DATE EFFECTIVE: JANUARY 1ST, 2020
Thanks for choosing Linkfire!
At Linkfire, we want to give you the best possible experience to ensure that you enjoy our service today, tomorrow, and in the future. To do this we collect information to understand how our services are used, so we can deliver that exceptional and personalized service specifically for you. That said, your privacy and the security of your personal data is, and will always be, enormously important to us. So, we want to transparently explain how and why we gather, store, share and use your personal data – as well as outline the controls and choices you have around when and how you choose to share your personal data.
2. About this Policy
This Policy sets out the essential details relating to your personal data relationship with Linkfire ApS and subsidiaries. The Policy applies to all Linkfire Services and any associated services (referred to as the ‘Linkfire Services’). The terms governing your use of the Linkfire Services are defined in our Terms and Conditions of Use (the “Terms and Conditions of Use”).
From time to time, we may develop new or offer additional services. If the introduction of these new or additional services results in any change to the way we collect or process your personal data we will provide you with more information and additional terms or policies. Unless stated otherwise when we introduce these new or additional services, they will be subject to this Policy.
The aim of this Policy is to:
- Ensure that you understand what personal data we collect about you, the reasons why we collect and use it, and who we share it with;
- Explain the way we use the personal data that you share with us in order to give you a great experience when you are using the Linkfire Services; and
- Explain your rights and choices in relation to the personal data we collect and process about you and how we will protect your privacy.
We hope this helps you to understand our privacy commitments to you. For further clarification of the terms used in this Policy please visit our Privacy Center on linkfire.com. For information on how to contact us if you ever have any questions or concerns, please see the ‘How to Contact Us’ section.
3. Your rights and your preferences: Giving you choice and control
Linkfire has always believed in privacy and your right to know your digital footprint and we take great pride in being transparent about it. Accordingly, we have implemented transparency and access controls in our Privacy Portal to help users take advantage of those rights. As available and except as limited under applicable law, the rights afforded to individuals are:
- Right of Access – the right to be informed of and request access to the personal data we process about you;
- Right to Rectification – the right to request that we amend or update your personal data where it is inaccurate or incomplete;
- Right to Erasure – the right to request that we delete your personal data;
- Right to Restrict – the right to request that we temporarily or permanently stop processing all or some of your personal data;
- Right to Object –
- the right, at any time, to object to us processing your personal data where you believe we don’t have a legitimate interest to do so;
- the right to object to your personal data being processed for direct marketing purposes;
- Right to Data Portability – the right to request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service; and
In order to enable you to exercise these rights with ease and to record your preferences in relation to how Linkfire uses your personal data, we provide you with access to the following settings via the following:
- Privacy Settings – allows you to control various categories of data collection; and
- Data Subject Request (DSR) form – allows you an easy route to access a copy of your data or to exercise your right to rectify, restrict, erase, and or port your data to another service.
The Privacy Settings put you in control of how Linkfire processes your personal data. If we send you electronic messages based on your consent or as otherwise permitted by applicable law, you may, at any time, respectively withdraw such consent or declare your objection (“opt-out”) at no cost. The electronic marketing messages you may receive from Linkfire (e.g. those sent via email) also will include an opt-out mechanism within the message itself (e.g. an unsubscribe link in the emails we send to you).
If you have any questions about your privacy, your rights, or how to exercise them, please contact our Data Protection Officer using the details laid out in the ‘Contact Us’ section in the Privacy Portal. We will respond to your request within a reasonable period of time upon verification of your identity where required. If you are unhappy with the way we are using your personal data you can also contact and are free to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) or your local Data Protection Authority.
4. How do we collect your personal data?
We collect your personal data in the following ways:
- Through the use of the Linkfire Services – when you use the Linkfire Services, we collect personal data about your use of the Linkfire Services, such as what campaigns you have visited.
- When our customers onboard for the Linkfire Services (specifically the Linkfire Suite – https://app.linkfire.com & https://v1.linkfire.com) – when you are signed up to the Linkfire Services, we collect certain personal data so you can use the Linkfire Services.
- Personal data collected that enables us to provide you with additional features/functionality – from time to time, you may also provide us with additional personal data or give us your permission to collect additional personal data e.g. to provide you with more features or functionality.
We use anonymized and aggregated information for purposes that include testing our IT systems, research, data analysis, creating marketing and promotion models, improving the Linkfire Services, and developing new features and functionality within the Linkfire Services.
5. What personal data do we collect from you and why?
When you use or interact with the Linkfire Services, we use a variety of technologies to process the personal data we collect about you for various reasons. We have set out in the tables below the reasons why we process your personal data, the associated legal basis we rely upon to legally permit us to process your personal data, and the categories of personal data (identified in Section 5 ‘What personal data do we collect from you?’) used for these purposes:
We would like to take a moment to explain that we do not collect any special categories of personal data (https://gdpr-info.eu/art-9-gdpr/), nor do we process any personal information in a way that could pose a high risk to data subject’s rights or freedoms (https://gdpr-info.eu/recitals/no-75/).
