Agreed terms for processing of data
The Customer accepting these terms and NanoLink ApS, Company Reg. (CVR) No. 29167001 (NanoLink) have entered into an agreement on the Customer’s access to and use of the NANOLINK SYSTEM (the Subscription Agreement), which is a cloud-based standard service and part of NanoLink’s tracking system for locating, tracking and managing tracking chips and other objects registered by the Customer.
The Customer accepts these Data Processing Terms as part of the Subscription Agreement entered into with NanoLink.
In accordance with the definitions of the General Data Protection Regulation, NanoLink will in some situations be data processor for the Customer under the Subscription Agreement when carrying out and providing the agreed services. NanoLink stores and processes personal data as part of giving the Customer access to the NANOLINK SYSTEM and the Subscription Agreement may include that NanoLink also carries out other processing.
The Data Processing Terms have been drawn up for the purpose of the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation) when NanoLink is data processor for the Customer.
The Data Processing Terms come into force at the time the Customer accepts them from which time they replace all previous processor agreements entered into between the Parties in relation to the processing activities agreed under the Subscription Agreement. The Customer’s commencement of use or continued use of the NANOLINK SYSTEM is regarded as the Customer’s express acceptance of the Data Processing Terms.
In addition, the Data Processing Terms supplement the Subscription Agreement and take precedence over any conflicting terms therein.
The Data Processing Terms constitute the Parties’ processor agreement for the personal data processing which the Customer entrusts to NanoLink, and which NanoLink undertakes to carry out as part of supplying the services agreed under the Subscription Agreement.
The Data Processing Terms lay down the rights and obligations that apply to NanoLink’s processing of personal data on behalf of the Customer and the Data Processing Terms indicate the overall security measures taken by NanoLink.
In accordance with the applicable data protection rules, NanoLink is data processor for the processing activities that have been entrusted to NanoLink for the Customer, while the Customer is either data controller or data processor in accordance with the applicable data protection rules. Each Party must meet the obligations laid down in applicable data protection rules and the Data Processing Terms thus release neither NanoLink nor the Customer from such obligations.
The Data Processing Terms apply from the time they enter into force and until NanoLink has deleted the Customer’s data in accordance with the provisions contained in these Data Processing Terms. The Data Processing Terms and the Subscription Agreement are mutually dependent and the agreements may therefore not be terminated separately.
NanoLink’s specific guarantees
NanoLink guarantees to the Customer that NanoLink possesses sufficient expert knowledge, reliability and resources to implement the necessary measures to meet the requirements of the General Data Protection Regulation with respect to the processing activities that NanoLink must carry out for the Customer under the Subscription Agreement.
The Customer’s specific responsibilities
The Customer is responsible for complying with the personal data protection legislation applicable at any time to the personal data entrusted to NanoLink for processing. In particular the Customer is responsible for and guarantees to NanoLink that:
- The Customer has the required legal basis on which to process and to entrust NanoLink to process the personal data that are included in the services NanoLink provides to the Customer. In the situations where the Customer is processor of the personal data entrusted to NanoLink for processing, the Customer guarantees to NanoLink that the Customer’s instructions, as expressed through these Data Processing Terms and the Subscription Agreement and the use of NanoLink and its sub-processors as other processors, have been authorised by the controller.
- The instructions given for NanoLink’s processing of personal data on behalf of the Customer are lawful.
The nature and purposes of the processing
The Parties have agreed that the nature of the processing is the implementation of IT services from NanoLink to the Customer, including in particular storage of and operation relating to personal data in connection with providing access and functionality in the standard cloud service NANOLINK SYSTEM.
NanoLink thus processes the data entrusted to it for the agreed purpose of providing the agreed services as specified in the Subscription Agreement and NanoLink’s product descriptions.
Types of data
The entrusted processing covers user credentials in the form of names, e-mail addresses and phone numbers as well as geopositions of tracking chips and electronic units on which the NanoLink app is installed.
Categories of data subjects
NanoLink is entrusted to process data of those categories of data subjects for which the Customer allows the use of the NANOLINK SYSTEM, including tracking chips, to cover, typically the Customer’s employees.
Scope of processing activities
NanoLink may process the Customer’s personal data only in accordance with the Customer’s instructions which are documented in a written agreement and accepted by NanoLink.
By accepting the Data Processing Terms, the Customer instructs NanoLink to process the Customer’s personal data for supply of the NANOLINK SYSTEM as a cloud service on the terms and conditions of the Subscription Agreement and these Data Processing Terms.
The Customer may also request NanoLink to accept additional written instructions regarding processing of personal data for the Customer, and NanoLink is free to accept or reject such additional instructions. However, NanoLink must always accept an instruction to cease further processing, which means that NanoLink deletes the Customer’s data as specified under Return and deletion of the Customer’s data below.
NanoLink will comply with the Customer’s instructions, approved by NanoLink, unless such processing is in violation of the applicable data protection legislation to which NanoLink is subject. In that case NanoLink will notify the Customer of this.
Irrespective of the Customer’s instructions – including those on deletion – NanoLink must, however, carry out processing of the Customer’s personal data if this follows from a legal obligation to which NanoLink is subject. In that case the Customer must be informed of this before processing unless such information is unlawful.
