DATA PROCESSING AGREEMENT

01

Definitions

1.1 “Agreement” refers to the agreement between Unlimit Technologies ApS and the Company to which this Data Processing Agreement is attached.
1.2 “Applicable Data Protection Legislation” refers to the legislation relating to the processing of personal data, including the GDPR.
1.3 “Company Contact Person” refers to the contact person listed in Article 8.
1.4 “Controller” refers to the Company and Other Service Recipients who alone or jointly with others determine the purposes and means by which Personal Data may be processed.
1.5 “DPA” refers to this Data Processing Agreement.
1.6 “Other Service Recipients” refers to any third party (such as an affiliate of the Company) entitled to receive Services under the Agreement.
1.7 “GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.8 “Personal Data” has the meaning as defined in Article 4(1) of the GDPR and in the context of this DPA only includes Personal Data processed by Unlimit Technologies ApS as the Company Data Processor.
1.9 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Personal Data processed under this DPA.
1.10 “Processor” refers to a natural or legal person who processes Personal Data on behalf of a Data Controller.
1.11 “Data Processing” has the meaning as defined in Article 4(2) of the GDPR.
1.12 “Service” refers to services provided under the Agreement and involves the processing of Personal Data that Unlimit Technologies ApS performs in its role as Processor for the Company; the Company is the Data Controller. The Services are further specified in Section A.1.
1.13 “Sub-Processor” refers to any other Data Processor performing the Services provided under this DPA on behalf of Unlimit Technologies ApS. Sub-Processor refers solely to a subcontractor with access to Personal Data.

02

Purpose and scope of the Data Processing Agreement

2.1 This DPA serves as a written Data Processing Agreement between the Company and Unlimit Technologies ApS and applies to Services involving the processing of Personal Data and which Unlimit Technologies ApS performs in the role of Data Processor for the Company and/or Other Service Recipients.
2.2 The Data Processing Agreement regulates the rights and obligations of the Company and Unlimit Technologies ApS in connection with the processing of Personal Data. All other rights and obligations are governed solely by the other parts of the Agreement.
2.3 Unlimit Technologies ApS processes Personal Data in accordance with the Agreement and this DPA.
2.4 In performing the Services, Unlimit Technologies ApS must comply with all data protection laws and regulations applicable to data processors. The Company is responsible for complying with laws and regulations applicable to the Company and any Other Service Recipients (in particular laws and regulations applicable to Data Controllers), as well as ensuring to Other Service Recipients that Unlimit Technologies ApS and Unlimit Technologies ApS
2.5 In the event of any inconsistency between the provisions of this DPA and the Agreement – which concern the parties’ obligations in connection with the processing of Personal Data – the provisions of this DPA shall prevail. Any limitation of the Data Processor’s liability in the Agreement or other related agreements shall also apply to this DPA and take precedence over the provisions of this DPA.

03

Information about the Data Processing performed by Unlimit Technologies ApS

3.1 The details of the processing of Personal Data carried out by Unlimit Technologies ApS – in particular the different types of Personal Data processed and the categories of data subjects – are set out in Section A.1 of this DPA.

04

Rights related to instructions

4.1 As Data Processor, Unlimit Technologies ApS will only process Personal Data in accordance with written instructions from the Company. The parties agree that the Agreement and this DPA constitute the Company’s final instructions regarding Unlimit Technologies ApS’ processing of Personal Data.
4.2 Additional or alternative instructions must be agreed in writing between Unlimit Technologies ApS and the Company and may result in additional costs being imposed on the Company.
4.3 If the additional instructions are a direct requirement of Applicable Data Protection Laws and Unlimit Technologies ApS and the Company fail to agree in accordance with Article 4.2, the Company has the right to terminate the Agreement with reasonable notice.

05

Technical and organizational measures

5.1 Unlimit Technologies ApS implements the technical and organizational measures detailed in Section A.2. The Company hereby confirms that the level of security specified is appropriate to the risk associated with Unlimit Technologies ApS’ processing of Personal Data on behalf of the Company.
5.2 The Company acknowledges and accepts that the technical and organizational measures are subject to technical development. In this regard, Unlimit Technologies ApS has the right to implement appropriate alternative measures, provided the security level of the measures is maintained.

06

Commitment to data security

6.1 Unlimit Technologies ApS instructs all employees directly involved in the provision of the Services to keep Personal Data confidential.

