Data processing agreement

Agreement on sub-contracted personal data processing under Article 28 of the EU General Data Protection Regulation (GDPR)

Contents

  1. Preamble
  2. Rights and duties of the data controller
  3. The data processor acts according to instructions
  4. Non-disclosure
  5. Security of processing
  6. Use of data sub-processors
  7. Transfer to third countries or international organisations
  8. Assistance to the data controller
  9. Notification of breach of personal data security
  10. Deletion and return of data
  11. Audit, including inspection
  12. Liability and limitation of liability
  13. Record keeping by the data processor
  14. Changes to the data processing conditions
  15. Agreement of the Parties on other matters
  16. Entry into force and termination
  17. Contact information of the Parties

Appendix A Information about the processing
Appendix B Data sub-processors
Appendix C Instruction on the processing of personal data

1. Preamble

  1. The data controller and the data processor have entered into an agreement on the data controller’s access to and use of the Evovia cloud service (the Main Agreement/Subscription Agreement). Evovia is a digital management platform offered as a cloud service (SaaS).
  2. The Provisions form an integral part of the Main Agreement/Subscription Agreement.
  3. The Provisions set out the rights and obligations of the data processor when the data processor carries out the processing of personal data on behalf of the data controller.
  4. The Provisions are designed to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR).
  5. In the context of the provision of the Evovia cloud service, the data processor processes personal data on behalf of the data controller, in accordance with these Provisions.
  6. These Provisions shall take precedence over any corresponding provisions in other agreements between the Parties.
  7. There are three appendices to these Provisions, and the appendices form an integral part of the Provisions.
  8. Appendix A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
  9. Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors, and a list of sub-processors whose use has been approved by the controller.
  10. Appendix C contains the data controller’s instructions regarding the data processor’s processing of personal data, a description of the security measures that the data processor must as a minimum implement, and how the processor and any sub-processors are supervised.
  11. The Provisions and their associated appendices shall be stored in written form, including by electronic means, by both Parties.
  12. These Provisions do not exempt the data processor from any obligations imposed on the data processor by the GDPR or any other legislation.
  13. Neither do these Provisions exempt the data controller from any obligations imposed on the data controller by the GDPR or any other legislation.

2. Rights and duties of the data controller

  1. The data controller is responsible for ensuring that the processing of personal data is carried out in accordance with the General Data Protection Regulation (see Article 24 of the Regulation), the data protection provisions of other EU or member states’* national law, and these Provisions.
  2. The data controller has the right and the duty to decide the purpose(s) and the means by which personal data may be processed.
  3. The data controller is inter alia responsible for ensuring that there is a processing basis for the processing of personal data that the data processor is instructed to carry out.
  4. The data controller is therefore in particular responsible towards the data processor for ensuring and undertaking that:
    • The data controller has the necessary legal capacity to process and entrust to the data processor and its sub-processors the carrying out of the agreed processing operations on the personal data processed in the context of the provision of the agreed services.
    • The data controller’s instructions, as expressed through these Provisions and any other agreements, are lawful.
    • The data controller does not entrust the data processor with the processing of personal data other than those specified in the data controller’s instructions, and that the personal data so entrusted do not relate to categories of data subjects other than those specified in the instructions.

*References to “member states” in these Provisions shall be understood to be references to “EEA member states”.

3. The data processor acts according to instructions

  1. The data processor may only process personal data on the basis of a documented instruction from the data controller, which the data processor has accepted, unless required to do so by EU law or by the national legislation of the member states to which the processor is subject. This instruction shall be specified in Appendices A and C. Subsequent instructions may be given by the data controller to the effect that the data processor shall cease further processing, resulting in the deletion of the data controller’s data by the data processor, as specified in the section “Deletion and return of data” below, but the instruction must always be documented and stored in written form, including by electronic means, together with these Provisions.
  2. The data controller may also subsequently request the data processor to receive further instructions for the processing of personal data for the data controller, and the processor shall be free to choose to accept or refuse such further instructions.
  3. The data processor shall inform the data controller without delay if the data processor considers that an instruction is contrary to the GDPR or to the data protection regulations of other EU law or member state legislation.
  4. If, in the reasonable assessment of the data processor, the data controller’s instruction is likely to be unlawful, the data processor may, without breaching these Provisions or the Main Agreement/Subscription Agreement, cease all further data processing other than storage until the data controller issues a further instruction confirming that the personal data may be lawfully processed, or that the data must be returned or deleted.

4. Non-disclosure

  1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor’s instructional powers, and who have given an undertaking of non-disclosure or who are subject to an appropriate legal obligation of non-disclosure, and only to the extent necessary. The list of persons to whom access has been granted shall be subject to review on an ongoing basis. On the basis of this review, access to personal data may be denied if such access is no longer necessary, and the personal data shall then no longer be accessible to these persons.
  2. At the request of the data controller, the data processor must be able to show that the persons concerned, who are subject to the data processor’s instructional powers, are subject to the aforementioned duty of non-disclosure.

5. Security of processing

  1. Article 32 of the General Data Protection Regulation states that the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risks presented, taking into account the current technical state of the art, the cost of implementation, the nature, scope, context and purposes of the processing involved, and the risks of varying degrees of probability and severity to the rights and freedoms of individuals. The data controller must assess the risks to the rights and freedoms of individuals posed by the processing, and implement measures to address those risks. Depending on their relevance, this may include:
    • Pseudonymisation and encryption of personal data
    • The ability to ensure the continued confidentiality, integrity, accessibility and robustness of data processing systems and services
    • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
    • A procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.
  2. Article 32 of the Regulation also requires that the data processor – independently of the controller – assesses the risks to the rights of individuals represented by the data processing entrusted to the data processor, and implements measures to address those risks. For the purposes of the data processor’s risk assessment, the data controller shall provide the necessary information to the data processor to enable the data processor to identify and assess such risks.
  3. In addition, the data processor shall assist the data controller in complying with the data controller’s obligation under Article 32 of the GDPR by, inter alia, providing the data controller with the necessary information regarding the technical and organisational security measures already implemented by the data processor pursuant to Article 32 of the GDPR and – for a separate fee – any other information necessary to allow the data controller to comply with the data controller’s obligations under Article 32 of the GDPR. If, in the assessment of the data controller, addressing the risks identified in connection with the agreed processing of personal data requires the implementation of measures in addition to those already implemented by the data processor, the data controller shall specify to the data processor the additional measures to be implemented. The Parties shall then conclude a separate agreement on the implementation of such additional security measures, including the timetable and the remuneration of the data processor. If the Parties cannot reach such an agreement, the data controller shall instruct the data processor to cease further processing and delete the personal data entrusted, in accordance with the section “Deletion and return of data”, below. The data controller may then terminate the Subscription Agreement in accordance with the termination terms agreed therein.

