T&C

2019.05.02

General Data Protection Regulation

made and entered into between

«ContractName»

CVR no.: «VAT»

«StreetAndNumber»

«PostalCode» «City»

«Country»

(the "Controller")

and

RushFiles A/S

CVR no.: 34623422

Chr M Østergaards Vej 4

8700 Horsens

Denmark

(the "Processor")

(The Controller and the Processor are collectively referred to as the "Parties" and individually a "Party")

1.0 BACKGROUND AND PURPOSE

1.1 The Parties have agreed to the provision of certain services from the Processor to the Controller. In this connection, the Processor may process personal data on behalf of the Controller, and for that purpose, the Parties have entered into this agreement and underlying appendices ("Processor Agreement").

1.2 The purpose of the Processor Agreement is to ensure that the Processor complies with the personal data regulations in force from time to time (“GDPR”), including in particular:

  • the Danish Act on Data Privacy (in Danish: Databeskyttelsesloven) (Act 23/05/2018 no. 502)
  • the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)

1.3 The primary service (“Primary Service”) consists of the following:

  • The Processor provides a software Enterprise File Sync and Sharing Solution (EFSS solution) where the Controller and its users can store data in the cloud. The Controller buys a time-limited and non-exclusive user license to the solution, after which the Controller is granted access to the solution, whereafter the Controller alone is in charge of the management and use of the solution.
  • The data in the solution is encrypted and the Processor has no knowledge of what the Controller or its users store in the solution. See Appendix 1 for more information on the solution.

2.0 DURATION AND TERMINATION

2.1 The Processor Agreement applies as long as the Processor processes personal data on behalf of the Controller (according to the agreement(s) on the provision of the Primary Service (“Main Agreement”)) or until a new data processor agreement is concluded.

3.0 PERSONAL DATA

3.1 The Processor has no knowledge of what kind of data the Controller or its users store in the solution. The data is encrypted, so the Processor has no way of knowing to what extent personal data is being stored and which type of personal data it is. Personal data may only be uploaded by the Controller or users authorized hereto.

See Appendix 1 for more specific information about data type and data category.

4.0 THE OBLIGATIONS AND RIGHTS OF THE CONTROLLER

4.1 The Controller has the following obligations:

  • To ensure that the Instructions are lawful in relation to the GDPR in force from time to time
  • That the Instructions are appropriate in relation to this Processor Agreement and the Primary Service.
  • To ensure that data are stored securely.

4.2 The Controller guarantees that any personal data which the Controller or its users supply to the Processor may be processed by the Processor.

5.0 THE OBLIGATIONS AND RIGHTS OF THE PROCESSOR

5.1 The Processor is authorized to process personal data on behalf of the Controller on the terms and conditions set out in the Processor Agreement.

5.2 The Processor may only process personal data subject to documented instructions from the Controller ("Instructions"). This Processor Agreement, including appendices, constitutes the Instructions at the date of signature.

5.3 The Instructions may be changed, amended, clarified, specified etc. at any time by the Controller. Regardless of the above, this Processor Agreement can only be changed subject to agreement between the Parties.

5.4 Unless otherwise specified in the Processor Agreement, the Processor may use all relevant technical aids, including IT systems.

5.5 The Processor shall host all personal data on its own or its Sub-Processor's servers, placed in Denmark or within the EU.

5.6 The Processor shall not transfer or otherwise process personal data according to the Processor Agreement outside the EU, without the Controller's prior written approval hereof.

5.7 The Processor shall not use any personal data supplied to the Processor by the Controller in any other way than to supply the Primary Services.

5.8 Nothing in the Processor Agreement shall prevent a Party from fulfilling a legal obligation imposed by a competent court of law or authority. Both Parties shall nevertheless, to the extent reasonably possible, discuss the appropriate reaction to any request from a competent court of law or authority in connection with disclosure of information.

5.9 See Appendix 2 about Support's use of TeamViewer.

6.0 EMPLOYEES

6.1 The Processor shall ensure that employees who process personal data for the Processor have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.

6.2 The Processor shall ensure that employees processing personal data for the Processor only process such data in accordance with the Instructions.

7.0 TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

7.1 The Processor is responsible for implementing necessary (a) technical and (b) organizational measures to ensure an appropriate security level.

7.2 The Processor shall implement the suitable technical and organizational measures in such a manner that the processing by the Processor of personal data meets the requirements of the GDPR in force from time to time.