The Customer thus determines the purposes and scope of the processing activities entrusted to NanoLink.
Duration of processing activities
NanoLink will carry out processing of the Customer’s personal data for as long as NanoLink is required to do so under the Subscription Agreement – typically for as long as the Subscription Agreement is in force. NanoLink will delete or anonymise the Customer’s data when the Customer’s Subscription Agreement terminates. The Customer may also instruct NanoLink to delete the data at an earlier time in accordance with the item Return and deletion of the Customer’s data.
NanoLink takes all measures that are required under Article 32 of the General Data Protection Regulation. NanoLink implements appropriate technical and organisational measures to protect the personal data made available from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
NanoLink may change the implemented security measures on an ongoing basis, but when doing so, NanoLink must make efforts to ensure that the changes overall do not result in a reduced level of security.
NanoLink has determined the level of security on the basis of considerations concerning the type of personal data registered in the NANOLINK SYSTEM and the expected categories of data subjects.
NanoLink implements security measures, considering on average what is appropriate and the Parties therefore agree that in the mutual relationship the Customer is responsible for assessing whether the measures implemented are sufficient to reach a security level that matches the risk involved in the processing activities entrusted to NanoLink.
Reporting of data breaches
If NanoLink becomes aware that a personal data breach has occurred in relation to NanoLink’s services to the Customer, NanoLink must notify the personal data breach to the Customer without undue delay after having become aware of such breach.
NanoLink must take reasonable and proportionate measures to mitigate the adverse effects of the breach without undue delay after becoming aware of the breach.
In continuation of the notification to the Customer, NanoLink must provide a description of the circumstances of the breach, its nature, the measures NanoLink has taken, or proposes to take, to mitigate any adverse effects of the breach and the circumstances NanoLink believes the Customer should pay particular attention to in connection with the breach so that the Customer can meet its obligations in connection with data breaches within the time limits laid down in the General Data Protection Regulation.
The notification may be sent by email to the contact person designated by the Customer.
NanoLink’s notification of a personal data breach does not constitute an admission of fault or liability in relation to the personal data breach.
Taking into account the nature of the processing entrusted to NanoLink and the information available to NanoLink with respect to a personal data breach occurring at NanoLink, NanoLink will also assist the Customer, upon request, with ensuring compliance with the Customer’s obligations under Article 33 and Article 34 of the General Data Protection Regulation.
Use of sub-processors
By accepting these Data Processing Terms, the Customer gives NanoLink general authorisation for the use of other processors (sub-processors). Information on the sub-processors used, including their function and in which country they are established, is either available on NanoLink’s website or included in the Subscription Agreement.
When engaging a sub-processor, NanoLink ensures that a written agreement is entered into with the sub-processor in which it is ensured that
a. the necessary guarantees are provided for the sub-processor’s implementation of the appropriate technical and organisational measures in such a manner that processing will meet the requirements of the General Data Protection Regulation;
b. the sub-processor is subject to the same data protection obligations as those of these Data Protection Terms, which means that the requirements of Article 28(3) of the General Data Protection Regulation must be met; and that
c. the sub-processor processes the Customer’s personal data only to the extent required to meet the supply obligations the sub-processor has undertaken towards NanoLink and that processing is carried out in accordance with the agreed instructions.
If a sub-processor fails to fulfil its data protection obligations, NanoLink will remain fully liable to the Customer for the performance of the sub-processor’s data protection obligations.
NanoLink may update the list of sub-processors used on an ongoing basis. The list will be updated before any intended changes concerning the addition or replacement of a sub-processor are carried out. If the Customer wishes to object to intended changes concerning the addition or replacement of a sub-processor, the Customer may terminate the agreement on Subscription with NanoLink with effect immediately or with effect from the end of the calendar month in which notice of termination is given. It is a condition for termination under this item that notice of termination is given to NanoLink no later than thirty (30) days after NanoLink has updated the list of sub-processors used or intended to be used. Termination of the agreement on Subscription is the Customer’s only remedy towards NanoLink in this situation.
Transfers of data
NanoLink stores the Customer’s data within the EU and personal data are therefore not transferred to any third countries.
However, NanoLink may, as an exemption, transfer the Customer’s data, including personal data, to a third country or an international organisation if this is required under EU or member state law to which NanoLink is subject; in such a case NanoLink must inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Customer’s own accessing of personal data stored at NanoLink from a location that results in a transfer of personal data to a third country is deemed to be the Customer’s own transfer and is thus not covered by NanoLink’s liability or obligations.
Assistance to the Customer
NanoLink undertakes, at the Customer’s written request, to provide the following assistance to the Customer:
Taking into account the nature of the processing, NanoLink assists the Customer by appropriate technical and organisational measures, as far as this is possible, with the fulfilment of the Customer’s obligation to respond to requests for exercising the data subjects’ rights as set out in Chapter 3 of the General Data Protection Regulation. If NanoLink receives a request directly from a data subject or a potential data subject for exercising his or her rights, NanoLink must promptly communicate the request to the Customer, who will then decide whether to obtain assistance from NanoLink.
