DATA PROCESSING AGREEMENT
1620 Copenhagen K
1.1 Evolution360 A/S supplies a full-service solution comprised of web analytics tools that allow the Client to gain insight into the users (individuals and companies) that visit and use the Client’s websites and online social media.
1.2 The Client wishes to use Evolution360 A/S’ system. For this purpose, Evolution360 A/S shall receive non-sensitive personal data, including names, postal addresses, e-mail addresses and phone numbers.
1.3 This Agreement describes Evolution360 A/S’ and the Client’s obligations with a view to meeting the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 regarding Data Processing Agreements (known as GDPR).
1.4 The Parties have entered this Agreement in connection with the Parties’ entering into an agreement regarding the Client's use of the Evolution360 A/S product, Evolution360 (”the General Agreement”). This and the General Agreement are interdependent and cannot be terminated separately. However, if this Agreement is replaced by another valid data processing agreement, there is no reason to terminate the General Agreement.
2. OBJECTIVES AND THE PARTIES’ STATUS
2.1 By agreement with the Client, Evolution360 A/S shall process personal data for the Client with a view to meeting the objectives stated in section 1. Evolution360 A/S may therefore solely process personal data that is necessary in order to supply the services stipulated in the General Agreement.
2.2 The Client is the Data Controller responsible for the personal data submitted to Evolution360 A/S. The Client is responsible for ensuring that Evolution360 A/S is permitted to process any personal data that is submitted to Evolution360 A/S.
2.3 The Parties agree that Evolution360 A/S is the Data Processor responsible for processing the personal data on the Client’s behalf. As Data Processor, Evolution360 A/S has the obligations assigned to a Data Processor in pursuance of the GDPR.
3. Evolution360 A/S’ CONTRACTUAL OBLIGATIONS
3.1 Evolution360 A/S shall process the personal data only on documented instructions from the Client, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Danish law; in such a case, Evolution360 A/S shall inform the Client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
3.2 Evolution360 A/S shall ensure that any person who acts under the authority of Evolution360 A/S and has access to personal data shall not process those data except on instructions from Evolution360 A/S and that such a person has committed himself/herself to confidentiality.
4. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
4.1 Evolution360 A/S shall take technical and organisational measures to prevent accidental or unlawful destruction, publication, loss, impairment, or unauthorised disclosure, misuse or other use in contravention of legal requirements. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Evolution360 A/S shall, where relevant, implement the following measures (this list is not exhaustive): (i) the pseudonymisation and encryption of personal data, (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
4.2 Evolution360 A/S shall immediately inform the Client of a personal data breach of data processed on the Client's behalf.
5. DATA SUBPROCESSORS
5.1 Evolution360 A/S may not avail itself of the services of a Data Subprocessor except with the prior specific or general consent of the Client in writing. If general written consent is issued, Evolution360 A/S shall notify the Client of the planned engagement of additional or replacement of Subprocessors and thereby give the Client an opportunity to object to such changes.
5.2 If Evolution360 A/S transfers the processing of personal data for which the Client is responsible to a Data Subprocessor, Evolution360 A/S shall enter a Data Processing Agreement with the Data Subprocessor to ensure that the Data Subprocessor is subject to the same obligations as Evolution360 A/S is subject to in pursuance of this Agreement.
6. Evolution360 A/S’ SUPPORT
6.1 Taking into account the nature of processing, Evolution360 A/S shall as far as possible assist the Client by implementing appropriate technical and organisational measures to ensure that the Client complies with his obligations with regard to responding to requests to exercise the rights of natural persons.
6.2 Taking into account the nature of the processing and the data available to Evolution360 A/S, Evolution360 A/S shall assist the Client in adhering to the latter’s obligations established in the GDPR regarding security of processing (Article 32), notification of a personal data breach to Datatilsynet (The Danish Data Protection Authority) (Article 33), communication of a personal data breach to the data subject (Article 34), a data protection impact assessment (Article 35) and prior consultation with Datatilsynet (The Danish Data Protection Authority) (Article 36).
6.3 Evolution360 A/S shall provide the Client with all the information required to prove compliance with this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
6.4 Evolution360 A/S reserves the right to charge the Client per hour for any work done in connection with sections 6.1-6.3.
7. DATA ERASURE
7.1 Once cooperation with the Client is terminated, Evolution3600 A/S shall, at the Client’s discretion, either erase or return all personal data and any copies thereof to the Client unless EU Member State law stipulates that such personal data must be stored.