For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)
Name: CVR: Address: Postcode and city: Country: (the data controller)
NaviPartner ApSCVR 21382191Titangade 16DK-2200 CopenhagenDenmark(the data processor)
each a 'party'; together 'the parties'
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.
Appendix A Information about the processing. Appendix B Authorised sub-processors. Appendix C Instruction pertaining to the use of personal data. Appendix D The parties' terms of agreement on other subjects.
a) Pseudonymisation and encryption of personal data;
b) the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
a) transfer personal data to a data controller or a data processor in a third country or in an international organization
b) transfer the processing of personal data to a sub-processor in a third country
c) have the personal data processed in by the data processor in a third country
a) the right to be informed when collecting personal data from the data subject
b) the right to be informed when personal data have not been obtained from the data subject
c) the right of access by the data subject
d) the right to rectification
e) the right to erasure ('the right to be forgotten')
f) the right to restriction of processing
g) notification obligation regarding rectification or erasure of personal data or restriction of processing
h) the right to data portability
i) the right to object
j) the right not to be subject to a decision based solely on automated processing, including profiling
a) The data controller's obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, The Danish Data Protection Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b) the data controller's obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c) the data controller's obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d) the data controller's obligation to consult the competent supervisory authority, The Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
a) The nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) the likely consequences of the personal data breach;
c) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
A.1. The purpose of the data processor's processing of personal data on behalf of the data controller is:
A.2. The data processor's processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
A.3. The processing includes the following types of personal data about data subjects:
A.4. Processing includes the following categories of data subject:
A.5. The data processor's processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
B.1. Approved sub-processors
On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors:
VAT / company Id
DESCRIPTION OF PROCESSING
NaviPartner Mauritius LTD
Block 2, Clarens Fields, Medine Business Park,Black River Road, Bambous, Mauritius
Adjustment, development and support of NaviPartner Software Solutions and associated supplementary systems
NaviPartner Serbia d.o.o.
Heroja Milana Tepica 1311040 Beograd,Serbia
Iron Mountain A/S
Stamholmen 165, DK-2650 Hvidovre, Denmark
Storage/archiving and courier services of tape backup media
Jens Kofods Gade 1, DK-1268, Copenhagen, Denmark
Audit of controls and processes necessary for Data Processor's ISAE-3402 statement
Lautrupparken 40-42, DK-2750, Ballerup, Denmark
Electronic documents, invoices, orders etc. are sent to KMD. KMD distributes the documents to receivers on the VAN network
Kneza Miloša 42, 32000 Čačak, Serbia
Milana Rakića 47/11, 11050 Belgrade, Serbia
Branislava Nušića 41, 22320 Inđija, Serbia
Borisa Kidriča 53, 31200 Šodolovci, Croatia
Ivana Trnskog 17 10000 Zagreb, Croatia
Wesley Alexander JacobsPrivate
48 Batis Street, 7550 Cape Town, Western Cape, South Africa
Emard Consulting SRL
Str. Almasului Nr.1, Almas, Neamt, Romania
Bidu Andreea Persoana Fizica Autorizata
B-dul Bucureștii Noi, 136, et. Parter, ap. 5, Romania
Lungu Andrei-Ovidiu Persoana Fizica Autorizata
Strada Ion Heliade Radulescu, Nr. 37, Campina, 105600, Romania.
Matei Alin-Mihai Persoana Fizica Autorizata
Salciei 25, Rasnov, Brasov, Romania
Sapera Claudiu Persoana Fizica Autorizata
Paul Greceanu no. 11, 020105 Bucharest, Romania
Horvaćanska cesta 31B,10000 Zagreb, Croatia
Ariana Suisse SA
24 Route De La Chaniaz, 1807, Blonay, Switzerland
Sannes Consulting AB
Spaljevägen 9, 197 36 Bro, Sweden
Rruga 'Arkitekt Sinani', Nd24, Hy.5, Tirana, Albania
HAAL Systems d.o.o.