Linkfire does not use any data for automated-decision making purposes.
- *.lnk.to & associated custom domains
5.2. Linkfire visitors:
5.3. Linkfire customers:
In order to provide customers with Linkfire services you may expect personal data processing under the following categories:
6. Sharing your personal data
We have set out the categories of recipients of the personal data collected or generated through your use of the Linkfire Services.
We rely on legitimate interest as our legal reasoning for sharing this data, aside from legal requirements like regulatory institutions or tax authorities.
7. Data retention and deletion
We keep your personal data only as long as necessary to provide you with the Linkfire Services and for legitimate and essential business purposes, such as maintaining the performance of the Linkfire Services, making data-driven business decisions about new features and offerings, complying with our legal obligations, and resolving disputes.
** Notification Contact Details: < 12 months = 1 month after release date + campaign duration (limited to 11 months prior to release)
7.2 Linkfire Customer
8. Cross Border Transfer
Personal data collected within the European Union and Switzerland may, for example, be transferred to and processed by third parties located in a country outside of the European Union and Switzerland. In such instances Linkfire shall ensure that the transfer of your personal data is carried out in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organizational measures are in place such as the Standard Contractual Clauses approved by the EU Commission.
We may display advertisements from third parties and other content that links to third-party websites. We cannot control or be held responsible for third parties’ privacy practices and content. If you click on a third-party advertisement or link, please understand that you are leaving the Linkfire Service and any personal data you provide will not be covered by this Policy. Please read their privacy policies to find out how they collect and process your personal data.
10. Keeping your personal data safe
We are committed to protecting our users’ personal data. We implement appropriate technical and organizational measures to help protect the security of your personal data; however, please note that no system is ever completely secure. We have implemented various policies including anonymization, pseudonymization, encryption, access, and retention policies to guard against unauthorized access, unauthorized alterations or deletion, as well as unnecessary retention of personal data in our systems. Please visit our Technical and Operational Measures for more information.
Your password protects your Linkfire Suite user account, so we encourage you to use a unique and strong password, limit access to your computer and browser, and log out after having used the Linkfire Service (Suite).
The Linkfire Services is not directed to children under the age of 13 years. However, in some countries, stricter age limits may apply under local law. Please see our Terms and Conditions of Use for further details.
We do not knowingly collect personal data from children under 13 years or under the applicable age limit (the “Age Limit”). If you are under the Age Limit, please do not use the Linkfire Services, and do not provide any personal data to us.
If you are a parent of a child under the Age Limit and become aware that your child has provided personal data to Linkfire, please see the ‘How to Contact Us’ section, and you may request exercise of your applicable rights detailed in the ‘Your rights and your preferences: Giving you choice and control’ Section 3 of this Policy.
If we learn that we have collected the personal data of a child under the age of 13 years, we will take reasonable steps to delete the personal data.
We may occasionally make changes to this Policy.
When we make material changes to this Policy, we’ll provide you with prominent notice as appropriate under the circumstances, we may notify you in advance.
Please, therefore, make sure you read any such notice carefully.
13. How to contact us
Artillerivej 86, 3.,
2300 Copenhagen S, Denmark
CVR no. 35835431
We hope you enjoy Linkfire!
© Linkfire ApS.
14. Additional Disclosures
California Consumer Privacy Act (“CCPA”)
If you are a California resident, the processing of certain personal data about you may be subject to the California Consumer Privacy Act (“CCPA”) and other applicable California state privacy laws. Please refer to our Additional California Privacy Disclosures.
Lei Geral de Proteção de Dados (“LGPD”)
Lei Geral de Proteção de Dados (“LGPD”) is a new data privacy law that went into effect on September 18th, 2020. If you are a data subject located within Brazil, LGPD may apply to you. Learn more in our LGPD Disclosure.
YouTube ToS: https://www.youtube.com/t/terms
Google security setting page: https://myaccount.google.com/permissions?pli=1
Linkfire is a company with operations both inside and outside of Denmark.
3. Organizations covered by this policy
The Linkfire Group (“Linkfire Group”) includes the parent company, Linkfire ApS. and its affiliated entities, including companies in Europe and North America operating partnership known as “Linkfire”.
Linkfire Aps is the data controller for the purposes of the personal data processed under this Policy.
4. California Consumer Privacy Act
If you are a California resident, the processing of certain personal data about you may be subject to the California Consumer Privacy Act (“CCPA”) and other applicable California state privacy laws. Please refer to our Additional California Privacy Disclosures.
5. Policy of compliance
6. What is personal information?
7. What personal information do we collect?
We collect and maintain different types of personal information in respect of those individuals who seek to be, are, or were employed by us, including the personal information contained in:
- resumes and/or applications;
- references and interview notes;
- photographs and video;
- letters of offer and acceptance of employment; employment contracts;
- mandatory policy acknowledgement sign-off sheets;
- payroll information; including but not limited to social insurance number, bank details, pay cheque deposit information, and pension payment information;
- wage and benefit information;
- forms relating to the application for, or in respect of changes to, health and welfare benefits; including, short and long term disability, medical and dental care; and
- beneficiary and emergency contact information.
