DigitalNordic – Standard Contractual Clauses (GDPR) - DigitalNordic

Standard Contractual Clauses

GDPR - DigitalNordic

1. Introduction

  1. These Clauses establish the Data Processor’s rights and obligations when processing personal data on behalf of the Data Controller.
  2. The Clauses are designed to ensure compliance with Article 28(3) of Regulation (EU) 2016/679 (GDPR).
  3. In connection with the provision of hosting, website support, and related digital services, the Data Processor will process personal data on behalf of the Data Controller.
  4. These Clauses take precedence over any similar terms in other agreements between the Parties.
  5. Annex A forms an integral part of these Clauses and contains details of the data processing (purpose, nature, categories of data, categories of data subjects, and duration).
  6. Both Parties must store these Clauses and Annex A in written form (including electronic).
  7. These Clauses do not release the Data Processor from obligations under GDPR or other legislation.

2. Rights and Obligations of the Data Controller

  1. The Data Controller is responsible for ensuring that the processing of personal data complies with GDPR, other EU law, or relevant national law.
  2. The Data Controller decides the purposes and means of processing.
  3. The Data Controller ensures that a lawful basis exists for the processing performed by the Data Processor under instruction.

3. The Data Processor Acts Only on Instruction

  1. The Data Processor may only process personal data on documented instructions from the Data Controller, unless required by EU or national law. Instructions must be documented in Annex A.
  2. If the Data Processor considers an instruction to be unlawful, it must immediately notify the Data Controller.

4. Confidentiality

  1. Access to personal data must be limited to individuals under the Data Processor’s authority who are bound by confidentiality obligations. Access rights must be reviewed regularly and revoked when no longer necessary.
  2. Upon request, the Data Processor must be able to demonstrate that staff are subject to confidentiality obligations.

5. Security of Processing

  1. Both Parties must implement appropriate technical and organizational measures as required by Article 32 GDPR. This may include:
    • Pseudonymization and encryption of personal data
    • Ensuring confidentiality, integrity, and availability of systems
    • Ability to restore access to data in case of incident
    • Regular testing and evaluation of security measures
  2. The Data Processor must independently assess risks and implement necessary safeguards.
  3. The Data Processor must assist the Data Controller by providing information about security measures.

6. Use of Sub-Processors

  1. The Data Processor may only engage sub-processors with prior written general authorization from the Data Controller.
  2. The Data Processor must inform the Data Controller of intended changes (at least one month in advance) and allow objections.
  3. Sub-processors must be subject to the same obligations as the Data Processor, ensuring GDPR compliance.

7. Transfers to Third Countries

  1. Transfers to third countries may only occur with documented instruction from the Data Controller and must comply with Chapter V of GDPR.
  2. If legally required transfers are imposed by EU or national law, the Data Processor must notify the Data Controller unless prohibited by law.
  3. No transfers may occur without written instruction from the Data Controller.

8. Assistance to the Data Controller

  1. The Data Processor shall assist the Data Controller in fulfilling obligations regarding data subject rights (access, rectification, erasure, restriction, portability, objection, etc.).
  2. The Data Processor shall assist with:
    • Notifying supervisory authorities of data breaches (Article 33)
    • Informing affected data subjects (Article 34)
    • Conducting data protection impact assessments (Article 35)
    • Consulting with supervisory authorities when required (Article 36)

9. Data Breach Notification

  1. The Data Processor must notify the Data Controller without undue delay after becoming aware of a data breach (no later than 48 hours).
  2. The notification must include:
    • Nature of the breach (categories and approximate number of data subjects affected)
    • Likely consequences
    • Measures taken or proposed to address the breach

10. Deletion and Return of Data

Upon termination of services, the Data Processor must delete or return all personal data, unless retention is required by law. Written confirmation of deletion must be provided.

11. Audits and Inspections

  1. The Data Processor shall provide all information necessary to demonstrate compliance with GDPR and these Clauses.
  2. The Data Controller (or an appointed auditor) may conduct audits and inspections by agreement.
  3. Supervisory authorities must be granted access where required by law.

12. Additional Provisions

The Parties may agree on additional provisions (e.g. liability) provided they do not contradict GDPR or undermine the rights of data subjects.

13. Duration and Termination

  1. These Clauses take effect upon signature by both Parties and remain valid for as long as data processing services are provided.
  2. They may only be terminated after services end and all data has been deleted or returned.

14. Contact

DigitalNordic ApS
Contact Person: [Insert Name]
Position: Director
Phone: [Insert Number]
Email: [Insert Email]

Annex A – Details of Processing

A.1 Purpose:

  • Website hosting, technical support, social media communication support, and Google optimization.

A.2 Nature of Processing:

  • Provision of services under the Main Agreement, including analytics, marketing, SEO, support, and service.

A.3 Categories of Data:

  • Standard personal data, e.g. name, email, phone, address, payment details, membership/subscription info, newsletter sign-ups.

A.4 Categories of Data Subjects:

  • Website users, private customers, subscribers, and employees of the Data Controller.

A.5 Duration:

  • Data processed for the duration of the Main Agreement.
  • Transaction data retained for 5 years (per accounting laws).
  • Newsletter data deleted immediately upon cancellation.
  • All data deleted upon termination of the Main Agreement.