(hereinafter the ‘Agreement’)
CVR no. 39072858
The company that creates a campaign account and invites users who create and control their own personal accounts
(hereinafter ‘Data Controller 2’)
1. Joint Data Controllership
1.1 This Agreement determines the assignment of responsibilities between uQualio and Data Controller 2 (jointly the ‘Data Controllers’) in connection with the Data Controllers’ processing of personal data, when the data subjects (the users of the system/platform) get access to, attend and complete a course provided by Data Controller 2 by using uQualio’s systems/platform, whereas Data Controller 2 and uQualio jointly control the data subjects’ personal data, including e-mail address, phone number, test and learning results.
1.2 The Data Controllers agree that in connection with the Data Controllers’ processing of personal data in connection with the data subjects’ access, attendance and completion of courses, there is joint data controllership, cf. the description in section 1.1 above. When assessing this, it has been taken into account, among other things:
that the Data Controllers both have access to uQualio’s systems and relevant personal data in these systems,
that the Data Controllers must be able to access each other’s data to a certain extent in order to provide service to the data subject,
Thus, it is not considered possible to separate the data controlling.
1.3 This Agreement is drawn up with a view to enabling the Data Controllers to comply with the requirements of joint data controllership pursuant to Article 26 of the GDPR. This Agreement determines uQualio’s and Data Controller 2’s respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their duties to provide the information referred to in Articles 13 and 14.
2. Overall Assignment of Responsibilities
2.1 uQualio’s overall responsibility consists in making systems/a platform and service available for Data Controller 2 and ensuring the security of these systems. In addition, uQualio is responsible for compliance with the GDPR, meaning that uQualio prepares its own records, internal policies, etc.
2.2 Data Controller 2’s overall responsibility consists in providing courses via uQualio’s systems/platform, including processing of personal data. Data Controller 2 is itself responsible for compliance with the data protection legislation, including in relation to the notification duty towards the data subjects, preparation of records, etc.
3. Principles and Legal Basis
3.1 Data Controller 2 is responsible for ensuring a valid legal basis for processing carried out by Data Controller 2.
3.2 uQualio and Data Controller 2 are each responsible for compliance with the principles governing processing of personal data, to the extent that the rules apply to the respective party’s areas of responsibility pursuant to this Agreement.
4. The Rights of Data Subjects
4.1 The Data Controllers are jointly responsible for protecting the rights of data subjects by observing the below rules of the GDPR:
a. information to be provided where personal data are collected from the data subject,
b. information to be provided if personal data are not collected from the data subject,
c. the data subject’s right of access to personal data,
d. right to have personal data rectified,
e. right to have personal data erased (right to be forgotten),
f. right to restriction of processing,
g. notification obligation in connection with rectification or erasure of personal data or restriction of processing,
h. right to data portability (however, does not apply to public authorities) and
i. right to object to processing.
4.2 uQualio is responsible for compliance with items c), d), e), f), g), h) and i).
4.3 uQualio and Data Controller 2 are each responsible for compliance with items a) and b).
4.4 Data Controller 2 must always notify uQualio in connection with inquiries concerning the data protection legislation, no matter if the inquiry concerns a matter for which uQualio or Data Controller 2 is responsible. Notification must take place immediately after Data Controller 2 has obtained knowledge of the inquiry.
4.5 The Data Controllers are both responsible for assisting each other to the extent that this is relevant and necessary for both parties to comply with the obligations towards the data subjects.
5. Security of Processing, etc.
5.1 Taking into account the nature, scope, context and purpose of the processing in question as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, uQualio is responsible for implementing appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. If necessary, these measures must be reviewed and updated (Article 24 of the GDPR).
5.2 uQualio is responsible for compliance with the rule on data protection by design and data protection by default pursuant to Article 25 of the GDPR.
5.3 uQualio is responsible for compliance with the requirement of Article 32 of the GDPR regarding security of processing. This implies that uQualio, taking into account the relevant technical level, the costs of implementation and the nature, scope, context and purpose of the processing in question as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
5.4 Data Controller 2 is obliged to comply with the technical and organisational measures as well as the data protection policies, etc. to be drawn up and implemented by uQualio pursuant to subclauses 5.1 – 5.3.
6. Data Processors and Sub-processors
6.1 uQualio is entitled to use data processors and/or sub-processors in connection with the joint processing.
6.2 In case of use of data processors and/or sub-processors, uQualio is responsible for compliance with the requirements of Article 28 of the GDPR. In this connection, uQualio is, among other things, obliged to:
a) use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject,
b) ensure that there is a valid data processing contract between uQualio and the data processor, and
c) ensure that the data processor guarantees that there is a valid sub-processing contract between the data processor and any sub-processor.
7.1 The Data Controllers are both responsible for compliance with the possible requirement of Article 30 of the GDPR regarding records of processing activities. This implies that both parties prepare a record of the processing that the parties are joint data controllers for.
7.2 uQualio must inform Data Controller 2 about the contents of the above record upon Data Controller 2’s request.
8. Handling of a Personal Data Breach
8.1 The Data Controllers are both responsible for compliance with Article 33 of the GDPR regarding notification of a personal data breach to the supervisory authority.
8.2 Data Controller 2 must notify uQualio without undue delay in case of a personal data breach.
8.3 uQualio assesses the personal data breach, stores the assessment, and notifies the Danish Data Protection Agency about the breach, and informs the data subjects, if necessary.
9. Impact Assessment and Prior Consultation
9.1 uQualio is responsible for compliance with the requirement of Article 35 regarding impact assessment concerning data protection. This implies that if a type of processing, in particular when using new technologies, is likely, by virtue of its nature, scope, context and purpose, to involve a high risk to the rights and freedoms of natural persons, uQualio carries out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data.
9.2 Likewise, uQualio is obliged to comply with the requirement of Article 36 of the GDPR regarding prior consultation with the supervisory authority, when this is appropriate.
10. Transfer of Personal Data to Third Countries
10.1 uQualio can decide that transfer of personal data may take place to third countries or international organizations.
10.2 uQualio is responsible for compliance with the requirements of Chapter V of the GDPR, in case of transfer of personal data to third countries or international organizations.
10.3 Data Controller 2 must not transfer personal data to third countries or international organizations without uQualio’s prior consent.
11. Complaints from Data Subjects
11.1 The Data Controllers are each responsible for the handling of any complaints from data subjects, if the complaints concern infringements of provisions of the GDPR, for which one of the Data Controllers is responsible pursuant to this Agreement.
11.2 If one of the Data Controllers receives a complaint, which should rightly be handled by the other party, the complaint must be forwarded to the other party as soon as possible for the other party’s reply.
11.3 If one of the Data Controllers receives a complaint, of which part of the complaint rightly should be handled by the other party, such part of the complaint must be forwarded to the other party as soon as possible for the other party’s reply.
11.4 The data subject must, in connection with the party’s forwarding of a complaint or a part hereof to the other party, be informed of the main contents of this Agreement.
12. Commencement and Termination
12.1 This Agreement will enter into force when it has been signed by both Data Controllers.
12.2 This Agreement shall apply as long as the processing of the personal data in question is performed or until this Agreement is replaced by a new agreement determining the assignment of responsibility in connection with the processing.