Agreed conditions for data processing
The customer who accepts these terms and conditions and Evovia ApS, CVR no. 31285305 (Evovia) have entered into an agreement regarding the Customer's access to and use of Evovia (Subscription Agreement). Evovia is a standard IT service offered by Evovia as a cloud service for organising and conducting EDP interviews, etc.
Evovia will act as Data Processor for the Customer under the stated Subscription Terms, in accordance with the definitions in the General Data Protection Regulation, as Evovia stores and processes personal information in the context of the Evovia cloud service being made available to the Customer. The parties acknowledge that the Data Protection Regulation and Data Protection Act apply to Evovia's processing of personal data on behalf of the Customer.
The data processing terms are drawn up in order for the parties to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Data Protection Regulation).
The Data Processing Terms will take effect from the time the Customer accepts them, and the Data Processing Terms will replace any earlier data processing agreement concluded between the Parties in relation to the agreed data processing activities under the Agreement.
The Data Processing Terms additionally complement the Subscription Agreement and prevail over conflicting terms.
Data processing agreement
These data processing terms (Data Processing Terms) constitute the Data Processing Agreement between the parties for the processing of personal data as entrusted by the Customer, and which Evovia has undertaken to do as part of the delivery of Evovia cloud services.
The Data Processing Terms determine the rights and obligations that apply when Evovia is processing personal data on behalf of the Customer, and the Data Processing Terms specify the security measures that Evovia undertakes.
For those data processing activities that are entrusted to Evovia to perform on behalf of the Customer, Evovia is the data processor in accordance with the applicable data protection rules, while the Customer is either data controller or data processor in accordance with the applicable data protection rules. The parties shall each comply with the obligations imposed on them by the applicable data protection rules and the Data Processing Terms do not release either Evovia or the Customer from such obligations.
The Data Processing Terms are valid from the time they enter into effect, and until Evovia has deleted the Customer's Data in accordance with these Data Processing Terms. The Data Processing Terms and the Subscription Agreement are interdependent, and the Data Processing Terms, therefore, cannot be terminated separately.
Evovia's special guarantees
Evovia possesses sufficient expertise, reliability and resources to take the necessary measures to comply with the Data Protection Regulation as regards the data processing activities that Evovia undertakes for the Customer by virtue of the Subscription Agreement.
The Customer's special responsibility
The customer is responsible for complying with the applicable personal data rules currently in force in relation to the personal data entrusted to Evovia's processing. The customer is in particular responsible to Evovia for and warrants that:
- The customer has the necessary authority to process and to entrust it to Evovia to process the personal information that is entered into Evovia. In the event that the Customer is Data Processor for the personal data that is entrusted to Evovia's processing, the Customer warrants to Evovia that the Customer's instructions as expressed by these Data Processing Terms and the Subscription Agreement and the use of Evovia including Sub Data Processors as a secondary Data Processor is authorised by the Data Controller.
- The instructions according to which Evovia shall process the personal data on behalf of the Customer are legal. In addition, the Customer is responsible for carrying out necessary safety assessments in relation to the Customer's use of the Evovia cloud service, including the Customer declaring that, in view of the current technical level of Evovia and in Evovia as a whole in relation to the described precautions and measures in the Data Processing Terms, state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to natural persons' rights and freedoms, the Customer considers the safety measures implemented by Evovia to be appropriate and that they ensure a level of security that matches the identified risks for the registered persons to whom the entrusted information relates.
The nature and purpose of the processing of data
The nature of the agreed data processing, determined by the parties, is the delivery of a standard cloud service from Evovia to the Customer, in which the Customer's data is stored, and through which the Customer may initiate additional processing, such as, for example, the generation of statistics done by Evovia in an automated manner.
In addition, it can be agreed specifically between the parties that the nature of the processing also includes the provision of services that entail processing of the Customer's information.
Evovia will thus process the information provided by the Customer with the agreed purpose of providing the Evovia service to the Customer, including facilitating the agreed functionality as stipulated in the Agreement.
