Appendix 1 Data Processing Agreement
This Data Processing Agreement (the “Processing Agreement”) governs the personal data processing that results from the Customer’s use of Trustlinks in accordance with the Agreement and is consequently an integral part of the Agreement. The Customer Data that the Customer enters into Trustlinks is encrypted and We have no access to the information other than the fact that We store the information on our servers and in exceptional cases may need to assist the Customer in connection with support matters. This storage of information means that according to the Data Protection Regulation (2016/679) (“GDPR”) we are considered to process personal data on behalf of the Customer and thus constitute a processor to the Customer in its role as controller. Terms in this Processing Agreement shall be construed in accordance with the GDPR as well as applicable local adaptation and regulation regarding data protection (collectively the “Data Protection Rules”). The terms in the Processing Agreement shall have the meaning that appears primarily in the Data Protection Rules and otherwise in the Agreement, unless circumstances clearly dictate otherwise.
1. Responsibility and instruction
The type of data and the categories of data subjects processed under this Processing Agreement by the Processor in connection with the Processor’s provision of Trustlinks and the purpose, nature, duration and object of the processing are described in section 5. The Customer shall ensure that the Processor does not process additional categories of data other than those specified in section 5.
The Customer is aware that Trustlinks is a platform that is distributed to a large number of customers and that We will therefore not necessarily be able to follow such instructions that are not a direct consequence of the Customer’s need to follow the Data Protection Rules. If the Customer gives us such instructions that We do not have the possibility to follow, the Customer undertakes to stop entering and exporting all such Customer Data that is affected by the current instructions. The foregoing shall not constitute a breach of contract or the availability of Trustlinks.
The Customer is the controller for all personal data that the Processor processes on behalf of the Customer under the Processing Agreement. The Customer is thus responsible for compliance with the applicable Data Protection Rules and undertakes to follow the guidelines for the use of Trustlinks that are applicable from time to time.
By entering into this Agreement, the Customer agrees to the security measures set forth in Trustlinks’s current organisational and technical measures as adequate for the Customer’s intended use of Trustlinks.
2. The Processor’s commitment
The Processor commits to:
a) having adequate technical and organisational security and taking the security measures set forth in Trustlinks’ current organisational and technical measures, Trustlinks.com/measures, and in Article 32 of the GDPR to protect the data processed under this Agreement, including an appropriate duty of confidentiality imposed on the persons at the Processor with the authority to process this data;
b) assisting the Customer in complying with the security requirements set out in Articles 32-36 of the GDPR (such as technical and organisational measures, notification and information to the Customer without undue delay in the event of a personal data breach, impact assessment and prior consultation), and ensuring that the Customer’s obligations regarding individual rights in Chapter III of the GDPR are complied with (such as the right to information, access, correction, deletion, restriction of processing, data portability, and objection to automated decision-making);
c) giving the Customer the right to receive information from the Processor in order to check and verify measures taken by the Processor in accordance with this agreement. The Processor shall facilitate and contribute to investigations (including inspections) carried out by the Customer or an auditor who carries out such investigations on behalf of the Customer. The Processor shall further refer to the Customer any individual whose personal data is processed, any supervisory authority or any other third party that requests information from the Processor concerning the processing of personal data. The Processor shall without delay inform the Customer of any contacts from the supervisory authority that concern or may be of significance for the processing of personal data;
d) depending on what the Customer chooses, deleting, anonymising or returning all personal data to the Customer when the Agreement terminates, regardless of the reason for this, including deleting all copies which according to the Data Protection Act must not be saved;
e) otherwise providing the Customer with access to such information as is necessary for the Customer to be able to fulfil its obligations as a controller vis-à-vis the supervisory authority and/or individuals;
f) not transferring the data to third countries or an international organisation unless this is required by the Data Protection Act, in which case the Processor shall immediately inform the Customer, unless such information is prohibited.
The Processor further undertakes to always process data in accordance with the Data Protection Rules. This includes, but is not limited to, keeping a register of all categories of processes performed, providing a register extract of completed processing at the request of the Customer and informing the Customer immediately if the Processor suspects that there is a risk that the individual’s freedoms and rights are being violated.
3. Sub-processors and transfer to third countries
Provided that the Processor (i) informs the Controller of its plans in reasonable time in advance, with the right for the Controller to object, the Processor has a general authorisation to hire sub-processors for the processing of data on behalf of the Customer, for which the Processor shall be fully responsible to the Customer.
Provided that the Processor (i) informs the Controller of its plans at least 30 days in advance, with the right for the Controller to object, and (ii) applies adequate security mechanisms approved in accordance with the Data Protection Rules, the Processor may transfer Personal Data outside the EU/EEA.
By entering into this Agreement, the Customer approves the sub-processors stated in section 5. At the time of entering into this Agreement, the Processor does not transfer Personal data to any third country.
4. Miscellaneous
The provisions of the Agreement shall also apply to this Processing Agreement. In the event of a conflict between the Agreement and this Processing Agreement, the Processing Agreement shall prevail.
5. Instruction
This section 5 constitutes the Customer’s initial instructions to the Processor and may, subject to section 1.2, be supplemented at a later date.
Categories of data subjects. Individuals using or affected by the Trustlinks compliance platform, such as employees, consultants, partners, and individuals included in records or communications managed in the system.
Purpose, nature and object of processing, and categories of personal data. The processing is carried out to support secure compliance management, including documentation of policies, risk registers, internal audits, and reporting mechanisms. Processing operations include collection, structuring, storage, retrieval, restriction, access control, communication, and deletion of personal data. The categories of personal data processed may include names, positions, contact details, employment information, communication records, case-related notes, and other compliance-relevant documentation. Depending on Customer configurations, special categories of data (e.g., health, criminal records) may also be processed in accordance with GDPR requirements.
Data Storage. Data is retained for the duration defined by the Customer within the Trustlinks platform’s retention settings.
Sub-processors. As of the conclusion of this Agreement, the Processor has the following sub-processors, which may, however, be amended in accordance with Section 3:
SMSAPI (Poland)
Brevo (France)
OPSWAT (Germany)
Glesys (Sweden)
T-Systems International (Germany)
Third country transfers. As of the conclusion of this Agreement, the Processor has no transfers outside the EU/EEA, which may, however, be amended in accordance with Section 3:
a) Transfers outside EU/EEA: none.