Data Processing Agreement

1. PARTIES

    1. This agreement on collection, storage and use of documents and information (hereinafter the “Data Processing Agreement”) has been entered into by and between the Customer and

bodydox ApS
Skydebanegade 40, 4. th. 
DK-1709 Copenhagen 
(the “Data Processor”, “we”, “our”, “us”, etc.)

2. DEFINITIONS

    1. Terms and expressions with capital first letters used in this Data Processing Agreement shall have the meanings set out in this Clause 2.
    2. “Confidential Information” means all information of a technical, business, infrastructural or similar nature, irrespective of whether this information has been documented, except for information which is or will be made available in another way than through breach of this Data Processing Agreement, and all Personal Data.
    3. “Customer”, “you”, “yours”, etc. shall mean a free trial user or subscriber of Services provided by us.
    4. “Data Subject” shall mean the identified or identifiable natural person to whom Personal Data refers.
    5. “GDPR” shall mean the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data). In Denmark, GDPR is supplemented by the Act on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (Act No. 502 of 23 May 2018 as amended from time to time, the “Data Protection Act”). Under this Data Processing Agreement, a reference to GDPR shall also be a reference to the Data Protection Act.
    6. “Parties” shall mean the Customer and the Data Processor jointly and each a “Party”.
    7. “Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Categories of Personal Data processed by the Data Processor under this Data Processing Agreement are set out in Appendix 1.
    8. “Pre-Approved Subcontractors” shall be our subcontractors listed in Appendix 2, which have been approved by the Customer.
    9. “Privacy Policy” shall mean our Privacy Policy as updated from time to time. The current, applicable Privacy Policy is available on our website here: bodydox’s Privacy Policy.
    10. “Services” shall mean all services rendered to you by us, including, but not limited to, our provision of a license to use bodydox and other IT tools or software programs developed by us, hosting of data, support services etc.
    11. “Third Party” shall mean a natural or legal person, public authority, agency or body other than the Data Subject, the Data Processor, the Customer and persons who, under the direct authority of the Data Processor or the Customer, are authorized to process Personal Data.
    12. “Terms and Conditions” shall mean our Terms and Conditions for the Customer’s use of the Services.
    13. “Effective Date” shall have the meaning set forth in Clause 16.1.

3. SCOPE

    1. This Data Processing Agreement concerns the Parties’ obligations related to our processing of Personal Data for the Customer in connection to the Customer’s use of our Services.
    2. Under this Data Processing Agreement, the Customer shall decide for what purpose and by use of what tools Personal Data may be processed.
    3. This Data Processing Agreement shall apply to all our current and future Services to all companies within the Customer’s group of companies for whom we process Personal Data.
    4. The categories of Personal Data processed by us under this Data Processing Agreement are set out in Appendix 1.

4. ORDER OF PRECEDENCE

    1. This Data Processing Agreement forms part of our Terms and Conditions for the Customer’s use of the Services. In case of any inconsistencies between this Data Processing Agreement and our Terms and Conditions, this Data Processing Agreement shall prevail.
    2. We process Personal Data on your behalf in connection to your use of our Services. We process Personal Data in accordance with the GDPR, including applicable Danish legislation issued according to the GDPR or as a supplement hereto.
    3. By entering into this Data Processing Agreement, we are instructed by you to process Personal Data for the purpose of providing our Services to you.
    4. We are not entitled to make use of Personal Data provided by you, for purposes other than fulfillment of this Data Processing Agreement. However, we are entitled to use anonymized data (that can no longer be categorized as “Personal Data”) for historical, statistical, scientific or similar purposes.

5. AUTHORISATION TO PROCESS PERSONAL DATA

    1. As a main rule, we process and store all Personal Data within the EU/EEA. However, our subcontractors may be located or process Personal Data outside the EU/EEA, including e.g. the US. The Customer has provided his/her consent to our use of the Pre-Approved Subcontractors, listed in Appendix 2, as subcontractors.
    2. Further information on our storage of Personal Data and use of subcontractors can be found in our Privacy Policy.
    3. Before transferring Personal Data to a third country or an international organization outside the EU/EEA, you must, as the data controller, assess whether such transfer of Personal Data ensures an adequate level of protection of the Personal Data and ensure that the transfer is in accordance with rules on transfers of Personal Data to third countries or international organizations according to the GDPR.
    4. We will ensure that any sub-processing agreements between us and the Pre-Approved Subcontractors outside the EU or EEA ensure an adequate level of protection of the Personal Data and, if necessary, have been entered into pursuant to the EU Commission’s decision 2010/87/EU regarding the standard model contract for transfer of Personal Data to countries outside the EU or EEA, in addition to any permission from data protection authorities if legally required.

