Agreed conditions for data processing
The Customer who adheres to these terms, and Npvision Group A/S, CVR no. 32840647 (Npvision Group), have entered into an agreement concerning Npvision Group’s supply of services, where Npvision Group is specifically entrusted to provide concrete processing of personal data.
Pursuant to the definitions in the EU General Data Protection Regulation (GDPR), Npvision Group will be the data processor for the Customer upon delivery of the agreed services.
The parties acknowledge that the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act apply to Npvision Group’s processing of personal data on behalf of the Customer.
The Data Processing Conditions are formulated with a view to the parties’ compliance with Article 28, Paragraph 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), when Npvision Group is the data processor for the Customer.
The Data Processing Conditions take effect from the moment the Customer accepts them and, from that point in time, the Data Processing Conditions replace any previous data processing agreement entered into between the parties.
The Data Processing Conditions supplement the parties’ agreement and have precedence over any conflicting terms.
Data processing agreement
The Data Processing Conditions constitute the parties’ Data Processing Agreement for the processing of personal data conceded by the Customer and undertaken by Npvision Group as part of delivery of the contracted services.
The Data Processing Conditions establish the rights and obligations that apply when Npvision Group carries out the processing of personal data on behalf of the Customer. The Data Processing Conditions also specify the overall security measures undertaken by Npvision Group.
For the processing activities that are entrusted to Npvision Group to perform for the Customer, Npvision Group is the data processor in accordance with the applicable data protection regulations, while the Customer is either the data controller or the data processor in accordance with the applicable data protection rules. The parties shall each comply with the obligations established under the applicable data protection regulation, and the Data Processing Conditions neither relieve Npvision Group nor the Customer of such obligations.
The Data Processing Conditions shall apply until Npvision Group has deleted the Customer’s data in accordance with the rules contained in these Data Processing Conditions. The Data Processing Conditions and the parties’ agreement are interdependent, and the agreements cannot be terminated separately.
Npvision Group’s special guarantees
Npvision Group guarantees the Customer that Npvision Group is reliable and possesses sufficient expertise and resources to implement the necessary measures to comply with the General Data Protection Regulation with regard to the processing activities Npvision Group must carry out for the Customer as per the Agreement.
The Customer’s special responsibility
The Customer is responsible for complying with the currently applicable General Data Protection Regulation in relation to the personal data entrusted to Npvision Group for processing. In particular, in relation to Npvision Group, the Customer is responsible for and guarantees that:
– The Customer has the necessary authority to process and entrust Npvision Group to process the personal data included in the services Npvision Group supplies to the Customer. In cases where the Customer is the data processor of the personal data entrusted to Npvision Group for processing, the Customer guarantees Npvision Group that the Customer’s instructions, such as they are expressed through these Data Processing Conditions and the parties’ agreement, and the use of Npvision Group and its sub-processors as secondary data processor, are authorised by the controller.
– The instructions given, under which Npvision Group will process personal data on behalf of the Customer, are legal.
The nature and purpose of the processing
The agreed nature of the processing is established by the parties for Npvision Group carrying out IT services for the Customer, including the deletion of personal data related to supply of the agreed services.
Npvision Group will thus process the entrusted personal data with the agreed purpose of supplying the agreed services.
Type of data
The entrusted data includes the types of personal data that the Customer entrusts to Npvision Group in connection with supplying the agreed services.
Processing involves common non-sensitive personal data, including names, e-mail addresses and telephone numbers, unless the controller has given explicit information in this respect.
Categories of registered persons
The categories of registered persons entrusted to Npvision Group for processing of personal data comprise the categories which the Customer entrusts to Npvision Group in connection with the provision of the contracted services.
The categories of registered persons may include the Customer’s employees and cooperation partners.
Scope of processing activities
Npvision Group may only perform processing of the Customer’s personal data in accordance with the Customer’s instructions, which are documented through a written agreement, and which Npvision Group has accepted.
Upon the Customer’s acceptance of the Data Processing Conditions, the Customer instructs Npvision Group to undertake processing of the Customer’s personal data in connection with provision of the contracted services.
The Customer may, in addition, request that Npvision Group receives further written instructions for the processing of personal data for the Customer, and Npvision Group is entitled to accept or refuse these further instructions. However, Npvision Group must always accept an instruction to cease further processing, which means that Npvision Group will delete the Customer’s data, as stated under the section Handover and Deletion of Customer Data below.
Npvision Group will comply with the Customer’s instructions, which Npvision Group has approved unless such processing would be contrary to the applicable General Data Protection Regulation that Npvision Group is subject to. In such cases, Npvision Group must inform the Customer of this.
However, regardless of the Customer’s instructions, also with respect to deletion, Npvision Group is obliged to process the Customer’s data, if this is required pursuant to a legal obligation that Npvision Group is subject to. In such a case, the Customer will be informed of this before the processing takes place, unless such notification would be unlawful.
The customer thus determines the purpose and scope of the processing activities entrusted to Npvision Group.
Duration of processing activities
Npvision Group will process the Customer’s personal data, as long as Npvision Group is obliged to do so in accordance with the agreement. The Customer may also, in accordance with the section Handover and Deletion of Customer Data, instruct Npvision Group to delete the data at an earlier date.