Halilovići 12, 71000, Sarajevo, Bosnia-Hercegovina
Mali Kiseljak 25E, Blazuj, 71215, Bosnia-Hercegovina
Behdžeta Mutevelića 2B, 71000, Sarajevo,Bosnia-Hercegovina
Poděbradova 584, 664 42 Modřice, Czechia
* The sub-processor is considered full-time employee and work solely for NaviPartner ApS Denmark.Their constallation as unique legal enteties are purely for invoicing purposes.The sub-processor handles adjustment, development and support of NaviPartner Software Solutions and associated supplementary systems.
The data controller shall on the commencement of the Clauses authorise the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller's explicit written authorisation – to engage a sub-processor for a 'different' processing than the one which has been agreed upon or have another sub-processor perform the described processing.
C.1. The subject of/instruction for the processing
The data processor's processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:
C.2. Security of processing
The level of security shall take into account:
That the processing involves a large volume of data subjects which heightens the profit for criminals abusing the information for e.g., identity theft, and that the processing involves consolidation of data sets along with profiling of data subjects.
The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security. The data processor undertakes to be checked by an external audit firm annually according to the ISAE-3402 standard. The check must be completed in an ISAE-3402 statement which the Data Processor makes available to the data controller.
C.3. Assistance to the data controller
The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:
Upon receiving any requests from data subjects or third parties, concerning the processing of data, without undue delay inform data controller of those requests. The data processer shall refrain from having direct dialogue with the data subjects regarding the processing of data.
Upon expectation of any data breach remain available and assist the data controller in investigation, notifying supervisory authority and obtaining information.
C.4. Storage period/erasure procedures
Personal data is available during the complete time period of the contract after which access to all personal data is revoked by the data controller.
Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 11.1., unless the data controller – after the signature of the contract – has modified the data controller's original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the Clauses.
C.5. Processing location
Processing of the personal data under the Clauses cannot be performed at other locations than the following without the data controller's prior written authorisation:
C.6. Instruction on the transfer of personal data to third countries
The data controller authorizes that the data processor can transfer personal information to third countries with the following instructions for processing: Adjustment, development and support of NaviPartner Software Solutions and associated supplementary systems.
The legal basis for the transfer is the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
C.7. Procedures for the data controller's audits, including inspections, of the processing of personal data being performed by the data processor
The Data Processor shall annually obtain a safety audit report from an independent third party living up to recognized auditing standards. The parties agree to the standard audit statement being used is: ISAE 3402.
The Data Processor submits the statement of assurance to be used by the Data Controller as soon as possible after collection.
The data controller also has the opportunity to supervise, including physical supervision, at the data processor, when the data controller assesses a need for this. The data controller must provide the data processor with a notice of at least 30 days in such connection. The data controller is obliged to hold the possible expenses incurred in connection with an audit.
C.8. Procedures for the data controller's audits, including inspections, of the processing of personal data being performed by the data processor
The data processor shall annually obtain an evaluation report, appropriate to the type of data processing, or do a carry out a physical inspection, of sub-processor´s. If a sub-processor is unable to present the above approved statement of assurance, the data processor or a representative of the data processor must carry out a physical inspection of compliance with the Clauses with the sub-processors.
In addition to planned inspection, the Data Processor shall be entitled to inspect the Sub-Processor when the Data Processor (or the Data Controller) deems that this is required.
Documentation for evaluation reports and inspections shall without delay be submitted to the data controller for information.
If the data controller finds it necessary with additional security measures, a detailed description must be sent to the data processors e-mail address email@example.com, cf. section 6 on treatment safety. Then the data processor will decide whether these wishes can be met and at what price.
The data controller may request the assistance of the data processor to assist with technical and organizational measures in relation to the areas described in section 9. The price of this request is settled according to hours spent, where the price per hour is bases on the applicable list prices unless another agreement has been signed.
The data processor is willing to, at the request of the data controller, make changes to the Clauses. The price of this request is settled according to hours spent, where the price per hour is bases on the applicable list prices unless another agreement has been signed.
Leave this empty:
Your legal name
Your email address
Signed by Mark Stewart Pedersen
Signed On: 29. May 2023
If you have questions about the contents of this document, you can email the document owner.
Document Name: NaviPartner’s Data Processing Agreement
Agree & Sign