The type of personal data
The entrusted processing of personal data includes those types of information that the Customer enters and imports into the Evovia cloud service. This includes names, e-mail addresses, employees' location in the organisation, information about the immediate manager and any other personal information that the employee and his/her manager enter into the cloud service, e.g. preparatory notes, scores, commented agreements and action plans with deadlines in connection with EDPs, WPAs, etc.
Categories of data subjects
The categories of data subjects comprise the categories of data subjects that the Customer includes in the use of Evovia. Evovia is designed to allow for typing in information about the Customer's employees.
If a customer wishes to use the Evovia feature “360-degree managerial evaluation”, which also includes e.g. contributions from external stakeholders, the categories of data subjects will also include such external stakeholders.
The same will apply if the Customer wishes to use a “Team Dialogue Group” that includes one or more external stakeholders.
Scope of processing activities
Upon the Customer's acceptance of the Data Processing Terms, the Customer instructs Evovia to process the Customer's personal data for the delivery of the Evovia cloud service on the terms specified in the Subscription Agreement and these Data Processing Terms.
Also, the Customer may request that Evovia receives further written instructions for processing personal data for the Customer. Evovia may freely choose to accept or refuse such additional instructions. However, Evovia will always accept an instruction to discontinue further processing, in which case Evovia will delete the Customer's data within the time limits specified in the data deletion section below. Evovia's obligations in the Subscription Agreement, which cannot be delivered as a consequence hereof, will therefore also cease to apply.
Evovia will comply with those of the Customer's instructions, which Evovia has approved unless processing of the personal data according to the instructions will violate the applicable data protection legislation to which Evovia is subject. In this case, Evovia will inform the Customer about this, unless such notification will also be in violation of applicable law.
Evovia is only allowed to process the Customer's personal data according to the instructions of the Customer, as accepted by Evovia. However, Evovia is required to perform processing activities if this follows from a legal obligation to which Evovia is subject. In this case, Evovia will inform the Customer about this before the processing is performed, unless such notification is illegal.
Duration of processing activities
Evovia will perform data processing of the Customer's personal data for as long as Evovia is required to do so under the Subscription Agreement - typically for as long as the Subscription Agreement is in force - and for a period of time afterwards, until Evovia deletes the Customer's data in accordance with the regulations set forth below in these Data Processing Terms.
Evovia implements all measures required by Article 32 in the General Data Protection Regulation, including the implementation of appropriate technical and organisational measures to protect the entrusted personal data against accidental or illegal destruction, loss, alteration, unauthorised disclosure or access to the personal data.
The implemented measures are further described in Evovia’s Description of Implemented Security Measures, April 2022 Version, (Here) which Evovia may continuously update. However, changes in security measures should never lead to a deterioration in the level of security. Updated versions of the Description of implemented security measures are automatically included as part of the Data Processing Terms and replace previous versions.
Notification of personal data breaches
If Evovia becomes aware that there has been a personal data breach in relation to the personal data that the Customer has entrusted to Evovia to process, Evovia must notify the Customer about this breach without undue delay after Evovia has become aware that a breach has occurred.
Evovia shall, without undue delay after becoming aware of a personal data breach, take reasonable and proportional steps to limit the damage resulting from the breach.
Notification to the Customer shall, if possible, include a description of the circumstances of the breach, the nature of the breach, what steps Evovia has taken or intends to take in order to limit the damage resulting from the breach and which circumstances Evovia believes the Customer should pay particular attention to in connection with the breach.
In the notification, Evovia will provide contact information for Evovia, where further information can be obtained by the Customer.
Notification can be sent by e-mail to the contact address, which Evovia has on file for the Customer.
Evovia's notification of a personal data breach does not constitute a recognition of guilt or liability in relation to a breach of personal data security.
Upon request, Evovia will assist the Customer in ensuring compliance with the Customer's obligations under Article 33 and Article 34 of the General Data Protection Regulation, taking into account the nature of the entrusted processing and the information available to Evovia in relation to a breach of personal data protection that occurs in Evovia.
