Last Updated: 5 April 2018
DATA PROCESSOR AGREEMENT
This agreement regarding processing of personal data (the "Data Processor Agreement") regulates FatDisco Ltd, Company registration no. 09472339 (the "Data Processor") processing of personal data of its Customers that agreed to the Terms of Service (Main Agreement) and signed up for FatDisco Storage (Main Services).
The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the "Applicable Law"), including in particular:
The European Parliament and the Council's Directive 95/46/EF of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as implemented in Danish law with, among others, the Act on Processing of Personal Data (Act No. 429 of 31 May 2000).
The European Parliament and the Council's Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data that entered into force on 24 May 2016 and will be applicable on 25 May 2018 ("GDPR").
Irrespective of the general use and reference to GDPR in this Data Processor Agreement, the parties are not obliged to comply with GDPR before 25 May 2018.
PROCESSING OF PERSONAL DATA
In connection with the Data Processor's delivery of the Main Services to the Customer, the Data Processor will process certain categories and types of the Customer's personal data.
"Personal data" includes "any information relating to an identified or identifiable natural person" as defined in GDPR, article 4 (1) (1) (the "Personal Data"). The categories and types of Personal Data processed by the Data Processor are listed in this agreement.
The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update this agreement whenever changes occur that necessitate an update.
The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).
The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the "Instruction"). The Instruction at the time of entering into this Data Processor Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the Main Services as described in the Main Agreement.
The Data Processor shall give notice without undue delay if the Data Processor considers the Instruction in force at the time to be in conflict with the Applicable Law.
THE DATA PROCESSOR'S OBLIGATIONS
Considering confidentiality, the Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Processor is acquired in a process of sale. Should such occur, the Customer shall be informed in writing.
The Data Processor's employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processor Agreement with strict confidentiality.
Considering security, the Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32.
The Data Processor shall ensure that access to the Personal Data is restricted to only the employees to whom it is necessary and relevant to process the Personal Data in order for the Data Processor to perform its obligations under the Main Agreement and this Data Processor Agreement.
The Data Processor shall provide documentation for the Data Processor's security measures if requested by the Customer in writing.
Considering the rights of the data subjects. If the Data Processor receives a request from a data subject for the exercise of the data subject's rights under the Applicable Law and such request is related to the Personal Data of the Customer, the Data Processor must immediately forward the request to the Customer directly.
Considering Personal Data Breaches. The Data Processor shall give immediate notice to the Customer if a breach of the data security occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed regarding the Personal Data of the Customer (a "Personal Data Breach").
The Data Processor shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following:
A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of personal data.
A description of the likely consequences of the Personal Data Breach as well as those that have actually occurred.
A description of the measures that the Data Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
The register of Personal Data Breaches shall be provided to the Customer in copy if so requested in writing by the Customer or the relevant Data Protection Agency.
Considering the documentation of compliance. The Data Processor shall after the Customer's written request hereof provide documentation substantiating that:
The Data Processor complies with its obligations under this Data Processor Agreement and the Instruction.
The Data Processor complies with the Applicable Law in respect of the processing of the Customer's Personal Data.
The Data Processor's documentation of compliance shall be provided within reasonable time.
Considering the location of the Personal Data. The Personal Data is only processed by the Data Processor at the Data Processor's addresses, including the office address and the relevant datacentres. The Data Processor transfers the Personal Data to third countries as a measure of backup.
Any transfer of the Personal Data to any third countries or international organizations is done to the extent such transfer is permitted and done in accordance with the Applicable Law.
The Data Processor is given general authorization to engage third parties (such as payment processing companies) to process the Personal Data ("Sub-Processors") without obtaining any further written, specific authorization from the Customer, provided that the Data Processor notifies the Customer in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Customer wishes to object to the relevant Sub-Processor, the Customer shall give notice hereof in writing within seven (7) calendar days from receiving the notification from the Data Processor. Absence of any objections from the Customer shall be deemed a consent to the relevant Sub-Processor.
The Data Processor shall conclude a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors' compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Customer if so requested in writing.
The Data Processor is not accountable to the Customer for any Sub-Processor in the same way as for its own actions and omissions.
The Data Processor is at the time of entering into this Data Processor Agreement using the Sub-Processors listed in this agreement. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in this agreement.
The Data Processor Agreement shall remain in force until the Main Agreement is terminated.
The Data Processor's authorization to process Personal Data of the Customer shall be annulled at the termination of this Data Processor Agreement.
The Data Processor shall continue to process the Personal Data for up to three months after the termination of the Data Processor Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Data Processor is entitled to include the Personal Data in the Data Processor’s backup. The Data Processor’s processing of the Customer's Personal Data in the three months after the termination of this Data Processor Agreement shall be considered as being in accordance with the Instruction.
Three months after the termination of this Data Processor Agreement, the Data Processor shall delete the Personal Data processed under this Data Processor Agreement.
This excludes any Personal Data used for billing and tax calculation processes required under the Applicable Law.
The contact information for the Data Processor is provided in the Main Agreement.
The Data Processor processes the following types of Personal Data in connection with its delivery of the Main Services:
Ordinary contact information on relevant Customers.
Users of the Main Services: names, addresses, e-mails.
Personal data provided by the Customer in connection with their use of the Main Services.
CATEGORIES OF DATA SUBJECTS
The Data Processor processes Personal Data about the Customers.
The Data Processor has similar agreements with the following Sub-Processors:
Bright Market, LLC (https://fastspring.com)