Relocare Social Security App
By using Relocare’s Social Security App and any module or feature associated with the application (referred to herein as “App”), the Data Responsible (the Customer) will be responsible for its processing of Personal Information in the App. The Data Processor (Relocare) will process Personal Information on behalf of the Data Responsible.
In order to ensure that the Parties fulfill their own obligations under the national data protection rules as well as the European Parliament amt Council Regulation (EU) 2016/279 (“GDPR”), the Parties have entered into this data processing agreement (the “Agreement”), which constitutes the instructions of the Data Responsible to the Data Processor and thus regulates the Data Processor’s processing of Personal Data on behalf of the Data Responsible.
Both Parties confirm that they have the authority to sign the Agreement.
The definition of Personal Data, specific categories of data (sensitive information) and Processing, the Registered, Data Responsible and Data Processor are the same as in the relevant personal data legislation, including GDPR.
The Agreement governs the Data Processor’s processing of personal data on behalf of the Data Responsible, and describes how the Data Processor shall assist in the protection of privacy on behalf of the Data Responsible and its Employees trough technical and organizational measures required under applicable data protection legislation, including GDPR of 25. May 2018.
The purpose of the Data Processor’s processing of Personal Data on behalf of the Data Responsible is to ensure the Data Responsible’s use of the App and the fulfillment of this Agreement.
However, the Agreement does not take precedence if the Parties have entered into another data processor agreement, which states that the data processor agreement takes precedence over this agreement.
The obligations of the Data Processor
The Data Processor must only process personal data on behalf of and as a result of the Data Responsible’s instructions. By entering into this agreement, the Data Responsible instructs the Data Processor to process personal data in the following ways:
- In accordance with applicable law,
- In order to fulfill its obligations under the App License and subscription Terms,
- As further specified by the Data Responsible’s normal use of the App, and as described in this Agreement.
The categories of Registered and Personal Data processed under this Agreement are described in Appendix A.
As part of being able to provide the App, the Data Processor will at all times strive to provide the Data Responsible with solutions that come with technical and regulatory developments. The Data Processor monitors the needs of the individual Data Responsible by registration how the Data Responsible and his representatives use the App, since it is a legal demand to apply for A1 certificates.
Data Processor does this as a basis for developing and improving the App and generally providing better services and providing more relevant communication to the Data Responsible and its representatives. The goal is for the Data Responsible to be able to solve as many challenges and compliance regulatives as possible in one place. To the extent that Personal Data from App is included in this work, it is processed in accordance with this agreement and applicable law and may be shared with companies in the group for the purpose of this work only.
It is underlined, that personal data belonging to present, departed or deceased employees or others, is not a part of the test development environment.
The Data Processor has no reason to believe that current legislation prevents the Data Processor from complying with the instructions set out above. The Data Processor, if it becomes aware of this, will notify the Data Responsible of instructions or other processing activities performed by the Data Responsible which, in the Data Processor’s opinion, contravene the applicable data protection law.
Taking into account the technology available and the cost of implementation, as well as the scope, context and purpose of the processing, the Data Processor is required to take all reasonable measures, including technical and organizational, to ensure an adequate level of security in relation to the risk and the category of personal data that needs to be protected.
The Data Processor shall assist the Data Responsible with appropriate technical and organizational measures where possible and taking into account the nature of the processing and the category of information available to the Data Processor to ensure compliance with the Data Responsible’s obligations under applicable Data Protection Laws, including as regards assistance in meeting requests from Registered as well as general compliance with the provisions of Articles 32-36 of the GDPR.
The Data Processor must notify the Data Responsible without undue delay through the contact person stated in the Data Processor Agreement if the Data Processor becomes aware of a security breach. At present this email must be used (insert email) This information must be given within 24 hours after the security breach is identified.
In addition, the Data Processor shall, as far as possible and legally, notify the Data Responsible if a request for access to Personal Data is received directly from the Registered or directly from state authorities, including the police.
The Data Processor may not respond to such requests from Registered unless authorized by the Data Responsible. Furthermore, the Data Processor will not disclose information about this agreement to state authorities such as the police, including personal data, unless the Data Processor is required by law, by a court order or similar.
