Data Processing Agreement
for [Company Name]
This Data Processing Agreement ("Agreement") has been entered into between:
- Data Controller: [Company Name] – [Address] – [Postal Code] [City Name]("Data Controller")
- Data Processor: Mercura ApS, CVR number: 37609110, with address at Åbogade 15, 8200 Aarhus N
("Data Processor")
1. Purpose of the Agreement
This Agreement sets out the terms for the Data Processor's processing of personal data on behalf of the Data Controller in accordance with the requirements of the EU General Data Protection Regulation ("GDPR") (Regulation 2016/679).
2. Scope and Nature of Processing
- Purpose of processing: The Data Processor processes personal data to deliver and administer the CPQ solution, including support and maintenance.
- Data Subjects: Customers and employees of the Data Controller.
- Types of personal data: Name and email address.
3. Instructions
The Data Processor shall only process personal data in accordance with written instructions from the Data Controller, unless otherwise required by applicable law. The Data Processor shall immediately inform the Data Controller if, in the Data Processor's opinion, an instruction infringes applicable law.
4. Confidentiality
The Data Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy.
5. Security Measures
The Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which meets the requirements of Article 32 of the GDPR. This includes, but is not limited to, data encryption and access control.
6. Use of Sub-processors
The Data Controller accepts that the Data Processor uses the following sub-processors to fulfil its obligations:
- Servicepoint A/S, which provides server capacity and data storage in Germany.
The Data Processor shall enter into a written agreement with sub-processors which ensures that they assume the same obligations as the Data Processor with regard to the protection of personal data. The Data Processor remains fully liable for the services of its sub-processors.
7. Transfers to Third Countries
Personal data shall only be processed within the EU/EEA. The Data Processor shall not transfer personal data to third countries without prior approval from the Data Controller and shall, in such case, ensure that the transfer complies with the GDPR.
8. Assisting the Data Controller
The Data Processor shall assist the Data Controller in fulfilling its obligations with regard to data subjects' rights (e.g., data access, erasure, rectification) and notification of data breaches. Any data breach shall be reported to the Data Controller without undue delay.
9. Deletion and Return of Data
Upon termination of the provision of services, the Data Processor shall, at the Data Controller's choice, either delete or return all personal data and delete all copies, unless applicable law requires storage.
10. Supervision and Audit
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this Agreement and allow for audits, including inspections, conducted by the Data Controller or a third party mandated by the Data Controller.
11. Duration and Termination
This Agreement shall enter into force at the same time as the main agreement for the provision of services and shall remain valid as long as the Data Processor processes personal data on behalf of the Data Controller.
12. Governing Law and Jurisdiction
Any dispute or case that may arise from these terms and the customer's use of the software shall be brought before the court in Aarhus as the venue. The dispute shall be decided according to Danish law.
By your purchase of software from MERCURA, by installation of software from MERCURA, and by ongoing payment of service subscription fees to MERCURA APS, you accept the above terms.