English (US)
Dansk
Norsk
Svenska
Suomi
English (UK)
Deutsch
Español
Français
Nederlands
Company Information
- Company
- Booking Board ApS
- Address
- Aabenraavej 44, 6100 Haderslev, Denmark
- Registration
- CVR: DK43231952
Background of the Data Processing Agreement
This agreement sets out the rights and obligations applicable when Booking Board (the data processor) processes personal data on behalf of a customer (the data controller).
The agreement is designed to ensure compliance with Article 28(3) of the General Data Protection Regulation (EU) 2016/679, which sets specific requirements for the content of a data processing agreement.
The data processor's processing of personal data occurs in connection with the data controller's use of the Booking Board system, as described in Booking Board's business terms.
The data processing agreement and Booking Board's business terms are interdependent and cannot be terminated separately. However, the data processing agreement may be replaced by another valid data processing agreement without affecting the business terms. If modified, Booking Board must notify the data controller and provide the new agreement.
This data processing agreement takes precedence over any similar provisions in other agreements between the parties, including Booking Board's business terms.
Rights and Obligations
The data controller is ultimately responsible for ensuring that the processing of personal data is conducted within the framework of the General Data Protection Regulation and the Data Protection Act.
The data processor must always comply without undue delay with reasonable requests from the data controller to ensure compliance with the General Data Protection Regulation and the Data Protection Act.
The Data Processor Acts According to Instructions
- The data processor may only process personal data according to documented instructions from the data controller unless required by EU law or national law. In such cases, the data processor shall inform the data controller of this legal requirement before processing, unless the relevant law prohibits such notification for important societal reasons.
- The data processor shall immediately inform the data controller if, in its opinion, an instruction violates the General Data Protection Regulation or data protection provisions in other EU or national laws.
Confidentiality
The data processor ensures that only persons who need access for their work for Booking Board have access to the personal data processed on behalf of the data controller. Access to the data must be immediately revoked if the person no longer needs access or is no longer affiliated with Booking Board.
Data Security
The data processor shall implement all measures required under Article 32 of the General Data Protection Regulation, ensuring appropriate technical and organizational security measures based on the risk to the rights and freedoms of natural persons:
- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security
Use of Sub-processors
The data processor must fulfill the conditions outlined in Article 28(2) and (4) of the General Data Protection Regulation to engage another data processor (sub-processor). The data processor may not engage a sub-processor without prior specific or general written approval from the data controller.
Transfer of Information to Third Countries or International Organizations
The data processor may only process personal data according to documented instructions from the data controller, including for transfers to third countries or international organizations, unless required by EU or national law.
Assistance to the Data Controller
The data processor shall assist the data controller in fulfilling its obligations to respond to requests from data subjects regarding their rights under Chapter 3 of the General Data Protection Regulation.
Notification of Data Breaches
The data processor shall notify the data controller without undue delay upon becoming aware of a personal data breach.
Deletion and Return of Data
Upon termination of the services related to processing, the data processor must, at the data controller's choice, delete or return all personal data to the data controller and delete any existing copies, unless EU or national law requires retention of personal data.
Supervision and Audit
The data processor shall make available all necessary information to demonstrate compliance with Article 28 of the General Data Protection Regulation and this agreement and allow for audits or inspections carried out by the data controller.
Effective Date and Termination
This agreement takes effect when the data controller starts using Booking Board's system. The agreement remains in force as long as the processing continues and cannot be terminated separately from the business terms of Booking Board.
Contact Person at the Data Processor
Inquiries regarding personal data can be directed to the following contact:
- Name
- Casper S. Paulsen
- Partner/Developer
- Phone
- 60534462
Annex A: Information on Processing
The purpose of the data processor's processing of personal data on behalf of the data controller is:
- To allow the data controller to use the Booking Board system, which is owned and managed by the data processor, to collect and process information about the data controller's members.
The processing includes the following types of personal data about the data subjects:
- Name, email address, phone number, address, date of birth, type of membership, registration, and attendance for the data controller's classes.
The processing includes the following categories of data subjects:
- Individuals who have created a profile with the data controller using Booking Board.
The data processor's processing of personal data on behalf of the data controller may begin after this agreement comes into effect. The processing is not time-limited and lasts until the agreement is terminated or canceled by either party.
Annex B: Sub-processors
B.1 Conditions for Using Sub-processors
The data processor has the data controller's general approval to use sub-processors. However, the data processor must notify the data controller of any planned changes regarding the addition or replacement of sub-processors, allowing the data controller to object.
Such notification must reach the data controller at least one month before the change is implemented. If the data controller objects, they must notify the data processor within 14 days. The data controller may only object if there are reasonable, specific grounds.
B.2 Approved Sub-processors
The data controller has, at the time of the agreement's commencement, approved the use of the following sub-processors:
| Name | Description of Processing |
|---|---|
| Twilio | Handles the sending of SMS messages from the system. |
| Mailgun | Handles the sending of emails from the system. |
| DigitalOcean | Provides IT infrastructure for running the system. |
| Hetzner | Provides IT infrastructure for running the system. |
| Scaleway | Provides IT infrastructure for running the system. |
| OneSignal | Handles the sending of push notifications from the system. |
| Sentry | Manages error logging of events in the system. |
The data controller has specifically approved the use of the above sub-processors for the exact processing described. The data processor may not, without the data controller's specific and written approval, use an individual sub-processor for a different type of processing or allow another sub-processor to perform the described processing.
Annex C: Instructions Regarding Processing
C.1 Subject of Processing / Instructions
The data processor's processing of personal data on behalf of the data controller occurs as follows: Managing the data controller's customers' data in connection with the data controller's use of Booking Board to manage classes, courses, payments, etc.
C.2 Data Security
The security level must reflect that the processed data includes basic personal information about the data subjects as well as details about their purchases and use of the data controller's products, but generally not special categories of personal data as described in Article 9 of the General Data Protection Regulation.
The data processor is therefore authorized and obligated to decide which technical and organizational security measures are necessary to ensure the required level of security for the data.
C.3 Retention Period / Deletion Routine
Personal data is stored by the data processor until the data controller requests the deletion or return of the data.
Additionally, member accounts that have been inactive for more than 24 months are automatically anonymized by the system, provided they have no active memberships, pending payments, or other ongoing activity.
When an individual user is deleted from the system, all directly identifiable information is removed, including name, address, email, date of birth, and any descriptive comments. What remains is an anonymized user, allowing the data controller to continue extracting reports.
C.4 Supervision Procedures
The data controller bears any costs related to physical supervision. However, the data processor is obligated to allocate the necessary resources required for the data controller to conduct supervision.