Last update: 25/4/2023

This Data Processing DPA (“DPA”) supplements the Terms of Service (the “Agreement”) and the Service Level Agreement entered into by and between Client (as defined in the Agreement) and STRØMWORKS ApS, a Danish corporation located at 1 Amagertorv, 4, 1160 Copenhagen, Denmark (“Strøm”). By executing an Agreement with Strøm, Client enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.

Summary

The DPA sets forth the terms and conditions governing the Processing of Personal Data by STRØMWORKS ApS on behalf of the Client in connection with the Services, including the obligation to Process Personal Data in accordance with the Client's documented instructions, to inform the Client of any legal requirements, to promptly notify the Client of any Personal Data breach, to ensure confidentiality, to implement appropriate technical and organisational measures for security, to obtain the Client's consent for any Sub-processors, and to assist the Client in fulfilling Data Subject rights. The DPA shall remain in effect for the duration of the SLA and upon termination, STRØMWORKS ApS shall delete or return all Personal Data to the Client and delete any existing copies unless required by law.

1. Definitions and Interpretation

  1. In this Data Processing Addendum ("DPA"), unless the context requires otherwise, the following terms shall have the meanings ascribed to them below:
    1. "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
    2. "Data Subject" means an identified or identifiable natural person;
    3. "Personal Data" means any information relating to a Data Subject;
    4. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means;
    5. "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller;
    6. "Subprocessor" means any Processor engaged by the Processor to Process Personal Data on behalf of the Controller;
    7. "GDPR" means the General Data Protection Regulation (EU) 2016/679;
    8. "Service Level Agreement" or "SLA" means the agreement entered into between the parties for the provision of services by STRØMWORKS ApS to the Client;
    9. "Client" means the Controller who is a party to the SLA;
    10. "Services" means the services provided by STRØMWORKS ApS to the Client under the SLA.

2. Purpose and Scope

  1. This DPA forms part of the SLA and sets forth the terms and conditions governing the Processing of Personal Data by STRØMWORKS ApS (herein under TrueTwins) on behalf of the Client in connection with the Services.
  2. 2.2. The parties agree that for the purposes of this DPA, the Client shall be the Controller and STRØMWORKS ApS shall be the Processor.

3. Processing of Personal Data

  1. STRØMWORKS ApS shall only Process Personal Data on behalf of and in accordance with the Client's documented instructions, unless required to do so by applicable law. In such a case, STRØMWORKS ApS shall inform the Client of that legal requirement before Processing, unless prohibited by law.
  2. STRØMWORKS ApS shall promptly inform the Client if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
    1. STRØMWORKS ApS shall notify the Client without undue delay, and if possible, within 24 hours after discovering a Personal Data breach. The notification shall contain sufficient information to enable the Client to assess the breach and comply with its reporting obligations under the GDPR, if applicable, which may include reporting the breach to the supervisory authority within 72 hours.
    2. The notification shall, at a minimum, include the following information:
      1. Description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
      2. The likely consequences of the breach;
      3. The measures taken or proposed by STRØMWORKS ApS to address the breach and mitigate its adverse effects; and
      4. Contact details for further information and assistance in relation to the breach.

4. Confidentiality

  1. STRØMWORKS ApS shall ensure that any person it authorises to Process Personal Data on behalf of the Client is subject to a duty of confidentiality, whether a contractual or statutory obligation.

5. Security of Personal Data

  1. STRØMWORKS ApS shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the Processing of Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects.

6. Subprocessing