1. Egelyhunde processes various personal data on the customer’s behalf.
This concerns data about the customer’s household, i.e. data relating to the address and dogs within the household.
2. Processed personal data.
2.1. The Data Processor, which handles credit-card charges, has access, on behalf of the Data Controller, to process:
Name, address and phone numbers of the users.
3. The purpose and scope of the personal data processing.
3.1. The purpose of the personal data processing is to help the Data Controller's with their dogs.
4. The Data Processor’s obligations
4.1. The Data Processor may only process the personal data in question in accordance with the instructions of the Data Controller, i.e. the instructions contained in the Egelyhunde website under which the Data Processor shall manage participations where the Data Controller participates.
4.2. The Data Processor is required to comply with the currently-applicable personal data legislation and shall notify the Data Controller immediately if an instruction from the Data Controller is, in the Data Processor’s opinion, contrary to the General Data Protection Regulation or Danish personal data legislation in general.
4.3. The Data Processor shall use appropriate technical and organisational security measures to ensure that personal data is not destroyed, lost, degraded or disclosed to unauthorised bodies, misused or otherwise processed in breach of personal data legislation, whereby the Data Processor shall implement the measures necessary pursuant to article 32 of the General Data Protection Regulation.
4.4. The Data Processor is obliged to inform the Data Controller without undue delay of any data breach. In this regard, the Data Processor shall inform the Data Controller of:
* The nature of the data breach.
* If possible, the type and number of affected data subjects, as well as the type of personal data concerned and the number of records of personal data concerned.
* The measures that the Data Processor has taken or proposes should be taken to deal with the data breach, including, where appropriate, measures to limit its potential adverse effects.
* The probable consequences of the data breach.
4.5. The Data Processor shall, at the Data Controller’s request, provide the Data Controller with sufficient information to ensure that the Data Processor has taken the necessary technical and organisational security measures.
4.6 The Data Processor shall provide all the information necessary to demonstrate that the Data Processor complies with the General Data Protection Regulation’s article 28, whereby the Data Processor shall allow and contribute to audits, including inspections carried out by the Data Controller or another auditor authorised by the Data Controller. It is emphasised that inspections/audits in every respect take place at the Data Controller’s expense.
4.7. The Data Processor shall secure/ensure that the persons who are authorised by the Data Processor to process personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy obligation.
4.8. If a data subject asks the Data Processor (usually such requests will be made to the Data Controller) for access to and insight into that person’s personal data, the Data Processor shall immediately forward the request to the Data Controller.
4.9. The Data Processor shall assist the Data Controller with appropriate technical and organisational tools to enable the Data Controller to fulfil the Data Controller’s obligations to respond to requests for the exercise of the rights of the data subjects as specified in chapter III of the General Data Protection Regulation.
5. Specifically about the transfer of information to sub-data processors or third parties
5.1. T Data Processor may only disclose or transfer personal data to third parties or sub-processors with the prior agreement with the Data Controller. However, the Data Processor may disclose or transfer personal data without the Data Controller’s instructions, if permitted by law.
5.2. The Data Processor must not transfer personal data to third countries that the EU Commission has not assessed as safe third countries.
6. Duration of data processing
6.1. The processing of personal data pursuant to this agreement continues until such time as partnership concluded between the parties ceases.
6.4. However, as a limitation to the foregoing provisions, it is noted that, pursuant to the Danish Bookkeeping Act for the purposes of documenting the services/consignments, the Data Processor shall store the relevant personal data for up to five yars. The personal data shall then be deleted.