Using another data processor, sub-processors
By accepting these Data Processing Terms, the Customer grants its general authorisation for Evovia to make use of other data processors (sub-processors) without the Customer’s prior approval. Information about such contracted sub-processors, including their function, and in which country the sub-processor is established, is available at (Here).
When engaging a sub-processor, Evovia ensures that a written agreement is concluded with the sub-processor through which it is ensured that
- the necessary guarantees are provided that the sub-processor will implement the appropriate technical and organizational measures in such a manner that the processing meets the requirements of the General Data Protection Regulation,
- the sub-processor is subject to the same data protection obligations as those laid down in these Data Protection Terms, which means that the requirements of the General Data Protection Regulation art. 28 (3) must be complied with, and that
- the sub-processor processes the Customer's personal data solely to the extent required to fulfil the delivery obligations accepted by the sub-processor on behalf of Evovia, and that the processing is done in accordance with the agreed instructions.
If a sub-processor does not fulfill its data protection obligations, Evovia remains fully liable to the Customer for the fulfilment of the data processor's data protection obligations.
Evovia may continuously update the list of sub-processors. Updates must be made at least 30 days before any planned changes regarding addition or replacement of a sub-processor. When updating the list, the Customer is given a separate notice hereof, thereby enabling the Customer to object to the planned changes. If the Customer objects to the proposed changes, the Customer may terminate his/her Subscription Agreement with Evovia with effect either immediately or from the expiration of the current calendar month at the time of notice. It is a requirement for termination after this clause that notice of termination is submitted to Evovia within 30 days after notification of the planned changes has been given to the Customer. Termination of the Subscription Agreement is the Customer's sole remedy in this situation.
Transfers to third countries or international organisations
Unless the Customer gives special instructions to Evovia, the Customer's data may not be transferred to areas outside the EU.
However, Evovia may transfer the Customer's data to a third country or international organisation when required by EU law or the national law of the Member States to which Evovia is subject. In this case, the Customer shall be informed of this legal claim before the transfer unless the court in question prohibits such notification for reasons of important societal interests.
The Customer's own access to personal data stored in the Evovia cloud service from a location that causes a transfer of personal data to a third country is considered as the Customer's own transfer and is therefore not covered by Evovia's responsibilities or obligations.
Assistance to the Customer
Evovia is required at Customer's written request to provide the Customer with the following assistance:
Evovia assists the Customer, the nature of the processing taken into account, by appropriate technical and organizational measures insofar as this is possible, in meeting the Customer's obligation to respond to requests to exercise Data Subject rights as set out in Chapter 3 of the General Data Protection Regulation and supplemented by the Data Protection Act. If Evovia receives a request directly from a Data Subject or a potential Data Subject about the exercise of its rights, Evovia immediately passes the inquiry on to the Customer, which then determines whether Evovia's assistance is required.
Evovia also assists the Customer in ensuring compliance with the Customer's obligations pursuant to Article 32-36 of the General Data Protection Regulation, taking into account the nature of the entrusted processing activities and the information available to Evovia.
Evovia is entitled to a separate fee for the assistance granted to the fulfilment of the Customer's requests under this item "Assistance to the Customer". However, as regards assistance to fulfil the Customer's obligations under the General Data Protection Regulation art. 33-34, Evovia does not have a claim for compensation for fulfilment of the obligations of Evovia after the item "Reporting security breaches".
Any fee after this clause is calculated on the basis of the time spent by Evovia and follows Evovia's regular hourly rate for such work. The current prices can be found (Here).
Responsibility and limitation of liability
For compensation and other claims payable to a Data Subject as a result of an illegal processing of personal data, the General Data Protection Regulation article 82 and the Data Protection Act section 40 apply. In the interrelationship between the parties, each party is thus responsible for extracting the portion of such amounts that correspond to the party's share of liability for the damage. If necessary, the distribution of responsibilities shall be determined by judicial review.
One of the parties is liable for fines and other punishment imposed on the party as a result of an unlawful processing of personal data and without the possibility of regression.
Evovia's keeping of records
Evovia is required to keep records of the categories of processing activities performed on behalf of the Customer in accordance with the General Data Protection Regulation art. 30. The Customer is required to provide Evovia with the name and contact information of the Customer's Representative and Data Protection Advisor and to update such information so that the records can be properly kept by Evovia.
