Drople Design Thunem
Company reg. (CVR) no.: NO 919194340 MVA
(the “Data Controller”)
Company reg. (CVR) no: 29179824
(separately referred to as a “Party” and collectively the “Parties”)
have entered into this statutory data processing agreement (the “Agreement”) on SmartWeb’s processing of personal data on behalf of the Data Controller.
- Customers of the Data controller
Types of personal data:
- Customer login information
- Username (email)
- Password (encrypted)
- Customer Information
- First Name
- Phone number
- Mobile phone number
- Web address
- Date of birth
- Customer number
- Customer order information
- Customer Id
- Customer Information
- Emails with order information
- Comments on orders
- Customer pricing
- Customer Id
- Customer tags
- Customer Id
- Customer carts and wish lists
- Customer Id
- Customer blog/forum/product comments
- Customer Id
- Customer Polls
- Customer Id
- Customer search
- Customer Id
This Schedule 1 to the Data Processing Agreement was updated May 16th, 2018
List of existing sub-processors:
- Danhost Aps, Højvangen 4, 8660 Skanderborg
This Schedule 2 to the Data Processing Agreement was updated May 16th, 20
1. The processed personal data
This Agreement was made in connection with the Parties’ conclusion of an agreement on a webshop platform based on SmartWeb’s subscription terms and conditions (the "Subscription").
2. Purpose and instructions
SmartWeb may only process personal data for purposes which are necessary to ensure that the webshop platform provided by SmartWeb is functional.
The Data Controller hereby instructs SmartWeb only to process the personal data covered by clause 1.2 in order to perform the following data processing tasks:
- Custom development
SmartWeb must immediately inform the Data Controller if SmartWeb finds that any given instruction is or may at a later date be inconsistent with the data protection legislation.
3. The Data Controller’s obligations
The Data Controller warrants that the purposes of processing the personal data are legal and legitimate and that no personal data will be transferred to SmartWeb other than those necessary to achieve the purpose.
The Data Controller is responsible for ensuring that a valid basis of processing exists at the time when the personal data is transferred to SmartWeb, including that any consent is express, freely given, unambiguous and informed. At the request of SmartWeb, the Data Controller must provide a written account of and/or document the basis of processing.
Moreover, the Data Controller warrants that the data subjects which the personal data concern have received sufficient information regarding the processing of personal data.
Any instruction regarding the processing of personal data under this Agreement must be presented to SmartWeb. If the Data Controller gives instructions directly to any sub-processor appointed in accordance with clause 5.1, the Data Controller must immediately inform SmartWeb thereof. SmartWeb cannot be held liable for the sub-processor’s processing of personal data made in accordance with such instructions.
4. SmartWeb’s obligations
Any processing by SmartWeb of the personal data provided by the Data Controller must be in accordance with the instructions of the Data Controller, and SmartWeb is, furthermore, obliged to comply with the data protection legislation in force from time to time.
SmartWeb must take all necessary technical and organisational security measures, including any additional measures required to prevent the personal data specified in clause 1.2 from accidental or unlawful destruction, loss or impairment, unauthorised disclosure to third parties, abuse or otherwise from being processed in a manner which is contrary to data protection legislation in force from time to time.
At the request of the Data Controller, SmartWeb must describe and/or document that SmartWeb complies with the requirements of data protection legislation and the obligations under this Agreement, including that the necessary technical and organizational security measures have been taken. The Data Controller must compensate SmartWeb for the time spent on meeting such request.
SmartWeb must ensure that employees involved in the processing of the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
SmartWeb must notify the Data Controller of any interruption in operation, a suspicion that the data protection legislation has been breached or any other irregularities in connection with the processing of the personal data. Such notification must be given without undue delay and not later than 48 hours after Smart-Web has been made aware of the above. At the request of the Data Controller, SmartWeb must assist the Data Controller in clarifying the security breach, including in connection with any reports filed with the Danish Data Protection Agency and/or data subjects.
