Terms and conditions
End User License Agreement (EULA), Data Processor Agreement (DPA), Privacy Policy and Cookie policy
End User License Agreement (EULA)
This End User License Agreement (“EULA”) is a legal agreement between the Parties: Uniconta A/S, Ørestad Boulevard 73, 2300 København S, Denmark, CVR/Company Registration no. 33266928 (“Uniconta”) and the (“Customer”).
The EULA is accepted by the Customer on the Uniconta website www.uniconta.com and shall form the agreement between the parties.
The Service covered by the EULA is provided business to business (the “Service/System”).
This EULA replaces previous agreements between Uniconta and the Customer regarding Uniconta Enterprise Resource Planning’s software, including selected add-ons and plug-ins.
The EULA consists of:
- End User License Agreement
- Appendix 1: Data processing agreement
- Appendix 2: Personal data policy
The terms of the End User License Agreement apply to the extent that they are not deviated from in the appendices.
End User License Agreement (EULA)
1. THE NOTIFIED LICENSE
1.1 The rights reserved by Uniconta
Uniconta owns all property rights and intellectual property rights in and to the Service. Uniconta reserves all rights not expressly granted to the Customer under this EULA.
1.2 Customer’s right of use
1.2.1 Subject to Customer’s performance of the Customer’s obligations under the EULA, including, inter alia, payment of all applicable subscription fees, Uniconta hereby grants the Customer, subject to the limitations in paragraph 2 below, a personal, non-exclusive and non-transferable right to use the Service under the terms of this EULA.
1.3 The Customer’s right to use the Service shall become effective on the date of the Customer’s first login and shall run until terminated in accordance with the terms of this EULA.
1.3.1 The Service may contain an overview of selected modules. For certain functions, services and add-on modules, separate terms must be accepted by the Customer in addition to this EULA before they may be used.
1.3.2 In addition to the Customer’s own access, the Customer has the right to grant a third party access to the Service. The Customer vouches for and is fully responsible for the third party to whom the Customer grants access.
1.3.3 Each of the users of the Service that the Customer has chosen (“the named user”) must create a user profile with which the named user has access to and uses the Service. The Customer is responsible for the administration of the named users who are registered under the Customer and for the named users’ use of the Service.
1.3.4 The Customer ensures that the Service is not used in a way that could damage Uniconta’s name, reputation or goodwill, or that is contrary to applicable laws or regulations.
2. LIMITATIONS
2.1 No transfer, sale, sub-licensing, rental, lending or leasing
Subject to clause 1.3.3, the Customer may not assign, sell, sub-license, rent, lease or lend the Service.
2.2 No copying
The Customer may not make copies of the Service beyond the extent expressly permitted by applicable law. Nor may the Customer publish, distribute or otherwise make the Service publicly available for others to copy.
2.3 Restrictions on reverse engineering, decompilation and disassembly
The Customer is not entitled to reverse engineer or to decompile or disassemble the Service except and only to the extent that applicable law expressly permits such activity notwithstanding this limitation.
2.4 Support, upgrade, maintenance, etc.
Uniconta provides support, upgrade, maintenance and other services in connection with the Service at Uniconta’s discretion as notified by Uniconta.
3. PRICE AND PAYMENT TERMS
If the Customer receives an invoice directly from Uniconta, the following applies:
3.1 If the Customer needs a different level of capacity or functionality, the Service will be automatically upgraded or downgraded accordingly. The Customer agrees that as a result, the price will be increased or decreased in accordance with the configuration of the Service.
3.2 If the Customer charges the Service disproportionately by excessive use of the Service, Uniconta is entitled to charge additional fees.
3.3 Payment terms, including due date, appear on the invoice.
3.4 Payment must be in our bank account no later than the due date applicable from time to time. If not paid, access to the Service will be closed after a reminder. We also reserve the right to charge interest on late payments, as well as payment of reminder letters and collection fees in accordance with applicable law. Once all outstanding claims have been paid, we will initially open access to the Service.
3.5 The Customer accepts that invoices and reminders that Uniconta sends by e-mail are considered to have been correctly received by the Customer. E-mails to the address specified by the Customer are considered delivered when they are sent by Uniconta.
3.6 The applicable service fees can be seen on Uniconta’s website and, in the event of changes, can be changed on the website with 1 (one) month’s notice. The same applies to changes in the composition and content of license types and add-on modules. All prices are exclusive of VAT.
3.7 The first billing cycle runs from the beginning of the month in which access to the Service is first granted. Invoices are charged monthly, unless the parties have agreed otherwise.
