Data Processing Agreement

between

The Data Controller:

[Organization Name]
[Organization Company Registration Number]
[Organization Address]
[Organization Zipcode and City]
[Organization Country]

and

The Data Processor:

NemTilmeld.dk ApS for EasySignup.com
CVR 27 67 31 20
Strømmen 6
DK-9400 Nørresundby
Denmark

1. Data Processing Agreement preamble

1.1. The Data Controller has a request to enter into an agreement about an online signup and registration system that can be used for events that require the Data Controller's guests (in the following referred to as "Attendees") to sign up, register and possibly pay a fee before attending an event. The system is delivered online as a self-service system.

1.2. The Data Processor's processing of personal data is carried out in order to fulfil the agreement regarding delivery of the above mentioned self-service system, in the following referred to as the "Main Agreement".

1.3. This Data Processing Agreement is valid from [Date of signing] and sets out the rights and obligations that apply to the Data Processor's processing of personal data on behalf of the Data Controller in the self-service system.

1.4. Personal data about The Data Controller and their users (given access to the administration by The Data Controller) that is being used for The Data Processor's own purposes is not regulated by this Data Processing Agreement. The Data Processor is considered as data controller for this processing. The Data Processor's processing of The Data Controller's and their users' (given access to the administration by The Data Controller) personal data is regulated in the "Cookie- and Privacy Policy" at the address www.EasySignup.com/terms/cookie-and-privacy-policy/en/.

1.5. This Agreement has been designed to ensure the Parties' compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.

1.6. The Data Processing Agreement and the "Main Agreement" shall be interdependent and cannot be terminated separately. The Data Processing Agreement may however - without termination of The Main Agreement - be replaced by an alternative valid Data Processing Agreement.

1.7. This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the "Main Agreement".

1.8. Four appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.

1.9. Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

1.10. Appendix B of the Data Processing Agreement contains the Data Controller's terms and conditions that apply to the Data Processor's use of Sub-Processors, instructions on transfer to a third country and a list of Sub-Processors and recipients approved by the Data Controller.

1.11. Appendix C of the Data Processing Agreement contains instructions on the processing that the Data Processor is to perform on behalf of the Data Controller (the subject of the processing), the minimum security measures that are to be implemented and how inspection with the Data Processor and any Sub-Processors is to be performed.

1.12. Appendix D of the Data Processing Agreement contains contact information about The Data Controller's Data Protection Officer or person responsible for data protection that Attendees can contact regarding the handling of The Data Controller's obligations in relation to General Data Protection Regulation and the Danish Data Protection Act.

1.13. The Data Processing Agreement and its associated Appendices shall be retained in writing as well as electronically by both Parties.

1.14. This Data Processing Agreement shall not exempt the Data Processor from obligations to which the Data Processor is subject pursuant to the General Data Protection Regulation or other legislation.

2. The rights and obligations of the Data Controller

2.1. EasySignup.com is a self-service system where the information processed by The Data Processor on behalf of The Data Controller is carried out based on the information provided and requested by The Data Controller when creating or editing an event in the self-service system.

2.2. The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data carried out on behalf of The Data Controller in the self-service system, takes place within the framework of the General Data Protection Regulation and the Danish Data Protection Act, including that the processing is necessary and reasoned in relation to The Data Controller's purposes.

2.3. The Data Controller shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.

2.4. The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorized in law.

2.5. Based on the information that The Data Controller requests and provides when creating or editing an event, the self-service system automatically generates a set of terms of registration. The Data Controller is obligated to read and verify that the information in the terms of registration is adequate in relation to the General Data Protection Regulation and the Danish Data Protection Act before the self-service system can be used to register and accept signups and payment from Attendees.

2.6. The Data Controller warrants and accepts full responsibility for any users who have access to The Data Controller's account in the self-service system. The Data Controller must inform any of their users of the account in the self-service system about the responsibilities that lie with each user, including any potential issues that may arise when sharing login details.

2.7. Within the self-service system The Data Controller is able to print/send out an "attendee list", display "external statistics" and display a "public attendee list". If these features are used by The Data Controller, it is The Data Controller's responsibility to ensure that use and display of Attendees' information is in accordance with the General Data Protection Regulation and the Danish Data Protection Act.