Commitment to confidentiality
Evovia must ensure that the persons authorised by Evovia to process the Customer's personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. Evovia and anyone who performs work on behalf of Evovia, and who have access to the Customer's personal data, may process this data only according to the Customer's instructions unless otherwise required by legal regulation to which Evovia is subject.
Evovia may only authorise persons for whom it is necessary to have access to the personal data in order to fulfil Evovia's obligations to the Customer. Evovia must continuously review authorisations and close accesses when authorisations expire or terminate.
Inspection and auditing
Evovia makes all the information necessary to demonstrate compliance with the requirements of the General Data Protection Regulation Article 28 and the requirements to Evovia, as stipulated by these Data Processing Terms, available to the Customer. As part hereof, Evovia provides the opportunity for and contributes to audits, including inspections made by the Customer or any other auditor, authorised by the Customer.
Once a year, Evovia's auditor Deloitte reviews the security setup and issues a statement of assurance, which Evovia makes available to the Customer on the website.
The Customer may request a physical inspection at Evovia. Requests must be submitted in writing to Evovia, indicating what the Customer wishes to include in the inspection. The parties then agree on the circumstances and scope of the inspection, including the date of inspection and the form of reporting.
Inspection can only be done by a person who submits to Evovia's general safety measures and who accepts a confidentiality clause directly to Evovia.
Evovia may raise objections to a designated person for inspection if the designated person is not suitable or qualified for the purpose of the inspection, including the person (1) not being independent, (2) being a direct competitor of Evovia or (3) being for other reasons obviously unsuitable for carrying out the task.
If Evovia raises an objection to the designated person, the Customer may designate another person to carry out the inspection.
Auditing of sub-processors used by Evovia is done through Evovia. However, the Customer may choose to initiate and participate in a physical inspection also at the sub-processor. Audits must be carried out in compliance with the sub-processors' terms of inspection.
Any expenses incurred by Evovia or the sub-processor in connection with being physically audited/inspected shall be borne by the Customer. Evovia and any sub-processor are also eligible for a fee for the time spent on inspection, based on the current price list (Here).
Regarding this clause concerning "Inspection and Auditing", Evovia shall promptly inform the Customer if Evovia considers an instruction to be in violation of the General Data Protection Act or other applicable data protection legislation to which Evovia is subject.
Deletion and return of the Customer's data
Following the Customer's decision, Evovia deletes or returns all Personal data to the Customer after the termination of the Services - usually termination of the Subscription Agreement - and Evovia deletes existing copies unless Evovia is subject to a legal obligation stating that Evovia must keep the personal data.
Evovia's execution of the Customer's instructions to delete or return the Customer's data is done in accordance with the regulation of the General Data Protection Regulation and as quickly as practicable. By default, Evovia deletes customer data from the operating environment 14 days after the Subscription Agreement has expired. The Customer hereby agrees that the Customer's data is included in a 90-day backup procedure, after which all copies of the Customer's data are deleted.
Changes to the data processing terms
Evovia can change these Data Processing Terms with a 90-day notice. Information about planned changes will be forwarded to the Customer. If the Customer does not wish to accept the notified changes, the Customer may terminate its Subscription Agreement. The customer has no other powers as a consequence of changes to the Data Protection Terms.
Any changes will always ensure that the minimum requirements in force at any given time in the personal data rules for the content of a Data Processor Agreement, pt. art. 28 of the GDPR, will be met after a given change.
Evovia's contact information
Customer inquiries to Evovia concerning data protection, including requests for audits and inspections, must be forwarded to:
INCUBA, Åbogade 15
DK - 8200 Aarhus N
Attention: CEO, adm. director
Tel.: +45 8675 1242.
Record keeping obligation of the Parties
Evovia and the Customer are each required to electronically retain a version of these Data Processing Terms and the Subscription Agreement, which stipulates the additional agreed instructions and any other information relevant to or supplementing these Data Processing Terms.
Version, August 2020