
Data Processing Addendum (DPA)

The Data Processing Agreement meets the requirements of Article 28, paragraph 3, of Regulation 2016/679 (the General Data Protection Regulation) regarding the Processor's processing of personal data.

Between the Parties

Visma By Creditro A/S (Data Processor)

&

The Customer (Data Controller)

This Data Processing Agreement constitutes Appendix 2. The Customer and Creditro have entered into an agreement on Creditro's standard terms for the provision of digital platforms. This data processor addendum (hereinafter referred to as “Data Processor Addendum” or “DPA”) is an integrated part of the Agreement and defines the terms for the processing of personal data.

Contents

  1. Preamble
  2. Rights and Obligations of the Controller
  3. The Processor acts on instruction
  4. Confidentiality
  5. Processing Security
  6. Use of Sub-processors
  7. Transfer to third countries or international organisations
  8. Assistance to the Controller
  9. Notification of Personal Data Breach
  10. Deletion and Return of Data
  11. Audit, including Inspection
  12. Parties' Agreement on Other Matters
  13. Entry into Force and Termination
  14. Contact Persons at the Controller and the Processor
  15. Appendix A — Information on Processing
  16. Appendix B — Sub-processors
  17. Appendix C — Instructions regarding the processing of personal data
  18. Appendix D — Parties' Regulation of Other Matters

 

1. Preamble

These Clauses set out the rights and obligations of the Processor when processing personal data on behalf of the Controller.

These Clauses are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

In connection with the provision of licenses for the Processor's solution(s) and service(s), the Processor processes personal data on behalf of the Controller in accordance with these Clauses.

These Clauses shall take precedence over any similar provisions in other agreements between the parties.

There are four appendices to these Clauses, and the appendices form an integrated part of the Clauses.

Appendix A contains detailed information on the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects, and the duration of the processing.

Appendix B contains the Controller's conditions for the Processor's use of sub-processors and a list of sub-processors whose use the Controller has approved.

Appendix C contains the Controller's instructions regarding the Processor's processing of personal data, a description of the security measures that the Processor must implement as a minimum, and how the Processor and any sub-processors are supervised.

Appendix D contains provisions regarding other activities not covered by these Clauses.

These Clauses and their appendices shall be kept in writing, including electronically, by both parties.

These Clauses do not release the Processor from obligations imposed on the Processor by the General Data Protection Regulation or any other legislation.

 

2. Rights and Obligations of the Controller

The Controller is responsible for ensuring that the processing of personal data complies with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU law or national law of the Member States, and these Clauses.

The Controller has the right and obligation to make decisions regarding the purpose(s) and means by which personal data may be processed.

The Controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the Processor is instructed to perform.

 

3. The Processor acts on instruction

The Processor may only process personal data on documented instructions from the Controller, unless required by EU law or national law of the Member States to which the Processor is subject. These instructions must be specified in Appendices A and C. Subsequent instructions may also be given by the Controller while personal data is being processed, but the instructions must always be documented and kept in writing, including electronically, together with these Clauses.

The Processor shall immediately notify the Controller if, in its opinion, an instruction infringes the General Data Protection Regulation or data protection provisions in other EU law or national law of the Member States.

 

4. Confidentiality

The Processor may only grant access to personal data, which is processed on behalf of the Controller, to persons who are subject to the Processor's instructions, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed continuously. Based on this review, access to personal data may be closed if access is no longer necessary, and the personal data shall thereafter no longer be available to these persons.

The Processor shall, upon request from the Controller, be able to demonstrate that the persons concerned, who are subject to the Processor's instructions, are subject to the aforementioned duty of confidentiality.

 

5. Processing Security

Article 32 of the General Data Protection Regulation states that the Controller and the Processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to those risks. The Controller shall assess the risks to the rights and freedoms of natural persons that the processing entails and implement measures to address these risks. Depending on their relevance, these may include:

  1. pseudonymisation and encryption of personal data
  2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring processing security

Pursuant to Article 32 of the Regulation, the Processor – independently of the Controller – shall also assess the risks to the rights of natural persons that the processing entails and implement measures to address these risks. For the purpose of this assessment, the Controller shall make the necessary information available to the Processor, enabling the latter to identify and assess such risks.

