TERMS AND CONDITIONS
General terms and conditions for customers use of Sproom's trading platform
Valid from 1 March 2018
1. ACCESS TO THE TRADING PLATFORM
1.1 Sproom Solutions A/S (hereinafter referred to as “Sproom”) gives the Customer non-exclusive right of use of the Trading Platform under the terms set forth in these “General Trade Terms for Network Users”. The right of use includes the Customer’s company, which is exercised under the registered CVR number at the specified Contact Address. If the Customer changes their Contact Address, this should be updated immediately via the Website.
1.2 The right of use enters into force when the Customer is created as a User on the Website and when the Customer has accepted the General Trade Terms for Network Users. The right to use is, at all times, subject to the Customer fulfilling its obligations.
1.3 The Customer’s access to the Trading Platform requires login with an email and password. The password is received via mail when created as a User, after which it can be changed on the Website. It is always the Customer’s responsibility that unauthorised persons do not gain access to the Customer’s password and Sproom account. All transactions made with a valid login are the Customer’s responsibility.
1.4 The Customer’s use of the Trading Platform is subject to continued Subscription to the relevant Services, as well as payment of the relevant Current Services according to the applicable price list.
1.5 The Customer may use Sproom’s Trading Platform to send and/or Receive invoices and other business documents. The right to use the Trading Platform applies to the Customer and Customer’s Affiliated Companies and Associated Companies, provided that they have established their own right of use.
1.6 The Customer may allow third parties to use the Trading Platform on behalf of the Customer if this use is in accordance with the General Trade Terms for Network Users, and the Customer indemnifies and enforces the third party’s use to Sproom.
1.7 Except for the use described above and except for the rights described in Sections 1.5 and 1.6, the Customer cannot transfer, sublicence, lend or otherwise make the Trading Platform available to third parties.
1.8 In addition to the applicable provisions of the data protection legislation for operators as data processors, cf. item 1.9, responsibility for compliance with applicable laws in connection with data exchange through the Trading Platform is the sole responsibility of the Customer. The customer is responsible for the content and accuracy of the issued electronic invoices and other business documents and that they comply with the then applicable legislation. Sproom does not control the contents of the received electronic documents, but only that they are valid in relation to the supported standards and formats.
1.9 The Customer agrees, upon acceptance of the General Trade Terms for Network Users, that an electronic invoice is considered a document having the same legal effect as a regular physical invoice. The customer’s dispatch of electronic invoices containing personal data will be subject to the data protection legislation currently in force, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the General Data Protection Regulation and the Data Processing Act of 25 May 2018; Data Protection Act (Act on supplementary provisions to the regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information). The Customer is the data controller for all personal data that the Customer receives, processes and transmits via Sproom’s Trading Platform and in connection with the issuance of electronic invoices. Sproom is the sole data processor for personal data that the Customer processes in the Trading Platform. The Customer is responsible for ensuring that the Customer and Recipient’s processing and transmission of electronic invoices complies with applicable data protection legislation at any given time. Sproom cannot be held responsible for this, and the Customer shall indemnify Sproom for any compensation and fine liabilities. The Customer has also acceded to Sproom’s general data processing terms; “Data Processing Agreement”.
1.10 The Customer ensures that the accounting materials and copies thereof are kept in accordance with applicable legislation.
2.1 The Customer, upon acceptance of the General Trade Terms for Network Users, allows Sproom to act as an operator on behalf of the Customer and that documents may be delivered with releasing effect through the channels chosen by Sproom to carry out data transport. Sproom is not responsible for errors in the recipient’s system and cannot guarantee a deadline for receiving the document at the recipient.
2.2 The Customer simultaneously accepts the General Terms for Use of NemHandel, as evidenced by https://digst.dk/media/13701/nemhandel-aftalevilkaar-version-1-4.pdf
2.3 Sproom records the Customer’s Contact Address, CVR Number, GLN Number, and which document types and Standard Formats the Customer can send and receive in an electronic storage directory. The Customer consents to the electronic storage directory being made available to other senders, recipients and operators. As a registered User in Sproom, the Customer agrees to also receive documents from other companies.
