
Data processing agreement

Revision 22.3

Effective from 01/03/2022

The Data Controller Customer in the EU/EEA

(hereinafter referred to as "The Data Controller")

and

The Data Processor

Bricksite ApS

CVR 29408378

Normansvej 1

DK8920 Randers NV

Denmark

(hereinafter each referred to as "Party", and collectively referred to as "the Parties")

have entered into this data processing agreement ("Data Processing Agreement") regarding the Data Processor's processing of personal data on behalf of the Data Controller.

Contact Points

Bricksite can be contacted electronically at privacy@bricksite.com.

Bricksite shall only comply with instructions from the Data Controller's Contact Person, as specified in the Main Agreement.

It is the Data Controller's responsibility and obligation to continuously maintain its contact information with Bricksite.

Inquiries from third parties will be referred to the Data Controller's Contact Person.

If the Contact Person cannot be contacted due to termination of employment, death, or other reasons; or constitutes a significant risk to the processing security, including the misuse of privileges, access, or loss of any degree; the Data Processor may be requested to transfer the Contact Person role, services, and payment obligation, in accordance with the Main Agreement, against the necessary documentation.

Background

1.1. This Data Processing Agreement is subject to legislation, including the Data Protection Act [Act no. 502 of 23/05/2018] and the Data Protection Regulation [Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC], together with related legal acts and derived national legislation.

1.2. Previous revisions of the Data Processing Agreement can be provided upon request to the Data Processor.

Commencement

2.1. This Data Processing Agreement, including appendices, is entered into upon the establishment of the customer relationship in addition to Bricksite's Terms and Conditions ("Main Agreement").

2.2. The Data Processing Agreement applies to the Data Controller's use of the Data Processor's services, in which personal data is processed for the Data Controller, whether this processing is part of a subscription, a free service, or other services.

Purpose and Scope

3.1. The Data Processor acts solely on documented instructions from the Data Controller. This Data Processing Agreement, including appendices, constitutes the instruction.

3.2. The Data Processor processes personal data only for the purposes necessary to fulfill the instruction and the Data Processor's other obligations in legislation.

3.3. The types of personal data that the Data Processor processes for the Data Controller are listed in Annex A.

Data Controller's Obligations

4.1. The Data Controller is responsible to the outside world (including the Data Subject) for the lawful compliance with the personal data regulations (cf. point 2), including that personal data must be processed for legitimate and objective purposes.

4.2. The Data Controller must also ensure its duty of disclosure to the Data Subject.

Data Processor's Obligations

5.1. The primary data processing that the Data Processor performs is the storage of the data that the Data Controller entrusts to the Data Processor.

5.2. If the Data Controller wishes for other types of data processing that are not related to the standard services provided by the Data Processor, the Data Controller must provide the Data Processor with a clear documented instruction.

5.3. The Data Processor may only process personal data upon documented instructions from the Data Controller, unless otherwise required by EU law or the national law of the Member States to which the Data Processor is subject; in such case, the Data Processor shall inform the Data Controller of this legal requirement before processing, unless the relevant law prohibits such notification for important societal interests.

5.4. The Data Processor shall promptly inform the Data Controller if, in the Data Processor's opinion, an instruction is in conflict with EU law or national law.

5.5. Requests, objections, or other inquiries from the Data Subjects to the Data Processor will be forwarded to the Data Controller for further processing thereof.

5.5.1. In accordance with this, the Data Processor shall, upon the Data Controller's written and explicit request, as far as possible assist the Data Controller in fulfilling the Data Controller's obligations to respond to requests for the exercise of the Data Subject's rights, including access, rectification, restriction or deletion if the relevant personal data is processed by the Data Processor.

5.6. The Data Controller is liable for all costs of the Data Processor's assistance, including for subprocessors. The Data Processor's assistance is invoiced at the Data Processor's current hourly rate for such work.

Confidentiality

6.1. The Data Processor ensures that only employees who need to process personal data in order to fulfill the Data Processor's obligations to the Data Controller are authorized.

6.2. The Data Processor ensures that employees authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

6.3. The Data Processor ensures that employees authorized to process personal data process them only according to instructions.

Processing Security

7.1. The Data Processor implements all necessary technical and organizational measures required by Article 32 of the Regulation to ensure a level of security appropriate to the personal data in Annex A not being accidentally or unlawfully destroyed, lost, impaired, or disclosed to unauthorized third parties, misused, or otherwise processed in violation of applicable data protection regulation; taking into account the nature, scope, context, and purpose of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

7.2. The above obligation means that the Data Processor must conduct a risk assessment and then implement measures to address identified risks.

7.3. The Data Processor, as a minimum, implements the security level and measures specified in Annex B.

7.4. If requested by the Data Controller, the Data Processor shall indicate or document that the Data Processor meets the requirements of the data protection legislation.

7.4.1. The Data Processor is entitled to invoice the Data Controller at its usual hourly rate for all the Data Processor's working hours, which such a documentation task may involve for the Data Processor, as well as the Data Controller being liable for any payment to the subprocessor.