6. STORAGE OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

    1. As a main rule, we process and store all Personal Data within the EU/EEA. However, our subcontractors may be located or process Personal Data outside the EU/EEA, including e.g. the US. The Customer has provided his/her consent to our use of the Pre-Approved Subcontractors, listed in Appendix 2, as subcontractors.
    2. Further information on our storage of Personal Data and use of subcontractors can be found in our Privacy Policy.
    3. Before transferring Personal Data to a third country or an international organization outside the EU/EEA, you must, as the data controller, assess whether such transfer of Personal Data ensures an adequate level of protection of the Personal Data and ensure that the transfer is in accordance with rules on transfers of Personal Data to third countries or international organizations according to the GDPR.
    4. We will ensure that any sub-processing agreements between us and the Pre-Approved Subcontractors outside the EU or EEA ensure an adequate level of protection of the Personal Data and, if necessary, have been entered into pursuant to the EU Commission’s decision 2010/87/EU regarding the standard model contract for transfer of Personal Data to countries outside the EU or EEA, in addition to any permission from data protection authorities if legally required.

7. CONFIDENTIALITY

    1. The Parties accept, both for the duration of this Data Processing Agreement and subsequently, not to disclose any Confidential Information to a Third Party. This non-disclosure obligation shall not apply to (a) information which a Party is obliged to disclose under applicable law, regulations or stock exchange rules, (b) information provided to the client of the Customer if such information originates from or regards such client of the Customer, or (c) information which a Party can document has been created by the Party itself.
    2. The Parties shall ensure that employees and consultants who receive Confidential Information are obliged to accept a similar obligation regarding Confidential Information from the other Party and the cooperation in general in accordance with this Data Processing Agreement.
    3. We will ensure that all people employed by us with access to Personal Data are familiar with this Data Processing Agreement and are subject to the provisions of this Data Processing Agreement.  

8. APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES

    1. We, as the Data Processor, must, taking the risks related to the processing of Personal Data for the Customer into consideration, implement appropriate and reasonable technical and organizational measures to ensure a level of security that matches the risks of our processing of Personal Data under this Data Processing Agreement, including reasonably ensuring a) pseudonymisation and encryption of Personal Data; b) continuous confidentiality, integrity, availability and robustness of the processing systems and services for which the Data Processor is responsible; c) timely recovery of the availability of and access to Personal Data in case of a physical or technical incident; d) a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure processing security; e) that Personal Data is not accidentally or unlawfully destroyed, lost or impaired, and is protected against any unauthorized disclosure, abuse or any other processing in violation of applicable law on Personal Data.
    2. The Customer shall determine the appropriate level of technical and organizational measures. However, the Data Processor shall, upon prior written request from the Customer and within reasonable time-limits from such a request, provide the Customer with sufficient information to document that the abovementioned technical and organizational security measures have been taken.

9. DATA SUBJECTS’ RIGHTS

    1. The Data Processor shall upon request from the Customer, at the cost of the Customer and without undue delay provide all reasonable assistance and information to the Customer related to request from Data Subjects concerning the Data Processor’s processing of Personal Data for the Customer, including requests related to exercising of the Data Subjects’ rights according to the GDPR.
    2. The Data Processor’s fees for assistance to the Customer are regulated in Clause 14.

10. DATA SECURITY BREACH

    1. In case of a Data Security Breach for which the Data Processor (or any Pre-Approved Subcontractor) is responsible, the Data Processor shall inform the Customer hereof without undue delay. 