3. INTEGRATION OF SPROOM’S TRADING PLATFORM
3.1 The use of Sproom’s Integration Tools is at the sole responsibility of the Customer and it is also the Customer’s responsibility to ensure the correct configuration and setup of its other systems so that data is sent properly and received correctly from the Trading Platform, including properly validated in the Standard Format selected on the Website. The Customer exonerates Sproom from any liability in connection with the use of the Integration Tools, except for correction of flaws and deficiencies [defects] in accordance with Section 6.
3.2 The Customer’s use and integration of Third-Party Software in connection with the use of Sproom’s Services and the Trading Platform is at the sole responsibility of the Customer and the licensing and installation of Third-Party Software are done at the Customer’s own risk and expense.
4. COMMUNICATION AND PRESS
4.1 If Sproom wishes to use the Customer as a reference, for example, when preparing a reference case, article or the like, this must be approved by the Customer from time to time.
5.1 Sproom will continuously communicate to the Customer via email about the use of the Trading Platform – including operational information, product and software updates and satisfaction surveys via questionnaires. If the Customer or one of their Representatives has agreed to receive Sproom’s promotional emails, as well offers from third-party suppliers, the consent may be revoked by clicking “unsubscribe” in the forwarded email.
6. BUG FIXES [ERROR RECOVERY]
6.1. Sproom continuously debugs the Trading Platform or Integration Tools with regard to functionality. Bug fixes will be released regularly by Sproom.
6.2 If the Customer becomes aware of an error in the functionality of the Trading Platform or Integration Tools, the Customer is obligated to promptly inform Sproom Support by email at firstname.lastname@example.org.
6.3 After an error [bug] has been reported to Sproom, Sproom will determine the importance of the error and handle it accordingly.
6.4 For upgrades that are expected to affect the uptime specified in Section 10.1, Sproom will notify of a possible downtime on the Website at least 24 hours before the upgrade is initiated.
6.5 It is a debugging prerequisite that the Customer uses the latest version of Integration Tools and other software released by Sproom. The Customer must provide the Customer with a sufficient description of the error and the Customer must keep his other applications, which need to be integrated with Sproom, updated to a supported version. All related costs must be borne by the Customer alone.
7. EXCLUDED SERVICES
7. 1 Sproom’s maintenance and support do not include:
- software, hardware and other components not provided or made available by Sproom
- errors and issues caused by or affected by software, hardware, and other components not provided or made available by Sproom
- errors and problems caused by the Customer or User failing to follow the instructions and recommendations given by Sproom
- errors and problems caused or influenced by third parties who do not act on Sproom’s behalf
- software developed or modified specifically for the Customer
8. PRICES AND PAYMENT
8.1 The Customer may, at any given time, purchase a Subscription to the Services on the Website. Current Fees for Services purchased via the Website can be found on the Website.
8.2 Current Subscription Fees are billed monthly in advance until cancelled pursuant to Section 12.1. Upon signing up for Services, the Subscription will be binding for 30 days. Current Fees based on the Customer’s actual usage or usage exceeding the limit for a Subscription are deducted from the Customer’s Account and will be billed monthly in arrears. Subscriptions, limits, and Current Fees for actual usage can be found on the Website.
8.3 The Customer shall pay for Sproom’s fees in accordance with the applicable prices quoted on the Website.
8.4 Sproom reserves the right to regulate its prices for the platform and other Services. The Customer will be notified in accordance with the term of notice (cf. Section 12.1) before the regulated prices enter into force.
8.5 In order to ensure that all of the Customer’s invoices are always sent and received, Sproom automatically updates the Customer’s Subscription if the Customer exceeds the current limit for the number of documents included in the selected Subscription. If the Customer’s needs change, the Customer can switch to another Subscription at any given time.
8.6 Subscriptions and Current Fees are automatically deducted from the Customer’s Account on the first day of the month. The Customer is obliged to keep a positive balance on the Customer’s Account. The customer has three payment options: Automatic payment, manual top-up using a payment card and bank transfer.