Taking into account the nature of processing and the information available to NanoLink, NanoLink also assists the Customer with ensuring compliance with the Customer’s obligations in respect of Articles 32-36 of the General Data Protection Regulation.
NanoLink is entitled to separate remuneration for the assistance provided for complying with the Customer’s requests under this item Assistance to the Customer. The remuneration is calculated based on time spent by NanoLink and NanoLink’s ordinary hourly rate for such work.
However, as regards assistance for ensuring compliance with the Customer’s obligations under Articles 33-34 of the General Data Protection Regulation, NanoLink has no right to remuneration for fulfilling its obligations under the item Reporting of data breaches.
Return and deletion of the Customer’s data
At the Customer’s choice NanoLink deletes or returns all personal data to the Customer after the end of the provision of services relating to processing and deletes existing copies unless NanoLink is subject to a legal obligation prescribing that NanoLink must retain the personal data.
NanoLink carries out the Customer’s instructions to delete or return the Customer’s data in accordance with the rules of the General Data Protection Regulation and as soon as practically possible.
As part of the instructions to NanoLink, the Customer further allows its data to be part of a backup procedure from which data are deleted when the backup is destroyed in accordance with NanoLink’s backup procedure.
Liability and limitation of liability
Article 82 of the General Data Protection Regulation and supplemental rules of the Danish Data Protection Act apply to compensation that must be paid to data subjects as a result of infringement of the General Data Protection Regulation, and each Party in the mutual relationship is thus liable to pay the part of the compensation corresponding to that Party’s part of the responsibility for the damage, taking into consideration these Data Processing Terms. If necessary, the apportionment of fault is determined by judicial review. NanoLink’s limitation of liability under Part I of the Subscription Terms and Conditions continues to apply.
The Parties are themselves liable for fines and other penalties imposed on them as a consequence of unlawful processing of personal data and such amounts cannot be claimed from the other Party.
NanoLink must maintain records of the categories of processing activities carried out for the Customer in accordance with Article 30 of the General Data Protection Regulation. The Customer must inform NanoLink of the name and contact details of the Customer’s representative and Data Protection Officer, if any, and keep such information updated so that NanoLink can maintain accurate records.
Duty of confidentiality
NanoLink must ensure that persons it has authorised to process the Customer’s personal data have undertaken to observe confidentiality or are subject to an appropriate statutory obligation of secrecy. NanoLink and anyone carrying out work for NanoLink and who has access to the Customer’s personal data may process these data only on the Customer’s instructions which have been accepted by NanoLink unless other processing is required by rules of law or court decision to which NanoLink is subject.
NanoLink may authorise persons only if it is necessary for them to have access to the personal data for the purpose of fulfilling NanoLink’s obligations to the Customer. NanoLink must regularly assess authorisations and close access when authorisations expire or terminate.
Supervision and auditing
NanoLink makes available to the Customer all information required to demonstrate compliance with the requirements in Article 28 of the General Data Protection Regulation and the requirements made of NanoLink in these Data Processing Terms. NanoLink allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
The Customer may request that a physical inspection be conducted at NanoLink. The request must be sent to NanoLink in writing, stating what the Customer wants the inspection to comprise. The Parties then agree on the further circumstances and scope of the inspection, including the time and the form of reporting.
The inspection may only be carried out by a person who accepts NanoLink’s ordinary security measures and a confidentiality clause directly to NanoLink.
NanoLink may object to a person appointed by the Customer to conduct an inspection if, in NanoLink’s reasonable assessment, the person appointed is not suitable or qualified to carry out the inspection, including that the person (1) is not independent, (2) is NanoLink’s direct competitor, or (3) is otherwise clearly unsuitable for the task.
If NanoLink objects to the person appointed, the Customer must appoint another person to carry out the inspection.
Supervision of the sub-processors used by NanoLink is carried out through NanoLink. However, the Customer may initiate and participate in a physical inspection, including at sub-processors. Supervision must then take place in compliance with the terms of inspection specified by the sub-processor.
Any costs incurred by NanoLink or sub-processors in connection with physical supervision or inspections held at NanoLink or sub-processors are paid by the Customer. In addition, NanoLink and any sub-processors are entitled to remuneration for the time spent on the inspection determined on the basis of the current price list.
Amendments to the Data Processing Terms
NanoLink may amend these Data Processing Terms with ninety (90) days’ notice. Amendments that must necessarily be implemented before the end of this notice period may be implemented immediately. Information on planned amendments will be sent to the Customer. If the Customer does not want to accept the amendments of which notice is given, the Customer may terminate the agreement on Subscription. The Customer has no other powers in consequence of amendments to the Data Processing Terms.
NanoLink’s contact details
The Customer must send any inquiries to NanoLink concerning data protection, including requests for supervision and inspection, to:
8722 Hedensted, Denmark
Tel.: +45 8870 9000
The Parties’ storage period
NanoLink and the Customer must each electronically store a version of these Data Processing Terms and the agreement on Subscription for the products purchased and any other agreements of significance to or supplementing these Data Processing Terms.