If the Data Controller requires information or assistance regarding security measures, documentation or information on how the Data Processor processes personal data in general, and such request contains information that goes beyond what is required by applicable Data Protection Law, the Data Processor may require payment for such additional services.
The Data Processor and its employees must ensure confidentiality in relation to personal data processed under the Agreement. This provision shall also apply after termination of the Agreement. The Data Responsible employees personal data is only handled by trained and educated staff, whom are compliant with the obligations under this agreement.
The obligations of the Data Responsible
Upon entering into this agreement, the Data Responsible confirms that:
- The Data Responsible shall, using the App provided by the Data Processor, only process Personal Data in accordance with the requirements of the applicable Data Protection Law.
- The Data Responsible has a legal basis for processing and disclosing Personal Data to the Data Processor (including possible sub-processors used by the Data Processor).
- The Data Responsible is responsible for the accuracy, integrity, content of the reliability and legality of the Personal Data processed by the Data Processor.
- The Data Responsible has fulfilled all mandatory requirements and obligations in relation to notification or obtaining permission from the relevant public authorities with regards to the processing of Personal Data.
- The Data Responsible has fulfilled its disclosure obligations to the Registered regarding the processing of Personal Data in accordance with applicable data protection legislation.
- The Data Responsible agrees that the Data Processor has provided the relevant guarantees regarding the implementation of technical and organizational security measures to safeguard the rights of data subjects and their Personal Data.
- The Data Responsible shall not use any sensitive information other than those specified in Appendix A. when using the App.
- The Data Responsible must have an up-to-date list of the categories of Personal Data that it processes, this is especially true to the extent that such processing contains personal sensitive information.
Use of Sub-Data processors and transfer of data
As part of the operation of the App, the Data Processor uses subcontractors (“Sub-Data Processors”). Such Sub-Data Processors may be other companies associated with Relocare, or third party suppliers in the EU / EEA. The Data Processor’s subcontractors are informed in appendix B, if they are contracted.
The Data Processor must ensure that its Sub-Data Processors comply with similar obligations and requirements set forth in the Agreement. Data Processor must ensure, that Sub-Data-Processors are guaranteeing that they will complete appropriate technical and organizational measures in such a way, that handling of the personal data complies with the Data Protection Regulation acts (back-to-back-terms) – however with the exception of Apple, Microsoft and Google. For these companies’ reference is made to their privacy statements & policy. All use of Sub-Data Processors is subject to the Relocare Privacy Statement.
This Agreement constitutes the prior general and specific written approval of the Data Responsible for the Data Processor’s use of Sub-Data Processors.
The Data Responsible must be notified, before the Data Processor changes their suppliers. The Data Responsible does however only have the right to object towards a new Sub-Data-Processor whom will treat personal information’s on behalf of the Data Responsible, if the Sub-Data-Processor does not handle data in agreement with the Data Protection Act. In such a situation, the Data Processor can give the Data Responsible access to the evaluation made by the Data Process of the Sub-Data-Processor upon request. If there are disagreements based on the use of the Sub-Data-Processor the Data Responsible can request that their account in App is deleted and that the Data Responsible employee data is not treated by the Sub-Data-Processor in question.
The Data Processor is required to ensure a high level of security in its products and services, which is ensured by relevant organizational, technical and physical security measures required by information on security measures as described in Article 32 of the GDPR.
Furthermore, Relocare’s internal data protection policies aim to ensure the confidentiality, integrity, resilience and access to Personal Data. The following measures are particularly important:
- Classification of Personal Data to ensure the implementation of security measures relevant to risk assessments.
- Assessment of encryption and pseudonymization as risk reducing factors.
- Limit access to Personal Data to the relevant persons required to comply with the requirements and obligations of the Agreement or pursuant to the Parties Agreement on the use of the App.
- Mapping the security structure and how Personal Data is transferred between the Parties.
- Conduct own security assessment to ensure that current technical and organizational measures are adequate for the protection of Personal Data, including in accordance with Article 32 of the GDPR on Security of Security and Article 25 on Privacy by Design and Default.
