Data Processing Agreement

The Client and Barma will be referred to individually as “the Party” and collectively as “the Parties”.

1. BACKGROUND

1.1. The Client and Barma have entered into an agreement regarding delivery of Barma LMS and Barma Academy to the Client.

1.2. The Parties have assessed that the Agreement is of such a nature that Barma must process personal data on behalf of the Client, making Barma the Client’s data processor due to factors such as:

  • Barma being subject to the Client’s instructions;
  • the Client instructing Barma of the purpose of Barma’s service and the assistive resources used by Barma in connection with this cf. Appendices 1 and 2;
  • the Client’s employees’ personal data being electronically processed to a significant degree and delivered by Barma through an IT platform;
  • the Client demanding that Barma terminates its processing of personal data and deletes any personal data stored cf. Section 11;
  • Barma has no independent need to receive the personal data, as Barma can, in principle, deliver its services (Barma LMS and Barma Academy) without obtaining the personal data in question;
  • Barma is due to carry out a task that could, in principle, be carried out by the Client (electronic sales training/optimising, et cetera).

1.3. This agreement (hereinafter the “Data Processing Agreement”) was established as a result of these factors.

1.4. The purpose of the Data Processing Agreement is to ensure that the Parties comply with the current legislation on personal data at all times, including the Data Protection Act (no. 505, 23 May 2018) and the General Data Protection Regulation (EU 2016/679, 27 April 2016, hereinafter “GDPR”).

1.5. The Data Processing Agreement establishes the rights and obligations of Barma when processing personal data on behalf of the Client.

1.6. The Data Processing Agreement follows the conditions for termination of the Agreement cf. Clause 1.1 and the associated Terms and Conditions.

1.7. The Terms and Conditions generally apply to the Data Processing Agreement. In case of doubt or conflict, the Data Processing Agreement takes precedence unless otherwise outlined in the Data Processing Agreement.

1.8. Appendices 1 and 2 are attached to the Data Processing Agreement. The appendices are an integrated part of the Data Processing Agreement.

1.9. The Data Processing Agreement and appendices must be stored in writing, including in electronic copies held by the Parties.

2. INSTRUCTIONS

2.1. Barma may only process personal data with documented instruction to do so from the Client unless this is required per EU law or national legislation of any member state to which Barma may be subject. In such a case, Barma will inform the Client of this legal requirement to process their data unless the law in question prohibits such notification due to societal interest cf. GDPR Article 28, Section 3, Subsection a.

2.2. The Data Processing Agreement and its appendices constitute this instruction at the time of agreement.

2.3. Barma is hereby authorised to carry out data processing on behalf of the Client per the conditions outlined in the Data Processing Agreement and its appendices.

2.4. The instruction consists of 2 (two) parts:

2.4.1. The Data Processing Agreement and its appendices at the time of agreement.

2.4.2. The data entry and processing of personal data that takes place on Barma LMS and Academy are considered instructions to Barma, as Barma automatically gathers, registers, organises, systematises, stores, adjusts or amends, recovers, searches, uses, transfers by transmission, communicates or otherwise hands over, compiles or aggregates, limits, deletes or destroys data entered, uploaded, and received from the Client.

2.5. If an instruction is considered by Barma to conflict with GDPR or other data protection legislation at the EU or member-state level, Barma will immediately inform the Client of this.

2.6. Unless otherwise outlined in the Data Processing Agreement, Barma may use any relevant assistive resources, including IT systems.

2.7. Barma offers various discounts and advantages that the Client and the Client’s employees can use through Barma. The Client, therefore, gives Barma permission to get the Client’s employees’ consent to contact them in writing or directly through emails, letters, texts, and calls in connection with consultation, sales, statistics, surveys, marketing of products in Barma’s or Barma’s partners’ product portfolios, and/or in connection with optimisation of/consultation surrounding services. An employee’s consent is voluntary, and they reserve the right to withdraw consent at any time.

3. ON PROCESSING SECURITY IN GENERAL

3.1. Barma takes all the necessary measures according to GDPR Article 32.

3.2. Amongst other things, Article 32 stipulates that appropriate technical and organisational measures must be taken to ensure a security level corresponding to the risks connected with the processing of personal data considering:

  • the current security level;
  • the cost of implementation;
  • the nature of the data processing agreement, extent, context, and purpose (including consideration of the category of personal data in Appendix 1);
  • the risks of varying probability and severity to the rights and liberties of physical persons.

