OPARKO
Data Processor
Here you will find the data processing agreement that applies between the data controller and the data processor. Please note that by signing the cooperation agreement with OPARKO, you accept the data processing agreement below, as the cooperation agreement itself also states.
Below you will find the following:
1. Background for the Data Processing Agreement
2. Obligations and Rights of the Data Controller
3. The Data Processor Acts According to Instructions
4. Confidentiality
5. Security of Processing
6. Use of Sub-processors
7. Transfer of Data to International Organizations
8. Assistance to the Data Controller
9. Notification of Personal Data Breaches
10. Deletion and Return of Data
11. Supervision and Audit
12. Commencement and Termination
Annex A: Information on the Processing
Annex B: Conditions for the Data Processor’s Use of Sub-processors and List of Approved Sub-processors
Annex C: Instructions Regarding the Processing of Personal Data
1. Background for the Data Processing Agreement
1. This Agreement sets out the rights and obligations applicable when the Data Processor processes personal data on behalf of the Data Controller.
2. The Agreement is drafted with the intention of ensuring the Parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.
3. The Data Processor’s processing of personal data is carried out for the purpose of fulfilling the Parties’ “Main Agreement”.
4. The Data Processing Agreement and the “Main Agreement” are mutually dependent and cannot be terminated separately. However, the Data Processing Agreement may – without terminating the “Main Agreement” – be replaced by another valid data processing agreement.
5. This Data Processing Agreement shall take precedence over any similar provisions in other agreements between the Parties, including the “Main Agreement”.
6. This Agreement is accompanied by four annexes. These annexes form an integral part of the Data Processing Agreement.
7. Annex A to the Data Processing Agreement contains detailed information about the processing, including the purpose and nature of the processing, the types of personal data, categories of data subjects, and the duration of the processing.
8. Annex B to the Data Processing Agreement contains the Data Controller’s conditions for the Data Processor’s use of any sub-processors, as well as a list of any sub-processors approved by the Data Controller.
9. Annex C to the Data Processing Agreement provides detailed instructions regarding the processing activities the Data Processor shall carry out on behalf of the Data Controller (the subject of processing), the minimum required security measures, and the supervision procedures for both the Data Processor and any sub-processors.
10. The Data Processing Agreement and its annexes must be stored in writing, including electronically, by both Parties.
11. This Data Processing Agreement does not exempt the Data Processor from obligations directly imposed by the GDPR or any other applicable law.
2. Obligations and Rights of the Data Controller
1. The Data Controller bears overall responsibility towards external parties (including the data subjects) for ensuring that personal data is processed in compliance with the GDPR and the Danish Data Protection Act.
2. The Data Controller therefore has both the right and the obligation to decide for which purposes and by which means personal data may be processed.
3. The Data Controller is, among other things, responsible for ensuring that there is a lawful basis for the processing that the Data Processor is instructed to perform.
3. The Data Processor Acts According to Instructions
1. The Data Processor may only process personal data following documented instructions from the Data Controller, unless processing is required under EU law or the national law of a Member State to which the Data Processor is subject. In such cases, the Data Processor shall notify the Data Controller of that legal requirement before the processing, unless the law prohibits such notification on important grounds of public interest, cf. Article 28(3)(a).
2. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions under EU or Member State law.
4. Confidentiality
1. The Data Processor shall ensure that only persons who are currently authorised have access to the personal data being processed on behalf of the Data Controller. Access shall be immediately revoked if the authorisation is withdrawn or expires.
2. Only persons for whom access to the personal data is necessary to fulfil the Data Processor’s obligations to the Data Controller may be authorised.
3. Upon request from the Data Controller, the Data Processor must be able to demonstrate that the relevant employees are subject to the above confidentiality obligations.
5. Security of Processing
1. The Data Processor shall implement all measures required under Article 32 of the GDPR, which specifies that appropriate technical and organisational measures shall be implemented to ensure a level of security appropriate to the risk, taking into account the current state of the art, implementation costs, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity to the rights and freedoms of natural persons.
2. This obligation requires the Data Processor to carry out a risk assessment and implement measures to mitigate identified risks. These measures may, where appropriate, include:
Pseudonymisation and encryption of personal data
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
3. In all cases, the Data Processor must at minimum implement the security measures set out in Annex C of this Agreement.
4. Any additional security arrangements or remuneration related to the establishment of such measures shall be set out in the Parties’ “Main Agreement”.
6. Use of Sub-processors
1. The Data Processor shall comply with the conditions laid down in Article 28(2) and (4) of the GDPR in order to engage another processor (sub-processor).