In addition, the Processor shall assist the Controller with the Controller's compliance with the Controller's obligation under Article 32 of the Regulation, inter alia, by making the necessary information available to the Controller regarding the technical and organisational security measures that the Processor has already implemented in accordance with Article 32 of the Regulation, and all other information necessary for the Controller's compliance with its obligation under Article 32 of the Regulation.

If the mitigation of the identified risks – in the Controller's assessment – requires the implementation of additional measures beyond those already implemented by the Processor, the Controller shall specify the additional measures to be implemented in Appendix C.

 

6. Use of Sub-processors

The Processor shall fulfil the conditions referred to in Article 28(2) and (4) of the General Data Protection Regulation for using another processor (a sub-processor).

The Processor may therefore not use a sub-processor to fulfil these Clauses without prior timely notification to the Controller.

The Processor has the Controller's general approval for the use of sub-processors. The Processor shall inform the Controller in writing of any planned changes concerning the addition or replacement of sub-processors with at least 30 days' notice, thereby giving the Controller the opportunity to object to such changes before the use of the sub-processor(s) concerned. Longer notice for notification in connection with specific processing activities may be specified in Appendix B. The list of sub-processors already approved by the Controller is set out in Appendix B.

When the Processor uses a sub-processor in connection with the performance of specific processing activities on behalf of the Controller, the Processor shall, by way of a contract or other legal document under EU law or national law of the Member States, impose on the sub-processor the same data protection obligations as those set out in these Clauses, thereby providing in particular sufficient guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing complies with the requirements of these Clauses and the General Data Protection Regulation.

The Processor is therefore responsible for requiring the sub-processor to comply at a minimum with the Processor's obligations under these Clauses and the General Data Protection Regulation.

Sub-processor agreement(s) and any subsequent amendments thereto shall be sent – upon the Controller's request – as a copy to the Controller, who thereby has the opportunity to ensure that equivalent data protection obligations as those arising from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement shall not be sent to the Controller.

The Processor shall, if possible, include the Controller as a beneficiary third party in its agreement with the sub-processor in the event of the Processor's bankruptcy, so that the Controller can step into the Processor's rights and enforce them against sub-processors, which, for example, enables the Controller to instruct the sub-processor to delete or return personal data.

If the sub-processor does not fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the fulfilment of the sub-processor's obligations. This does not affect the rights of the data subjects, which follow from the General Data Protection Regulation, including in particular Articles 79 and 82 of the Regulation.

 

7. Transfer to third countries or international organisations

Any transfer of personal data to third countries or international organisations may only be carried out by the Processor on the basis of documented instructions from the Controller and shall always take place in accordance with Chapter V of the General Data Protection Regulation.

If the transfer of personal data to third countries or international organisations, which the Processor has not been instructed to carry out by the Controller, is required by EU law or national law of the Member States, to which the Processor is subject, the Processor shall notify the Controller of this legal requirement before processing, unless the relevant law prohibits such notification on important grounds of public interest.

Without documented instructions from the Controller, the Processor may therefore not, within the framework of these Clauses:

  1. transfer personal data to a controller or processor in a third country or an international organisation
  2. outsource the processing of personal data to a sub-processor in a third country
  3. process personal data in a third country

The Controller's instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation, on which the transfer is based, shall be specified in Appendix C.6.

These Clauses should not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the General Data Protection Regulation, and these Clauses cannot constitute a basis for the transfer of personal data as referred to in Chapter V of the General Data Protection Regulation.

 

8. Assistance to the Controller

The Processor shall, taking into account the nature of the processing, as far as possible assist the Controller by means of appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests for exercising the rights of data subjects as set out in Chapter III of the General Data Protection Regulation.

This implies that the Processor shall, as far as possible, assist the Controller in ensuring compliance with:

  1. the information obligation when collecting personal data from the data subject
  2. the information obligation if personal data has not been collected from the data subject
  3. the right of access
  4. the right to rectification
  5. the right to erasure (“right to be forgotten”)
  6. the right to restriction of processing
  7. the notification obligation in connection with rectification or erasure of personal data or restriction of processing
  8. the right to data portability
  9. the right to object
  10. the right not to be subject to a decision based solely on automated processing, including profiling

In addition to the Processor's obligation to assist the Controller in accordance with Clause 5.3, the Processor shall further, taking into account the nature of the processing and the information available to the Processor, assist the Controller with:

  1. the Controller's obligation to notify the competent supervisory authority, the Danish Data Protection Agency, of a personal data breach without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is unlikely that the personal data breach will result in a risk to the rights or freedoms of natural persons
  2. the Controller's obligation to notify the data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons
  3. the Controller's obligation to carry out an analysis of the intended processing activities' consequences for the protection of personal data (a data protection impact assessment) prior to processing
  4. the Controller's obligation to consult the competent supervisory authority, the Danish Data Protection Agency, before processing, if a data protection impact assessment shows that the processing will lead to a high risk in the absence of measures taken by the Controller to mitigate the risk.