8.7 When signing up for automatic payment, the Customer allows Sproom to charge the customer’s payment card for the Customer’s selected or used Services. When signing up for automatic payment, the Customer allows Sproom’s payment operator to store all necessary payment card information for the automatic debit of the customer’s payment card. Sproom only saves information about the last 4 digits of the card number. The automatic payment agreement shall no longer apply on the payment card’s expiration date or if said card becomes blocked or cancelled. If the Customer still wishes to be registered for automatic payment, the customer must re-register using a new payment card. If the Customer wishes to change payment cards, the Customer must opt out of automatic payment and must re-register using the new payment card. Upon registering for and unsubscribing from automatic payment, the User will receive a receipt via email. Registering and unsubscribing are done on the Website.
8.8 For manual top-ups, the Customer must make a payment on his Sproom account so that he always has a positive balance. Payment is made via the Website. The customer must pay in advance by payment card or by bank transfer. You can top-up with any amount above 100 DKK, excl. VAT. If the Customer pays via bank transfer, an administration fee will be charged according to the price shown on the Website. For each top-up, an email will be sent to the Customer confirming the amount topped up. In addition, the Customer will receive a monthly invoice showing the Customer’s actual monthly usage. If the Customer is a private person, the credit balance on the Customer’s Sproom account must not exceed 3,000 DKK.
8.9 If the balance on the Customer’s Account is close to $0 DKK, Sproom will send an email to the Customer in this regard. If the Customer’s Account is overdrawn, 1.5% interest will be charged per month until the amount is received by Sproom. Defaulting on payments does not serve as cancellation of the Subscription. The Customer is liable for payment of the Current Fees and interest until cancellation pursuant to Section 12.1.
8.10 The credit balance on the Customer’s Sproom account can be paid out by written request. A fee will be deducted to cover administrative costs. The fee is stated on the Website. However, if the Customer is a private person, no fee will be charged. The refund will be made to the account number specified on the User’s profile.
8.11 The refund will be made to the account number specified on the User’s profile.
8.12 All prices are exclusive of VAT and other taxes payable by the Customer.
9. INTELLECTUAL PROPERTY RIGHTS
9.1 All of Sproom’s Intellectual Property Rights remain Sproom’s property totally and completely.
9.2 Under no circumstance may the Customer decompile or manipulate the Trading Platform. If the Customer needs information about Sproom’s functionality, please contact Sproom Support.
9.3 If a third party claims that Sproom has violated the third party’s rights, the Customer must promptly inform Sproom in writing, and Sproom will take over the defence of the case. Sproom must, at its own expense, have full control over the case and the Customer may not acknowledge guilt or settle or compromise on Sproom’s behalf, without Sproom’s prior written acceptance. The customer must provide Sproom with reasonable assistance in connection with such a case.
9.4 Sproom indemnifies the Customer for all claims and costs relating to the matter, which may be imposed on the Customer by a final decision of a competent court or which result from a settlement made by Sproom. Alternatively, Sproom is entitled to offer the Customer another solution in order to avoid the violation or to acquire a valid third-party right of use.
9.5 If Sproom cannot provide an alternative solution and cannot acquire a valid third-party right of use, Sproom is entitled to terminate the Agreement applicable to the affected parts of Sproom’s Services. The customer must then discontinue using the affected parts.
9.6 Sproom will not be responsible for indemnifying the Customer for any costs or damages arising from the Customer’s use of software or services not provided by Sproom or any of Sproom’s subcontractors or due to a combination of a Sproom Service and other applications that are not supplied by Sproom.
9.7 The foregoing rights constitute the Customer’s comprehensive rights in the event of a third-party claim for violation of third-party intellectual property rights.
9.8 If the Customer becomes aware of an existing or potential violation of Sproom’s Intellectual Property Rights, the Customer must promptly notify Sproom in writing.
10. SPROOM’S OBLIGATIONS
10.1 With the exception of notified upgrades, cf. Section 6.4, Sproom will ensure that the Trading Platform is available at least 99.5% of the year. Sproom is not responsible for the lack of availability resulting from the failure to the supply of data communications.
10.2 For the Customer’s incoming invoices and other business documents, Sproom will ensure that they are delivered to the Customer in the correct and validated Standard Format. On the Website, the Customer can choose which Standard Format they wish to receive.
10.3 For the Customer’s sent invoices and other business documents, Sproom will ensure that they can be sent in the Standard Format selected on the Website, validated and, if they are correct, delivered to the recipient in the latter’s default Standard Format.