6. Use of data sub-processors

  1. The data processor must comply with the conditions set out in Article 28(2) and (4) of the GDPR in order to make use of another data processor (a data sub-processor).
  2. The data processor may thus not make use of a sub-processor for the purpose of fulfilling these Provisions without the prior general written consent of the data controller.
  3. The data processor has the general approval of the data controller for the use of data sub-processors. The data processor shall notify the data controller in writing, with at least 30 days’ notice, of any planned changes concerning the addition or replacement of data sub-processors, thereby giving the data controller the opportunity to object to such changes prior to the use of the sub-processor(s) concerned. A longer period of notice may be specified in Appendix B for the notification of specific processing activities. If the data processor is not immediately able to perform the data processor’s obligations under the Subscription Agreement, or cannot do so without incurring excessive costs during such period of notice, the data processor shall not be liable for such non-performance.
  4. The data controller moreover accepts that there may be exceptional cases in which a concrete need may arise for a change concerning the addition or replacement of a data sub-processor which must be made at shorter notice or immediately. In such cases, the data processor will notify the data controller of the change as soon as possible.
  5. If the data controller objects to any planned change relating to the addition or replacement of a sub-processor, the data controller may terminate the Subscription Agreement by giving notice under the terms set out in the Subscription Agreement, and ensure that the data controller’s personal data are deleted prior to the planned change relating to the addition or replacement of a sub-processor. Apart from terminating the Subscription Agreement, the data controller shall have no other powers in relation to the data processor in this situation. If the agreement is terminated under this provision, the payment obligation of the data controller shall otherwise continue until the termination of the Subscription Agreement. The list of data sub-processors already authorised by the data controller is set out in Appendix B.
  6. Where the data processor makes use of a sub-processor for the performance of specific processing activities on behalf of the data controller, the data processor shall impose on the sub-processor, by means of a processor agreement, the same data protection obligations as those laid down in these Provisions, providing in particular the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the data processing will comply with the requirements of these Provisions and the GDPR. The data processor must therefore ensure that where a sub-processor is used, a written agreement is concluded with the sub-processor to ensure that:
    • There are adequate guarantees that the data sub-processor will implement appropriate technical and organisational measures in such a way that the processing will comply with the requirements of these Provisions and the GDPR
    • The sub-processor is subject to the same data protection obligations as those laid down in these Provisions, i.e. the requirements of the GDPR’s article 28(3) shall be complied with, and
    • The sub-processor processes the personal data entrusted to the sub-processor only to the extent necessary to fulfil the supply obligations assumed by the sub-processor in relation to the data processor, and that the processing is carried out in accordance with the agreed instructions.
  7. Upon request by the data controller, copies of the sub-processor agreement(s) and any subsequent amendments thereto shall be sent to the data controller, who will thereby have the opportunity to ensure that equivalent data protection obligations resulting from these Provisions are imposed on the sub-processor. Provisions on commercial terms which do not affect the data protection content of the sub-processor agreement shall not be sent to the data controller.
  8. If the sub-processor fails to comply with the sub-processor’s data protection obligations, the data processor shall remain fully liable to the data controller for the performance of the data sub-processor’s obligations. This shall be without prejudice to the rights of data subjects under the GDPR, in particular Articles 79 and 82 thereof, with respect to the data controller and the data processor, including the data sub-processor.

7. Transfer to third countries or international organisations

  1. The data processor shall store the data controller’s data within the EU unless otherwise covered by the data controller’s instructions.
  2. Any transfer of personal data to third countries or international organisations may only be undertaken by the data processor on the basis of a documented instruction to that effect from the data controller, and must always be made in accordance with Chapter V of the General Data Protection Regulation.
  3. If the transfer of personal data to third countries or international organisations, which the data processor has not been instructed to carry out by the data controller, is required by EU or member state law to which the data processor is subject, the data processor shall notify the data controller of this legal requirement prior to processing, unless such law prohibits such notification on the grounds of important public interests.
     In the absence of a documented instruction from the data controller, the data processor therefore cannot, within the framework of these Provisions:
     • Transfer personal data to a controller or processor in a third country or an international organisation
     • Entrust the processing of personal data to a sub-processor in a third country
     • Process personal data in a third country.
  4. The data controller’s instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, shall be set out in Appendix C.6.