The Processor's assistance under this Clause does not entitle the Processor to separate payment for time spent, unless the time spent exceeds five (5) hours.

The parties shall specify in Appendix C the necessary technical and organisational measures by which the Processor shall assist the Controller, as well as the scope and extent of such assistance. This applies to the obligations arising from Clauses 8.1 and 8.2.

 

9. Notification of Personal Data Breach

The Processor shall without undue delay notify the Controller after becoming aware of a personal data breach.

The Processor's notification to the Controller shall, if possible, be made no later than 24 hours after becoming aware of the breach, so that the Controller can comply with its obligation to report the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.

In accordance with Clause 8.2, item 1, the Processor shall assist the Controller in reporting the breach to the competent supervisory authority. This means that the Processor shall assist in providing the information below, which, according to Article 33(3), must be included in the Controller's report of the breach to the competent supervisory authority:

  1. the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  2. the likely consequences of the personal data breach
  3. the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If the Processor has notified the Controller of a personal data breach without undue delay in accordance with Clause 9.1, and the breach is solely due to the Controller's circumstances, the Processor is entitled to separate remuneration for time spent on the notification.

The parties shall specify in Appendix C the information that the Processor shall provide in connection with its assistance to the Controller in the latter's obligation to report personal data breaches to the competent supervisory authority.

 

10. Deletion and Return of Data

Upon termination of the Processor's services relating to the processing of personal data, the Processor is obliged to delete all personal data that has been processed on behalf of the Controller and confirm to the Controller that the data has been deleted, unless the Controller instructs the Processor otherwise, or unless EU law or national law of the Member States prescribes the retention of personal data.

 

11. Audit, including Inspection

The Processor shall make all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Clauses available to the Controller and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor authorised by the Controller.

The procedures for the Controller's audits, including inspections, with the Processor and sub-processors are specified in Appendix C.7. and C.8.

The Processor is obliged to grant supervisory authorities, who, according to applicable legislation, have access to the Controller's or Processor's facilities, or representatives acting on behalf of the supervisory authority, access to the Processor's physical facilities upon proper identification.

 

12. Parties’ Agreement on Other Matters

The parties may agree on other provisions regarding the service concerning the processing of personal data, e.g., liability, as long as these other provisions do not directly or indirectly conflict with the Clauses or impair the fundamental rights and freedoms of the data subject as derived from the General Data Protection Regulation.

 

13. Entry into Force and Termination

The Clauses shall enter into force upon signature by both parties.

Both parties may demand renegotiation of the Clauses if changes in law or inconsistencies in the Clauses give rise thereto.

The Clauses are valid for as long as the service concerning the processing of personal data lasts. During this period, the Clauses cannot be terminated, unless other provisions governing the provision of the service concerning the processing of personal data are agreed between the parties.

If the provision of services concerning the processing of personal data ceases, and the personal data has been deleted or returned to the Controller in accordance with Clause 10.1 and Appendix C.4, the Clauses may be terminated with written notice by either party.

 

14. Contact Persons at the Controller and the Processor

The Processor can be contacted via the contact person below or by communication to persons normally communicated with in the contractual relationship between the Controller and the Processor.

Name – Asmita Velji Tejani
Position – Managing Director
Email – avt@creditro.com

On behalf of the Data Processor
Asmita Velji Tejani
Managing Director

 

Appendix A — Information on Processing

A.1. Purpose of the Processor's processing of personal data on behalf of the Controller

The processing of the Controller's personal data is carried out for the purpose of fulfilling the agreement entered into between the Processor and the Controller regarding the Processor's delivery of the Processor's solutions and services. The Processor's solutions covered by this data processing agreement are listed in the Main Agreement and any addendums to the Main Agreement. The purpose of the Processor's solution(s) and/or service(s) is:

  • Creditro Comply: To assist the Controller in complying with its obligations under anti-money laundering legislation, including inviting persons associated with the Controller's Clients to be registered as End-users of Creditro and to store documentation for anti-money laundering investigations.
  • Kyc.Creditro.com / StoreMyID: To create and maintain an ID database of money laundering-relevant persons for use with the Creditro Comply solution.
  • Creditro Assess: To obtain and provide information on financial and credit-related matters to the Controller and to store the obtained information for the Controller.
  • Creditro Sign: To send and store documents in connection with digital signatures on behalf of the Controller.