The Data Controller is entitled, for its own account, to arrange for an annual audit of SmartWeb’s processing of personal data by an independent third party. The Data Controller must compensate SmartWeb for the time spent by SmartWeb in connection with such audit.
If SmartWeb, or another data processor which has received personal data, receives a request for access to the relevant personal data from a data subject or its agent or if a data subject objects to the processing of the relevant personal data, SmartWeb must send such request and/or objection to the Data Controller, for the Data Controller’s further processing thereof, unless SmartWeb is authorised to handle such request itself. SmartWeb must assist the Data Controller in relation to requests and/or objections if so requested by the Data Controller. The Data Controller must compensate SmartWeb for the time spent by SmartWeb in connection with SmartWeb’s assistance in handling requests from a data subject.
5. Transfer of data to other data processors or third parties
By signing this Agreement, the Data Controller accepts that SmartWeb can switch to other data processors (sub-processors) in connection with SmartWeb’s fulfilment of its obligations under this Agreement. On conclusion of this Agreement, SmartWeb us-es the sub-processors listed in Schedule 2. Before adding or replacing the sub-processors listed in Schedule 2, SmartWeb will inform the Data Controller thereof. The Data Controller must notify SmartWeb within 5 (five) days if the Data Controller wishes to object to the addition or replacement of sub-processors.
Once a year, SmartWeb will provide the Data Controller with a revised and updated list corresponding to Schedule 2 listing the sub-processors to which SmartWeb has transferred personal data for which the Data Controller is responsible.
Apart from what is specified in clause 5.1, SmartWeb is not authorised to disclose personal data to third parties or data controllers without the Data Controller’s prior written instruction, unless such disclosure or transfer follows from legislation.
Before transferring personal data to a sub-processor, SmartWeb must enter into a written data processing agreement with the sub-processor in which the sub-processor undertakes vis-à-vis SmartWeb to be bound by back-to-back terms with respect to the provisions of this Agreement.
If personal data is transferred to sub-processors outside Denmark, the applicable data processing agreement must specify that the data protection legislation of the country of the Data Controller applies to foreign sub-processors.
SmartWeb must in its own name enter into written data processing agreements with sub-processors within the EU/EEA. As regards sub-processors outside the EU/EEA, SmartWeb must enter into standard agreements in accordance with the European Commission’s Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (“Standard Agreement”), later versions or Commission Decisions, replacing the mentioned decision.
The Data Controller hereby authorises SmartWeb to enter into Standard Agreements with sub-processors outside the EU/EEA on behalf of the Data Controller and in the name of the Data Controller.
The Parties are liable in damages under the general rules of Danish law, always provided that neither Party is entitled to claim compensation for any indirect losses or consequential losses, whether such indirect losses or consequential losses are suffered by the Data Controller, SmartWeb or a third party. Any loss of business opportunities, loss of profits, business interruption, loss of revenue, loss of goodwill, loss of data, including any loss in connection with data recovery, must always be considered as indirect losses/consequential losses.
SmartWeb’s total liability in damages under this Agreement is overall limited to the lowest of the following amounts: (i) the amount which the Data Controller has paid to SmartWeb under the Subscription, or (ii) DKK 20.000.
7. Effective date and termination
This Agreement is signed as soon as the Data Controller ticks off “I have read and agree to SmartWeb’s Data Processing Agreement” and clicks "Accept" via SmartWeb Admin https://login.smartweb.dk (“Administration”).
This Agreement enters into force on the date on which the Agreement is signed.
Any termination of the main agreement [title of main agreement – the same as under clause 1.1] will result in the termination of this Agreement. However, SmartWeb remains subject to the obligations stipulated in this Agreement as long as SmartWeb processes personal data on behalf of the Data Controller.
In the event of termination of this Agreement, the Data Controller is entitled to demand that SmartWeb returns the personal data or that SmartWeb deletes the personal data.
8. Governing law and venue
This Agreement is governed by and construed in accordance with Danish law.
Any claim or dispute arising from or in connection with this Agreement must be settled by the court in Aarhus.