Data Processing Agreement

The Data Processing Agreement (DPA) for iMotions, dated June 2023, is designed to ensure compliance with data protection regulations, particularly the EU General Data Protection Regulation (GDPR). Here are the key points summarized:

  1. Purpose and Scope: This DPA forms part of either a Software License Agreement, Master Services Agreement, or Sales Contract between a Controller and iMotions A/S (Processor). It outlines the terms regarding the processing of personal data.
  2. Definitions: Key terms like ‘Sub-processor,’ ‘Data Processor,’ ‘Personal Data,’ and ‘GDPR’ are clearly defined to establish a common understanding.
  3. Processor’s Obligations: The Processor agrees to process personal data only for the purposes specified in the Principal Agreement and in accordance with the Controller’s instructions, ensuring compliance with data protection laws. The Processor is also required to implement appropriate technical and organizational measures to protect personal data.
  4. Sub-Processing: The Processor is authorized to engage Sub-processors under specific conditions and must ensure that these Sub-processors adhere to the same data protection obligations.
  5. Data Subject Rights: The Processor must assist the Controller in fulfilling their obligations to respond to data subject requests under GDPR.
  6. Personal Data Breach: In case of a personal data breach, the Processor must promptly notify the Controller and cooperate in mitigating the effects of the breach.
  7. Data Protection Impact Assessment and Prior Consultation: The Processor shall assist the Controller with data protection impact assessments as required under GDPR.
  8. Erasure or Return of Controller Personal Data: Upon the end of the service or the agreement, the Processor must either return or securely erase the personal data.
  9. Audit Rights: The Controller has the right to conduct audits to ensure the Processor’s compliance with the DPA.
  10. International Transfers of Controller Personal Data: Any transfer of personal data to third countries must be conducted in compliance with GDPR and only upon the Controller’s authorization.
  11. General Terms: This section outlines the governing law, dispute resolution, and the precedence of this DPA over other agreements in matters of data protection.

This summary provides an overview of the main points of the Data Processing Agreement, outlining the responsibilities and obligations of both parties in relation to data processing and protection.