8. Assistance to the data controller

  1. The data processor undertakes to provide the data controller with the following assistance at the written request of the data controller:
  2. The data processor shall, as far as possible and having regard to the nature of the processing entrusted, assist the data controller by appropriate technical and organisational measures in complying with the data controller’s obligation to respond to requests to exercise the rights of data subjects as laid down in Chapter III of the General Data Protection Regulation. This means that the data processor must, as far as possible, assist the data controller to ensure compliance with:
    • The obligation to provide information when collecting personal data from the data subject
    • The obligation to provide information if personal data have not been collected from the data subject
    • The right of access
    • The right of rectification
    • The right to deletion (“the right to be forgotten”)
    • The right to restrict processing
    • The obligation to provide notification in connection with the rectification or deletion of personal data or the restriction of processing
    • The right to data portability
    • The right to object
    • The right not to be subject to a decision based solely on automated processing, including profiling
  3. The data processor shall also assist the data controller in ensuring compliance with the data controller’s obligations under Articles 32-36 of the General Data Protection Regulation, taking into account the nature of the processing operations entrusted to the data processor and the personal data available to the data processor. In addition to the data processor’s obligation to assist the data controller as set out in Provision 5.3, the data processor shall assist the data controller with:
    • The obligation of the data controller to notify the competent supervisory authority, the Danish Data Protection Agency, of the personal data breach without undue delay and, if possible, within 72 hours of becoming aware of it, unless the personal data breach is unlikely to pose a risk to the rights or freedoms of individuals
    • The obligation of the data controller to notify the data subject without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of individuals
    • The obligation of the controller to carry out, prior to processing, an analysis of the implications of the envisaged processing activities for the protection of personal data (impact assessment)
    • The obligation of the data controller to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing if a data protection impact assessment shows that the processing would lead to a high risk in the absence of measures taken by the data controller to mitigate the risk.
  4. In Appendix C, the Parties shall specify the necessary technical and organisational measures by which the data processor must assist the data controller, and the extent and scope of such assistance. This applies to the obligations arising from Provisions 8.1 and 8.2.
  5. The data processor shall be entitled to a separate fee for the assistance provided in fulfilling the data controller’s requests under this Provision 8. The fee shall be calculated on the basis of the time consumed by the data processor and the data processor’s usual hourly rate for such work.
  6. However, the data processor shall not be entitled to remuneration in relation to assistance in the performance of the data controller’s obligations under Articles 33-34 of the GDPR.

9. Notification of breach of personal data security

  1. If the data processor becomes aware of a breach of personal data by the data processor, or by a data sub-processor used in relation to the personal data that the data controller has entrusted to the data processor, the data processor shall notify the data controller of the personal data breach without undue delay after becoming aware that the breach has occurred.
  2. Notification may be sent by e-mail to the contact address provided by the data controller in the Subscription Agreement. On becoming aware of a personal data breach, the data processor shall without undue delay take reasonable and proportionate steps to mitigate the harm caused by the breach.
  3. The data processor must assist the data controller in notifying the breach to the Danish Data Protection Agency or other competent supervisory authority. This means that the data processor must assist in providing the following information, which, in accordance with Article 33(3) of the GDPR, must be included in the data controller’s notification of the breach to the competent supervisory authority:
    • The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
    • The likely consequences of the personal data breach
    • The measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.
  4. If it is not possible for the data processor to provide all of the information at once, the information may be provided in instalments without further undue delay. The data processor’s notification of the data controller shall, where possible, be made in time to allow the data controller to submit a complete notification to the supervisory authority within the time limits for the notification of personal data breaches specified in Article 33 of the General Data Protection Regulation.
  5. Following the initial notification to the data controller, the data processor must therefore, if necessary, continuously update and complete the information provided to the data controller so that the data controller can, if necessary, update its personal data breach notification to the supervisory authority.
  6. The data processor’s notification of a personal data breach does not constitute an admission of fault or liability in relation to a personal data breach that has occurred.
  7. At the request of the data controller, the data processor shall also assist the data controller in ensuring compliance with the data controller’s obligations under Article 34 of the General Data Protection Regulation, taking into account the nature of the processing operations entrusted to the data processor and the personal data available to the data processor.

10. Deletion and return of data

  1. Upon termination of the agreed services relating to the processing of personal data under the Subscription Agreement, the data processor shall be obliged to delete all personal data that have been processed on behalf of the data controller and to confirm to the data controller that the data have been deleted, unless EU law or the national legislation of the member states requires storage of the personal data.
  2. However, the data processor may continue to store the personal data entrusted by the data controller after termination of the Subscription Agreement and of the personal data processing services agreed therein if the data processor is subject to a legal obligation requiring the data processor to carry out such storage of the data controller’s personal data. The data processor undertakes to process the personal data only for the purpose(s) and period of time, and under the conditions prescribed by these Provisions.
  3. Prior to termination of the Subscription Agreement, the data controller may also instruct the data processor to provide a copy of the personal data. In this case, the medium and format of the delivery shall be agreed. The data processor shall be entitled to remuneration for work carried out in connection with the delivery in accordance with the time elapsed and at the data processor’s generally applicable hourly rate for such work, as well as for any costs and outlays incurred in connection with the work. The data processor shall be entitled to require the payment of a deposit for accepting the delivery instruction.
  4. If the data controller instructs the data processor to deliver personal data, this is also an instruction that the data processor shall not delete the personal data processed on behalf of the data controller until the delivery has been made and confirmed by the data controller.
  5. The data processor’s implementation of the data controller’s instruction to delete the data controller’s personal data shall take place in accordance with the GDPR, and as soon as practicable.
  6. As part of the Subscription Agreement, the data processor shall make data backups. The agreed services relating to the processing of personal data under the Subscription Agreement are, as far as personal data are concerned, included in a backup and are therefore only terminated when the backup is destroyed in accordance with the data processor’s backup procedure. By default, Evovia deletes customer data from the operational environment 14 days after the end of the Subscription Agreement. In this connection, the Customer agrees that the Customer’s data will be included in a backup procedure for 90 days, after which all copies of the Customer’s data will be deleted.

11. Audit, including inspection

  1. At the request of the data controller, the data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Provisions, and shall enable and contribute to audits, including inspections, carried out by the data controller or by another auditor authorised by the data controller.
  2. Inspection may only be carried out by a person who is subject to the data processor’s general security measures and who enters into a non-disclosure agreement directly with the data processor, under the usual terms.
  3. The data processor may object to a person designated by the data controller to carry out an inspection if, in the reasonable opinion of the data processor, the designated person is not fit or qualified to carry out the inspection, including if the person (1) is not independent, (2) is affiliated with or has relations with a direct competitor of the data processor, or (3) is otherwise manifestly unfit to perform the task.
  4. If the data processor objects to the designated person, the data controller may designate another person to carry out the inspection.
  5. Supervision of the data processor’s sub-processors shall be carried out via the data processor. The procedure is set out in Appendix C. However, the data controller may also choose to initiate and participate in a physical inspection at the premises of the data sub-processor, if the sub-processor so permits. Inspection shall be carried out in accordance with the terms for inspection laid down by the data sub-processor.
  6. The procedures for the data controller’s audits, including inspections, of the data processor and sub-processors are detailed in Appendices C.7 and C.8.
  7. The data processor shall be obliged to grant access to the physical facilities of the data processor to supervisory authorities who have access under the applicable law to the facilities of the data controller or the data processor, or to representatives acting on behalf of the supervisory authority, on presentation of appropriate identification.
  8. The data processor shall be entitled to remuneration for the exercise of inspection and audit by the data controller. The remuneration shall be calculated on the basis of the working time consumed and the applicable hourly rates of the data processor, plus any direct out-of-pocket costs incurred, including costs incurred by the data processor for the assistance of sub-processors.

