This Platform Data Processing Agreement (”DPA”) comprises part of the Platform Terms of Use between (the “Supplier”) Ramboll Group A/S and/or its Affiliates, as defined in the Platform-Terms Landing Page, and the Client.

“Client” shall mean the client specified in the Supply Agreement.

”Subcontractor” shall mean a data processor Processing Personal Data under the Supply Agreement entirely or partly on behalf of the Data Processor and under assignment from same.

”Personal Data” shall mean any information pertaining to an identified or identifiable natural person.

”Data Processor” shall mean the Supplier, processing Personal data upon under assignment from the Data Controller, solely for carrying out the Delivery and for the duration of the Supply Agreement.

”Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

”Software” shall mean the software version and scope of the Supplier’s off-the-shelf software specified in the Supply Agreement.

”Parties” shall mean the Supplier and Client jointly, each of them separately being a ”Party”.

”Services” shall mean consulting or other services pertaining to the Software, specified in the Supply Agreement.

“Data Controller” shall mean the Client, who determines the purposes and methods of Processing.

“Data Protection Legislation” shall mean the EU General Data Protection Regulation (Regulation 2016/679 EU) as well as data protection laws in force from time to time, applicable to the Supply Agreement and the Processing under this DPA.

”Delivery” shall mean the supply of the Software and Services specified under the Supply Agreement.

“Supply Agreement” shall mean the agreement for the Delivery concluded between the Supplier and the Client.

2.1 This DPA shall be applicable to all Processing of Personal Data occurring under the Supply Agreement.

2.2 This DPA shall form a binding agreement between the Parties concerning the Processing of Personal Data, as required under the Data Protection Legislation.

2.3 The Processing carried out by the Data Processor shall be limited to the processing measures set forth under the Supply Agreement and the functionalities of the Software. The Data Controller shall determine the type and volume of the Personal Data to be Processed in the Software, categories of data subjects as well as the purposes and methods of use of the Personal Data.

3.1 The Data Processor undertakes to comply with the obligations imposed under the Data Protection Legislation as well as good data processing practice in the Processing of Personal Data.

3.2 The Data Processor shall be obligated to Process the Personal Data saved in the Software in accordance with the documented, lawful and reasonable instructions issued by the Data Controller. It is stated for the sake of clarity that the Data Controller shall always be deemed to have instructed the Data Processor to carry out the processing actions under the Supply Agreement. In the case of a discrepancy between the Data Controller’s instruction and a legal obligation stipulated for under the Data Protection Legislation, the Data Processor shall be obligated to primarily comply with the legal requirement stipulated for under the Data Protection Legislation, in which case the Data Processor shall inform the Data Controller of this legal requirement, provided such informing is not prohibited under the Data Protection Legislation.

3.3 The Data Processor shall ensure that persons entitled to Process Personal Data on behalf of the Data Processor have undertaken confidentiality obligations or are subject to an appropriate statutory confidentiality obligation, surviving the termination of the Supply Agreement.

3.4 The Data Processor shall ensure that Personal Data is not disclosed to third parties without the prior written consent of the Data Controller, unless the Data Processor is obligated to disclose the information on the basis of mandatory legislation or an authority order.

3.5 To the extent possible and taking into account the nature of the Processing, the Data Processor undertakes to assist the Data Controller by means of appropriate technical and organisational measures to fulfil the Data Controller’s obligation to respond to the data subjects’ requests concerning the exercise of their rights under the Data Protection Legislation.

3.6 The Data Processor agrees, taking into account the nature of the Processing and the information available to the Data Processor, to assist the Data Controller to ensure that the obligations imposed upon same under the Data Protection Legislation are complied with. It is stated for the sake of clarity that the Data Processor shall be obligated to assist the Data Controller only in the scope imposed by the obligations of the Data Protection Legislation or other mandatory legislation.

3.7 The Data Processor shall maintain the requisite records of processing activities and shall make available to the Data Controller all information necessary for the Data Processor in order to evidence compliance with the obligations imposed upon the Data Processor in accordance with the Data Protection Legislation.

3.8 Unless otherwise agreed, the Data Processor shall have the right to charge the costs incurred from the actions described under clauses 3.5 and 3.6 above from the Data Controller.

4.1 In utilising the Software, the Data Controller undertakes to comply with the obligations imposed under the Data Protection Legislation and other mandatory legislation as well as good data processing practice in the Processing of Personal Data.

4.2 The Data Controller shall be obligated to provide the Data Processor with comprehensive and lawful instructions concerning the Processing in documented form. Any instructions in deviation from the Supply Agreement must always be separately agreed upon between the Parties in writing, and the Data Processor may separately invoice the Data Controller for the carrying out of same.

