DATA PROCESSING AGREEMENT
UPDATED: 4 December 2024
PARTIES
- “You” or “Your” accordingly, having accepted the Terms of Service of DigiShares A/S’ LAUNCH Platform. (Customer)
- DigiShares A/S incorporated and registered in Denmark with company number CVR-nr DK40623620 whose registered office is at Niels Jernes Vej 10, 9220 Aalborg Øst (Provider)
BACKGROUND
- The Customer and the Provider entered into a Platform Agreement (Terms of Service, hereafter “TOS”) that may require the Provider to process Personal Data on behalf of the Customer.
- This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the TOS. This Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679).
AGREED TERMS
- Definitions and Interpretation
The following definitions and rules of interpretation apply in this Agreement.
- Definitions:
- Authorised Persons: the persons or categories of persons that the Customer authorises to give the Provider written personal data processing instructions as identified in ANNEX A and from whom the Provider agrees solely to accept such instructions.
- Business Purposes: the services to be provided by the Provider to the Customer as described in the TOS and any other purpose specifically identified in ANNEX A.
- Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
- Data Protection Legislation: To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of personal data.
- Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
- EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
- EEA: the European Economic Area.
- Term: this Agreement’s term as defined in Clause 9.
- Standard Contractual Clauses (SCC): the standard contractual clauses for Processors annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded or replaced.
- This Agreement is subject to the terms of the TOS and is incorporated into the TOS.
- The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
- A reference to writing or written includes faxes and email.
- In the case of conflict or ambiguity between:
- any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;
- the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
- any of the provisions of this Agreement and the provisions of the TOS, the provisions of this Agreement will prevail.
- Personal data types and processing purposes
- The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:
- the Customer is the Controller and the Provider is the Processor.
- the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.
- ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes.
- Provider’s obligations
- The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider is not responsible for compliance with any data protection laws applicable to the Customer or its industry that are not generally applicable to the Provider.
- The Provider must comply with Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
- Security
- The Provider must implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
- Notwithstanding any provision to the contrary, the Provider may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
- Personal data breach
- The Provider will notify the Customer without undue delay after it becomes aware of any Personal Data Breach.
- At the Customer’s request, the Provider will promptly provide the Customer with such reasonable assistance as necessary to enable it to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws. For the avoidance of doubt, the Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by domestic or EU law.
- Cross-border transfers of personal data
- The Provider must not transfer or otherwise process the Personal Data outside the EEA without obtaining the Customer’s prior consent.
- Whenever Personal Data is transferred outside of the EEA, each party will ensure such transfers are made in compliance with the requirements of Data Protection Legislation.
- If any Personal Data transfer between the Customer and the Provider requires execution of SCC in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to the Provider outside the EEA), the parties will complete all relevant details in, and execute the SCC, and take all other actions required to legitimise the transfer.
- If engaged Sub-Processors are located outside of the EEA, the Customer authorises the Provider to enter into the SCC with the Sub-Processor in the Customer’s name and on its behalf. The Provider will make the executed SCC available to the Customer on request.
- Sub-Processors
- The Customer agrees that the Provider may engage Sub-Processors to Process Personal Data on its behalf. The Provider has currently engaged such Sub-Processors as specified in Annex B.
- The Provider will promptly notify the Customer on its website should any Sub-Processors be replaced or added to Annex B. Where EU GDPR is applicable, the Provider will give the Customer the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying the Customer. If the Customer does notify the Provider of such an objection, the parties will discuss the raised concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, the Provider will, at its sole discretion, either not appoint the new Sub-Processor, or permit the Customer to suspend or terminate the affected Platform service in accordance with the provisions of the TOS. The parties agree that by complying with this clause 7.2, DigiShares fulfils its obligations under Section 9 of the Standard Contractual Clauses.
- Where the Provider engages Sub-Processors, it will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA.
- Complaints, data subject requests and third-party rights
- The Provider must take such reasonable technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Customer by the regulator under the Data Protection Legislation.
- The Provider must promptly notify the Customer in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
- The Provider must notify the Customer within 7 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
- The Provider will give the Customer commercially reasonable assistance in responding to any complaint, notice, Data Subject request or communication if such assistance is specifically requested by the Customer in writing.
- The Provider must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer’s written instructions, or as required by domestic or EU law.
- Term and termination
- This Agreement will remain in full force and effect so long as the TOS remains in effect.
- If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its TOS obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, either party may terminate any part of the TOS involving the processing of the Personal Data on not less than 10 days written notice to the other party.
- Data return and destruction
- At the Customer’s request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
- On termination of the TOS for any reason or expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
- If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it may retain such data as required.
- Audit
- The Provider will permit the Customer and its third-party representatives to audit the Provider’s compliance with its Agreement obligations, on at least 60 days’ written notice and no more than once a year, during the Term. The Provider will give the Customer and its third-party representatives all necessary assistance to conduct such audits and the Customer will cover all reasonable costs incurred by the Provider as the result of compliance with this clause. The assistance shall include:
(a) physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider’s premises or on systems storing the Personal Data;
(b) access to and meetings with any of the Provider’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
(c) inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
- Warranties
- The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
- Limitation of Liability
- Each party’s liability arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the TOS.
- Notwithstanding the foregoing, the Customer acknowledges that the Provider is reliant on the Customer for direction as to the extent to which the Provider is entitled to use and process the Personal Data. Consequently, the Provider will not be liable for any claim brought by a Data Subject arising from any action or omission by the Provider, to the extent that such action or omission resulted from the Customer’s instructions.
- Notice
- Any notice given to a party under or in connection with this Agreement must be in writing and delivered to:
For the Customer: CUSTOMER CONTACT AS SPECIFIED IN THE TOS
For the Provider: [PROVIDER DATA PRIVACY CONTACT]
- Clause 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
- Governing Law
- This Agreement shall be governed and construed in accordance with the laws of Denmark.
ANNEX A
Personal Data processing purposes and details
Subject matter of processing:
Provision of the Platform service under the TOS, including provision of data collection and data storage services.
Duration of Processing:
Subject to the Data Return and Destruction section of this DPA, Personal Data will be processed for the duration of the DPA, unless otherwise agreed in writing.
Nature of Processing:
Personal Data will be processed in accordance with the TOS (including this DPA) and may be subject to the following Processing activities:
- Storage and other processing necessary to provide, maintain and improve the services provided to the Customer; and/or
- Disclosure in accordance with the TOS (including this DPA) and/or as compelled by applicable laws.
Business Purposes:
Personal Data will be processed as necessary to provide the Platform service pursuant to the TOS, for the business as specified therein, and as further instructed by the Customer.
Personal Data Categories:
The Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- contact information;
- Any other Personal Data submitted by, sent to, or received by the Customer, or its end users, via the platform.
Data Subject Types:
The Customer may submit Personal Data in the course of using the Platform service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
The Customers’ users of the tokenization platform, investors and other end users including employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.
ANNEX B
Third Party Sub-Processor | Purpose | Applicable Service | Data Center Sub-Processor Location |
Google Cloud Platform | Regional data processing | Cloud computing services provider; Data and cloud infrastructure hosting provider | Belgium |
CloudFlare | Content Delivery Network | DNS service provider; DDoS protection and reverse proxy service provider | Europe & US |
GitLab Inc. | Cloud version control | CI/CD system provider | Europe |
SumSub / Sum and Substance Ltd | Know-Your-Customer (KYC) verification | KYC services provider | Europe |
Dropbox Sign | Signature collection | Signature collection services provider | Europe & US |
Transfers to third-countries must comply with the EU Standard Contractual Clauses and the European Commission’s adequacy decisions when applicable.