7.5. The Data Processor shall notify the Data Controller without undue delay after becoming aware that a breach of personal data security may have occurred at the Data Processor or a subprocessor.

7.5.1. In the event of a personal data breach, the Data Processor shall assist the Data Controller in complying with the Data Controller's obligation to report the personal data breach to the relevant supervisory authority and, if necessary, to communicate the personal data breach to the affected Data Subjects, in accordance with Articles 33 and 34 of the Regulation.

7.5.2. The Data Controller is liable for all costs of the Data Processor's assistance, including for subprocessors. The Data Processor's assistance is invoiced at the Data Processor's current hourly rate for such work.

Use of Subprocessors

8.1. Upon entering into the Data Processing Agreement, the Data Controller grants the Data Processor a general authorization to enter into agreements with Subprocessors for the processing of personal data on behalf of the Data Controller.

8.2. The Data Processor has the Data Controller's general power of attorney to enter into standard contractual clauses (SCCs) with Subprocessors in third countries outside the EU/EEA, or with international organizations.

8.3. The Data Processor shall notify the Data Controller of any additions or replacements of Subprocessors with reasonable notice, taking into account the operation. In addition, the Data Controller may refer to the list of specifically approved Subprocessors in Annex C.

8.4. The Data Processor ensures, on behalf of the Data Controller, that its Subprocessors comply with the corresponding obligations and requirements as described in this Data Processing Agreement.

8.4.1. The Data Processor imposes the same data protection obligations as set out in this Data Processing Agreement on the Subprocessor, through a contract or other legal document under EU law or the national law of the Member States, thereby providing the necessary guarantees that the Subprocessor will implement appropriate technical and organizational measures pursuant to Article 32 of the Regulation.

8.4.2. All use of Subprocessors is also subject to Bricksite's Privacy Policy.

8.5. The Data Controller has the right to make reasonable and relevant objections to a new Subprocessor.

8.5.1. In such a situation, the Data Processor shall demonstrate compliance by providing the Data Controller access to the Data Processor's data protection assessment of the Subprocessor.

8.5.2. If, considering the Data Controller's objections, the Data Processor still wishes to use a Subprocessor, the Parties have the right to mutually terminate the Data Processing Agreement and possibly the Main Agreement, subject to the deadlines in the Main Agreement, but possibly with a shorter notice to ensure that the Data Controller's personal data is not processed by the concerned Subprocessor.

8.5.3. During this period, the Data Controller may not require the Data Processor to cease its use of the concerned Subprocessor.

Liability

9.1. The Parties' liability, compensation liability, and other matters are governed by the Main Agreement.

Supervision and Audit

10.1. The Data Processor makes all information necessary to demonstrate the Data Processor's and Subprocessors' compliance with Article 28 of the Regulation and this Data Processing Agreement available to the Data Controller and allows for and contributes to the annual audit, including inspections, carried out by the Data Controller or another auditor authorized by the Data Controller.

10.2. The Data Processor is obliged to grant access to the Data Processor's physical facilities to authorities, which, under the applicable legislation, have access to the Data Controller's and Data Processor's facilities, or representatives acting on behalf of the authorities, upon proper identification.

Precedence

11.1. Unless otherwise stated, the Data Processing Agreement takes precedence over corresponding provisions in other agreements or terms between the Parties.

11.2. If legislative changes render parts of this Data Processing Agreement invalid, the remaining parts of the Agreement will still apply.

Termination Effects

12.1. The Data Processing Agreement and the Main Agreement are mutually dependent and cannot be terminated separately. The Data Processing Agreement can, however, be updated separately without terminating the Main Agreement, subject to a 30-day notice.

12.2. Termination of the Data Processing Agreement may take place according to the termination terms, including the termination notice, as stated in the Main Agreement.

12.3. Regardless of the termination of the customer relationship, the Data Processing Agreement will remain in force until the termination of the data processing and the deletion of the information by the Data Processor and any Subprocessors.

12.4. Upon termination of the processing services, the Data Processor is obliged, at the choice of the Data Controller, to either delete or return all personal data to the Data Controller and delete any existing copies, unless otherwise required by EU law or national law.

Governing Law and Jurisdiction

13.1. The Agreement is subject to a competent court of first instance in the same jurisdiction as stated in the Main Agreement.

Annex A — Bricksite Data Processing

A.1. Categories of Data Subjects

Bricksite Classic allows the Data Controller to create guest users. This may include the Data Controller's family, colleagues, employees, suppliers, business and collaboration partners, members, customers, and any third party.

Bricksite Classic allows the Data Controller to create a webshop where any third party can order a product or service.

The Data Processor makes its system available to the Data Controller as a hosted service, and therefore cannot specify the categories of data subjects.

A.2. Types of Personal Data – General

Any type of content that the Customer uploads to the system

Contact and identification information

Visit and statistical data (for Classic only)

IP addresses.