12. Liability and limitation of liability

  1. For the payment of compensation to persons as the result of an unlawful processing operation or any other processing in breach of the GDPR and the Data Protection Act, Article 40 of the Data Protection Act shall apply. Irrespective of Article 82(5) of the General Data Protection Regulation, a party who has paid compensation to an injured party which does not correspond to full compensation may have right of recourse in accordance with the principle laid down in Article 82(5).
  2. The Parties agree that the same regulation shall in any case also apply in relation to other compensation for non-economic losses, in relation to the final internal allocation of liability between the data processor and the data controller.
  3. The Parties may not claim recourse or compensation from the other party for fines or other penalties imposed pursuant to Article 41 of the Data Protection Act, or for orders to pay fines accepted pursuant to Article 42 of the Data Protection Act.
  4. Additional limitation or disclaimers of liability may be contained in the Subscription Agreement.

13. Record keeping by the data processor

  1. The data processor shall be obliged to keep records of the categories of processing operations carried out for the data controller in accordance with Article 30(2) of the GDPR. The data controller shall be obliged to inform the data processor of the name and contact details of the data controller’s representative and data protection officer, if any, and to update such information so that the records can be properly maintained by the data processor.

14. Changes to the data processing conditions

  1. The data processor may provide written notification of changes to the Provisions to the data controller with 30 days’ notice to the end of a calendar month.
  2. Information about planned changes shall be forwarded to the data controller’s contact person by e-mail.
  3. If the data controller continues to use Evovia after the notified changes to the Provisions enter into force, the data controller shall thereby be deemed to have accepted the changes to the Provisions.
  4. If the data controller does not wish to accept notified changes to the Provisions, the data controller may terminate the Subscription Agreement in accordance with the termination terms agreed therein, and the data controller shall then ensure that all personal data are deleted from Evovia before the notified changes take effect.

15. Agreement of the Parties on other matters

  1. The Parties may agree on other provisions regarding the Evovia Subscription Agreement on the processing of personal data, provided these other provisions do not directly or indirectly conflict with data protection legislation or impair the fundamental rights and freedoms of the data subject as derived from the GDPR.

16. Entry into force and termination

  1. These Provisions shall enter into force on the date of signature or other accession by both Parties.
  2. Both Parties may request a renegotiation of the Provisions if changes in the law or inappropriateness in the Provisions gives rise to such a request.
  3. The Provisions shall apply for the same duration as the obligations of the data processor under the Subscription Agreement regarding the processing of personal data. During this period, the Provisions may not be terminated unless other provisions governing the delivery of the service relating to the processing of personal data are agreed between the Parties.

17. Contact information of the Parties

Requests by the data controller to the data processor regarding data protection, including requests for supervision and inspection, should be sent to:

Evovia ApS
Finderupvej 5
8000 Aarhus C

or by e-mail to: gdpr@evovia.com

The data controller’s contact person is stated under the ‘Terms’ tab of the Customer’s own page on the Evovia management platform.

The Parties are obliged to keep each other informed of changes concerning contact persons.

Version: December 2022

Appendix A Information about the processing

A.1. The purpose of the processing of personal data by the data processor on behalf of the data controller

The data controller and the data processor have entered into an agreement on the data controller’s access to and use of the Evovia cloud service (the Main Agreement/Subscription Agreement). Evovia is a digital management platform offered as a cloud service (SaaS).

A.2. The processing of personal data by the processor on behalf of the controller mainly relates to (nature of the processing)

When the data processor supplies the Evovia cloud service to the data controller, personal data are processed in accordance with the purposes necessary to provide the services set out in the Subscription Agreement, including storage, collection, recording, systematisation, aggregation, deletion, archiving, etc.

A.3. The processing covers the following types of personal data on the data subjects

The entrusted processing operations cover the types of data that the data controller enters and loads into the Evovia cloud service. By default, this includes the names, e-mail addresses and location of employees in the organisation and the name of their immediate manager. In addition to this are other personal data that the employee and the employee’s manager upload to the cloud service, e.g. preparatory notes, scores, comments on agreements and action plans with deadlines for performance reviews, performance appraisals, etc. As free text fields can be used here, the type of information provided may be sensitive. In this context, the data processor undertakes to comply with the security requirements in relation to the processing of possible sensitive data, as described in more detail in C.2.

A.4. The processing covers the following categories of data subjects

The data subjects encompass the categories to which the data controller extends the use of Evovia, in particular the data controller’s employees. If the data controller wishes to avail itself of Evovia’s “360-degree leadership evaluation” function, which includes, for example, contributions from external stakeholders, the categories of data subjects will also include such external stakeholders. The situation is similar if the data controller wishes to use a GRUS group which includes one or more external stakeholders.

A.5. The processing of personal data by the data processor on behalf of the data controller may begin after the entry into force of these Provisions. The processing has the following duration

The data processor shall undertake the processing of the data controller’s personal data for as long as Evovia is obliged to do so under the Subscription Agreement, and for a period thereafter until the data processor deletes the data controller’s personal data in accordance with the data processor’s backup procedure.

