Data Processing Agreement

Below you will find Plandisc's Data Processing Agreement, setting out your rights and our obligations in relation to the processing of personal data.

Data processing agreement

Pursuant to Article 28(3) of Regulation (EU) 2016/679 (the General Data Protection Regulation) concerning the Data Processor's processing of personal data between the Data Controller and Visma Plandisc A/S, CVR: 37204854, Axel Kiers Vej 5A, 8270 Højbjerg, Denmark (the "Data Processor").

1. PREAMBLE

1.1. These Clauses set out the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

1.2. These Clauses have been drafted to ensure the Parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation).

1.3. In connection with the provision of licences for the Data Processor's solution(s) and service(s), the Data Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.

1.4. These Clauses shall prevail over any corresponding provisions contained in other agreements entered into between the Parties.

1.5. Five (5) appendices are attached to and form an integral part of these Clauses. These Clauses and the associated appendices shall be retained in writing, including in electronic form, by both Parties.

1.6. These Clauses do not relieve the Data Processor of any obligations imposed on the Data Processor under the General Data Protection Regulation or any other applicable legislation.

2. THE DATA CONTROLLER'S RIGHTS AND OBLIGATIONS

2.1. The Data Controller shall be responsible for ensuring that the processing of personal data is carried out in compliance with the General Data Protection Regulation (see Article 24), data protection provisions laid down in other EU law or in the national law of the Member States, and these Clauses.

2.2. The Data Controller has the right and the obligation to decide for which purpose(s) and by which means the processing of personal data may be carried out.

2.3. The Data Controller shall be responsible, inter alia, for ensuring that there is a lawful basis for the processing of personal data which the Data Processor is instructed to carry out.

3. PROCESSING ON DOCUMENTED INSTRUCTIONS

3.1. The Data Processor shall process personal data only on documented instructions from the Data Controller, unless required to do so by Union law or Member State law to which the Data Processor is subject. Such instructions shall be specified in Appendices A and C. Subsequent instructions may also be given by the Data Controller while the processing of personal data is ongoing; however, such instructions shall always be documented and retained in writing, including in electronic form, together with these Clauses.

3.2. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes this Regulation or data protection provisions laid down in other Union law or in the national law of the Member States.

4. CONFIDENTIALITY

4.1. The Data Processor shall grant access to personal data processed on behalf of the Data Controller only to persons who are subject to the Data Processor's authority and who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons granted access shall be reviewed on an ongoing basis. Based on such review, access to personal data shall be revoked where such access is no longer necessary.

4.2. Upon request from the Data Controller, the Data Processor shall be able to demonstrate that the persons subject to the Data Processor's authority are subject to the above-mentioned duty of confidentiality.

5. SECURITY OF PROCESSING

5.1. Article 32 of the General Data Protection Regulation provides that the Data Controller and the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Data Controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to mitigate such risks. Depending on their relevance, such measures may include:

  1. Pseudonymisation and encryption of personal data
  2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  3. The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
  4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational security measures

5.2. Pursuant to Article 32, the Data Processor shall also independently assess the risks posed by the processing and implement measures to mitigate such risks. The Data Controller shall provide the Data Processor with the necessary information enabling the Data Processor to identify and assess such risks.

5.3. The Data Processor shall assist the Data Controller in complying with its obligations under Article 32, inter alia by making available the necessary information regarding the technical and organisational security measures already implemented by the Data Processor.

6. USE OF SUB-PROCESSORS

6.1. The Data Processor shall comply with the conditions set out in Article 28(2) and (4) of the General Data Protection Regulation when engaging another processor (a sub-processor).

6.2. The Data Processor shall not engage a sub-processor for the performance of these Clauses without the prior general written authorisation of the Data Controller.

6.3. The Data Processor has the Data Controller's general authorisation to engage sub-processors. The Data Processor shall inform the Data Controller in writing of any intended changes concerning the addition or replacement of sub-processors at least ten (10) days in advance, thereby giving the Data Controller the opportunity to object to such changes prior to the engagement of the relevant sub-processor(s). The list of sub-processors already approved by the Data Controller is set out in Appendix B.

6.4. Where the Data Processor engages a sub-processor, the Data Processor shall impose the same data protection obligations on that sub-processor as those set out in these Clauses. Where a sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of the sub-processor's obligations.

6.5. Upon the Data Controller's request, copies of sub-processing agreements and any subsequent amendments thereto shall be provided to the Data Controller. Provisions relating to commercial terms that do not affect the data protection content shall not be disclosed.

7. TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

7.1. Any transfer of personal data to third countries or international organisations shall only be carried out by the Data Processor on the basis of documented instructions from the Data Controller and shall in all cases be carried out in compliance with Chapter V of the General Data Protection Regulation.

7.2. Without documented instructions from the Data Controller, the Data Processor shall not, within the framework of these Clauses:

  1. Transfer personal data to a data controller or data processor in a third country or an international organisation
  2. Entrust the processing of personal data to a sub-processor located in a third country
  3. Process personal data in a third country

7.3. These Clauses shall not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the General Data Protection Regulation, and shall not constitute a valid transfer mechanism for the transfer of personal data pursuant to Chapter V of the General Data Protection Regulation.

8. ASSISTANCE TO THE DATA CONTROLLER

8.1. Taking into account the nature of the processing, the Data Processor shall assist the Data Controller in fulfilling the Data Controller's obligation to respond to requests for exercising the data subjects' rights laid down in Chapter III of the General Data Protection Regulation, including:

  1. The duty to provide information where personal data are collected from the data subject
  2. The duty to provide information where personal data have not been obtained from the data subject
  3. The right of access
  4. The right to rectification
  5. The right to erasure ("the right to be forgotten")
  6. The right to restriction of processing
  7. The obligation to notify in connection with rectification or erasure of personal data or restriction of processing
  8. The right to data portability
  9. The right to object
  10. The right not to be subject to a decision based solely on automated processing, including profiling

8.2. The Data Processor shall further assist the Data Controller with obligations relating to notification of personal data breaches, data protection impact assessments, and prior consultation with the competent supervisory authority, including the Danish Data Protection Agency.

9. NOTIFICATION OF A PERSONAL DATA BREACH

9.1. The Data Processor shall notify the Data Controller without undue delay after having become aware that a personal data breach has occurred.

9.2. Where possible, the Data Processor's notification to the Data Controller shall be made no later than twenty-four (24) hours after the Data Processor has become aware of the breach, so as to enable the Data Controller to comply with its obligation to notify the personal data breach to the competent supervisory authority pursuant to Article 33 of the General Data Protection Regulation.

9.3. The Data Processor shall assist the Data Controller in notifying the personal data breach to the competent supervisory authority, including by providing information regarding the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.

10. DELETION AND RETURN OF DATA

10.1. Upon termination of the Data Processor's services relating to the processing of personal data, the Data Processor shall be obliged to delete all personal data processed on behalf of the Data Controller and to confirm to the Data Controller that such data has been deleted, unless the Data Controller instructs the Data Processor otherwise or unless Union law or Member State law requires the storage of the personal data.

11. AUDIT, INCLUDING INSPECTIONS

11.1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Clauses, and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor authorised by the Data Controller.

11.2. Once annually and at its own expense, the Data Processor shall obtain an ISAE 3000 assurance report from an independent third party regarding the Data Processor's compliance with the General Data Protection Regulation and these Clauses. Audit statements shall be provided to the Data Controller without undue delay, unless already available on the Data Processor's website.

11.3. The Data Processor shall be obliged to grant supervisory authorities which, pursuant to applicable law, have access to the facilities of the Data Controller or the Data Processor, access to the Data Processor's physical premises upon presentation of appropriate identification.

12. THE PARTIES' AGREEMENT ON OTHER MATTERS

12.1. The Parties may agree on other provisions relating to the service in connection with the processing of personal data, including, for example, provisions on liability, provided that such provisions do not directly or indirectly conflict with these Clauses or undermine the fundamental rights and freedoms of data subjects as set out in the General Data Protection Regulation.

13. ENTRY INTO FORCE AND TERMINATION

13.1. These Clauses shall enter into force on the date of signature by both Parties.

13.2. Either Party may request that these Clauses be renegotiated if changes in legislation or deficiencies in the Clauses give rise to such need.

13.3. These Clauses shall remain in force for as long as the service relating to the processing of personal data is provided. During this period, the Clauses may not be terminated unless other provisions governing the provision of the service are agreed between the Parties.

13.4. Where the provision of services ceases and the personal data have been deleted or returned to the Data Controller, these Clauses may be terminated by either Party upon written notice.

14. CONTACT PERSONS

14.1. The Data Processor may be contacted via the contact person listed below or through communication with the persons who are ordinarily involved in the contractual relationship between the Data Controller and the Data Processor.

14.2. The Parties shall be obliged to continuously inform each other of any changes relating to the contact persons.

On behalf of the Data Processor:
Privacy Team
privacy.plandisc@visma.com

Appendix A – Information on the Processing

A.1 PURPOSE OF PROCESSING

The processing of the Data Controller's personal data is carried out for the purpose of fulfilling the agreement entered into between the Data Processor and the Data Controller concerning the Data Processor's provision of its digital solution, which constitutes a virtual calendar solution.

