Data Processing Agreement
This Data Processing Agreement (the “Agreement”) governs the processing of personal data carried out by Culturequest on behalf of you/your company/organization as a customer. The Agreement enters into force upon your registration as a customer and user on the platform.
The Agreement is entered into between:
- Data Controller:
Refers to you as the company or organization making use of the Culturequest platform.
- Data Processor:
Culturequest ApS
Johan Wilmanns Vej 23, 2th
2800 Kongens Lyngby
CVR No. 44750538
Contact: info@culturequest.io
(The Data Processor and the Data Controller are hereinafter each referred to as a “Party” and collectively as the “Parties”)
1. Preamble
The definitions of “personal data”, “special categories of personal data” (sensitive data), “processing”, “data subject”, “data controller”, and “data processor” shall have the same meaning as set forth in the General Data Protection Regulation (GDPR).
The purpose of this Agreement is to ensure the Parties’ compliance with applicable data protection legislation and to document the data controller’s instructions to the data processor. The purpose of the data processor’s processing of personal data on behalf of the data controller is to provide a platform that assists the data controller in measuring the organizational culture and employee well-being within the controller’s organization, as further described in Culturequest’s Terms and Conditions.
This Agreement sets out the rights and obligations of the Parties when the data processor processes personal data on behalf of the data controller.
In the event of any conflicting provisions concerning the processing of personal data, this Agreement shall prevail over Culturequest’s Terms and Conditions or any other agreements between the Parties. This Data Processing Agreement shall remain in force for as long as the data controller subscribes to Culturequest.
This Agreement does not exempt the data processor from any obligations imposed on the data processor by applicable data protection legislation.
2. Rights and Obligations of the Data Controller
The data controller is responsible for ensuring that the processing of personal data in connection with the use of the Culturequest application is carried out in accordance with Article 24 of the GDPR, other applicable EU law or national law, and this Data Processing Agreement.
The data controller has both the right and the obligation to determine the purposes and means of the processing of personal data. Furthermore, it is solely under the data controller’s control which personal data is processed, including data entered and generated within the Culturequest application.
The data controller is responsible for ensuring that there is a lawful basis for the processing and disclosure of personal data instructed to the data processor, including disclosure to any sub-processors engaged by the data processor and listed at all times in Appendix B.
The data controller is responsible for the accuracy, integrity, reliability, and lawfulness of the personal data processed by the data processor.
Where relevant, the data controller has fulfilled all mandatory requirements and obligations with respect to notification to or obtaining approval from the relevant public authorities concerning the processing of personal data.
The data controller has fulfilled its obligation to inform the data subjects regarding the processing of their personal data in accordance with applicable data protection legislation.
The data controller confirms that, by entering into this Agreement, the data processor has provided adequate assurances regarding the implementation of appropriate technical and organizational security measures to safeguard the rights of the data subjects and their personal data.
3. The Data Processor Acts Only on Instructions
The data processor shall only process personal data in accordance with documented instructions from the data controller, unless required to do so under applicable EU or national law to which the data processor is subject. By entering into this Agreement, the data controller instructs the data processor to process personal data in the following ways:
- in accordance with applicable law;
- to fulfill its obligations under Culturequest’s Terms of Use for the application;
- as further specified through the data controller’s ordinary use of the application;
- as described in this Agreement.
The data processor shall promptly notify the data controller if, in its opinion, an instruction infringes applicable data protection legislation or other EU or national law.
4. Security of Processing
The data processor is obligated to ensure a high level of security. This is achieved through the implementation of appropriate organizational, technical, and physical security measures. These measures are implemented taking into account the available technology and the costs of implementation, as well as the nature, scope, context, and purpose of the processing, in order to ensure an adequate level of security that addresses the risks and the categories of personal data to be protected.
The data processor may only grant access to personal data processed on behalf of the data controller to individuals who have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality — and only to the extent necessary. The duty of confidentiality shall also apply after the termination of this Data Processing Agreement.