07

Sub-processors

7.1 The Company hereby approves Unlimit Technologies ApS’ use of Sub-Processors. The Sub-Processors are specified in Section A.3.
7.2 At any time, Unlimit Technologies ApS may remove or add new Sub-Processors, but must notify the Company beforehand. The Company may object within 10 days of receipt of the notification, after which the parties must attempt to reach an agreement (possibly by replacing the Sub-Processor or terminating this DPA). The Sub-Processor is considered approved if no objection is raised within the specified deadline.
7.3 Unlimit Technologies ApS has the right to replace Sub-Processors for a shorter period if this is deemed necessary to provide the Service to the Company without interruption. In such a case, Unlimit Technologies ApS must notify the Company without undue delay; Article 7.2 of this DPA regulates the Company’s right to object.

08

Company data protection contact person

8.1 The Company shall notify Unlimit Technologies ApS of the contact details of the data controller in the Company. If the Company has appointed a DPO, their contact details shall be forwarded to Unlimit Technologies ApS. Any changes must be immediately notified in writing to Unlimit Technologies ApS.
8.2 All information and notifications required under this DPA shall be provided in writing (email is sufficient) to the Company Contact Person, unless otherwise expressly agreed.

09

Rectification, erasure and restriction of Data Processing

9.1 Unlimit Technologies ApS rectifies, deletes or restricts the processing of Personal Data as instructed by the Company.

10

Notification and support from Unlimit Technologies ApS

10.1 In the event of a Personal Data Breach, Unlimit Technologies ApS will notify the Company without undue delay after Unlimit Technologies ApS has become aware of such breach. Unlimit Technologies ApS will (i) reasonably cooperate with the Company in connection with the investigation of such Personal Data Breach, (ii) reasonably assist the Company in connection with its breach notification obligations under Applicable Data Protection Laws and (iii) take appropriate measures to remedy the breach.

10.2 Unlimit Technologies ApS shall notify the Company without undue delay of (i) complaints and requests from the data subjects whose Personal Data is processed under this DPA (e.g. in connection with rectification, erasure or restriction of processing of Personal Data) and (ii) orders or requests from the courts or the competent supervisory authorities.

10.3 Upon request from the Company, Unlimit Technologies ApS will reasonably assist the Company with
(i) handling complaints, requests or orders as described in Article 10.2 of this DPA
(ii) fulfilling the Company’s obligations under Applicable Data Protection Legislation.
The above services provided by Unlimit Technologies ApS are invoiced separately based on time and costs incurred.

11

Audits

11.1 The Company shall have the right to verify – by appropriate means – in accordance with Articles 11.2 and 11.3 below, the compliance of Unlimit Technologies ApS and Sub-Processors with the data protection obligations, including (in particular in relation to the technical and organizational measures) annual audits and occasionally if required by Applicable Data Protection Legislation. These audits shall be limited to information and data processing systems relevant to the provision of the Services.

11.2 Unlimit Technologies ApS and Sub-Processors have the option to demonstrate compliance with data protection obligations by providing audit statements or certifications. The Company confirms that these general statements fulfill the Company’s audit authority under this DPA. Upon the Company’s request, Unlimit Technologies ApS will provide (i) relevant extracts of audit reports and/or (ii) information and documentation regarding applicable certifications for the Services in question. The Company undertakes to treat the audit reports, information and documentation provided as confidential.

11.3 In the sole event that the certifications and audit reports are not sufficient for the Company to comply with applicable audit requirements and obligations under Applicable Data Protection Laws, the Company may at its own expense (i) request additional information and documentation or (ii) upon reasonable written notice, conduct additional audits of Unlimit Technologies ApS’ control environment and security practices relevant to the processing of Personal Data covered by this DPA. An audit shall be conducted without disrupting Unlimit Technologies ApS’ business operations and in accordance with Unlimit Technologies ApS’ security policies and Applicable Data Protection Laws.

APPENDIX A.1: DESCRIPTION OF DATA PROCESSING ACTIVITIES

This Annex contains a description of the basic data processing activities performed by the Processor in order to fulfill the contractually agreed services in the Main Agreement. If a particular service includes the processing of additional or different categories of data subjects or of personal data, the respective information is provided in the relevant service description.

