Data Processor Agreement
Diplomasafe Data Processor Agreement v1.03
This Data Processor Agreement applies in any relationship between the Customer (Data Controller) and Diplomasafe (Data Processor).
Diplomasafe (hereinafter “Data Processor”)
Customer (hereinafter “Data Controller”)
(together referred to as ”the Parties”)
who have entered into the following processor agreement (hereinafter referred to as ‘the Agreement’):
1.1 The Agreement concerns the processing of Personal Data (see definition under 2.1 below) by the Data Processor on behalf of the Data Controller and in accordance with the Data Controller’s instructions.
1.2 This Agreement is effective from signature of any agreement between the Customer and Diplomasafe.
1.3 The Data Processor shall comply with the safety requirements arising from the Personal Data Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and other national legislation that arises as a result.
2.1 The Data Processor will process the following Personal Data of Data Subjects (also denoted “End Users”):
- E-mail address
- Educational and Course Information
2.2 The Data Processor shall deliver the following services to the Data Controller:
- Issuance and management of digital credentials
When an End User accepts a credential, the responsibility is transferred to Diplomasafe as Data Controller.
2.3 The Data Processor shall only process Personal Data on behalf of the Data Controller necessary to deliver the service described in section 2.2.
2.4 The Data Processor shall only process Personal Data on Data Subjects in the following categories:
- Students of the Data Controller
- Administrators appointed by the Data Controller
3 OBLIGATION OF THE DATA CONTROLLER
3.1 The Data Controller shall ensure that the Personal Data that the Data Processor processes on behalf of the Data Controller is in accordance with good data processing practices, including that the processing is legal, reasonable and necessary in relation to the purposes set by the Data Controller.
3.2 The Data Controller shall ensure that the obligations imposed by law, including – but not limited to – the Data Subjects’ rights in terms of disclosure and security, are complied with by the Data Controller and the Data Processor.
3.3 The Parties are required to inform each other of increased security requirements arising from either legislation or the Data Controller’s internal security rules. If the increased security requirements arising from the Data Controller’s internal security rules entail increased costs for the Data Processor, the Data Processor is entitled to a separate payment for this.
4 DATA PROTECTION
4.1 The Data Processor shall only process Personal Data on behalf of and under documented instructions from the Data Controller.
4.2 The Data Processor shall inform the Data Controller without undue delay if an instruction, in the Data Processor’s opinion, is in violation of applicable legislation.
4.3 The Data Processor shall not process Personal Data for the Data Processor’s own or third parties’ purposes unless instructed by the Data Controller.
4.4 The Data Processor is obligated, as is the Data Controller, to process Personal Data according to the applicable laws on Personal Data protection.
4.5 The Data Processor is obligated not to transfer Personal Data to any third party without the Data Controller’s written consent unless required by law.
4.6 The Data Processor shall implement appropriate technical and organisational measures to secure Personal Data according to the Data Controller’s instructions.
4.7 The Data Processor shall, as far as possible, assist the Data Controller in complying with the Personal Data Regulation, including ensuring the Data Subjects’ rights under the Personal Data Regulation, including – but not limited to – modification, deletion, blocking or disclosure of Personal Data. The Data Processor shall immediately forward any request from the Data Subjects to the Data Controller. Furthermore, at the request of the Data Controller, the Data Processor shall supply relevant information that may be necessary for the Data Controller to comply with his obligations under the Personal Data Regulation.
4.8 The Data Processor warrants that the Data Processor’s employees who access the Personal Data are sufficiently trained to understand the processing of Personal Data and comply with Personal Data Regulations currently in force.
4.9 The Data Processor shall provide the Data Controller contact details to the person(s) responsible for the data and information security of the Data Processor. If, in accordance with future legislation, the Data Processor is required to designate or otherwise appoint a Data Protection Officer, the Data Processor shall communicate the name and contact details of the Data Protection Officer to the Data Controller.
4.10 The Data Processor shall without undue delay inform the Data Controller of any inspection or other similar action taken by the supervisory authorities.
5 TECHNICAL AND ORGANIZATIONAL SECURITY
5.1 The Data Processor provides the necessary guarantees for the implementation of appropriate technical and organisational measures in such a manner that the processing meets the requirements of Personal Data acts currently in force, including Data Protection provisions under EU law or under national law, and protects the rights of Data Subjects.