A.2. Nature of Processing

As owner and provider of the solution, the Processor carries out the general operation of the solution(s) and/or service(s) for the Controller, including hosting, displaying, organising, receiving, forwarding, structuring, adapting, implementing, searching, processing, storing, restoring, deleting, restricting, maintaining, developing, logging, supporting, troubleshooting and other IT services related to the Processor's solution(s) and/or service(s), in accordance with the agreement entered into between the parties.

A.3. Types of Personal Data

The Processor generally processes the categories of personal data listed below. However, when using the solution, the Controller may transfer the processing of all types of data and personal data to the Processor, which means the Processor could potentially process all categories of personal data.

Categories of personal data: ordinary personal data (cf. Article 4(1) and Article 6 GDPR); ordinary and confidential personal data, including Danish civil registration (CPR) numbers (cf. Article 87 GDPR):

Creditro Comply

  • Name
  • Contact information, including email address and mobile phone number
  • Relationship to company, firm, or organization, including role as owner, management member, position; PEP status
  • Anti-money laundering reports
  • Copies of identity documents
  • CPR number
  • Media mentions
  • Information in documents that the Controller uploads to the Processor's service
  • Information that the Processor, by agreement with the Controller, obtains for the Controller's use

Kyc.creditro.com / StoreMyID

  • Name
  • Contact information, including email address and mobile phone number
  • Relationship to company, firm, or organization, including role as owner, management member, position; PEP status
  • Anti-money laundering reports
  • Copies of identity documents
  • CPR number
  • Media mentions
  • Information in documents that the Controller uploads to the Processor's service
  • Information that the Processor, by agreement with the Controller, obtains for the Controller's use

Creditro Assess

  • Name
  • Contact information, including email and mobile phone number
  • Relationship to company, firm, or organization, including role as owner, management member, and position
  • Company reports
  • Financial affairs
  • CPR number
  • Media mentions
  • Information that the Processor, by agreement with the Controller, obtains for the Controller's use

Creditro Sign

  • Name
  • Contact information, including email and mobile phone number
  • Relationship to company, firm, or organization, including role as owner, management member, and position
  • Data contained in the document
  • Electronic signature

A.4. Categories of Data Subjects

The Processor generally processes the categories of data subjects listed below. However, when using the solution, the Controller may transfer the processing of all types of data and personal data to the Processor, which means the Processor could potentially process personal data about more categories of data subjects.

Creditro Comply

  • Individuals whom the Controller wishes to conduct anti-money laundering investigations on
  • Individuals who have a relationship with companies, firms, or organizations about whom the Controller wishes to obtain information
  • Individuals who appear in documents that the Controller uploads to the used solutions

StoreMyID

  • Individuals whom the Controller wishes to conduct anti-money laundering investigations on
  • Individuals who have a relationship with companies, firms, or organizations about whom the Controller wishes to obtain information
  • Individuals who appear in documents that the Controller uploads to the used solutions

Creditro Assess

  • Individuals about whom the Controller wishes to obtain information

Creditro Sign

  • Individuals whom the Controller wishes to have sign documents

A.5. Start and Duration

The Processor's Processing of Personal Data on Behalf of the Controller can commence after these Clauses enter into force.

Duration: The processing is not time-limited and continues until the subscription agreement between the parties regarding the delivery of the Processor's tools to the Controller is terminated or rescinded by one of the parties.

 

Appendix B — Sub-processors

B.1. Approved Sub-processors

Upon the entry into force of these Clauses, the Controller has approved the use of the following sub-processors, depending on the solution specified in the Main Agreement or addendum to the Main Agreement.

 
Creditro Comply

Name: Microsoft Azure
Company registration no.: SEC CIK 0000789019
Data location: Northern Europe, EU
Description of processing: Hosting and operation of Creditro's IT environment. Backup across the operations centre and backup service jobs. The server setup is dedicated to Creditro.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: MongoDB
Company registration no.: IE9793087U
Address: Ballsbridge 1, 2, Dublin 4
Data location: EU
Description of processing: Backup and hosting of Creditro's IT development environment.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: Mailjet
Company registration no.: FR67524536992
Address: 4 rue Jules Lefebvre, 75009 Paris
Data location: EU
Description of processing: Email distribution.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).
 