10.4 In the event that the sent invoices cannot be delivered to the recipient, the Customer is notified about correcting the information so that the invoices can be sent.
10.5 Insofar as Sproom is to assist the Customer in setting up Integration Tools, Sproom will comply with the Customer’s reasonable security rules.
10.6 Sproom’s obligations as data processor, in accordance with applicable data protection legislation, are stated in the Data Processing Agreement. As regards Sproom’s processing of personal data for its own purposes, please refer to the Privacy Statement. The Customer also gives Sproom the right to store the Customer’s data after cancellation in order to use this in an anonymous form for statistics and analysis of the service.
11. LIMITATION AND DISCLAIMING OF LIABILITY
11.1 Sproom disclaims any liability for errors and omissions that do not arise from the Trading Platform, but which are related to external factors, including software that has not been developed by Sproom. In addition, Sproom disclaims any liability for the Trading Platform’s impact on the Customer’s hardware or other software, as well as any liability for errors, deficiencies or inconveniences in the third-party’s standard software. Sproom is also not responsible for compatibility and the Trading Platform’s functionality in the case of the Customer’s own implementation against the Trading Platform for updates, as well as upon the Customer’s installation of Third-Party Software, including spam filter, new versions, modified setup, etc.
11.2 Sproom shall never be held liable for subsequent loss or damage, regardless of whether these were predictable, known or otherwise came to Sproom or the Customer’s knowledge:
- loss of revenue
- loss of actual or expected profit
- damage to, destruction or loss of data or software, for whatever reason
- consequential damages of not having access to data or software, for whatever reason
- damage or loss to the Customer due to hacking, viruses or similar attacks directed at Sproom
- loss of goodwill
- loss of expected savings
- loss of the use of available funds
- business interruptions
- referring to the regulation in Sections 9.2 to 9.8, any loss related to third-party claims of any kind, any kind of indirect loss, special loss or consequential loss or other loss that may arise from the Customer’s use of the Trading Platform
- loss or fines as a result of the Customer’s failure to comply with applicable data protection regulation, cf. item 1.9.
11.3 Should Sproom, in spite of the above, be recognised as liable for damages, Sproom’s liability is always limited to an amount equal to the remuneration paid by the Customer for use of the service in the last preceding month before the claim for damages arose, however, so that Sproom’s total liability for damages to the Customer, regardless of the above, can never exceed 1,000.00 DKK.
11.4 The above disclaimer also applies to product liability, which is generally disclaimed, unless otherwise prevented by mandatory legislation.
12. TERM AND TERMINATION
12.1 The agreement enters into force at the time of the Customer’s registration as a User of the Trading Platform and may be terminated or amended by both Parties by written notice of one month to the end of a month. The customer is able to continuously register and unsubscribe to the various functionalities of the Trading Platform. Registration is immediate and the Subscription is cancelled with effect until the end of a month, however, the Customer’s access to functionality will expire immediately upon cancellation. The Customer’s registered Subscriptions can be found on the Website.
12.2 Changes to the General Trade Terms For Network Users will be communicated to the Customer via the Website or via email. The current version of the General Trade Terms for Network Users will always be available on the Website. The modified General Trade terms For Network Users enters into force 4 weeks after the change has been communicated to the Customer.
12.3 Upon cancellation, up to 4 weeks of processing time may be expected before any prepaid amount in the account is refunded. An administration fee will be deducted from the refund according to the prices stated on the Website.
12.4 If one of the Parties substantially violates the Agreement and fails to remedy the default within 30 days of the date of the material breach of the Agreement being notified in writing by the other Party, the non-defaulting Party has the right to terminate the Agreement with immediate effect, in writing.
12.5 In the case where Sproom cancels due to the Customer’s material breach, the Customer shall immediately cease to use the Service.
12.6 Sproom reserves the right to permanently or temporarily suspend the Customer’s access to the Website, including withholding documents to/from the Customer under Danish law. If it is agreed that access to use of the Website will be reopened, Sproom is entitled to charge a separate re-entry fee for this.
12.7 Termination of the Agreement does not exempt the Customer from his payment obligation for the disposal and use of Sproom’s Services until the Customer actually ceases to use the Service.
