... Skip to main content
Sign

Data Processing Agreement

Entered into between

 

Controller:
[Insert: Company, address, CVR no.]

Processor:
Design’R’us ApS
CVR no.: 36909676
Trigevej 9
8382 Hinnerup
(“the Processor”, collectively “the Parties” and individually a “Party”)

 


 

Appendices to the Data Processing Agreement

Appendix 1 The Main Service
Appendix 5 The Controller’s obligations
Appendix 6 Sub-processors

1 Background and Purpose

1.1 The Parties have agreed on the delivery of certain services from the Processor to the Controller, as further described in the Parties’ separate agreement in this regard and in Appendix 1 to this agreement (“the Main Services”).

1.2 In this connection, the Processor processes personal data on behalf of the Controller, which is why the Parties have entered into this agreement with underlying appendices (“the Data Processing Agreement”).

1.3 The purpose of the Data Processing Agreement is to ensure that the Processor complies with the data protection regulation applicable at any given time.

 

2 Scope of the Data Processing Agreement

2.1 The Processor is authorised to process the personal data described in further detail in Appendix 1 on behalf of the Controller, on the terms set out in the Data Processing Agreement.

2.2 The Processor may only process personal data on documented instructions from the Controller (“Instructions”). This Data Processing Agreement, including appendices, constitutes the Instructions at the time of signature. Until otherwise determined by the Controller, the Instructions mean that the Processor may carry out all processing necessary to deliver the Main Service.

2.3 To the extent that the data protection regulation applicable at any given time requires amendments to this Data Processing Agreement, the Parties agree that this shall result in renewed negotiation of the content of this Data Processing Agreement.

 

3 Duration of the Data Processing Agreement

3.1 The Data Processing Agreement applies until either (a) the agreement(s) on delivery of the Main Services cease(s) or (b) the Data Processing Agreement is terminated or rescinded.

 

4 The Processor’s obligations

4.1 Technical and organisational security measures
4.1.1 In connection with the Processor’s processing of personal data for the Controller, the Processor is responsible for implementing the necessary (a) technical and (b) organisational security measures.

4.1.2 The security measures must be implemented taking into account the current technical level, the costs of implementation, and the nature, scope, context and purpose of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, and the types of personal data described in Appendix 1.

4.2

Employee matters

4.2.1 The Processor must ensure that employees who process personal data for the Processor have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

4.2.2 The Processor must ensure that access to the personal data is limited to the employees for whom it is necessary to process personal data in order to fulfil the Processor’s obligations towards the Controller.

4.2.3 The Processor must ensure that employees who process personal data for the Processor only process such data in accordance with the Instructions.

4.3 Demonstration of compliance
4.3.1 Upon request, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the requirements of the Data Processing Agreement and shall allow for and contribute to audits, including inspections, carried out by the Controller or another auditor authorised by the Controller. Such a request shall be answered within a reasonable time.

4.3.2 With regard to clause 4.3.1, the Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction infringes data protection legislation or data protection provisions in other EU or national law.

4.4

Security breach

4.5 The Processor shall notify the Controller without undue delay if the Processor becomes aware that a personal data breach has occurred.
4.6 The notification must contain the factual circumstances of the personal data breach, its effects, and the remedial measures taken and planned.
4.7 Assistance
4.7.1 Taking into account the nature of the processing, the Processor shall, as far as possible, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller’s obligation to respond to requests for the exercise of data subjects’ rights.

4.7.2 Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with the obligations relating to the Controller’s:

a) Security of processing,

b) Notification of personal data breaches to supervisory authorities,

c) Communication of personal data breaches to data subjects,

d) Data protection impact assessments, and

e) Prior consultations.

 

5 The Controller’s obligations
5.1 The Controller has the obligations set out in Appendix 5 and in the agreement(s) on delivery of the Main Services.