 
KYC.creditro.com / StoreMyID

Name: Microsoft Azure
Company registration no.: SEC CIK 0000789019
Data location: Northern Europe, EU
Description of processing: Hosting and operation of Creditro's IT environment. Backup across the operations centre and backup service jobs. The server setup is dedicated to Creditro.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: Mailjet
Company registration no.: FR67524536992
Address: 4 rue Jules Lefebvre, 75009 Paris
Data location: EU
Description of processing: Email distribution.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: MongoDB
Company registration no.: IE9793087U
Address: Ballsbridge 1, 2, Dublin 4
Data location: EU
Description of processing: Backup and hosting of Creditro's IT development environment.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).
 
 
Creditro Assess

Name: Microsoft Azure
Company registration no.: SEC CIK 0000789019
Data location: Northern Europe, EU
Description of processing: Hosting and operation of Creditro's IT environment. Backup across the operations centre and backup service jobs. The server setup is dedicated to Creditro.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: Mailjet
Company registration no.: FR67524536992
Address: 4 rue Jules Lefebvre, 75009 Paris
Data location: EU
Description of processing: Email distribution.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: Experian
Company registration no. (CVR): 63670928
Address: Lyngbyvej 2, 2100 København Ø, Denmark
Data location: EU
Description of processing: RKI notice.

Name: MongoDB
Company registration no.: IE9793087U
Address: Ballsbridge 1, 2, Dublin 4
Data location: EU
Description of processing: Backup and hosting of Creditro's IT development environment.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).
 
 
Creditro Sign

Name: Microsoft Azure
Company registration no.: SEC CIK 0000789019
Data location: Northern Europe, EU
Description of processing: Hosting and operation of Creditro's IT environment. Backup across the operations centre and backup service jobs. The server setup is dedicated to Creditro.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: Mailjet
Company registration no.: FR67524536992
Address: 4 rue Jules Lefebvre, 75009 Paris
Data location: EU
Description of processing: Email distribution.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: MongoDB
Company registration no.: IE9793087U
Address: Ballsbridge 1, 2, Dublin 4
Data location: EU
Description of processing: Backup and hosting of Creditro's IT development environment.
Processing takes place in accordance with the sub-processor's standard data processing agreement. The relevant transfer basis is the EU standard contractual clauses (SCC).

Name: twoday Addo
Company registration no. (CVR): 29973334
Address: Gærtorvet 1-5, 1799 København V
Data location: EU
Description of processing: Digital signature.

 

Upon entry into force of these Clauses, the Controller has approved the use of the above-mentioned sub-processors for the described processing activities. The Processor may not, without notice to the Controller, use a sub-processor for a processing activity other than the one described and agreed, or use another sub-processor for that processing activity.

The Processor's solutions covered by this DPA are set out in the Main Agreement and any amendments to it. The Processor shall maintain a current list of sub-processors on the Processor's website; that list constitutes the current Appendix B. Copies of the sub-processor agreements may be requested via the website or by written request to the Processor.

B.2. Notice for information on the use of sub-processors

The data processor's notification of any planned changes regarding the addition or replacement of sub-processors must reach the data controller at least 30 days before the use or change is to come into effect, insofar as this is immediately possible, cf. contractual clause 7, 7.3.

The data processor guarantees that any use of sub-processors complies with the legislation and this agreement in general. In this regard, the data processor ensures that in the event of a third-country transfer to an unsafe third country, a valid transfer basis exists and a satisfactory Transfer Impact Assessment is available to the extent required by the legislation.

Notwithstanding the above, the data controller accepts that there may be very special cases where a specific need may arise for the change regarding the addition or replacement of sub-processors to take place at shorter notice, e.g. critical situations where the solution cannot be operated. In such cases, the data processor will notify the data controller of the change as soon as possible. It is noted that these cases are completely extraordinary critical situations. Critical situations are defined as situations that may cause, for example, non-compliance with legislation, including data loss and the like. In these cases, the data controller may object to the change regardless of whether the effective date has occurred. Objections must be made within 30 days of the data controller being notified of the change.

