Data Processing Agreement
This Data Processing Agreement ("Agreement") is made and entered into between:
IntelliFinder A/S (the “Data Processor”)
Ørbækvej 266, 1 th
5220 Odense SØ
Company registration number: DK30282671
and the customer (“Data Controller”).
Definitions
Capitalized terms used in this Agreement shall have the meanings set forth below:
(a) “Data Controller” means the customer who enters into an agreement with Data Processor for the provision of the services.
(b) “Data Processor” means IntelliFinder.
(c) “Data Protection Laws” means all applicable laws and regulations relating to the processing of personal data, including without limitation the European Union General Data Protection Regulation 2016/679 (“GDPR”), and any national implementing laws, regulations and secondary legislation.
(d) “Data Subject” means the individual to whom personal data relates.
(e) “Personal Data” means any information relating to an identified or identifiable natural person.
(f) “Services” means the cloud-based tool for location-based project management provided by Data Processor to Data Controller.
(g) “Sub-Processor” means any third party engaged by Data Processor to process personal data on behalf of Data Controller.
Scope and Purpose
(a) Data Controller appoints Data Processor to process Personal Data on behalf of Data Controller for the provision of the Services.
(b) The duration of this Agreement shall be as long as the Data Controller is a customer of the Data Processor, unless otherwise terminated in accordance with the terms of this Agreement or the underlying agreement between the parties.
(c) Data Processor shall process Personal Data in accordance with Data Controller’s instructions and this Agreement.
(d) Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing.
(e) Data Processor shall not be responsible for any Personal Data that is input into the Services by Data Controller or its authorized users.
Obligations of Data Processor
(a) Data Processor shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
(b) Data Processor shall not disclose Personal Data to any third party unless required by law, court order or regulatory requirement. If Data Processor is required to disclose Personal Data, Data Processor shall provide Data Controller with prompt notice of such requirement, unless prohibited by law.
(c) Data Processor shall notify Data Controller without undue delay, and in any event within 48 hours, after becoming aware of any Personal Data Breach affecting Personal Data processed on behalf of Data Controller.
(d) Data Processor shall assist Data Controller in complying with Data Controller’s obligations under Data Protection Laws insofar as such obligations relate to the processing of Personal Data under this Agreement, taking into account the nature of the processing and the information available to Data Processor.
(e) Data Processor will store all Personal Data in the European Economic Area (“EEA”) unless there is written consent. See “Data Transfer”.
Sub-Processors
(a) Data Controller authorizes Data Processor to engage Sub-Processors to process Personal Data on behalf of Data Controller. Data Processor shall ensure that Sub-Processors are bound by obligations of confidentiality and data protection no less protective than those set forth in this Agreement.
(b) Data Processor shall remain fully liable for any acts or omissions of Sub-Processors that cause Data Processor to breach any of its obligations under this Agreement.
(c) Data Processor shall not replace or engage new Sub-Processors without the prior written consent of the Data Controller. The Data Processor shall provide the Data Controller with reasonable notice of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Data Controller sufficient time to object to such changes. If the Data Controller does not provide written consent to the proposed Sub-Processor, the Data Processor shall not proceed with the engagement of that Sub-Processor.
Data Subject Rights
(a) Data Processor shall provide reasonable assistance to Data Controller in fulfilling its obligations under Data Protection Laws with respect to data subject rights, including without limitation, subject access requests, rectification, erasure, and restriction of processing.
(b) If Data Processor receives a request from a data subject to exercise its rights under Data Protection Laws in relation to Personal Data processed on behalf of Data Controller, Data Processor shall promptly notify Data Controller of the request.
(c) Data Processor shall not be responsible for fulfilling any data subject requests or responding to any data subject inquiries unless expressly agreed in writing by Data Processor and Data Controller.
(d) Data Processor shall not be liable for any claims, damages, liabilities, fines, penalties, costs and expenses (including reasonable attorneys' fees) arising from or related to data subject requests or inquiries. Data Controller shall be solely responsible for fulfilling its obligations under Data Protection Laws with respect to data subject requests or inquiries.
Data Transfer
(a) Data Processor may transfer Personal Data outside the European Economic Area (“EEA”) only with Data Controller’s prior written consent.
(b) If Personal Data is transferred outside the EEA, Data Processor shall ensure that appropriate safeguards are in place, including without limitation, standard contractual clauses approved by the European Commission or other safeguards as required by applicable Data Protection Laws.
Termination
(a) Upon termination or expiration of this Agreement, Data Processor shall promptly delete or return all Personal Data processed on behalf of Data Controller.
(b) Data Processor may retain Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law.
Indemnification and Liability
(a) Data Processor shall indemnify and hold harmless Data Controller from any claims, damages, liabilities, fines, penalties, costs and expenses (including reasonable attorneys' fees) arising from any breach of this Agreement by Data Processor.
(b) Data Controller shall indemnify and hold harmless Data Processor from any claims, damages, liabilities, fines, penalties, costs and expenses (including reasonable attorneys' fees) arising from Data Controller's breach of this Agreement, negligence or willful misconduct.
(c) In no event shall either party be liable to the other party for any indirect, incidental, special, consequential or punitive damages, or any loss of profits, revenue, data or business opportunities, arising from or related to this Agreement, regardless of the legal theory under which such liability is asserted, even if the party has been advised of the possibility of such damages.
Miscellaneous
(a) This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, negotiations, understandings, representations and warranties.
(b) This Agreement may be amended or modified by IntelliFinder A/S (the “Data Processor”), provided that the customer (the “Data Controller”) is notified of any such changes.
(c) This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which Data Controller is located.
(d) Any disputes arising out of or in connection with this Agreement shall be resolved in accordance with the dispute resolution provisions set forth in the underlying agreement between Data Processor and Data Controller.
Approved by:
IntelliFinder A/S
Adna Dzafic
Operations & Privacy Officer
privacy@intellifinder.dk
Date: 21. Aug. 2024