3.8 If the Customer receives the Service on the basis of an agreement between the Customer and a third party that is not Uniconta (e.g. Uniconta Partner or Uniconta Distributor), the price and payment terms will be agreed directly with the third party.
4. TERMINATION AND TERMINATION
4.1 Termination:
4.1.1 The Customer may terminate use of the service, downgrade the Service and/or opt out of additional modules at the end of a calendar month, unless otherwise stated in the description or terms of the specific modules and functions. The Customer can remove a user/users from an account no later than the 5th of the month, then this user will not be billed at the end of the month.
4.1.2 Uniconta may terminate this EULA with 6 (six) months’ written notice or without notice if the Customer has breached any term, condition or provision of the EULA or in the event of the Customer’s insolvency or bankruptcy.
4.1.3 Subject to clauses 5.1 and 5.2, upon termination of the license, the Customer shall, for any reason, immediately cease all use of the Service.
5. THE CUSTOMER’S DATA
5.1 The parties accept that the data that the Customer uploads to the Service belongs to the Customer, who can therefore freely dispose of the data while the Service is being used. The Service allows Customer to export all indexes, data, etc. through the Service’s export feature, and Customer agrees that such export must be performed by Customer prior to termination of the EULA.
In the event that access to the Service ceases or is terminated by the Customer, Uniconta endeavors, where it may be reasonable and commercially justifiable, to give the Customer a period of 10 days after the termination in which the export function can be used.
5.2 Uniconta reserves the right to delete the Customer’s data 90 days after termination of the EULA, regardless of the reason for termination, and Uniconta has no obligation to store the Customer’s data after this period.
5.3 Upon termination of the license, Uniconta is entitled to retain the Customer’s data, this solely for statistical and analytical purposes.
5.4 In exceptional cases where Uniconta deems it justified and reasonable, for example to avoid loss of value, Uniconta may give third parties and public authorities access to the Customer’s data in connection with a legal obligation, government demand, bankruptcy, death or the like.
5.5 The Customer accepts that Uniconta has the right to assign its obligations under this EULA to a reseller.
5.6 The Customer agrees that Uniconta and the reseller have access to the Customer’s data, provided that the Customer has accepted this in the reseller access function of the Service.
5.7 The Customer’s data is processed in accordance with the data processing agreement in Appendix 1.
6. OPERATIONAL STABILITY
6.1 Uniconta strives to achieve the best possible operational stability, but is not responsible for interruptions or failures, including operational failures, caused by factors beyond Uniconta’s control. This includes, among other things, power failure, equipment failure, failure in connection with the Internet or telecommunications and the like. The Service is provided on an “as is” basis and Uniconta disclaims all warranties, guarantees, claims and other terms, whether express or implied.
6.2 In the event of service interruptions or disruptions, Uniconta strives to restore operations to normal levels as soon as possible.
6.3 Planned interruptions in access to the Service will primarily be between 21:00 and 6:00 CET. Should it become necessary to close access to the Service outside this time, the Customer will be informed of this as far in advance of the interruption as possible.
7. CHANGES
7.1 Uniconta is entitled to make updates and improvements to the Service on an ongoing basis. Uniconta is also entitled to change the composition and structure of the Service and the services provided. Such updates, improvements and changes may take place with or without notice and may affect the services provided, including information and data uploaded to or transmitted by the Service.
8. INTELLECTUAL PROPERTY RIGHTS
8.1 The Service and the information transmitted from the Service, except for the Customer’s data, are copyrighted or protected by other intellectual property rights and are owned by or licensed to Uniconta. Individually created software also belongs to Uniconta, unless otherwise agreed in writing. The Customer shall notify Uniconta of any actual or potential infringement of Uniconta’s intellectual property rights or unauthorized use of the Service of which the Customer becomes aware.
8.2 This EULA does not in any way transfer intellectual property rights relating to the Services to the Customer.
8.3 The Customer grants Uniconta and its suppliers permission and a global license to the material and all data uploaded by the Customer that is necessary for Uniconta to properly administer and operate the Service, fulfill its obligations and promote relevant products to the Customer.
8.4 The Customer warrants that the material and data uploaded do not infringe the rights of any third party and do not contain material that may be offensive or that is contrary to applicable laws and regulations.
9. TRANSFER
9.1 Uniconta has the right to assign, in whole or in part, its rights and obligations under the EULA to a third party.
9.2 The Customer accepts that Uniconta is entitled to use subcontractors in connection with all aspects of this EULA, including for the completion and operation of the Service, and to store the Customer’s data.
