Data processing agreement

1. Processing of Personal Data

1.1 This agreement (the "Agreement") has been entered into between the user company(the "Data Controller") and AUTOBUDGETS ApS, BNR 43914669 (the "Data Processor" or "AUTOBUDGETS"), each referred to as a "Party" and collectively the "Parties".

1.2 The Data Processor processes the types of personal data on behalf of the Data Controller that are listed in Annex 1, and which are necessary for the use of the AUTOBUDGETS service. The personal data relates to the registered persons listed in Annex 1.

1.3 When the Data Controller transfer financial data, the Data Controller instructs the Data Processor to not use data for external use in statistics and benchmarking.

2. Purpose

2.1 The Data Processor may only process personal data for purposes that are necessary for the Data Controller to use the AUTOBUDGETS service.

3. Obligations of the Data Controller

3.1 To the extent that the Data Controller processes personal data in connection with the use of the AUTOBUDGETS service, the Data Controller is responsible for the existence of a legal basis for processing, including that any consent is specific, freely given, unambiguous and informed. The Data Controller is obliged, at the Data Processor's request, to explain in writing and / or document the basis for processing.

3.2 The Data Controller warrants that the data subjects, which the personal data relates to, receive the required information about the processing of personal data. AUTOBUDGETS privacy policy, which may at any time be found on AUTOBUDGETS’ website (“Privacy Policy”).

4. The Data Processor's obligations

4.1 The Data Processor may only process the personal data necessary for making the AUTOBUDGETS-service available to the Data Controller in accordance with the terms and conditions, which may at any time be found at AUTOBUDGETS' website ("Terms and Conditions"). The Data Processor is obligated to comply with all data protection legislation in force from time to time.

4.2 The Data Processor must take all necessary technical and organizational security measures, including any additional measures, required to ensure that the personal data specified in sec. 1.2 and 1.3 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorized third parties, abused or otherwise processed in a manner which is contrary to the Danish data protection legislation in force at any time.

4.3 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

4.4 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of applicable data protection legislation, including the requirement for documentation of data flows and written procedures/policies for the processing of personal data.

4.5 If the Data Processor process personal data in another EU/EEA member state, the Data Processor is obligated to comply with applicable legislation regarding security measures in the country in question.

4.6 The Data Processor must notify the Data Controller if there is a suspicion that data protection rules have been breached or other irregularities in connection with the processing of the personal data occur within 48 hours. If requested by the Data Controller, the Data Processor must assist the Data Controller with clarifying the extent of the security breach, including notifying the data subjects and the relevant authorities including the Danish Data Protection Agency and/or data subjects.

4.7 The Data Processor must notify the Data Controller if there is an interruption in operations of IT systems as soon as is reasonable.

4.8 The Data Processor must make available to the Data Controller all information necessary to demonstrate that the Processor have implemented the necessary technical and organizational security measures. At the expense of the Data Controller, the Data Processor allows for and agrees to contribute with input in connection with a yearly data protection audit by an independent third party. The Data Controller must compensate the Data Processor for time spend in relation to such audits. At the request of the Data Controller, the Data Processor will send a copy of the Data Processor’s latest ISAE 3402 audit report, which is updated yearly.

4.9 The Data Processor, or and any of its sub-data processors, must send requests and objections from data subjects to the Data Controller, for the Data Controller's further handling, unless the Data Processor is entitled to handle such requests and objections itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering handling any such requests and/or objections.

5. Transfer of data to sub-data processors or third parties

5.1 The Data Processor may only transfer the personal data as stipulated in sec. 1.2 to sub- data processors with the written approval from the Data Controller. The Data Controller may only disclose personal data to third parties with the written approval from the Data Controller or if this follows from applicable legislation.

5.2 The Data Controller hereby grant the Data Processor a general power of attorney to enter into agreements with sub-data processors. The Data Processor must notify the Data Controller of any changes concerning the addition or replacements of sub-data processors by giving no more than one month's notice of such addition or replacement. The Data Controller can make reasonable and relevant objections against such changes.

5.3 When the Data Controller has approved that the Data Processor can use a sub-data processor the Data Processor must impose the same obligations on the sub-data processor as set out in this Agreement by entering into a separate data processing agreement with such sub data controller on terms identical to the terms of this Agreement ("back-to-back" terms).

5.4 If the personal data is transferred to sub-data processors outside EU/EEA, it must, in the data processing agreement, be stated that the data protection legislation applicable in the Data Controller's country applies to sub-data processors. If the receiving sub-data processor is established within the EU/EEA, it must be stated in the data processing agreement that the receiving EU country's specific statutory requirements regarding data processors, e.g. concerning demands for notification to national authorities must be complied with.