12.8 Upon termination of the Agreement, for any reason, Sproom maintains the Customer’s intact profile, filing, log, etc., for 30 days from the termination date. If the Customer does not resume the Agreement by means of deployment, payment of anything outstanding or otherwise re-activating the use of the Service, Sproom has the right to delete all data processed during the Agreement by the Customer via the Trading Platform unless the Customer wishes to have the data returned upon payment for costs, cf. details of the Data Processing Agreement. The customer can subsequently not require data recovery or claim compensation for deleted data.
13. FREEDOM FROM RESPONSIBILITY
13.1 None of the Parties may be held liable for errors or delays in the performance of their obligations if performance is prevented by events that can reasonably be said to be outside the control of each Party, including in the event of war, unrest, rebellion, general strike, labour market unrest, fire, flood, natural disasters, monetary constraints, trade embargoes, transport delays, interruption or breakdown of energy supply, compliance with legislation, orders, rules and regulations issued by a lawful government agency or similar event.
14.1 Sproom is entitled, wholly or partially, at its sole discretion, to assign rights and obligations under the General Trade Terms for Network Users to third parties.
15. APPLICABLE LAW AND JURISDICTION
15.1 These General Trade terms for Network Users are governed and interpreted under Danish law without regard to the United Nations Convention on Contracts for the International Trade in Goods and the Principles of Conflicts of Laws.
15.2 If the Parties fail to resolve a dispute amicably, the Copenhagen City Court shall be the first instance except if the Law on Jurisdiction, with reference to jurisdiction, enables the conflict to be brought before the Maritime and Commercial Court as the first instance.
16.1 Invalidity or limitation of enforcing a Section or part of a Section in the General Trade Terms For Network Users shall not affect the ability to enforce other clauses or sections that shall continue to be fully valid throughout the term of the Agreement.
17.1 In these General Trade Terms for Network Users, there are defined a number of terms and expressions that, when written with the first letter capitalised, have the following meaning:
“Subscription” means the ongoing right to exercise the right to use the Trade Platform’s various functionalities, tools and services as provided by Sproom, from time to time. “Associated Companies” means companies that are not Affiliated Companies in relation to the Customer but who, in agreement with the Customer, have been granted access to the Trading Platform to act on the Customer’s behalf.
“User” means the daily user of the Trading Platform on behalf of the Customer, its Affiliated Companies or Associated Companies.
“Data Processing Agreement” means the separate agreement on the processing of personal data on behalf of the Customer, which is concluded between the Customer and Sproom.
“Website” means Sproom’s chosen website on the internet, through which the Trading Platform is made available to the User. The website URL is: www.sproom.net. Certain features on the Website require the Customer to log in with their assigned username and password.
“Integration Tools” means a number of software components that Sproom makes available from time to time, enabling electronic exchange of Sproom’s supported data formats between the Trading Platform and the Customer’s systems.
“Intellectual Property Rights” means intellectual property rights to the Service, web portal and underlying technology, including intellectual property rights, designs, patents, trademark rights, and other rights, as well as know-how for the Trading Platform with related Services and Integration Tools, new products and deliveries released by Sproom, from time to time, as well as documentation.
“Affiliated Companies” means companies controlled by the Customer either
- through direct or indirect ownership of more than fifty percent (50%) of the share capital or other equity;
- through a voting share of more than fifty percent (50%) of the votes; or by contractually choosing more than half of the company’s board members or similar decision-making bodies.
“Contact Address” means the Customer’s current contact address, including home address, telephone number and email, which is continuously updated via the Website.
“Customer” means the legal entity defined in the Individual Terms.
“Customer’s Account” means the customer-specific account created on the Trading Platform and on which the Customer’s total usage and payments are recorded. “Current Fees” means payments for Subscriptions taken out via the Website.
“Receive” means the Customer’s ability to receive invoices and other business documents from public and private suppliers through the Trading Platform.
“Network Users” means Users of the Trading Platform that have subscribed via the Website.
“Party” means either the Customer or Sproom, according to the context in which it occurs.
“Parties” means both the Customer and Sproom together.
“Trading Platform” means Sproom’s solution for sending and receiving electronic invoices and other business documents. The Trading Platform includes various Integration Tools and Services, which are offered by Sproom, from time to time. “Send/Sending/Sent” means the Customer’s ability to send invoices and other business documents to public and private suppliers through the Trading Platform.