 

Product: Security solutions
– TVO system
– Automatic intrusion alarm system
– Access control system
– Related management platform

Service: Maintenance, inspection and repair* (onsite or via remote access)
Associated processing of personal data: Personal data stored in the system (e.g. system log data containing username and user activities, video recordings) can be viewed.

Service: Operational assistance
Associated processing of personal data: For assistance with standard operating functions of the purchased security solutions, personal data in the system can be accessed and changed by Unlimit Technologies ApS employees on behalf of the customer (e.g. creating new users, editing cardholders, reviewing video recordings).

Service: Back-up services
Associated processing of personal data: Back-up files with system configuration data stored at Unlimit Technologies ApS contain personal data such as username and code. Files that include additional personal data such as users’ activities, names of employees and their entries in certain security areas or recordings made via video surveillance systems are stored on customer equipment (e.g. portable hard drive, local server) and can be restored.

Service: Hosting
Associated processing of personal data: In connection with hosting, Unlimit Technologies ApS provides IT services to the data controller and thereby stores personal data about the data controller’s users and customers on the data processor’s server systems.

The processing includes the following categories of data subjects:
– Employees of the customer and business partners who gain access to the customer’s buildings and/or are created as users/cardholders in the customer’s security system
– Employees of the customer who are responsible for operating the customer’s security system and/or associated management platforms
– Guests/other individuals who enter a monitored area at the customer
– Persons who are specified as contact persons on Unlimit Technologies ApS relationship order

Categories of personal data:
– Master data (name, username, social security number, email address, validity of access authorization)
– Business contact data (email address, phone number)
– Access data (location and access time)
– IP addresses of devices to access relevant systems
– Logged activity (e.g. changes to system configuration)
– Only in case of video surveillance: Video recordings

* In connection with troubleshooting and repair, our Danish support organization may receive assistance from Unlimit Technologies ApS product support in New Zealand. This support service does not include any data processing activity; however, it cannot be excluded that personal data stored in the database of the individual system is visible in the troubleshooting process.

Product: Building automation

Service: Operational assistance
Associated processing of personal data: In connection with assistance for user administration in the CTS system on behalf of the customer, personal data can be accessed and changed by Unlimit Technologies ApS employee (e.g. creation of new users).

Service: Back-up services
Associated processing of personal data: Back-up files with system configuration data stored at Unlimit Technologies ApS contain personal data such as username and code.

Service: Hosting
Associated processing of personal data: In connection with hosting, Unlimit Technologies ApS provides IT services to the data controller and thereby stores personal data about the data controller’s users and customers on the data processor’s server systems.

The processing includes the following categories of data subjects:
– Employees of the customer, business partners and customers who are created as users in the customer’s building automation system

Categories of personal data:
– Username
– IP addresses of devices to access relevant systems
– Logged activity (e.g. changes to system configuration)

ANNEX A.2: TECHNICAL AND ORGANIZATIONAL MEASURES

Technical and organizational measures according to Art. 32 General Data Protection Regulation (“GDPR”)

  1. Introduction
    This document describes the technical and organizational security measures for the protection of personal data (“security measures” and “measures”),
    which the data processor, as a minimum, establishes in connection with the processing carried out on behalf of the controller, taking into account the
    technological development, the costs of implementation, the context and purposes of processing and the risk of varying likelihood and severity for the rights and freedom of
    persons.

If different special security measures are agreed in the underlying master agreement, these special measures apply instead of or in addition to the security measures described in this document.

  1. Basic security measures
    The basic measures ensure the protection of confidentiality and the integrity of the systems by which Unlimit Technologies ApS processes
    personal data, especially when it comes to remote access. These security measures apply to all processing carried out by Unlimit Technologies ApS,
    unless otherwise agreed in the underlying master agreement.
  2. Company internal processes
    The data processor has appointed a data protection manager within the company. All employees and service providers who have access to personal data are obliged to
    process this data only on the instructions of the controller and exclusively for the performance of the contractually agreed services.
  3. Protection against unauthorized access
    Unauthorized persons must be prevented from gaining access to computer centers or business premises where data processing takes place.

Measures:
The Processor protects the buildings or business premises with appropriate control systems for physical access based on a security classification of buildings or business premises and correspondingly defined access authorization concepts. All buildings or business premises must be secured with technical access control measures, e.g. using card reading systems. Depending on the security classification, property, buildings or individual areas should be secured with additional measures. This can include special profiles for physical access, biometrics, PIN access, crossbar systems that only allow individual access, video surveillance and security personnel. Access rights for authorized persons are issued individually according to set criteria. This also applies to external persons.

