This Data Processing Agreement sets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller.

This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.

The Data Processor’s processing of personal data shall take place for the purposes of fulfilment of the Parties’ Master Service Agreement (the “Master Agreement”), commencing on the Effective Date as agreed in the Master Agreement.
The Data Processing Agreement and the ‘Master Agreement’ shall be interdependent and cannot be terminated separately. The Data Processing Agreement may however – without termination of the ‘Master Agreement’ – be replaced by an alternative valid data processing agreement.

This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the ‘Master Agreement’.

Three appendices are attached at the end of this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.

Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

Appendix B of the Data Processing Agreement contains the Data Controller’s terms and conditions that apply to the Data Processor’s use of Sub-Processors and a list of Sub-Processors approved by the Data Controller.

Appendix C of the Data Processing Agreement contains instructions on the processing that the Data Processor is to perform on behalf of the Data Controller (the subject of the processing), the minimum security measures that are to be implemented and how inspection with the Data Processor and any Sub-Processors is to be performed.

The Data Processing Agreement and its associated Appendices shall be retained in writing as well as electronically by both Parties.

This Data Processing Agreement shall not exempt the Data Processor from obligations to which the Data Processor is subject pursuant to the General Data Protection Regulation or other legislation.

The rights and obligations of the Data Controller

The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Danish Data Protection Act.

The Data Controller shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.

The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorised in law.

The Data Processor acts according to instructions

The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.

The Data Processor shall immediately inform the Data Controller if instructions in the opinion of the Data Processor contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member State law.

Confidentiality

The Data Processor shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of the Data Controller. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.

Only persons who require access to the personal data in order to fulfil the obligations of the Data Processor to the Data Controller shall be provided with authorisation.

The Data Processor shall ensure that persons authorised to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality.

The Data Processor shall at the request of the Data Controller be able to demonstrate that the employees concerned are subject to the above confidentiality.

Security of processing

The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The above obligation means that the Data Processor shall perform a risk assessment and thereafter implement measures to counter the identified risk. Depending on their relevance, the measures may include the following:

Pseudonymisation and encryption of personal data
The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Data Processor shall in ensuring the above – in all cases – at a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.

The Parties’ possible regulation/agreement on remuneration etc. for the Data Controller’s or the Data Processor’s subsequent requirement for establishing additional security measures shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.

Use of Sub-Processors

The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the General Data Protection Regulation in order to engage another processor (Sub-Processor).

The Data Processor shall therefore not engage another processor (Sub-Processor) for the fulfilment of this Data Processing Agreement without the prior specific or general written consent of the Data Controller.

In the event of general written consent, the Data Processor shall inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes.

The Data Controller’s requirements for the Data Processor’s engagement of other sub-processors shall be specified in Appendix B to this Data Processing Agreement.

The Data Controller’s consent to the engagement of specific sub-processors, if applicable, shall be specified in Appendix B to this Data Processing Agreement.

When the Data Processor has the Data Controller’s authorisation to use a sub-processor, the Data Processor shall ensure that the Sub-Processor is subject to the same data protection obligations as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.

The Data Processor shall therefore be responsible – on the basis of a sub-processor agreement – for requiring that the sub-processor at least comply with the obligations to which the Data Processor is subject pursuant to the requirements of the General Data Protection Regulation and this Data Processing Agreement and its associated Appendices.

A copy of such a sub-processor agreement and subsequent amendments shall – at the Data Controller’s request – be submitted to the Data Controller who will thereby have the opportunity to ensure that a valid agreement has been entered into between the Data Processor and the Sub-Processor. Commercial terms and conditions, such as pricing, that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the Data Controller.

The Data Processor shall in his agreement with the Sub-Processor include the Data Controller as a third party in the event of the bankruptcy of the Data Processor to enable the Data Controller to assume the Data Processor’s rights and invoke these as regards the Sub-Processor, e.g. so that the Data Controller is able to instruct the Sub-Processor to perform the erasure or return of data.

If the Sub-Processor does not fulfil his data protection obligations, the Data Processor shall remain fully liable to the Data Controller as regards the fulfilment of the obligations of the Sub-Processor.

Transfer of data to third countries or international organisations

The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller, including as regards transfer (assignment, disclosure and internal use) of personal data to third countries or international organisations, unless processing is required under EU or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.

Without the instructions or approval of the Data Controller, the Data Processor therefore cannot – within the framework of this Data Processing Agreement:

disclose personal data to a data controller in a third country or in an international organisation
assign the processing of personal data to a sub-processor in a third country
have the data processed in another of the Data Processor’s divisions which is located in a third country

The Data Controller’s instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in Appendix C to this Data Processing Agreement.

