Generelle markedsførings betingelser: 2018-05-14
__________________________________________________________________________________________________
Generelle markedsførings betingelser: 2018-05-14
Disse er fortrolige oplysninger, og ingen af parterne vil videregive denne fortrolige information til en tredjepart med disse generelle markedsførings betingelser. Disse vilkår og betingelser ("V & B'er") gælder for alle ordrer, der er stillet af os til dig, som beskrevet nærmere nedenfor.
Definitioner:
"Vi"
Betyder Finduddannelse Danmark ApS, et selskab registreret i Danmark med CVR nr. 33264291, hvis hovedsted er Xxxxxxxxx 00X, 0 xxx – 0000 Xxxxxxxxx K og handler som xxxxxxxxxxxxxx.xx og xxxxxxxxx.xx og "Os" og "Vores" skal fortolkes i overensstemmelse hermed.
"Du"
Betyder den klient, hvis detaljer er angivet i ordren, og "din" skal fortolkes i overensstemmelse hermed.
1 Oprettelse af bindende kontrakt.
1.1 Hver ordre, der er underskrevet af dig og os, udgør en separat bindende kontrakt, der er fastsat i disse V & B'er.
1.2 Du accepterer, at hver underskrevet ordre er en bindende kontrakt, der forpligter os til at levere, og at du betaler for tjenesterne i overensstemmelse med ordren og disse V & B'er. Hver sådan kontrakt, vil begynde på den første dag i dens løbetid og fortsætte til slutningen af dens løbetid.
2 Vores ydelser.
2.1 Med hensyn til din betaling af ydelserne i overensstemmelse med betalingsplanen skal vi levere de tjenester, der er angivet i ordren.
3 Honorar og betaling.
3.1 Vi vil fakturere dig for honoraret ved ordrens underskrift, og du skal betale honoraret i overensstemmelse med det relevante betalingsplan i ordren.
3.2 Hvis De ønsker at bestride en faktura, skal De skriftligt underrette os om tvistens art inden for ti
(10) dage efter modtagelsen af fakturaen.
4 Hele Aftalen.
4.1 Disse V & B'er sammen med ordren udgør hele aftalen mellem parterne med hensyn til dens emne og erstatter alle tidligere repræsentationer, aftaler og anden kommunikation mellem parterne, både mundtligt og skriftligt.
5 Databeskyttelse.
5.1 I løbet af vores levering af tjenesterne kan både dig og vi modtage personlige data. Når parterne modtager personlige data som “data controllers”, accepterer hver part at overholde databeskyttelseslovgivningen.
6 Fortrolighed.
6.1 Parterne forpligter sig til at behandle vilkårene i denne aftale, med den anden parts skriftlige samtykke.
_________________________________________________________________________________________________
Finduddannelse Danmark ApS CVR nr. 33264291
Xxxxxxxxx 00 X, 0 sal –
2300 København S
www xxxxxxxxxxxxxx.xx xxx.xxxxxxxxx.xx
(x00) 0000 0000
Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is reached between:
(1) EMG - Educations Media Group AB, Organization Number 556652-1653, Xxxxxxxxxx 000 ("Personal Data controller/ Controller") and (2) Customer] ("Personal Data Processor/ Processor").
Hereafter, the individual termed "Party" and together "The Parties." This Agreement shall be deemed to form part of the Agreement concluded between the Parties this day. This Agreement takes precedence over other agreements between the Parties for cases where contradictory information exists.
1. Background
This Agreement governs Processors’ rights and obligations as Personal Data Processor and Controllers’ rights and obligations as Personal Data controller when Processor handles Personal Data. This DPA is an amendment to EMG's Terms and Conditions (TOC)
2. Definitions
The terms used in the Agreement shall have the following meanings:
"Treatment / Treatment" refers to an action or combination of actions relating to Personal Data or sets of Personal Data, whether performed automatically or not (e.g., collection, registration, organization, structuring, storage, processing or modification, production, reading, use, transfer by transmission, dissemination or provision by other means, adjustment or assembly, restriction, erasure or destruction).
"Personal Data" means any information about an identified or identifiable natural person (where identifiable physical person is a person that can be identified directly or indirectly).
"Controller" refers to the legal person (EMG) who determines the purpose and means of treatment under the agreement.
"Processor" refers to the legal person who, according to the Agreement, performs treatment on behalf of the Controller.
