Common use of Data Processor’s Obligations Clause in Contracts

Data Processor’s Obligations. The Data Processor acts solely on behalf of and on instructions from the Data Controller in connection with the performance of the agreed Project tasks. The Data Controller thus decides the purposes for which the processing of personal data may take place. The Data Processor undertakes to comply with the Data Protection Rules. Among other things, the Data Processor must (list not exhaustive): Process personal data in accordance with the general principles laid down in Art. 5 of the General Data Protection Regulation. Assist the Data Controller in complying with and protecting the rights of the data subject(s). Prepare a record of processing activities, cf. Art 28(2) of the General Data Protection Regulation. Upon request, the Data Processor must provide the Data Controller with sufficient information to allow the Data Controller to ensure that appropriate technical and organisational security measures have been implemented. Among other things, this includes information about where the personal data are located, as well as physical access to the personal data, if so required by the Data Controller. The Data Processor must ensure that only persons who have a need for such information for the purpose of fulfilling the purpose of the agreement and instructions have access to the personal data. The Data Processor must not, except when instructed by the Data Controller, disclose data which come into the possession of the Data Processor in connection with the performance of the Data Processor’s task. Moreover, the Data Processor must not use or process data from the data processing task for their own purposes or for purposes other than those stipulated by the Data Controller. If, in contravention of this agreement, the Data Processor processes data for their own purposes or for purposes other than the purposes stipulated by the Data Controller, an independent legal basis must exist, and the Data Processor will have the independent status of Data Controller for such processing. If the Data Controller finds that an impact assessment must be carried out, cf. Art. 35 of the General Data Protection Regulation, the Data Processor must contribute to carrying out this impact assessment, if so requested by the Data Controller. The Data Processor must implement appropriate technical and organisational security measures, cf. Art. 32 of the General Data Protection Regulation, to protect the personal data against accidental or unlawful destruction, loss or deterioration, and against any unauthorised disclosure, abuse or processing of the personal data in violation of the Data Protection Rules. As a minimum, the Data Processor is obliged to comply with the following security measures: Electronic registration (logging) of all use of personal data. As a minimum, the registration must contain information about time and user access. Systems, including both software and hardware, used in connection with data processing, must be safe to use and updated. Personal data which must be stored and/or transferred electronically must be encrypted. Personal data must be password-protected. Data storage media and prints must be stored in a safe manner, so that they are not accessible to unauthorised persons. The Data Processor must ensure that only staff members with a work-related purpose have access to the personal data. It must be ensured that the Data Processor's staff members are trained properly and provided with adequate instructions and guidelines on the processing of personal data. The Data Processor is obliged to ensure that the staff members involved in processing personal data are familiar with the security requirements. In connection with the repair and servicing of media containing personal data, and in connection with the discarding of such media, measures must be taken to protect the personal data. The above security regulations also apply to the extent that the Data Processor makes use of home or remote workstations. If the Data Processor is to store personal data for a shorter or longer period of time, the Data Processor is obliged to state where the data are stored. The Data Processor must, within reasonable time, inform the Data Controller of any change of storage location. This form must be filled in by the Data Processor. Data centre location (physical address) CONFIDENTIALITY AND SECRECY In connection with the processing of personal data, the Data Processor's staff members, business partners, external consultants, temporary staff etc. are subject to the duty of secrecy and confidentiality applying to staff members in the public administration. Reference is made to section 27 of the Danish Public Administration Act and sections 152-152(f) of the Danish Criminal Code The Data Processor and any Sub-processors are obliged to inform their own staff members, business partners, external consultants, temporary staff etc. about the duty of secrecy. The Data Processor must keep the personal data confidential, and is thus only entitled to use the personal data as part of the fulfilment of the Data Processor's obligations under the Data Processing Agreement. The Data Processor's obligations to maintain secrecy and confidentiality also apply after termination of the agreement. SUB-PROCESSORS Any transfer of the personal data on the part of the Data Processor to one or more Sub-processors is subject to prior written consent by the Data Controller. If written consent has been obtained in accordance with the above, it is the responsibility of the Data Processor to ensure that the Sub-processors comply with the Data Processing Agreement, as the agreement also applies to Sub-processors. The Data Processor must have concluded data processing agreements with any Sub-processors on terms similar to the terms set out in the present Data Processing Agreement, and must generally ensure compliance with Art. 28(2) and (4) of the General Data Protection Regulation. At the request of the Data Controller, the Data Processor must supply a copy of the sub-processor agreement(s).