2. The Data Processor may not engage a sub-processor without the prior specific or general written authorisation of the Data Controller.
3. In the case of general written authorisation, the Data Processor must inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object.
4. The detailed conditions set by the Data Controller for the Data Processor’s use of any sub-processors are outlined in Annex B of this Agreement.
5. Any approval by the Data Controller of specific sub-processors is listed in Annex B of this Agreement.
6. Upon obtaining the Data Controller’s approval, the Data Processor shall ensure that the sub-processor is subject to the same data protection obligations as those set out in this Data Processing Agreement, by way of a contract or other legal act under EU or Member State law. In particular, the Data Processor must ensure that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the GDPR. The Data Processor is responsible for imposing on the sub-processor, via a sub-processing agreement, obligations that are at least equivalent to those imposed on the Data Processor under the GDPR and this Agreement and its annexes.
7. The sub-processing agreement, including any amendments, shall be made available to the Data Controller upon request, allowing the Data Controller to verify that a valid agreement is in place between the Data Processor and the sub-processor. Any commercial terms (e.g., pricing) that do not affect the data protection content of the agreement need not be disclosed.
8. The Data Processor shall include in its agreement with the sub-processor a third-party beneficiary clause in favour of the Data Controller in the event of the Data Processor’s bankruptcy, allowing the Data Controller to assert its rights against the sub-processor, e.g., by instructing the sub-processor to delete or return data.
7. Transfer of Data to International Organizations
1. The Data Processor may only process personal data following documented instructions from the Data Controller, including with respect to the transfer (disclosure, dissemination, and internal use) of personal data to third countries or international organizations, unless required under EU or Member State law to which the Data Processor is subject. In such cases, the Data Processor shall inform the Data Controller of the legal requirement prior to processing, unless such notification is prohibited for important public interest reasons, cf. Article 28(3)(a).
2. Without specific instructions or approval from the Data Controller, the Data Processor may not, within the scope of this Agreement:
Disclose personal data to a data controller in a third country or international organization,
Assign processing of personal data to a sub-processor in a third country,
Allow the data to be processed by another unit of the Data Processor located in a third country.
3. Any instructions or approvals from the Data Controller regarding transfers of personal data to third countries shall be set out in Annex C to this Agreement.
8. Assistance to the Data Controller
1. Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.
This includes assisting the Data Controller in ensuring compliance with:
The duty to inform when collecting personal data from the data subject
The duty to inform when personal data is not collected from the data subject
The right of access
The right to rectification
The right to erasure (“right to be forgotten”)
The right to restriction of processing
The obligation to notify regarding rectification or erasure or restriction of processing
The right to data portability
The right to object
The right not to be subject to a decision based solely on automated processing, including profiling
2. The Data Processor shall also assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32–36 of the GDPR, taking into account the nature of the processing and the information available to the Data Processor, cf. Article 28(3)(f).
This includes assistance in relation to:
The obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks of the processing
The obligation to notify the supervisory authority (Danish Data Protection Agency) of personal data breaches without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons
The obligation to notify the data subject(s) of a personal data breach without undue delay where the breach is likely to result in a high risk to their rights and freedoms
The obligation to conduct a data protection impact assessment if the processing is likely to result in a high risk to the rights and freedoms of natural persons
The obligation to consult the supervisory authority prior to processing where a data protection impact assessment indicates that processing would result in a high risk in the absence of mitigating measures by the Data Controller
3. Any commercial terms, including remuneration related to assistance provided by the Data Processor, shall be set out in the Parties’ “Main Agreement”.
9. Notification of Personal Data Breaches
1. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach involving the Data Processor or any sub-processor. Such notification must be made, where feasible, no later than 48 hours after becoming aware of the breach, to enable the Data Controller to comply with its obligation to report the breach to the supervisory authority within 72 hours.
2. In accordance with section 10.2(b) of this Agreement, the Data Processor shall, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in notifying the breach to the supervisory authority. This may include providing the following:
The nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned
The likely consequences of the breach
The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its adverse effects
10. Deletion and Return of Data
Upon termination of the services relating to the processing of personal data, the Data Processor shall, at the choice of the Data Controller, delete or return all personal data and delete any existing copies, unless EU or national law requires storage of the personal data.
11. Supervision and Audit
1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and this Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
2. The detailed procedure for the Data Controller’s supervision of the Data Processor is described in Annex C of this Agreement.
3. As a general rule, the Data Controller shall conduct supervision of any sub-processors via the Data Processor. The detailed procedure is outlined in Annex C.
4. The Data Processor shall allow access to its premises to public authorities having a legal right of access, or to representatives acting on their behalf, subject to proper identification.
