Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between the following parties:
- Onboarding Group ApS, Vester Farimagsgade 15, 1606 København V, Company reg. no. 36395516 (“ObG”)
- “The Customer”
ObG enters this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its affiliates, if and to the extent ObG Processes Personal Data for such affiliates.
“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data - in this instance, The Customer.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller - in this instance, ObG.
“Services” means measuring Onboarding by collecting data via e-mail surveys and presenting data in a dashboard in the system that requires a login.
- Review (measurement of recently arrived employees)
- Ongoing Dialogue (measurement and dialogue with all future employees)
- Dashboard (data visualization)
“Personal Data” means any individual element of information concerning the personal or material circumstances of an identified or identifiable individual.
“Processing” means processing of Personal Data (encompassing the storage, amendment, transfer, blocking or erasure of Personal Data) by ObG as the Data Processor acting on behalf of The Customer as the Data Controller.
“Sensitive Personal Data” is any Personal Data concerning social security number, ethnic or racial origin, political beliefs, religious or philosophical beliefs, finances, health, or union membership.
1. Scope of the Agreement
- The DPA forms part of the written or electronic agreement document between The Customer and ObG for the purchase of Services to reflect the parties’ agreement regarding the Processing of Personal Data.
- The parties acknowledge and agree that, regarding the Processing of Personal Data, The Customer is the Data Controller and ObG is a Data Processor for The Customer concerning the categories of Personal Data as further set out in Annex 1.
- ObG shall only Process Personal Data on behalf of and in accordance with The Customer’s instructions and shall treat Personal Data as confidential information.
2. The Customer’s obligations as the Data Controller
- The Customer warrants that the Personal Data is Processed for legitimate and objective purposes and that ObG is not Processing more Personal Data than required for fulfilling such purposes.
- The Customer is responsible for ensuring that a valid legal basis for Processing exists at the time of transferring the Personal Data to ObG, including that any consent of the relevant data subjects is given explicitly, voluntarily, unambiguously and on an informed basis.
- In addition, The Customer warrants that the data subjects to which the Personal Data pertains have been provided with sufficient information on the Processing of their Personal Data.
- The Customer will hold ObG harmless and indemnify it from any losses, fines or penalties, including attorney’s fees, resulting from a breach of these obligations.
3. ObG’s Obligations as Data Processor
- General obligations
- All Processing by ObG of Personal Data provided by The Customer must be in accordance with instructions prepared by The Customer and ObG is, furthermore, obliged to comply with any and all data protection legislation in force from time to time. If so requested by The Customer, ObG shall state and/or document that ObG complies with the requirements of the applicable data protection legislation.
- ObG shall keep Personal Data confidential and shall not disclose the Personal Data to third parties or take copies of Personal Data unless strictly necessary for the performance of ObG’s obligations towards The Customer according to the Agreement and on condition that Personal Data is only disclosed to ObG employees familiar with the confidential nature of the data and who will keep the Personal Data confidential in accordance with this Agreement.
- ObG must ensure that its employees comply with this Agreement and, to the extent reasonable, limit the access to Personal Data to employees and employees of ObG’s Group companies for whom access to said data is necessary to fulfil ObG’s obligations towards The Customer. ObG must ensure that employees authorized to process the Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
- ObG must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the Personal Data is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to the relevant data protection legislation in force from time to time.
- Upon the request of The Customer, ObG must provide The Customer with sufficient information to be able to ensure that ObG has taken the necessary technical and organisational security measures.
- ObG must notify The Customer where there is an interruption in operation, a suspicion that data protection rules have been breached, or other irregularities in connection with the Processing of the Personal Data. If requested by The Customer, ObG shall assist The Customer in relation to clarifying the scope of the security breach, including preparation of any notification to the relevant Data Protection Agency(-ies) and/or data subjects.
- Requests for correction, blocking and deletion of Personal Data
- To the extent The Customer, in its use or receipt of the Services, does not have the ability to correct, amend, block or delete Personal Data, ObG shall comply with any commercially reasonable request by The Customer to facilitate such actions to the extent ObG is legally permitted to do so.
- ObG shall, to the extent legally permitted, promptly notify The Customer if it receives a request from a data subject for access to, correction, amendment or deletion of that person’s Personal Data. ObG shall not respond to any such data subject request without The Customer’s prior written consent except to confirm the request. If requested by The Customer, ObG shall assist The Customer in answering any such requests and/or objections.
4. Certifications and Audits
- ObG is obliged once per year to obtain and forward an audit report from an independent expert regarding ObG's compliance with its obligations under the Agreement at its own costs. The audit report must be issued based on a recognised standard for such audit reports.
