DATA PROCESSING AGREEMENT
This Data Processing Agreement (the “Processing Agreement“) governs the personal data processing that results from the Customer’s use of Whistlelink in accordance with the Agreement and is consequently an integral part of the Agreement. The Customer Data that the Customer enters into Whistlelink is encrypted and We have no access to the information other than the fact that We store the information on our servers and in exceptional cases may need to assist the Customer in connection with support matters. This storage of whistleblowing information means that according to the Data Protection Regulation (2016/679) (“GDPR”) we are considered to process personal data on behalf of the Customer and thus constitute a processor to the Customer in its role as controller. Terms in this Processing Agreement shall be construed in accordance with the GDPR as well as applicable local adaptation and regulation regarding data protection (collectively the “Data Protection Rules“). The terms in the Processing Agreement shall have the meaning that appears primarily in the Data Protection Rules and otherwise in the Agreement, unless circumstances clearly dictate otherwise.
1. Responsibility and instruction
1.1 The type of data and the categories of data subjects processed under this Processing Agreement by the Processor in connection with the Processor’s provision of Whistlelink and the purpose, nature, duration and object of the processing are described in section 4. The Customer shall ensure that the Processor does not process additional categories of data other than those specified in section 4.
1.2 The Customer is aware that Whistlelink is a platform that is distributed to a large number of customers and that We will therefore not necessarily be able to follow such instructions that are not a direct consequence of the Customer’s need to follow the Data Protection Rules. If the Customer gives us such instructions that We do not have the possibility to follow, the Customer undertakes to stop entering and exporting all such Customer Data that is affected by the current instructions. The foregoing shall not constitute a breach of contract or the availability of Whistlelink.
1.3 The Customer is controller for all personal data that the Processor processes on behalf of the Customer under the Processor Agreement. The Customer is thus responsible for compliance with the applicable Data Protection Rules and undertakes to follow the guidelines for the use of Whistlelink that are applicable from time to time and the legislation that applies to the handling of whistle-blowers.
1.4 By entering into this Agreement, the Customer agrees to the security measures set forth in Whistlelink’s current organisational and technical measures [link] as adequate for the Customer’s intended use of Whistlelink.
2. The Processor’s commitment
2.1 The Processor commits to:
- having adequate technical and organizational security and taking the security measures set forth in Whistlelink’s current organisational and technical measures and in Article 32 of the GDPR to protect the data processed under this Agreement, including an appropriate duty of confidentiality imposed the persons at the Processor with the authority to process this data;
- assisting the Customer to comply with the security requirements set out in articles 32-36 of the GDPR (such as technical and organizational measures, notification and information to the Customer without undue delay in personal data breach, impact assessment and prior consultation), and the Customer’s obligations regarding individual rights in Chapter III of GDPR is complied with (such as the right to information, access, correction, deletion, restriction of processing, data portability, objection to automated decision-making);
- giving the Customer the right to receive information from the Processor in order to check and verify measures taken by the Processor in accordance with this agreement. The Processor shall facilitate and contribute to investigations (including inspections) carried out by the Customer or an auditor who carries out such investigations on behalf of the Customer. The Processor shall further refer to the Customer whose personal data is processed, the supervisory authority or another third party who requests information from the Processor concerning the processing of personal data. The Processor shall without delay inform the Customer of any contacts from the supervisory authority that concern or may be of significance for the processing of personal data,
- depending on what the Customer chooses; deleting, anonymising or returning all personal data to the Customer when the Agreement terminates, regardless of the reason for this, including deleting all copies which according to the Data Protection Act must not be saved,
- otherwise providing the Customer with access to such information as is necessary for the Customer to be able to fulfil its obligations as a controller vis-à-vis the supervisory authority and/or individuals,
- not transferring the data to third countries or an international organization unless this is required by the Data Protection Act, whereby the Processor shall immediately inform the Customer, unless such information is prohibited.
2.2 The Processor further undertakes to always process data in accordance with the Data Protection Rules. This includes, but is not limited to, keeping a register of all categories of processes performed, providing a register extract of completed processing at the request of the Customer and informing the Customer immediately if the Processor suspects that there is a risk that the individual’s freedoms and rights are being violated.
3. Sub-processors and transfer to third countries
3.1 Provided that the Processor (i) informs the Controller of its plans in reasonable time in advance, with the right for the Controller to object, the Processor has a general authorisation to hire sub-processors for the processing of data on behalf of the Customer, for which the Processor shall be fully responsible to the Customer.
3.2 Provided that the Processor (i) informs the Controller of its plans at least 30 days in advance, with the right for the Controller to object, and (ii) applies adequate and in accordance with the Data Protection Rules approved security mechanisms, the Processor may transfer Personal Data outside the EU/EEA.
3.3 By entering into this Agreement, the Customer approves the sub-processors stated in section 5. At the time of entering into this Agreement, the Processor does not transfer Personal data to any third country
4.1 The provisions of the Agreement shall also apply to this Processor Agreement. In the event of a conflict between the Agreement and this Processor Agreement, the Processor Agreement shall prevail.
5.1 This section 5 constitutes the Customer’s initial instructions to the Processor and may, subject to section 1.2, be supplemented at a later date.
5.2 Categories of data subjects. Anyone who may be mentioned in a whistleblowing in Whistlelink, including Whistleblower, if Whistleblower wishes not to stay anonymous and a reported person.
5.3.Purpose, nature and object of processing, and Categories personal data. Taking into account the Processor’s main function and purpose of providing Whistlelink and thereby constituting processor specifically for the storage of the Customer Data which may contain personal data, the categories of personal data include all categories of data that may occur in the context of a whistle-blowing, including sensitive data and alleged breaches of law.
5.4 Storage. The Processor stores data in case of Whistleblowing as long as necessary, but for the longest during two years after a Whistleblowing case is closed or such other time that the controller sets the storage to within Whistlelink.
5.5 Sub-processors. As of the conclusion of this Agreement, the Processor has the following sub-processors, which may, however, be amended in accordance with Section 3:
- Sub-processor: Swerolab AB (Sweden), Swerolab SRL (Romania), SMSAPI (Norway), Sendinblue (France), Opswat (Romania), Glesys (Sweden), Elmah (Denmark), Language Wire (Denmark), T-Systems International (Germany)
5.6 Third country transfers. As of the conclusion of this Agreement, the Processor has no transfers outside the EU/EEA, which may, however, be amended in accordance with Section 3:
- Transfers outside EU/EEA: none.