10. DISCLAIMER AND LIMITATION OF LIABILITY
10.1 Under no circumstances is Uniconta liable to the Customer or any other person or company for any kind of direct or indirect damage, including, among other things, lost profits, lost savings, lost data or other documented loss, indirect or punitively justified or consequential damage, arising out of or in connection with the use of the Service or any service provided or performed by Uniconta under this EULA, even if Uniconta has been advised of the possibility of such loss or damage or compensation. The aforementioned disclaimer applies to all causes of action, including breach of contract, breach of warranty, strict liability, negligence and other tortious actions.
10.2 Uniconta is under no circumstances liable to the Customer or any other person or company for any damage, be it directly or indirectly caused by instability or failure of the system.
10.3 Uniconta is not responsible for third-party solutions available and/or integrated into the Service, including currency feeds/calculators. Uniconta cannot be held responsible for the accuracy, completeness, quality or reliability of the information or results obtained through these third-party solutions.
Nor can Uniconta be held responsible for the availability, security or functionality of third-party solutions, including possible damage and/or possible loss caused by third party solutions. It is the responsibility of the Customer to prove that a loss suffered by the Customer cannot be attributed to third-party solutions.
10.4 Uniconta’s maximum aggregate liability for claims on the basis of the services provided by Uniconta or the Service in this EULA is in all cases limited to the direct damage actually incurred by the Customer and is further limited to the amount of the service fee paid by the Customer in the 12 months preceding the event giving rise to the liability.
10.5 Uniconta has no liability to the Customer in respect of losses due to force majeure, i.e. circumstances beyond Uniconta’s control, including, among other things, natural disasters, risks in connection with sea and aviation, fire, flood, drought, explosion, sabotage, accidents, embargo, insurrection, riots, including government and parliamentary actions as well as labour disputes of any kind and cause, including (subject to the validity of the foregoing) work-by-rules action, overtime caps, strikes and lockouts.
11. THIRD-PARTY RIGHTS
11.1 Uniconta cannot grant and does not grant any license to a third-party’s patent or any other intellectual property right held by a third-party. The Customer shall, at the Customer’s own expense, license and maintain such licenses from third-parties, and Uniconta cannot be held liable if third-parties raise claims for infringement of such third-parties’ patent rights or other intellectual property rights.
If the Customer does not license and maintain such third-parties’ licenses as described, and if this causes a third-party to raise a claim for damages against Uniconta, the Customer shall indemnify Uniconta for such third parties’ claims for damages.
12. RENUNCIATION
If Uniconta at any time fails or neglects to invoke any provision of the EULA, this shall not be construed as a waiver of Uniconta’s rights under the EULA and shall in no way, in whole or in part, affect the validity of the EULA and shall not affect Uniconta’s right to take subsequent action.
13. INDIVIDUALITY
In the event that a provision of this EULA is determined by a competent authority to a certain extent as invalid, unlawful or unenforceable, that provision shall be separated to the same extent from the remaining provisions which continue to be valid between the parties to the fullest extent permitted by law.
14. COMPLIANCE WITH LOCAL LAWS
The Customer complies, at the Customer’s own expense and risk, with all relevant and applicable laws, including, among other things, laws and provisions on broadcast in use of the Service.
15. MODIFICATION OF THE TERMS
Uniconta can change the terms and conditions according to this EULA with 1 (one) month’s notice after such changes have been posted on Uniconta’s website. Use of the Service after a change in the terms constitutes acceptance of the changed terms. It is the Customer’s obligation to keep up-to-date on changes to the terms.
16. APPLICABLE LAW AND JURISDICTION
16.1 Applicable law
This EULA is governed, interpreted and enforced in accordance with the laws of Denmark.
16.2 Disputes and jurisdiction
A dispute arising out of or relating to this EULA shall be decided by the Copenhagen City Court. This does not prevent the case from being referred to the national court or the Maritime and Commercial Court in accordance with applicable laws.
Notwithstanding this specific agreement, in the event of a dispute, the parties shall attempt to settle it by mediation in accordance with the Danish IT Lawyers Association’s (“DITA”) mediation procedure (www.danske-it-advokater.dk). To commence mediation, a party must give written notice to the other party to the dispute and request mediation. A copy of the request will be sent to DITA.
