*This page is in English, to create a set of GDPR rules for all countries.
DATA PROCESSING AGREEMENT
Data Processing Agreement (“The Agreement”) between:
Your company (“The customer”); and Digital-servicebook.com ApS, Vordingborgvej 79, DK-4700 Næstved, DK-36726350 (“The supplier”)
A.1 The Data Processing Agreement has been entered into between the parties, effective from May 2018, concerning the supplier’s delivery of services and benefits to the customer. The agreement is an addition to the “General terms and conditions” from Digital-servicebook.com, and “the conditions in the general Terms and Conditions from Digital-servicebook.com” are valid to the extent that the question isn’t covered by this agreement.
A.2 The supplier is a data processor for the customer, based on the data processing tasks described in Appendix 1.
A.3 Personal information, which is processed by the supplier, is covered by the purposes for processing, the categories of personal data and the categories of registered individuals that are described in Appendix 1.
A.4 “Personal information” is understood as every kind of information about an identified or an identifiable, physical person, cf. Article 4 (1) in the Regulation (EU) 2016/679 from April 27, 2016 (“Personal Data Act”).
B: PROCESSING OF PERSONAL INFORMATION
B.1 The supplier solely processes personal information for the purpose of performing the data processing tasks described in Appendix 1. The supplier cannot use or process the personal information for other purposes than described unless the supplier is required to by EU Law. If so, the supplier must notify the customer in writing about his legal obligation before the processing is initiated, unless the relevant legislation based on important community interests prohibits such a notification.
B.2 If the customer, in the instructions in Appendix 1 or by specific permission, has allowed the transfer of their personal information to a third party country or to international organizations, it is the supplier’s responsibility to ensure that there is a legal basis for transfer, e.g. the EU Commission’s standard contract for transfer of personal information to third party countries.
B.3 If the supplier estimates that an instruction from the customer is contrary to the Personal Data Act or the Data Protection rules in other EU law or the legislation in a Member State, the supplier must immediately inform the customer about this in writing.
C: REQUIREMENTS FOR THE SUPPLIER
C.1 The supplier must ensure that the persons, who process personal information, have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.
C.2 The supplier must take the necessary organizational and technical security measures against the personal information being processed contrary to the law including the Personal Data Act.
C.3 The supplier must comply with the specific demands for security measures which are valid for the customer, according to Appendix 1 and comply with the demands for security measures, which directly oblige the supplier, including the demands for security measures in the country, where the supplier is established or in the country, where the data processing takes place.
C.4 Determination of technical and organizational security measures must take place, considering the actual technical level, the nature of the processing and the purpose including the risks of varying probabilities and seriousness for physical persons’ rights and freedoms.
C.5 The supplier must on customer demand give the necessary information, allowing the customer to ensure that the supplier complies with his obligations according to the Agreement including being able to ensure that the necessary technical and organizational security measures are taken.
C.6 The customer has the right, at their own expense, to appoint an independent expert to investigate whether the supplier complies with his obligations according to the Agreement and to ensure that all necessary technical and organizational security measures have been established. The expert must at the supplier’s request sign a normal confidentiality statement. The customer’s right to carry out an investigation at the supplier is limited to no more than one investigation per calendar year.
C.7 The supplier must deliver all requested information to the authorities, the customer’s external advisors including accountants in relation to the performance of the data processing task, to the extent that the information is necessary for them to carry out their task pursuant to EU-law or other legislation.
C.8 The supplier must assist the customer in the handling of any request from “a registered” according to Chapter III in the Personal Data Act, including requests for insight, correction, blocking or deletion. The supplier must furthermore implement appropriate technical and organizational measures to assist the customer with the fulfilment of the customer’s obligations to answer such requests.
D.1 The supplier can make use of subcontractors. The supplier must, before he uses a subcontractor, enter into a written agreement with the subcontractor, where the subcontractor as a minimum is subject to the same obligations as the supplier has been subject to according to the Agreement and including the duty to carry out appropriate technical and organizational measures to ensure that the processing fulfils the requirements in the Personal Data Act.
D.2 The customer has the right to obtain a copy of the supplier’s agreement with the subcontractor as regards the provisions in the mentioned agreement that relate to the data protection obligations. The fact that the customer has notified consent to the supplier’s conclusion of an agreement with a subcontractor is without prejudice to the supplier’s duty to fulfil the Agreement.
E.1 The supplier must keep the personal information confidential.