 

6 Sub-processors

6.1 The Processor may only use a third party for the processing of personal data for the Controller (“Sub-processor”) to the extent stated in (a) Appendix 6 to this Data Processing Agreement, or (b) Instructions from the Controller.

6.2 The Processor and the Sub-processor must enter into a written agreement imposing on the Sub-processor the same data protection obligations as those imposed on the Processor, including pursuant to this Data Processing Agreement.

6.3 The Sub-processor shall also act solely on Instructions from the Controller.

6.4 If a Sub-processor does not comply with the Instructions, the Controller may prohibit the use of the relevant Sub-processor.

6.5 The Processor is directly liable for the Sub-processor’s processing of personal data in the same way as if the processing had been carried out by the Processor itself.

 

7 Transfer to third countries and international organisations

7.1 The Processor may only transfer personal data to a country outside the European Union or the EEA (a “Third Country”) or to international organisations to the extent stated in (a) this Data Processing Agreement, or (b) Instructions from the Controller.

7.2 Transfer of personal data may in all cases only take place if the Processor has ensured a necessary transfer basis, e.g. the European Commission’s Standard Contractual Clauses.

7.3 If, pursuant to the applied transfer basis, it is required that the Controller is a direct party to it, the Processor is authorised to carry this out on behalf of the Controller, e.g. by entering into an agreement using the European Commission’s Standard Contractual Clauses on behalf of the Controller. The Processor must inform the Controller as soon as possible if this authorisation is used.

7.4 Any regulation applicable pursuant to the transfer basis used shall take precedence over the regulation in this Data Processing Agreement, but only in relation to the processing that necessitates the transfer basis; all other processing is governed solely by this Data Processing Agreement.

7.5 When using SMTP2GO (Sand Dune Mail Ltd, New Zealand), transfer to a third country may occur, for example through access to data from the supplier’s organisation. Such transfers may be based on the European Commission’s adequacy decision for New Zealand (GDPR Article 45), and the Processor otherwise ensures the necessary transfer basis pursuant to clause 7.2.

 

8 Data processing outside the Instructions

8.1 The Processor may process personal data outside the Instructions in cases where this is required by EU law or national law to which the Processor is subject.

8.2 When processing personal data outside the Instructions, the Processor must notify the Controller of the reason for this. The notification must be given before the processing is carried out and must include a reference to the legal requirements forming the basis for the processing.

8.3 Notification is not required if such notification would be contrary to EU law or national law.

 

9 Remuneration and costs

9.1 The Processor is entitled to payment based on time spent and the Processor’s other associated costs for the services performed under the Data Processing Agreement at the Controller’s request. The services may include, but are not limited to, changes to the Instructions, assistance with notification of personal data breaches, provision of information, assistance with audits, cooperation with supervisory authorities and help with complying with requests from data subjects.

9.2 The Processor is entitled to payment based on time spent and the Processor’s other associated costs for the services performed under the Data Processing Agreement as a result of changes in the Controller’s circumstances. The services may include, but are not limited to, assistance with changes resulting from new risk assessments and impact assessments, as well as changes necessitated by the Controller being obliged by other legislation.

9.3 The remuneration is calculated according to the agreed hourly rates in the agreement(s) on delivery of the Main Services, and where no hourly rates have been agreed therein, according to the Supplier’s applicable hourly rates.

9.4 Notwithstanding the above, the Processor is not entitled to payment for assistance or implementation of changes to the extent that such assistance or change is a direct consequence of the Processor’s own breach of this Data Processing Agreement.

 

10 CHANGE of the Instructions

10.1 Prior to changes to the Instructions, the Parties shall, to the greatest extent possible, discuss and, where possible, agree on the implementation of the changes, including the implementation time and costs.