"Registered" refers to the natural person whose personal data is processed.
"Applicable Data Protection Act Regulation" refers to national and international law or data protection regulations that at any time apply during the term of the Agreement. The term includes the Data Protection Regulation of the European Parliament and of the Council, which will enter into force on 25 May 2018 ("GDPR"), as well as additional local adaptation and regulation on data protection. Prior to the entry into force of the GDPR, the Personal Data Act (1998: 204) and the Personal Data Regulation (1998: 1191) are included.
3 Processing of personal data
3.1 Processor and the person(s) working under Controller’s management undertake to treat only Personal Data according to documented instructions by Controller and in accordance with Applicable Data Protection. Controller’s original instructions to the Processor about the subject and duration of the treatment, the nature and purpose of the treatment, the type of personal data and categories of registered are listed here:
Purpose
Processor has the right to store personal data, provide offered services, communicate with the person, comply with contractual obligations, send newsletters and other targeted communications and analyze data.
Categories of Personal Data
All personal data collected through EMG's web pages and channels. For example: Name, Address, Gender, Age, Phone Number, Email Address, Social Security Number, Interest Area, Educational Background, and Similar Information Required to Execute the Service.
Categories of Registered
Educational applicants, EMG members, E-Commerce customers. People who fill out forms on EMG's web pages.
3.2 Controller confirms that Processor's obligations under this Agreement, with the exception of any written instructions given in individual cases, constitute the complete instructions to be followed by Processor.
3.3 In the event that Processor lacks instructions that the Processor considers necessary to carry out assignments received by Processor from Controller under the Agreement, Processor shall promptly inform Controller of its attitude and await the instructions that Controller considers necessary.
From the date of entry into force of the GDPR, Treatment may also be made if such treatment is required by Union law or under the national law of a Member State to which Processor or Subprocessor is subject. In such cases, Processor or SubProcessor (if applicable) shall inform Controller of the legal requirement before processing the data, unless such information is prohibited by reference to an important interest under applicable law. Processor also undertakes to immediately inform Controller as from the entry into force of the GDPR if Processor considers an instruction to be in violation of GDPR.
3.4 To the extent required by Applicable Data Protection Regulations and in accordance with Controller’s instructions on a case-by-case basis, the Data Protection Officer shall assist Controller in fulfilling its obligations under Applicable Data Protection Regulations. This includes but is not limited to the obligation to respond to requests regarding the Registrar's right to obtain information (registry extract), and to correct, block or delete Personal Data at Registered Request.
4 Disclosure of personal data
4.1 If a Registrar requests information from Processor on the Processing of Personal Data, Processor shall without undue delay refer such request to Controller.
4.2 If the competent authority requests information from Processor regarding the Processing of Personal Data, Processor shall inform Controller without undue delay about this. Processor may not act in any way on behalf of Controller or as agent for this, and may not transfer or otherwise disclose Personal Data or other data relating to the Processing of Personal Data to third parties without the prior consent of Controller, unless otherwise provided by Swedish or European law, court or government decision.
4.3 If, according to applicable Swedish or European laws and regulations, Processor is required to disclose Personal Data as Processor is acting on behalf of Controller, Processor is obliged to notify Controller forthwith of this, unless otherwise provided by applicable law, court or governmental decision, and to request confidentiality in connection with the disclosure.
4.4 Processor may, upon request from Controller, be provided with Personal Data to Controller in a structured, widely used and machine-readable format.
5 Follow-up of Personal data processing
5.1 Processor undertakes not later than the date of entry into force of the GDPR:
(a) to keep a written record of processing of Personal Data under this Agreement with the content specified in Article 30.2 of the GDPR, which includes information on the subject of the Treatment, Duration, Type and Purpose of the Treatment, Type of Personal Data and Categories of Registered; taking into account the specific tasks and responsibilities of Processor in the course of the Treatment to be performed and the risk with regard to the rights and freedoms of the Registers;
(b) to cooperate with the supervisory authority and at its request make such records as mentioned in point (a) above available to serve as the basis for the supervisory authority's supervision of the Processing of Personal Data; respective
(c) to assist Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (for reporting personal data incidents applies in particular to paragraph 9 below), taking into consideration the type of treatment and the information available to Processor.
