Last updated: February 1, 2025
This Data Processing Agreement (the “Agreement”) regulates OpenDIMS ApS’ processing of personal data on behalf of you as a customer and has been entered into in accordance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”). The agreement comes into force when you register as a customer in OpenDIMS.
Parties
Data controller:
[Inserted: Company name, address and CVR number] Contact: [Inserted: Name and contact information]
Data processor:
OpenDIMS ApS Rømersvej 4 7430 Ikast CVR: 43782495 The parties are hereinafter referred to as “the data controller” and “the data processor” respectively, and collectively “the parties”.
1. Preamble
1.1 The definitions of “personal data”, “special categories of personal data”, “data processing”, “data subject”, “controller” and “processor” are similar to those in the GDPR. 1.2 The purpose of this agreement is to ensure the parties’ compliance with data protection legislation and to document the data controller’s instructions to the data processor. 1.3 The agreement regulates the processing of personal data in connection with the data controller’s use of the PIM system OpenDIMS. 1.4 The Agreement shall prevail over any conflicting provisions on the processing of personal data in other agreements between the parties. 1.5 The Agreement does not relieve the Data Processor from obligations imposed directly under applicable data protection legislation.
2. Obligations of the Data Controller
2.1 The Data Controller is responsible for ensuring that the processing of personal data is carried out in accordance with the GDPR and other relevant legislation. 2.2 The Data Controller shall determine the purposes and means of the processing of personal data. 2.3 The Data Controller ensures that there is a legal basis for the processing and disclosure of personal data to the Data Processor. 2.4 The Data Controller is responsible for the accuracy and lawfulness of the personal data processed. 2.5 The Data Controller has fulfilled its duty to provide information to the data subjects.
3. Obligations of the Data Processor
3.1 The Data Processor only processes personal data in accordance with documented instructions from the Data Controller, unless otherwise required by law. 3.2 The Data Processor must immediately notify the Data Controller if an instruction is in conflict with applicable data protection legislation. 3.3 The Data Processor ensures that employees with access to personal data are subject to confidentiality. 3.4 The Data Processor implements appropriate technical and organisational security measures in accordance with Article 32 of the GDPR.
4. Processing safety
4.1 The Data Processor shall ensure an appropriate level of security, taking into account the nature and risks of the processing. 4.2 Safety measures include:
- Encryption of data in transit.
- Access Restriction to Personal Data.
- Regular vulnerability scanning.
- Awareness training for employees.
5. Use of sub-processors
5.1 The Data Processor has the General Consent of the Data Controller to use Sub-Processors. 5.2 The Data Processor shall ensure that Sub-Processors comply with corresponding obligations as described in this Agreement. 5.3 The Data Processor shall give the Data Controller at least 30 days’ notice in the event of a change or use of new sub-processors.
6. Transfer to third countries
6.1 The transfer of personal data to third countries only takes place with a valid basis for transfer, e.g. the European Commission’s Standard Contractual Clauses.
7. Assistance to the Data Controller
7.1 The Data Processor assists the Data Controller in ensuring compliance with obligations under the GDPR, including:
- Processing safety
- Reporting a personal data breach
- Responding to Data Subject Requests
8. Notification of personal data breaches
8.1 The Data Processor shall notify the Data Controller without undue delay and no later than 48 hours after the discovery of a security breach.
9. Returning and Deleting Data
9.1 Upon termination of the collaboration, the Data Processor deletes or anonymizes all personal data, unless storage is required by law.
10. Audit
10.1 The Data Controller has the right to have audits carried out to ensure the Data Processor’s compliance with this Agreement. 10.2 The Data Processor may make relevant audit reports available to the Data Controller.
11. Term and termination of the Agreement
11.1 The Agreement is valid for as long as the Data Processor processes personal data on behalf of the Data Controller. 11.2 Upon termination of the Data Processing Agreement, the Data Processor will only store personal data where this is required by law.
12. Amendments to the Agreement
12.1 The Data Processor may update the Agreement by giving the Data Controller a notice of at least 30 days.
By signing, the parties confirm that they have entered into this data processing agreement.
For the data controller: [Insert name, title and date
For the data processor: [insert name, title and date]
Annex A – Categories of personal data and data subjects
A. Categories of personal data
a.The data controller has control over which categories of personal data are processed in the Screenpublisher application, but may include, among other things: Name Title Telephone number E-mail Address CPR no. Possibly. In addition to the above, special categories of personal data (sensitive data) may be processed by the Data Processor to the extent that the Data Controller processes such data in the OpenDIMS application. However, this is beyond the control of the data processor.
B. Categories of data subjects
b. The Data Controller has control over which categories of data subjects are processed in the OpenDIMS application, but may include, among others: The Data Controller’s end users The Data Controller’s employees The Data Controller’s contact persons
Appendix B – Sub-processors
Overview of sub-processors for OpenDIMS OpenDIMS uses sub-processors to process personal data. These sub-processors are typically providers of cloud services or other IT hosting services. Of course, we ensure that data processing agreements are entered into with all our sub-processors in order to protect your personal data in the best possible way. If sub-processors are located outside the EU, we ensure that we have a valid transfer basis in place by, among other things, entering into the EU’s Standard Contractual Clauses (SCC). Under each category, you can read what data our sub-processors have access to, what the purpose is, where the data is stored and what the basis for transfer is if data is transferred to third countries.
| Sub-processor | Product | Host location | Purpose |
|---|---|---|---|
| Digital Ocean, Inc | Digital Ocean | France | Digital Ocean hosts the OpenDIMS application and database servers and is used for storing customers’ media files. |
| Nets | Nets | Denmark | Nets is an acquirer that takes care of credit card payments on subscriptions and the sale of equipment in the webshop. |
| Billy | Billy | Denmark | Invoicing and accounting. |
| Azehosting | Azehosting | European Union | Azehosting supports sending emails generated through the OpenDIMS application. |
| Intuit | Mailchimp | United States | To send out emails in case of updates of the application and news. |
Contact us if you have any questions
If you have any questions about our use of sub-processors, you are welcome to reach out to us by email or phone. Find our contact information here.