12. Commencement and Termination
1. This Agreement enters into force upon signature by both Parties.
2. Either Party may request renegotiation of the Agreement if legal changes or deficiencies in the Agreement warrant it.
3. Termination of this Data Processing Agreement is subject to the notice terms set out in the “Main Agreement”.
4. This Agreement shall remain in force for as long as the processing continues. Notwithstanding the termination of the “Main Agreement” and/or this Agreement, the Data Processing Agreement will remain in effect until the processing has ceased and the data has been deleted by the Data Processor and any sub-processors.
13. Signatures
By signing the Main Agreement, both the Partner and OPARKO accept this Data Processing Agreement.
Annex A: Information on the Processing
Purpose of the processing of personal data by the Data Processor on behalf of the Data Controller:
To use personal data for performing parking control in the agreed area. Additionally, to allow the Data Controller to use the Data Processor’s systems for collecting and processing data.
Nature of the processing:
The Data Processor provides systems that enable the Data Controller to independently perform parking control in the agreed area. In addition, the system stores personal data of the Data Controller’s members on servers.
Types of personal data processed:
Name, email address, phone number, address, payment details, membership type, license plate number, number of issued fines and permits.
Categories of data subjects:
The processing concerns individuals who are or have been registered with the Data Controller. This includes those who are registered to park in the designated area with a temporary or permanent permit issued by the Data Controller, but does not include guests who have purchased a single-use parking ticket.
Commencement and duration of the processing:
Processing may begin upon entry into force of this Agreement. The processing is not time-limited and continues until the Agreement is terminated by either Party.
Annex B: Conditions for the Data Processor’s Use of Sub-processors and List of Approved Sub-processors
B.1 Conditions for the Data Processor’s Use of Any Sub-processors
The Data Processor may only engage sub-processors with the prior specific written approval of the Data Controller. Such approval shall be obtained through consultation between the Data Processor and the Data Controller. The Data Processor’s request must be received by the Data Controller at least one month prior to the intended commencement or change. If a sub-processor is already included in the agreement, the Data Processor is not obligated to notify the Data Controller one month in advance of the commencement or change. The Data Controller may only refuse approval if there are reasonable and specific grounds to do so.
B.2 Approved Sub-processors
Annex C: Instructions Regarding the Processing of Personal Data
C.1 Subject of the Processing / Instructions
The Data Processor processes personal data on behalf of the Data Controller by performing the following activities:
Collection of parking fines
Registration of parking permits
Communication of new initiatives and changes from the Data Processor
C.2 Security of Processing
It is noted that the processing involves regular, non-sensitive personal data, and therefore a “low” level of security must be established.
The Data Processor is thus entitled and obliged to decide on the appropriate technical and organizational security measures necessary to ensure the agreed security level of the data.
However, the Data Processor shall – in all cases and at a minimum – implement the following measures as agreed with the Data Controller:
Recognized encryption must be used for the transfer of personal data between data centers and between data centers and users.
Storage of personal data in data centers must be securely protected against unauthorized access.
An effective backup procedure must be established to ensure the Data Processor’s access to all necessary processing systems.
The Data Processor must secure all physical premises against unauthorized access. This includes alarm systems, access control, and personal access management for employees.
Employees of the Data Processor may only access personal data to the extent necessary to perform their work.
Employees of the Data Processor may not process personal data outside the agreed operating environment without the prior approval of the Data Controller.
Personal data may not be stored locally on employees’ devices or mobile devices, including external hard drives and USB sticks.
The Data Processor must ensure that employees with access to personal data have signed a confidentiality agreement. This duty of confidentiality applies both during and after employment.
Personal data must be effectively and securely deleted when disposing of IT equipment.
C.3 Retention Period / Deletion Routine
Personal data shall be stored by the Data Processor until the termination of the Main Agreement or upon request by the Data Controller to delete or return the data.
C.4 Location of Processing
Processing of the personal data covered by this Agreement may not take place at any location other than the following without the prior written approval of the Data Controller:
Processing shall take place at the Data Processor’s address.
Processing may also take place at the sub-processors listed in Annex B.
C.5 Instruction or Approval Regarding Transfers to Third Countries
If the Data Controller has not provided an instruction or approval regarding the transfer of personal data to a third country in this section or via subsequent written notice, the Data Processor is not permitted, within the scope of this Agreement, to make such transfers.
C.6 Procedure for the Data Controller’s Supervision of the Processing Performed by the Data Processor
The Data Controller may carry out supervision of the personal data processing by the Data Processor whenever the Data Controller deems it necessary.