
Data Processor Agreement

1. DEFINITIONS

Unless the context or circumstances clearly suggest otherwise, the following capitalized terms shall have the meanings stated below:  

1. The processed personal data

1.1 This Agreement has been entered into in connection with the Parties' conclusion of an agreement on the storage of data and drafting of tenders, proposals and other written outputs with the use of AI, including Appendices (the “Main Agreement”).

1.2 The Data Processor processes the types of personal data on behalf of the Data Controller in relation to the relevant data subjects and data types as specified in Appendix 1.

1.3 The Data Processor may initiate the processing of personal data on behalf of the Data Controller after the Agreement enters into force. The processing has the duration specified in the instructions in Appendix 1 of the Agreement.

1.4 The Agreement and the Main Agreement are interdependent and cannot be terminated separately. However, the Agreement may be replaced with another valid data processor agreement without terminating the Main Agreement.

2. Obligations of the Data Processor

2.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions prepared by the Data Controller, and the Data Processor is, furthermore, obliged to comply with all data protection legislation in force from time to time, including the General Data Protection Regulation and the data protection laws and provisions of a Member State. If EU law or the law of a Member State to which the Data Processor is subject stipulates that the Data Processor is required to process the personal data listed in clause 1.2, the Data Processor must inform the Data Controller of that legal requirement before processing the data. However, this does not apply if this legislation prohibits such information on important grounds of public interest. The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the General Data Protection Regulation or the data protection laws and provisions of a Member State.

2.2 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to Danish data protection legislation in force at any time. These measures are described in more detail in Appendix 1.

2.3 The Data Processor must ensure that employees authorised to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.

2.4 If requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing personal data.

2.5 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights, as laid down in chapter 3 in the General Data Protection Regulation.

2.6 The Data Processor, or any other data processor (sub-data processor), must send requests and objections from data subjects to the Data Controller for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such requests itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections.

2.7 The Data Processor must notify the Data Controller when there is an interruption in operation, a suspicion that data protection rules have been breached, or other irregularities in connection with the processing of the personal data occur. The Data Processor’s deadline for notifying the Data Controller of a security breach is 2 days from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish Data Protection Agency and/or data subjects.

2.8 The Data Processor must make all the necessary information available to the Data Controller, in relation to demonstrating compliance with article 28 of the General Data Protection Regulation and the Agreement. In this connection the Data Processor allows for and contributes to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

2.9 In addition to the above, the Data Processor must assist the Data Controller in ensuring compliance with the Data Controller’s obligations under articles 32-36 of the General Data Protection Regulation. This assistance will take the nature of the processing and the information available to the Data Processor into account.

3. Transfer of data to sub-data processors or third parties

3.1 The Data Processor must comply with the conditions laid down in article 28, paragraphs 2 and 4 of the General Data Protection Regulation when using another data processor (sub-data processor). This implies that the Data Processor shall only use another data processor (sub-data processor) for the fulfilment of the Agreement with a prior specific or general written approval from the Data Controller. The Data Controller hereby grants the Data Processor a general authorisation to enter into agreements with sub-data processors. The Data Processor must notify the Data Controller of any changes concerning the addition or replacement of sub-data processors no later than 2 months prior to the addition or replacement of the sub-data processor entering into force. The Data Controller can make reasonable and relevant objections against such changes within one month. If the Data Processor continues to wish to use a sub-data processor that the Data Controller has objected to, the Parties have the right to terminate the Agreement, cf. clause 5.

3.2 When the Data Controller has approved that the Data Processor can use a sub-data processor, the Data Processor must impose the same obligations on the sub-data processor as set out in the Agreement. This must be executed in a contract or another legal act under EU law or the law of a Member State. It must be ensured, e.g., that sufficient guarantees are provided from the sub-data processor to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the General Data Protection Regulation (“back-to-back” terms).

3.3 If the sub-data processor fails to fulfil its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the sub-data processor’s obligations.

3.4 Disclosure, transfer and internal use of the Data Controller’s personal data to third countries or international organisations may only take place in accordance with documented instructions from the Data Controller – unless this is stipulated by EU law or the law of a Member State to which the Data Processor is subject. If so, the Data Processor must notify the Data Controller of this legal requirement before processing, unless the law prohibits such notification for important grounds of public interests.

3.5 If the personal data stipulated in clause 1.2 is transferred to sub-data processors outside EU/EEA, it must, in the mentioned data processor agreement, be stated that the data protection legislation applicable in the Data Controller's country applies to sub-data processors. Furthermore, if the receiving sub-data processor is established within the EU/EEA, it must be stated in the mentioned data processor agreement that the receiving EU country's specific statutory requirements regarding data processors, e.g. concerning demands for notification to national authorities must be complied with.

3.6 The Data Processor is obliged to enter into written data processor agreements with sub-data processors within the EU/EEA. As for sub-data processors outside the EU/EEA, the Data Processor must ensure the sufficient transfer mechanisms and enter into a sub-data processor agreement by entering into standard agreements in accordance with the EU Commission’s Standard Contractual Clauses Decision 2021/914/EU of 4 June 2021.