  1. Protecting computers
    The computers used for processing must be secured and protected against unauthorized use.

Measures:
Only authorized users are granted access to the data processor’s computer (both laptop and desktop) and the following security measures further protect against unauthorized access: data encryption, individualized password protection (minimum 8 characters, usually with automatic expiration date), employee identity cards with personal identity encryption, automatic shutdown of idle systems. The protection of the computers used against attacks and accidental or deliberate destruction or modification is provided, among other measures, by intrusion detection systems, firewalls and regularly updated malware filters.

  1. Protection of data during transfer, transport and remote access
    Personal data must not be read, copied, modified or removed during electronic transmission or during transportation of data or its storage on data media. It must be possible to examine and determine at which locations a transfer of personal data using data transmission equipment is possible.

Action:
The electronic communication channels must be secured with the installation of closed networks and data encryption processes. In case of physical transportation of data media, data must be encrypted. Data media must be disposed of in a manner that is appropriate for the protection of data. Remote connections must be protected by encryption. The date, type and extent of remote maintenance activities shall be recorded in logs.

III. Special security measures for services in which Unlimit Technologies ApS stores customer data in IT systems

These special measures ensure the protection of confidentiality, integrity, availability and robustness of IT systems in which Unlimit Technologies ApS stores customers’ personal data. These measures apply when the storage of data represents part of the contractual services provided by Unlimit Technologies ApS, and is not only temporary.

  1. Protection against unauthorized processing
    Only employees who are engaged in the purposes for which the personal data is processed have access to IT systems used to store customer data.
    Personal data must not be read, copied, modified or removed without permission during processing, use and after storage.

Action:
Access to personal data in IT systems is granted on the basis of an authorization concept that limits employees’ access to personal data that is necessary for the performance of the contractually agreed services (“need to know”). In addition, it is required that unauthorized access to personal data is prevented as necessary by means of data encryption.

  1. Ensuring traceability
    It must be possible to examine and determine whether and by whom personal data has been entered, modified or removed in data processing systems.

Action:
The Data Processor allows only authorized users to have access to personal data based on a “need to know” authorization concept. Access to personal data is specified in log data files, which record the entry, modification and deletion of personal data in a protocol.

  1. Ensuring integrity, availability and stability
    The systems used for processing must be secured against errors, and it must be ensured that personal data is fully accessible and protected against loss at all times.

Action:
The Processor stores personal data using redundant systems depending on the security classification and uses uninterruptible power supplies (e.g. UPS, batteries, generators) to secure the power supply in its own computer centers. A comprehensive, written emergency plan is in place and emergency procedures and systems are tested regularly.

ANNEX A.3: APPROVED SUB-PROCESSORS

The controller has approved the use of the following sub-processors at the entry into force of the data processing agreement:

Name of company: CCTV Nordic
CVR no.: 35485392
Address: Olaf Ryes Gade 7K, DK-6000 Kolding
Possible involvement in data processing:
– Registration of customer contact information in control center software and disclosure of this information to the guard
– Registration of customer inquiries in the customer log

Name of company: G4S
Address: Olaf Ryes Gade 7K, DK-6000 Kolding
Possible involvement in data processing:
– Receiving and processing signals from Unlimit Technologies ApS equipment, e.g. video “live stream” in the alarm case
– Sending log printouts to the customer
– Filling out patrol reports with the customer’s contact information

Name of company: ICT
Address: Olaf Ryes Gade 7K, DK-6000 Kolding
Possible involvement in data processing:
– Storage of personal data recorded in connection with the establishment and use of Honestbox or MyKey:
  o Users’ personal data entered in connection with Honestbox’s or MyKey’s registration process
  o Personal data linked to the users’ account in connection with the operation of Honestbox or MyKey
  o Backup of the control center configuration containing usernames and access rights
– Analysis of the system configuration, log files and database for troubleshooting (3rd level support)

Name of company: Unlimit Technologies ApS/Honestbox
CVR no.: 43241486
Address: Galoche Alle 2, 4600 Køge, Denmark
Possible involvement in data processing: Hosting/data storage

 

 


Information

Email: ml@unlimitretail.dk
Galoche Allé 2, 4600 Køge
CVR: 43241486