5.5 The Data Processor is obliged to enter into written data processor agreements with sub-data processors within the EU/EEA. As for sub-data processors outside the EU/EEA, the Data Processor must ensure the sufficient transfer mechanisms and enter into a sub-data processor agreement by entering into standard agreements in accordance with the EU Commission's Standard Contractual Clauses ("Standard Contracts"). Standard Contracts can be based on either Decision 2010/87/EU of 5 February 2010 or 2016/679/EU of 4 June 2021:

5.5.1 Standard Contracts based on 2010/87/EU of 5 February 2010 can be entered into until 27 September 2021 and can be used until 27 December 2022, whereafter they must be replaced by Standard contracts based on the General Data Protection Regulation 2016/679/EU of 4 June 2021.

5.5.2 Standard Contracts based on decision 2016/679/EU of 4 June 2021 can be used from 27 June 2021

5.6 At the time of signing this Agreement, the Data Processor engages the sub-data processors listed in Schedule 2.

6. Liability

6.1 The Parties liability are regulated by ordinary Danish rules on tort and damages. However, no Party is entitled to claim damages for indirect losses or consequential damage irrespective of whether these are suffered by the Data Controller, the Data Processor or a third party. Losses in relation to lost business potential, loss of profit, operating loss, loss of goodwill, loss of data, hereunder as part af recreation of data, will always be considered indirect losses or consequential damage.

6.2 The Data Processor's total liability to pay damages under the Agreement is capped in accordance with sec. 12 in the Terms and Conditions.

7. Commencement and termination

7.1 The Agreement becomes effective according to sec. 15 of the Terms and Conditions.

7.2 The Agreement will terminate in accordance with sec. 15 of the Terms and Conditions. However, the Data Processor remains subject to the obligations stipulated in this Agreement, as long as the Data Processor processes personal data on behalf of the Data Controller.

7.3 Upon termination of this Agreement the Data Controller is entitled to demand deletion or return all personal data unless retention of the personal data is prescribed by EU or national law. Personal data will be handed over on an ordinary machine-readable media determined by the Data Processor. Personoplysningerne udleveres på et af Databehandleren besluttet medie i et almindeligt læsbart format.

8. Choice of law and forum

8.1 This Agreement is governed by Danish law.

8.2 Any claim or dispute arising from or in connection with this Agreement are subject to Danish law. Any claim or dispute must be brought before the City Court of Copenhagen.

Appendix 1 – Types of personal data and data subjects

For user-companies that transfer/disclose data to other companies (e.g. accountants, lawyers, or estates in bankruptcy):

Data subjects:

• Persons referred in the transferred/disclosed economic data (e.g. invoice recipients)

• Contact persons that communicate with the AUTOBUDGETS-service

• Employees or other persons related to a user-company, for which data is transferred/disclosed

• Persons related to companies that are invited to use the AUTOBUDGETS- serviceTypes of personal data:

• Information necessary for the use of the AUTOBUDGETS-service:

  • Contact details such as name, email and phone number

  • Economic data (e.g. if a user-company is a one-man business)

For user-companies transferring/disclosing their own data (SMEs):

Data subjects:

• Persons referred to in the transferred/disclosed economic data (e.g. invoice recipients and employees)

• Contact persons that communicate with the AUTOBUDGETS-service

• Persons related to a user-company, for which data is transferred/disclosed

Types of personal data:

• Information necessary for the use of the AUTOBUDGETS-service:

  • Contact details such as name, email and phone number

  • Economic data (e.g. if a user-company is a one-man business)

For user-companies only accessing other user-companies’ data (e.g. banks)

Data subjects:

• Contact persons that communicate with the AUTOBUDGETS-service

• Employees or other persons related to a user-company

Types of personal data:

• Information necessary for the use of the AUTOBUDGETS-service:

  • Contact details such as name, email and phone number

Appendix 2 – Sub-data processors

Regarding the Data Processor's cloud-based infrastructure the Data Processor use Amazon Web Services (hereafter "AWS"), a branch of Amazon.com. The Data Processor has entered into a data processor agreement with AWS on standard terms.

Regarding the Data Processor's cloud-based infrastructure the Data Processor use Microsoft Azure (hereafter "Microsoft"), a branch of Microsoft Inc.. The Data Processor has entered into a data processor agreement with Microsoft on standard terms.