Access to audit
The Data Responsible is entitled to initiate a review of the Data Processor’s obligations under the Agreement once a year. If the Data Responsible is obliged to do so in accordance with current legislation, audits can be performed more often once a year. When requesting an audit, the Data Responsible must provide a detailed audit plan with a description of the scope, duration and start date at least four weeks in advance of the proposed start date. It must be decided jointly between the Parties if a third party is to conduct the audit. However, the Data Responsible may allow the Data Processor to decide that for security reasons, the audit should be performed by a neutral third party of the Data Processor’s choice, in the case of a processing environment in which multiple Data Responsible’s’ data have been used.
If the proposed scope of the audit follows an ISAE, ISO or similar certification report conducted by a qualified third party auditor within the previous twelve months and the Data Processor confirms that there have been no material changes to the measures under review, the Data Responsible shall accept this audit instead of requesting a new revision of the measures already covered.
In any case, audits must be conducted during normal office hours at the appropriate facility in accordance with the Data Processor’s policies and shall not unduly interfere with the Data Processor’s usual commercial activities.
The Data Responsible is responsible for all costs related to the audit request. The Data Processor’s assistance in connection therewith, which exceeds the ordinary service that the Data Processor must provide as a result of applicable data protection legislation, is charged separately.
Duration and termination
The Agreement is valid as long as the Data Processor processes Personal Data on behalf of the Data Responsible in connection with the Data Responsible’s use of the App.
This Agreement will automatically terminate upon deletion of Data Responsible’s account in the App. Upon termination of the account, the Data Processor will delete all Personal Data processed by the Data Processor on behalf of the Data Responsible during the Agreement.
The Data Processor is entitled to retain Personal Data after termination of the Agreement to the extent required by applicable law, which will then be in accordance with the technical and organizational security measures described in the agreement.
Amendments to the Agreement must be included in a separate annex to the Agreement.
If any of the provisions of the Agreement are invalid, this will not affect the remaining provisions. The Parties must replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.
Law and jurisdiction
The agreement is governed by Danish law and any dispute must be referred to a Danish court.
The agreement is hereby concluded between the following Parties:
Data Responsible Data Processor
Date & Place Date & Place
Company & responsible Company & responsible
Appendix A – Categories of Personal Data & Registered
- Categories of Registered and Personal Data processed under the Agreement
Categories of Personal Data
- First name & last name
- Title / Job title
- Company Email
- Residential address
- Social Security Number
- Language Preference
- Social security country
- Full or part time employment
- Employment contract
- Location access. Social Security App, uses location data for automatic registration when users travel into an EU country. The feature will proactively ask the user to record a business trip if it is work related. Location data is used even if the users app is closed or not in use. Users have to accept this in the applications. The location data is only stored when the user confirms a business trip. Location data is only stored on country level i.e. for instance Ireland. Nobody can see if the user is in for instance Dublin or Galway.
- Time log registration will used to find bugs and solve possible errors. Time logs are separated to a separated part of the server and are impersonalized.
Appendix A – Categories of Personal Data & Registered
1. Categories of Registered and Personal Data processed under the Agreement
Categories of registered personal
1. The Data Responsible administrators
2. The Data Responsible employees
3. The Data responsible contact personal
Categories of Personal Data
1. First name & last name
2. Title / Job title
4. Company Email
5. Residential address
6. Social Security Number
7. Language Preference
8. Social security country
11. Full or part time employment
12. Employment contract
13. Location access. Social Security App, uses location data for automatic registration when users travel into an EU country. The feature will proactively ask the user to record a business trip if it is work related. Location data is used even if the users app is closed or not in use. Users have to accept this in the applications. The location data is only stored when the user confirms a business trip. Location data is only stored on country level i.e. for instance Ireland. Nobody can see if the user is in for instance Dublin or Galway.
14. Time log registration will used to find bugs and solve possible errors. Time logs are separated to a separated part of the server and are impersonalized.
Appendix B – Use of Sub-data and transfer of data
Relocare has currently no agreement with any freelancer who has access to personal data except.
The following companies host or send personal data:
Transfer of data:
Google Dublin Google Building Gordon House
|Hosting of data:|
Microsoft Ireland Operations Ltd
|IE8256796U||One Microsoft Place, South County Business Park Leopardstown, Dublin 18, D18 P521 Ireland|
Last revised December 202