4.3 The Data Controller shall be responsible for ensuring that all data subjects whose Personal Data is being Processed with the aid of the Software, have been provided with the information required under the Data Protection Legislation and that the Processing of Personal Data, including any transfer of Personal Data to the Data Processor, as required by the use of the Software, is lawful for the entire duration of the validity of the Supply Agreement and this DPA.

4.4 Prior to the conclusion of the Supply Agreement and this DPA, the Data Controller shall be obligated to ensure that the Processing of Personal Data under this DPA meets the requirements imposed upon the Data Controller in relation to the Processing of Personal Data, including the data security requirements.

5.1 The Data Processor shall implement and maintain appropriate technical and organisational measures in order to protect Personal Data from any accidental or unlawful destruction, loss, or alteration, or from any unauthorised disclosure of or access to the Personal Data.

5.2 The Data Processor undertakes to notify the Data Controller without any undue delay of any Personal Data breaches detected by the Data Processor or a Subcontractor retained by same, pertaining to the Personal Data to be Processed under the Supply Agreement. Unless the Parties have otherwise agreed, the notification shall be made to the contact person designated by the Data Controller.

6.1 The Data Processor shall ensure that any Subcontractors retained by same undertake to Process Personal Data in accordance with the Data Protection Legislation, this DPA and the instructions issued by the Data Controller.

6.2 The Data Processor shall have the right to retain Subcontractors for the Processing of Personal Data under this DPA. When retaining Subcontractors for the Processing under this agreement, the Data Processor undertakes to conclude a written agreement with the Subcontractors. The Data Processor shall be responsible for the fulfilment of the Subcontractors’ obligations under the DPA in relation to the Data Controller.

6.3 The Data Processor shall inform the Data Controller of all contemplated changes concerning the adding or replacing of Subcontractors. In case the Data Controller does not accept the contemplated change and a change in the Subcontractor impacts the Processing of Personal Data under the Supply Agreement, the Data Processor shall have the right to terminate the Supply Agreement, subject to a termination notice period of thirty (30) days.

7.1 The Data Processor may transfer personal data outside of the European Union (”EU”), European Economic Area (”EEA”) or other countries which the European Commission has established as guaranteeing an adequate level of data protection (jointly ”Approved Territory”), in accordance with the terms and conditions of the Supply Agreement. The Data Processor shall comply with any requirements imposed by the supervisory authorities or other authorities serving as a prerequisite for obtaining an authority order pursuant to which Personal Data may be transferred outside of the Approved Territory.

7.2 Prior to transferring Personal Data outside of the Approved Territory, the Data Processor shall implement the appropriate security measures required under the Data Protection Legislation and, if necessary, shall conclude an agreement with the Subcontractor retained by it regarding the transfer of Personal Data employing the model contractual clauses approved by the European Commission (”Model Contractual Clauses”). The Data Controller shall authorise the Data Processor to agree upon the application of Model Contractual Clauses with the Subcontractor established outside of the Approved Territory on behalf of the Data Controller.

8.1 The Data Controller shall at its own expense have the right to audit the Data Processor’s operations encompassed by the DPA (”Audit”). The Data Controller must also compensate the Data Processor for any costs incurred from the Audit.

8.2 The Parties shall agree upon the timing and other details of the Audit in good time prior to the carrying out of same. All persons participating in the Audit must sign a confidentiality undertaking required by the Data Processor for the benefit of the Data Processor. Unless otherwise required under the Data Protection Legislation, the Data Controller shall have the right to carry out no more than one Audit per each time period of twelve (12) months.

9.1 The Parties shall be liable for the fulfilment of the obligations entailed by the Data Protection Legislation, other mandatory legislation and this DPA in their own operations. Either Party shall, therefore, be itself liable for any administrative fines imposed by the supervisory authority or for any damages awarded by a competent court of law as a result of claims brought by the data subjects or other third parties, which according to the ruling of the relevant authority or court of law follow from an action or omission of a Party in breach of the obligations stipulated for under the Data Protection Legislation or this DPA. In all other respects, liability between the Parties shall be determined in accordance with the terms and conditions governing liability and limitation of liability agreed upon under the Supply Agreement.

10.1 This DPA shall remain in force for as long as the Supply Agreement remains in force, or until the Data discontinues the Processing, whichever is later.

10.2 Upon the termination of the Supply Agreement, the Data Processor undertakes in accordance with the Data Controller’s instructions to erase or return all Personal Data to the Data Controller and to delete any existing copies of same, unless the applicable mandatory legislation requires for the Personal Data to be retained. The procedures for the erasure and returning may be agreed upon in more detail between the Parties. In any case, the Data Processor shall have the right to erase the Personal Data without any separate notice latest after two (2) months of the termination of the Supply Agreement.