If the data controller objects to the changes, the data controller must notify the data processor thereof before the change's notified effective date. The data controller may only object if the data controller has reasonable, concrete reasons for doing so.

By objecting, the data controller also accepts that the data processor may be prevented from providing all or part of the agreed services. Such non-compliance cannot be attributed to the data processor's breach of contract. The data processor maintains its claim to payment for such services, regardless of whether they cannot be provided to the data controller.

Where it is specifically agreed that the processor may not use sub-processors without the prior consent of the controller, the controller accepts that this may result in the processor being prevented from performing the services. If the controller has refused changes to add or replace sub-processors, a failure to provide the services will therefore not be considered a breach of the parties' agreement on the provision of the services attributable to the processor, where the failure to perform is attributable to the circumstances of a sub-processor.

Appendix C — Instructions regarding the processing of personal data

C.1. Subject matter/instructions of the processing

The data processor may only process data on instructions from the data controller. The data processor's processing of personal data on instructions from and on behalf of the data controller is carried out by the data processor generally performing the following:

General operations, including hosting, displaying, organizing, receiving, forwarding, structuring, adapting, implementing, searching, processing, storing, restoring, deleting, restricting, maintaining, developing, logging, supporting, troubleshooting and other IT services related to the data processor's solution(s) and/or service(s) to the data controller in accordance with the agreement entered into between the parties.

The data processor's processing of personal data on behalf of the data controller is carried out by the data processor performing the following:

Creditro Comply

  • Obtain information about the possible status of the persons specified by the data controller as PEP or RCA. Obtain information about whether the person is registered on public sanctions lists. Based on the information uploaded by the data controller and information obtained from third parties, assess the risk of the person's involvement or risk of involvement in money laundering or terrorist financing. Continuously monitor and update information about persons obtained for the data controller.

StoreMyID

  • Send invitations via email to the persons specified by the data controller with a link to create a StoreMyID account. Store identity documents and responses to the KYC questionnaire on behalf of the data controller.
  • Send invitations via email with a link to StoreMyID referencing profile updates at intervals determined by the data controller in StoreMyID.

Creditro Assess

  • Obtain information on financial and credit-related matters about companies and individuals on instructions from the data controller. Analyze information in scoring models defined and/or approved by the data controller. Store information and analyses on behalf of the data controller and, by agreement, continuously obtain updated information.

Creditro Sign

  • Electronically send documents ordered by the data controller for digital signing by instructed persons. Register signatures and store signed documents on behalf of the data controller for documentation purposes.

The solutions covered by this data processing agreement are set out in the Main Agreement and any amendments to the Main Agreement.

C.2. Processing security

The security level must reflect that processing may include various categories of personal data as listed in Annex A. The data processor has implemented a generally high level of security. The data processor is entitled and obliged to decide which technical and organizational measures are implemented to establish the necessary level of security.

Minimum measures (agreed):

Information Security

  • Policies, controls and processes for confidentiality, integrity, availability.
  • Processing only on instruction; procedures reviewed at least annually.

Physical and Environmental Security

  • Protect premises against unauthorized access; evaluate and improve measures as needed; align level with threat landscape and data sensitivity.

Communication & Encryption

  • Protect systems and networks; protect data in transit; use appropriate encryption per law and good practice; encrypted transmission for sensitive/confidential information; firewalls allow only encrypted traffic.

Firewall / Remote Access

  • External access only via VPN; admin access controlled to maintain firewall configuration and rules.

Antivirus

  • Installed and kept up to date.

Backup

  • Daily backups; restore without undue delay; backups stored separately from primary data in a security-approved data center; redundant environment to ensure availability.

Home/Remote Workplaces

  • Encrypted connection to networks; internal instructions for employees; use of 2-factor authentication where technically possible.

Instruction of Employees

  • Ongoing awareness and training; information security policy approved within past year; onboarding/offboarding procedures; signed confidentiality; awareness training documented.

Disposal of Equipment

  • Formal processes to ensure effective deletion before disposal.

Logging

  • Logging in all environments processing personal data.
  • Log privileged activities and changes to logging settings and user rights.
  • Define scope based on risk; ensure storage capacity; perform regular spot checks.
  • Protect logs against deletion and manipulation.

C.3. Assistance to the data controller

Rights of data subjects (cf. clause 9.1):

  • Assist with access, deletion, restriction, rectification (incl. sub-processors).
  • Assist without undue delay; maintain procedure for handling data subject requests.