Data Processor’s Obligations. The Data Processor acts solely on behalf of and on instructions from the Data Controller in connection with the performance of the agreed Project tasks. The Data Controller thus decides the purposes for which the processing of personal data may take place. The Data Processor undertakes to comply with the Data Protection Rules. Among other things, the Data Processor must (list not exhaustive): Process personal data in accordance with the general principles laid down in Art. 5 of the General Data Protection Regulation. Assist the Data Controller in complying with and protecting the rights of the data subject(s). Prepare a record of processing activities, cf. Art 28(230(2) of the General Data Protection Regulation. Upon request, the Data Processor must provide the Data Controller with sufficient information to allow the Data Controller to ensure that appropriate technical and organisational security measures have been implemented. Among other things, this includes information about where the personal data are located, as well as physical access to the personal data, if so required by the Data Controller. The Data Processor must ensure that only persons who have a need for such information for the purpose of fulfilling the purpose of the agreement and instructions have access to the personal data. The Data Processor must not, except when instructed by the Data Controller, disclose data which come into the possession of the Data Processor in connection with the performance of the Data Processor’s task. Moreover, the Data Processor must not use or process data from the data processing task for their own purposes or for purposes other than those stipulated by the Data Controller. If, in contravention of this agreement, the Data Processor processes data for their own purposes or for purposes other than the purposes stipulated by the Data Controller, an independent legal basis must exist, and the Data Processor will have the independent status of Data Controller for such processing. If the Data Controller finds that an impact assessment must be carried out, cf. Art. 35 of the General Data Protection Regulation, the Data Processor must contribute to carrying out this impact assessment, if so requested by the Data Controller. The Data Processor must implement appropriate technical and organisational security measures, cf. Art. 32 of the General Data Protection Regulation, to protect the personal data against accidental or unlawful destruction, loss or deterioration, and against any unauthorised disclosure, abuse or processing of the personal data in violation of the Data Protection Rules. As a minimum, the Data Processor is obliged to comply with the following security measures: Electronic registration (logging) of all use of personal data. As a minimum, the registration must contain information about time and user access. Systems, including both software and hardware, used in connection with data processing, must be safe to use and updated. Personal data which must be stored and/or transferred electronically must be encrypted. Personal data must be password-protected. Data storage media and prints must be stored in a safe manner, so that they are not accessible to unauthorised persons. The Data Processor must ensure that only staff members with a work-related purpose have access to the personal data. It must be ensured that the Data Processor's staff members are trained properly and provided with adequate instructions and guidelines on the processing of personal data. The Data Processor is obliged to ensure that the staff members involved in processing personal data are familiar with the security requirements. In connection with the repair and servicing of media containing personal data, and in connection with the discarding of such media, measures must be taken to protect the personal data. The above security regulations also apply to the extent that the Data Processor makes use of home or remote workstations. If the Data Processor is to store personal data for a shorter or longer period of time, the Data Processor is obliged to state where the data are stored. The Data Processor must, within reasonable time, inform the Data Controller of any change of storage location. This form must be filled in by the Data Processor. Data centre location (physical address) CONFIDENTIALITY AND SECRECY In connection with the processing of personal data, the Data Processor's staff members, business partners, external consultants, temporary staff etc. are subject to the duty of secrecy and confidentiality applying to staff members in the public administration. Reference is made to section 27 of the Danish Public Administration Act and sections 152-152(f) of the Danish Criminal Code The Data Processor and any Sub-processors are obliged to inform their own staff members, business partners, external consultants, temporary staff etc. about the duty of secrecy. The Data Processor must keep the personal data confidential, and is thus only entitled to use the personal data as part of the fulfilment of the Data Processor's obligations under the Data Processing Agreement. The Data Processor's obligations to maintain secrecy and confidentiality also apply after termination of the agreement. SUB-PROCESSORS Any transfer of the personal data on the part of the Data Processor to one or more Sub-processors is subject to prior written consent by the Data Controller. If written consent has been obtained in accordance with the above, it is the responsibility of the Data Processor to ensure that the Sub-processors comply with the Data Processing Agreement, as the agreement also applies to Sub-processors. The Data Processor must have concluded data processing agreements with any Sub-processors on terms similar to the terms set out in the present Data Processing Agreement, and must generally ensure compliance with Art. 28(2) and (4) of the General Data Protection Regulation. At the request of the Data Controller, the Data Processor must supply a copy of the sub-processor agreement(s).