3.3. The Parties have carried out a risk evaluation based on the data processing in question and assessed that, per Clause 3.2, Barma must ensure at least the security level and implement the measures specified in Sections 4-6 below.

3.4. The Parties agree that these measures are sufficient to mitigate the risk for the rights of the registered persons at the time of entering into this Data Processing Agreement, as Barma has also taken other such measures in connection with internal procedures.

4. PHYSICAL SECURITY

4.1. Barma works on premises to which a limited number of people have access. Barma ensures that there is no unauthorised access to Barma’s equipment. For the added security of the premises, the building and access routes are under alarm surveillance outside business hours.

5. ORGANISATIONAL SECURITY

5.1. Barma offers various discounts and advantages that the Client and the Client’s employees can use through Barma. The Client, therefore, gives Barma permission to get the Client’s employees’ consent to contact them in writing or directly through emails, letters, texts, and calls in connection with consultation, sales, statistics, surveys, marketing of products in Barma’s or Barma’s partners’ product portfolios, and/or in connection with optimisation of/consultation surrounding services. An employee’s consent is voluntary, and they reserve the right to withdraw consent at any time.

5.2. All employees are informed of and subject to internal procedures concerning the handling of security breaches.

6. TECHNICAL SECURITY

6.1. Barma exclusively uses high-quality hardware and software that is updated regularly, including antivirus software, antispam software, and firewalls.

6.2. All communication to/from the system is encrypted.

6.3. Access to Barma’s internal IT systems occurs through encrypted login details, ensuring no unauthorised access. Barma regularly changes the passwords to its internal IT systems that give access to the Client’s personal data.

7. NOTIFICATION OF BREACH OF PERSONAL DATA SECURITY

7.1. In the event that Barma becomes aware of a personal data security breach at Barma or one of its Sub-processors, Barma will notify the Client without undue delay.

7.2. Such a security breach includes any breach that may lead to the accidental or illegal destruction, loss, modification, unauthorised disclosure of or access to personal data processed on behalf of the Client (“Security Breach”).

7.3. Barma is obligated to store internal records of all Security Breaches. This documentation must include at least the events surrounding the Security Breach, its impact, and the measures implemented in response.

8. USE OF SUB-PROCESSORS

8.1. Barma must fulfil the conditions outlined in GDPR Article 28, Sections 2 and 4 concerning the use of another Data Processor (Sub-processor).

8.2. The Parties have established that Barma may generally use Sub-processors cf. Appendix 2, which lists the pre-approved Sub-processors.

8.3. Barma must inform the Client of planned changes to the list of Sub-processors to allow the Client to object to the proposed changes.

8.4. Barma’s Sub-processors are subject to the same requirements surrounding security and data protection as the processors outlined in this Data Processing Agreement, having in place a contract or other legal document to ensure compliance with the technical and organisational measures required by GDPR and/or other relevant legislation at all times.

8.5. Should Barma’s Sub-processors fail to fulfil their obligations surrounding data protection, Barma becomes responsible for fulfilling these on behalf of the Sub-processor.

9. DATA TRANSFERS TO THIRD PARTIES OR INTERNATIONAL ORGANISATIONS

9.1. Barma is only permitted to process personal data with documented instruction from the Client. This includes the transfer (handover, disclosure, and internal usage) of personal data to third parties or international organisations unless an exception is present in GDPR and/or other relevant legislation surrounding data protection.

9.2. The Client’s instruction to or approval of the transfer of personal data to a third party must be documented in the Appendices (alternatively in the listing of Sub-processors) or otherwise documented in written form.

9.3. If the Appendices or other written instructions do not document that the Client has instructed or approved of the transfer of personal data to a third party or international organisation, Barma is not authorised to carry out such a transfer.

9.4. Insofar as transfers to a third party occur, the Client hereby assists Barma by entering into the necessary agreements or issuing authorisation to enter into the necessary agreements on behalf of the Client and at the Client’s expense.

10. CUSTOMER ASSISTANCE

10.1. Barma assists the Client in fulfilling their obligation to respond to requests to exercise their rights as outlined in GDPR Chapter 3 by making the appropriate technical and organisational measures available, regardless of the nature of the processing.

