Agreed conditions for data processing
The customer who accepts these terms and conditions and Musskema.dk ApS, CVR no. 31285305 (Musskema) have entered into an agreement regarding the Customer's access to and use of Musskema.dk (Subscription Agreement). Musskema.dk is a standard IT service offered by Musskema as a cloud service for organising and conducting EDP interviews, etc.
Musskema will act as Data Processor for the Customer under the stated Subscription Terms, in accordance with the definitions in the General Data Protection Regulation, as Musskema stores and processes personal information in the context of the Musskema.dk cloud service being made available to the Customer. The parties acknowledge that the Data Protection Regulation and Data Protection Act apply to Musskema's processing of personal data on behalf of the Customer.
The data processing terms are drawn up in order for the parties to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Data Protection Regulation).
The Data Processing Terms will take effect from the time the Customer accepts them, and the Data Processing Terms will replace any earlier data processing agreement concluded between the Parties in relation to the agreed data processing activities under the Agreement.
The Data Processing Terms additionally complement the Subscription Agreement and prevail over conflicting terms.
These data processing terms (Data Processing Terms) constitute the Data Processing Agreement between the parties for the processing of personal data as entrusted by the Customer, and which Musskema has undertaken to do as part of the delivery of Musskema.dk cloud services.
The Data Processing Terms determine the rights and obligations that apply when Musskema is processing personal data on behalf of the Customer, and the Data Processing Terms specify the security measures that Musskema undertakes.
For those data processing activities that are entrusted to Musskema to perform on behalf of the Customer, Musskema is the data processor in accordance with the applicable data protection rules, while the Customer is either data controller or data processor in accordance with the applicable data protection rules. The parties shall each comply with the obligations imposed on them by the applicable data protection rules and the Data Processing Terms do not release either Musskema or the Customer from such obligations.
The Data Processing Terms are valid from the time they enter into effect, and until Musskema has deleted the Customer's Data in accordance with these Data Processing Terms. The Data Processing Terms and the Subscription Agreement are interdependent, and the Data Processing Terms, therefore, cannot be terminated separately.
Musskema guarantees to the Customer that Musskema possesses sufficient expertise, reliability and resources to take the necessary measures to comply with the Data Protection Regulation as regards the data processing activities that Musskema undertakes for the Customer by virtue of the Subscription Agreement.
The customer is responsible for complying with the applicable personal data rules currently in force in relation to the personal data entrusted to Musskema's processing. The customer is in particular responsible to Musskema for and warrants that:
- The customer has the necessary authority to process and to entrust it to Musskema to process the personal information that is entered into Musskema.dk. In the event that the Customer is Data Processor for the personal data that is entrusted to Musskema's processing, the Customer warrants to Musskema that the Customer's instructions as expressed by these Data Processing Terms and the Subscription Agreement and the use of Musskema including Sub Data Processors as a secondary Data Processor is authorised by the Data Controller.
- The instructions according to which Musskema shall process the personal data on behalf of the Customer are legal. In addition, the Customer is responsible for carrying out necessary safety assessments in relation to the Customer's use of the Musskema.dk cloud service, including the Customer declaring that, in view of the current technical level of Musskema.dk and in Musskema as a whole in relation to the described precautions and measures in the Data Processing Terms, state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to natural persons' rights and freedoms, the Customer considers the safety measures implemented by Musskema to be appropriate and that they ensure a level of security that matches the identified risks for the registered persons to whom the entrusted information relates.
The nature of the agreed data processing, determined by the parties, is the delivery of a standard cloud service from Musskema to the Customer, in which the Customer's data is stored, and through which the Customer may initiate additional processing, such as, for example, the generation of statistics done by Musskema in an automated manner.
In addition, it can be agreed specifically between the parties that the nature of the processing also includes the provision of services that entail processing of the Customer's information.
Musskema will thus process the information provided by the Customer with the agreed purpose of providing the Musskema.dk service to the Customer, including facilitating the agreed functionality as stipulated in the Agreement.
The entrusted processing of personal data includes those types of information that the Customer enters and imports into the Musskema.dk cloud service. This includes names, e-mail addresses, employees' location in the organisation, information about the immediate manager and any other personal information that the employee and his/her manager enter into the cloud service, e.g. preparatory notes, scores, commented agreements and action plans with deadlines in connection with EDPs, WPAs, etc.
The categories of data subjects comprise the categories of data subjects that the Customer includes in the use of Musskema.dk. Musskema.dk is designed to allow for typing in information about the Customer's employees.
If a customer wishes to use the Musskema.dk feature “360-degree managerial evaluation”, which also includes e.g. contributions from external stakeholders, the categories of data subjects will also include such external stakeholders.
The same will apply if the Customer wishes to use a “TDP group” that includes one or more external stakeholders.
Upon the Customer's acceptance of the Data Processing Terms, the Customer instructs musskema.dk to process the Customer's personal data for the delivery of the Musskema.dk cloud service on the terms specified in the Subscription Agreement and these Data Processing Terms.