5.2 The Data Processor shall at any time organise the processing in such a way that it provides adequate protection of Personal Data, including protection against unauthorised or unlawful processing and accidental loss, alteration or destruction.
5.3 Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller to ensure compliance with the obligations under Articles 32-36 of the Personal Data Regulation.
5.4 The Data Processor’s data security controls are described in the Data Processor’s ISMS documentation.
5.5 The Data Processor may store the Personal Data for 3 months after the termination of the Agreement, or longer if prescribed by law, unless written instructions are given by the Data Controller. Upon termination of the Agreement, the Data Processor shall, at the request of the Data Controller, immediately delete the Personal Data unless national or EU law prescribes the retention of the Personal Data. The Data Processor must ensure that Personal Data cannot be reconstructed. The Data Processor must confirm to the Data Controller in writing, and be able to document, that all Personal Data, including copies thereof, have been destroyed.
5.6 The Data Processor shall ensure that the technical and organisational security systems are implemented and functional at the commencement of processing of the Personal Data, and this must be continuously monitored and secured by the Data Processor. The Data Processor shall inform the Data Controller in writing of any significant change in the physical, organisational, technical or digital security systems of the Data Processor. In the event of any decline in the Data Processor’s data security, the Data Processor shall obtain the Data Manager’s written consent before the change in data security is initiated.
5.7 The Data Processor shall initiate the measures required pursuant to Article 32 of the Personal Data Regulation.
6.1 The Data Processor processes Personal Data on behalf of the Data Controller using the following Subcontractors:
- Amazon Web Services (hereinafter referred to as “AWS”)
- Lab08 Inc. (hereinafter referred to as “Lab08”)
AWS is hosting the system.
AWS address: Amazon Web Services EMEA SAR, 38 Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg
Lab08 Inc. is an EU-based company responsible for the development and DevOps of the system processing Personal Data. Lab08 address: Lab08, Todor Alexandrov 14 blvd, 1303 Sofia, Bulgaria
6.2 The use of AWS is configured such that Personal Data is only processed within the EU.
6.3 If the Data Processor uses any Subcontractor other than the Subcontractors listed in section 6.1 for processing Personal Data on behalf of the Data Controller, the Data Processor shall notify the Data Controller in writing without undue delay. The Data Controller can reject the use of new Subcontractors within 14 days after notification.
6.4 The Data Processor is fully responsible for its obligations related to the Agreement regardless of the use of Subcontractors.
6.5 The Data Processor shall ensure that the Subcontractors are subject to the same data protection obligations as those stipulated in this Agreement or any other legal document between the Data Controller and the Data Processor, including – but not limited to – the Subcontractor providing the necessary guarantees to implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the personal data law currently in force.
7.1 The Data Processor will make available to Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
7.2 The Data Processor shall without undue delay inform the Data Controller if the Data Processor becomes aware of a breach of the Data Processor’s or any Subcontractor’s data security, including in particular – but not limited to – the disclosure of Personal Data to third parties, a third party’s unauthorised access to the Personal Data, security breaches or other manipulation of data processing. In such cases, the Data Processor shall, in cooperation with the Data Controller, initiate any necessary measure to stop and correct the data security breach and prevent future data breaches.
7.3 If the data security breach is due to a public authority’s access to the Personal Data, the Data Processor shall also immediately inform the Data Controller. Furthermore, the Data Processor shall inform the authority concerned that the Personal Data belongs to the Data Controller and that the authority may not transfer or grant access to this data to third parties without prior consent of the Data Controller.
8 TRANSFER TO OTHER COUNTRIES
8.1 The Data Processor’s transfer of Personal Data to countries that are not members of the EU (third countries) can only take place with the Data Controller’s written consent.
8.2 If the Data Controller has consented to a transfer pursuant to section 8.1, it is the responsibility of the Data Processor to ensure compliance with the law currently in force. In case of transfer to third countries, the Data Processor is responsible for ensuring that an adequate level of protection, e.g. an adequacy decision or appropriate safeguards, exists.
9 CHOICE OF LAW
9.1 This Agreement shall be governed by Danish law.
9.2 Any dispute arising out of or in connection with this Agreement, including any disputes regarding existence, validity, or termination, shall be submitted to the City Court of Copenhagen if the dispute cannot be solved by the Parties via negotiation.