Version 1.0 · Last updated: 27.05.2026
This Data Processing Agreement (“DPA”) governs the processing of personal data carried out by Webfronten ApS on behalf of the customer in connection with the services agreed between the parties. This DPA enters into force when the customer concludes a service agreement with Webfronten ApS.
This DPA is entered into pursuant to Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (“the General Data Protection Regulation” or “GDPR”) and sets out the terms on which the data processor processes personal data on behalf of the data controller.
The agreement is entered into between:
Data controller:
[Insert: Company, address, CVR/registration number]
Contact person:
[Contact person and contact details]
and
Data processor:
Webfronten ApS
Fængselsvej 2, 2, 2620 Albertslund
CVR no.: 43010336
Contact: [email protected] · +4527283312
The parties are referred to below respectively as “the data controller” and “the data processor”, each a “party” and together “the parties”.
1. Background and Purpose
1.1 The data processor provides services relating to the operation, maintenance and/or development of WordPress websites on behalf of the data controller ("the Main Agreement"). In doing so, the data processor may access personal data stored on or processed via the data controller's website.
1.2 The purpose of this DPA is to ensure the parties' compliance with applicable data protection legislation and to document the data controller's instructions to the data processor, including establishing the rights and obligations that apply when the data processor processes personal data on behalf of the data controller.
1.3 This DPA and the Main Agreement are mutually dependent and cannot be terminated separately. However, this DPA may — without terminating the Main Agreement — be replaced by another valid data processing agreement.
1.4 This DPA takes precedence over any conflicting provisions concerning the processing of personal data, whether contained in the Main Agreement or in any other agreement between the parties.
1.5 This DPA does not exempt the data processor from obligations imposed directly on the data processor under GDPR or other applicable legislation.
2. Definitions
2.1 The terms "personal data", "special categories of personal data" (sensitive data), "processing", "data subject", "controller", "processor", "sub-processor", "personal data breach" and "supervisory authority" have the same meaning as in the General Data Protection Regulation.
2.2 For the purposes of this DPA, "the supervisory authority" means the Danish Data Protection Agency (Datatilsynet).
3. Rights and Obligations of the Data Controller
3.1 The data controller is responsible for ensuring that the processing of personal data takes place within the framework of GDPR, the Danish Data Protection Act and other applicable law, including that a valid legal basis exists for the processing that the data processor is instructed to carry out.
3.2 The data controller determines the purposes for which and the means by which personal data may be processed. The data controller has sole control over what personal data is stored on and processed via the website in respect of which the data processor provides services.
3.3 The data controller is responsible for the accuracy, integrity, content and lawfulness of the personal data processed, and for having complied with its information obligations towards data subjects.
3.4 The data controller confirms that, at the time of entering into this DPA, the data processor has provided sufficient guarantees that appropriate technical and organisational measures will be implemented, as set out in section 6.
4. The Data Processor Acts on Instructions
4.1 The data processor may only process personal data on documented instructions from the data controller, including as regards transfers of personal data to third countries, unless required to do so by EU law or national law to which the data processor is subject. In such a case, the data processor shall inform the data controller of the legal requirement prior to processing, unless such notification is prohibited by law.
4.2 The data controller's instructions consist of this DPA with annexes, the Main Agreement and the data controller's ordinary use of the services provided. Transfers of personal data to sub-processors outside the EU/EEA on the basis set out in section 8 and the sub-processor list are considered part of the documented instructions.
4.3 The data processor shall immediately notify the data controller if, in the data processor's assessment, an instruction infringes GDPR or other applicable data protection legislation.
5. Confidentiality
5.1 The data processor shall ensure that only persons necessary for the performance of the obligations under this DPA have access to the personal data processed on behalf of the data controller, and that access is terminated immediately upon the expiry or withdrawal of authorisation.
5.2 Persons with access to the personal data are subject to a duty of confidentiality, either by agreement or by an appropriate statutory obligation. The confidentiality obligation survives the termination of this DPA. The data processor shall be able to document this upon request.