A.2 NATURE OF PROCESSING

As the owner and provider of the solution, the Data Processor processes personal data in connection with the general operation of the solution, including hosting, display, organisation, receipt, transmission, structuring, adaptation, implementation, searching, processing, storage, recovery, deletion, restriction, maintenance, development, logging, support, troubleshooting, and other IT services related to the Data Processor's solution(s) and/or service(s) provided to the Data Controller pursuant to the agreement entered into between the Parties.

A.3 TYPES OF PERSONAL DATA

As a general rule, the Data Processor processes ordinary personal data (cf. Article 4(1) and Article 6 of the General Data Protection Regulation), such as name, telephone number, email address, and IP address. However, through use of the solution, the Data Controller may entrust the Data Processor with the processing of any type of personal data.

A.4 CATEGORIES OF DATA SUBJECTS

  1. End users of the Customer

A.5 DURATION OF PROCESSING

The Data Processor's processing of personal data on behalf of the Data Controller may commence upon the entry into force of these Clauses. The processing is not time-limited and shall continue until these Clauses are terminated.

Appendix B – Sub-processors

B.1 APPROVED SUB-PROCESSORS

As of the entry into force of these Clauses, the Data Controller has approved the use of the following sub-processors:

  1. Amazon AWS (LU26888617) – 38 avenue John F. Kennedy, L-1855 Luxembourg. Amazon Web Services (AWS) securely stores customer data via S3 Cloud Storage. Transfer mechanism: EU-U.S. Data Privacy Framework.
  2. Microsoft Azure (IE8256796U) – South County Business Park, Leopardstown, Dublin 18, Ireland. Used as the hosting and infrastructure platform for the solution. Processing includes storage, processing, and operation of customer data in Microsoft's Swedish data centres.
  3. WebHosting A/S (25674138) – Naverland 2, 2600 Glostrup, Denmark. Sends and receives emails from the solution via SMTP services.
  4. Ipregistry (FR13983391012) – 1 Chemin des Rosiers, 06800 Cagnes-sur-Mer, France. Used to determine users' geographical locations (IP geolocation) to block access from sanctioned countries subject to international embargoes.
  5. Orca Security Ltd. (13410414) – Cambridge House, Girton, Cambridgeshire, England. Used to secure the cloud infrastructure by analysing networks, services, and storage configurations, malware scanning, and managing access rights. All data is processed within the EU/EEA.

The Data Processor shall maintain an up-to-date list of sub-processors on the Data Processor's website. Copies of sub-processing agreements may be obtained via the website or upon written request to the Data Processor.

B.2 NOTICE PERIOD FOR CHANGES TO SUB-PROCESSORS

The Data Processor shall notify the Data Controller of any intended changes relating to the addition or replacement of sub-processors no later than ten (10) days prior to the intended commencement of the use of, or change to, the sub-processor. In special circumstances where shorter notice is required, the Data Processor shall notify the Data Controller as soon as possible. The Data Controller may only object where it has reasonable and substantiated grounds for doing so.

Appendix C – Instructions Regarding the Processing of Personal Data

C.1 SUBJECT MATTER / INSTRUCTIONS

The Data Processor's processing of personal data on behalf of the Data Controller consists of: operation, including hosting, display, organisation, receipt, transmission, structuring, adaptation, implementation, searching, processing, storage, recovery, deletion, restriction, maintenance, development, logging, support, troubleshooting, and other IT services related to the provision of the Data Processor's digital solution to the Data Controller pursuant to the agreement entered into between the Parties.

C.2 SECURITY OF PROCESSING

The agreed security level is: High.

The Data Processor shall, as a minimum, implement the following measures:

  1. Pseudonymisation and encryption of personal data where required by the nature and scope of processing. Encryption shall always be applied for any transmission of confidential and sensitive personal data via external communication networks.
  2. Annual risk assessments for each processing system, with mitigating measures implemented based on results.
  3. Access restricted to persons with a legitimate business purpose, with regular access rights reviews. Employees shall at all times be aware of and have received sufficient training regarding the purposes of the processing and their duty of confidentiality.
  4. Multi-factor authentication for all access to personal data via the internet, via secure, encrypted connections.
  5. Encrypted communication channels and VPN or equivalent security technology for remote access.
  6. Regular backups and effective contingency plans for restoration of personal data within a reasonable timeframe in the event of operational disruptions.
  7. Automated logging of all processing of personal data. Logs shall contain information regarding the time of access, user identity, type of use, and identification of the data subject concerned. Log data shall be retained for a minimum of twelve (12) months.
  8. Personal data encrypted at rest, with access restricted to authorised persons through controlled access procedures.
  9. Formal change management procedures ensuring that any changes are duly authorised, tested, and approved prior to implementation. Critical security updates shall be implemented without undue delay.
  10. Appropriate physical security measures at all locations where personal data are processed, including protection against fire, water damage, theft, and vandalism.