The broker will be appointed by DITA within 8 (eight) working days of DITA’s receipt of the notice. Neither party may commence legal proceedings relating to a dispute until the parties have attempted to settle the dispute by mediation. At a minimum, the parties are obliged to attend the first meeting convened by the Broker. A party is entitled to commence legal proceedings if a delay in such proceedings may cause a forfeiture of a right, e.g. due to limitation.
16.3 Right to injunction:
Notwithstanding clause 16.2 above, Uniconta may seek injunctive or equitable relief in any jurisdiction to enforce its intellectual property rights.
Appendix 1: Data processing agreement
1. Standard Contractual Clauses
Standard contractual clauses pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the purpose of the processing of personal data by the data processor
between “Customer”, hereinafter “data controller”
and
Uniconta A/S, Øresunds Boulevard 73, 2300 Københavns S, Denmark, VAT no. 33266928 hereinafter “the data processor”, each of which is a “party” and together constitute the “parties”
The parties have agreed the following standard contractual provisions (the Provisions) in order to comply with the Data Protection Regulation and ensure the protection of privacy and fundamental rights and freedoms of natural persons:
2. Preamble
1. These Provisions set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
2. These Provisions are designed to comply with Article 28 (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Data Protection Regulation).
3. In connection with the provision of the Service under the EULA, the data processor processes personal data on behalf of the data controller in accordance with these Provisions.
4. The Provisions prevail over any corresponding provisions in other agreements between the parties.
5. There are four annexes to these Provisions and the Annexes form an integral part of the Provisions.
6. Appendix A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
7. Annex B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors whose use the data controller has approved.
8. Annex C contains the data controller’s instructions regarding the data processor’s processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-processors are supervised.
9. The Provisions and their annexes shall be kept in writing, including electronically, by both parties.
10. These Provisions do not release the data processor from obligations imposed on the data processor under the General Data Protection Regulation or any other legislation.
3. Rights and obligations of the data controller
1. The data controller is responsible for ensuring that the processing of personal data takes place in accordance with the data protection regulation (see the regulation’s article 24), data protection regulations in other EU law, or the national law of the member states and these Provisions.
2. The data controller has the right and obligation to make decisions about the purpose(s) and means of processing personal data.
3. The data controller is responsible for, among other things, ensuring that there is a processing basis for the processing of personal data that the data processor is instructed to carry out.
4. The data processor acts according to instructions
1. The data processor may only process personal data on documented instructions from the data controller, unless required by Union or Member State law to which the data processor is subject. These instructions must be specified in Annexes A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instructions must always be documented and stored in writing, including electronically, together with these Provisions.
2. The data processor shall inform the data controller without delay if, in its opinion, an instruction infringes this Regulation or data protection provisions of other Union or Member State law.
5. Confidentiality
1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor’s powers of instruction, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access must be reviewed on an ongoing basis. Based on this review, access to personal data may be closed if access is no longer necessary and the personal data shall no longer be accessible to these persons.
2. Upon request from the data controller, the data processor must be able to demonstrate that the persons in question, who are subject to the data processor’s instructional powers, are subject to the above-mentioned confidentiality obligation.
6. Treatment safety
1. Article 32 of the Data Protection Regulation states that the data controller and the data processor, taking into account the current technical level, the implementation costs and the nature, scope, context and purpose of the processing in question, as well as the risks of varying probability and seriousness to the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of protection appropriate to these risks.
The data controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address these risks. Depending on their relevance, it may include:
a. Pseudonymization and encryption of personal data
b. ability to ensure the ongoing confidentiality, integrity, availability and robustness of processing systems and services
c. ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
d. a procedure for the regular testing, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the safety of treatment
2. Pursuant to Article 32 of the Regulation, the data processor, independently of the data controller, shall also assess the risks to the rights of natural persons posed by the processing and implement measures to address these risks. For the purpose of this assessment, the data controller shall make available to the data processor the necessary information which enables him to identify and assess such risks.
3. In addition, the data processor shall assist the data controller in its compliance with the data controller’s obligation under Article 32 of the Regulation by, among other things, making available to the data controller the necessary information regarding the technical and organisational security measures already implemented by the data processor pursuant to Article 32 of the Regulation and any other information necessary for the data controller’s compliance with its obligation under Article 32 of the Regulation.
If, in the assessment of the data controller, addressing the identified risks requires the implementation of additional measures beyond those already implemented by the data processor, the data controller shall indicate the additional measures to be implemented in Annex C.
7. Use of sub-processors
1. The data processor must meet the conditions referred to in Article 28(2) and (4) of the General Data Protection Regulation in order to make use of another data processor (a subcontracted data processor “sub-processor”).
