Relocare Social Security App
By using Relocare’s Social Security App and any module or feature associated with the application (referred to herein as “App”), the Data Responsible will be responsible for its processing of Personal Information in the App. The Data Processor will process Personal Information on behalf of the Data Responsible.
In order to ensure that the Parties fulfill their own obligations under the national data protection rules as well as the European Parliament and Council Regulation (EU) 2016/279 (“GDPR”), the Parties have entered into this data processing agreement (the “Agreement”), which constitutes the instructions of the Data Responsible to the Data Processor and thus regulates the Data Processor’s processing of Personal Data on behalf of the Data Responsible.
Both Parties confirm that they have the authority to sign the Agreement.
The definition of Personal Data, specific categories of data (sensitive information) and Processing, the Registered, Data Responsible and Data Processor are the same as in the relevant personal data legislation, including GDPR.
The Agreement governs the Data Processor’s processing of personal data on behalf of the Data Responsible, and describes how the Data Processor shall assist in the protection of privacy on behalf of the Data Responsible and its Registered through technical and organizational measures required under applicable data protection legislation, including GDPR of 25. May 2018.
The purpose of the Data Processor’s processing of Personal Data on behalf of the Data Responsible is to ensure the Data Responsible’s use of the App and the fulfillment of this Agreement.
However, the Agreement does not take precedence if the Parties have entered into another data processor agreement, which states that the data processor agreement takes precedence over this agreement.
The obligations of the Data Processor
The Data Processor must only process personal data on behalf of and as a result of the Data Responsible’s instructions. By entering into this agreement, the Data Responsible instructs the Data Processor to process personal data in the following ways:
- In accordance with applicable law,
- In order to fulfill its obligations under the App Subscription Terms,
- As further specified by the Data Responsible’s normal use of the App, and as described in this Agreement.
The categories of Registered and Personal Data processed under this Agreement are described in Appendix A. As part of being able to provide the App, the Data Processor will at all times strive to provide the Data Responsible solutions that come with technical and regulatory developments. The Data Processor monitors the needs of the individual Data Responsible by registering how the Data Responsible and his representatives use the App. The Data Processor does this as a basis for developing and improving the App and generally providing better services and providing more relevant communication to the Data Responsible and its representatives. The goal is for the Data Responsible to be able to solve as many challenges as possible in one place. To the extent that Personal Data from the App is included in this work, it is processed in accordance with this agreement and applicable law and may be shared with companies in the group for the purpose of this work only.
The Data Processor has no reason to believe that current legislation prevents the Data Processor from complying with the instructions set out above. The Data Processor, if it becomes aware of this, will notify the Data Responsible of instructions or other processing activities performed by the Data Responsible which, in the Data Processor’s opinion, contravene the applicable data protection law.
Taking into account the technology available and the cost of implementation, as well as the scope, context and purpose of the processing, the Data Processor is required to take all reasonable measures, including technical and organizational, to ensure an adequate level of security in relation to the risk and the category of personal data that needs to be protected.
The Data Processor shall assist the Data Responsible with appropriate technical and organizational measures where possible and taking into account the nature of the processing and the category of information available to the Data Processor to ensure compliance with the Data Responsible’s obligations under applicable Data Protection Laws, including as regards assistance in meeting requests from Registered as well as general compliance with the provisions of Articles 32-36 of the GDPR.
The Data Processor must notify the Data Responsible without undue delay through the contact person stated in the Data Processor Agreement if the Data Processor becomes aware of a security breach.
In addition, the Data Processor shall, as far as possible and legally, notify the Data Responsible if a request for access to Personal Data is received directly from the Registered or directly from state authorities, including the police.
The Data Processor may not respond to such requests from Registered unless authorized by the Data Responsible. Furthermore, the Data Processor will not disclose information about this agreement to state authorities such as the police, including personal data, unless the Data Processor is required by law, by a court order or similar.
If the Data Controller requires information or assistance regarding security measures, documentation or information on how the Data Processor processes personal data in general, and such request contains information that goes beyond what is required by applicable Data Protection Laws, the Data Processor may require payment for such additional services.
The Data Processor and its employees must ensure confidentiality in relation to personal data processed under the Agreement. This provision shall also apply after termination of the Agreement.
The obligations of the Data Responsible
Upon entering into this agreement, the Data Responsible confirms that:
- The Data Responsible shall, using the App provided by the Data Processor, only process Personal Data in accordance with the requirements of the applicable Data Protection Law.
- The Data Responsible has a legal basis for processing and disclosing Personal Data to the Data Processor (including sub-processors used by the Data Processor).
- The Data Responsible is responsible for the accuracy, integrity, content, reliability and legality of the Personal Data processed by the Data Processor.
- The Data Responsible has fulfilled all mandatory requirements and obligations in relation to notification or obtaining permission from the relevant public authorities with regards to the processing of Personal Data.
- The Data Responsible has fulfilled its disclosure obligations to the Registered regarding the processing of Personal Data in accordance with applicable data protection legislation.
- The Data Responsible agrees that the Data Processor has provided the relevant guarantees regarding the implementation of technical and organizational security measures to safeguard the rights of data subjects and their Personal Data.
