The following Data Processing Agreement (the "DPA") is hereby entered into by and between
Customer (data controller):
[the entity called the Customer in the Dixa Agreement]
Dixa ApS, company no. 36561009, Njalsgade 23 C, st. tv., 2300 Copenhagen S
(the Customer and Dixa each referred to as a "Party" and jointly as the "Parties")
By using the customer service platform Dixa and any modules and functions related hereto (the "Dixa Services"), the Customer is responsible as 'data controller' for the processing of personal data ("Data") as defined in the Danish Act on Processing of Personal Data and the EU General Data Protection Regulation ("GDPR"). If confidential information other than personal data is processed for the purpose of fulfilling this DPA, e.g. information considered confidential according to the Danish Financial Business Act, the definition "Data" shall include such other confidential information. During the Customer's use of the Dixa Services, Dixa will process Data on behalf of the Customer as 'data processor'.
This DPA governs the processing of Data in order to comply with the above regulations. Unless otherwise explicitly stated, any definitions used in this DPA shall have the meaning described in the above regulations.
Both Parties confirm that they have the power and authority to sign this DPA.
If any provisions of this DPA conflict with the Agreement, the service order form of the Dixa Services or any other agreement between the Parties, then the provisions of this DPA shall prevail unless the contrary is specifically stated in such other agreement. If the EU Commission's standard contractual clauses for data transfer outside the EU/EES provide stricter obligations for Dixa, such provisions shall prevail over this DPA.
If the Customer requests information or assistance regarding data protection, documentation or general processing that lies beyond the mere compliance with the GDPR, such work will be invoiced by Dixa.
The Customer shall be responsible to the outside world (including the data subject) for ensuring that the processing of Data takes place within the framework of GDPR and applicable data protection legislation.
The Customer hereby confirms that:
Dixa shall solely be permitted to process Data on documented instructions from the Customer unless processing is required under EU or Member State law. In such case, Dixa shall inform the Customer of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. GDPR art. 28.
Dixa shall immediately inform the Customer if Dixa believes any instructions by the Customer contravene EU or Member State data protection legislation.
The Customer hereby instructs Dixa to process Data as follows:
As part of providing the Dixa Services to the Customer, Dixa will continuously provide new services and solutions including updates to the Dixa Services and enhanced communication based on the Customer's individual needs by registration of the Customer's and its representatives' use of the Dixa Services.
Provided the processing of Data from the Dixa Services is needed to enhance the services of Dixa, such processing is subject to the terms of this DPA and applicable legislation and may be shared with other legal entities affiliated with Dixa.
Dixa may not process or use the Customer's Data for any other purpose than provided in the instructions, including the transfer of Data to any third country or an international organization, unless Dixa is required to do so according to applicable legislation. In that case, Dixa shall inform the Customer in writing of that legal requirement before processing, provided no legal restriction prohibits this.
The categories of data subjects and associated Data that are processed under this DPA are outlined in Attachment A. Dixa shall ensure that persons authorized to process the Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
Dixa shall assist the Customer with such technical and organizational measures that are reasonable considering the nature of the processing and the categories of information made available to Dixa, in order for the Customer to comply with its obligations under applicable data protection legislation including handling of requests from data subjects under GDPR art. 12-23 and compliance with GDPR art. 32-36.
Dixa shall without undue delay after becoming aware of the facts notify the Customer about:
In case of a Data breach by the Dixa Services, Dixa shall assist the Customer in complying with its obligations – including (if applicable) reporting the breach to the supervisory authority within 72 hours. This may include obtaining necessary documentation regarding the nature of the Data breach, the approximate number of affected data subjects and the categories of affected Data as well as the probable consequences of the Data breach and the measures which have been taken or are proposed to manage the breach.
Dixa shall not respond to requests from data subjects unless authorized by the Customer to do so. Furthermore, Dixa shall not pass on information related to this DPA including Data to the authorities unless Dixa is obligated under law or statute.
In order to operate the Dixa Services, Dixa may engage sub-suppliers, which may be group companies or third-party providers which may be placed outside the EU/EES. An updated list of sub-suppliers can be found here: https://dixa.com/3rd-party-service.
The Customer hereby gives explicit consent to Dixa's use of the sub-suppliers listed in the above link. Furthermore, the Customer gives explicit authority to Dixa to provide for the legal transfer of Data outside the EU/EES, including but not limited to transfer under the EU Commission's standard contractual clauses and Privacy Shield.
