Data processor agreement

Entered between

The customer
The address most recently provided by the customer
The postcode most recently provided by the customer
The city most recently provided by the customer
The country most recently provided by the customer
The CVR no. most recently provided by the customer.
(hereinafter referred to as the Data Controller)

And

taplink ApS
Vesterbrogade 25
8000, Aarhus C
Denmark
(hereinafter referred to as the Data Processor)

1. Declaration of intent

1.1. The data processor declares upon entering into this agreement that it will implement the appropriate technical and organizational measures in such a way that the processing meets the requirements of the data protection regulation and ensures the protection of the data subjects' rights.

2. Object of the agreement

2.1. The processing relates to one or more of the processing activities below, depending on what follows from the main agreement.

2.2. In the event of acquisitions that are not already regulated in this agreement, the agreement will be supplemented with the relevant provisions in the form of an appendix or a new data processing agreement, without this affecting the legal effect of the agreements already entered into. It is hereby agreed that the supplementary provisions regarding the processing of personal data will be forwarded to the Data Controller and will apply 30 days after transmission, unless the Data Controller objects in writing to kundeservice@taplink.dk .

2.3. Changes to the agreement that result from changes in the legal situation, including changes in the law, relevant judgments and relevant supervisory decisions, are made without prior notice. The Data Controller is notified of such changes no later than 30 days after they are posted online on taplink's website.

2.4. Treatment activities:

2.4.1. Review card

2.4.1.2. The duration of the treatment follows the main contract
2.4.1.2. The treatment consists of collection
2.4.1.3. The processing includes contact information
2.4.1.4. Personal data about Data Controllers is processed
2.4.1.5. Processing does not include the transfer of personal data to third countries and the processing does not include the transfer of personal data to international organizations either.

2.4.2. Stands for reviews

2.4.2.2. The duration of the treatment follows the main contract
2.4.2.2. The treatment consists of collection
2.4.2.3. The processing includes contact information
2.4.2.4. Personal data about Data Controllers is processed
2.4.2.5. Processing does not include the transfer of personal data to third countries and the processing does not include the transfer of personal data to international organizations either.

3. Instructions

3.1. The data processor may only process personal data according to documented instructions from the Data Controller, including, for example, the main agreement and the general terms and conditions.

3.1. The requirement for the Data Controller's written instructions for the Data Processor's processing under Section 3.1 can only be disregarded if it is required under EU law or the national law of the Member States to which the Data Processor is subject.

3.2. If the Data Processor applies Section 3.2, the Data Processor informs the Data Controller of this legal requirement as soon as possible before the processing, unless the law in question prohibits such notification for reasons of important societal interests.

4. The rights of the data subjects

4.1 The Data Controller is responsible for compliance with the Data Protection Regulation, including responding to requests for the exercise of data subjects' rights as set out in Chapter III of the Data Protection Regulation.

4.2 Taking into account the nature of the processing, the Data Processor assists the Data Controller as far as possible by means of appropriate technical and organizational measures, with the fulfillment of the Data Controller's obligation to respond to requests for the exercise of data subjects' rights as laid down in Chapter III of the Data Protection Regulation.

5. Security

5.1. The Data Processor assists the Data Controller in ensuring compliance with the obligations pursuant to Articles 32-36, taking into account the nature of the processing and the information available to the Data Processor.

5.2. The data processor implements all measures required according to
Article 32 of the Data Protection Regulation.

5.3. The data processor ensures that the persons authorized to process the personal data have contractually committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

6. Sub-processors

6.1. The Data Processor may not make use of another Data Processor without prior general written approval from the Data Controller. The Data Controller hereby gives the Data Processor general written approval to make use of one or more other data processors.

6.2. The data processor must notify the Data Controller as soon as possible of any planned changes regarding the addition or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes.

6.3. If the Data Processor makes use of another Data Processor (Sub-Data Processor) in connection with the performance of specific processing activities on behalf of the Data Controller, the Sub-Data Processor is subject to the same data protection obligations as those stipulated in this contract between the Data Controller and the Data Processor.

6.4. If the Sub-Data Processor, as mentioned under Section 6.3, does not fulfill its
data protection obligations, the original Data Processor remains fully responsible to the Data Controller for the fulfillment of the other Data Processor's obligations.

7. Supervision

7.1. The Data Processor makes all information necessary to demonstrate compliance with the requirements of this Data Processor Agreement available to the Data Controller.

7.2. The data processor allows for and contributes to audits, including inspections, carried out by the Data Controller or another auditor authorized by the Data Controller.

7.3. The Data Processor immediately informs the Data Controller if an instruction regarding Section 7.1 is in the Data Processor's opinion contrary to the Data Protection Regulation or data protection provisions in other EU law or the national law of the Member States.

8. Termination of the agreement

8.1. The data processor deletes all personal data of the data controller after the service relating to the processing has ceased and deletes all existing copies.

8.2. The data processor's handling of personal data, which follows from Section 8.1, is waived if EU law or the national law of the Member States prescribes the storage of the personal data.

8.3. The data processor documents to the Data Controller as soon as possible which rules in EU law or the national law of the Member States prescribe the storage of the personal data, as mentioned under Section 8.2.