11. USE OF SUBCONTRACTORS 

    1. We may not use any subcontractors without the Customer’s prior written approval. 
    2. The Customer has provided its consent to our use of the Pre-Approved Subcontractors, listed in Appendix 2, as subcontractors.
    3. The Data Processor must inform the Customer of any plans to either add or replace Pre-Approved Subcontractors. No sub Data Processor may be added to the list of the Pre-Approved Subcontractors without the Customer’s prior written approval. 
    4. If we use a subcontractor to carry out specific processing activities on behalf of the Customer, the same data protection obligations as are described in this Data Processing Agreement shall be imposed on the subcontractor in a written agreement. 
    5. When we use a subcontractor to provide the Services to you under this Data Processing Agreement, we remain liable for the subcontractor’s actions or failures to act/breach on the same terms as for our own Services.
    6. All communication between the Customer and the subcontractor shall go through the Data Processor. 

12. THE CUSTOMER’S ACCESS TO PERSONAL DATA

    1. During the term of this Data Processing Agreement, the Customer has full access to any Personal Data being processed by the Data Processor for the Customer. The Customer will not have access to Personal Data processed by the Data Processor for other customers.
    2. If the Customer so requests, the Data Processor is obliged to keep a back-up copy of the Personal Data and additional information available in the Data Processor’s systems for up to thirty (30) days after the expiry or termination of the Data Processing Agreement. Provided such request has been made, the Customer may, until the expiration of such 30-day period and irrespective of the reason for the expiry of the Data Processing Agreement, request for an access to any Personal Data and additional information recorded in such back-up copy. 
    3. The Data Processor may only disclose Personal Data and information to the Customer and/or to a Third Party appointed by the Customer. 

13. COOPERATION WITH THE SUPERVISORY AUTHORITY

    1. The Data Processor must always provide supervisory authorities and the Customer with the necessary access to and insight into the Personal Data which is being processed and the systems used.
    2. The Parties and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

14. COSTS AND FEES

    1. With the exemptions set forth in Clause 14.2-14.4, costs related to the Data Processor’s obligations under this Data Processing Agreement are included in the fees paid by the Customer to us for the Customer’s use of the Services.
    2. Notwithstanding Clause 14.1, costs related to the Customer’s revision, inspection or audit of our processing of Personal Data for the Customer, shall be borne by the Customer. 
    3. Notwithstanding Clause 14.1, we are entitled to charge a fee for our assistance to you in relation to your revision, inspection or audit of us as the Data Processor. The fee will be charged according to time spent with an hourly rate of 800 DKK. The amount is subject to annual indexation according to the “Producer price index for services” as published by Statistics Denmark. 
    4. We are, in addition to the Service fee and the fee mentioned in clause 14.3 above, entitled to a separate fee, for the following services:
          • Support to the Customer with answering of requests from Data Subjects;
          • Support to the Customer in connection with Privacy Impact Analysis (“PIAs”);
          • Implementation of special technical or organizational security measures upon the Customer’s request (provided, and only to the extent, that we are able to implement the technical or organizational security measures in question). 
          • The above-mentioned fees will be charged in accordance with Clause 14.3.

15. LIABILITY

    1. Subject to our Terms and Conditions and Clause 15.2 below, the Parties’ liability related to processing of Personal Data under this Data Processing Agreement is regulated in accordance with the GDPR.
    2. We are not liable for any fines that you receive for breaches of the GDPR whether by ruling, judgment or similar measure by any court, government agency or supervisory authority.
    3. WARRANTY: By entering into this Data Processing Agreement, the Customer warrants and guarantees that we can lawfully process Personal Data for provision of Services for the Customer. The Customer agrees to hold us harmless from any claim for damages, compensation or other payments which we are ordered to pay, whether by ruling, judgment or similar measure by any competent court, government agency or supervisory authority, due to the Customer’s breach of its obligations according to this Clause 15.3.

16. EFFECTIVE DATE AND TERMINATION

    1. The Data Processing Agreement is entered into by your subscription to our Services. This Data Processing Agreement shall therefore enter into force on the date on which the Customer subscribes to the Data Processor’s Services, whether by monthly subscription or free trial period (the “Effective Date”).
    2. By subscribing to our Services, and thereby entering into this Data Processing Agreement, you confirm that you are authorized to legally act on behalf of the Customer (e.g. if you and the Customer are the same) and commit to our Terms and Conditions and this Data Processing Agreement.
    3. This Data Processing Agreement shall expire on the date of effective termination of the Customer’s use of the Data Processor’s Services. However, the terms of the Data Processing Agreement will apply as long as the Data Processor is processing Personal Data on behalf of the Customer.
    4. After the Data Processing Agreement’s effective termination, we will delete or return the Personal Data that we have processed for you under this Data Processing Agreement. If you wish to have your Personal Data returned to you, you must provide us with your request to return the Personal Data without undue delay and no later than seven (7) days after the Data Processing Agreement’s effective termination.