Culturequest has implemented multiple security measures and internal data protection policies in order to ensure the confidentiality, integrity, resilience, and availability of personal data. These measures include, but are not limited to, the following:
- Risk assessments of its own security level in order to ensure that the current technical and organizational measures are sufficient to protect personal data, including in accordance with GDPR Article 32 on the security of processing and GDPR Article 25 concerning privacy by design and by default.
- Effective encryption of personal data during transmission over the internet.
- Ongoing awareness training for all employees with a focus on IT security and personal data processing.
- External access to systems and databases used for the processing of personal data is restricted by means of a built-in firewall.
- Limitation of access to personal data to those individuals whose access is necessary to fulfill the requirements and obligations set forth in this Data Processing Agreement.
- Established controls to identify and report any personal data breaches.
- Regular performance of vulnerability scans and penetration tests to ensure that technical safeguards are effectively implemented and tested.
- Implemented procedures to ensure that changes to systems, databases, and networks are carried out consistently to ensure proper maintenance.
5. Use of Sub-Processors
As part of the operation of Culturequest, the data processor engages sub-processors. This Agreement constitutes the data controller’s prior general written authorization for the data processor to use sub-processors. Such sub-processors may include third-party service providers located within or outside the EU/EEA. The data processor’s current sub-processors are listed in the then-applicable Appendix B.
The data processor shall ensure that its sub-processors are subject to the same obligations and requirements as those set forth in this Data Processing Agreement. The data controller shall be informed in writing by email no later than 30 days before the data processor engages a new sub-processor. Notification will be sent to the individual managing data on behalf of the data controller via the platform.
The data controller has the right to object to the engagement of any new sub-processor who will process personal data on behalf of the data controller if the sub-processor does not process data in accordance with applicable data protection legislation. In such cases, the data processor must demonstrate compliance by providing the data controller with access to its data protection assessment and any relevant documentation concerning the use of the sub-processor.
If disagreement remains following such disclosure, the data controller may terminate its subscription with shorter notice than usual, in order to ensure that its personal data is not processed by the sub-processor in question.
6. Transfers to Third Countries or International Organizations
Any transfer of personal data to a third country or an international organization may only be carried out by the data processor on the basis of documented instructions from the data controller and must always be conducted in accordance with Chapter V of the General Data Protection Regulation (GDPR), including, for example, through the execution of the European Commission’s Standard Contractual Clauses (EU SCCs) or another valid transfer mechanism. The data controller authorizes the data processor to ensure an adequate legal basis for the transfer of personal data to a third country on behalf of the data controller. The applicable transfer mechanism under Chapter V of the GDPR on which the transfer is based shall be specified in Appendix B.
If the data processor is required to transfer personal data to third countries or international organizations without having received instructions to do so from the data controller, due to legal obligations under EU law or the national law of a Member State to which the data processor is subject, the data processor shall inform the data controller of such legal requirement prior to processing, unless the relevant law prohibits such notification on important grounds of public interest.
Without documented instructions from the data controller, the data processor shall not, under this Agreement:
- Transfer personal data to a data controller or data processor in a third country or an international organization;
- Assign the processing of personal data to a sub-processor in a third country;
- Process personal data in a third country.
7. Assistance to the Data Controller
The data processor shall, insofar as possible, assist the data controller by implementing appropriate technical and organizational measures, taking into account the nature of the processing and the categories of data available to the data processor, in order to ensure the data controller’s compliance with its obligations under applicable data protection legislation.
The data processor shall assist the data controller in complying with Articles 32–36 of the GDPR, including but not limited to data security, notification of personal data breaches to the supervisory authority, and communication of such breaches to the data subjects, taking into account the nature of the processing and the information available to the data processor.
The data processor may not respond to requests from data subjects unless it is expressly authorized to do so by the data controller. The data processor shall not disclose information relating to this Data Processing Agreement to public authorities, such as the police — including personal data — unless required to do so by law in the form of a court order or similar legal obligation.
