Data Processing Agreement

The Customer and Barma are each referred to as a "Party" and together as "Partners"

1. BACKGROUND

1.1. The Customer and Barma have entered into an agreement regarding the delivery of Barma LMS and Barma Academy to the customer.

1.2. The Parties have assessed that the Agreement is of such nature that Barma processes personal data on behalf of the customer, thus making Barma a data processor for the customer, based on, among other things, that:
Barma is subject to instructions from the customer
- The Customer instructs Barma about the purpose of Barma's service and the tools to be used by Barma in this connection, cf. also Appendix 1
- Electronic processing of personal data about the customer's employees is largely carried out via an IT platform provided by Barma
- The Customer can require Barma to cease processing personal data and delete any stored personal data, cf. point 11

1.3. On this basis, this agreement (hereinafter "Data Processing Agreement") has been entered into.

1.4. The purpose of the Data Processing Agreement is to ensure that the Parties at all times comply with applicable data protection legislation in this connection, including the Data Protection Act (Act No. 502 of May 23, 2018) and the Data Protection Regulation (European Parliament and Council Regulation 2016/679 of April 27, 2016 - hereinafter "Data Protection Regulation").

1.5. The Data Processing Agreement establishes the rights and obligations that apply when Barma processes personal data on behalf of the customer.

1.6. The Data Processing Agreement follows the conditions for termination/cancellation of the Agreement, cf. point 1.1 and the associated terms of trade.

1.7. The terms of trade generally also apply to the Data Processing Agreement. In cases of doubt or conflicting situations, the Data Processing Agreement takes precedence unless otherwise specifically follows from the Data Processing Agreement.

1.8. Appendix 1 is attached to the Data Processing Agreement. The appendices function as an integrated part of the Data Processing Agreement.

1.9. The Data Processing Agreement and appendices are stored in writing, including electronically by both parties.

2. INSTRUCTIONS

2.1. Barma may only process personal data according to documented instructions from the customer, unless required by EU law or member states' national law to which Barma is subject; in such case, Barma shall inform the customer of this legal requirement before processing, unless the law in question prohibits such notification due to important public interests, cf. Data Protection Regulation art. 28, paragraph 3, letter a.

2.2. The Data Processing Agreement including appendices hereto constitutes the instruction at the time of signing.

2.3. Barma is hereby authorized to process personal data on behalf of the customer under the terms set forth in the Data Processing Agreement and associated appendices.

2.4. The instruction consists of 2 (two) parts:
2.4.1. This Data Processing Agreement including the appendices at the time of signing.
2.4.2. The entries and processing of personal data that takes place via Barma LMS and Academy simultaneously constitute an instruction to Barma, as Barma automatically based on the information, entries, and uploads received from the customer, hereby performs collection, registration, organization, systematization, storage, adaptation or modification, retrieval, search, use, disclosure by transmission, dissemination or any other form of transfer, compilation or combination, restriction, deletion or destruction.

2.5. Barma shall immediately notify the customer if an instruction in Barma's opinion violates the Data Protection Regulation or data protection provisions in other EU law or member states' national law.

2.6. Unless otherwise stated in the Data Processing Agreement, Barma may use all relevant tools, including IT systems.

3. GENERAL ABOUT PROCESSING SECURITY

3.1. Barma continuously implements all measures required under Article 32 of the Data Protection Regulation.

3.2. Article 32 states, among other things, that appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to the risks associated with processing personal data, taking into account:
- The current security level
- Implementation costs
- The nature, scope, context, and purpose of the processing in question (including consideration of the category of personal data in Appendix 1)
- Risks of varying likelihood and severity for natural persons' rights and freedoms

3.3. The Parties have conducted a risk assessment based on the data processing in question and assessed that Barma in connection with the above must at minimum implement the security level and measures specified below in points 4-6.

3.4. The Parties agree that these measures are sufficient at the time of entering into this Data Processing Agreement to address the risk to the registered persons' rights, noting that Barma has also implemented other measures in internal procedures.

4. PHYSICAL SECURITY

4.1. Barma works in premises to which only a limited number of people have access. Barma ensures that there is no unauthorized physical access to Barma's equipment.

5. ORGANIZATIONAL SECURITY

5.1. All employees are informed about and subject to internal procedures for handling security breaches.

6. TECHNICAL SECURITY

6.1. Barma uses only high-quality hardware and software that is regularly updated, including antivirus software, anti-spam software, and firewalls.

6.2. All communication to/from the System is encrypted.

6.3. Access to Barma's internal IT systems occurs via encrypted login credentials, ensuring that unauthorized persons cannot gain access. Barma changes passwords in internal IT systems at appropriate intervals, which ultimately provide access to the customer's personal data.

7. NOTIFICATION OF PERSONAL DATA SECURITY BREACH

7.1. Barma shall notify the customer without undue delay after becoming aware of a personal data security breach at Barma or any potential Sub-processor.

7.2. Such a security breach includes any breach that potentially may lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed for the customer ("Security Breach").

7.3. Barma shall maintain and store internal documentation of all Security Breaches. The documentation shall contain at minimum the actual circumstances of the Security Breach, the effects, and the remedial measures taken.

8. USE OF SUB-PROCESSORS

8.1. Barma must fulfill the conditions set out in Article 28, paragraphs 2 and 4 of the Data Protection Regulation to use another Data Processor (Sub-processor).

8.2. The Parties have agreed that Barma may generally use Sub-processors.

8.3. Barma shall inform the customer of any planned changes regarding the addition or replacement of other Data Processors and thereby give the customer the opportunity to object to such changes.

