According to Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), concerning the processing of personal data by the data processor, as entered into between the customer, acting as the data controller,
and
Campaign Builder Aps
VAT number 37637343
Tueager 1
8200 Aarhus N, as the data processor.
Each of the parties constitutes a "party," and together they are referred to as the "parties."
The parties have agreed to the following standard contractual clauses to comply with the GDPR and ensure the protection of privacy and the fundamental rights and freedoms of natural persons.
These provisions establish the rights and obligations of the data processor when processing personal data on behalf of the data controller.
By using Campaignbuilder.io and any additional features associated with the platform (hereinafter referred to as the "Platform"), the data processor processes personal data on behalf of the data controller.
These provisions include three appendices, which form an integral part of the provisions.
The data controller is responsible for the processing of personal data on the platform. The data processor processes personal data according to the instructions of the data controller and in compliance with national data protection laws, including the GDPR, and its own privacy policy.
These provisions use definitions as defined in the GDPR and the Danish Data Protection Act.
The data controller is responsible for ensuring that the processing of personal data complies with the GDPR and other data protection provisions in EU law or national legislation and regulations.
The data controller has the right and obligation to decide the purposes and means of the processing of personal data. Furthermore, the data controller is responsible for ensuring that there is a legal basis for the processing of personal data instructed to the data processor.
The data controller has the obligation to inform the data subjects whose personal data is processed and instructs the data processor in the processing. This includes the obligation to provide guarantees regarding technical and security measures for the personal data of the data subjects.
When using the Platform, the data controller is responsible for providing only the personal data specified in Appendix A and for minimizing the processing of special categories of personal data as described in Article 9 of the GDPR. This limitation can be achieved by anonymizing certain personal data before transferring it to the data processor.
The processor may only process personal data based on documented instructions from the data controller, unless required by EU law or the national laws of the member state to which the processor is subject. These instructions are specified in Appendices A and C. The data controller may issue additional instructions during the processing of personal data, but these instructions must always be documented and stored in writing, including electronically, together with these provisions.
The processor promptly notifies the data controller if an instruction, in their opinion, violates this regulation or data protection provisions under other EU law or national law of the member states. The instructions described in Appendix C do not appear to prevent such processing of personal data.
If the processor determines that an instruction from the data controller is unlawful or contrary to applicable law, the processor shall inform the data controller, who must then rectify the instruction without undue delay. If the data controller is unable to rectify the instruction, the processor has the right to terminate the agreement between the parties.
The processor assists the data controller in implementing appropriate technical and organizational measures that correspond to the nature and category of the personal data being processed.
Furthermore, the processor assists the data controller in handling requests from data subjects regarding the exercise of their rights as defined in the GDPR. However, the processor does not respond to these requests unless specifically agreed upon with the data controller.
In the event of requests from the data controller for information or assistance regarding security measures or the processing of personal data, and if these requests exceed what is necessary under applicable data protection provisions, the processor is entitled to charge for such additional services.
The processor may only grant access to personal data processed on behalf of the data controller to persons under the processor's authority to act in accordance with instructions, who are committed to confidentiality or are subject to an appropriate legal obligation of secrecy, and only to the extent necessary.
The list of individuals with access must be regularly reviewed. Based on this review, access to personal data may be revoked if no longer necessary, and thereafter, the personal data should no longer be accessible to these individuals.
Upon request from the data controller, the processor must be able to demonstrate that the relevant persons under the processor's authority to act in accordance with instructions are subject to the aforementioned duty of confidentiality.
Article 32 of the General Data Protection Regulation establishes that the data controller and the processor, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks.
Both parties shall assess the risks to the rights and freedoms of natural persons posed by the processing. Security measures appropriate to those risks shall be implemented by both parties based on their respective assessments.
The processor assists the data controller in ensuring compliance with the obligations laid down in Article 32 of the General Data Protection Regulation. This includes, among other things, the processor providing the necessary information to the data controller regarding the technical and organizational security measures that the processor has already implemented in accordance with Article 32, and any other information necessary for the processor to identify and assess such risks.
If addressing the identified risks, according to the data controller's assessment, requires additional measures beyond those already implemented by the processor, the data controller shall specify the additional measures to be implemented in Annex C.
The processor shall comply with the conditions set forth in Article 28(2) and (4) of the General Data Protection Regulation to engage another processor (a subprocessor).