10.2. Barma assists the Client by ensuring that the Client fulfils their obligations per GDPR Articles 32-36, taking into consideration the nature of the processing and the information available to Barma cf. GDPR Article 28, Section 3, Subsection f.

10.3. The agreement between the Parties concerning the Client’s payment for Barma’s support is outlined under Section 12.

11. DELETION AND RETURN

11.1. Barma will not delete the Client’s personal data (or other data) while the Agreement is in effect unless expressly instructed to do so by the Client.

11.2. In the case of termination of the partnership and associated data processing, Barma must respect the Client’s choice to either delete or return all personal data to the Client and delete existing copies and passwords that may be stored with Barma per the Client’s instructions unless an EU or national court stipulates that personal data must be stored.

12. SUPERVISION AND AUDITING

12.1. Barma will provide the Client with all the information required to prove Barma’s compliance with GDPR Article 28 and this Agreement without undue delay if requested.

12.2. Barma will allow and contribute to audits, including inspections carried out by the Client or another specialist (such as an accountant or IT specialist) authorised by the Client to conduct an inspection.

12.3. Should the Client request it, Barma must produce an annual recognised audit (such as an accounting or IT audit) from an independent third-party specialist evidencing Barma’s compliance with the Data Processing Agreement and its associated appendices. The audit will be conducted at the Client’s expense, and Barma reserves the right to receive a copy of the audit for Barma’s other Clients. If an audit has been conducted for similar purposes in the past 12 months, Barma may offer the Client a copy of this audit instead.

12.4. The Client or a representative of the Client is permitted to carry out inspections at Barma, including physical inspections, on request.

12.5. The Client must notify Barma of any inspections at least one month in advance. In this event, the Client must also send a detailed plan describing the inspection’s extent, duration, and start date. Barma is obligated to dedicate the resources (primarily the time) necessary for the Client to conduct their inspection.

12.6. Barma’s expenses related to auditing and/or other kinds of inspection (including internal time) are paid by the Client and calculated based on time spent by Barma.

12.7. The same applies in the event that the Client wants documents or other material from Barma with the intent to check compliance with the Data Processing Agreement.

13. VIOLATION

13.1. Regulation of remedial measures is subject to the Terms and Conditions associated with the Agreement cf. Clause 1.1.

14. LIABILITY AND LIMITATIONS

14.1. Liability and limitations are regulated by the Agreement cf. Clause 1.1 and the associated Terms and Conditions.

15. AMENDMENTS

15.1. Barma reserves the right to amend the Data Processing Agreement at no cost with one month’s notice.

16. DURATION AND TERMINATION

16.1. The Data Processing Agreement may be replaced by another valid Data Processing Agreement. The Data Processing Agreement cannot be terminated or cancelled during the Data Processing Agreement’s specified term.

16.2. In the event that the Data Processing Agreement is terminated, Clause 5.3 (employee confidentiality) and Sections 11 (deletion and return), 14 (liability and limitations), and 17 (disputes) must remain in effect following the termination.

16.3. Barma may continue to process personal data for up to three months following the termination of the Data Processing Agreement to the extent necessary to ensure compliance with legal requirements cf. Clause 11.2. Barma reserves the right to include these personal data in Barma’s usual backup procedure during this period. Barma’s processing of personal data during this period must continue to comply with the Data Processing Agreement.

17. DISPUTES

17.1. Disputes related to the Data Processing Agreement will be handled in line with the terms of the Agreement.

17.2. Unless otherwise specified, the Data Processing Agreement is subject to Danish law, and the Parties reserve the right to demand that an ordinary court settles the dispute. The default venue will be the court in Aarhus.

APPENDIX 1

1. PURPOSE

1.1. This appendix elaborates on the contents of the Data Processing Agreement regarding concrete personal data processed on behalf of the Client.

2. TYPES OF PERSONAL DATA

2.1. Per the Agreement, Barma processes the following categories of personal data:

  • Name
  • Email address
  • Phone number
  • Address
  • Job description
  • Employment period

3. DATA PROCESSING EXTENDS TO THE FOLLOWING CATEGORIES OF PERSONS

  • The Client’s employees