Data processing agreement

Data Processing Agreement
with Evovia, standard terms

Agreed conditions for data processing
The Customer who accepts these terms and conditions and Evovia ApS, CVR no. 31285305 (Evovia) have entered into an agreement regarding the Customer's access to and use of Evovia (Subscription Agreement). Evovia is a standard IT service offered by Evovia as a cloud service for organising and conducting EDP interviews, etc.

Evovia will act as Data Processor for the Customer under the stated Subscription Terms, in accordance with the definitions in the General Data Protection Regulation, as Evovia stores and processes personal data in the context of the Evovia cloud service being made available to the Customer. The parties acknowledge that the Data Protection Regulation and the Data Protection Act apply to Evovia's processing of personal data on behalf of the Customer.

The Data Processing Terms are drawn up in order for the parties to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Data Protection Regulation).

The Data Processing Terms will take effect from the time the Customer accepts them, and the Data Processing Terms will replace any earlier data processing agreement concluded between the Parties in relation to the agreed data processing activities under the Agreement.

The Data Processing Terms additionally complement the Subscription Agreement and prevail over conflicting terms.

Data processing agreement
These data processing terms (Data Processing Terms) constitute the Data Processing Agreement between the parties for the processing of the personal data that the Customer entrusts to Evovia and that Evovia has undertaken to process as part of the delivery of the Evovia cloud service.

The Data Processing Terms determine the rights and obligations that apply when Evovia is processing personal data on behalf of the Customer, and the Data Processing Terms specify the security measures that Evovia undertakes.

For those data processing activities that are entrusted to Evovia to perform on behalf of the Customer, Evovia is the data processor in accordance with the applicable data protection rules, while the Customer is either data controller or data processor in accordance with the applicable data protection rules. The parties shall each comply with the obligations imposed on them by the applicable data protection rules and the Data Processing Terms do not release either Evovia or the Customer from such obligations.

Duration
The Data Processing Terms are valid from the time they enter into effect, and until Evovia has deleted the Customer's Data in accordance with these Data Processing Terms. The Data Processing Terms and the Subscription Agreement are interdependent, and the Data Processing Terms, therefore, cannot be terminated separately.

Evovia's special guarantees
Evovia possesses sufficient expertise, reliability and resources to take the necessary measures to comply with the Data Protection Regulation as regards the data processing activities that Evovia undertakes for the Customer by virtue of the Subscription Agreement.

The Customer's special responsibility
The Customer is responsible for complying with the personal data rules in force at any time in relation to the personal data entrusted to Evovia for processing. The Customer is in particular responsible to Evovia for, and warrants, that:

- The Customer has the necessary authority to process, and to entrust to Evovia the processing of, the personal data that is entered into Evovia. In the event that the Customer is Data Processor for the personal data entrusted to Evovia for processing, the Customer warrants to Evovia that the Customer's instructions, as expressed by these Data Processing Terms and the Subscription Agreement, and the use of Evovia (including sub-processors) as a secondary Data Processor are authorised by the Data Controller.

- The instructions according to which Evovia shall process the personal data on behalf of the Customer are lawful. In addition, the Customer is responsible for carrying out the necessary security assessments in relation to the Customer's use of the Evovia cloud service. The Customer declares that, taking into account the current technical level of Evovia, the precautions and measures described in the Data Processing Terms, the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, the Customer considers the security measures implemented by Evovia to be appropriate and to ensure a level of security that matches the identified risks for the data subjects to whom the entrusted data relates.

The nature and purpose of the processing of data
The nature of the agreed data processing, as determined by the parties, is the delivery of a standard cloud service from Evovia to the Customer, in which the Customer's data is stored and through which the Customer may initiate additional processing, such as the generation of statistics performed by Evovia in an automated manner.

In addition, it can be agreed specifically between the parties that the nature of the processing also includes the provision of services that entail processing of the Customer's information.

Evovia will thus process the data provided by the Customer for the agreed purpose of providing the Evovia service to the Customer, including facilitating the agreed functionality as stipulated in the Agreement.

The type of personal data
The entrusted processing of personal data includes those types of information that the Customer enters and imports into the Evovia cloud service. This includes names, e-mail addresses, employees' location in the organisation, information about the immediate manager and any other personal information that the employee and his/her manager enter into the cloud service, e.g. preparatory notes, scores, commented agreements and action plans with deadlines in connection with EDPs, WPAs, etc.

Categories of data subjects
The categories of data subjects comprise the categories of data subjects that the Customer includes in its use of Evovia. Evovia is designed to allow information about the Customer's employees to be entered.

If a customer wishes to use the Evovia feature “360-degree managerial evaluation”, which also includes e.g. contributions from external stakeholders, the categories of data subjects will also include such external stakeholders.

The same will apply if the Customer wishes to use a “Team Dialogue Group” that includes one or more external stakeholders.

Scope of processing activities
Upon the Customer's acceptance of the Data Processing Terms, the Customer instructs Evovia to process the Customer's personal data for the delivery of the Evovia cloud service on the terms specified in the Subscription Agreement and these Data Processing Terms.

The Customer may also issue further written instructions to Evovia for the processing of personal data on behalf of the Customer. Evovia may freely choose to accept or refuse such additional instructions. However, Evovia will always accept an instruction to discontinue further processing, in which case Evovia will delete the Customer's data within the time limits specified in the section on deletion below. Those of Evovia's obligations in the Subscription Agreement that cannot be delivered as a consequence hereof will therefore also cease to apply.

Evovia will comply with those of the Customer's instructions that Evovia has approved, unless processing of the personal data according to the instructions would violate the applicable data protection legislation to which Evovia is subject. In that case, Evovia will inform the Customer about this, unless such notification would also be in violation of applicable law.

Evovia is only allowed to process the Customer's personal data according to the instructions of the Customer, as accepted by Evovia. However, Evovia is required to perform processing activities if this follows from a legal obligation to which Evovia is subject. In this case, Evovia will inform the Customer about this before the processing is performed, unless such notification is illegal.

Duration of processing activities
Evovia will perform data processing of the Customer's personal data for as long as Evovia is required to do so under the Subscription Agreement - typically for as long as the Subscription Agreement is in force - and for a period of time afterwards, until Evovia deletes the Customer's data in accordance with the regulations set forth below in these Data Processing Terms.

Security measures
Evovia implements all measures required by Article 32 in the General Data Protection Regulation, including the implementation of appropriate technical and organisational measures to protect the entrusted personal data against accidental or illegal destruction, loss, alteration, unauthorised disclosure or access to the personal data.

The implemented measures are further described in Evovia’s Description of Implemented Security Measures, April 2022 Version, (Here) which Evovia may continuously update. However, changes in security measures should never lead to a deterioration in the level of security. Updated versions of the Description of implemented security measures are automatically included as part of the Data Processing Terms and replace previous versions.

Notification of personal data breaches
If Evovia becomes aware that there has been a personal data breach in relation to the personal data that the Customer has entrusted to Evovia for processing, Evovia must notify the Customer about this breach without undue delay after Evovia has become aware that a breach has occurred.

Evovia shall, without undue delay after becoming aware of a personal data breach, take reasonable and proportional steps to limit the damage resulting from the breach.

Notification to the Customer shall, if possible, include a description of the circumstances of the breach, the nature of the breach, what steps Evovia has taken or intends to take in order to limit the damage resulting from the breach and which circumstances Evovia believes the Customer should pay particular attention to in connection with the breach.

In the notification, Evovia will provide contact information for Evovia, where further information can be obtained by the Customer.

Notification can be sent by e-mail to the contact address, which Evovia has on file for the Customer.

Evovia's notification of a personal data breach does not constitute a recognition of guilt or liability in relation to a breach of personal data security.

Upon request, Evovia will assist the Customer in ensuring compliance with the Customer's obligations under Article 33 and Article 34 of the General Data Protection Regulation, taking into account the nature of the entrusted processing and the information available to Evovia in relation to a personal data breach that occurs at Evovia.

Using another data processor, sub-processors
By accepting these Data Processing Terms, the Customer grants its general authorisation for Evovia to make use of other data processors (sub-processors) without the Customer’s prior approval. Information about such contracted sub-processors, including their function, and in which country the sub-processor is established, is available at (Here).

When engaging a sub-processor, Evovia ensures that a written agreement is concluded with the sub-processor through which it is ensured that

  1. the necessary guarantees are provided that the sub-processor will implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the General Data Protection Regulation,
  2. the sub-processor is subject to the same data protection obligations as those laid down in these Data Processing Terms, which means that the requirements of Article 28(3) of the General Data Protection Regulation must be complied with, and that
  3. the sub-processor processes the Customer's personal data solely to the extent required to fulfil the delivery obligations accepted by the sub-processor on behalf of Evovia, and that the processing is done in accordance with the agreed instructions.

If a sub-processor does not fulfil its data protection obligations, Evovia remains fully liable to the Customer for the fulfilment of the data processor's data protection obligations.

Evovia may continuously update the list of sub-processors. Updates must be made at least 30 days before any planned addition or replacement of a sub-processor. When updating the list, the Customer is given separate notice hereof, thereby enabling the Customer to object to the planned changes. If the Customer objects to the proposed changes, the Customer may terminate its Subscription Agreement with Evovia with effect either immediately or from the expiry of the calendar month current at the time of notice. It is a requirement for termination under this clause that notice of termination is submitted to Evovia within 30 days after notification of the planned changes has been given to the Customer. Termination of the Subscription Agreement is the Customer's sole remedy in this situation.

Transfers to third countries or international organisations
Unless the Customer gives special instructions to Evovia, the Customer's data may not be transferred to areas outside the EU.

However, Evovia may transfer the Customer's data to a third country or international organisation when required by EU law or the national law of a Member State to which Evovia is subject. In this case, the Customer shall be informed of this legal requirement before the transfer, unless the law in question prohibits such notification on important grounds of public interest.

The Customer's own access to personal data stored in the Evovia cloud service from a location that causes a transfer of personal data to a third country is considered as the Customer's own transfer and is therefore not covered by Evovia's responsibilities or obligations.

Assistance to the Customer
Evovia is required at Customer's written request to provide the Customer with the following assistance:

Evovia assists the Customer, taking the nature of the processing into account, by appropriate technical and organisational measures, insofar as this is possible, in meeting the Customer's obligation to respond to requests to exercise Data Subject rights as set out in Chapter 3 of the General Data Protection Regulation and supplemented by the Data Protection Act. If Evovia receives a request directly from a Data Subject or a potential Data Subject about the exercise of their rights, Evovia immediately passes the inquiry on to the Customer, which then determines whether Evovia's assistance is required.

Evovia also assists the Customer in ensuring compliance with the Customer's obligations pursuant to Article 32-36 of the General Data Protection Regulation, taking into account the nature of the entrusted processing activities and the information available to Evovia.

Evovia is entitled to a separate fee for the assistance provided in fulfilling the Customer's requests under this item "Assistance to the Customer". However, as regards assistance in fulfilling the Customer's obligations under Articles 33 and 34 of the General Data Protection Regulation, Evovia has no claim for compensation for the fulfilment of Evovia's own obligations under the item "Notification of personal data breaches".

Any fee under this clause is calculated on the basis of the time spent by Evovia and follows Evovia's regular hourly rate for such work. The current prices can be found (Here).

Responsibility and limitation of liability
For compensation and other claims payable to a Data Subject as a result of unlawful processing of personal data, Article 82 of the General Data Protection Regulation and section 40 of the Data Protection Act apply. In the relationship between the parties, each party is thus liable for the portion of such amounts that corresponds to that party's share of liability for the damage. If necessary, the distribution of liability shall be determined by judicial review.

Each party is liable for fines and other penalties imposed on that party as a result of unlawful processing of personal data, without any right of recourse against the other party.

Evovia's keeping of records
Evovia is required to keep records of the categories of processing activities performed on behalf of the Customer in accordance with Article 30 of the General Data Protection Regulation. The Customer is required to provide Evovia with the name and contact information of the Customer's representative and Data Protection Officer, and to keep such information updated, so that the records can be properly kept by Evovia.

Commitment to confidentiality
Evovia must ensure that the persons authorised by Evovia to process the Customer's personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. Evovia, and anyone who performs work on behalf of Evovia and who has access to the Customer's personal data, may process this data only according to the Customer's instructions, unless otherwise required by legal regulation to which Evovia is subject.

Evovia may only authorise persons for whom access to the personal data is necessary in order to fulfil Evovia's obligations to the Customer. Evovia must continuously review authorisations and close accesses when authorisations expire or are terminated.

Inspection and auditing
Evovia makes available to the Customer all information necessary to demonstrate compliance with the requirements of Article 28 of the General Data Protection Regulation and the requirements on Evovia stipulated by these Data Processing Terms. As part hereof, Evovia provides the opportunity for, and contributes to, audits, including inspections made by the Customer or by another auditor authorised by the Customer.

Once a year, Evovia's auditor Deloitte reviews the security setup and issues a statement of assurance, which Evovia makes available to the Customer on the website.

The Customer may request a physical inspection at Evovia. Requests must be submitted in writing to Evovia, indicating what the Customer wishes to include in the inspection. The parties then agree on the circumstances and scope of the inspection, including the date of inspection and the form of reporting.

Inspection can only be carried out by a person who submits to Evovia's general security measures and who accepts a confidentiality undertaking directly towards Evovia.

Evovia may raise objections to a designated person for inspection if the designated person is not suitable or qualified for the purpose of the inspection, including the person (1) not being independent, (2) being a direct competitor of Evovia or (3) being for other reasons obviously unsuitable for carrying out the task.

If Evovia raises an objection to the designated person, the Customer may designate another person to carry out the inspection.

Auditing of sub-processors used by Evovia is done through Evovia. However, the Customer may choose to initiate and participate in a physical inspection also at the sub-processor. Audits must be carried out in compliance with the sub-processors' terms of inspection.

Any expenses incurred by Evovia or the sub-processor in connection with a physical audit or inspection shall be borne by the Customer. Evovia and any sub-processor are also entitled to a fee for the time spent on the inspection, based on the current price list (Here).

Regarding this clause concerning "Inspection and auditing", Evovia shall promptly inform the Customer if Evovia considers an instruction to be in violation of the General Data Protection Regulation or other applicable data protection legislation to which Evovia is subject.

Deletion and return of the Customer's data
At the Customer's choice, Evovia deletes or returns all personal data to the Customer after the termination of the services, usually the termination of the Subscription Agreement, and Evovia deletes existing copies unless Evovia is subject to a legal obligation requiring Evovia to keep the personal data.

Evovia carries out the Customer's instructions to delete or return the Customer's data in accordance with the General Data Protection Regulation and as quickly as practicable. By default, Evovia deletes customer data from the operating environment 14 days after the Subscription Agreement has expired. The Customer hereby agrees that the Customer's data is included in a 90-day backup procedure, after which all copies of the Customer's data are deleted.

Changes to the data processing terms
Evovia can change these Data Processing Terms with 90 days' notice. Information about planned changes will be forwarded to the Customer. If the Customer does not wish to accept the notified changes, the Customer may terminate its Subscription Agreement. The Customer has no other remedies as a consequence of changes to the Data Processing Terms.

Any change will always ensure that the minimum requirements in force at any given time under the personal data rules for the content of a data processing agreement, currently Article 28 of the GDPR, are met after the change.

Evovia's contact information
Customer inquiries to Evovia concerning data protection, including requests for audits and inspections, must be forwarded to:

Evovia ApS
INCUBA, Åbogade 15
DK-8200 Aarhus N
E-mail: support@evovia.com
Attention: CEO, managing director
Tel.: +45 8675 1242

Record keeping obligation of the Parties
Evovia and the Customer are each required to electronically retain a version of these Data Processing Terms and the Subscription Agreement, which stipulates the additional agreed instructions and any other information relevant to or supplementing these Data Processing Terms.

Version, August 2020

FAQ, Frequently asked questions

Notification of breach of personal data protection to the supervisory authority

Question:
Some have asked us whether we could set a fixed deadline, so that we, as Data Processor, report personal data breaches within a maximum of 24 hours. Currently the wording is "without undue delay".

Answer:
No, we neither can nor will. The request rests on a misreading of Article 33 of the General Data Protection Regulation itself (see below). The data processor must report without undue delay, and data controllers must report within 72 hours, but the two time frames are not nested; each has its own sphere. Data controllers have 72 hours from the moment the data processor has informed them!

The position is as follows:

  • If there is a personal data breach, we have the following responsibility as data processor:
  • "The processor shall notify the controller without undue delay after becoming aware of a personal data breach" (Article 33(2)).
  • "Without undue delay" really means as soon as possible! But the data processor must also make sure not to disturb customers unnecessarily, so the data processor must first establish the facts. That takes place as soon as possible, and without undue delay.
  • Then, when the customer (the data controller) has been notified by the data processor, the customer has 72 hours to fulfil its own obligation.
  • It is, of course, in everyone's interest that this is done as soon as possible! Or: without undue delay, as Article 33 says!

Here is the text: the EU General Data Protection Regulation, Article 33

Notification of breach of personal data protection to the supervisory authority.

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:
    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Research collaboration with Aarhus University - with 100% anonymous data made available?

Question:
Is there shared data responsibility with Evovia, since Evovia itself processes data by, for example, sending anonymous data for research at Aarhus University?

Answer:
No, not at all.

The Subscription Terms and Conditions of Business state the following:

Evovia reserves the right, in collaboration with university researchers, to use statistical data in 100% anonymised form for scientific purposes. This is an option that we have always included in our terms of business, and it follows these principles:

Evovia makes a data extract that is 100% anonymous and cannot identify a particular customer or group, as data extracts are selected only on the following parameters:

  1. Leader's gender
  2. Employee's gender
  3. Leader's span of control (number of employees reporting directly to the leader)
  4. Public or private organisation
  5. Main geographical categories
  6. Some overall industry segments, only where there is a critical mass of customers so that anonymity can be maintained.

If a customer does not wish to be included in such a benchmark, it can be exempted by contacting Evovia. The customer will then neither participate in nor be able to make use of this benchmark.

The short answer is then:

  • No, there is no question of shared responsibility here.
  • The customer is responsible for what it enters, and for what it uses the statistics, graphs and reports that can be extracted from the system for, and how.
  • Evovia is responsible for how data is stored and made available to the customer, including in statistics and reports, and for ensuring that this complies with the legislation.
  • As for 100% anonymous data for research purposes at Aarhus University: we make nothing available beyond what can be extracted as statistics and reports, and only in 100% anonymous form! We have recently added some geography and overall industry plus male/female leader, and here we use a single research program that "guesses" gender from the first name, with the risk that "Inge" is a boy's name in Norway while it is a girl's name in Denmark!
  • And finally, any customer may, upon request, opt out of participating in and making use of such benchmark data.

Warranties - in case of security breach

Question:
Something is missing, especially in the "Reporting of security breaches" section. Evovia does not provide any contractual assurance that we are able to meet the 72-hour requirement in relation to a data breach at Evovia, as Evovia does not guarantee the information that Articles 33 and 34 require.

Answer:
No, nothing is missing. Both parts are clearly covered, and Evovia provides the necessary guarantees.

Please be aware that the data controller's deadline of a maximum of 72 hours only starts to run from the notification received from the data processor. Since the data processor must notify without undue delay, and since the data processor merely has to establish that a breach has occurred, in practice this leaves very limited room for delay between the data processor becoming aware of the breach and notification being given.

It follows from Evovia's data processing agreement that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.

The necessary guarantees that Evovia assists the data controller in fulfilling its obligations are therefore in place.

Additional documentation:
The report states on page 496 that:

As stated in the wording of the provision, the data controller's obligation to report a personal data breach to the supervisory authority is triggered after the data controller has become aware of a breach of personal data security. A mere presumption that a breach of personal data security has occurred, or a mere detection of an incident, is not considered sufficient to regard a breach of personal data security as having "occurred" within the meaning of the Regulation. Such a presumption may, however, cause the data controller to consider the security of processing, cf. Article 32 of the Regulation.

In assessing whether a breach has occurred, it must be assumed that particular weight should be given to whether the information referred to in Article 33(3) of the Regulation is available to the provider.

And on page 497:

As regards the cases where the data controller has left the processing of personal data to a data processor, reference is made to Article 33(2) of the Regulation, which is discussed in more detail below.

The Ministry of Justice's Executive Order therefore does not link the data controller's deadline and the data processor's deadline together.

These sections are repeated in the guidance issued by the Data Inspectorate on breaches of personal data security.

The Article 29 Working Party has stated in its WP250 guidelines on personal data breach notification, page 13:

Article 33(2) makes it clear that if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller “without undue delay”. It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller. The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as “aware” once the processor has informed it of the breach. The obligation on the processor to notify its controller allows the controller to address the breach and to determine whether or not it is required to notify the supervisory authority in accordance with Article 33(1) and the affected individuals in accordance with Article 34(1). The controller might also want to investigate the breach, as the processor might not be in a position to know all the relevant facts relating to the matter, for example, if a copy or backup of personal data destroyed or lost by the processor is still held by the controller. This may affect whether the controller would then need to notify.

Regardless of what the Data Inspectorate says in its presentation on data processing agreements, the data controller's deadline under Article 33(1) runs only from the point at which it receives the notification from the data processor. Since the data processor must notify without undue delay, and since the data processor only has to establish that a breach has occurred (not assess the resulting risk), in practice there is very little room for delay between the data processor becoming aware of the breach and notifying the data controller.

It also follows that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.

The Data Processing Terms therefore clearly contain the necessary guarantees that Evovia will assist the data controller in fulfilling these obligations.

Approval of the Data Processing Agreement


Question:
Where and how do you approve the Data Processing Agreement?

Answer:

  • As soon as you, as a manager in the organisation (or someone delegated at top level), log in to Evovia, the Data Processing Agreement is presented and you cannot proceed until one of you has approved it.
  • If you have not had time to read the Data Processing Agreement, please accept it anyway; you then have until 14 May 2018 to come back to us on the Data Processing Terms. Unless we have heard from the customer in writing by 14 May 2018, the approval stands.
  • Within a few seconds of approval you will receive an email with a PDF of the entire Data Processing Agreement attached, with your company name filled in and the date and signature of Evovia's director stamped on it.
Instructions from the Data Controller to the Data Processor


Question:
Article 28(3)(a) of the Regulation states that the data processor may only process personal data on documented instructions from the data controller. What does that mean? Should there be a separate document for this?

Answer:
No, that is not necessary, because we cannot foresee every conceivable situation; but when an instruction is given, it must be documented or documentable.

A concrete example: if a manager or employee has a technical problem in a dialogue questionnaire and contacts Support for help, and Support cannot solve the problem without access to the questionnaire, Support can only get that access if the manager or employee goes into his or her own profile and grants Support access by ticking a box, which can be unticked again as soon as the problem is solved. That instruction is thereby "documented" in the system: the grant is given by the user concerned, is limited to the time it is needed, and is recorded.

The general instruction is contained in the "Scope of Processing Activities" section of the terms, which states that on accepting the Data Processing Terms, the Customer instructs Evovia to process the Customer's personal data for the delivery of the Evovia cloud service on the terms set out in the Subscription Agreement and these Data Processing Terms.

The Data Processing Terms also contain a section on the nature and purpose of the processing, which states among other things: "In addition, the parties may agree that the nature of the processing also includes the provision of services that entail processing of the Customer's data." This points to the possibility that the Customer can instruct Evovia to handle, for example, an anonymous well-being survey for the Customer. In that case the Data Processor acts on a clear instruction from the Data Controller in the given situation.

That is how it should be understood.

Employee Folders: how long should data on former employees remain available?


Question:
Evovia's Data Processing Agreement states that when an employee is deleted in the Customer's system, the employee is deleted after 14 days, while entered data, agreements and scores are kept in the manager's archive for 5 years. Are the 5 years lawful?

Answer:
Yes. Under the Data Inspectorate's practice it is lawful to keep personnel records for 5 years or more, and the manager's archive is accessible only to the manager in question; it is to be regarded as an "extended feature" of the Employee Folder.

Risk assessment - as a basis for the security level


Question:
What risk assessment is the security level of the system based on? And does it take into account that the system may potentially contain health data?

Answer:
The risk assessment covers the sources of risk, the vulnerabilities that may exist in the system, and how this threat picture could lead to an event that qualifies as a personal data breach as defined in Article 4(12) of the Regulation. The likelihood and severity of a breach are then assessed to determine the overall risk picture.

Evovia gives users clear instructions that there is no need to enter health data into the system. Evovia is not a medical record system, but it can be used for a good dialogue about what causes and reduces absenteeism. It is a dialogue system.

Return and deletion of data if Evovia no longer exists


Question:
How is data returned or deleted if Evovia goes bankrupt, and who is the beneficiary?

Answer:
If Evovia goes bankrupt, a trustee will be appointed to administer the estate. The trustee (the bankruptcy estate) steps into Evovia's place and has an inherent interest in returning or deleting the data.

Fines and limitation of liability


Question:
If the authority issuing a fine determines a division of responsibility, is that division followed, or is it decided internally between the parties? The limitation of liability is not entirely clear.

Answer:
As a starting point, the division of responsibility set out in the fine under Article 83 is followed, which would also be consistent with the principles of Article 82. To the extent that a party, with reference to the guarantees etc. contained in the agreement, considers that the final division of responsibility should be different, this may be pursued, but in that case it will ultimately be for a court to decide.

Sub-processors: can the customer get access to read the agreements with them?


Question:
Is it possible to get access to read the sub-processor agreements?

Answer:
As a rule, no. In connection with the Customer's supervision of Evovia, Evovia may choose to show those parts of the sub-processor agreements that do not contain commercial terms or technical specifications whose disclosure could compromise overall security. In addition, Evovia issues management statements and, to a certain extent, assurance statements regarding the sub-processor agreements, which are integrated into the annual assurance report (from Deloitte).

Signature of the Data Processing Agreement: Should it be signed physically?


Question:
Should there be a physical signature of the Data Processing Agreement?

Answer:

  • No, it is not necessary.
  • We can document who in the company has accepted, and when.
  • That is sufficient.
  • At the same time as a customer accepts the Data Processing Agreement in our system, the customer receives an email with a PDF of the entire agreement, with the company's name and the date and signature of the Executive Board at Musskema.dk stamped on it.
  • See also: Approval of the Data Processing Agreement
Statement of Assurance - Why ISAE 3000?


Question:
Why ISAE 3000?

Answer:
Together with Deloitte, Evovia has chosen ISAE 3000 as the best and most comprehensive international standard for our area. Individual customers can see the latest report on their profile. It is updated annually.

The main difference between ISAE 3000 and similar standards such as ISAE 3402 is that ISAE 3402 applies when the report and the controls it covers relate to financial reporting. If Evovia's product were, for example, to host Axapta, the report would be used by our customers' auditors in auditing our customers' accounts, and in that case it would have to be an ISAE 3402.

But that is not how our product works.

ISAE 3000 can be used for anything other than financial reporting, including, for example, reporting on the controls over personal data that Deloitte has tested with us. In general it can be used for anything that does not process financial information, e.g. service desk systems, portals, etc.

That said, there are overlaps in the controls. Area B of our report covers general IT controls, which would often also be covered by an ISAE 3402 report. An ISAE 3402 report will often contain even more IT controls, but it will not cover personal data.

Which type of report must be provided depends on the service. If our customers want a report on whether Evovia complies with the data processing agreement and protects the customers' personal data, ISAE 3000 is the right one. If we were a data centre, or otherwise ran the customers' IT systems, ISAE 3402 might be better.

That is why we have chosen ISAE 3000.

Consent to extract anonymous graphical data


Question:
Should employees give consent for anonymous graphical data to be extracted?

Answer:
No, the employee does not need to, and the employee cannot demand it either.

There is no legal basis for such a demand.

Since anonymisation is possible, statistical information can be extracted as long as the person cannot be identified from the information.

“To the extent that […] employee development interviews are held in the private labour market, ordinary information may be processed with consent or on the basis of Article 6(2). In the case of sensitive information, it may, as a starting point, only be processed with the express consent of the employee. However, it may also be a matter of processing the information for other purposes, e.g. Article 9(2)(f) of the Regulation (establishment etc. of legal claims).”

The company can therefore process personal data in connection with EDP on the basis of a balancing of interests.

It will therefore not, as a starting point, be consent-based processing, or processing that can only take place on the basis of consent.

Lawyers have discussed the production of statistical information from personal data. One view is that anonymisation of personal data is not processing at all, since treating it as such would make no sense in relation to the storage limitation principle in Article 5 of the Regulation. The Regulation states directly in its recitals (Recital 26) that the processing of anonymised data falls outside its scope. (Peter Blume has argued this view.)

Other lawyers hold that anonymisation always falls within the scope of the original processing, since it in turn supports the storage limitation principle.

Finally, other lawyers find that anonymisation is always compatible with the original purpose, and that the processing can therefore take place.

Evovia has generally recommended the first two of these views.
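The answer above rests on the statistics being genuinely anonymous, i.e. no employee can be identified from the extracted figures. In practice the point where that breaks is small groups: a departmental average computed over one or two people is that person's score. The following is an added example, not Evovia's code, of the check a practitioner would want in front of any such extraction. It assumes a constructed list of questionnaire answers with a department and a 1 to 5 score, and a minimum group size (MIN_GROUP) below which a group is never reported; both the data and the threshold are assumptions for illustration.

```python
"""Aggregate questionnaire scores into anonymous statistics.

Added example (not Evovia's code). The answers, the department names and
the MIN_GROUP threshold are constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean

MIN_GROUP = 5  # assumed threshold: groups smaller than this are never reported

# Constructed sample answers (not real data): one record per employee answer.
ANSWERS = [
    {"department": "Sales", "score": 4},
    {"department": "Sales", "score": 5},
    {"department": "Sales", "score": 3},
    {"department": "Sales", "score": 4},
    {"department": "Sales", "score": 4},
    {"department": "Support", "score": 2},
    {"department": "Support", "score": 3},
    {"department": "Support", "score": 3},
    {"department": "Support", "score": 4},
    {"department": "Support", "score": 3},
    {"department": "Support", "score": 5},
    {"department": "Finance", "score": 5},
    {"department": "Finance", "score": 1},
    {"department": "IT", "score": 3},
    {"department": "IT", "score": 4},
]


def _summary(scores):
    """Count and mean score for one reportable group."""
    return {"n": len(scores), "mean": round(mean(scores), 2)}


def aggregate(answers, min_group=MIN_GROUP):
    """Return per-department statistics with small groups suppressed.

    Groups with fewer than min_group answers are not reported individually.
    Their answers are pooled into an "Other" group only if the pool itself
    reaches min_group; otherwise they are left out entirely, and no overall
    figure is published either, because overall minus the reported groups
    would reveal the suppressed answers by subtraction.
    """
    if not answers:
        return {"groups": {}, "suppressed": [], "overall": None}

    groups = defaultdict(list)
    for a in answers:
        groups[a["department"]].append(a["score"])

    report, suppressed, pooled = {}, [], []
    for dept in sorted(groups):
        scores = groups[dept]
        if len(scores) >= min_group:
            report[dept] = _summary(scores)
        else:
            suppressed.append(dept)
            pooled.extend(scores)

    if pooled and len(pooled) >= min_group:
        report["Other"] = _summary(pooled)
        pooled = []  # every answer is now represented in a published group

    # An overall figure is safe only when no answers are left unrepresented.
    overall = _summary([a["score"] for a in answers]) if not pooled else None
    return {"groups": report, "suppressed": suppressed, "overall": overall}


if __name__ == "__main__":
    print(aggregate(ANSWERS))
    print(aggregate(ANSWERS, min_group=3))
```

With the sample data and the default threshold, Finance and IT (two answers each) are suppressed, and because only four answers are left over, neither an "Other" group nor an overall average is published. Lowering the threshold to 3 makes the pooled remainder large enough to publish as "Other", and the overall figure then becomes safe as well. The threshold itself is a policy choice for the data controller; the example only shows where the check belongs.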