Therefore, the processor may not engage a subprocessor for the performance of these provisions without prior general written authorization from the data controller. The processor has general authorization from the data controller to use subprocessors.
The processor shall inform the data controller in writing of any planned changes concerning the addition or replacement of subprocessors and provide the data controller with the opportunity to object to such changes before the subprocessors in question are engaged. The list of subprocessors already approved by the data controller is found in Annex B.
When the processor engages a subprocessor to perform specific processing activities on behalf of the data controller, the processor shall ensure, through a contract or other legal document under EU law or the national law of Member States, that the subprocessor adheres to the same data protection obligations as those set out in these provisions. This includes ensuring adequate guarantees that the subprocessor will implement the technical and organizational measures in such a way that the processing meets the requirements of these provisions and the General Data Protection Regulation.
The processor is responsible for requiring the subprocessor to comply with at least the processor's obligations under these provisions and the General Data Protection Regulation.
Subprocessor agreements and any subsequent amendments shall be provided to the data controller upon request, enabling the data controller to ensure that equivalent data protection obligations as set forth in these provisions are imposed on the subprocessor. Commercial terms that do not affect the data protection content of the subprocessor agreement shall not be provided to the data controller.
In its agreement with the subprocessor, the processor shall designate the data controller as a third-party beneficiary in the event of the processor's insolvency, enabling the data controller to enforce the rights against the subprocessor, such as instructing the subprocessor to delete or return the personal data.
If the subprocessor fails to fulfill its data protection obligations, the processor remains fully liable to the data controller for ensuring that the subprocessor's obligations are met. This does not affect the rights of data subjects under the General Data Protection Regulation, including in particular Articles 79 and 82, against the data controller, the processor, and the subprocessor.
Any transfer of personal data to third countries or international organizations shall only be carried out by the processor upon documented instruction from the data controller and always in accordance with Chapter 5 of the General Data Protection Regulation.
If a transfer of personal data to third countries or international organizations, which the processor has not been instructed to carry out by the data controller, is required under EU law or the national law of Member States to which the processor is subject, the processor shall notify the data controller of this legal requirement before the processing begins. This applies unless such notification is prohibited by the applicable law for reasons of important public interest.
Without documented instruction from the data controller, the processor cannot, within the scope of these provisions:
The data controller's instructions regarding a transfer of personal data to a third country, including the possible transfer basis under Chapter 5 of the General Data Protection Regulation, shall be specified in Annex C.8.
These provisions should not be confused with standard contractual clauses as referred to in Article 46(2)(c) and (d) of the General Data Protection Regulation, and these provisions cannot constitute a basis for the transfer of personal data as specified in Chapter 5 of the General Data Protection Regulation.
The processor supports the data controller to the fullest extent possible, taking into account the nature of the processing, by implementing appropriate technical and organizational measures to assist in fulfilling the data controller's obligations to respond to requests for the exercise of data subjects' rights, as described in Chapter 3 of the General Data Protection Regulation.
This entails that the processor, as much as possible, must assist the data controller in ensuring compliance with:
In addition to the processor's obligation to assist the data controller under Clause 6, the processor further assists, considering the nature of the processing and the information available to the processor, in:
In Annex C, the parties shall specify the necessary technical and organizational measures that the processor shall implement to support the data controller, including the scope and extent of these obligations in accordance with the requirements of Clause 9.
The processor shall immediately notify the data controller upon discovering a personal data breach. The notification to the data controller must be made within 36 hours of the processor becoming aware of the breach. This allows the data controller to fulfill its obligation to report the breach of personal data security to the relevant supervisory authority in accordance with Article 33 of the General Data Protection Regulation.
In accordance with Clause 9, the processor shall assist the data controller in making the notification of the breach to the relevant supervisory authority. This entails that the processor shall help gather the following information, as required under Article 33(3), which must be included in the data controller's notification of the breach to the supervisory authority:
In Annex C, the parties shall specify the information that the processor is required to provide in assisting the data controller in its obligation to notify personal data breaches to the competent supervisory authority.
When services related to the processing of personal data cease, the processor shall return all personal data and delete any existing copies, unless there are requirements under EU law or the national law of the Member States to retain the personal data.
The above does not apply to personal data that the processor processes as a data controller in the customer relationship between the processor and the data controller.
The processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the Data Protection Regulation and these provisions, and shall facilitate and contribute to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.
The procedures for audits, including inspections, by the data controller with the processor and subprocessors are further specified in Annex C.