2. Thus, the data processor may not make use of a sub-processor to comply with these Provisions without the prior general written approval of the data controller.
3. The data processor has the data controller’s general approval for the use of sub-processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 10 days’ notice, thereby giving the data controller the opportunity to object to such changes before the use of the sub-processor(s) concerned. Longer notice for notification in connection with specific processing activities may be specified in Appendix B. The list of sub-processors already approved by the data controller is set out in Appendix B.
4. When the data processor makes use of a sub-processor in connection with the performance of specific processing activities on behalf of the data controller, the data processor shall, through a contract or other legal document under Union or Member State law, impose on the sub-processor the same data protection obligations as those set out in these Provisions, providing in particular the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing complies with the requirements of these Provisions and the Data Protection Regulation.
The data processor is therefore responsible for requiring the sub-processor to at least comply with the data processor’s obligations under these Provisions and the data protection regulation.
5. Sub-processor agreement(s) and any subsequent amendments thereto are sent – upon the data controller’s request – in a copy to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations arising from these Provisions are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection law content of the sub-processor agreement shall not be sent to the data controller.
6. The data processor must include the data controller in its agreement with the sub-processor as a beneficiary third-party in the event of the data processor’s bankruptcy, so that the data controller can enter into the data processor’s rights and enforce them against sub-processors, which, for example, enables the data controller to instruct the sub-processor to delete or return the personal data.
7. If the sub-processor fails to meet its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-processor’s obligations. This does not affect the rights of data subjects arising from the General Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, vis-à-vis the data controller and the data processor, including the sub-processor.
8. Transfer to third countries or international organisations
1. Any transfer of personal data to third countries or international organisations may only be carried out by the data processor on the basis of documented instructions from the data controller and must always take place in accordance with Chapter V of the General Data Protection Regulation.
2. Where the transfer of personal data to third countries or international organisations which the data processor has not been instructed to carry out by the data controller is required by Union law or the national law of the Member States to which the data processor is subject, the data processor shall inform the data controller of this legal requirement before processing, unless that law prohibits such notification for the sake of important social interests.
3. Thus, without documented instructions from the data controller, the data processor cannot, within the framework of these Provisions:
a. transfer personal data to a data controller or data processor in a third country or an international organisation
b. entrust the processing of personal data to a sub-processor in a third country
c. process the personal data in a third country
4. The data controller’s instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, must be specified in Annex C.6.
5. These Provisions should not be confused with Standard Contractual Clauses within the meaning of Article 46(2)(c) and (d) of the General Data Protection Regulation, and these Provisions cannot constitute a basis for the transfer of personal data within the meaning of Chapter V of the General Data Protection Regulation.
9. Assistance to the data controller
1. The data processor, taking into account the nature of the processing, assists the data controller, as far as possible, by means of appropriate technical and organisational measures, in fulfilling the data controller’s obligation to respond to requests for the exercise of the rights of data subjects as laid down in Chapter III of the General Data Protection Regulation.
This implies that the data processor must, as far as possible, assist the data controller in connection with the data controller ensuring compliance with:
a. the duty to provide information when collecting personal data from the data subject
b. the obligation to provide information if personal data have not been collected from the data subject
c. the right of access
d. the right to rectification
e. the right to erasure (“the right to be forgotten”)
f. the right to restriction of processing
g. the notification obligation in connection with the correction or deletion of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller in accordance with Clause 6.3., the data processor shall also, taking into account the nature of the processing and the information available to the data processor, assist the data controller with:
a. the data controller’s obligation to notify the competent supervisory authority without undue delay and, if possible, within 72 hours of becoming aware of it, of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights or freedoms of natural persons
b. the data controller’s obligation to notify the data subject without undue delay of a breach of personal data security when the breach is likely to result in a high risk to the rights and freedoms of natural persons
c. the obligation of the data controller to undertake a pre-processing analysis of the implications of the intended processing activities on the protection of personal data (an impact assessment);
d. the obligation of the data controller to consult the competent supervisory authority before processing where a data protection impact assessment shows that the processing would lead to high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties must specify in Annex C the necessary technical and organisational measures with which the data processor must assist the data controller and to what extent. This applies to the obligations arising from Clause 9.1. and 9.2.
10. Notification of personal data breaches
1. The data processor notifies the data controller without undue delay after becoming aware that a breach of personal data security has occurred.
2. If possible, the data processor’s notification to the data controller must take place no later than 48 hours after the data controller has become aware of the breach, so that the data controller can comply with its obligation to report the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.