Also, the Customer may request that Musskema receives further written instructions for processing personal data for the Customer. Musskema may freely choose to accept or refuse such additional instructions. However, Musskema will always accept an instruction to discontinue further processing, in which case Musskema will delete the Customer's data within the time limits specified in the data deletion section below. Musskema's obligations in the Subscription Agreement, which cannot be delivered as a consequence hereof, will therefore also cease to apply.
Musskema will comply with those of the Customer's instructions, which Musskema has approved unless processing of the personal data according to the instructions will violate the applicable data protection legislation to which Musskema is subject. In this case, Musskema will inform the Customer about this, unless such notification will also be in violation of applicable law.
Musskema is only allowed to process the Customer's personal data according to the instructions of the Customer, as accepted by Musskema. However, Musskema is required to perform processing activities if this follows from a legal obligation to which Musskema is subject. In this case, Musskema will inform the Customer about this before the processing is performed, unless such notification is illegal.
Musskema will perform data processing of the Customer's personal data for as long as Musskema is required to do so under the Subscription Agreement - typically for as long as the Subscription Agreement is in force - and for a period of time afterwards, until Musskema deletes the Customer's data in accordance with the regulations set forth below in these Data Processing Terms.
Musskema implements all measures required by Article 32 in the General Data Protection Regulation, including the implementation of appropriate technical and organisational measures to protect the entrusted personal data against accidental or illegal destruction, loss, alteration, unauthorised disclosure or access to the personal data.
The implemented measures are further described in Musskema’s Description of Implemented Security Measures, March 2018 Version, (Here) which Musskema may continuously update. However, changes in security measures should never lead to a deterioration in the level of security. Updated versions of the Description of implemented security measures are automatically included as part of the Data Processing Terms and replace previous versions.
If Musskema becomes aware that there has been a personal data breach in relation to the personal data that the Customer has entrusted to Musskema to process, Musskema must notify the Customer about this breach without undue delay after Musskema has become aware that a breach has occurred.
Musskema shall, without undue delay after becoming aware of a personal data breach, take reasonable and proportional steps to limit the damage resulting from the breach.
Notification to the Customer shall, if possible, include a description of the circumstances of the breach, the nature of the breach, what steps Musskema has taken or intends to take in order to limit the damage resulting from the breach and which circumstances Musskema believes the Customer should pay particular attention to in connection with the breach.
In the notification, Musskema will provide contact information for Musskema, where further information can be obtained by the Customer.
Notification can be sent by e-mail to the contact address, which Musskema has on file for the Customer.
Musskema's notification of a personal data breach does not constitute a recognition of guilt or liability in relation to a breach of personal data security.
Upon request, Musskema will assist the Customer in ensuring compliance with the Customer's obligations under Article 33 and Article 34 of the General Data Protection Regulation, taking into account the nature of the entrusted processing and the information available to Musskema in relation to a breach of personal data protection that occurs in Musskema.
By accepting these Data Processing Terms, the Customer grants its general authorisation for Musskema to make use of other data processors (sub-processors) without the Customer’s prior approval. Information about such contracted sub-processors, including their function, and in which country the sub-processor is established, is available at (Here).
When engaging a sub-processor, Musskema ensures that a written agreement is concluded with the sub-processor through which it is ensured that
If a sub-processor does not fulfill its data protection obligations, Musskema remains fully liable to the Customer for the fulfilment of the data processor's data protection obligations.
Musskema may continuously update the list of sub-processors. Updates must be made at least 30 days before any planned changes regarding addition or replacement of a sub-processor. When updating the list, the Customer is given a separate notice hereof, thereby enabling the Customer to object to the planned changes. If the Customer objects to the proposed changes, the Customer may terminate his/her Subscription Agreement with Musskema with effect either immediately or from the expiration of the current calendar month at the time of notice. It is a requirement for termination after this clause that notice of termination is submitted to Musskema within 30 days after notification of the planned changes has been given to the Customer. Termination of the Subscription Agreement is the Customer's sole remedy in this situation.
Unless the Customer gives special instructions to Musskema, the Customer's data may not be transferred to areas outside the EU.
However, Musskema may transfer the Customer's data to a third country or international organisation when required by EU law or the national law of the Member States to which Musskema is subject. In this case, the Customer shall be informed of this legal claim before the transfer unless the court in question prohibits such notification for reasons of important societal interests.
The Customer's own access to personal data stored in the Musskema.dk cloud service from a location that causes a transfer of personal data to a third country is considered as the Customer's own transfer and is therefore not covered by Musskema's responsibilities or obligations.
Musskema is required at Customer's written request to provide the Customer with the following assistance:
Musskema assists the Customer, the nature of the processing taken into account, by appropriate technical and organizational measures insofar as this is possible, in meeting the Customer's obligation to respond to requests to exercise Data Subject rights as set out in Chapter 3 of the General Data Protection Regulation and supplemented by the Data Protection Act. If Musskema receives a request directly from a Data Subject or a potential Data Subject about the exercise of its rights, Musskema immediately passes the inquiry on to the Customer, which then determines whether Musskema's assistance is required.