Appendix B Data sub-processors

B.1. Approved data sub-processors

Upon the entry into force of the Provisions, the data controller has authorised the use of the following data sub-processors:

  • Traels.it, Bøgevej 32, 5200 Odense V, CVR 22001884: Main responsibility for the technical development of the entire Evovia platform, and therefore full access.
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, CVR DE 812871812: Hosting of data
  • Hetzner Finland Oy, Huurrekuja 10, 04360 Tuusula, Finland, CVR 2720758-9: Hosting of data
  • Scannet, Højvangen 4, 8660 Skanderborg, CVR 29412006: Hosting of data
  • Cloud Factory A/S, Vestergade 4, 6800 Varde, CVR 35393692: Hosting of data
  • SMTP.dk, Refshalevej 163A, 1.tv., 1432 København K., CVR 29849439: Responsibility for sending automatic e-mails from the Evovia platform

Upon the entry into force of the Provisions, the data controller has authorised the use of the above-mentioned data sub-processors for the processing activity described. The processor shall not without the consent of the data controller make use of a sub-processor for a processing operation other than those described and agreed, or make use of a different sub-processor for that processing operation.

B.2. Notice period for the approval of sub-processors

The data processor shall notify the data controller in writing, if possible with at least 30 days’ notice, of any planned changes concerning the addition or replacement of data sub-processors, thereby giving the data controller the opportunity to object to such changes prior to the use of the sub-processor(s) concerned.

Appendix C Instruction on the processing of personal data

C.1. Subject and instruction of the processing

The processing of personal data by the data processor on behalf of the data controller shall be carried out by the data processor as follows: Any processing necessary for the data processor to fulfil the obligations set out in the Subscription Agreement. This includes in particular processing activities necessary to make the Evovia cloud platform available to the data controller.

C.2. Security of processing

The level of security must reflect:

The data processor shall put into place and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing activities the data processor carries out for the data controller.

The technical and organisational measures shall be determined taking into account the current technical state of the art, the cost of implementation, the nature, scope, context and purposes of the processing concerned, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons.

In assessing the appropriate level of security, particular account shall be taken of the risks represented by the data processing, in particular through accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data that is transmitted, stored or otherwise processed.

The data processor shall then be entitled and obliged to decide on the technical and organisational security measures to be implemented in order to establish the necessary (and agreed) level of security.

C.2.1 General security measures

All data processor support staff (and data processor subcontractors) have generated a long, non-trivial password of at least 12 characters for the system, and use two-factor authentication.

All employees with support access are set up to use a VPN, and are only permitted to connect from external networks via the VPN.

Access to servers is handled by subcontractors. Access to servers is by means of key files.

Data subcontractors do not work with data unless the data controller has granted permission for this.

C.2.2 Data centres and network security

Data are hosted by the hosting provider: see the list of data sub-processors, Appendix B.

Data are sent only to users who are logged in.

When attempts are made to access the servers of the data processor, access is blocked after three unsuccessful attempts.

C.2.3 Authorisation and access controls

Evovia is a platform on which different users have access to different data – part of this access management is the responsibility of the data controllers themselves. In general, access sharing is granted only at the request/order of the responsible data controller.

If the data controller so requests, the data processor may work on this on behalf of the data controller. All actions are logged.

C.2.4 Data security

All data entries and data retrievals are performed via a secure web connection (https) to our web servers. The servers that drive the website itself are virtual servers, which do not store data. Access to these servers is controlled by a firewall that automatically opens to authorised employees – no one else is allowed to try to log in.

Data is transferred from these servers to a set of virtual database servers. Data is stored on a server at a hosting company which is mirrored to another server at the same hosting company. An encrypted backup file is sent daily to another server in another EU country. Finally, another encrypted backup file is sent to a third hosting company. Access to database servers is locked down to selected employees.

All data processor support staff (and data processor subcontractors) have generated a long and non-trivial password of at least 12 characters for the system.

Access to servers is handled by subcontractors. Access to servers is by means of key files. Data subcontractors do not work with data unless the data controller has granted permission for this.

C.2.5 Authorisation and access control

Evovia only accesses information in the data controller’s system if the data controller requests this – for example in a support situation. Access occurs through the data controller actively ticking a box and unticking it after use. All actions are logged.

When attempts are made to access our servers, access is blocked after three unsuccessful attempts. Access logging is done in such a way that the top of the document shows who has viewed the document, and when.

C.2.6 Deletion

When a customer deletes an employee who is no longer employed by the customer, the employee is deleted after 14 days, while the data entered in the MUS (employee development interview), etc., including scores and agreements, is kept in the manager’s archive (generally for five years). However, the controller may instruct Evovia to change the length of time for which data are retained. This can be a longer or a shorter period than five years, and can also be differentiated from tool to tool.

When a company wishes to cease using Evovia, the company is deleted after 14 days, and is completely out of any backup within 90 days.

C.2.7 Employee security

The supplier makes use of home offices. All data are stored online, and will normally only involve employees’ PCs to the extent that the website caches on the employee’s PC. Data provided for processing on an employee’s PC are treated confidentially and deleted immediately after use, by agreement with the data controller. Transmission of data between employees occurs via encrypted e-mails or encrypted attachments.

C.2.8 Input containing personal data

Input is what each user enters into the system. A support employee may only access this if we have been requested to do so by the data controller. This occurs through the data controller/user actively ticking a box and unticking it after use. The action is logged.

C.2.9 Output containing personal data

Not applicable here. A support employee may only access this if the data controller explicitly authorises us to do so in a given situation.

C.2.10 Engagement of data sub-processors

Prior to engaging a data sub-processor, Evovia will conduct due diligence or inspection of the security measures and data protection principles implemented by the sub-processor, ensuring that the sub-processor has a level of security appropriate to the processing activities they will perform for Evovia. If a data sub-processor is deemed suitable for carrying out processing activities, Evovia will enter into a written agreement with the sub-processor in accordance with the requirements of the data processor.

C.3 Assistance to the data controller

The data processor shall, to the extent possible – within the scope and extent set out below – assist the data controller in accordance with Provisions 8.1 and 8.2 by implementing the following technical and organisational measures:

At the specific request of the data controller, the data processor shall, as far as possible and having regard to the nature of the processing, assist the data controller by appropriate technical and organisational measures in complying with the data controller’s obligation to respond to requests to exercise the rights of data subjects, as laid down in the legislation on personal data.

If a data subject makes a request to the data processor to exercise the data subject’s rights, the data processor shall notify the data controller without undue delay.

