Legal notice

DATA PROCESSING AGREEMENT

Pursuant to Article 28(3) of Regulation (EU) 2016/679 (the General Data Protection Regulation), with respect to the data processor's processing of personal data, between the organization (hereinafter "the data controller") and the company named below (hereinafter "the data processor"), each of which is a "party" and which together constitute "the parties":

Metaceutic ApS

Vandtårnsvej 62A 

2860 Søborg

Denmark

CVR: 40638350

Have agreed to the following standard contractual clauses (the Clauses), in order to comply with the General Data Protection Regulation and ensure the protection of privacy and fundamental rights and freedoms of natural persons.

Preamble

1. These Clauses set out the data processor's rights and obligations when processing personal data on behalf of the data controller.

2. These provisions are designed to enable the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

3. In connection with the delivery of the service, the "Niomi app" and Niomi's website, the data processor processes personal data on behalf of the data controller in accordance with these Clauses.

4. The Clauses take precedence over any corresponding provisions in other agreements between the parties.

5. Four annexes are attached to these Clauses, and the annexes form an integral part of the Clauses.

6. Annex A contains detailed information about the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects, and the duration of the processing.

7. Annex B contains the data controller's conditions for the data processor's use of sub-processors and a list of sub-processors whose use the data controller has approved.

8. Annex C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how supervision of the data processor and any sub-processors is conducted.

9. Annex D contains provisions regarding other activities not covered by the Clauses.

10. The Clauses with associated annexes must be stored in writing, including electronically, by both parties.

11. These Clauses do not release the data processor from obligations imposed on the data processor under the General Data Protection Regulation or any other legislation.

The Data Controller's Rights and Obligations

1. The data controller is responsible for ensuring that the processing of personal data complies with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU law or Member States' national law, and these Clauses.

2. The data controller has the right and duty to make decisions about the purpose(s) and means by which personal data may be processed.

3. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.

The Data Processor Acts on Instructions

1. The data processor may only process personal data on documented instructions from the data controller, unless required to do so by EU law or Member States' national law to which the data processor is subject. This instruction must be specified in Annexes A and C. Subsequent instructions may also be given by the data controller while processing of personal data is taking place, but the instruction must always be documented and stored in writing, including electronically, together with these Clauses.

2. The data processor shall immediately notify the data controller if, in the processor's opinion, an instruction violates the General Data Protection Regulation or data protection provisions in other EU law or Member States' national law.

Confidentiality

1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's authority to give instructions, who have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality, and only to the extent necessary. The list of persons who have been granted access must be reviewed continuously. Based on this review, access to personal data can be revoked if access is no longer necessary, and the personal data must thereafter no longer be accessible to these persons.

2. Upon request from the data controller, the data processor must be able to demonstrate that the persons concerned who are subject to the data processor's authority to give instructions are subject to the above confidentiality obligation.

Processing Security

1. Article 32 of the General Data Protection Regulation states that the data controller and the data processor, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to these risks.

The data controller must assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address these risks. Depending on their relevance, this may include:

  • Pseudonymization and encryption of personal data
  • The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
  • A procedure for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security

2. Under Article 32 of the Regulation, the data processor must, independently of the data controller, also assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address these risks. For this assessment, the data controller must make the necessary information available to the data processor to enable it to identify and assess such risks.

3. In addition, the data processor must assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation by, among other things, making available to the data controller the necessary information regarding the technical and organizational security measures that the data processor has already implemented pursuant to Article 32 of the Regulation, and any other information necessary for the data controller's compliance with that obligation.

If addressing the identified risks, in the data controller's assessment, requires implementation of additional measures beyond those that the data processor has already implemented, the data controller must specify the additional measures to be implemented in Annex C.

Use of Sub-processors

1. The data processor must comply with the conditions referred to in Article 28(2) and (4) of the General Data Protection Regulation to engage another processor (a sub-processor).

2. The data processor may therefore not engage a sub-processor to fulfill these Clauses without the prior written approval of the data controller.

3. The data processor may only engage sub-processors with the data controller's prior specific written approval. The data processor must submit the request for specific approval at least 30 days before engaging the sub-processor in question. The list of sub-processors that the data controller has already approved is set out in Annex B.

4. When the data processor engages a sub-processor to perform specific processing activities on behalf of the data controller, the data processor must, through a contract or other legal instrument under EU law or Member States' national law, impose on the sub-processor the same data protection obligations as those set out in these Clauses, thereby providing sufficient guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing meets the requirements of these Clauses and the General Data Protection Regulation.

The data processor is therefore responsible for requiring that the sub-processor, as a minimum, complies with the data processor's obligations under these Clauses and the General Data Protection Regulation.

5. Sub-processor agreement(s) and any subsequent amendments thereto shall, upon request by the data controller, be sent in copy to the data controller, thereby enabling the data controller to ensure that equivalent data protection obligations as follow from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement need not be sent to the data controller.

6. The data processor must include the data controller as a third-party beneficiary in its agreement with the sub-processor in the event of the data processor's bankruptcy, so that the data controller can step into the data processor's rights and enforce them against the sub-processor, for example by instructing the sub-processor to delete or return personal data.