“Services” means services which are specified as services on the Website.
“Sproom” means Sproom Solutions A/S.
“Sproom Support” means Sproom’s Help Desk which handles reported errors/bugs and provides support according to Sproom’s Support Programmes.
“Standard Format” means national and international invoice formats supported by the Trading Platform and in which the Customer can send and receive their invoices and other business documents. Supported standard formats are continuously expanded and can always be found on the Website.
“Support Programmes” means support for the Trading Platform and other Sproom products provided either by email or by telephone. Content and service levels of the support programmes can be found on the Website.
“Third-Party Software” means software developed by third parties that the Customer has acquired for use in their business, in some cases integrated with the Trading Platform using the Integration Tools.
DATA PROCESSING AGREEMENT
By using the Sproom Trading Platform and any module or feature associated with the software (as a whole, referred to as the “Software”), the Data Controller will be responsible for its Processing of Personal Data in the Software. The Data Processor will exclusively process personal data on behalf of the Data Controller. In order to ensure that the Parties comply with their obligations under national data protection legislation, as well as Regulation (EU) 2016/279 of the European Parliament and of the Council (“GDPR”), the Parties have concluded this Data Processing Agreement (“the Agreement”), which constitutes the instructions from the Data Controller to the Data Processor, thus regulating the Data Processor’s Processing of Personal Data on behalf of the Data Controller.
Both Parties confirm that they have the authority to sign the Agreement.
The Data Processor also exclusively processes Personal Data in accordance with Sproom’s Privacy Statement, which can be found via this link: https://sproom.net/privacy/privacy-policy/.
It applies to the entire Agreement and in the relationship between the Data Controller and the Data Processor, that requirements arising from the GDPR described in this agreement and which are not in accordance with current legislation shall not apply until 25 May 2018, when the GDPR shall take effect.
The definitions for Personal Data, Special Categories of Data (Sensitive Data), Processing, Data Subject, Data Controller and Data Processer are the same as the relevant Personal Data Act, including the GDPR.
The Agreement governs the Data Processor’s Processing of Personal Data on behalf of the Data Controller and describes how the Data Processor will help protect privacy on behalf of the Data Controller and its Data Subjects through the technical and organisational measures required under the applicable data protection legislation, including the GDPR of 25 May 2018.
The purpose of the Data Processor’s Processing of Personal Data on behalf of the Data Controller is to ensure the Data Controller’s use of the Software and the fulfilment of this Agreement.
DATA PROCESSOR'S OBLIGATIONS
The Data Processor must exclusively process Personal Data on behalf of and as a result of the Data Controller’s instructions. By entering into this Agreement, the Data Controller instructs the Data Processor to process Personal Data in the following ways: i) in accordance with applicable law, ii) to fulfil its obligations under the terms and conditions of the Software; iii) as further specified by the Data Controller’s normal use of the Software, and iv) as described in this Agreement.
As part of being able to provide the Software, the Data Processor is obligated, at all times, to provide the Data Controller with good and competitive solutions that are accompanied by development. The Data Processor can offer better solutions that are tailored to the needs of the Data Controller by recording how the Data Controller and its representatives use the Software. This allows the Data Processor to make a better version of the Software and generally provide better services and provide more relevant communication to the Data Controller and its representatives. The goal is for the Data Controller to solve as many challenges as possible in one place. Insofar as personal data from the Software is included in this work, it is processed in accordance with this Agreement and applicable law and may be shared with companies in the Visma Group for the purpose of this work.
The Data Processor has no reason to believe that applicable law prevents the Data Processor from following the instructions set out above. The Data Processor shall, if aware of it, provide the Data Controller notice of instructions or other Processing Activities performed by the Data Controller, which, in the view of the Data Processor, violates applicable data protection legislation.
The Categories of Data Subjects and Personal Data processed under this Agreement are described in Annex A.
The Data Processor must assist the Data Controller, as far as possible, with appropriate technical and organisational measures and taking into account the nature of the Processing and the category of data available to the Data Processor to ensure compliance with the Data Controller’s obligations under applicable data protection legislation including as regards assistance in response to requests from Data Subjects and general compliance with the provisions of Articles 32-36 of the GDPR.