Taking into account the nature of the processing and the information available to the data processor, the data processor shall also, upon specific request, assist the data controller in ensuring compliance with the obligations of the data controller in relation to:

  • The implementation of appropriate technical and organisational measures
  • Security breaches
  • Notification to the data subject of breaches of personal data security
  • Implementation of consequential analyses
  • Prior consultation by the supervisory authorities

C.4 Storage period/deletion routine

Upon termination of the personal data processing service, the data processor shall either delete or return the personal data in accordance with Provision 10.1, unless otherwise separately agreed between the Parties.

Evovia’s implementation of the data controller’s instruction to delete or return the data controller’s data shall be in accordance with the GDPR, and take place as soon as practicable. By default, Evovia deletes customer data from the operational environment 14 days after the end of the Subscription Agreement. The data controller agrees that the data controller’s data will be included in a backup procedure for 90 days, after which all copies of the data controller’s data will be deleted.

C.5 Processing site

The processing of personal data covered by the Provisions may not without the prior written consent of the data controller take place at locations other than the following:

Details of the processing sites of the data processor and its sub-processors are available on request from the data processor. The information may be disclosed to the extent that such disclosure can in the assessment of the data processor be made without risk to security. In such cases, only information relating to the country and city of the data processing site is in principle provided.

C.6 Instruction on transfer of personal data to third countries

Unless the data controller, in these Provisions or subsequently, provides a documented instruction regarding the transfer of personal data to a third country, the data processor shall not be entitled to perform such transfers within the framework of these Provisions.

C.7 Procedures for controller audits, including inspections, of the processing of personal data entrusted to the processor

The data controller has the right and the duty under Articles 24 and 28 of the GDPR to carry out the supervision of the processing of personal data by the data processor on behalf of the data controller. The data controller may carry out supervision of the data processor by performing one of the following actions:

  • Self-monitoring on the basis of documents made available by the data processor to the data controller
  • Written supervision, or
  • Physical inspections.

C.7.1 Self-monitoring

The data processor shall annually, at the data processor’s own expense, obtain an audit opinion from an independent third party on the compliance of the data processor with the GDPR, the data protection regulations contained in other EU law or the national legislation of member states, and these Provisions.

It is agreed by the Parties that the following type of audit report may be utilised in accordance with these Provisions: ISAE3000 – type 2

The audit report will be placed on Evovia’s data controller administration page every year in June, where the data controller has the possibility of carrying out its own checks.

Based on the results of the audit report, the data controller shall be entitled to request the implementation of additional measures to ensure compliance with the GDPR, the data protection regulations contained in other EU law or the national legislation of member states and these Provisions.

C.7.2 Written supervision and physical inspection

The data controller may choose to carry out supervision, either by written supervision or by physical inspection. The supervision may be carried out by the data controller itself and/or in cooperation with third parties. The supervision must be based on the security measures agreed between the Parties. Procedure and reporting for written supervision or physical inspection:

  • The data controller contacts the data processor by e-mail to gdpr@evovia.com with a request to carry out supervision and/or inspection.
  • The data processor acknowledges receipt of the request and states the final date for carrying out the supervision and/or inspection.
  • The supervision and/or inspection takes place.
  • The data controller draws up a report which is then sent to the data processor.
  • The data processor reviews the draft report and comments on any observations made by the data controller (this may be repeated several times).
  • The final report is concluded by the data controller.
  • The supervision is terminated.

C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

On the basis of the data processor’s risk assessment, and taking into account the specific processing activities, the data processor carries out audits, including inspections, of the sub-processors’ processing of personal data, either in the form of self-monitoring of audit reports and the equivalent (where possible), written supervision or physical inspection, or a combination thereof.

The data controller may, at the data controller’s request, obtain further information on the control measures put in place and implemented in respect of each sub-processor.

The data controller may initiate a separate supervision of a sub-processor in relation to the data processor. This supervision is carried out in accordance with the usual and established procedure of the sub-processor, and at the expense of the data controller.

Version: December 2022

FAQ, Frequently asked questions

Approval of the Data Processing Agreement


Question:
Where and how do you approve the Data Processing Agreement?

Answer:

  • As soon as you, as a leader in an organisation (or a person delegated at the top level), log in to Evovia, the Data Processing Agreement is presented and you cannot proceed until one of you has approved it.
  • If you have not had the necessary time to read the Data Processing Agreement, please accept it anyway; you then have until May 14, 2018 to respond regarding the Data Terms of Service. Unless we have heard from the customer in writing by 14 May 2018, the approval is valid.
  • Within a few seconds of approval, you will receive an e-mail with the entire Data Processing Agreement attached as a PDF file, with your company name entered and the signature of Evovia's director stamped with the date.

Consent to extraction of anonymous graphical data


Question:
Should employees give consent for anonymous graphical data to be extracted?

Answer:
No, the employee should not, and the employee cannot demand it either.

Legally, there is no basis for such a claim.

Because anonymisation is possible, statistical information can also be extracted, as long as it is not possible to identify the person from the information.

“To the extent that […] employee development interviews are held in the private labour market, ordinary information may be processed with consent or on the basis of Article 6 (2). In the case of sensitive information, it may, in principle, only be processed with the express consent of the employee. However, it may also be a matter of processing information for other purposes, e.g. Article 9 (2) (f) of the Regulation (determination etc. of legal requirements).”

The company can therefore process personal data in connection with EDP on the basis of a balancing of interests.

Therefore, it will not in principle be consent-based processing, or processing that can only take place on the basis of consent.

There is debate among lawyers about producing statistical information based on personal data. First, some lawyers conclude that the anonymisation of personal data is not processing at all, as it has no meaning in relation to the basic principle of storage limitation in Article 5 of the Regulation. The Regulation states directly in the preamble that the processing of anonymised data falls outside its scope. (Peter Blume has argued that viewpoint.)

Other lawyers state that anonymisation always falls within the scope of the original processing, since it in turn supports the principle of storage limitation.

Finally, other lawyers find that anonymisation is always compatible with the original purpose and that the processing can therefore take place.

Evovia has generally recommended the first two of the views mentioned.