3. The Data Processor acts according to instructions

3.1. The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.

3.2. The Data Controller provides the documented instructions in part through this Data Processing Agreement and in part through use of the self-service system, meaning the information provided by The Data Controller in the system settings as well as general use of the system. Use of the self-service system therefore means that the instructions are automatically processed by the system and that The Data Processor does not on a regular basis assess whether or not the instructions conflict with the General Data Protection Regulation and the Danish Data Protection Act.

3.3. The Data Processor may only access The Data Controller's pages in the system when relevant due to support tasks. If during support, or in other ways, it comes to The Data Processor's attention that instructions are deemed to be in conflict with the General Data Protection Regulation or the Danish Data Protection Act, The Data Controller is immediately notified.

4. Confidentiality

4.1. The Data Processor shall ensure that only those persons who are currently authorized to do so are able to access the personal data being processed on behalf of the Data Controller. Access to the data shall therefore without delay be denied if such authorization is removed or expires.

4.2. Only persons who require access to the personal data in order to fulfil the obligations of the Data Processor to the Data Controller shall be provided with authorization.

4.3. The Data Processor shall ensure that persons authorized to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality.

4.4. The Data Processor shall at the request of the Data Controller be able to demonstrate that the employees concerned are subject to the above confidentiality.

5. Security of processing

5.1. The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

5.2. The Data Processor shall in ensuring the above - in all cases - at a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.

6. Use of Sub-Processors

6.1. The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the General Data Protection Regulation in order to engage another processor (Sub-Processor).

6.2. The Data Processor shall therefore not engage another processor (Sub-Processor) for the fulfilment of this Data Processing Agreement without the prior specific or general written consent of the Data Controller.

6.3. In the event of general written consent, the Data Processor shall inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes.

6.4. The Data Controller's requirements for the Data Processor's engagement of other sub-processors shall be specified in Appendix B to this Data Processing Agreement.

6.5. The Data Controller's consent to the engagement of specific sub-processors, if applicable, shall be specified in Appendix B to this Data Processing Agreement.

6.6. When the Data Processor has the Data Controller's authorization to use a sub-processor, the Data Processor shall ensure that the Sub-Processor is subject to the same data protection obligations as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organizational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.

The Data Processor shall therefore be responsible - on the basis of a sub-processor agreement - for requiring that the sub-processor at least comply with the obligations to which the Data Processor is subject pursuant to the requirements of the General Data Protection Regulation and this Data Processing Agreement and its associated Appendices.

6.7. If the Sub-Processor does not fulfil his data protection obligations, the Data Processor shall remain fully liable to the Data Controller as regards the fulfilment of the obligations of the Sub-Processor.

7. Transfer of data to third countries or international organizations

7.1. The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller, including as regards transfer (assignment, disclosure and internal use) of personal data to third countries or international organizations, unless processing is required under EU or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.

7.2. Without the instructions or approval of the Data Controller, the Data Processor therefore cannot:

  1. disclose personal data to a data controller in a third country or in an international organization
  2. assign the processing of personal data to a sub-processor in a third country
  3. have the data processed in another of the Data Processor's divisions which is located in a third country

7.3. The Data Controller's instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in Appendix B to this Data Processing Agreement.

7.4. To the extent that The Data Processor is entitled to transfer personal data to a third country as described in Appendix B to this Data Processing Agreement, The Data Processor is committed to ensure that:

  1. such a transfer is legal, including that an appropriate security level is present for the transfer of personal data e.g. when entering into the European Commission's standard contractual clauses,
  2. all necessary approvals have been obtained, as well as
  3. all necessary notifications in regards to the transfer in question have been given to the relevant supervisory authority.

8. Assistance to the Data Controller

8.1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organizational measures, in the fulfilment of the Data Controller's obligations to respond to requests for the exercise of the Attendees' rights pursuant to Chapter 3 of the General Data Protection Regulation.