3. In accordance with Provision 9.2.a, the data processor shall assist the data controller in making notification of the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which according to Article 33 (3), must be stated in the data controller’s notification of the breach to the competent supervisory authority:
a. the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned
b. the likely consequences of the personal data breach
c. the measures taken or proposed by the data controller to address the personal data breach, including, where appropriate, measures to limit its possible adverse effects.
4. The parties must specify in Annex C the information that the data processor must provide in connection with its assistance to the data controller in his obligation to report breaches of personal data security to the competent supervisory authority.
11. Deletion and return of information
1. Upon termination of the services regarding the processing of personal data, the data processor is obliged to return all personal data and delete existing copies, unless EU or Member State law provides for the storage of the personal data.
12. Audit, including inspection
1. The data processor makes available to the data controller all information necessary to demonstrate compliance with Article 28 of the Data Protection Regulation and these Provisions and provides for and contributes to audits, including inspections, carried out by the data controller or another auditor authorised by the data controller.
2. The procedures for the data controller’s audits, including inspections, with the data processor and sub-processors are detailed in Appendix C.7. and C.8.
3. The data processor is obliged to grant supervisory authorities which, according to applicable law, have access to the data controller’s or data processor’s facilities, or representatives acting on behalf of the supervisory authority, access to the data processor’s physical facilities against proper identification.
13. Agreement of the parties on other matters
1. The parties may agree on other provisions relating to the service regarding the processing of personal data, such as liability, as long as these other provisions do not directly or indirectly conflict with the Provisions or impair the fundamental rights and freedoms of the data subject as a result of the General Data Protection Regulation.
14. Entry into force and termination
1. The Provisions shall enter into force on the date of signature of both parties.
2. Either party may require the Provisions to be renegotiated if changes in the law or inadequacies in the Provisions give rise to this.
3. The Provisions are valid as long as the service relating to the processing of personal data lasts. During this period, the Provisions cannot be terminated, unless other provisions governing the provision of the service regarding the processing of personal data are agreed between the parties.
4. If the provision of the services regarding the processing of personal data ceases and the personal data is deleted or returned to the data controller in accordance with Clause 11.1 and Appendix C.4, the Provisions may be terminated with written notice by either party.
Signature: The provisions are entered into upon acceptance of the EULA.
Annex A Information about the treatment
A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller
The purpose of processing personal data is to support the Customer’s financial management activities, including, for example, bookkeeping, invoicing, internal control and auditing.
A.2. The data processor’s processing of personal data on behalf of the data controller primarily concerns (the nature of the processing)
The processing of personal data primarily concerns access to the system (login), the processing of attachments related to the Customer’s operation and the Customer’s other input into the system according to the purpose (financial management activities).
A.3. The processing includes the following types of personal data of the data subjects
The data processor only processes personal data related to the Customer’s financial management activities. However, the data controller has free access to upload attachments to the system.
General personal data processed:
- Login: Name, email, phone number and code
- Financial information: Name, address, phone numbers, purchase history and invoice numbers
A.4. The processing includes the following categories of data subjects
The data controller’s employees, suppliers, advisers and customers.
A.5. The processing of personal data by the data processor on behalf of the data controller may commence after the entry into force of these Provisions. Treatment has the following duration:
Processing will take place as long as the Provisions are in force between the parties.
The data processor may delete the personal data upon termination of the Service and must delete the personal data no later than 12 months after termination, unless the data processor is required to retain the personal data for a longer period in accordance with legal requirements.
Appendix B Sub-processors
B.1. Approved sub-processors
Upon the entry into force of the Provisions, the data controller has approved the use of the following sub-processors:
NAME | VAT NO. | ADDRESS | DESCRIPTION OF TREATMENT |
Sotea A/S | 10085225 | Højbovej 1b, DK-8600 Silkeborg Denmark | Hosting |
Paperflow | 37035785 | Niels Juels Gade 5, 4th floor, DK-1059 Copenhagen K | Digital reading of documents |
Paperflow Bulgaria Service Center | N/A | 132, ul. “Mimi Balkanska” Str, 1540 Sofia Bulgaria |
Upon the entry into force of the Provisions, the data controller has approved the use of the above-mentioned sub-processors for the described processing activity. The data processor may not – without the data controller’s written approval – make use of a sub-processor for a processing activity other than the one described and agreed or make use of another sub-processor for this processing activity.
B.2. Notice for approval of sub-processors
An updated list of sub-processors will be available at any time here: https://www.uniconta.com/about-us/sub-processors/
See clause 7.3 above.