6. Security of Processing
6.1 The data processor shall implement appropriate technical and organisational measures in accordance with Article 32 of GDPR, calibrated to the risk associated with the specific processing and taking into account the state of the art and the costs of implementation.
6.2 Relevant measures may include:
- pseudonymisation and encryption of personal data, including encryption during transmission over the internet;
- the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of and access to personal data in a timely manner following a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures;
- restriction of access to personal data to those persons necessary for the performance of this DPA.
7. Use of Sub-Processors
7.1 This DPA constitutes the data controller's prior general written authorisation for the data processor to engage sub-processors. The sub-processors in use at any given time are listed in the separate sub-processor list published at:
https://www.webfronten.dk/sub-processors/
7.2 The data processor shall notify the data controller of any intended change to the sub-processor list (addition or replacement) by updating the above page and sending notice to the data controller's registered email address at least 14 days before the change takes effect.
7.3 The data controller may, within the notice period, raise a reasoned objection to a new or replacement sub-processor on the grounds that the sub-processor does not process personal data in accordance with applicable data protection legislation. Where an objection is raised, the data processor shall demonstrate compliance, including by giving the data controller access to relevant documentation relating to the sub-processor in question. If no agreement is reached thereafter, the data controller may terminate the affected services on shorter notice than would otherwise apply, so that the data controller's personal data is not processed by the sub-processor in question.
7.4 The data processor shall, by contract, impose on each sub-processor the same data protection obligations as those incumbent on the data processor under this DPA, including the requisite guarantees of appropriate technical and organisational measures.
7.5 Where a sub-processor fails to fulfil its data protection obligations, the data processor shall remain fully liable to the data controller for the performance of that sub-processor's obligations.
8. Transfers to Third Countries
8.1 The data processor may transfer personal data to, or provide access to personal data for, sub-processors located in countries outside the EU/EEA, provided that the transfer takes place on a lawful transfer basis in accordance with Chapter V of GDPR. Transfer mechanisms used may include:
- the EU–U.S. Data Privacy Framework (DPF), approved by the European Commission in July 2023;
- Standard Contractual Clauses (SCCs) issued by the European Commission (2021);
- an adequacy decision adopted by the European Commission.
8.2 The applicable transfer basis for each sub-processor is indicated in the sub-processor list referred to in section 7.1. Where a transfer mechanism requires the data controller to be a direct party to the transfer agreement, the data controller hereby authorises the data processor to enter into such agreement on the data controller's behalf and to ensure that a sufficient transfer basis is in place.
9. Assistance to the Data Controller
9.1 The data processor shall, to the extent possible and taking into account the nature of the processing and the information available to the data processor, assist the data controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of GDPR, including rights of access, rectification, erasure, restriction, data portability and objection.
9.2 The data processor shall not itself respond to requests from data subjects unless authorised to do so by the data controller, and shall, to the extent possible and permitted by law, notify the data controller if a request for access is received directly from a data subject or from a public authority.
9.3 The data processor shall further assist the data controller with compliance with the obligations set out in Articles 32–36 of GDPR, including:
- implementation of appropriate security measures;
- notification of personal data breaches to the supervisory authority;
- communication of high-risk breaches to affected data subjects;
- carrying out data protection impact assessments (DPIAs) and prior consultations with the supervisory authority.
9.4 Remuneration for assistance provided under this section is governed by section 13.
10. Notification of Personal Data Breaches
10.1 The data processor shall notify the data controller without undue delay and, where possible, within 24 hours of becoming aware of a personal data breach involving personal data processed by the data processor on behalf of the data controller, so that the data controller can comply with its 72-hour reporting obligation to the supervisory authority.
10.2 The notification shall, to the extent possible, include information about the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to address the breach.
11. Deletion and Return of Personal Data
11.1 Upon termination of the services, the data processor shall, at the data controller's choice, delete or return all personal data processed under this DPA, and delete existing copies, unless EU law or national law requires continued storage.