Data Processor’s Obligations. The Data Processor acts solely on behalf of and on according to written instructions from the Data Controller in connection with the performance of the agreed Project taskstasks in relation to the Project. The Data Controller thus decides the purposes for which the processing of personal data may take place. The Data Processor undertakes to comply with the Data Protection Rules. Among other things, the Data Processor must (list not exhaustive): Process personal data in accordance with the general principles laid down in Art. 5 of the General Data Protection Regulation. Assist the Data Controller in complying with and protecting the rights of the data subject(s). Prepare a record of processing activities, cf. Art 28(2) of the General Data Protection Regulation. Upon request, the Data Processor must provide the Data Controller with sufficient information to allow the Data Controller to ensure that appropriate technical and organisational security measures have been implemented. Among other things, this includes information about where the personal data are located, as well as physical access to the personal data, if so required by the Data Controller. The Data Processor must ensure that only persons who have a need for such information for the purpose of fulfilling Data Processor and the purpose of the agreement and instructions Data Controller have access to the personal data. The Data Processor must not, except when instructed by the Data Controller, disclose data which come into the possession of the Data Processor in connection with the performance of the Data Processor’s task. Moreover, the Data Processor must not use or process data from the data processing task for their own purposes or for purposes other than those stipulated by the Data Controller. If, in contravention of this agreement, the Data Processor processes data for their own purposes or for purposes other than the purposes stipulated by the Data Controller, an independent legal basis must exist, and the Data Processor will have the independent status of Data Controller for such processing. If the Data Controller finds that an impact assessment must be carried out, cf. Art. 35 of the General Data Protection Regulation, the Data Processor must contribute to carrying out this impact assessment, if so requested by the Data Controller. The Data Processor must implement appropriate technical and organisational security measures, cf. Art. 32 of the General Data Protection Regulation, to protect the personal data against accidental or unlawful destruction, loss or deterioration, and against any unauthorised disclosure, abuse or processing of the personal data in violation of the Data Protection Rules. As a minimum, the Data Processor is obliged to comply with the following security measures: Electronic registration (logging) of all If equipment has been supplied for use of personal data. As a minimum, the registration must contain information about time and user access. Systems, including both software and hardware, used in connection with the processing of the data, the Data Processor must use this equipment to perform the agreed data processingprocessing task. If the Data Processor uses his or her own equipment, such as a computer etc., to perform the data processing task, such equipment must be safe password-protected. If the Data Processor creates documents and/or files, the Data Processor is obliged, if technically possible, to use and updatedprotect personal data by password-protecting such documents and/or files. Personal data which The Data Processor must ensure that the Data Controller receives passwords separately from the documents/files. If the Data Processor receives password-protected documents and/or files from the Data Controller, this protection must be stored and/or transferred electronically maintained. If, in connection with the data processing task, there is a need to send personal data via email, the Data Processor must be encrypteduse his or her AAU email account and send the data to the Data Controller's AAU email account. Personal The Data Processor must not forward the personal data to other email addresses, and is therefore also obliged to ensure that their AAU email account is not set up to automatically forwarding emails to another email address. In connection with the performance of the data processing task, the Data Processor must be not use public Wi-Fi networks (e.g. libraries, trains) or internet connections which are not password-protected. Data storage media (e.g. USB keys) and prints must be stored in a safe manner, so that and if technically possible, they are not accessible to unauthorised persons. The Data Processor must ensure that only staff members with a work-related purpose have access to the personal data. It must be ensured that the Data Processor's staff members are trained properly and provided with adequate instructions and guidelines on the processing of personal data. The Data Processor is obliged protected by passwords so as to ensure that the staff members involved in processing personal data are familiar with the security requirements. In connection with the repair and servicing of media containing personal data, and in connection with the discarding of such media, measures must be taken to protect the personal data. The above security regulations also apply to the extent that the Data Processor makes use of home or remote workstations. If the Data Processor is to store personal data for a shorter or longer period of time, the Data Processor is obliged to state where the data are stored. The Data Processor must, within reasonable time, inform the Data Controller of any change of storage location. This form must be filled in by the Data Processor. Data centre location (physical address) CONFIDENTIALITY AND SECRECY In connection with the processing of personal data, the Data Processor's staff members, business partners, external consultants, temporary staff etc. are subject to the duty of secrecy and confidentiality applying to staff members in the public administration. Reference is made to section 27 of the Danish Public Administration Act and sections 152-152(f) of the Danish Criminal Code The Data Processor and any Sub-processors are obliged to inform their own staff members, business partners, external consultants, temporary staff etc. about the duty of secrecy. The Data Processor must keep the personal data confidential, and is thus only entitled to use the personal data as part of the fulfilment of the Data Processor's obligations under the Data Processing Agreement. The Data Processor's obligations to maintain secrecy and confidentiality also apply after termination of the agreement. SUB-PROCESSORS Any transfer of the personal data on the part of the Data Processor to one or more Sub-processors is subject to prior written consent by the Data Controller. If written consent has been obtained in accordance with the above, it is the responsibility of the Data Processor to ensure that the Sub-processors comply with the Data Processing Agreement, as the agreement also applies to Sub-processors. The Data Processor must have concluded data processing agreements with any Sub-processors on terms similar to the terms set out in the present Data Processing Agreement, and must generally ensure compliance with Art. 28(2) and (4) of the General Data Protection Regulation. At the request of the Data Controller, the Data Processor must supply a copy of the sub-processor agreement(s)prevent unauthorised access.