- The Data Responsible shall not use any sensitive information other than that specified in Appendix A when using the App.
- The Data Responsible must have an up-to-date list of the categories of Personal Data that it processes; this is especially true to the extent that such processing contains personal sensitive information.
Use of Sub-Data processors and transfer of data
As part of the operation of the App, the Data Processor uses subcontractors (“Sub-Data Processors”). Such Sub-Data Processors may be other companies associated with Relocare, or third party suppliers in the EU / EEA. The Data Processor’s subcontractors are currently CapWorks ApS.
The Data Processor must ensure that its Sub-Data Processors comply with similar obligations and requirements set forth in the Agreement. All use of Sub-Data Processors is subject to the Relocare Privacy Statement.
This Agreement constitutes the prior general and specific written approval of the Data Responsible for the Data Processor’s use of Sub-Data Processors.
If a Sub-Data Processor is established outside or Personal Data is stored outside the EU / EEA, the Data Responsible authorizes the Data Processor to secure a sufficient basis for the transfer of Personal Data to third countries on behalf of the Data Responsible, including using the EU Commission’s Standard Contracts or in accordance with the Privacy Shield.
The Data Responsible must be informed before the Data Processor replaces its Sub-Data Processors. However, the Data Responsible is only entitled to protest against a new Sub-Data Processor, which processes Personal Data on behalf of the Data Responsible if it does not process data in accordance with applicable data protection legislation. In such a situation, the Data Processor must demonstrate compliance by giving the Data Responsible access to the Data Processor’s data protection assessment of the Sub-Data Processor. If there is still disagreement about the use of the Sub-Data Processor, the Data Responsible may request the deletion of his account in the App and that the Data Responsible’s Personal Data will not be processed by the Sub-Data Processor concerned.
The Data Processor is required to ensure a high level of security in its products and services, which is ensured by relevant organizational, technical and physical security measures required by information on security measures as described in Article 32 of the GDPR.
Furthermore, Relocare’s internal data protection policies aim to ensure the confidentiality, integrity, resilience and access to Personal Data. The following measures are particularly important:
- Classification of Personal Data to ensure the implementation of security measures relevant to risk assessments.
- Assessment of encryption and pseudonymization as risk reducing factors.
- Limit access to Personal Data to the relevant persons required to comply with the requirements and obligations of the Agreement or pursuant to the Parties’ agreement on the use of the App.
- Mapping the security structure and how Personal Data is transferred between the Parties.
- Conduct own security assessment to ensure that current technical and organizational measures are adequate for the protection of Personal Data, including in accordance with Article 32 of the GDPR on Security of Processing and Article 25 on Privacy by Design and Default.
Access to audit
The Data Responsible is entitled to initiate a review of the Data Processor’s obligations under the Agreement once a year. If the Data Responsible is obliged to do so in accordance with current legislation, audits can be performed more often than once a year. When requesting an audit, the Data Responsible must provide a detailed audit plan with a description of the scope, duration and start date at least four weeks in advance of the proposed start date. It must be decided jointly between the Parties if a third party is to conduct the audit. However, the Data Responsible may allow the Data Processor to decide that for security reasons, the audit should be performed by a neutral third party of the Data Processor’s choice, in the case of a processing environment in which multiple Data Responsibles’ data have been used.
If the proposed scope of the audit follows an ISAE, ISO or similar certification report conducted by a qualified third party auditor within the previous twelve months and the Data Processor confirms that there have been no material changes to the measures under review, the Data Responsible shall accept this audit instead of requesting a new revision of the measures already covered.
In any case, audits must be conducted during normal office hours at the appropriate facility in accordance with the Data Processor’s policies and shall not unduly interfere with the Data Processor’s usual commercial activities.
The Data Responsible is responsible for all costs related to the audit request. The Data Processor’s assistance in connection therewith, which exceeds the ordinary service that the Data Processor must provide as a result of applicable data protection legislation, is charged separately.
Duration and termination
The Agreement is valid as long as the Data Processor processes Personal Data on behalf of the Data Responsible in connection with the Data Responsible’s use of the App.
This Agreement will automatically terminate upon deletion of Data Responsible’s account in the App. Upon termination of the account, the Data Processor will delete all Personal Data processed by the Data Processor on behalf of the Data Responsible during the Agreement.
The Data Processor is entitled to retain Personal Data after termination of the Agreement to the extent required by applicable law, which will then be in accordance with the technical and organizational security measures described in the agreement.
Amendments to the Agreement must be included in a separate annex to the Agreement.
If any of the provisions of the Agreement are invalid, this will not affect the remaining provisions. The Parties must replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.
Law and jurisdiction
The agreement is governed by Danish law and any dispute must be referred to a Danish court.
The agreement is hereby concluded between the following Parties:
Data Responsible Data Processor
Date & Place Date & Place
Company & responsible Company & responsible
Appendix A – Categories of Personal Data & Registered
- Categories of Registered and Personal Data processed under the Agreement
Categories of Personal Data
- First name & last name
- Title / Job title
- Company Email
- Residential address
- Social Security Number
- Language Preference
- Social security country
- Full or part time employment
- Employment contract
Last revised September 2019.