Appendix C Instructions regarding the processing of personal data
C.1. The object of treatment/instruction
The data processor’s processing of personal data on behalf of the data controller takes place by the data processor performing the following:
The data processor is instructed to process personal data in connection with the delivery of the system as described above in the end user license, the Provisions and the parties’ other written agreements.
In this connection, the data processor is instructed to process the personal data uploaded to the system at the customer’s initiative in order to support the customer’s financial management activities.
C.2. Treatment safety
The level of security shall reflect:
The processing only includes information covered by Article 6 of the General Data Protection Regulation on general categories of personal data, which is why a ‘medium’ level of security must be reflected in the data processing.
The data processor is then entitled and obliged to make decisions about which technical and organizational security measures must be implemented in order to establish the necessary (and agreed) security level.
However, the data processor must – in any case and at a minimum – implement the following measures agreed with the data controller:
We refer to the latest version of our statement on our website: https://www.uniconta.com/about-us/it-security-isae-3402/
C.3 Assistance to the data controller
The data processor shall as far as possible – within the scope below – assist the data controller in accordance with Provisions 9.1 and 9.2 by implementing the following technical and organisational measures:
9.1 (Rights of data subjects): If the data processor technically has the personal data to which the request relates and the data controller exceptionally does not, the data processor shall assist the data controller with the practical part associated with answering the request. Finally, the data processor shall provide input to information messages pursuant to Articles 13 and 14 if requested.
9.2 (notifications, impact assessment and consultation): At the request of the data controller, the data processor shall, at the discretion of the data controller, assist the data controller in the practical part of the notifications, the impact assessment and the consultation. Assistance may, for example, consist of providing information or assisting with assessments and attending meetings. All parts of these activities that can be carried out by the data controller himself cannot be required to be performed by the data processor.
If the assistance is associated with costs for the data processor, the data controller covers these.
C.4 Storage period/deletion routine
Upon termination of the service relating to the processing of personal data, the data processor must either delete or return the personal data in accordance with provision 11.1, unless the data controller – after signing these Provisions – has changed the data controller’s original choice. Such changes must be documented and stored in writing, including electronically, in connection with the Provisions.
C.5 Location of treatment
The processing takes place with the sub-processors listed in these Provisions.
C.6 Instructions on the transfer of personal data to third countries
The data processor may transfer personal data to secure third countries and to insecure third countries if there is a valid basis for transfer.
The data processor is hereby authorised to, on behalf of the data exporter, enter into an agreement on a suitable transfer basis with a data importer, including by applying the EU’s standard contract clauses on transfer (SCC) applicable at any time.
In addition, the data processor is authorised to establish any necessary additional measures after assessing the level of data protection in the unsafe third country. In addition, it is assumed that the technical and organisational measures described in Appendix C are considered sufficient to meet any requirement for the establishment of additional measures.
C.7 Procedures for the data controller’s audits, including inspections, with the processing of personal data entrusted to the data processor
GENERAL RULE: The data processor shall obtain once (1) annually, at its own expense, a statement/inspection report from an independent third party regarding the data processor’s compliance with the General Data Protection Regulation, data protection provisions of other Union or Member State law and these Provisions.
In addition, the data controller may require a declaration/inspection report after a breach if the data controller deems it necessary.
TRANSMISSION: The statement/inspection report is made visible/forwarded without undue delay to the data controller for information.
NEW STATEMENT/INSPECTION REPORT: The data controller may challenge the framework and/or methodology of the declaration/inspection report and may, in such cases, request a new declaration/inspection report under other frameworks and/or using another method.
ADDITIONAL MEASURES: Based on the results of the declaration/inspection report, the data controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data protection provisions of other Union or Member State law and these Provisions.
COSTS: Any costs associated with the additional measures are covered by the data controller by further agreement.
PHYSICAL INSPECTIONS: In addition, the data controller or a representative of the data controller has access to carry out inspections, including physical inspections, of the premises from which the data processor carries out the processing of personal data, including physical premises and systems used for or in connection with the processing.
Such inspections may be carried out when the data controller deems it necessary. The assessment must be based on facts and not on a feeling.
Physical inspection in any case requires prior agreement with the data processor, and with a prior notice of 3 weeks, so that the data processor is prepared to be able to devote the necessary resources to it.
Any expenses incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its inspection.
ALTERNATIVE FORM OF SUPERVISION: If the parties agree, an alternative form of supervision can be agreed, which must, however, comply with the data protection regulation and data protection regulations in other EU law or the national law of the member states.