This entails that the Data Processor should as far as possible assist the Data Controller after The Data Controller's verification of The Attendee in the compliance with:

  1. notification obligation when collecting personal data from The Attendee
  2. notification obligation if personal data have not been obtained from The Attendee
  3. right of access by The Attendee
  4. the right to rectification
  5. the right to erasure ("the right to be forgotten")
  6. the right to restrict processing
  7. notification obligation regarding rectification or erasure of personal data or restriction of processing
  8. the right to data portability
  9. the right to object
  10. the right to object to the result of automated individual decision-making, including profiling

In the self-service system The Data Controller is able to comply with a number of the mentioned obligations to The Attendee without assistance from The Data Processor. The self-service system is regularly updated so that the majority of The Data Controller's obligations to The Attendee can be done directly in the system without assistance from The Data Processor.

In the event that The Data Processor receives a request to access from The Attendee, The Data Processor must as soon as possible forward this request to The Data Controller.

8.2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub-section 3, para f.

This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller's compliance with:

  1. the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing
  2. the obligation to report personal data breaches to the supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  3. the obligation - without undue delay - to communicate the personal data breach to The Attendee(s) when such breach is likely to result in a high risk to the rights and freedoms of natural persons
  4. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
  5. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk

8.3. The Data Processor is entitled to be compensated for its employees' time used in relation to:

  1. any assistance with reporting the data breach to the Danish Data Protection Agency, unless the breach is due to The Data Processor
  2. any assistance to carrying out a data protection impact assessment
  3. assistance to consulting the supervisory authority before processing that will lead to high risk due to the lack of measures taken by the Data Controller to limit risk

The price is EUR 150 excluding VAT per hour.

9. Notification of personal data breach

9.1. On discovery of a personal data breach at the Data Processor or a sub-processor, the Data Processor shall without undue delay notify the Data Controller.

The Data Processor's notification to the Data Controller shall, if possible, take place within 2-4 hours after the Data Processor has discovered the breach and an additional more detailed notification within 36 hours after the Data Processor has discovered the breach, to enable the Data Controller to comply with his obligation, if applicable, to report the breach to the supervisory authority within 72 hours.

9.2. According to Clause 9.2., para b, of this Data Processing Agreement, the Data Processor shall - taking into account the nature of the processing and the data available - assist the Data Controller in the reporting of the breach to the supervisory authority.

This may mean that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in the Data Controller's report to the supervisory authority:

  1. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
  2. Probable consequences of a personal data breach
  3. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage

10. Erasure and return of data

10.1. On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller's discretion, to erase or return all the personal data to the Data Controller and to erase existing copies unless EU law or Member State law requires storage of the personal data.

10.2. Information related to a payment is stored for the remainder of the relevant financial year and an additional 5 years according to the Danish Bookkeeping Act.

11. Inspection and audit

11.1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and this Data Processing Agreement, and allow for and contribute to audits, including inspections performed by the Data Controller or another auditor mandated by the Data Controller.

11.2. The procedures applicable to the Data Controller's inspection of the Data Processor are specified in Appendix C to this Data Processing Agreement.

11.3. The Data Controller's inspection of sub-processors, if applicable, shall as a rule be performed through the Data Processor. The procedures for such inspection are specified in Appendix C to this Data Processing Agreement.

12. The Parties' agreement on other terms

12.1. In relation to this Data Processing Agreement, the parties are liable according to the applicable rules of current legislation. The parties, however, disclaim any liability for indirect losses and consequences such as consequential loss, loss of goodwill, loss of savings or income, including expenses to recover lost income, loss of interest, costs for restoration of data etc.

12.2. Any liability between the Data Controller and Data Processor according to this Data Processing Agreement is for all accumulated claims limited per calendar year to this threshold: The total amount The Data Processor has invoiced The Data Controller during the previous calendar year. In the case where The Data Controller has not been a subscriber during the previous calendar year, responsibility is assessed based on the amount of expected subscription and affiliated services for the current year.

The limitation of liability does not include losses due to the other party's deliberate action or gross negligence.

12.3. If any liability according to current legislation, including Article 82 of the General Data Protection Regulation, is claimed by the stated categories of data subjects in this Data Processing Agreement then:

  1. The Data Controller must indemnify the Data Processor for any claims, including legal costs, on the part of the claim for which the Data Controller is responsible according to current legislation, including Article 82, sub-section 5 of the General Data Protection Regulation.