Assistance to the Data Controller

The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.

This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:

notification obligation when collecting personal data from the data subject
notification obligation if personal data have not been obtained from the data subject
right of access by the data subject
the right to rectification
the right to erasure (‘the right to be forgotten’)
the right to restrict processing
notification obligation regarding rectification or erasure of personal data or restriction of processing
the right to data portability
the right to object
the right to object to the result of automated individual decision-making, including profiling

The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub-section 3, para f.

This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:

the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
the obligation to report personal data breaches to the supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
the obligation – without undue delay - to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk

The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s assistance to the Data Controller shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.

Notification of personal data breach

On discovery of personal data breach at the Data Processor’s facilities or a sub-processor’s facilities, the Data Processor shall without undue delay notify the Data Controller.

The Data Processor’s notification to the Data Controller shall, if possible, take place within 24 hours after the Data Processor has discovered the breach to enable the Data Controller to comply with his obligation, if applicable, to report the breach to the supervisory authority within 72 hours.

According to Clause 9.2., para b, of this Data Processing Agreement, the Data Processor shall – taking into account the nature of the processing and the data available – assist the Data Controller in the reporting of the breach to the supervisory authority.

This may mean that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in the Data Controller’s report to the supervisory authority:

The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
Probable consequences of a personal data breach
Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage

Erasure and return of data

On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller’s discretion, to erase or return all the personal data to the Data Controller and to erase existing copies unless EU law or Member State law requires storage of the personal data.

Inspection and audit

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and this Data Processing Agreement, and allow for and contribute to audits, including inspections performed by the Data Controller or another auditor mandated by the Data Controller.

The procedures applicable to the Data Controller’s inspection of the Data Processor are specified in Appendix C to this Data Processing Agreement.

The Data Controller’s inspection of sub-processors, if applicable, shall as a rule be performed through the Data Processor. The procedures for such inspection are specified in Appendix C to this Data Processing Agreement.

The Data Processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the Data Controller’s and Data Processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the Data Processor’s physical facilities on presentation of appropriate identification.

The Parties’ agreement on other terms

(Separate) terms relating to the consequences of the Parties’ breach of this Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.

Regulation of other terms between the Parties shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.

Commencement and termination

This Data Processing Agreement shall become effective on the date of both Parties’ signature to the Agreement.

Both Parties shall be entitled to require this Data Processing Agreement renegotiated if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation.

The Parties’ agreement on remuneration, terms etc. in connection with amendments to this Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.

This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the ‘Master Agreement’.

This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the ‘Master Agreement’ and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.

Signature:

On behalf of the Data Controller, i.e. Customer in Master Agreement

Name:	[State name]
Position:	[State position]
Date:	[State date]
Signature:	[Insert signature]

On behalf of the Data Processor

Name:	Martin Rosengaard
Position:	Co-founder
Date:	15th March, 2024
Signature:

Data Controller and Data Processor contacts/contact points

The Parties may contact each other using the contact points stated in the Master Agreement.

The Parties shall be under obligation continuously to inform each other of changes to contacts/contact points stated in the Master Agreement.

Information about the processing

The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is:

that the Data Controller is able to use the Customer Platform as defined in the Master Agreement which is owned and managed by the Data Processor to collect and process data about the Data Controller’s members, i.e. the Users defined in the Master Agreement. This will include information about the Users.

The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):

that the Data Processor makes available the Customer Platform as defined in the Master Agreement to the Data Controller and the Users as defined in the Master Agreement and hereby stores personal data about the Users on the Data Processor’s servers..

The processing includes the following types of personal data about data subjects:

Name, e-mail address, telephone number, home address, IP address, national identification number, payment details, membership number and type of membership.

Processing includes the following categories of data subject:

Persons, i.e. Users as defined in the Master Agreement, who uses the offered services on Customer Platform provided by the Data Processor. This includes Users providing opportunities for other Users to rent brief stays at the former Users’ home.

The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:

Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.

Terms of the Data Processor’s use of sub-processors and list of approved sub-processors

Terms of the Data Processor’s use of sub-processors, if applicable

The Data Processor has the Data Controller’s general consent for the engagement of sub-processors. The Data Processor shall, however, inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller a minimum of 1 month prior to the engagement of sub-processors or amendments coming into force. If the Data Controller should object to the changes, the Data Controller shall notify the Data Processor of this within 2 weeks of receipt of the notification. The Data Controller shall only object if the Data Controller has reasonable and specific grounds for such refusal.

