Data Processing Terms
The Customer accepting these terms and Duuoo ApS, Danish Company Reg. (CVR) No. 37298336 (Duuoo) have entered into an agreement on the Customer’s access to and use of the Duuoo People Management Suite (the Subscription Agreement), which is an online-based standard service accessed via an internet browser or app for the purpose of employee management.
The Customer accepts these Data Processing Terms as part of the Subscription Agreement entered into with Duuoo.
In accordance with the definitions of the General Data Protection Regulation, Duuoo will in some situations be data processor for the Customer under the Subscription Agreement when carrying out and providing the agreed services. Duuoo stores and processes personal data as part of giving the Customer access to the Duuoo People Management Suite and the Subscription Agreement may include that Duuoo also carries out other processing.
The Data Processing Terms have been drawn up for the purpose of the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Data Protection Directive) when Duuoo is data processor for the Customer.
The Data Processing Terms take effect at the time Duuoo receives a signed Order Form when such Order Form forms a valid acceptance of a Duuoo proposal to the Customer, and the Data Processing Terms replace all previous processor agreements entered into between the Parties in relation to the processing activities agreed under the Subscription Agreement. The Customer’s commencement of use or continued use of the Duuoo People Management Suite is regarded as the Customer’s express acceptance of the Data Processing Terms.
In addition, the Data Processing Terms supplement the Subscription Agreement and take precedence over any conflicting terms therein.
The Data Processing Terms constitute the Parties’ processor agreement for the personal data processing which the Customer entrusts to Duuoo, and which Duuoo undertakes to carry out as part of supplying the services agreed under the Subscription Agreement.
The Data Processing Terms lay down the rights and obligations that apply to Duuoo’s processing of personal data on behalf of the Customer and the Data Processing Terms indicate the overall security measures taken by Duuoo.
In accordance with the applicable data protection rules, Duuoo is data processor for the processing activities that have been entrusted to Duuoo for the Customer, while the Customer is either data controller or data processor in accordance with the applicable data protection rules. Each Party must meet the obligations laid down in applicable data protection rules and the Data Processing Terms thus release neither Duuoo nor the Customer from such obligations.
The Data Processing Terms apply from the time they enter into force and until Duuoo has deleted the Customer’s data in accordance with the provisions contained in these Data Processing Terms. The Data Processing Terms and the Subscription Agreement are mutually dependent and the agreements may therefore not be terminated separately.
Duuoo guarantees to the Customer that Duuoo possesses sufficient expert knowledge, reliability and resources to implement the necessary measures to meet the requirements of the General Data Protection Regulation with respect to the processing activities that Duuoo must carry out for the Customer under the Subscription Agreement.
The Customer is responsible for complying with the personal data protection legislation applicable at any time to the personal data entrusted to Duuoo for processing. In particular the Customer is responsible for and guarantees to Duuoo that:
- The Customer has the required legal basis on which to process and to permit Duuoo to process the personal data that are included in the services Duuoo provides to the Customer. In the situations where the Customer is processor of the personal data entrusted to Duuoo for processing, the Customer guarantees to Duuoo that the Customer’s instructions, as expressed through these Data Processing Terms and the Subscription Agreement and the use of Duuoo and its sub-processors as other processors, have been authorised by the controller.
- The instructions given for Duuoo’s processing of personal data on behalf of the Customer are lawful.
The Parties have agreed that the purpose of the processing is the implementation of IT services from Duuoo to the Customer, including in particular storage of and operation relating to personal data in connection with providing access and functionality in the standard cloud service Duuoo People Management Suite.
Duuoo thus processes the data entrusted to it for the agreed purpose of providing the agreed services as specified in the Subscription Agreement and Duuoo’s product descriptions.
The processing covers user credentials in the form of names, e-mail addresses and phone numbers as well as information on Customer employees in relation to their employment such as performance, employee-development 1 on 1 conversations and similar data and such other data as the Customer may include in the Duuoo People Management Suite.
Duuoo is entrusted to process data of those categories of data subjects for which the Customer allows the use of the Duuoo People Management Suite, typically the Customer’s employees.
Duuoo may process the Customer’s personal data only in accordance with the Customer’s instructions which are documented in a written agreement and accepted by Duuoo.
By accepting the Data Processing Terms, the Customer instructs Duuoo to process the Customer’s personal data for supply of the Duuoo People Management Suite as a cloud service on the terms and conditions of the Subscription Agreement and these Data Processing Terms.
The Customer may also request Duuoo to accept additional written instructions regarding processing of personal data for the Customer, and Duuoo is free to accept or reject such additional instructions. However, Duuoo must always accept an instruction to cease further processing, which means that Duuoo deletes the Customer’s data as specified under Return and deletion of the Customer’s data below.
Duuoo will comply with the Customer’s instructions, approved by Duuoo, unless such processing is in violation of the applicable data protection legislation to which Duuoo is subject. In that case Duuoo will notify the Customer of this.