The processor is obligated to grant access to supervisory authorities, which under applicable law have access to the data controller's or processor's facilities, or representatives acting on behalf of such authorities, to the processor's physical facilities upon proper identification.
The parties may enter into agreements on other matters related to services related to the processing of personal data, such as liability for damages, provided that these agreements do not directly or indirectly conflict with the provisions of the Data Protection Regulation or in any way diminish the fundamental rights or freedoms of the data subjects.
These provisions enter into force upon the signing of the service contract between the parties. Either party may request renegotiation of the provisions if changes in the law or inadequacies in the provisions give rise to such a request.
The provisions remain in effect for as long as the service related to the processing of personal data continues, and as long as the service contract is in force. During this period, the provisions cannot be terminated unless other provisions governing the provision of the service related to the processing of personal data are agreed upon between the parties.
The provisions are subject to Danish law, and any disputes are settled in the Danish legal system.
The purpose of the collaboration is for the data controller to utilize the platform to create campaigns aimed at engaging participants.
The data processor provides the data controller with a platform for configuring and launching campaigns where personal data is collected. The data processor stores the collected personal data and makes it available to the data controller.
The data controller determines which information is processed by the data processor, as the data controller decides which information is requested from the participant. Processing of participants' IP addresses is mandatory.
Data subjects refer to individuals participating in campaigns through the platform, which may include, but is not limited to, registrations via forms.
The data processor's processing of personal data on behalf of the data controller may commence upon the entry into force of these provisions. The processing is not limited by time and shall continue until this data processing agreement is terminated or canceled by either party.
The data processor's software relies on several subprocessors to operate effectively. These subprocessors include third-party vendors both within and outside the EU/EEA. An updated list of the data processor's subprocessors is provided below.
By using the platform, the data controller grants permission to involve the following subprocessors:
Supplier | Address | Hosting Location | Purpose/Services |
---|---|---|---|
A/S ScanNet | Højvangen 4, 8660 Skanderborg, Denmark | Hosting inMobile and placed in EU | Hosting |
Intercom Inc. | 55 Second Street, Suite 400, San Francisco, CA 94105, USA | USA | Customer support via email/chat; processes basic user data |
Sentry | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | USA | Error tracking and monitoring |
Beamer | 600 Congress Ave, Austin, Texas, USA | USA | User notifications about new features and updates |
Hetzner Online GmbH | Sigmundstraße 135, 90431 Nürnberg, Germany | Germany | Scalable and secure cloud hosting |
Stripe Payments Europe, Ltd. | The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland | Ireland | Payment processing and billing |
HeySender ApS | Jens Baggesens Vej 47, 8200 Aarhus N, Denmark | Denmark | Transactional email delivery |
Klaviyo | United States | USA | Email marketing and automation |
The Data Processor processes personal data on behalf of the Data Controller by performing the following activities:
The Data Processor provides a marketing campaign platform to the Data Controller for creating and launching campaigns aimed at engaging and collecting personal data via these campaigns. The Data Processor is responsible for hosting the collected personal data and ensuring that this data is available to the Data Controller.
Any other processing of personal data covered by the service must be agreed upon between the parties and will be subject to the Data Processor's terms and privacy policies. However, processing of personal data as part of the service delivered to the Data Controller is carried out solely according to the Data Controller's instructions.
The security level must take into account:
The Data Processor shall, as far as possible, assist the Data Controller in accordance with the provisions by implementing technical and organizational measures as follows:
The Data Processor deletes the processed personal data when it is no longer necessary for its purposes, including upon termination of the agreement between the parties.
The Data Processor may retain personal data for a longer period if required by EU law or the national law of Member States. Data where the Data Processor is the Data Controller will be retained for 1 year after termination.
Processing of personal data under the agreement may only take place in the following areas unless prior written permission is given by the Data Controller: Denmark and Germany (Nuremberg).
The Data Processor may only transfer personal data to third countries or international organizations to the extent specified in the Data Controller's instructions and to the extent permitted under applicable law.
The Data Controller or its representative may conduct inspections, including physical inspections, of the processing at the Data Processor's facilities. The Data Processor will invoice a fee of EUR 250/hour excluding VAT for the time spent on these inspections.
The Data Processor or its representative shall have access to documents at Hetzner's facilities in Nuremberg, Germany. Although Hetzner does not allow physical inspections, the Data Processor has access to all relevant documents (e.g., audit reports) and full data access.