10.2 Unless otherwise agreed, the following applies:

a) The Processor must, without undue delay, initiate implementation of changes to the Instructions and ensure that such changes are implemented without undue delay in relation to the nature and scope of the changes.

b) An indicative estimate of the implementation time and costs must be communicated to the Controller without undue delay.

c) Changes to the Instructions shall only be deemed effective once the changes have been implemented, provided that the implementation is carried out in accordance with this clause 10.2, and unless the Controller explicitly states that this clause is to be deviated from.

d) The Processor is exempt from liability for failure to deliver the Main Services to the extent, including in terms of time, that such delivery would be contrary to the amended Instructions or delivery in accordance with the amended Instructions is impossible. This may, for example, be the case (i) where the changes cannot be implemented technically, practically or legally, (ii) where the Controller explicitly states that the changes must apply before implementation is possible, or (iii) during the period until the Parties have carried out any necessary changes to the agreement(s) in accordance with the amendment procedures therein.

 

11 Other provisions

11.1 General
11.1.1 The regulation of the matters dealt with in this clause 11 in the agreement(s) on delivery of the Main Services shall also apply to this Data Processing Agreement, as if this Data Processing Agreement were an integral part thereof. Only in cases where the agreement(s) on delivery of the Main Services do not address the matter shall the provisions in this clause 11 apply to this Data Processing Agreement.

11.2 Liability and limitations of liability
11.2.1 The Parties disclaim all liability for indirect losses and consequential damages, including operating losses, loss of goodwill, loss of savings and revenue, including expenses for recovering lost revenue, loss of interest, loss of data, as well as compensation and damages payable to data subjects and third parties.

11.2.2 The Parties’ liability for all accumulated claims pursuant to this Data Processing Agreement is limited to the total payments pursuant to the Main Services for the 12-month period immediately preceding the damaging act. If the Data Processing Agreement has not been in force for 12 months, the amount is calculated as the agreed payment for the Main Services during the period in which the Data Processing Agreement has been in force, divided by the number of months the Data Processing Agreement has been in force and then multiplied by 12.

11.2.3 The following are not covered by the limitation of liability in this clause 11.2:

a) Losses resulting from the other Party’s grossly negligent or intentional acts.

b) Claims for payment pursuant to Article 82(5) of Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as compensation to the data subject pursuant to section 26 of the Danish Liability for Damages Act.

11.3 Force Majeure

11.3.1 The Processor cannot be held liable for circumstances generally considered to constitute force majeure, including, but not limited to, war, riots, terrorism, insurrection, strikes, fire, natural disasters, currency restrictions, import or export restrictions, disruption of general traffic and communication, interruption or failure of energy supply, public data systems and communication systems, prolonged illness among key employees, viruses, and the occurrence of force majeure at subcontractors.

11.3.2 Force majeure may only be invoked for the number of working days during which the force majeure situation lasts.

11.4 Confidentiality
11.4.1 Information concerning the content of this Data Processing Agreement, the underlying Main Services, and the other Party’s business, which either in connection with its disclosure to the receiving Party is designated as confidential information, or which by its nature or otherwise must clearly be regarded as confidential, shall be treated confidentially and with at least the same care and discretion as the Party’s own confidential information. Data, including personal data, always constitutes confidential information.

11.4.2 The confidentiality obligation does not, however, apply to information which is or becomes publicly available without this being due to a breach of a Party’s confidentiality obligation, or information which is already in the receiving Party’s possession without a corresponding confidentiality obligation, or information which has been independently developed by the receiving Party.

12 Termination

12.1 Termination and rescission
12.1.1 The Data Processing Agreement may only be terminated or rescinded in accordance with the provisions on termination and rescission in the agreement(s) on delivery of the Main Services.

12.1.2 Termination or rescission of this Data Processing Agreement may only take place together with, and entitles to, simultaneous termination or rescission of the parts of the agreement(s) on delivery of the Main Services that concern the processing of personal data pursuant to the Data Processing Agreement.

12.1.3 When the agreement(s) on delivery of the Main Services cease(s), the Data Processing Agreement shall continue to have effect until the personal data has been deleted or returned as described in clause 12.5.