Instructions from Data Controllers to Data Processors


Question:
Article 28 (3) (a) of the Regulation states that the data processor may only process personal data on documented instructions from the data controller. What does that mean? Should there be a special document for that?

Answer:
No, it is not necessary, because we cannot predict every conceivable situation; but when it happens, it must be documented or documentable.

Specifically: if a manager or employee has a technical issue in the dialogue questionnaire and contacts Support for help, and Support cannot solve the task for the customer without having access to the questionnaire, Support can only do so if that manager or employee goes into his or her profile and gives Support access via a check mark, which can be removed immediately after the problem is resolved. This instruction is thereby "documented" in the system.

The instructions are contained in the "Scope of processing activities" section of the terms, which states that upon the Customer's acceptance of the Data Terms of Service, the Customer instructs Evovia to process the Customer's personal information for the delivery of the Evovia cloud service on the terms set forth in the Subscription Agreement and these Data Processing Terms.

The data processing conditions themselves contain a section on the nature and purpose of the processing, which states among other things: In addition, it may be agreed between the parties that the nature of the processing also includes the provision of services that entail processing of the Customer's information. This points to the possibility that the customer can instruct Evovia to take care of, for example, an anonymous well-being survey for the customer. The data processor then acts on clear instructions from the data controller in the given situation.

That is how it should be understood.

Issuing of fines – limitation of liability?


Question:
If the authority issuing the fine determines a division of responsibility, is that what is followed, or is it an internal decision between the same parties? The limitation of liability is not entirely clear.

Answer:
As a starting point, the division of responsibility contained in the fine decision under Article 83 is followed, which would also be consistent with the principles of Article 82. To the extent that a party, with reference to the guarantees etc. contained in the agreement, considers that the final distribution of responsibilities should be different, this may be pursued, but in that case it will ultimately be a court decision.

Notification of breach of personal data protection to the supervisory authority


Question:
Some have asked us whether we could set a deadline, so that we, as the data processor, report personal data breaches within a maximum of 24 hours. Currently the wording is "without undue delay".

Answer:
No, we neither can nor will. This stems from a misreading of Article 33 of the General Data Protection Regulation itself (see below). The data processor must report without undue delay, and the data controller must report within 72 hours, but the two time frames are not nested; each applies to its own party. The data controller has 72 hours from the moment the data processor has notified it.

The case is:

  • If there is a personal data breach, we have the following responsibility as the data processor:
  • "Notify the controller without undue delay after becoming aware of a personal data breach" (quoted from Article 33).
  • "Without undue delay" really means as soon as possible, but also in a way that ensures the data processor does not needlessly disturb an unnecessary number of customers, so the data processor must first clarify matters. It will take place as soon as possible, and without undue delay.
  • Then, when the customer (the data controller) has been notified by the data processor, the customer has 72 hours to fulfil its obligation.
  • It is, of course, in everyone's interest that this is done as soon as possible, or, as Article 33 says, without undue delay.

Here is the text: Article 33 of the EU General Data Protection Regulation

Notification of a personal data breach to the supervisory authority.

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:
    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the personal data breach;
    4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Personnel folders: for employees who have left, how long should data be available here?


Question:
It is stated in Evovia's Data Processing Agreement that when an employee is deleted from the customer's system, the employee is deleted after 14 days, while entered data, agreements and scores are stored in the manager's archive for 5 years. Is the 5 years legal?

Answer:
Yes, it is legal to store staff records for 5+ years according to the Data Inspectorate's practice. The manager's archive is an archive that only the manager in question has access to, and it is to be regarded as an "extended feature" of the Employee Folder.

Research collaboration with Aarhus University - With 100% anonymous data made available?


Question:
Is there shared data responsibility with Evovia, since Evovia itself processes data by, for example, sending anonymous data for research at Aarhus University?

Answer:
No, not at all.

The Subscription Terms and Conditions of Business state the following:

Evovia reserves the right, in cooperation with university researchers, to use statistical data in 100% anonymised form for scientific purposes. This is an option that we have always included in our terms of business, and it follows these principles:

Evovia makes a data extract that is 100% anonymous and cannot identify a particular customer or group, as data extracts are selected only on the following parameters:

  1. The leader's gender
  2. The employee's gender
  3. The leader's span of control (number of employees directly reporting to the leader)
  4. Public or private organisation
  5. Main geographical categories
  6. In some overall industry segments, where there is a critical mass of customers so that anonymity can be maintained.

If a customer does not wish to be included in such a benchmark, it can be exempted by contacting Evovia. The customer will then neither participate in nor be able to make use of this benchmark.

The short answer is then:

  • No, there is no question of shared responsibility here.
  • The customer is responsible for what it enters, and for what it uses the statistics, graphs and reports that can be extracted from the system for, and how.
  • Evovia is responsible for how data is stored and made available to the customer, including in statistics and reports, and for ensuring that this complies with the legislation.
  • In relation to 100% anonymous data for research purposes at Aarhus University, we do not hand over anything beyond what can already be extracted as statistics and reports, only in 100% anonymous form. However, we have recently expanded this with some geography and overall industry plus the leader's gender, and here we use a single research program that "guesses" gender from the first name, with the risk that "Inge" is a boy's name in Norway while it is a girl's name in Denmark.
  • Finally, any customer may, upon request, opt out of participating in and making use of such benchmark data.

Risk assessment as the basis for the security level


Question:
What risk assessment is the security level in the system based on? And is it taken into account that the system may potentially contain health information?

Answer:
The risk assessment has included an assessment of the sources of risk, the vulnerabilities that may exist in the system and how this threat picture can lead to an event that can be characterised as a personal data breach, in accordance with Article 4 (12) of the Data Protection Regulation. The probability and severity of a breach are then assessed to determine the overall risk picture.

There are clear instructions from Evovia to the users that there is no need to enter health information into our system. Evovia is nothing like a medical records system, but it can be used for a very good dialogue about what creates and reduces absenteeism. It is a dialogue system.

Signature of the Data Processing Agreement: Should it be signed physically?


Question:
Should there be a physical signature of the Data Processing Agreement?