Breaches and incidents (cf. clause 9.2): information to be sent

  • Facts (time, place, cause), timeline (start, discovery, end)
  • Nature (confidentiality, integrity, availability impacted)
  • Approx. categories and numbers of data subjects and data types (if possible)
  • Contact point details
  • Likely consequences
  • Measures taken or proposed

C.4. Retention period/deletion routine

Personal data is stored for the period of the parties' agreement on delivery of the data processor's solution(s)/service(s), or pursuant to a separate written agreement, after which it is deleted. Upon termination, the data processor shall delete or return personal data in accordance with clause 11.1, unless the controller has changed the original choice and documented it in writing.

C.5. Location of processing

Processing cannot, without prior written approval from the controller, take place at locations other than those specified in this DPA and the addresses stated for sub-processors (including further tiers) as described in Appendix B.

C.6. Instructions regarding transfer to third countries

If the controller does not provide documented instructions regarding third-country transfers, the processor is not entitled to make such transfers within these Terms, unless to authorized sub-processors in Annex B. Transfer grounds per GDPR Chapter V apply as listed in Annex B. Where required, a satisfactory TIA must be prepared prior to transfers to unsafe third countries.

C.7. Procedures for the controller's audits/inspections

  • Within 12 months, the processor obtains at its own expense an ISAE 3000 (or equivalent) report regarding compliance with GDPR and these Provisions; available on the processor’s website.
  • The controller may, for a fee, challenge scope/methodology and request a new report.
  • Based on results, the controller may request additional measures.
  • The controller (or representative) may, for a fee, carry out inspections, including physical inspections, when deemed necessary; controller bears own costs.

C.8. Procedures for audits/inspections of sub-processors

  • The processor, at its own expense, supervises sub-processors in line with Danish DPA guidance.
  • Documentation of such supervision is forwarded to the controller upon request.

Appendix D — The parties' regulation of other matters

D.1 Liability and breach

Any breach of the Provisions shall be regulated and dealt with in accordance with the parties' agreement regarding the provision of the services.

In cases where the data processor has paid amounts to data subjects in accordance with Article 82 GDPR or Section 26 of the Danish Liability Act, the data processor shall have full recourse against the data controller for the amount paid which exceeds the agreed limitation of liability in the parties' agreement regarding the provision of the services.

The parties have hereby contractually deviated from Article 82(5) GDPR and Section 26 of the Danish Liability Act. Notwithstanding Article 82(5) GDPR, a party that has paid compensation to an injured party that does not correspond to full compensation may have recourse in accordance with the principle in Article 82(5).

In relation to other compensation for non-economic losses to data subjects, the principle in Article 82 shall also apply with regard to the internal final division of responsibility between the data processor and the data controller.

The parties may not assert recourse or claim for compensation against the other party for fines or other penalties imposed pursuant to section 41 of the Data Protection Act and for fines accepted pursuant to section 42 of the Data Protection Act.

D.2 Consequences of the data controller's unlawful instruction

The Data Controller is aware that the Data Processor is dependent on the Data Controller's instructions as to the extent to which the Data Processor is entitled to use and process the Personal Data on behalf of the Data Controller. The Data Processor is therefore not liable for claims arising from the Data Processor's acts or omissions to the extent that these acts or omissions constitute a direct data processing activity carried out in accordance with the Data Controller's instructions, unless it can be established that the Data Processor was aware of the unlawfulness of the processing.

D.3 Use of sub-processors that provide on standard terms

Notwithstanding clause 7 of the contract, if the data processor uses a sub-processor that provides its services on its own terms, from which the data processor cannot deviate, the sub-processor’s terms apply to the entrusted processing activities. Where processing takes place on the terms of a sub-processor, this is indicated by the relevant sub-processor in the list of sub-processors. By these Provisions, the data controller accepts and instructs that such specific processing activities take place on the sub-processor’s terms.

D.4 Deletion and return of information

It is agreed that the data controller will instruct the data processor on deletion and return of personal data upon termination of the Provisions.

The data controller shall, no later than 30 days after processing has ceased, notify whether all personal data shall be deleted or returned. If returned, the processor shall also delete any copies and ensure sub-processors comply.

If no notification is received within 30 days after processing has ceased, the processor shall send a reminder. If the controller still fails to notify, the processor is entitled to delete personal data without further notice.

The processor is entitled to remuneration for processing activities up to the time the controller informs whether data should be deleted or returned.