3.7 If personal data is transferred to countries outside the EU/EEA without adequate security, the Data Processor must assist the Data Controller with the preparation of a transfer impact assessment (TIA).

3.8 At the time of the signature of this Agreement, the Data Processor engages the sub-data processors listed in Appendix 2.

4. Liability

4.1 The Parties’ liability is governed by the Main Agreement.

4.2 The Parties’ liability in damages under this Agreement is governed by the Main Agreement.

5. Effective date and termination

5.1 This Agreement becomes effective at the same time as the Main Agreement. In the event of termination of the Main Agreement, the Agreement will also be terminated. However, the Data Processor remains subject to the obligations stipulated in this Agreement, as long as the Data Processor processes personal data on behalf of the Data Controller.

5.2 Upon termination of the processing services the Data Processor is obliged to, upon request of the Data Controller, delete or return all personal data to the Data Controller, as well as to delete existing copies, unless retention of the personal data is prescribed by EU law or national law.

6. Governing law and jurisdiction

Any claim or dispute arising from or in connection with this Agreement must be settled by a competent court of first instance in the same jurisdiction

Appendix 1

Categories of data subjects, Types of personal data and Instructions

1. Categories of data subjects:

  • Employees

2. Types of personal data:

Employees:

  • Regular personal data: Name, work email, work phone number, other professional information

  • Sensitive personal data: No

  • Personal identification number: No

  • Criminal records: No

3. Instructions

Service

The Data Processor may process personal data concerning the data subjects for the purpose of the storage of data and drafting of tenders, proposals, and other text outputs with the use of AI.

Security

In accordance with article 32 of the General Data Protection Regulation, the Data Processor must implement appropriate technical and organisational security measures. Thus, the Data Processor is justified and obliged to make further decisions about the necessary technical and organisational security measures that must be implemented to ensure the appropriate (and necessary) security level regarding the personal data.

Retention period and deletion procedure

The personal data is stored at the Data Processor until the Data Controller requests the data to be deleted or returned.

Location of processing

Processing of the personal data covered by the Agreement must not be done without the Data Controller’s prior written consent at locations other than the address of the Data Processor and the addresses of the sub-data processors as listed in Appendix 2.

Inspection of Data Processor

The Data Processor must once every year at the Data Controller’s expense obtain a report or other audit format from an independent third party regarding the Data Processor’s compliance with this Agreement and Appendices.

The report or other audit format must be forwarded to the Data Controller for information as soon as possible, when obtained.

The Data Controller or a Data Controller representative can also conduct inspections, including physical inspections, at the Data Processor, when the Data Controller assesses a need for this.

Any costs related to physical inspection are at the expense of the Data Controller. However, the Data Processor is obliged to allocate the resources (essentially the time) necessary for the Data Controller to conduct the inspection.

Inspection of sub-data processors

The Data Processor must once every year at the Data Controller’s expense obtain a report or other audit format from an independent third party regarding the sub-data processor’s compliance with this Agreement and Appendices.

The report or other audit format must be forwarded to the Data Controller for information as soon as possible, when obtained.

The Data Processor or a Data Processor representative can also conduct inspections, including physical inspections, at the sub-data processor, when the Data Processor assesses a need for this.

Documentation for completed inspections is forwarded to the Data Controller for information as soon as possible.

Appendix 2 

Sub-data Processors

At the time this Agreement enters into force the Data Controller has approved the use of the following sub-data processors.

| Sub-data processor (Tier) | Company name | Reg-no. | Address | Description of processing | Grounds for transfer | Type of service |
|---|---|---|---|---|---|---|
| Sub-data processor (2. Tier) | Microsoft Ireland Operations Limited | IE8256796U | South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland | Utilised by MongoDB for cloud services | Tier 2 Application hosting and customer data storage | Data Storage |
| Sub-data processor (1. Tier) | Microsoft Ireland Operations Limited | IE8256796U | South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland | Customer data being uploaded into an sFTP, to be sent to Qdrant | Application hosting and customer data storage. Receiving data and providing output | Application |
| Sub-data processor (1. Tier) | Qdrant Solutions GmbH | HRB 235335 B | Chausseestrasse 86, 10115 Berlin | Used as a storage facility to keep customer data searchable for the AI solution. | Database used for data search and consolidation | Vector Database |
| Sub-data processor (2. Tier) | Microsoft Ireland Operations Limited | IE8256796U | South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland | Utilised by Qdrant for cloud services | Tier 2 Application hosting and customer data storage | Vector Database |
| Sub-data processor (1. Tier) | MongoDB Limited | IE9793087U | BUILDING TWO, NUMBER ONE BALLSBRIDGE, BALLSBRIDGE, DUBLIN 4 | Database for unstructured data. | Database used for data search and consolidation | Data Storage |
| Sub-data processor (1. Tier) | LLM decided by the customer; standard provider OpenAI | EU372041333 | 548 Market Street PMB 97273 San Francisco, California 94104-5401 United States | Takes snippets of data and rephrases them into the final written output. Sends it back into our application on Azure | Using LLM to rephrase the specific data identified for the requested answer. | LLM |