E.2 The supplier cannot communicate personal information to anyone or take a copy of personal information unless this is absolutely necessary to carry out the supplier’s obligations towards the customer according to the Agreement, and provided that the individual who obtains the personal information is aware that the information is confidential and has agreed to keep the personal information confidential according to the Agreement.
E.3 The supplier can limit the access to personal information to the associates for whom it is necessary to have access to the personal information in order to be able to fulfil the supplier’s obligations towards the customer.
E.4 The supplier’s obligations according to point E persist without a time limit, regardless of whether the Parties’ cooperation has ended.
E.5 The customer must handle the confidential information that he receives from the supplier confidentially and cannot exploit or disclose the information.
F: TRANSFER AND CHANGES
F.1 The parties can at any time agree to change/hand over the Agreement. The changes must take place in writing.
G: DURATION AND TERMINATION OF THE AGREEMENT
G.1 The agreement enters into force by signature and is valid until the Data Processing Agreement is terminated or cancelled by one of the Parties.
G.2 Regardless of the Agreement’s formal contract period, the Agreement continues to apply as long as the supplier processes the personal information that the customer is a data controller of.
G.3 In case of a termination of the Agreement, the supplier must loyally and quickly contribute to a transfer of the data processing to another supplier or to return the personal information to the customer.
G.4 The supplier must immediately after a request from the customer transfer or delete personal information that the supplier processes for the customer, unless EU-law or the legislation prescribes storage of the personal information.
This Appendix is an instruction to the supplier in connection with the supplier’s data processing for the customer.
The processing of personal information at Digital-Servicebook.com is described in the following.
Please note that the supplier only processes the categories of personal information where “Processing” is marked with a “Yes”.
|Purpose and the nature of data processing|Categories of registered|
|The purpose of processing personal information is that a workshop’s service records for a registered car can be made available on the Internet for the workshop, which the registered has chosen. The service records are updated by the chosen workshop.|Mainly car owners, who have signed up at Digital-Servicebook.com. Other persons who sign up at Digital-Servicebook.com|
|Category of personal information|
|Special categories of personal information (cf. Article 9)||Racial or ethnic origin, Political opinions, religious or philosophical beliefs, Trade union relationships, Genetic information, Biometric information for the purpose of uniquely identifying an individual, Information concerning health, sex life or sexual orientation|
|Information on criminal matters (cf. Article 10)||Includes personal information concerning criminal convictions and offences or associated security measures|
|Confidential information||The registered person’s personal identification number|
|Confidential information||The registered person’s password for Digital-Servicebook.com|
|General personal information||The registered person’s E-mail|
The registered person’s Mobile number
The registered car – Plate Number & VIN
Service records related to the registered car:
Registrations in the service records: Only the pre-defined options at Digital-Servicebook.com can be used: Oil change, tire change and similar. There are no other possibilities for registration in the system, such as free text.
Assistance to the data controller (the customer) cf. Chapter III in the Personal Data Act concerning:
- The obligation to inform about collection of personal information from the registered persons
- The obligation to inform, if personal information has not been collected from the registered person.
- The registered person’s right to access
- The right to correction.
- The right to deletion (“the right to be forgotten”).
- The right to limitation of processing.
- Notification obligation in connection with correction or deletion of personal information or limitation of processing.
- The right to data portability.
- The right to object.
- The right to object to the result of automated, individual decision-making including profiling (Please notice: Digital-Servicebook.com does not use automated decision-making and profiling)
Obligations towards the data controller (the customer) regarding security measures, cf. Article 32-36 in the Personal Data Act concerning:
- Implementation of appropriate technical and organizational measures in order to ensure the level of security which is in line with the risks of processing.
- Notification of any breach of the personal data security to the controlling authority (Datatilsynet) without any unnecessary delay and if possible no later than 72 hours after the data controller has become familiar with the breach, unless it is unlikely that the breach of the personal data security involves a risk to a physical person’s rights or freedom.
- Informing the registered person(s), without any unnecessary delay, about the breach of the personal data security, when such a breach is likely to involve a high risk to physical persons’ rights and freedom.
- Implementation of an impact assessment concerning data protection if a type of processing most likely will include a high risk of affecting physical persons’ rights and freedom.
- Consultation with the controlling authority (Datatilsynet) before processing, if an impact assessment concerning data protection shows that the processing will lead to a high risk in the absence of precautions taken by the data controller in order to limit the risk.