  2. The Data Controller must indemnify the Data Processor for any claims, including legal costs, on the part of the claim above the threshold in section 12.2. for which the Data Processor is responsible according to current legislation, including Article 82, sub-section 5 of the General Data Protection Regulation.

  3. The Data Processor is only obligated to indemnify the Data Controller up to the threshold in section 12.2 and only on the part of the claim for which the Data Processor is responsible according to current legislation, including Article 82, sub-section 5 of the General Data Protection Regulation.

12.4. Regulation of jurisdiction and venue is specified in the Parties' "Main Agreement" and applies to this Data Processing Agreement as if this Data Processing Agreement was an integrated part of The Main Agreement.

12.5. Any liabilities not related to this Data Processing Agreement are regulated in the "Main Agreement".

13. Commencement and termination

13.1. This Data Processing Agreement becomes effective when both Parties have accepted it, either by signature or by checking a separate check box in the self-service system.

13.2. Both Parties shall be entitled to require that this Data Processing Agreement be renegotiated if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation. The other Party must be reached and notified of any changes at least 30 days prior to the changes taking effect.

13.3. This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the "Main Agreement".

13.4. This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the "Main Agreement" and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.

13.6. Signature

On behalf of the Data Controller
Name: [State name]
Position: [State position]
Date: [Date of signing]
Signature: [Inserted signature]

On behalf of the Data Processor
Name: Thomas Kjærgaard
Position: CEO
Date: [Date of signing]
Signature: [Inserted signature]

14. Data Controller and Data Processor contacts/contact points

14.1. The Parties may contact each other using the following contacts/contact points. This contact information will also be used in the event of data breach.

14.2. The Parties shall be under obligation continuously to inform each other of changes to contacts/contact points.

Contact person at The Data Controller:
Name: [State name]
Position: [State position]
Telephone number: [State telephone number]
E-mail: [State e-mail]

Contact person at the Data Processor:
Name: Thomas Kjærgaard
Position: CEO
Telephone number: +45 70404061
E-mail: thomas@easysignup.com

Appendix A

Information about the processing

The purpose of the Data Processor's processing of personal data on behalf of the Data Controller is:

  • That The Data Controller is able to use the self-service system EasySignup.com which is owned and managed by the Data Processor, to collect and process data about The Data Controller and the users they give access to the administration as well as The Data Controller's Attendees for events, courses, seminars and similar events.

The Data Processor's processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):

  • That the Data Processor makes available the self-service system EasySignup.com to the Data Controller and hereby stores personal data about the Data Controller and the users they give access to the administration as well as The Data Controller's Attendees for events, courses, seminars and similar events.

The processing carried out on behalf of The Data Controller includes the following types of personal data about data subjects:

  • EasySignup.com is a self-service system where the information processed by The Data Processor is the information provided by The Data Controller and requested from Attendees by The Data Controller when creating or editing an event, course, seminar or similar event. The Data Controller can therefore request any personal data including special category of personal data (sensitive data).
  • The majority of the information stored is: name, e-mail address, phone number, address, payment information, title, company/organization, job position, country of origin, sex, age as well as other information relevant for participation in a certain event, such as interests or knowledge about certain subjects.
  • Only a limited amount of special category of personal data is stored. An event's type such as a political event can entail that the particular event contains personal data simply due to the Attendee signing up and thereby assumed to be involved in the event's subject, such as political events, events for patients etc.

Processing done on behalf of The Data Controller includes the following categories of data subject:

  • Persons attending and having attended an event, course, seminar or similar event at The Data Controller.
  • Persons who use the self-service system to create or edit an event, course, seminar or similar.

The Data Processor's processing of personal data on behalf of the Data Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:

  • Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or canceled by one of the Parties.

Appendix B

Terms of the Data Processor's use of sub-processors, instructions regarding transfer to third country and list of approved sub-processors and recipients of personal data

B.1. Terms of the Data Processor's use of sub-processors, if applicable, in relation to the processing of personal data on behalf of The Data Controller

The Data Processor has the Data Controller's general consent for the engagement of sub-processors. The Data Processor shall, however, inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller a minimum of 30 days prior to the engagement of sub-processors or amendments coming into force. If the Data Controller should object to the changes, the Data Controller shall notify the Data Processor of this within 10 days of receipt of the notification. The Data Controller shall only object if the Data Controller has reasonable and specific grounds for such refusal.