Irrespective of the Customer’s instructions – including those on deletion – Duuoo must, however, carry out processing of the Customer’s personal data if this follows from a legal obligation to which Duuoo is subject. In that case the Customer must be informed of this before processing unless such information is unlawful.
The Customer thus determines the purposes and scope of the processing activities entrusted to Duuoo.
Duuoo will carry out processing of the Customer’s personal data for as long as Duuoo is required to do so under the Subscription Agreement – typically for as long as the Subscription Agreement is in force. Duuoo will delete or anonymise the Customer’s data when the Customer’s Subscription Agreement terminates. The Customer may also instruct Duuoo to delete the data at an earlier time in accordance with the item Return and deletion of the Customer’s data.
Duuoo takes all measures that are required under Article 32 of the General Data Protection Regulation. Duuoo implements appropriate technical and organisational measures to protect the personal data made available from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Duuoo may change the implemented security measures on an ongoing basis, but when doing so, Duuoo must make efforts to ensure that the changes overall do not result in a reduced level of security.
Duuoo has determined the level of security on the basis of considerations concerning the type of personal data typically registered in the Duuoo People Management Suite and the expected categories of data subjects.
Duuoo implements security measures, considering on average what is appropriate and the Parties therefore agree that in the mutual relationship the Customer is responsible for assessing whether the measures implemented are sufficient to reach a security level that matches the risk involved in the processing activities entrusted to Duuoo.
If Duuoo becomes aware that a personal data breach has occurred in relation to Duuoo’s services to the Customer, Duuoo must notify the personal data breach to the Customer without undue delay after having become aware of such breach.
Duuoo must take reasonable and proportionate measures to mitigate the adverse effects of the breach without undue delay after becoming aware of the breach.
In continuation of the notification to the Customer, Duuoo must provide a description of the circumstances of the breach, its nature, the measures Duuoo has taken, or proposes to take, to mitigate any adverse effects of the breach and the circumstances Duuoo believes the Customer should pay particular attention to in connection with the breach so that the Customer can meet its obligations in connection with data breaches within the time limits laid down in the General Data Protection Regulation.
The notification may be sent by email to the contact person designated by the Customer and in the format chosen by Duuoo.
Duuoo’s notification of a personal data breach does not constitute an admission of fault or liability in relation to the personal data breach.
Taking into account the nature of the processing entrusted to Duuoo and the information available to Duuoo with respect to a personal data breach occurring at Duuoo, Duuoo will also assist the Customer, upon request, with ensuring compliance with the Customer’s obligations under Article 33 and Article 34 of the General Data Protection Regulation.
By accepting these Data Processing Terms, the Customer gives Duuoo general authorisation for the use of other processors (sub-processors). Information on the sub-processors used, including their function and in which country they are established, is either available on Duuoo’s website or included in the Subscription Agreement.
When engaging a sub-processor, Duuoo ensures that a written agreement is entered into with the sub-processor in which it is ensured that
If a sub-processor fails to fulfil its data protection obligations, Duuoo will remain fully liable to the Customer for the performance of the sub-processor’s data protection obligations.
Duuoo may update the list of sub-processors used on an ongoing basis. The list will be updated before any intended changes concerning the addition or replacement of a sub-processor are carried out. If the Customer wishes to object to intended changes concerning the addition or replacement of a sub-processor, the Customer may terminate the Subscription Agreement with effect immediately or with effect from the end of the calendar month in which notice of termination is given. It is a condition for termination under this clause that notice of termination is given to Duuoo no later than thirty (30) days after Duuoo has updated the list of sub-processors used or intended to be used. Termination of the Subscription Agreement is the Customer’s only remedy towards Duuoo in this situation.
Duuoo stores the Customer’s data within the EU and personal data are therefore not transferred to any third countries.
However, Duuoo may, as an exemption, transfer the Customer’s data, including personal data, to a third country or an international organisation if this is required under EU or member state law to which Duuoo is subject; in such a case Duuoo must inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Customer’s own accessing of personal data stored at the Duuoo People Management Suite from a location that results in a transfer of personal data to a third country is deemed to be the Customer’s own transfer and is thus not covered by Duuoo’s liability or obligations.
Duuoo undertakes, at the Customer’s written request, to provide the following assistance to the Customer:
Taking into account the nature of the processing, Duuoo assists the Customer by appropriate technical and organisational measures, as far as this is possible, with the fulfilment of the Customer’s obligation to respond to requests for exercising the data subjects’ rights as set out in Chapter 3 of the General Data Protection Regulation.
Taking into account the nature of processing and the information available to Duuoo, Duuoo also assists the Customer with ensuring compliance with the Customer’s obligations in respect of Articles 32-36 of the General Data Protection Regulation.
Duuoo is entitled to separate remuneration for the assistance provided for complying with the Customer’s requests under this clause Assistance to the Customer. The remuneration is calculated based on time spent by Duuoo and Duuoo’s ordinary hourly rate for such work.
However, as regards assistance for ensuring compliance with the Customer’s obligations under Articles 33-34 of the General Data Protection Regulation, Duuoo has no right to remuneration for fulfilling its obligations under the clause Reporting of data breaches.
