Privacy Policy

Last updated: January 2026

3. DATA PROCESSING AGREEMENT (DPA)

This is a Data Processor Agreement (hereinafter: "DPA") entered into on the date of digital signature of this document (the "Effective Date") between vimpl.com A/S, a limited liability company (registered under CVR no. 41663073) with its registered address at Asger Rygs Gade 19, 3.TV, DK-1727 Copenhagen V, Denmark (hereinafter: "Data Processor") and the customer (hereinafter: "Data Controller").

The Data Controller and the Data Processor are hereinafter collectively referred to as the "Parties" and separately as a "Party". The Parties have agreed the following data processing provisions for the purpose of complying with the DPA requirements under article 28(3) of the Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and of ensuring protection of privacy and the basic rights and freedoms of natural persons.

3.1 RECITALS

This DPA lays out the Data Processor's rights and obligations when the Data Processor processes personal data on behalf of the Data Controller.

This DPA has been prepared for the purpose of the parties' observance of article 28(3) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

In connection with the delivery of the services agreed in appendix D, the Data Processor processes personal data on behalf of the Data Controller in compliance with this DPA.

The DPA supersedes any similar provisions in other agreements between the parties.

This DPA includes six appendices, and the appendices form an integral part of the DPA:

  • Appendix A contains detailed information about the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
  • Appendix B contains the Data Controller's terms for the Data Processor's use of sub-processors and a list of sub-processors which the Data Controller has approved the use of.
  • Appendix C contains the Data Controller's instructions as regards the Data Processor's processing of personal data, a description of the security measures which the Data Processor must implement as a minimum, and how the Data Processor and any sub-processors are monitored.
  • Appendix D contains reference to the parties' "order form", including instructions and terms of delivery.
  • Appendix E of the data processing agreement contains any special terms.
  • Appendix F contains a FAQ about AI.

The DPA with attached appendices must be stored in writing, including electronically, by both parties.

This DPA does not release the Data Processor from obligations that the Data Processor is subject to under the General Data Protection Regulation and any other legislation.

3.2 THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER

The Data Controller is responsible for ensuring that the processing of personal data is made in compliance with the General Data Protection Regulation (see article 24 of the Regulation), data protection provisions in Union law or the national law of the EU/EEA member states and this DPA.

The Data Controller has a right and a duty to make decisions regarding the purpose(s) for which and the means by which processing of personal data may take place.

The Data Controller shall be responsible, among other things, for ensuring that the processing of personal data, which the Data Processor is instructed to perform, has a legal basis.

3.3 THE DATA PROCESSOR ACTS ACCORDING TO INSTRUCTIONS

The Data Processor may only process personal data according to documented instructions from the Data Controller, unless required under Union law or the national law of member states to which the Data Processor is subject. All of these instructions must be specified in appendices A, C and D. Subsequent instructions may also be given by the Data Controller while processing of personal data takes place, but the instructions must always be documented and stored in writing, including electronically, together with this DPA.

The Data Processor must inform the Data Controller immediately if in the Data Processor's opinion any instructions are contrary to the General Data Protection Regulation or data protection provisions in other Union law or the national law of the member states.

3.4 CONFIDENTIALITY

The Data Processor may only grant access to personal data which is processed on behalf of the Data Controller to persons who are subject to the Data Processor's powers of direction, who have undertaken a duty of confidentiality or are subject to an appropriate mandatory duty of confidentiality, and only to the extent necessary. At the request of the Data Controller, the Data Processor must be able to demonstrate that the said persons who are subject to the Data Processor's powers of direction are subject to the above duty of confidentiality.

3.5 SECURITY OF PROCESSING

Article 32 of the General Data Protection Regulation stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Data Processor shall assist the Data Controller in complying with the Data Controller's obligations under article 32 of the General Data Protection Regulation.

3.6 ERASURE AND RETURN OF INFORMATION

On expiry or termination of the services concerning processing of personal data, the Data Processor is obliged to erase all personal data which has been processed on behalf of the Data Controller and confirm to the Data Controller that the information has been erased, unless Union law or the national law of an EU/EEA member state requires storage of the personal data.

3.7 COMMENCEMENT AND EXPIRY

This DPA enters into force on the date of both parties' acceptance.

The DPA is valid for as long as the service concerning processing of personal data lasts. In this period, the DPA cannot be terminated unless other provisions regulating the delivery of the service concerning processing of personal data are agreed between the parties.

If the delivery of the services concerning processing of personal data ceases, and the personal data has been erased or returned to the Data Controller, this DPA can be terminated by written notice by both parties.