7. If the sub-processor fails to fulfill its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-processor's obligations. This does not affect data subjects' rights under the General Data Protection Regulation, including in particular Articles 79 and 82 of the Regulation, against the data controller and the data processor, including the sub-processor.

Transfer to Third Countries or International Organizations

1. Any transfer of personal data to third countries or international organizations may only be carried out by the data processor on the basis of documented instructions from the data controller and must always comply with Chapter V of the General Data Protection Regulation.

2. If transfer of personal data to third countries or international organizations that the data processor has not been instructed to carry out by the data controller is required under EU law or Member States' national law to which the data processor is subject, the data processor must inform the data controller of this legal requirement before processing, unless the law in question prohibits such notification on important grounds of public interest.

3. Without documented instructions from the data controller, the data processor may therefore not, within the framework of these Clauses:

  • Transfer personal data to a data controller or data processor in a third country or international organization
  • Assign processing of personal data to a sub-processor in a third country
  • Process personal data in a third country

4. The data controller's instructions regarding transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, must be specified in Annex C.6.

5. These Clauses should not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the General Data Protection Regulation, and these Clauses cannot constitute a basis for transfer of personal data as referred to in Chapter V of the General Data Protection Regulation.

Assistance to the Data Controller

1. The data processor shall assist, taking into account the nature of the processing, as far as possible, the data controller by means of appropriate technical and organizational measures with the fulfillment of the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the General Data Protection Regulation.

This means that the data processor must, as far as possible, assist the data controller in ensuring compliance with:

  a. The obligation to provide information when collecting personal data from the data subject
  b. The obligation to provide information if personal data has not been collected from the data subject
  c. The right of access
  d. The right to rectification
  e. The right to erasure ("the right to be forgotten")
  f. The right to restriction of processing
  g. Notification obligation regarding rectification or erasure of personal data or restriction of processing
  h. The right to data portability
  i. The right to object
  j. The right not to be subject to a decision based solely on automated processing, including profiling

2. In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3, the data processor shall also assist, taking into account the nature of the processing and the information available to the data processor, the data controller with:

  a. The data controller's obligation to notify a personal data breach to the competent supervisory authority, the Danish Data Protection Agency, without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

  b. The data controller's obligation to communicate a personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons

  c. The data controller's obligation to carry out, prior to processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment)

  d. The data controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk

3. The parties must specify in Annex C the necessary technical and organizational measures by which the data processor must assist the data controller, and to what extent and scope. This applies to the obligations arising from Clauses 9.1 and 9.2.

Notification of Personal Data Breaches

1. The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred.

2. The data processor's notification to the data controller must, where possible, occur no later than 24 hours after becoming aware of the breach, so that the data controller can comply with their obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.

3. In accordance with Clause 9.2.a, the data processor must assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information which, according to Article 33(3), must be included in the data controller's notification of the breach to the competent supervisory authority:

  • The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  • The likely consequences of the personal data breach
  • The measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

4. The parties must specify in Annex C the information that the data processor must provide in connection with assisting the data controller in their obligation to notify personal data breaches to the competent supervisory authority.

Deletion and Return of Data

1. Upon termination of services relating to processing of personal data, the data processor is obliged to either a) delete all personal data that has been processed on behalf of the data controller and confirm to the data controller that the data has been deleted, or b) return all personal data and delete existing copies, unless EU law or Member States' national law requires storage of the personal data.

The data processor undertakes to process personal data only for the purpose(s), during the period, and under the conditions prescribed by these Clauses.

Audit, Including Inspection

1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Clauses, and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.

2. The procedures for the data controller's audits, including inspections, with the data processor and sub-processors are further specified in Annexes C.7 and C.8.

3. The data processor is obliged to provide supervisory authorities who, under applicable law, have access to the data controller's or data processor's facilities, or representatives acting on behalf of the supervisory authority, with access to the data processor's physical facilities upon proper identification.

The Parties' Agreement on Other Matters

1. The parties may agree on other provisions regarding the service concerning processing of personal data, such as liability for damages, as long as these other provisions do not directly or indirectly conflict with the Clauses or undermine the data subject's fundamental rights and freedoms under the General Data Protection Regulation.

Entry into Force and Termination

1. The Clauses enter into force on the date of signature by both parties.

2. Both parties may require the Clauses to be renegotiated if legislative changes or impracticalities in the Clauses give cause for this.

3. The Clauses are valid as long as the service concerning processing of personal data lasts. During this period, the Clauses cannot be terminated unless other provisions regulating the delivery of the service concerning processing of personal data are agreed between the parties.

4. If delivery of services concerning processing of personal data ceases and the personal data has been deleted or returned to the data controller in accordance with Clause 11.1 and Annex C.4, the Clauses may be terminated by written notice by either party.

Signature, on behalf of:

The Data Controller / The Data Processor

ALI KAZEMI

CEO

Metaceutic ApS

Annex A: Information About the Processing

A.1. The purpose of the data processor's processing of personal data on behalf of the data controller:

The data processor's sole purpose is to host the data in connection with the use of the service, the "Niomi app" and the Niomi website. The data processor does not handle the data directly. The data is stored on Amazon Web Services (AWS) servers located in Ireland; the data processor uses Amazon's hosting to run the service.