12.2 Effect of termination
12.3 The Processor’s authorisation to process personal data on behalf of the Controller shall cease upon termination of the Data Processing Agreement, regardless of the reason.

12.4 The Processor may continue to process the personal data for up to three months after termination of the Data Processing Agreement to the extent necessary to carry out necessary statutory measures. During the same period, the Processor is entitled to include the personal data in the Processor’s usual backup procedure. The Processor’s processing during this period shall continue to be considered as taking place in compliance with the Instructions.

12.5 The Processor and its Sub-processors must return all personal data processed by the Processor under this Data Processing Agreement to the Controller upon termination of the Data Processing Agreement, to the extent that the Controller is not already in possession of the personal data. The Processor is thereafter obliged to delete all personal data from the Controller. The Controller may request necessary documentation that this has been done.

12.6 The Processor is entitled to anonymise the personal data in such a way that it cannot later be de-anonymised again, and thereafter use the anonymous data for its own purposes both during the term of this Data Processing Agreement and going forward.

12.7 Notwithstanding termination of the Data Processing Agreement, clauses 11.2, 11.4, 12.4, 12.6 and 13 of the agreement shall continue to have effect after termination of the Data Processing Agreement.

13 Dispute resolution

13.1 The Data Processing Agreement is governed by Danish law, with the exception of (a) rules leading to the application of law other than Danish law and (b) the United Nations Convention on Contracts for the International Sale of Goods (CISG).

13.2 If the Parties are unable to reach a solution through negotiation, the Parties are entitled to require the dispute to be finally decided by legal proceedings before the ordinary courts. However, the rules of referral in the Danish Administration of Justice Act to the High Court and the Maritime and Commercial High Court shall continue to apply.

14 Precedence

14.1 In the event of conflict between this Data Processing Agreement and the agreement(s) on delivery of the Main Services, this Data Processing Agreement shall take precedence, unless otherwise follows directly from the Data Processing Agreement.

15 Signatures

15.1 The contract is signed digitally by the Controller at
https://www.designrus.dk/persondatalovgivning, and is registered with a date stamp on the Processor’s website – www.designrus.dk

 


 

Appendix 1

The Main Service

 

1 Purpose and Main Service
1.1 The purpose of the processing pursuant to this Data Processing Agreement is to deliver the Main Service consisting of operation, hosting, maintenance and support of websites and related services, including sending emails on behalf of the Controller via SMTP services, including Mailjet and SMTP2GO, as well as necessary logging of delivery metadata for operation, security, troubleshooting and documentation.

2 Personal data
2.1 Types of personal data processed in connection with delivery of the Main Service:

a) Ordinary personal data, including name, email address, telephone number, position, company name, IP address, timestamps, user agent, content of enquiries, e.g. contact forms, as well as technical delivery data from email sending, e.g. status, bounces, error codes and delivery metadata.

b) As a general rule, the Processor is not instructed to process CPR numbers, special categories of personal data or information about criminal convictions and offences. If such information exceptionally occurs in free-text fields or in submitted material from the Controller, it is processed only to the extent strictly necessary to provide support and error handling, and planned processing requires a separate written agreement.

2.2 The categories of data subjects, identified or identifiable natural persons, covered by the Data Processing Agreement:

a) For example: employees

b) For example: clients

c) For example: customers

d) For example: children. If relevant, please indicate whether the children are aged 0-12 years or 13-18 years.

3. Retention period

3.1 Delivery and activity logs with email delivery providers are generally stored for a short period for troubleshooting and documentation. For SMTP2GO, as a general rule, Activity data is visible for 30 days and deleted after 35 days, unless the Controller gives written instructions for another retention period, e.g. extended storage or archiving.

3.2 Any extended storage or archiving of full email content, e.g. email body and attachments, is only activated following documented instructions from the Controller.