Musskema also assists the Customer in ensuring compliance with the Customer's obligations pursuant to Article 32-36 of the General Data Protection Regulation, taking into account the nature of the entrusted processing activities and the information available to Musskema.
Musskema is entitled to a separate fee for the assistance granted to the fulfilment of the Customer's requests under this item "Assistance to the Customer". However, as regards assistance to fulfil the Customer's obligations under the General Data Protection Regulation art. 33-34, Musskema does not have a claim for compensation for fulfilment of the obligations of Musskema after the item "Reporting security breaches".
Any fee after this clause is calculated on the basis of the time spent by Musskema and follows Musskema's regular hourly rate for such work. The current prices can be found (Here).
For compensation and other claims payable to a Data Subject as a result of an illegal processing of personal data, the General Data Protection Regulation article 82 and the Data Protection Act section 40 apply. In the interrelationship between the parties, each party is thus responsible for extracting the portion of such amounts that correspond to the party's share of liability for the damage. If necessary, the distribution of responsibilities shall be determined by judicial review.
Musskema is required to keep records of the categories of processing activities performed on behalf of the Customer in accordance with the General Data Protection Regulation art. 30. The Customer is required to provide Musskema with the name and contact information of the Customer's Representative and Data Protection Advisor and to update such information so that the records can be properly kept by Musskema.
Musskema must ensure that the persons authorised by Musskema to process the Customer's personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. Musskema and anyone who performs work on behalf of Musskema, and who have access to the Customer's personal data, may process this data only according to the Customer's instructions unless otherwise required by legal regulation to which Musskema is subject.
Musskema may only authorise persons for whom it is necessary to have access to the personal data in order to fulfil Musskema's obligations to the Customer. Musskema must continuously review authorisations and close accesses when authorisations expire or terminate.
Musskema makes all the information necessary to demonstrate compliance with the requirements of the General Data Protection Regulation Article 28 and the requirements to Musskema, as stipulated by these Data Processing Terms, available to the Customer. As part hereof, Musskema provides the opportunity for and contributes to audits, including inspections made by the Customer or any other auditor, authorised by the Customer.
Once a year, Musskema's auditor Deloitte reviews the security setup and issues a statement of assurance, which Musskema makes available to the Customer on the website.
The Customer may request a physical inspection at Musskema. Requests must be submitted in writing to Musskema, indicating what the Customer wishes to include in the inspection. The parties then agree on the circumstances and scope of the inspection, including the date of inspection and the form of reporting.
Inspection can only be done by a person who submits to Musskema's general safety measures and who accepts a confidentiality clause directly to Musskema.
Musskema may raise objections to a designated person for inspection if the designated person is not suitable or qualified for the purpose of the inspection, including the person (1) not being independent, (2) being a direct competitor of Musskema or (3) being for other reasons obviously unsuitable for carrying out the task.
If Musskema raises an objection to the designated person, the Customer may designate another person to carry out the inspection.
Auditing of sub-processors used by Musskema is done through Musskema. However, the Customer may choose to initiate and participate in a physical inspection also at the sub-processor. Audits must be carried out in compliance with the sub-processors' terms of inspection.
Any expenses incurred by Musskema or the sub-processor in connection with being physically audited/inspected shall be borne by the Customer. Musskema and any sub-processor are also eligible for a fee for the time spent on inspection, based on the current price list (Here).
Regarding this clause concerning "Inspection and Auditing", Musskema shall promptly inform the Customer if Musskema considers an instruction to be in violation of the General Data Protection Act or other applicable data protection legislation to which Musskema is subject.
Following the Customer's decision, Musskema deletes or returns all Personal data to the Customer after the termination of the Services - usually termination of the Subscription Agreement - and Musskema deletes existing copies unless Musskema is subject to a legal obligation stating that Musskema must keep the personal data.
Musskema's execution of the Customer's instructions to delete or return the Customer's data is done in accordance with the regulation of the General Data Protection Regulation and as quickly as practicable. By default, Musskema deletes customer data from the operating environment 14 days after the Subscription Agreement has expired. The Customer hereby agrees that the Customer's data is included in a 90-day backup procedure, after which all copies of Customer's data are deleted.
Musskema can change these Data Processing Terms with a 90-day notice. Information about planned changes will be forwarded to the Customer. If the Customer does not wish to accept the notified changes, the Customer may terminate its Subscription Agreement. The customer has no other powers as a consequence of changes to the Data Protection Terms.
Customer inquiries to Musskema concerning data protection, including requests for audits and inspections, must be forwarded to:
INCUBA, Åbogade 15
DK - 8200 Aarhus N
Attention: CEO, adm. director
Tel.: +45 8675 1242.
Record keeping obligation of the Parties
Musskema and the Customer are each required to electronically retain a version of these Data Processing Terms and the Subscription Agreement, which stipulates the additional agreed instructions and any other information relevant to or supplementing these Data Processing Terms.
Version, October 2019