11.2 Deletion or return shall take place within 30 days of termination, unless otherwise agreed. Where personal data is retained after termination as required by law, this shall take place in accordance with the technical and organisational measures set out in section 6.
12. Audit and Inspection
12.1 The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of GDPR and shall allow for and contribute to audits, including inspections, conducted by the data controller or an auditor mandated by the data controller. The data controller shall give the data processor reasonable advance notice of any audit.
12.2 Where the proposed scope of an audit is covered by an ISAE 3000, ISO or equivalent assurance report prepared by a qualified independent third party within the preceding twelve months, and the data processor confirms that there have been no material changes to the measures covered by that report, the data controller shall accept the report in lieu of requesting a new audit of the matters already covered.
12.3 Oversight of sub-processors is exercised, as a starting point, through the data processor. Assistance in connection with audits that goes beyond what is required under applicable data protection legislation shall be remunerated in accordance with section 13.
13. Remuneration
13.1 Assistance provided under this DPA at the data controller's request shall be remunerated on a time-and-materials basis at the hourly rate set out in the Main Agreement as in force from time to time. The data processor shall provide an estimate upon request before commencing any such work.
13.2 Neither party shall be entitled to remuneration for assistance or changes that are a direct result of that party's own breach of this DPA.
14. Liability
14.1 Liability for acts in breach of this DPA is governed by the liability and indemnification provisions of the Main Agreement. However, any financial caps on liability set out in the Main Agreement do not limit the data processor's liability under section 7.5 for a sub-processor's failure to fulfil its data protection obligations, nor any liability that cannot be limited under mandatory law.
15. Entry into Force, Duration and Termination
15.1 This DPA remains in force for as long as the data processor processes personal data on behalf of the data controller. Upon termination, section 11 on deletion and return of personal data applies.
15.2 The current version of this DPA is available on the data processor's website at all times. Material changes will be notified 30 days before taking effect by email to the data controller's registered email address.
16. Governing Law and Jurisdiction
16.1 This DPA is governed by Danish law. Any dispute arising out of this DPA shall be brought before the District Court of Glostrup as the court of first instance, unless mandatory rules on jurisdiction provide otherwise.
Contact and Acceptance
Enquiries regarding this DPA should be directed to:
Webfronten ApS
Fængselsvej 2, 2, 2620 Albertslund
CVR no.: 43010336
Email: [email protected]
Phone: +4527283312
This DPA is considered to have been entered into in writing in electronic form in accordance with Article 28(9) of GDPR, and is accepted when the data controller concludes a service agreement with Webfronten ApS or provides written acceptance of the link to this page. Acceptance may be documented by email confirmation.
Annex A – Description of Processing
A.1 Subject-matter of processing
Operation, maintenance and/or development of the data controller's WordPress website, including [hosting / maintenance agreement / prepaid support hours / development work].
A.2 Duration of processing
Corresponds to the term of the Main Agreement and ceases in accordance with section 11.
A.3 Nature and purpose of processing
Technical operation, troubleshooting, updating and further development of the website, including access to the web server, database and content management system (WordPress), as well as the configuration and operation of third-party services that process visitor or contact data.
A.4 Categories of personal data
The data controller has sole control over which personal data is processed via the website. Processing will typically include:
- Name
- Email address
- Telephone number
- Postal address
- Content of contact form submissions
- IP addresses and technical metadata (log data)
- User credentials for administrators of the website
Special categories of personal data are only processed to the extent that the data controller uploads such data to the website. This is outside the data processor's control.
A.5 Categories of data subjects
- Visitors to the data controller's website
- Newsletter subscribers
- The data controller's employees with access to the website's administration panel
Annex B – Sub-Processors
The data processor engages sub-processors as described in section 7. The complete and current list of sub-processors, including purpose, data types, country and transfer basis, is maintained as a separate document and published at:
https://www.webfronten.dk/sub-processors/
The list is not reproduced in this annex. Changes to the list are notified in accordance with the procedure set out in sections 7.2–7.3, including with at least 14 days' notice and the data controller's right to raise a reasoned objection.