C.3 ASSISTANCE TO THE DATA CONTROLLER

The Data Processor shall notify the Data Controller without undue delay of any data subject request received. The Data Processor shall not respond directly to such requests. Upon the Data Controller's request, the Data Processor shall assist the Data Controller in fulfilling its obligations with respect to data subjects' rights under applicable data protection law.

In the event of a personal data breach, the Data Processor shall provide the relevant information to the Data Controller within twenty-four (24) hours after becoming aware of the breach, and shall assist the Data Controller in notifying the competent supervisory authority and, where applicable, communicating the breach to affected data subjects.

The Data Processor shall assist the Data Controller by providing the information necessary to carry out required risk assessments and, upon request, data protection impact assessments under Articles 35 and 36 of the General Data Protection Regulation.

C.4 RETENTION PERIOD / DELETION PROCEDURES

Personal data shall be stored by the Data Processor until the Data Controller requests deletion or return of the data. Upon termination of the service or these Clauses, the Data Processor shall delete the personal data, unless the Data Controller instructs otherwise. Any such changes shall be documented and retained in writing together with these Clauses.

C.5 LOCATION OF PROCESSING

Processing of personal data covered by these Clauses shall not take place at locations other than those specified in this Data Processing Agreement and the addresses of the engaged sub-processors as set out in Appendix B, without the Data Controller's prior written approval.

C.6 INSTRUCTIONS REGARDING TRANSFERS TO THIRD COUNTRIES

Without documented instructions from the Data Controller, the Data Processor shall not transfer personal data to a third country, unless the transfer is made to an authorised sub-processor listed in Appendix B. Any transfer mechanism shall comply with Chapter V of the General Data Protection Regulation, and the applicable transfer mechanisms are set out in Appendix B.

The Data Processor shall notify the Data Controller of any request received from a public authority in a third country for disclosure of personal data covered by these Clauses, and shall, to the extent permitted under Union law or Member State law, oppose such disclosure.

C.7 PROCEDURES FOR AUDITS AND INSPECTIONS

Once annually and at its own expense, the Data Processor shall obtain an ISAE 3000 assurance report from an independent third party. Audit statements and/or inspection reports shall be provided to the Data Controller without undue delay, unless already available on the Data Processor's website. The Data Controller may request additional measures based on audit results. The Data Controller, or an authorised representative, shall also be entitled to conduct inspections of the Data Processor's physical facilities where personal data are processed.

Appendix D – Regulation of Other Matters Between the Parties

D.1 LIABILITY AND BREACH

The Parties' agreement on liability, including limitation of liability, is set out in the agreement entered into between the Data Processor and the Data Controller regarding the Data Processor's provision of the digital solution to the Data Controller, provided that such agreement does not directly or indirectly conflict with these Clauses or diminish the fundamental rights and freedoms of data subjects.

D.2 DELETION AND RETURN OF DATA

No later than 30 days after the processing of personal data has ceased, the Data Controller shall notify the Data Processor whether all personal data are to be deleted or returned. Where personal data are to be returned to the Data Controller, the Data Processor shall also delete any remaining copies, including from sub-processors.

If the Data Controller has not notified the Data Processor within 30 days after a reminder has been sent, the Data Processor shall be entitled, without further notice, to delete the personal data.

D.3 FEES

Unless otherwise expressly agreed in this Data Processing Agreement, the Data Processor shall perform its obligations without separate remuneration. If the Data Controller's requests result in additional work exceeding a reasonable time expenditure (5 hours), the Data Processor may charge for the time spent, subject to further agreement between the Parties.

Appendix E – The Data Processing Chain

The Data Processor undertakes to maintain an up-to-date and accessible overview of all sub-processors. The Data Controller may at any time review such overview.

The Data Processor further undertakes to comply with the forthcoming harmonisation of a common European standardised format for the specification of data processing chains and shall implement such format without undue delay upon its adoption and publication at EU level.

Data Processor: Visma Plandisc A/S, CVR: 37204854, System: Plandisc. Sub-processors: Amazon AWS, WebHosting A/S, Ipregistry, Orca Security Ltd. (see Appendix B for full details).