Npvision Group implements all measures required pursuant to Article 32 of the General Data Protection Regulation. Npvision Group also implements appropriate technical and organisational security measures to protect the entrusted personal data against accidental or unlawful destruction, loss, change, unauthorised disclosure of or access to personal data.
Npvision Group may continuously change the implemented security measures; however, through its changes in security measures, Npvision Group should strive to prevent the changes from leading to a general impairment of the security level.
However, Npvision Group implements security measures based upon an average view of what is suitable, and the parties therefore agree that between the parties, the Customer is responsible for assessing whether the measures taken are sufficient to ensure a level of security appropriate for the risk associated with the processing activities entrusted to Npvision Group. In the relationship between the parties, the Customer is responsible for the Customer’s own decisions about security, also including the Customer’s choice of equipment used and services, etc.
Reporting of security breaches
If Npvision Group becomes aware that a breach of personal data security has occurred with respect to Npvision Group’s services to the Customer, then Npvision Group must notify the Customer of the personal data security breach without undue delay after Npvision Group has become aware that such a breach has taken place.
Npvision Group shall, without undue delay, after becoming aware that there has been a breach in personal data security, take reasonable and proportionate steps to limit the damage of the breach.
Further to notification of the Customer, Npvision Group must provide a description of the circumstances of the breach, the nature of the breach, what steps Npvision Group has taken or what plans they intend to implement in order to limit the damage caused by the breach, and what conditions Npvision Group believes the Customer should be particularly aware of in association with the breach so that the Customer can fulfil its obligations in the event of a security breach and within the time frame stipulated in the General Data Protection Regulation.
Notification may be sent via e-mail to the contact person specified by the Customer.
Npvision Group’s notification of the personal data security breach does not constitute an admission of guilt or liability with respect to any breach of personal data security that has occurred.
Upon request, Npvision Group will assist the Customer with ensuring compliance with the Customer’s obligations under Articles 33 and 34 of the General Data Protection Regulation, while taking into account the nature of the entrusted data and the information available to Npvision Group with respect to a personal data security breach which has occurred at Npvision Group.
Use of sub-processors
By accepting these Data Processing Conditions, the Customer gives its general approval to Npvision Group utilising other data processors (sub-processors).
Through acceptance of a sub-processor, Npvision Group ensures that a written agreement is entered into with the sub-processor, through which it is ensured that:
a. the necessary guarantees are made that the sub-processor will implement the appropriate technical and organisational measures in a way that satisfies the requirements of the General Data Protection Regulation,
b. the sub-processor is subject to the same data protection obligations as those, which are established in these Data Protection Conditions, which is to say the requirements in the General Data Protection Regulation, Article 28 (3) must be complied with, and that
c. the sub-processor only processes the Customer’s personal data to the extent it is required to fulfil the delivery obligations the sub-processor has undertaken toward Npvision Group, and that processing is carried out in accordance with the agreed instructions.
If a sub-processor does not fulfil its data protection obligations, then Npvision Group remains fully liable toward the Customer for fulfilment of the sub-processor’s data protection obligations.
Npvision Group must ensure it has a continuous overview of sub-processors used. If the Customer has a documented need for this, then the Customer may request information from Npvision Group concerning the name of a specific sub-processor. If the Customer objects to a specific sub-processor, then the Customer may terminate its agreement with Npvision Group with either immediate effect or with effect from the end of the current calendar month at the point of cancellation. It is a prerequisite that notice of cancellation under this section is submitted to Npvision Group within 30 days of Npvision Group having informed the Customer of the data sub-processor used. Termination of the Agreement is the Customer’s sole remedy against Npvision Group in this situation.
Transfer of data
Npvision Group stores Customer data within the EU and personal data is not transferred to third countries.
However, Npvision Group may, as an exception, transfer the Customer’s data, including personal data, to a third country or an international organisation when it is required pursuant to EU law or national law to which Npvision Group is subject; in which case the Customer will be informed of this legal requirement prior to processing, unless the relevant law prohibits such notice for reasons of substantial public interest.
Assistance to the customer
Npvision Group is obliged to, following written request from the Customer, provide the customer with the following assistance:
Npvision Group will provide assistance to the Customer while taking into account the nature of the entrusted data, insofar as possible, by utilising appropriate technical and organisational measures to fulfil the Customer’s obligation to respond to requests for exercising the registered parties’ rights as defined in Chapter 3 of the General Data Protection Regulation. If Npvision Group receives a request directly from a registered or potentially registered party concerning exercising this party’s rights, then Npvision Group will immediately forward the inquiry to the Customer, who will then decide whether Npvision Group’s assistance shall be requested.
Npvision Group will also assist the customer by ensuring it complies with the Customer’s obligations under Articles 32 to 36 of the General Data Protection Regulation, while taking into account the nature of the data entrusted to Npvision Group and the information available to Npvision Group.
Npvision Group is entitled to separate remuneration for the assistance provided to fulfil the Customer’s requests under this section Assistance to the Customer. Compensation is calculated on the basis of the time Npvision Group has spent, as well as Npvision Group’s regular hourly rate for such work.
