(hereinafter the ‘Agreement’)
uQualio ApS – CVR no. 39072858
The company that creates a campaign/training account and
Invite users who create and control their own personal accounts
(hereinafter ’Data Controller 2’)
1. 1 This Agreement determines the assignment of responsibilities between uQualio and Data Controller 2 (jointly the ‘Data Controllers’) in connection with the Data Controllers’ processing of personal data, when the data subjects (the users of the system/platform) get access to, attend and complete a course provided by Data Controller 2 by using uQualio’s systems/platform, whereas Data Controller 2 and uQualio jointly, control the data subject’s personal data, including e-mail address, phone number, test and learning results.
1.2 The Data Controllers agree that in connection with the Data Controllers’ processing of personal data in connection with the data subjects’ access, attendance, and completion of courses, there is joint data controllership, cf. the description in section 1.1 above. When assessing this, it has been taken into account, among other things:
Thus, it is not considered possible to separate the data controlling.
1.3 This Agreement is drawn up with a view to enabling the Data Controllers to comply with the requirements of joint data controllership pursuant to Article 26 of the GDPR. This Agreement determines uQualio’s and Data Controller 2’s respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their duties to provide the information referred to in Articles 13 and 14.
2.1 uQualio’s overall responsibility consists in making systems/a platform and service available for Data Controller 2 and ensuring the security of these systems. In addition, uQualio is responsible for compliance with the GDPR, meaning that uQualio prepares its own records, internal policies, etc.
2.2 Data Controller 2’s overall responsibility consists in providing courses via uQualio’s systems/platform, including the processing of personal data. Data Controller 2 is responsible for compliance with the data protection legislation, including in relation to the notification duty towards the data subjects, preparation of records, etc.
3.1 Data Controller 2 is responsible for ensuring a valid legal basis for processing carried out by Data Controller 2.
3.2 uQualio and Data Controller 2 are each responsible for compliance with the principles governing the processing of personal data, to the extent that the rules apply to the respective party’s areas of responsibility pursuant to this Agreement.
4.1 The Data Controllers are jointly responsible for protecting the rights of data subjects by observing the below rules of the GDPR:
4.2 uQualio is responsible for compliance with items c), d), e), f), g), h) and i).
4.3 uQualio and Data Controller 2 are each responsible for compliance with items a) and b).
4.4 Data Controller 2 must always notify uQualio in connection with inquiries concerning the data protection legislation, no matter if the inquiry concerns a matter for which uQualio or Data Controller 2 is responsible. Notification must take place immediately after Data Controller 2 has obtained knowledge of the inquiry.
4.5 The Data Controllers are both responsible for assisting each other to the extent that this is relevant and necessary for both parties to comply with the obligations towards the data subjects.
5.1 Taking into account the nature, scope, context, and purpose of the processing in question as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, uQualio is responsible for implementing appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. If necessary, these measures must be reviewed and updated (Article 24 of the GDPR).
5.2 uQualio is responsible for compliance with the rule on data protection by design and data protection by default pursuant to Article 25 of the GDPR.
5.3 uQualio is responsible for compliance with the requirement of Article 32 of the GDPR regarding the security of processing. This implies, that uQualio, taking into account the relevant technical level, the costs of implementation and nature, scope, context, and purpose of the processing in question as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
5.4 Data Controller 2 is obliged to comply with the technical and organizational measures as well as the data protection policies, etc. to be drawn up and implemented by uQualio pursuant to subclauses 5.1 – 5.3.
6.1 uQualio is entitled to use data processors and/or sub-processors in connection with the joint processing.
6.2 In case of the use of data processors and/or sub-processors, uQualio is responsible for compliance with the requirements of Article 28 of the GDPR. In this connection, uQualio is, among other things, obliged to:
7.1 The Data Controllers are both responsible for compliance with the possible requirement of Article 30 of the GDPR regarding records of processing activities. This implies that both parties prepare a record of the processing that the parties are joint data controllers for.
7.2 uQualio must inform Data Controller 2 about the contents of the above record upon Data Controller 2’s request.
8.1 The Data Controllers are both responsible for compliance with Article 33 of the GDPR regarding notification of a personal data breach to the supervisory authority.
8.2 Data Controller 2 must notify uQualio without undue delay in case of a personal data breach.
8.3 uQualio assesses the personal data breach, stores the assessment, and notifies the Danish Data Protection Agency about the breach, and informs the data subjects, if necessary.
9.1 uQualio is responsible for compliance with the requirement of Article 35 regarding impact assessment concerning data protection. This implies that uQualio, if a type of processing, in particular when using new technologies and, by virtue of its nature, scope, context, and purpose, is likely to involve a high risk to the rights and freedoms of natural persons, prior to the processing carries out an assessment of the impact of the envisaged processing operations on the protection of personal data.
9.2 Likewise, uQualio is obliged to comply with the requirement of Article 36 of the GDPR regarding prior consultation with the supervisory authority, when this is appropriate.
10.1 uQualio can decide that transfer of personal data may take place to third countries or international organizations.
10.2 uQualio is responsible for compliance with the requirements of Chapter V of the GDPR, in case of transfer of personal data to third countries or international organizations.
10.3 Data Controller 2 must not transfer personal data to third countries or international organizations without uQualio’s prior consent.
11.1 The Data Controllers are each responsible for the handling of any complaints from data subjects, if the complaints concern infringements of provisions of the GDPR, for which one of the Data Controllers is responsible pursuant to this Agreement.
11.2 If one of the Data Controllers receives a complaint, which should rightly be handled by the other party, the complaint must be forwarded to the other party as soon as possible for the other party’s reply.
11.3 If one of the Data Controllers receives a complaint, of which part of the complaint rightly should be handled by the other party, such part of the complaint must be forwarded to the other party as soon as possible for the other party’s reply.
11.4 The data subject must, in connection with the party’s forwarding of a complaint or a part hereof to the other party, be informed of the main contents of this Agreement.
12.1 This Agreement will enter into force when it has been signed by both Data Controllers.
12.2 This Agreement shall apply as long as the processing of the personal data in question is performed or until this Agreement be replaced by a new agreement determining the assignment of responsibility in connection with the processing.