7.3 The Parties agree that the provided safeguards are adequate at the date of conclusion of this Processor Agreement.

8.0 SUB-PROCESSORS

8.1 The Controller authorizes the Processor on a general basis to make use of third parties for the processing of personal data for the Controller ("Sub-Processor"). The Processor shall notify the Controller of any planned changes regarding additions or replacements of Sub-Processors, thereby giving the Controller the opportunity to object to such changes.

8.2 By entering into the Processor Agreement, the Processor accepts that the Processor may make use of the Sub-Processors listed in Appendix 3.

8.3 The Processor and the Sub-Processor shall conclude a written agreement imposing the same data protection obligations on the Sub-Processor as those of the Processor according to this Processor Agreement.

8.4 The Sub-Processor shall also only act under the Instructions of the Controller. All communication with the Sub-Processor is handled by the Processor, unless otherwise specifically agreed. Any changed, amended, clarified, specified etc. Instructions from the Controller to the Processor must immediately be passed on by the Processor to the Sub-Processor.

8.5 If a Sub-Processor does not comply with the Instructions, the Controller may prohibit the use of the relevant Sub-Processor.

8.6 The Processor is directly responsible towards the Controller for the Sub-Processor's processing of personal data in the same manner as had the processing been carried out by the Processor.

9.0 TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS

9.1 The Processor may only transfer personal data to third countries or international organizations to the extent:

a) the country is a secure third country

b) transfer is made under US Privacy Shield or similar approved arrangements

c) binding Corporate rules apply

d) transfer is made under approved SCC agreements (Standard Contractual Clauses)

e) transfer is made under approved codes of conduct or an approved certification mechanism

f) transfer is made under approved ad hoc agreements

g) transfer is made under specific consent (in general not to be used in general/mass transfers of personal data)

h) otherwise allowed under GDPR

9.2 In any case, personal data may only be transferred to the extent permitted under GDPR in force from time to time.

10.0 ASSISTANCE

10.1 The Processor shall in accordance with current GDPR legislation to the necessary and reasonable extent assist the Controller in the performance of its obligations in the processing of the personal data covered by this Processor Agreement, including in connection with:

  • processing security
  • responses to data subjects on exercise of their rights
  • reporting of security breaches to the competent supervisory authority
  • notification of security breaches to the data subjects
  • impact assessments

10.2 In this connection, the Processor shall obtain the information to be included in a notification to the supervisory authority provided that the Processor is best suited to do so.

10.3 According to this Processor Agreement, the Processor shall report all security breaches to the Controller. A security breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, see the General Data Protection Regulation article 4(12). Security breaches must be reported to the Controller without undue delay.

10.4 The Processor is entitled to payment for time spent and materials consumed for assistance, unless otherwise specified. Payment can never be claimed for the performance of tasks necessitated by a breach by the Processor.

11.0 RETURN OF PERSONAL DATA

11.1 The Processor and any Sub-Processors shall return all personal data processed by the Processor under this Processor Agreement to the Controller on termination of the Processor Agreement, provided that the Controller is not already in possession of the personal data. The Processor is then obliged to delete all personal data received from the Controller. The Controller may request reasonable information for such deletion.

12.0 GENERAL DOCUMENTATION TO THE CONTROLLER

12.1 As part of the Processor's demonstration to the Controller of compliance with its obligations according to the Processor Agreement, the following points must be completed and observed.

12.1.1 Upon written request, the Processor is obliged to submit the following general documentation to the Controller:

  • A declaration from the Processor's management specifying that, during the processing of personal data on behalf of the Controller, the Processor continuously ensures compliance with its obligations under this Processor Agreement.
  • A description of the practical measures, both technical and organizational, implemented by the Processor to ensure compliance with its obligations under the Processor Agreement. The description may include a presentation of established and implemented management systems for information security and for processing of personal data as well as a description of other initiatives taken. As part thereof, the Processor is also obliged to participate in follow-up meetings with the Controller.

The general documentation must be provided no later than five working days after the Controller has made its written request to the Processor, unless otherwise specifically agreed. The Processor shall prepare documentation for its own account.

12.1.2 Upon written request, the Processor shall contribute to and give access to audit.

The audit must be conducted by an independent third party selected by the Controller and approved by the Processor. The Processor may not reject a suggested third party without reasonable cause. The independent third party must accept a general confidentiality agreement with the Processor. A request for audit must be made subject to at least 14 days’ prior written notice.