The Data Processor shall notify the Data Controller without undue delay via a contact person specified in the Data Processing Agreement if the Data Processor becomes aware of security vulnerability.
In addition, the Data Processor shall, as far as possible and lawfully, inform the Data Controller if:
- A request for access to Personal Data is received directly from the Data Subject
- A request for access to Personal Data is received directly from government agencies, including the police.
The Data Processor must not respond to such requests from Data Subjects, unless authorised by the Data Controller to do so. Furthermore, the Data Processor will not disclose information about this Agreement to government agencies such as the police, including Personal Data unless the Data Processor is required to by law, such as by a court order or the like.
If the Data Controller requires information or assistance pertaining to security measures, documentation or information about how the Data Processor generally processes Personal Data and such request contains data that goes beyond what is required by applicable data protection legislation, the Data Processor may require payment for such additional services.
The Data Processor and its employees shall ensure confidentiality in relation to the Personal Data processed under the Agreement. This provision shall also apply after termination of the Agreement.
DATA CONTROLLER'S OBLIGATIONS
The Data Controller confirms upon the conclusion of this agreement that:
- When using the Software, the Data Controller shall allow the Data Processor to exclusively process Personal Data in accordance with the requirements of the applicable data protection legislation.
- The Data Controller has a legal basis for processing and disclosing Personal Data to the Data Processor (including for subprocessors used by the Data Processor).
- The Data Controller is responsible for the accuracy, integrity, content of the reliability and the legality of the Personal Data Processed by the Data Processor.
- The Data Controller has fulfilled all mandatory requirements and obligations in relation to notification to, or obtaining permission from, the relevant public authorities regarding the Processing of Personal Data.
- The Data Controller has fulfilled his disclosure obligations to the Data Subjects regarding the processing of Personal Data in accordance with applicable data protection legislation.
- The Data Controller agrees that the Data Processor has provided the relevant guarantees regarding the implementation of technical and organisational security measures to ensure the rights of the Data Subjects and their Personal Data.
- The Data Controller shall not, when using the Software, process Sensitive Data, unless specified in Annex A to this Agreement.
- The Data Controller must have an updated list of the categories of Personal Data it processes, especially in so far as such Processing differs from the categories of Data listed in Annex A.
USING SUBPROCESSORS AND DATA TRANSMISSION
As part of the operation of the Software, the Data Processor uses subcontractors (“Subprocessors”). Such Subprocessors may be other companies within the Visma group to which Sproom belongs or third-party suppliers within and outside the EU/EEA. The Data Processor’s subcontractors are listed in the currently updated list of subprocessors, which can be seen here: https://sproom.net/terms/subcontractors. The Data Processor must ensure that its Subprocessors comply with the corresponding obligations and requirements described in the Agreement. All use of Subprocessors is also subject to the Visma Group’s Privacy Statement.
This Agreement constitutes the Data Controller’s prior general and specific written approval of the Data Processor’s use of Subprocessors.
If a Subprocessor is established outside or Personal Data is stored outside of the EU/EEA, the Data Controller authorises the Data Processor to ensure a sufficient basis for transmitting Personal Data to a third country on behalf of the Data Controller, including using the EU Commission’s Standard Contracts or in accordance with the Privacy Shield.
The Data Controller must be informed before the Data Processor replaces its Subprocessors. However, the Data Controller is only entitled to protest against a new Subprocessor, who processes Personal Data on behalf of the Data Controller, if they do not process data in accordance with applicable data protection legislation. In such a situation, the Data Processor shall demonstrate compliance by giving the Data Controller access to the Data Processor’s data protection evaluation pertaining to the Subprocessor. If there is still disagreement with the use of the Subprocessor, the Data Controller may terminate its subscription to the Software, including with a shorter notice than usual, in order to ensure that the Data Controller’s Personal Data is not processed by the Subprocessor in question.
The Data Processor is required to ensure a high level of security in its products and services, as ensured by appropriate organisational, technical and physical security measures required by the security measures as described in Article 32 of the GDPR.
In addition, the Visma Group’s internal data protection policies aim at ensuring confidentiality, integrity, resistance and access to Personal Data. The following measures are particularly important:
- Classification of Personal Data in order to ensure implementation of security measures relevant to risk assessments.
