Data Processing Addendum for Inniti ApS

1. Scope and the Parties
1.1 This Data Processing Addendum, including its appendixes, forms part of the Master Subscription and Services Addendum (“DPA”) for Inniti ApS entered into between Inniti ApS, Amerika Plads 21B, Copenhagen Ø, Denmark, Business registration no. 38802380 (“Inniti”) and the Customer (collectively the “Parties”) for the Customer’s purchase of Services from Inniti to reflect the Parties’ agreement with regard to the processing of Personal Data.

1.2 This Agreement sets out the rights and obligations that apply when Inniti processes Personal Data on behalf of the Customer in the capacity of Data Processor to the Customer in connection with the Customer’s use of Services from Inniti and as required by applicable Data Protection Laws and Regulations. The Customer is Data Controller and Inniti is Data Processor.

1.3 The Parties agree to comply with the following provisions with respect to the processing of the Personal Data.

2. Definitions
“Personal Data” means any Customer User Data processed in connection with the Inniti Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of individuals or as such information may be otherwise defined under applicable Data Protection Laws and Regulations.

“Data Controller” means the Customer who shall determine the purposes for which and the means by which personal data is processed.

“Data Processor” means Inniti ApS who shall process personal data only on documented instructions from the Data Controller.

“Sub Processor” means another Data Processor who is entrusted by the Data Processor to process, in whole or in part, personal data on behalf of the Data Processor.

“Data Protection Laws and Regulations” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; and (ii) any other international, federal, state, provincial, and local privacy or data protection laws, rules, regulations, directives, and governmental requirements currently in effect and as they become effective that apply to the processing of personal data under this Addendum.

3. Rights and Obligations of the Data Controller
3.1 The Data Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR. The Data Controller shall be responsible, among other things, for ensuring that the processing of personal data, which the Data Processor is instructed to perform, has a legal basis.

3.2 The Data Controller is responsible for ensuring that the security measures agreed in accordance with this section 5 comply with the Data Controller’s data security obligations pursuant to Article 32 of the GDPR as regards the personal data processed.

4. Instructions
4.1 The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which Inniti is subject; in this case, Inniti shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

4.2 A specific description of the instructions concerning the processing activities, including purpose, types of personal information and categories of data subjects, is described in Appendix A.

4.3 The Data Processor shall assist the Data Controller in requests for the exercise of the data subjects’ rights, including access, correction, limitation, objection, data portability or deletion, if the relevant personal data is processed by Inniti.

5. Notification of Personal Data Breach

5.1 If, in Inniti’s opinion, an instruction conflicts with the Data Protection Laws and Regulations, Inniti must inform the Data Controller accordingly.

5.2 The Data Processor’s notification to the Data Controller shall, if possible, take place within 12 hours after the Data Processor has become aware of the personal data breach to enable the Data Controller to comply with the Data Controller’s obligation to notify the personal data breach to the competent supervisory authority.

5.3 The Data Processor shall assist the Data Controller in notifying the personal data breach to the competent supervisory authority.

6. Security of Processing
6.1 The Data Processor undertakes to implement appropriate technical and organizational security measures according to Article 32 of the GDPR to prevent accidental or illegal destruction, loss or deterioration of Personal Data, and to prevent the personal data from being disclosed to unauthorized persons, misused or otherwise treated in contravention of applicable legislative requirements.

6.2 Inniti’s employees are subject to the obligation of confidentiality.

6.3 The technical and organisational security measures applicable upon entering this Addendum are specified at https://inniti.io/security-standards-for-inniti.

6.4 The Data Controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks.

6.5 The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the Data Controller with information concerning the technical and organizational measures already implemented by the Data Processor pursuant to Article 32 GDPR along with all other information necessary for the Data Controller to comply with the Data Controller’s obligation under Article 32 GDPR.

7. The Use of Sub-Data Processors
7.1 As a general authorisation, the Data Processor is entitled to engage sub-data processors after meeting all requirements specified in Article 28(2) and (4) GDPR.

7.2 The Data Processor shall not engage another sub-processor without the prior written authorization of the Data Controller.

7.3 The Data Processor’s use of sub-data processors is based on written agreements that ensure continuation of at least the same level of protection as the level specified in the Addendum.

7.4 The Data Processor is responsible for requiring that the Sub-processor complies with the obligations to which the Data Processor is subject pursuant to the GDPR.

7.5 At the signing of the Addendum, the Customer is responsible for having received the Data Controller’s authorisation of Inniti’s use of the Sub-Data Processors which can be found at https://inniti.io/list-of-data-sub-processors.

7.6 As a consequence of the general authorisation, cf. section 7.2, Inniti shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-Data processors, thereby giving the Data Controller the opportunity to object to such changes.

8. International Transfers
8.1 With instructions from the Data Controller, the Data Processor is entitled to process Personal Data outside the EU/EEA, provided that the Data Processor ensures that the third country in question has an adequate level of protection or that Inniti enters into an agreement on behalf of the Data Controller with Sub-Data Processors using the standard contractual clauses (“SCC”) adopted by the European Commission for such transfers.

9. Audit Rights
9.1 The Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of the Customer Personal Data by the Contracted Processors.

9.2 Information and audit rights of the Data Controller only arise under section 9.1 to the extent that the Addendum does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

10. Duration and Termination
10.1 The Addendum shall enter into force upon the signing of a Master Subscription And Service Agreement by the Parties and shall terminate when the processing of Personal Data described in Appendix A ceases.

10.2 As long as Inniti processes Personal Data on behalf of the Data Controller under this Addendum, Inniti is obligated by the Addendum.

10.3 Upon termination of the Addendum, Inniti shall, at the request of the Customer and after further discussions, return all Personal Data to the Customer, cease to process, and delete all personal data that has been processed under the terminated Addendum.

11. Erasure and Return of Data

11.1 On termination of the provision of personal data processing services, the Data Processor shall be under obligation to:

  • Delete all personal data processed on behalf of the Data Controller and certify to the Data Controller that it has done so
  • Return all personal data to the Data Controller and delete existing copies.

One of the two options unless Union or Member State law requires storage of the personal data.

Appendix A: Categories of Data Subjects and Types of Personal Data, etc.
Categories of data subjects and types of personal data, etc.

The Purpose of the Processing
Inniti will process the Personal Data to the extent necessary to provide the Services pursuant to the Master Subscription and Services Agreement for Inniti ApS and as further specified in the Addendum, and as further instructed by the Customer in its use of the Services.

Categories of Data Subjects

The processing can include the following categories of Data Subjects:

  • Customer personnel registered as users of Inniti’s platform

Types of Personal Data
The processing can include the following types of Personal Data about Data Subjects:

Type of Customer Data

Customer users of Inniti’s platform
Customer personnel and contractor data required for delivery of Inniti Services:

Name, Login Details, Telephone number, Title, Company Name, and possibly other contact information as may be provided by Customer or such personnel or contractors to Inniti.

No sensitive data is being processed.