B.2. Instructions regarding transfer of personal data processed on behalf of The Data Controller to third countries

If The Data Controller has not in this section or a subsequent written consent, approved transfer of personal data processed on behalf of The Data Controller to a third country, The Data Processor cannot within the boundaries of this Data Processing Agreement carry out such a transfer.

B.3. Approved sub-processors and recipients of personal data processed on behalf of The Data Controller

The table below lists all the sub-processors and recipients used by The Data Processor in the processing of personal data that The Data Processor does on behalf of The Data Controller. Personal data is only transferred to sub-processors and data recipients when necessary and is limited to the data necessary to carry out the function mentioned below. The Data Controller shall on commencement of this Data Processing Agreement approve the engagement of the following sub-processors and recipients:

| Supplier | Location/Country | Legal basis for processing outside the EU | Function |
|---|---|---|---|
| Amazon Web Services, Inc. | Agreement with company in: USA. Physical location of processing: Europe | EU-US Privacy Shield Framework | Hosting the signup system's queuing system during peak time. |
| Clearhaus A/S (CVR-number: DK-33749996) | Denmark | | Acquirer of transactions performed via credit cards. |
| Danske Bank A/S (CVR-number: DK-61126228) | Denmark | | Bank. |
| Google LLC | USA | EU-US Privacy Shield Framework | Displaying a road map on event signup pages. |
| Link Mobility A/S (CVR-number: DK-30077520) | Denmark | | SMS gateway. |
| Maxtel.dk ApS (CVR-number: DK-30207734) | Denmark | | IP telephony and mobile telephony. |
| NETS A/S (CVR-number: DK-37417497) | Denmark | | Acquirer of transactions performed via credit cards. |
| OnePacket Ltd | The Netherlands | | Hosting and maintenance of servers for the homepage. |
| QuickPay ApS (CVR-number: DK-77348642) | Denmark | | Payment gateway. |
| Spar Nord Bank A/S (CVR-number: DK-13737584) | Denmark | | Bank. |

The Data Controller shall on the commencement of this Data Processing Agreement approve the general use of the above sub-processors and recipients of personal data for the processing described specifically for that party. The Data Processor shall not be entitled - without the Data Controller's explicit written consent - to engage a sub-processor or recipient for 'different' processing than the one that has been agreed or have another sub-processor perform the described processing.

Appendix C

Instruction pertaining to the use of personal data

C.1. The subject of/instruction for the processing

The Data Processor's processing of personal data is carried out according to The Data Controller's instructions. Instructions from The Data Controller are given in part through this Data Processing Agreement and in part through use of the self-service system.

C.2. Security of processing

The level of security shall reflect:

That the processing involves a large volume of personal data and even though only a limited amount of personal data subject to Article 9 of the General Data Protection Regulation on 'special categories of personal data' is processed, The Data Processor operates on a proportionally 'high' level of security due to the self-service system being used by many different Data Controllers.

The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organizational security measures that are to be applied to create the necessary (and agreed) level of data security.

The Data Processor shall however - in any event and at a minimum - implement measures entailing that:

  • The self-service system is robust and technically resistant.
  • A backup procedure has been established.
  • All access to IT systems, servers and PCs containing confidential information, personal data and critical data is restricted based on specific authorizations. In that connection persons will be authorized for whom access is necessary in order to carry out audit or maintenance and technical system tasks.
  • Only persons who require access to the personal data in order to fulfil their work obligations are authorized to access the personal data.
  • Once a year access rights are reviewed, so that employees are only authorized the necessary access rights.
  • All access requires a personal user ID and password.
  • Personal data is erased effectively and securely during disposal of IT equipment.
  • None of Attendees' personal data is stored in printed form. Employees do not print or extract Attendees' information from the system.
  • Access to The Data Processor's own physical servers is secured with lock and alarm. Only the employees for whom access is necessary, have access to the room(s) in question.
  • All transfer of personal data in the self-service system is carried out through encrypted connections.
  • Only specifically authorized employees have remote access to The Data Processor's internal network, and this always takes place through encrypted VPN connections.
  • The self-service system logs all users' access and activity in the system in order to establish who has requested and viewed information, requested payments etc. in the event that an investigation hereof becomes necessary.
  • Rejected or failed login attempts to the self-service system are monitored and automatically logged. If more than 5 continuous failed login attempts are logged, a time delay is installed between subsequent possible login attempts.