Dixa shall ensure that the sub-supplier is subject to the same data protection obligations as those specified in this DPA on the basis of a contract or other legal document under EU or Member State law.
Dixa may add or replace sub-suppliers in order to operate the Dixa Services provided the Customer is notified thereof. If the Customer can demonstrate non-compliance with data protection legislation due to the use of such new sub-supplier, and Dixa is not able to verify compliance, the Customer may terminate the Agreement with Dixa with such notice that limits the effect on the Customer's Data of the use of such new sub-supplier.
If a sub-supplier does not fulfil the data protection obligations, Dixa shall remain fully liable to the Customer as regards the fulfilment of the obligations under this DPA.
Dixa shall keep Data confidential. Dixa shall not disclose the Data to third parties unless strictly necessary for the performance of Dixa's obligations to the Customer and/or according to this DPA.
All terms of this DPA apply to Dixa's employees and Dixa shall ensure that its employees comply with the DPA. Only persons who require access to the Data in order to fulfil the obligations of Dixa to the Customer shall be provided access.
Dixa shall ensure that persons authorised to process Data on behalf of the Customer have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality. The confidentiality obligations of Dixa shall survive the termination of the Parties' cooperation.
With due consideration to the available technology and the costs associated with implementation as well as the nature, scope, context and purpose of the data processing, Dixa shall according to GDPR art. 32 implement appropriate technical and organizational measures to ensure an adequate level of data security.
Dixa has established data protection policies and technical measures to ensure the ongoing confidentiality, integrity, availability and resilience of the Dixa Services and the ability to restore the availability of and access to Data in the event of a physical or technical incident.
Dixa will regularly test, assess and evaluate the security level of the Dixa Services to ensure adequate technical and organizational measures which may include pseudonymization and encryption of Data.
Once a year in November, the Customer is entitled to such information as is necessary to demonstrate compliance with GDPR. The Customer shall present a detailed audit plan describing the scope, duration and start date, giving a minimum notice of 4 weeks to Dixa. Inspections by the Customer and/or a third-party auditor shall be under strict confidentiality.
In case the Customer requests an audit of Data which is being processed together with other customers' Data, Dixa is entitled to appoint a neutral auditor for security reasons. If Dixa's compliance has been confirmed under ISO or similar standards by a qualified independent auditor within the past 12 months and Dixa confirms that no material changes have been made, the Customer shall accept such audit and shall not be entitled to perform its own audit.
Inspection and audit shall take place within normal office hours in accordance with Dixa's policies and instructions and shall not interfere with Dixa's commercial operations. The Customer shall cover all costs associated with the audit including payment to Dixa for assistance which goes beyond the requirements stated in applicable data protection legislation.
Dixa shall provide the supervisory authorities, which pursuant to applicable legislation have access to the Customer's and Dixa's facilities, or representatives acting on behalf of such supervisory authorities, with access to Dixa's physical facilities on presentation of appropriate identification.
This DPA shall remain in effect as long as the Customer uses the Dixa Services and will automatically terminate with the Agreement between Dixa and the Customer. Regardless hereof, the DPA shall be in effect as long as Dixa processes Data on behalf of the Customer.
The Parties may at any time agree to amend this DPA. Amendments must be in writing.
At termination of the DPA, Dixa shall at the Customer's request erase or return all the Customer's Data unless EU or Member State law requires storage of the Data. Any assistance provided by Dixa at the Customer's request regarding return of Data shall be invoiced separately with due consideration to complexity and format.
Any liability for breach of this DPA (including any sub-supplier's breach) shall be governed by the applicable provisions in the Agreement.
This DPA is subject to Danish law, excluding the choice of law rules, and any disputes shall be settled by a Danish court of law.
Categories of Data
Dixa shall process one or more of the following categories of sensitive information on behalf of the Customer:
The Customer shall on commencement of this DPA approve the engagement of the following sub-suppliers:
The Customer shall on the commencement of this DPA specifically approve the use of the above sub-suppliers for the processing described for that party.
The Data Processor shall not be entitled – without the Data Controller's explicit written consent – to engage a sub-processor for 'different' processing than the one that has been agreed or have another sub-processor perform the described processing.