Approved sub-processors

The Data Controller shall on commencement of this Data Processing Agreement approve the engagement of the following sub-processors:

Service name	Full company name	Company no.	Address	Processing Location	Purpose	Data
Slack	Slack Technologies Limited	IE3336483DH	Slack Technologies Limited Salesforce Tower 60 R801, North Dock Dublin Ireland	EU	Notifications & event communication	Name, email address, event attendance, event information (time, date, location, description), user event role
MS Teams	Microsoft Corporation		One Microsoft Way Redmond, Washington, U.S.	EU	Notifications & event communication	Name, email address, event attendance, event information (time, date, location, description), user event role
Google Maps	Google Ireland Ltd	IE 6388047V	Google Ireland Limited Gordon House Barrow Street Dublin 4 Ireland	EU	Show event location	Address
Login with Google	Google Ireland Ltd	IE 6388047V	Google Ireland Limited Gordon House Barrow Street Dublin 4 Ireland	EU	Login and Register User	Email address, name
Google Cloud Services	Google Ireland Ltd	IE 6388047V	Google Ireland Limited Gordon House Barrow Street Dublin 4 Ireland	EU	Maps, Login with Google, recaptcha	IP addresses, location addresses, email addresses
Google Analytics	Google Ireland Ltd	IE 6388047V	Google Ireland Limited Gordon House Barrow Street Dublin 4 Ireland	EU	funnel analysis, usage analysis	IP address, location, browser data, usage time, web activity, link clicks
Google Workspace	Google Ireland Ltd	IE 6388047V	Google Ireland Limited Gordon House Barrow Street Dublin 4 Ireland	EU	Data visualisation, data analysis, temporary storage	Name, e-mail address, telephone number, home address, IP address, attendance data
Looker Studio	Google Ireland Ltd	IE 6388047V	Google Ireland Limited Gordon House Barrow Street Dublin 4 Ireland	EU	Data visualisation	Name, email address, address, office location, gender, department, attendance data
Sendgrid	Twilio	270654600	375 Beale Street, 3rd Floor San Francisco, CA 94105	USA (GDPR/data shield compliant)	Email confirmation, Event notifications	Name, e-mail address, telephone number, home address, IP address, event information (time, date, location, description), user event role
ReCaptcha	Google Ireland Ltd	IE 6388047V	Google Ireland Limited Gordon House Barrow Street Dublin 4 Ireland	EU	Protect websites from spam and abuse
AWS	Amazon Web Services EMEA SARL	B186284	38 Avenue John F. Kennedy, L-1855 Luxembourg	Stockholm EU	Database, web servers.	Name, e-mail address, telephone number, home address, IP address, and all database records

The Data Controller shall on the commencement of this Data Processing Agreement specifically approve the use of the above sub-processors for the processing described for that party. The Data Processor shall not be entitled – without the Data Controller’s explicit written consent – to engage a sub-processor for ‘different’ processing than the one that has been agreed or have another sub-processor perform the described processing.

Instruction pertaining to the use of personal data

The subject of/instruction for the processing

The Data Processor’s processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following:

The services described in the Master Agreement section 2.1 – 2.6.

Security of processing

The level of security shall reflect that the processing involves a large volume of personal data which can be subject to Article 9 of the General Data Protection Regulation on ‘special categories of personal data’ which is why a ‘high’ level of security should be established.”

The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.

The Data Processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the Data Controller (on the basis of the risk assessment that the Data Controller has performed):

Availability

Data Processor has a thorough information security policy in place. As a result, Data Processor has implemented specific measures such as admission controls, system access controls, data access controls, transmission controls, input controls, job controls, availability controls, and segregation controls in order to ensure adequate protection of personal data. This includes specific measures such as the use of anti-virus applications, proper training protocols, systematic access management, and DDOS mitigation technologies.

Integrity

Data Processor’s active approach to protect the integrity of the data includes, but is not limited to, technical and organisational measures such as proper system administration, regular backup procedures, the use of authentication codes, signature procedures, network controls, and proper training of employees and relevant third parties.

Confidentiality

All confidential information that is stored on Data Processor’s computer systems and transmitted over unsecure networks is encrypted. Remote access to Data Processor’s internal systems is protected by VPN technology and secure log-on procedures. Data Processor further ensures organisational security by providing employees and relevant third parties with the necessary training and by limiting access to relevant persons based on their job function and position. Sharing of confidential information is governed by proper and adequate contractual measures.

Transparency

Data Processor conducts regular reviews of internal systems and procedures in order to ensure that personal data is handled in accordance with this Agreement. Data Processor ensures that the processing of personal data is done in a legal and transparent manner, by ensuring proper documentation of processing activities and the personal data handled by Data Processor. In addition, Data Processor ensures transparency by providing the Data Controller with regular reports of the processing activities as described in the Agreement, and by warranting the same behaviour from any approved sub-processor(s).

