Requirement for the Supplier. 3.1 The Supplier must process personal data in compliance with applicable Danish data protection regulations including the General Data Protection Regulation.
3.2 The Supplier must ensure that the persons authorized to process personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy.
3.3 The Supplier must take all measures required pursuant to article 32 of the General Data Protection Regulation including implementing appropriate technical and organizational security measures to protect the processed personal data against
(i) accidental or unlawful destruction, loss or alteration,
(ii) unauthorized disclosure or access, or
(iii) processing in breach of the legislation including the General Data Protection Regulation.
3.4 The Supplier must also comply with the legal standards on security measures, which bind the Supplier directly, including the standards on security measures in the country in which the Supplier is established or in the country in which the data processing takes place.
3.5 The appropriate technical and organizational security measures must be defined in consideration of
(i) the current technical level,
(ii) the implementation costs,
(iii) the character, the extent, the context and the purpose of the processing as well as the risks of varying probability and seriousness related to the rights and freedoms of natural persons.
3.6 The Supplier must in ensuring the above-mentioned security measures as a minimum implement the technical and organizational measures specified in Appendix 3 of the Agreement.
3.7 At the request of the Customer, the Supplier must make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in the Data Processing Agreement and allow for and contribute to audits in accordance with the Data Processing Agreement including inspections conducted by the Customer or another auditor mandated by the Customer.
3.8 Each year, the Supplier must, at his own expense, obtain a declaration from an independent expert concerning the Supplier’s fulfillment of the requirements for the security measures stated in the Agreement. The declaration must be uploaded on the Supplier’s website xxx.xxxxxx.xx once each year. By written notification to the Customer, the Supplier is entitled to change the website on which the declaration must be uploaded.
3.9 In addition, the Customer is entitled to appoint an independent expert at his ow...