5.2 The Processor undertakes to state at Controller's request what actions, considerations and assessments Processor has done to fulfill its obligations under this Agreement. Processor undertakes to assist Controller from the date of entry into force of the GDPR at Controller's request with the fulfillment of the Controller's obligation to conduct impact assessments regarding data protection for processed Personal Data and, if appropriate, prior consultation with the supervisory authority.
6 Transfers outside the EEA
6.1 The Processor undertakes not to transfer personal data to a location outside the EEA area without PTA's prior written consent (or allow anyone to have access to Personal Data from such site.) To the extent that the Parties have agreed that Personal Data is to be Processed by the Processor or Processor Subsection at a location outside the EEA area, the person (s) who process Personal Data outside the EEA shall always comply with any applicable requirements for such transmission in accordance with Applicable Data Protection Regulations. Under the terms of this Agreement, such requirements in relation to certain countries may be fulfilled, for example, by the Processor ensuring that a direct agreement under the EU Standard Contract Clauses (2010/87/EU) is concluded. The Processor is required to keep Controller informed on such grounds for transfer. The Controller has the right to revoke prior consent for transfer to non-EEA countries on a legitimate basis. If this happens, The Processor will immediately terminate the transfer and, upon request by the Controller, provide written confirmation.
7 Data security and privacy
7.1 In order to assist the Controller in complying with its legal obligations, including but not limited to the assessment of security and data protection risks, the Processor shall take technical and organizational measures to protect the Personal Data Processed and thereby comply with the written information security requirements and policies that the Controller has announced. The measures should at least provide a level of safety that is appropriate with regard to:
(a) existing technical possibilities;
(b) the cost of implementing the measures;
(c) the particular risks associated with the Treatment; and
(d) the degree of sensitivity of the Personal Data Treated.
The Processor shall maintain an adequate level of security and protect personal data from destruction, alteration, unauthorized disclosure and unauthorized access. Personal data should also be protected from any other form of illegal treatment. Taking into account the latest developments, implementation costs and the nature, extent, context and purpose of the treatment and the risks, of varying probability and seriousness, for the rights and freedoms of natural persons, the technical and organizational measures that Processor will take, if appropriate, include:
(a) pseudonymization and encryption of personal data;
(b) ability to continuously ensure the confidentiality, integrity, availability and resilience of the System Processing Personal Data;
(c) ability to restore availability and access to Personal Data in a reasonable time in case of a physical or technical incident; and,
(d) a procedure for periodically testing, investigating and evaluating the effectiveness of the technical and organizational measures to ensure the safety of the treatment.
7.2 The Processor undertakes not to disclose or otherwise disclose information about the Processing of Personal Data covered by this Agreement or other information received by Processor as a result of this Agreement to third parties. This commitment does not apply to information posted by Processor to the Authority or under Applicable Data Protection. Processor undertakes to promptly notify Controller in writing of any injunction if such disclosure has been issued or if Processor has reason to suspect that such injunction will be requested and/or issued.
7.3 The confidentiality obligation also applies after this Agreement has ceased to apply.
8 Notifications for data breach
8.1 The Processor shall notify the Controller immediately after 24 hours of knowledge of a personal data incident.
8.2 The Processor shall assist Controller with the information reasonably required to fulfill its obligation to report personal data incidents, as stated in Article 33 of the GDPR.
9 Responsibility
9.1 In the event that one or more Registered, Appropriate Regulators or other third parties direct claims against Controller due to Processor or its Subscription Processing of Personal Data, Processor shall indemnify Controller for such claims (including but not limited to comprehensive damages, administrative sanctions, fines, costs for legal assistance) that are attributable to the Processor's or its Subscription to Personal Data in violation of Applicable Data Protection, this Agreement or Instructions from Controller. This clause applies in spite of the possible liability limitations of the Service Agreement.
10 Term of appointment
10.1 The provisions of this Agreement shall apply from the signature and as long as the Processor processes Personal Data on behalf of Controller.
11 Changes to the agreement
11.1 The Controller owns unilaterally the right to change the content of this Agreement to the extent required to meet the requirements of Applicable Data Protection. Such change will come into effect within 30 days after the Controller has sent an update to the Processor. Other amendments to and additions to the Agreement shall be binding in writing and be signed by the Parties.
12 Applicable law and disputes
12.1 This paragraph is governed by Swedish law in the Swedish General Court.