 


 

Appendix 5

The Controller’s obligations

 

1 Obligations
1.1 The Controller has the following obligations

1.1.1 The Controller is responsible for complying with the data protection legislation applicable at any given time in relation to the personal data entrusted to the Processor for processing. In this respect, the Controller is particularly responsible for and warrants that:

  • The specification in Appendix 1 is exhaustive and that the Processor can act accordingly, including in relation to determining necessary security measures.
  • The Controller has the necessary legal basis to process and to entrust the Processor with processing the personal data processed in connection with delivery of the Main Services.
  • The issued Instructions, pursuant to which the Processor must process personal data on behalf of the Controller, are lawful.

1.1.2 The Controller shall inform the Processor in writing of any completed impact assessments that are relevant to the entrusted processing activities, and the Controller shall at the same time provide the Processor with necessary insight into the assessment so that the Processor can fulfil its obligations under the Data Processing Agreement.

1.1.3 The Controller shall otherwise inform the Processor of matters relevant to the Processor’s performance of its obligations under the Data Processing Agreement, including, among other things, the Controller’s ongoing risk assessment, to the extent relevant to the Processor.

1.1.4 The Controller shall also inform the Processor if the data protection legislation applicable at any given time in relation to the personal data entrusted to the Processor for processing includes legislation other than Act no. 429 of 31/05/2000, as subsequently amended, on the processing of personal data (the Danish Data Protection Act) or Regulation (EU) 2016/679 of the European Parliament and of the Council, including subsequent adaptations of Danish law resulting from this regulation.

1.1.5 The Controller shall assist the Processor in entering into agreements with Sub-processors to the extent necessary, including to ensure a transfer basis for third countries.

 


 

Appendix 6

Sub-processors

 

1. General
1.1 The Controller hereby gives its prior general written approval for the Processor to use the Sub-processors listed below for delivery of the Main Service:

a) Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Purpose: Hosting, server operation and backup in connection with operation of websites and related services.

b) Sinch AB (publ) / Sinch Email (Mailjet)
Purpose: Sending emails (SMTP), delivery logging, statistics and troubleshooting.
Data location: Mailjet states that data is stored in the EU (Frankfurt, Germany and Saint Ghislain, Belgium).
DPA and sub-processors: Sinch DPA and Sinch sub-processor list (applies to relevant services and regions).

c) SMTP2GO (Sand Dune Mail Ltd), 96-106 Manchester Street, Christchurch 8011, New Zealand
Purpose: Sending emails (SMTP), delivery logging and troubleshooting.
Data location: For EU and UK customers, processing may take place via an EU data centre in Amsterdam (local processing via EU/UK servers).
Sub-processors: SMTP2GO sub-processor list.
DPA: Available in the SMTP2GO dashboard (Settings > Display Settings).

1.2 The Processor may add or replace Sub-processors when this is necessary for delivery of the Main Service. The Processor must give the Controller written notice at least 30 days before a new Sub-processor is used or an existing one is replaced, unless the change is due to circumstances outside the Processor’s control, e.g. termination by a supplier.

1.3 The Controller may submit a written objection to the change within 14 days after receiving notice if there are objective grounds. The Parties shall then cooperate loyally to find a solution, e.g. an alternative supplier or a changed setup. If no solution can be found, the Controller may terminate the part of the Main Service that necessitates the relevant Sub-processor.

1.4 The Processor shall ensure that each Sub-processor is subject to written obligations that at least correspond to the Processor’s obligations under this Data Processing Agreement.

1.5 The Controller may only withhold such approval if there are specific and reasonable grounds for doing so.

1.6 The Controller hereby gives its prior general written approval for the Processor to use a Sub-processor. The Processor must notify the Controller in writing of the addition or replacement of a Sub-processor before its use begins. Similarly, the Processor must notify the Controller of the cessation of use of a Sub-processor.

1.7 The Controller has the opportunity to object to such Sub-processor to the extent that there is a reasonable ground for doing so.