17. CHANGES IN THE APPLICABLE DATA PROTECTION LEGISLATION

    1. If a change in mandatory data protection legislation applicable to the Parties requires the Data Processor to (i) sign on to any additional documentation for mandatory data protection compliance purposes, or (ii) implement additional technical and organizational measures to the ones listed herein, or (iii) accept additional obligations to those set out herein, and such requirement mentioned in (i) – (iii) above causes additional costs or risks for the Data Processor, the Parties agree to negotiate in good faith a fair adjustment of any applicable fees. If the Parties cannot agree on a fair adjustment of any applicable fees, the Data Processor is entitled to terminate the Services with thirty (30) days’ prior written notice.
    2. Clause 17.1 shall apply accordingly, in case (i) the Customer instructs the Data Processor to undertake services not foreseen in this Data Processing Agreement or (ii) where mandatory applicable data protection legislation applicable to the Customer or to the Data Processor or the relevant supervisory authority imposes obligations on the Data Processor in addition to those set out herein.

18. GOVERNING LAW AND LEGAL VENUE

    1. This Data Processing Agreement is governed by Danish law with the City Court of Copenhagen as its legal venue with the possibility of referral and appeal in accordance with the Danish Administration of Justice Act. United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply to the Data Processing Agreement.


Version: July 2019

Appendix 1 – Categories of Personal Data 

Categories of Personal Data

The Data Processor shall on behalf of the Customer process the following categories of Personal Data:

          • Contact information, including name, username, home address, telephone number, email
          • Invoice information, incl. bank account details
          • Date of birth, face image

Special categories of Personal Data

The Data Processor shall on behalf of the Customer process the following special categories of Personal Data:

          • Health information, e.g., information about pain problems, injuries and past operations
          • Body images of the client from front, back, left and right side.

Appendix 2 – Pre-Approved Subcontractors:

For each Pre-Approved Subcontractor the following is listed: the approved subcontractor, the scope and purpose of processing, the processing (and storage) locations (e.g. country/state), and the legal basis for transfer of Personal Data, if applicable (e.g. EU Commission’s standard contractual clauses, EU-U.S. Privacy Shield Framework, BCR etc.).

Approved Subcontractor: Revolvo ApS, VAT reg. no. DK35250379, Lyskær 8A, 2730 Herlev, Denmark, phone: +45 4243 4445, email: kontakt@revolvo.dk
Scope and purpose of processing: Hosting provider
Processing (and storage) locations: Denmark & Germany

Approved Subcontractor: Hetzner Online GmbH, VAT reg. no. DE 812871812, Industristr. 25, 91710 Gunzenhausen, Germany, phone: +49 (0)9831 505-0, email: info@hetzner.com
Scope and purpose of processing: Hosting provider (subcontractor of Revolvo)
Processing (and storage) locations: Germany

Approved Subcontractor: Dansave Backup, VAT reg. no. DK32392776, Bredgade 25F, 1260 København K, phone: +45 7199 0899, email: support@dansave.dk
Scope and purpose of processing: Backup provider (subcontractor of Revolvo)
Processing (and storage) locations: Denmark

Approved Subcontractor: Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, United States, email: info@stripe.com
Scope and purpose of processing: Payment processing provider
Processing (and storage) locations: Primarily USA and EU
Legal basis for transfer of Personal Data: EU-U.S. Privacy Shield Framework

Approved Subcontractor: Zendesk Inc., 1019 Market Street, San Francisco, CA 94103, United States, email: privacy@zendesk.com
Scope and purpose of processing: Helpdesk services provider
Processing (and storage) locations: Primarily USA and EU
Legal basis for transfer of Personal Data: EU-U.S. Privacy Shield Framework

Approved Subcontractor: Sendinblue SAS, 55, rue d’Amsterdam, 75008 Paris, France, email: privacy@sendinblue.com
Scope and purpose of processing: Email services provider
Processing (and storage) locations: Primarily USA and EU
Legal basis for transfer of Personal Data: EU Commission’s standard contractual clauses