- The Customer (or The Customer’s independent, third-party auditor) is entitled, at its own cost, to request information regarding ObG’s compliance with the obligations set forth in this DPA in the form of the third-party certifications and/or audits on-site at ObG. Any appointed auditor shall, upon ObG’s request, sign a non-disclosure agreement and treat all information obtained or received from ObG confidentially, and may only share the information with The Customer.
- Before the commencement of any such on-site audit, The Customer and ObG shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which The Customer shall be responsible. The Customer shall reimburse ObG for any time spent by ObG on audits, at The Customer’s then-current professional services rates, unless such audit reveals any serious breach(es) of ObG’s obligations under this Agreement, in which case The Customer will bear all costs of such audit.
5. ObG’s use of Sub-data processors
- ObG is not entitled to disclose or transfer Personal Data to third parties or data processors without the prior written instruction of The Customer, unless such disclosure or transfer is stipulated by law.
- At the time of the Agreement, ObG uses the sub-data processors set out in Annex 2. By signing this DPA, The Customer agrees to ObG’s use of these sub-data processors.
- ObG is liable for the data processing activities performed by the sub-data processor on behalf of The Customer where such data processing activities are subject to this DPA. ObG must ensure that such sub-data processor has executed a data processor agreement in which the sub-data processor undertakes vis-à-vis ObG to be bound by terms similar to the requirements under this DPA. As for sub-data processors outside the EU/EEA, ObG must enter into standard agreements in accordance with Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under the European Parliament and the Council’s Directive 95/46/EC ("Model Clauses").
- ObG undertakes to inform The Customer of any intended changes concerning the addition or replacement of a sub-data processor by providing a prior written notice of two months to The Customer.
- The parties are liable for compensation in accordance with the general rules of Danish law on liability in damages. None of the parties are entitled to claim damages for any indirect or consequential loss, irrespective of whether The Customer, ObG or any third parties suffer such indirect or consequential loss. Any loss of business opportunities, loss of profits, operating loss, loss of revenue, goodwill and data, including loss in connection with the retrieval of data, must at all times be deemed to constitute indirect/consequential loss.
7. Term and Termination of the Agreement
- The Agreement is valid for as long as ObG Processes Personal Data on behalf of The Customer.
- In the event of breach of this Agreement, The Customer can instruct ObG to stop further handling of the information with immediate effect.
- If the written or electronic agreement between ObG and The Customer for the purchase of Services from ObG is terminated for any reason, this DPA shall also terminate. Upon termination of this Agreement, ObG is obliged to delete all Personal Data received on behalf of The Customer and covered under this Agreement.
8. Choice of law and legal venue
- This Agreement will be governed by and construed in accordance with the laws of the Kingdom of Denmark, except for its conflicts of law rules and principles. In the event of any suit or proceeding arising out of or related to this Agreement, the courts of Denmark will have exclusive jurisdiction and the parties will submit to the jurisdiction of those courts.
- Any provision of this Agreement that is prohibited or unenforceable in any jurisdiction is ineffective to the extent of that prohibition or unenforceability in that jurisdiction. The validity, enforceability, or legality of the remaining provisions will not be affected.
By signing below, each party acknowledges that it has carefully read and agrees to be bound by the terms of this Agreement. This Agreement will become effective on the last date signed.
Onboarding Group ApS
This Annex constitutes The Customer’s instruction to ObG in connection with ObG’s data processing for The Customer, and is an integrated part of the Agreement.
The processing of personal data
- a) Purpose and nature of the processing operations
ObG is measuring onboarding for The Customer
- b) Categories of data subjects
- Hiring Manager
- c) Categories of personal data
- Name, title, e-mail, phone number
- Name, e-mail, hire date, employment division, employment department, manager’s name, manager’s e-mail
- Name, e-mail
- d) Special categories of data
[Insert a description of the special categories of data for each category of data subjects. Special categories of data concern data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data when processed for the purpose of unique identification of a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation and personal data about criminal convictions and offences.]
Re b) I: None
Re b) II: None
Re b) III: None
- e) Location(s), including name of country/countries of processing
Onboarding Group ApS, Vester Farimagsgade 15, København, 1606, Denmark
- f) Special requirements to security measures that apply to The Customer
- Microsoft Azure, Northern Europe (https://azure.microsoft.com/en-us/regions/)
- Mailchimp (https://mailchimp.com/)
- Embrace-IT Aps (http://embrace-it.com/)