regarding the security breach.
- Similarly, subcontractors are required to notify XpressU Aps without undue delay in accordance with paragraphs 7.2 and 7.3.
8. Transfer of information to third countries or international organisations
- XpressU Aps may only process personal data on documented instructions from the Customer, including as regards the transfer (transfer, transfer and internal use) of personal data to third countries or international organisations, unless required by EU law or the national law of the Member States to which XpressU Aps is subject; in this case, XpressU Aps shall inform the Customer of this legal requirement prior to processing, unless the court in question prohibits such notification for reasons of important public interest, as provided for in Article 11(2) of the Basic Regulation. Art 28(3)(a)
9. Professional secrecy and confidentiality
- XpressU Aps is required to keep the personal data confidential and is therefore only entitled to use the personal data in the performance of its obligations and rights under this Agreement.
- XpressU Aps shall ensure that employees and any other, including subcontractors, who are authorized to process the personal data covered by the agreement are subject to professional secrecy.
- XpressU Aps may not disclose information to third parties without the written consent of the Customer, unless such disclosure is the result of the law or of a binding request by a court or data protection authority, or as stated in this Agreement.
10. Duration and termination of the data processing agreement
- The agreement enters into force upon the customer's acceptance, which is made at first login in XpressU.
- XpressU Aps is bound by this Agreement as long as XpressU Aps processes personal data on behalf of the Customer.
- If XpressU Aps ceases to provide the service (XpressU) to the Customer, the Customer must inform XpressU Aps in writing as soon as possible and within 14 days of termination of the process how XpressU Aps will relate to the processed personal data. No later than 3 months after the termination of the data processing agreement, XpressU Aps is entitled to delete all personal data that has been processed on behalf of the Customer.
- Notwithstanding the termination of the data processing agreement, Clause 9 of the Agreement shall continue to have effect after termination of the data processing agreement.
The subcontractors that can be used when your data is processed in XpressU are listed below.
| Sub Data Processor | Location/Country | Purpose |
|---|---|---|
| Asana | United States | Customer Management and Newsletters |
| Intercom | United States | Support and Help Portal |
| Microsoft Azure | Denmark | Server and Database Hosting |
* Privacy Shield is the legal basis for processing data outside the EU