A.2. The data processor's processing of personal data on behalf of the data controller primarily concerns (nature of processing):

This solely involves indirect data handling: the data processor only makes the service available, and users themselves retain control over their data, as they can delete their activity directly on the platform or delete their entire profile/account. The data on the AWS servers is anonymized, encrypted, and protected by firewalls.

A.3. The processing includes the following types of personal data about data subjects:

Personal information.

For example: Name (or domain name), email address, phone number, address, payment card information, and membership number in the form of the created account.

A.4. The processing includes the following categories of data subjects:

  • Personal information
  • Payment information

A.5. The data processor's processing of personal data on behalf of the data controller may begin after these Clauses enter into force. The processing has the following duration:

From the start of the agreement until possible termination of the collaboration. After the end of collaboration, up to 3 months (90 days) may pass before all data is deleted.

Annex B: Sub-processors

B.1. Approved sub-processors:

Upon entry into force of the Clauses, the data controller has approved the use of the following sub-processors.

NAME | CVR | ADDRESS | DESCRIPTION OF PROCESSING

Upon entry into force of the Clauses, the data controller has approved the use of the above-mentioned sub-processors for the described processing activity. The data processor may not, without the data controller's written approval, use a sub-processor for a processing activity other than that described and agreed, or use another sub-processor for this processing activity.

B.2. Notice for approval of sub-processors:

When engaging other sub-processors, 30 days' notice must be given.

Annex C: Instructions Regarding Processing of Personal Data

C.1. Subject matter of processing/instructions:

The data processor's processing of personal data on behalf of the data controller occurs by the data processor performing the following:

  • Sets up a URL on the data controller's website or on the data processor's website
  • Grants access to the data controller, after which the data controller has full control over access to the individual's personal account

C.2. Processing security:

The security level must reflect the following:

For example: The processing involves a large amount of personal data covered by Article 9 of the General Data Protection Regulation on "special categories of personal data," which requires a high level of security.

The data processor is thereafter entitled and obligated to make decisions about which technical and organizational security measures should be implemented to establish the necessary (and agreed) security level.

However, the data processor must, in all circumstances and as a minimum, implement the following measures agreed with the data controller:

  • Anonymization and encryption of user data
  • Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including ensuring that only correct and lawful systems handle the data
  • In special circumstances, for example a physical or technical incident, the data controller may require the data processor to provide access to the personal data
  • Ongoing testing of IT security and data access security: the data processor ensures regular testing, assessment, and evaluation of the effectiveness of the technical and organizational measures for processing security
  • Personal data cannot be accessed via the internet by anyone other than the data processor
  • Transmission between the server and the front-end is immediate, encrypted, anonymous, and secure
  • NB! The data controller is responsible for ensuring that its users keep their login credentials confidential and out of reach of third parties. The data processor cannot be held accountable for users disclosing their login and password to third parties
  • At the data processor, only IT developers have access to the data. All developer logins are logged, and all developers are bound by an IP agreement and an NDA
  • IT developers may access data from home workplaces, subject to the same restrictions as described above

C.3. Assistance to the data controller:

The data processor must, as far as possible, within the scope and extent below, assist the data controller in accordance with Clauses 9.1 and 9.2 by implementing the following technical and organizational measures:

Assistance is provided for deletion of user data if the data controller itself is unable to get users to delete their data, for example if a user no longer wishes to be part of the platform or misuses the platform.

C.4. Retention period/deletion routine:

Personal data is stored for up to 3 months (90 days), after which it is deleted by the data processor. NB! It is the data controller's duty to ensure that users delete their profile, and thereby their data, themselves. If the data processor is instructed to delete users, the rules described in section C.3 "Assistance to the data controller" apply.

Upon termination of the service regarding processing of personal data, the data processor must either delete or return the personal data in accordance with Clause 11.1, unless the data controller, after signing these provisions, has changed the data controller's original choice. Such changes must be documented and stored in writing, including electronically, in connection with the provisions.

C.5. Locality for processing:

Processing of personal data covered by the Clauses cannot, without the data controller's prior written approval, take place at locations other than the following:

Metaceutic ApS

Vandtårnsvej 62A

2860 Søborg

Denmark

CVR: 40638350

This is subject to exceptions for IT developers' home working days and for any change of the data processor's physical address.

C.6. Instructions regarding transfer of personal data to third countries:

The data processor handles the data controller's data on Amazon AWS servers located in Ireland. Ireland is an EU Member State, so storage in that location does not in itself constitute a transfer to a third country within the meaning of Chapter V of the General Data Protection Regulation.

The data processor handles the data in this way because this is, in the data processor's assessment, the safest and most appropriate way to store the data, partly because users must be able to access the service from anywhere in the world without server delays.

If the data controller does not provide documented instructions in these Clauses or subsequently regarding transfer of personal data to a third country, the data processor is not authorized, within the framework of these Clauses, to make such transfers.

References to "Member State" in these Clauses should be understood as references to "EEA Member States."