Isolation (purpose limitation)

Data Processor only processes personal data in accordance with the Purpose of this Agreement and has established specific roles and responsibilities for the handling of personal data. Data Processor ensures that access restrictions to systems containing personal data is based on individual business application requirements, and in accordance with proper password and secure log-on procedures.

Intervenability

Personal data is processed in accordance with the principle of proportionality and Data Processor is committed to implementing the proper systems and processes in order to ensure transparent and accessible processing of personal data. Data Processor ensures proper documentation of all processing activities and regularly, as well as on request, allows the Data Controller the necessary access to intervene and correct any perceivable improper processing activities.

Portability

Data Processor uses standardised or open data formats and interfaces to support portability of personal data.

Accountability

Connections to external networks will only be conducted through the use of sufficient and updated firewalls. Firewall logging and monitoring is always activated, reviewed and managed. Security breaches or attempts of such are reported and followed up by appropriate actions. System management is supported by the use of logging, and Data Processor regularly completes self-audits in order to ensure compliance with internal processes and procedures. Data Processor ensures that violations of its security measures are met through proper disciplinary actions and reported to Data Controller.

Data retention and deletion

Data Processor has a data retention and deletion policy in place and ensures that data is not stored and processed for longer than is necessary to fulfil the Purpose.

Physical security

Data Processor ensures physical security of data through the use of ID cards, secure door entry systems, manned reception, alarm systems, and building security. Processor always monitors and restricts secure areas and all visitors are escorted in restricted areas to protect confidential information.

Storage period/erasure procedures

Personal data are stored with the Data Processor until the Data Controller requests that the data are erased or returned.

Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 11.1., unless the data controller – after the signature of the contract – has modified the data controller’s original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the Clauses.

Processing location

Processing of the personal data under this Data Processing Agreement cannot be performed at other locations than the following without the Data Controller’s prior written consent:

European Union, United Kingdom, United States
Main Office location: Nørrebrogade 5C, kl. Th., 2200 Copenhagen N

Instruction for or approval of the transfer of personal data to third countries

If the Data Controller does not in this clause or by subsequent written notification provide instructions or consent pertaining to the transfer of personal data to a third country, the Data Processor shall not be entitled within the framework of this Data Processing Agreement to perform such transfer.

The Data Controller approves that the Data Processor transfers

Name of users
E-mail address
Telephone number
Home address
IP address

to SendGrid located in the United States. As the United States has yet to become the basis of an adequacy decision, the transfer of personal data to SendGrid must comply with chapter V of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

SendGrid has confirmed that the transfer is made in compliance with the abovementioned chapter V and its related directives.

The Data Controller approves that the Data Processor transfers

Name of users
E-mail adresse
Telephone number
Home address
IP addresses

to Zapier located in the United States. As the United States has yet to become the basis of an adequacy decision, the transfer of personal data to Zapier must comply with chapter V of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Zapier has confirmed that the transfer is made in compliance with the abovementioned chapter V and its related directives.

Procedures for the Data Controller’s inspection of the processing being performed by the Data Processor

At least annually the Data Processor shall either provide to the Data Controller an audit report covering control of the technical and organisational security measures implemented by the Data Processor which will be prepared by a reputable independent third party that attests to the compliance of the applicable security controls or complete a security questionnaire provided by the Data Controller. The security questionnaire will be provided upon request from the Data Processor.

In addition, upon the Data Controller’s written request, the Data Processor shall permit the Data Controller or any third party appointed by the Data Controller (subject to reasonable and appropriate confidentiality undertakings), to audit the Data Processor’s data processing activities and comply with all reasonable requests or directions by the Data Controller to enable the Data Controller to verify and/or procure that the Data Processor is in full compliance with their obligations under this Agreement and the Data Protection Legislation.

Procedures for inspection of the processing being performed by sub-processors, if applicable

The Data Processor or the Data Processor’s representative shall perform annually a physical inspection with regards to the compliance of this Data Processing Agreement at the Sub-Processor’s facilities.

In addition to the planned inspection, the Data Processor shall be entitled to inspect the Sub-Processor when the Data Processor (or the Data Controller) deems that this is required.

Documentation for such inspections shall without delay be submitted to the Data Controller for information.

The Data Controller may – if required – elect to initiate and participate in a physical inspection at the Sub-Processor’s facilities. This may apply if the Data Controller deems that the Data Processor’s supervision of the Sub-Processor has not provided the Data Controller with sufficient documentation to prove that the processing by the Sub-Processor is being performed according to this Data Processing Agreement.

Page of