12.2 The Processor is entitled to payment for time spent and materials consumed for assistance pursuant to this clause, unless otherwise specified in the Processor Agreement.

13.0 FORCE MAJEURE

The Processor cannot be held liable for situations normally referred to as force majeure, including, but not limited to, events of natural disasters, industrial actions, hacking, malware, ransomware, virus and DDOS or DOT attacks, disturbance of general communication or power lines, illness of key employees, fire, flooding, riots, insurrection, vandalism, strikes, lock out, wars, terrorism, embargo or governmental actions and the like, and occurrence of force majeure at subcontractors.

14.0 OTHER CONDITIONS

14.1 The above points should not be considered exhaustive, and the Processor therefore undertakes to take any such actions and measures as are necessary for the demonstration of the Processor's obligation of the Processor Agreement and compliance with mandatory GDPR legislation.

14.2 The Processor is not obliged to follow a request from the Controller according to this Processor Agreement if the request is in violation of the personal data regulation. The Processor shall notify the Controller if the Processor finds that this is the case.

14.3 The Processor's liability as data processor shall be subject to the same terms and conditions as applicable for the Primary Service.

Appendix 1

PRIMARY SERVICE

The Primary Service consists of the following: The RushFiles solution is a Cloud storage software solution, also known as an Enterprise File Sync and Sharing Solution (EFSS solution), where safety is highly prioritized. The data in the solution is encrypted, and it is only the Controller who can decrypt it. The Processor has no possibility of or interest in reading the encrypted data.

RushFiles provides the Primary Service (a platform and a tool) that enables users to securely synchronize and share documents, photos, videos and files from multiple devices with employees, and external customers and partners. RushFiles has no control of how the Primary Service is used and for what content.

The Controller is responsible for keeping the data safe; the solution provides means for doing so throughout the services rendered.

The Primary Service is further described in the Main Agreement including the general terms and conditions applicable for the solution.

PERSONAL DATA

RushFiles has no knowledge of what kind of data the Controller or users share and store in the solution and therefore has no way of knowing to what extent personal data is being stored, including which type of personal data it is.

The Controller guarantees to the Processor, that the Processor is entitled to process any personal data supplied from the Controller or its users into the solution.

Types of personal data processed in connection with the delivery of the Primary Service can thus be any form of data including, but not limited to personal data in the form of:

a) General personal data, which is any data about an identified or identifiable data subject.

b) Sensitive personal data, like racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life or sexual orientation, genetic data and biometric data.

c) Other personal data, like criminal offences, serious social problems and purely private matters other than those mentioned in point a).

d) Civil registration numbers (in Danish: CPR-nr.).

The category of registered identified or identifiable natural persons covered by the Processor Agreement can be any form of natural person of any age including, but not limited to:

a) Employees

b) Clients

c) Customers

d) Children

Appendix 2

THE USE OF TEAMVIEWER IN SUPPORT

As a part of RushFiles' support solution, RushFiles offers to use TeamViewer in some support matters, to better understand the Controller’s/clients’ problems and needs.

In such cases, a verbal or written consent will always be needed before any action is taken. The Controller/client will need to accept that RushFiles uses TeamViewer in the specific situation, and the Controller/client needs to grant this access before anything will happen.

Using TeamViewer gives access to viewing remote screens in order to be able to help support the solution to any given problem.

If a Controller does not wish to share its screens with RushFiles’ support, the Controller can simply decline to accept usage of TeamViewer.

----------

To the extent RushFiles is deemed to be a data controller when using TeamViewer for support functionalities, RushFiles shall keep strictly confidential all information provided to it during such support.

The support service provided via TeamViewer is a technical support service, which is not intended specifically for the processing of personal data even though personal data may be processed/accessed in such support situation. Any personal data will only be collected directly from the user accepting the use of TeamViewer. The personal data is only processed for the supplying of the requested support. In general, only normal personal data in form of contact information will be processed on the supported contact person. All personal data will be deleted once the TeamViewer session has ended. RushFiles does not transfer personal data to any third party, unless specifically agreed during the TeamViewer session. RushFiles has internal rules for processing of personal data including guidelines and security measures that protect personal data and secure the data against destruction, loss, alterations, unauthorised disclosure or access. RushFiles keeps no records of personal data connected to support sessions.