A.2. Types of Personal Data for Guest Users

Full Name

Email

Phone number

Company Registration Number

Fax

Membership information, including encrypted passwords.

Other types of personal data may occur.

A.3. Types of Personal Data for Classic Webshop and Message Center

Full Name

Email

Phone number

Company Registration Number

Fax

Payment information (including account numbers, MD5-ID, Merchant-ID, and PayPal address)

Other information

Order history

Message history

Images

Other types of personal data may occur.

A.4. Types of Personal Data for Bricksite 2 and Bricksite 3 - Contact Form

When using the contact form on the website, at least these personal data are collected to provide the service (legitimate interest) and are deleted immediately after sending:

Name

Email address

Phone number

IP address

Other types of personal data may occur at the Data Controller's instigation and customization of the contact form, including any type of personal data that may appear in the free text field.

A.5. Security

The Data Processor and Subprocessors make systems available that ensure confidentiality, integrity, and availability, including in the physical facilities and offices.

For Classic, the Data Controller is responsible for complying with its obligations, for example, to delete personal data from the Message Center and Classic Webshop, whether these and other services are paid or free of charge.

A full backup of the system is performed daily in case of system failure.

Email accounts can be restored for up to 30 days after accidental or unlawful deletion.

A.6. Data Controller Support Options

In support inquiries, technicians at Subprocessors, possibly outside the EU/EEA, may be granted full access to the Data Controller's website, email, and other services related to the support inquiry. Pseudonymized personal data may also be provided instead of full access, depending on the scope of the support inquiry.

Annex B — Measures

B.1. Technical and Physical Measures

The Data Processor is committed to ensuring a high level of security in its products and services, which is ensured by relevant organizational, technical, and physical security measures required by the information on security measures as described in Article 32 of the Regulation.

B.2. Organizational Measures

In addition, Bricksite has measures in place to ensure the confidentiality, integrity, resilience, and access to Personal Data, including:

Restricting access to Personal Data to relevant persons necessary to comply with the requirements and obligations in the Data Processing Agreement and Main Agreement.

Classifying Personal Data to ensure the implementation of security measures relevant to risk assessments.

Assessing encryption and pseudonymization as risk-reducing factors.

Operating and implementing systems that can detect, recover, counteract, and report incidents related to Personal Data.

Conducting a risk assessment of its own security level to ensure that current technical and organizational measures are adequate to protect Personal Data.

Annex C — List of Specific Approved Subprocessors

C.1. Services where the Customer is the Data Controller

The Customer is the Data Controller for data uploaded to the Customer's website, contact forms, file libraries, email, and other services provided by Bricksite. When the customer uploads data, Bricksite may use subprocessors. In its role as Data Processor, Bricksite is obligated to obtain the Customer's prior consent for specific approved Subprocessors. Bricksite has entered into Subprocessor agreements with the suppliers listed below.

Amazon Web Services EMEA SARL ("Amazon Europe") (FC034225)

Privacy Policy: https://aws.amazon.com/privacy

Country: EU

Purpose: Hosting, DNS

Legal basis: Necessary for contract fulfillment.

Google Ireland Ltd. (IE368047)

Privacy Policy: https://policies.google.com

Country: EU

Purpose: Hosting, DNS, System monitoring

Legal basis: Necessary for contract fulfillment.

OVH Groupe SAS (537 407 926)

Privacy Policy: https://www.ovh.com/world/support/privacy-policy

Country: EU

Purpose: Hosting (Classic)

Legal basis: Necessary for contract fulfillment.

Tucows Inc. ("OpenSRS") (0000909494)

Privacy Policy: https://opensrs.com/privacy-policy

Country: Canada

Purpose: Email hosting

Transfer basis: Adequacy decision

Legal basis: Necessary for contract fulfillment.

C.2. Services where a Third Party is the Data Controller or Shared Data Responsibility Exists

Some services require Bricksite to share data with a Third Party. The Third Party processes this data in accordance with the service's separate Terms & Conditions and Privacy Policy. The Third Party may further process your customers' data for its own purposes, including its legal obligations.

Worldline SA ("ePay - Bambora Online") (DK34215480)

Terms & Conditions: https://www.bambora.com/da/dk/vilkar-og-betingelser

Additional Terms: Depends on the card type you accept. You must enter into a separate agreement with Nets A/S, MobilePay Denmark A/S, etc., if you wish to accept payments on your website.

Privacy Policy: https://www.bambora.com/da/dk/legal-hub

Country: EU

Purpose: Payment initiation service for your webshop (international payment cards)

Legal basis: Necessary for contract fulfillment. Only relevant if you activate a webshop on your website.

C.3. Other Services where the Customer is the Data Controller

The Customer is responsible for signing Data Processing Agreements to the extent that other services are used, which the Customer independently enters into an agreement with. This could be, for example, a newsletter provider, analytics, or a payment initiation service.

© 2023 Bricksite ApS - DK29408378