With regard to assistance required to meet the Customer’s obligations under the General Data Protection Regulation Articles 33-34, Npvision Group is not entitled to remuneration for fulfilment of the obligations Npvision Group has in accordance with the section Reporting of security breaches.
Handover and deletion of customer data
Unless the Customer has required otherwise, then Npvision Group will delete all personal data about the Customer, and Npvision Group will delete existing copies, unless Npvision Group is subject to a legal obligation which requires Npvision Group to store the personal data.
Npvision Group’s implementation of the Customer’s instructions to delete or handover the Customer’s information takes place in accordance with the General Data Protection Regulation and as fast as is practically possible.
If the Customer has demanded anything other than deletion, the Customer permits Npvision Group to include the Customer’s data in a backup procedure from which the data will be deleted when the backup, in accordance with Npvision Group’s backup procedure, is destroyed.
Liability and limitation of liability
For damages and other compensation that are to be paid to registered parties as a result of violation of the General Data Protection Regulation, Article 82 of the General Data Protection Regulation, and supplementary rules concerning the General Data Protection Regulation in use, the parties are separately liable to pay the portion of such amounts that corresponds to their part of the liability for the damage, taking these Data Processing Conditions into consideration. If necessary, the division of liability will be decided by the courts.
For fines and other penalties imposed as a result of unlawful processing of personal data for the Customer by Npvision Group, the final internal distribution of such fines will be decided according to the same principles, regardless of who a fine is initially imposed on. The parties’ mutual sureties will also be taken into account.
Updating of Npvision Group records
Npvision Group is required to keep records of the categories of processing activities performed for the Customer in accordance with the General Data Protection Regulation, Article 30. The customer is obliged to inform Npvision Group of the name and contact details of any Customer representative and data protection consultant and update such information so that records can be properly kept by Npvision Group. The information the Customer must submit to Npvision Group with respect to the contact details are stated below under the Npvision Group’s contact information.
Duty of confidentiality
Npvision Group must ensure that the persons Npvision Group has authorised to process the Customer data have committed themselves to confidentiality or are subject to a suitable legal duty of confidentiality. Npvision Group and anyone who performs work for Npvision Group, and who has access to Customer data, may only process this information as per the Customer’s instructions, which are accepted by Npvision Group, unless other processing is required by legislation or court order to which Npvision Group is subject.
Npvision Group may only authorise persons for whom it is necessary to have access to personal information in order to be able to fulfil Npvision Group’s obligations toward the Customer. Npvision Group must continually assess authorisations and revoke access when authorisations expire or are terminated.
Inspection and auditing
Npvision Group makes all information that is necessary to demonstrate compliance with the requirements of the General Data Protection Regulation, Article 28, available to the Customer, as well as the requirements for Npvision Group, which are stipulated in the Data Processing Conditions. Npvision Group permits and contributes to audits, including inspections carried out by the Customer or another auditor authorised by the Customer.
The Customer may request a physical inspection of Npvision Group to be conducted. Requests must be submitted in writing to Npvision Group stating what the customer wants to be covered by the inspection. The parties must then agree to the more detailed circumstances and scope of the inspection, including the time when it is to be carried out and the form of reporting.
An inspection may solely be carried out by a person who is subject to Npvision Group’s general security measures, and who has signed a confidentiality clause directly toward Npvision Group.
Npvision Group may object to one of the persons designated by the Customer carrying out the inspection if the designated person, as per Npvision Group’s reasonable assessment, is not suited or qualified to carry out the inspection, including if the person (1) is not independent, (2) is a direct competitor to Npvision Group, or (3) is for some other reason otherwise obviously unfit to carry out the task.
If Npvision Group objects to the designated person, then the Customer must designate another person to carry out the inspection.
Monitoring of the sub-processors used by Npvision Group will take place through Npvision Group. However, the customer may also choose to initiate and participate in a physical inspection at the sub-processor’s premises. Here, monitoring must be carried out in compliance with the sub-processor’s set conditions for inspection.
Any costs incurred by Npvision Group and sub-processors in association with holding a physical inspection or an inspection by either Npvision Group or the sub-processor shall be borne by the Customer. Npvision Group and any sub-processors are further eligible for consideration for the time spent on the inspection, with the compensation being determined based on the current price list.
Changes to data processing conditions
Npvision Group can change these Data Processing Conditions with 90 days’ notice. Changes that need to be made which cannot wait for the expiration of such a notice period, can be made immediately. Information on the planned changes will be forwarded to the Customer. If the Customer does not wish to accept the announced changes, then the Customer may terminate its agreement. The customer has no additional powers as a consequence of the changes to the Data Processing Conditions.
Npvision Group’s contact details
The Customer’s inquiries to Npvision Group concerning data protection, also including requests for monitoring and inspection, must be sent to:
Niels Peter Holm (CEO), Npvision Group
The parties’ duty of retention
Npvision Group and the Customer are each obligated to electronically store their version of these Data Processing Conditions and the Agreement, as well as any other agreements and/or information that is of significance to, or that supplements these Data Processing Conditions.