Furthermore, the data processor shall, insofar as it is possible and lawful, notify the data controller if:
- A request for access to personal data is received directly from a data subject;
- A request for access to personal data is received directly from a public authority, including the police, unless the data processor is instructed not to inform the data controller.
If the data controller requires information or assistance regarding security measures, documentation, or information on the general processing of personal data by the data processor, and such request exceeds what is necessary under applicable data protection legislation, the data processor may require payment for such additional services.
8. Notification of Personal Data Breaches
The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach involving personal data processed on behalf of the data controller. This is to ensure that the data processor supports the data controller in fulfilling its subsequent obligations in this regard.
The data processor’s notification to the data controller shall, where possible, be made no later than 24 hours after becoming aware of the breach, in order to allow the data controller to meet any obligation to notify the supervisory authority within 72 hours.
The data processor shall notify the data controller via the contact person registered as a user in the Culturequest application if the data processor becomes aware of a security incident.
9. Return and Deletion/Anonymization of Data
Upon termination of a Culturequest subscription, the data controller shall have the option to have its data returned (exported). Following the termination of the subscription, the data processor will delete or anonymize all personal data processed on behalf of the data controller. This will be carried out in accordance with the applicable terms and conditions.
10. Audit, Including Inspection
If the proposed scope of the audit is covered by an ISAE 3000, ISO, or similar assurance report issued by a qualified third-party auditor within the preceding twelve months, and the data processor confirms that no material changes have occurred in the measures audited, the data controller shall accept this report in lieu of requesting a new audit of the measures already covered.
If the data processor’s assistance in connection with the audit exceeds the standard services the data processor is required to provide under applicable data protection legislation, such assistance shall be billed separately.
11. Commencement and Termination
This Agreement enters into force upon registration as a user of the Culturequest application and shall remain in effect for as long as the data processor processes personal data on behalf of the data controller in connection with the data controller’s use of the Culturequest application.
12. Amendments to the Data Processing Agreement
The current version of the Agreement will be available at all times on the website. Material changes will be notified 30 days prior to taking effect via email to the individual who registered as a user of the Culturequest application. Continued use of the Culturequest application after the update constitutes acceptance of the Agreement.
13. Liability
Liability for actions that are in breach of the provisions of this Agreement shall be governed by the liability and indemnification clauses set out in the Terms and Conditions of the Culturequest application. This also applies to any breaches committed by the data processor’s sub-processors.
The Parties may agree on additional terms and conditions regarding the processing of personal data, such as liability for damages, provided that such terms do not directly or indirectly conflict with this Agreement or impair the fundamental rights and freedoms of the data subjects as provided under the General Data Protection Regulation.
14. Governing Law and Jurisdiction
This Data Processing Agreement is governed by Danish law, and any dispute arising out of or in connection with this Agreement shall be subject to the jurisdiction of the Danish courts.
15. Appendix A – Categories of Personal Data and Data Subjects
The data controller has control over which categories of personal data are processed in the Culturequest application, but they may include, among others:
- Name
- Email address
- Date of birth
- Gender
- Workplace
- Phone number
- Department
- Survey responses
- Comments
In addition to the above, special categories of personal data (sensitive data) may be processed by the data processor, to the extent that the data controller chooses to process such data in the Culturequest application. However, this remains outside the control of the data processor.
The data controller has control over which categories of data subjects are processed in the Culturequest application, but they may include, among others:
- Employees of the data controller
- Contact persons of the data controller
- Others (if applicable)
16. Appendix B – Terms for the Data Processor’s Use of Sub-Processors and List of Approved Sub-Processors
Culturequest engages sub-processors to process personal data. These sub-processors are typically providers of cloud services or other IT hosting services. Culturequest ensures that data processing agreements are in place with all sub-processors to protect your personal data in the best possible way.
If sub-processors are located outside the EU, we ensure that a valid legal basis for the transfer is established, including by entering into the EU Standard Contractual Clauses (SCCs). Under each category, you can find information on what data our sub-processors have access to, the purpose of the processing, where the data is stored, and the applicable transfer mechanism if data is transferred to third countries.