C.3. Storage period/erasure procedures

Personal data in the self-service system is automatically erased from the system according to the periods described below:

  • When the payment module is in use: Payment information is stored for the remainder of the relevant financial year and an additional 5 years. All other personal data is erased 2 years after the event has ended.
  • When the payment module is not in use: Personal data is stored for 2 years after the event has ended.

The Data Controller may at any time through the self-service system erase and choose for how long the system is to store collected data that is not necessary in order to comply with the Danish Bookkeeping Act.

C.4. Procedures for the Data Controller's inspection of the processing being performed by the Data Processor

The Data Processor shall at any time and on the request of The Data Controller provide The Data Controller sufficient information in order for the latter to ensure that The Data Processor has made the necessary technical and organizational security measures.

The Data Controller or the Data Controller's representative shall by further agreement in addition have access to inspecting, including physically inspecting, the processing at the Data Processor's facilities when the Data Controller deems that this is required.

The Data Controller's costs, if applicable, relating to physical inspection shall be defrayed by the Data Controller. The Data Processor shall, however, be under obligation to set aside the resources (mainly time) required for the Data Controller to be able to perform the inspection.

The Data Processor will compose general documentation containing sufficient information in order for The Data Controller to ensure that The Data Processor has made the necessary technical and organizational security measures. If the Data Controller requests further information or assistance, The Data Processor is entitled to be compensated for its employees' time used in relation to supervision, audit or inspection visit initiated by the Data Controller, unless it is requested by the supervisory authority due to an inability by The Data Processor to comply with data protection regulation. The price is EUR 150 excluding VAT per hour.

The Data Controller shall be entitled to obtain once every year at The Data Controller's expense an inspection report from an independent third party with regards to the Data Processor's compliance with the treatment of personal data.

C.5. Procedures for inspection of the processing being performed by sub-processors, if applicable

The Data Processor shall at any time and on the request of The Data Controller provide The Data Controller sufficient information in order for the latter to ensure that The Data Processor has entered into a valid agreement between The Data Processor and the sub-processor regarding the sub-processor's compliance with this Data Processing Agreement and its associated Appendices.

The Data Processor shall perform an inspection including physical inspection at the Sub-Processor's facilities, when the Data Processor deems that this is required, in regards to the compliance with this Data Processing Agreement and its associated Appendices.

The Data Controller may - if required - elect to initiate and participate in a physical inspection at the Sub-Processor's facilities. This may apply if the Data Controller deems that the Data Processor's supervision of the Sub-Processor has not provided the Data Controller with sufficient documentation to prove that the processing by the Sub-Processor is being performed according to this Data Processing Agreement.

The Data Controller's and The Data Processor's costs related to physical supervision/inspection at the Sub-Processor's facilities initiated by The Data Controller are defrayed by The Data Controller. The Data Processor shall, however, be under obligation to set aside the resources (mainly time) required for the Data Controller to be able to perform the inspection.

The Data Processor is entitled to be compensated for its employees' time used in relation to the supervision, audit or inspection visit of the Sub-Processor initiated by The Data Controller, unless it is requested by the supervisory authority due to an inability by The Data Processor to comply with data protection regulation. The price is EUR 150 excluding VAT per hour.

Appendix D

Information about Data Protection Officer or person responsible for data protection

D.1. Data Protection Officer or person responsible for data protection at The Data Controller is:

Name: [Name of Data Responsible]
Position: [Position of Data Responsible]
Phone Number: [Phone Number of Data Responsible]
E-mail: [E-mail of Data Responsible]

This information will appear in the Terms of Registration, regulating The Data Controller's relationship with the Attendees.