C.8 Procedures for audits, including inspections, with the processing of personal data entrusted to sub-processors
MAIN RULE: The data controller’s duty to supervise the sub-processors takes place through the data processor’s supervision of the sub-processors.
PROCEDURE: The data processor supervises the sub-processors in the way that the data processor deems appropriate based on the risk assessment of the processing carried out by the sub-processor.
THE RESULTS OF SUPERVISION WITH THE SUB-PROCESSORS: The results of the data processor’s supervision of the sub-processors must appear in the information that must be sent to the data controller as described under point C.7, just as the data controller handles the information as under point C.7.
PHYSICAL INSPECTION: If the data controller wishes to inspect the sub-processors physically, the data processor only makes contact information of the sub-processor available, after which the physical inspection is irrelevant to the data processor.
Appendix 2: Personal data policy
Background
When you use our Service, we collect and process personal data about you as a customer. The protection of your personal data is important to us and we would like to explain how we process your personal data. Below you will find a description of the personal data we collect, for what purpose we process the personal data, how long we keep the personal data and whether we share the personal data with others.
We are the data controller – how do you contact us?
Uniconta A/S
VAT no.: 33266928
Ørestads Boulevard 73
DK-2300 Copenhagen S
Denmark
Tel: +45 70 33 16 16
Email address: info@uniconta.com
Contact details of the data protection officer
We do not have a data protection officer (DPO). On the other hand, we have a person who is responsible for all questions regarding our use of personal data and who handles any complaints from data subjects. You can contact info@uniconta.com with any questions.
Purpose
Your information is used in order to
- meet the EULA, including improving the Service and handling support requests, and to
- send service messages and news and updates about our Service.
Parts of the information will, to the relevant extent, be used to fulfill statutory duties, including the Danish Bookkeeping Act and the Danish Annual Accounts Act.
Categories of personal data and where the personal data originates
We collect personal data that falls under Article 6 of the General Data Protection Regulation (ordinary personal data).
We collect the personal data of the employees of our Customers with whom we are in contact.
The personal data relates to the tasks that we solve for our Customers. There will typically be contact information in addition to information related to support or queries regarding the Service.
The type of personal data
We collect contact information such as name, position, e-mail and telephone number of relevant employees of our customers and suppliers.
Legal basis
In order to collect, use and possibly disclose personal data, we must have a legal basis under the Data Protection Regulations, including the Data Protection Regulation and Law.
When we process personal data as a data controller in relation to our customers, the processing takes place on the basis of the EULA or for the purpose of adopting the EULA with Customers, cf. Article 6(1)(b) of the General Data Protection Regulation.
Finally, we process personal data if the law otherwise states that we have the right or obligation to do so. This may, for example, result from social or tax legislation and the Accounting Act, cf. the General Data Protection Regulation Article 6 (1) (c).
Recipients or categories of recipients
Your personal data is stored with our IT suppliers and other data processors, who provide, for example, hosting and development of our financial systems as well as e-mail.
Transfer to recipients in third countries
We do not transfer personal data to third countries outside the EU.
The period during which the personal data will be stored
Personal data is deleted on an ongoing basis. We store your personal data for at least one year after termination, unless we are required to keep the personal data for a longer period in accordance with legal requirements, including, for example, the Danish Accounting Act.
Your rights
In general: You should be aware that not all rights can be used to their full extent in all cases. For example, we do not delete information that we must store according to the law, or if we are entitled to continue to store the personal data for another reason.
The rights
You can gain insight into what personal data we process about you, and you can have any incorrect or incomplete personal data corrected.
You can have personal data deleted.
You can demand that we restrict the use of the personal data. You can also object to the processing of personal data.
You can also have some of your personal data transferred digitally (right to data portability).
Finally, we are obliged to inform any recipient to whom the personal data have been disclosed of any rectification or erasure or restriction of processing, unless this proves impossible or is disproportionately difficult. We will inform you who has received a copy of the personal data if you request it.
If you wish to make use of these rights, please contact us. See contact details above.
Complaint
If you wish to complain about our processing of personal data, please send an email with the details of your complaint to the above e-mail. We will deal with the complaint and get back to you.
You also have the right to complain to the Data Protection Authority about our processing of your personal data. Prior to such a complaint, we would appreciate being contacted.
For further information on how to complain to the Danish Data Protection Agency, please refer to the Danish Data Protection Agency’s website www.datatilsynet.dk