At the Customer’s choice Duuoo deletes or returns all personal data to the Customer after the end of the provision of services relating to the Subscription Agreement and deletes existing copies unless Duuoo is subject to a legal obligation prescribing that Duuoo must retain the personal data.
Duuoo carries out the Customer’s instructions to delete or return the Customer’s data in accordance with the rules of the General Data Protection Regulation and as soon as practically possible.
As part of the instructions to Duuoo, the Customer further allows its data to be part of a backup procedure from which data are deleted when the backup is destroyed in accordance with Duuoo’s backup procedure.
Article 82 of the General Data Protection Regulation and supplemental rules of the Danish Data Protection Act apply to compensation that must be paid to data subjects as a result of infringement of the General Data Protection Regulation, and each Party in the mutual relationship is thus liable to pay the part of the compensation corresponding to that Party’s part of the responsibility for the damage, taking into consideration these Data Processing Terms. If necessary, the apportionment of fault is determined by judicial review. Duuoo’s limitation of liability under Part I of the Subscription Terms and Conditions continues to apply.
The Parties are themselves liable for fines and other penalties imposed on them as a consequence of unlawful processing of personal data and such amounts cannot be claimed from the other Party.
The Customer hereby indemnifies Duuoo for any breach of the General Data Protection Regulation by Duuoo where Duuoo is processing data on the express instructions of the Customer.
Duuoo must maintain records of the categories of processing activities carried out for the Customer in accordance with Article 30 of the General Data Protection Regulation. The Customer must inform Duuoo of the name and contact details of the Customer’s representative and Data Protection Officer, if any, and keep such information updated so that Duuoo can maintain accurate records.
Duuoo must ensure that persons it has authorised to process the Customer’s personal data have undertaken to observe confidentiality or are subject to an appropriate statutory obligation of secrecy. Duuoo and anyone carrying out work for Duuoo and who has access to the Customer’s personal data may process these data only on the Customer’s instructions which have been accepted by Duuoo unless other processing is required by rules of law or court decision to which Duuoo is subject.
Duuoo may authorise persons only if it is necessary for them to have access to the personal data for the purpose of fulfilling Duuoo’s obligations to the Customer. Duuoo must regularly assess authorisations and close access when authorisations expire or terminate.
Authorised persons may not access Customer data other than for technical operation purposes unless otherwise authorised by Customer. Duuoo and its employees will thus have no knowledge of or insight into the content of Customer data.
Duuoo makes available to the Customer all information required to demonstrate compliance with the requirements in Article 28 of the General Data Protection Regulation and the requirements made of Duuoo in these Data Processing Terms. Duuoo allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
Duuoo will once every year have an ISAE3000 declaration on privacy produced by an independent accountant, and Duuoo will make the declaration available for Customer immediately after Duuoo has received the declaration.
The Customer may request that a physical inspection be conducted at Duuoo. The request must be sent to Duuoo in writing, stating what the Customer wants the inspection to comprise. The Parties then agree on the further circumstances and scope of the inspection, including the time and the form of reporting.
The inspection may only be carried out by a person who accepts Duuoo’s ordinary security measures and a confidentiality clause directly to Duuoo. Duuoo may object to a person appointed by the Customer to conduct an inspection if, in Duuoo’s reasonable assessment, the person appointed is not suitable or qualified to carry out the inspection, including that the person (1) is not independent, (2) is Duuoo’s direct competitor, or (3) is otherwise clearly unsuitable for the task.
If Duuoo objects to the person appointed, the Customer must appoint another person to carry out the inspection.
Supervision of the sub-processors used by Duuoo is carried out through Duuoo. However, the Customer may initiate and participate in a physical inspection, including at sub-processors. Supervision must then take place in compliance with the terms of inspection specified by the sub-processor.
Any costs incurred by Duuoo or sub-processors in connection with physical supervision or inspections held at Duuoo or sub-processors are paid by the Customer. In addition, Duuoo and any sub-processors are entitled to remuneration for the time spent on the inspection determined on the basis of the current price list.
The request for inspections, audits and for information to demonstrate compliance must be made by using Duuoo’s current inspection form when such a form has been published by Duuoo.
Duuoo may amend these Data Processing Terms with ninety (90) days’ notice. Amendments that must necessarily be implemented before the end of this notice period may be implemented immediately. Information on planned amendments will be sent to the Customer by mail or by email subject to Duuoo’s choice. If the Customer does not want to accept the amendments of which notice is given, the Customer may terminate the Subscription Agreement. The Customer has no other powers in consequence of amendments to the Data Processing Terms.
Duuoo and the Customer must each electronically store a version of these Data Processing Terms and the Subscription Agreement and any other agreements of significance to or supplementing these Data Processing Terms.
The Customer must send any inquiries to Duuoo concerning data protection, including requests for supervision and inspection, to:
Ny Carlsberg Vej 80, 2nd floor, DK-1760 Copenhagen, Denmark