Answer:

  • No, it is not necessary.
  • We can document who in the company has accepted, and when.
  • That is enough.
  • However, as soon as a customer has accepted the Data Processing Agreement in our system, you receive an e-mail with a PDF file containing the entire agreement, with the company's name and a date, and the signature of the Executive Board at Musskema.dk stamped on it.
  • See also: Approval of the Data Processing Agreement

Sub-processors: can the customer get access to read the agreements with them?


Question:
Is it possible to get access to read the sub-processor agreements?

Answer:
As a rule, there is no access to read the sub data processor agreements. In connection with an audit of Evovia, Evovia may choose to show those parts of the sub data processor agreements that do not contain commercial terms or technical specifications whose disclosure could compromise overall security. In addition, Evovia issues management statements and, to a certain extent, assurance statements regarding the sub-processing agreements, which are integrated into the annual statement of assurance (from Deloitte).

Statement of Assurance - Why ISAE 3000?


Question:
Why ISAE 3000?

Answer:
Together with BDO, Evovia has chosen ISAE 3000 as the best and most comprehensive international standard for our area. Individual customers can see the latest update on their profile. It is updated annually.

The overall difference between ISAE 3000 and similar standards such as ISAE 3402 is that ISAE 3402 applies when the statement, and the controls it covers, concern financial reporting. If Evovia's product were, for example, to supply Axapta, the statement would have to be usable by our customers' auditors when auditing our customers' accounts. In that case it should be an ISAE 3402.

But that is not how our product works.

ISAE 3000 can be used for anything other than financial reporting, including, for example, reporting on the controls over personal data that Deloitte has reviewed with us. Generally, it can be used for anything that does not process financial information, e.g. service desk systems, portals, etc.

That said, there are overlaps in the controls. Area B of our statement addresses general IT controls, which are often also covered by an ISAE 3402 statement. An ISAE 3402 statement will often contain even more IT controls, but it will not address personal data.

Which type of statement should be provided depends on the service delivered. If our customers want a report on whether Evovia complies with the data processing agreement and protects the customers' personal data, then ISAE 3000 is the right one. If we were a data center, or otherwise ran the customers' IT systems, ISAE 3402 might be better.

That is why we have chosen ISAE 3000.

Warranties - in case of security breach


Question:
Something seems to be missing, especially in the "Reporting of security breaches" section. Evovia does not provide any contractual assurance that we will be able to meet the 72-hour requirement for a data breach on Evovia's side, since Evovia does not guarantee to provide the information that Articles 33 and 34 require.

Answer:
No, nothing is missing. Both parts are clearly covered, and Evovia provides the necessary guarantees.

Please be aware that the data controller's deadline of at most 72 hours only starts to run once the notification has been received from the data processor. Since the data processor must notify without undue delay, and since the data processor only has to establish that a breach has occurred (not assess its risk), there is in practice very little room for delay between the data processor becoming aware of the breach and the notification being given.

Evovia's data processing agreement provides that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.

Therefore, the necessary guarantees that Evovia will assist in fulfilling the data controller's obligations are in place.

Additional documentation:
The Ministry of Justice's report states on page 496 that:

As stated in the wording of the provision, the data controller's obligation to report a personal data breach to the supervisory authority is triggered once the data controller has become aware of a breach of personal data security. A mere presumption that a breach of personal data security has occurred, or a mere detection of an incident, is not considered sufficient to regard a breach of personal data security as having "occurred" within the meaning of the Regulation. Such a presumption may, however, cause the data controller to review the security of processing, cf. Article 32 of the Regulation.

In assessing whether a breach has occurred, particular weight must be given to whether the information referred to in Article 33(3) of the Regulation is available to the provider.

And on page 497:

As regards cases where the data controller has entrusted the processing of personal data to a data processor, reference is made to Article 33(2) of the Regulation, which is discussed in more detail below.

The Ministry of Justice's report therefore does not link the data controller's deadline and the data processor's deadline together.

These passages are repeated in the guidance issued by the Danish Data Protection Agency on personal data breaches.

The Article 29 Working Party states in its guidelines on personal data breach notification (WP250), page 13:

Article 33(2) makes it clear that if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller “without undue delay”. It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller. The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as “aware” once the processor has informed it of the breach. The obligation on the processor to notify its controller allows the controller to address the breach and to determine whether or not it is required to notify the supervisory authority in accordance with Article 33(1) and the affected individuals in accordance with Article 34(1). The controller might also want to investigate the breach, as the processor might not be in a position to know all the relevant facts relating to the matter, for example, if a copy or backup of personal data destroyed or lost by the processor is still held by the controller. This may affect whether the controller would then need to notify.

Regardless of what the Danish Data Protection Agency states in its presentation on data processor agreements, the data controller's deadline only starts to run once the notification has been received from the data processor. Since the data processor must notify without undue delay, and since the data processor only has to establish that a breach has occurred, there is in practice very little room for delay between the data processor becoming aware of the breach and the notification being given.

It follows that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.

The necessary guarantees that Evovia will assist in fulfilling the data controller's obligations are therefore clearly included.

What is the basis for the provision that the data processor can store data after termination of the Subscription Agreement? What legal obligation can this be?

The wording follows from the minimum requirements for a data processing agreement under Article 28(3)(g) of the GDPR. Evovia may be legally obliged to store data, for example where courts or other public authorities require Evovia to retain it. There is currently little practice in this area, which is why it is difficult to give a precise example.

Who is the third party beneficiary in the event of bankruptcy?

Evovia has chosen to deviate from clause 7.6 of the Danish Data Protection Agency's standard provisions, as it is difficult to see how this would work in practice. In the event of Evovia's bankruptcy, the rules of the Bankruptcy Act apply. This relationship should not be regulated in a data processing agreement, and the rules of the Bankruptcy Act cannot simply be waived. Although the Danish Data Protection Agency has chosen to include this provision in its standard contractual provisions, it is not a requirement under Article 28 of the GDPR. The data processing agreement therefore continues to comply with the GDPR even if this clause is omitted. Furthermore, it is an obligation that Evovia would very likely be unable to pass on to its sub data processors, which would put Evovia in breach of the data processing agreement.