8.4. Barma imposes on Barma's Sub-processors at minimum the same level of security requirements and data protection as those set out in this Data Processing Agreement through a contract or other legal document, ensuring that the requirements for technical and organizational measures in the Data Protection Regulation and/or other relevant applicable regulation are met at all times.

8.5. If Barma's Sub-processors do not fulfill their data protection obligations, Barma remains fully responsible to the customer for the fulfillment of Sub-processors' obligations.

9. TRANSFER OF INFORMATION TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

9.1. Barma may only process personal data according to documented instructions from the customer, including regarding transfer (assignment, disclosure, and internal use) of personal data to third countries or international organizations, unless the exceptions hereto in the Data Protection Regulation and/or other relevant applicable regulation are met.

9.2. The customer's possible instruction or approval for transfer of personal data to a third country must appear in the Appendices (alternatively via specification of Sub-processors) or separate written instruction.

9.3. If the customer has not specified an instruction or approval regarding transfer of personal data to a third country or international organizations in the Appendices or in separate instruction, Barma may not make such transfer.

9.4. To the extent that transfer to a third country occurs, the customer assists Barma without compensation in concluding necessary agreements, or the customer issues authorization to enter into the necessary agreements on behalf of the customer and at their expense.

10. ASSISTANCE TO THE CUSTOMER

10.1. Barma assists, taking into account the nature of processing, as far as possible the customer by means of appropriate technical and organizational measures with the fulfillment of the customer's obligation to respond to requests for exercising the data subjects' rights as established in Chapter 3 of the Data Protection Regulation.

10.2. Barma assists the customer in ensuring compliance with the customer's obligations pursuant to Articles 32-36 of the Data Protection Regulation, taking into account the nature of processing and the information available to Barma, cf. Data Protection Regulation art. 28, paragraph 3, letter f.

10.3. The Parties' agreement on payment for Barma's assistance to the customer is set out in point 12.

11. DELETION AND RETURN

11.1. Barma does not delete the customer's personal data (or other data) during the term of the Agreement unless instructed to do so by the customer.

11.2. Upon termination of the Cooperation and associated processing of personal data, Barma shall, at the customer's choice, delete or return all personal data to the customer, and delete existing copies and passwords that may be stored at Barma according to instructions from the customer, unless EU law or national law prescribes storage of the personal data.

12. SUPERVISION AND AUDIT

12.1. Barma shall without undue delay make available all information necessary to demonstrate Barma's compliance with Article 28 of the Data Protection Regulation and this agreement, at the request of the customer.

12.2. Barma shall, among other things, enable and contribute to audits, including inspections, carried out by the customer or another expert (e.g., auditor or IT specialist) authorized by the customer.

12.3. Barma shall - if the customer so wishes - once annually obtain a customary and recognized statement (e.g., audit statement or IT statement) from an independent, expert third party regarding Barma's compliance with the Data Processing Agreement with associated appendices. The statement is prepared at the customer's expense and Barma is entitled to receive a copy of the statement for presentation to other of Barma's customers. If a statement has been prepared for similar purposes within the last 12 months, Barma may offer the customer to receive a copy of this instead.

12.4. The customer or a representative of the customer also has access to conduct supervision, including physical supervision, at Barma when the customer wishes.

12.5. Supervision must be notified with a minimum of one month's notice. Along with the notice, the customer must send a detailed plan describing the scope, duration, and start date of the supervision. Barma is obligated to allocate the resources (mainly time) necessary for the customer to carry out their supervision.

12.6. Barma's expenses in connection with audit and/or other forms of supervision (including internal time) are borne by the customer and settled in relation to the time spent by Barma.

12.7. This also applies if the customer requests documents or other material from Barma to verify compliance with the Data Processing Agreement.

13. BREACH

13.1. The regulation of remedies for breach follows the terms of trade associated with the Agreement, cf. point 1.1.

14. LIABILITY AND LIMITATIONS OF LIABILITY

14.1. The regulation of liability and limitations of liability is regulated by the Agreement, cf. point 1.1 and associated terms of trade.

15. AMENDMENT

15.1. Barma can make changes to the Data Processing Agreement with 1 month's notice and without costs.

16. DURATION AND TERMINATION

16.1. The Data Processing Agreement can be replaced by another valid Data Processing Agreement. The Data Processing Agreement cannot be terminated or cancelled separately during the term of the Agreement.

16.2. Regardless of the termination of the Data Processing Agreement, points 5.3 (employee confidentiality), 11 (deletion/return), 14 (liability and limitation of liability) and 17 (disputes) shall remain in effect after the termination of the Data Processing Agreement.

16.3. Barma may continue to process personal data for up to three months after the termination of the Data Processing Agreement to the extent necessary to carry out necessary statutory measures, cf. also point 11.2. During the same period, Barma is entitled to include personal data in Barma's usual backup procedure. Barma's processing during this period is considered to continue to take place in compliance with the instruction in the Data Processing Agreement.

17. DISPUTES

17.1. Handling of disputes related to the Data Processing Agreement follows the Agreement's terms.

17.2. If nothing is agreed, the Data Processing Agreement is subject to Danish law and the Parties are entitled to require the dispute to be settled by the ordinary courts. The Court in Aarhus is chosen as venue in the first instance.

APPENDIX 1

1. Purpose
1.1. This appendix elaborates on the content of the Data Processing Agreement regarding the specific personal data processed on behalf of the customer.

2. TYPES OF PERSONAL DATA
2.1. The agreement entails that Barma processes the following categories of personal data:
- Name
- Email address
- Phone number
- Job title
- Employment period

3. THE PROCESSING INCLUDES THE FOLLOWING CATEGORIES OF PERSONS
Customer's employees