Data Processing Agreement (DPA)


Version 2.0 – March 2026. Replaces version 1.0 of 27 March 2022.

1. Background and Purpose

This Data Processing Agreement (“DPA”) governs the processing of personal data carried out by Webfronten ApS, CVR no. 43010336, Fængselsvej 2, 2, 2620 Albertslund, Denmark (“the Data Processor”) on behalf of the customer (“the Data Controller”) in connection with the service agreement(s) entered into between the parties (“the Main Agreement”).

This DPA is designed to ensure compliance with Article 28(3) of the General Data Protection Regulation (GDPR) and sets out the rights and obligations applicable when the Data Processor processes personal data on behalf of the Data Controller.

This DPA and the Main Agreement are mutually dependent and cannot be terminated separately. However, this DPA may – without terminating the Main Agreement – be replaced by another valid data processing agreement. In the event of any conflict between this DPA and other agreements between the parties, this DPA shall prevail.

This DPA does not exempt the Data Processor from obligations imposed directly on the Data Processor by GDPR or other applicable legislation.

2. Subject Matter of Processing

The Data Processor provides services related to the operation, maintenance and/or development of WordPress websites on behalf of the Data Controller. In doing so, the Data Processor may access personal data stored on or processed via the Data Controller’s website.

The processing may include:

  • Access to web server and database for the purpose of technical maintenance, troubleshooting and updates
  • Access to the content management system (WordPress), including user data and form submissions
  • Configuration and operation of third-party services that process visitor or contact data
  • Log data and technical metadata generated by the hosting environment

The duration of processing corresponds to the term of the Main Agreement. Data subjects are typically visitors to the Data Controller’s website, newsletter subscribers and/or employees of the Data Controller with access to the website’s administration panel.

3. Obligations and Rights of the Data Controller

The Data Controller bears overall responsibility for ensuring that the processing of personal data takes place within the framework of GDPR and the Danish Data Protection Act, including that a valid legal basis exists for the processing that the Data Processor is instructed to carry out.

4. The Data Processor Acts on Instructions

The Data Processor may only process personal data based on documented instructions from the Data Controller, unless required to do so by EU law or the national law of a Member State to which the Data Processor is subject. In such cases, the Data Processor shall inform the Data Controller of the legal requirement prior to processing, unless such notification is prohibited by law.

The Data Processor shall immediately notify the Data Controller if, in the Data Processor’s opinion, an instruction infringes GDPR or other applicable data protection legislation.

5. Confidentiality

The Data Processor shall ensure that only authorised persons have access to the personal data processed on behalf of the Data Controller, and that access is terminated immediately upon expiry or withdrawal of authorisation.

All persons with access to personal data are subject to a duty of confidentiality, either by agreement or by statutory obligation. The Data Processor shall be able to document this upon request.

6. Security of Processing

The Data Processor shall implement appropriate technical and organisational measures in accordance with Article 32 of GDPR, calibrated to the risk associated with the specific processing. Relevant measures may include:

  1. Pseudonymisation and encryption of personal data
  2. Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems
  3. The ability to restore the availability of and access to personal data in a timely manner following an incident
  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures

7. Use of Sub-Processors

The Data Processor may engage sub-processors without requiring specific prior consent from the Data Controller for each engagement. The current list of sub-processors is published at:

https://www.webfronten.dk/sub-processors/

The Data Processor will notify the Data Controller of any intended changes to the sub-processor list (additions or replacements) by updating the above page and sending notice to the Data Controller’s registered email address at least 14 days before the change takes effect. The Data Controller has the right to raise a reasoned objection to the change within this period.

The Data Processor shall ensure that sub-processors are subject to data protection obligations equivalent to those imposed on the Data Processor under this DPA. The parties acknowledge that processing may take place under a sub-processor’s standard terms, provided that the Data Controller is informed of this via the sub-processor list referenced above.

8. Transfers to Third Countries

The Data Processor may transfer or provide access to personal data to sub-processors located in countries outside the EU/EEA, provided that the transfer takes place on a lawful transfer basis in accordance with Chapter V of GDPR. Applicable transfer mechanisms may include:

  • The EU–U.S. Data Privacy Framework (DPF), as approved by the European Commission in July 2023
  • Standard Contractual Clauses (SCCs) issued by the European Commission (2021)
  • An adequacy decision issued by the European Commission

The applicable transfer basis for each sub-processor is indicated in the sub-processor list. Where the transfer mechanism requires the Data Controller to be a direct party to the transfer agreement, the Data Processor is authorised to enter into such agreement on behalf of the Data Controller.

9. Assistance to the Data Controller

The Data Processor shall, to the extent possible, assist the Data Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of GDPR, including rights of access, rectification, erasure, restriction, data portability and objection.

The Data Processor shall further assist the Data Controller with compliance with the obligations set out in Articles 32–36 of GDPR, including:

  1. Implementation of appropriate security measures
  2. Notification of personal data breaches to the supervisory authority within 72 hours
  3. Communication of high-risk breaches to affected data subjects
  4. Carrying out data protection impact assessments (DPIAs) and prior consultations with the supervisory authority

Remuneration for such assistance is set out in section 12.

10. Notification of Personal Data Breaches

The Data Processor shall notify the Data Controller without undue delay, and where possible within 24 hours of becoming aware of a personal data breach, so that the Data Controller has the opportunity to meet its 72-hour reporting obligation to the supervisory authority (the Danish Data Protection Agency – Datatilsynet).

The notification shall, to the extent possible, include information about the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to address the breach.

11. Deletion and Return of Data

Upon termination of the services, the Data Processor shall, at the Data Controller’s choice, delete or return all personal data processed under this DPA, and delete any existing copies, unless EU law or national law requires continued storage. Deletion or return shall take place within 30 days of termination, unless otherwise agreed.

12. Audit and Inspection

The Data Processor shall make available all information necessary to demonstrate compliance with Article 28 of GDPR and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give reasonable advance notice of such audits.

Oversight of sub-processors is exercised, as a starting point, through the Data Processor.

13. Remuneration

Assistance provided under this DPA at the request of the Data Controller shall be remunerated on a time-and-materials basis at the applicable hourly rate set out in the Main Agreement. The Data Processor shall provide an estimate upon request before commencing the work.

Neither party shall be entitled to remuneration for assistance or changes that are a direct result of that party’s own breach of this DPA.

14. Term and Termination

This DPA remains in force for as long as the Data Processor processes personal data on behalf of the Data Controller. Upon termination, section 11 on deletion and return of data applies.

15. Limitation of Liability

The limitations of liability set out in the Main Agreement apply equally to this DPA.

16. Contact and Acceptance

Enquiries regarding this DPA should be directed to:

Webfronten ApS
Fængselsvej 2, 2, 2620 Albertslund, Denmark
CVR no. 43010336
Email: [email protected]
Phone: +45 27 28 33 12

This DPA is considered accepted when the Data Controller enters into a service agreement with Webfronten ApS, or upon written acceptance of the link to this page. Acceptance can be documented by email confirmation.

Scroll to Top