- Assessment of encryption and pseudonymisation as risk mitigating factors.
- Limit access to Personal Data to the relevant persons required to comply with the requirements and obligations of the Agreement or pursuant to the Parties’ agreement on the use of the Software.
- Operation and implementation of systems that can detect, restore, respond and report events related to Personal Data.
- Identify and map the security structure and how to transfer Personal Data between the Parties.
- Make an assessment of one’s own level of security to ensure that current technical and organisational measures are sufficient for the protection of Personal Data, including in accordance with Article 32 of the GDPR on Processing Security, and Article 25 on Privacy by Design and Default.
ACCESS TO REVIEW
The Data Controller is entitled to initiate a review of the Data Processor’s obligations under the Agreement once a year. If the Data Controller is required to do so under applicable legislation; reviews can be repeated once a year. The Data Controller must send a detailed review plan with a description of the scope, duration and start date at least four weeks prior to the proposed start date for requesting a review. It must be decided jointly between the Parties if a third party is to conduct the review. However, the Data Controller may allow the Data Processor to decide whether the review of the security reasons should be done by a neutral third party of the Data Processor’s choosing, insofar as there is a processing environment where multiple data controller data is used.
If the proposed scope of the review follows an ISAE, ISO or similar certification report conducted by a qualified third party reviewer within the previous twelve months and the Data Processor confirms that there have been no material changes in the measures under review, the Data Controller must accept this review instead of requesting a new review of the measures which have already been covered.
In any case, reviews must take place during normal office hours at the relevant facility in accordance with the Data Processor’s policies and may not unreasonably interfere with the Data Processor’s usual business activities
The Data Controller is responsible for all costs associated with the request for review. The Data Processor’s assistance in connection therewith, which exceeds the general service that the Data Processor and/or Visma Group must make available as a result of applicable data protection legislation, shall be settled separately.
TERM AND TERMINATION
The Agreement is valid as long as the Data Processor processes Personal Data on behalf of the Data Controller in connection with the Data Controller’s use of the Software.
This Agreement will automatically terminate at the end of the Data Controller’s notice period in relation to the Software Subscription. Upon termination of the Subscription, the Data Processor will erase or return all Personal Data in the appropriate format that the Data Processor has processed on behalf of the Data Controller under the Agreement. If the Data Controller requests assistance with returning the data, the associated costs shall be determined jointly by the Parties and shall be based on: (i) hourly rates for the Data Processor’s time spent; (ii) the complexity of the requested process; and (iii) the format chosen.
The Data Processor is entitled to retain Personal Data after termination of the Agreement insofar as it is required by applicable legislation, which, in such case, will be in accordance with the technical and organisational measures described in the Agreement.
Changes to the Agreement must be enclosed in a separate Annex to the Agreement.
If any of the provisions of the Agreement are invalid, this will not affect the remaining provisions. The Parties shall replace invalid provisions with a legal provision that reflects the purpose of the invalid provision.
Liability for actions contrary to the provisions of this Agreement is governed by the liability and compensation provisions in Sproom’s terms and conditions. This also applies to any violation by the Data Processor’s Subprocessors.
GOVERNING LAW AND JURISDICTION
The agreement is governed by Danish law and any dispute must be brought before a Danish court.
Annex A – Categories of Personal Data and Data Subjects
1. THE CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA PROCESSED UNDER THIS AGREEMENT
a) Categories of Data Subjects
i. The Data Controller’s end users
ii. The Data Controller’s employees
iii. The Data Controller’s contact persons
iv. The Data Controller’s customers and the customers’ end users
v. The Data Controller’s customers’ employees
vi. The Data Controller’s customers’ contact persons
b) Categories of Personal Data
iii. Telephone Number
2. THE CATEGORIES OF SENSITIVE PERSONAL DATA PROCESSED UNDER THIS AGREEMENT
The Data Processor shall process one or more of the following data on behalf of the Data Controller:
- Political, philosophical or religious conviction
- Trade union membership
- Race or ethnic origin
- Health data
- Information about an individual’s sexual relationships or sexual orientation
- Genetic or biometric data for the purpose of uniquely identifying a natural person