In addition to the examples listed above, personal information also includes information such as name, home address, telephone, personal email address, date of birth, personnel identification number (such as SSN/CPR-number), and marital status, and any other information necessary to Linkfire’s business purposes, which is voluntarily disclosed in the course of a person’s application for and employment with Linkfire.
As a general rule, Linkfire collects personal information directly from you. In most circumstances where the personal information that we collect about you is held by a third party, we will obtain your permission before we seek out this information from such sources (such permission may be given directly by you, or implied from your actions).
From time to time, we may utilize the services of third parties (including other members of the Linkfire Group) in our business and may also receive personal information collected by those third parties in the course of the performance of their services for us or otherwise. Where this is the case, we will take reasonable steps to ensure that such third parties have represented to us that they have the right to disclose your personal information to us.
Where permitted or required by applicable law or regulatory requirements, we may collect information about you without your knowledge or consent.
8. Why do we collect personal information?
The personal information collected is used and disclosed for our business purposes, including establishing, managing or terminating your employment relationship with Linkfire. Such uses include:
- determining eligibility for initial employment, including the verification of references and qualifications;
- administering pay and benefits in collaboration with local tax authorities;
- processing employee work-related claims (e.g. worker compensation, insurance claims, etc.)
- establishing training and/or development requirements;
- conducting performance reviews and determining performance requirements;
- assessing qualifications for a particular job or task;
- gathering evidence for disciplinary action, or termination;
- establishing a contact point in the event of an emergency (such as next of kin);
- complying with applicable labour or employment statutes; eg. collaboration with tax authorities or Immigration/VISA services
- compiling directories;
- ensuring the security of company-held information; and
- such other purposes as are reasonably required by Linkfire.
The work output of Linkfire’s employees, whether in paper record, computer files, or in any other storage format belongs to us as per our general IP policy. This work output, and the tools used to generate it, are always subject to review and monitoring by Linkfire.
In the course of conducting our business, we may monitor employee activities and our premises and property. For example, some of our locations are equipped with surveillance cameras. These cameras are generally in high risk areas like office thresholds. Where in use, surveillance cameras are there for the protection of employees and third parties, and to protect against theft, vandalism and damage to Linkfire’s goods and property. Generally, recorded images are routinely destroyed and not shared with third parties unless there is suspicion of a crime, in which case they may be turned over to the police or other appropriate government agency or authority. Pursuant to our Information Security Policy, we have the capability to monitor all employees’ computer and e-mail use.
This section is not meant to suggest that all employees will in fact be monitored or their actions subject to constant surveillance. We have no duty to monitor. It is meant to bring to your attention the fact that such monitoring may occur and may result in the collection of personal information from employees (e.g. through their use of our resources). When using Linkfire equipment or resources employees should not have any expectation of privacy with respect to their use of such equipment or resources.
10. How do we use your personal information?
We may use your personal information:
- for any additional purposes that we advise you of and where your consent is required by law we have obtained your consent in respect of the use or disclosure of your personal information.
We may use your personal information without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so.
11. When do we disclose your personal information?
We may share your personal information with our employees, contractors, consultants and other parties (including other members of the Linkfire Group) who require such information to assist us with establishing, managing or terminating our employment relationship with you, including: parties that provide products or services to us or on our behalf and parties that collaborate with us in the provision of products or services to you. In some instances, such parties may also provide certain information technology and data processing services to us so that we may operate our business. We may share personal information with such parties both in and outside of your home jurisdiction, and as result, your personal information may be collected, used, processed, stored or disclosed in Europe and in the United States of America, and in some cases, other countries. Personal information is only transferred by us to another country, including within the Linkfire Group, if this is required or permitted under the applicable privacy legislation, in particular only in as far as a reasonable level of data protection is assured in the recipient country.
Further, your personal information may be shared or disclosed:
- as permitted or required by applicable law or regulatory requirements. In such a case, we will endeavor to not disclose more personal information than is required under the circumstances;
- to comply with valid legal processes such as complying with tax processes, cooperating with governmental institutions
- as part of Linkfire’s regular reporting activities to other members of the Linkfire Group (including outside of your home jurisdiction);
- to protect the rights and property of Linkfire;
- during emergency situations or where necessary to protect the safety of a person or group of persons;
- where the personal information is publicly available; or
- with your consent where such consent is required by law.
- On our homepage, e.g. image, full name and work email address
In congruence with Article 15c, you have the right to request detailed information regarding who we shared your data with by contacting the office of our Data Privacy Officer.
12. Notification and consent
Privacy laws do not generally require Linkfire to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your employment relationship. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so.
To the extent that your consent is required, we will assume, unless you advise us otherwise, that you have consented to Linkfire collecting, using and disclosing your personal information for the purposes stated above (including any other purposes stated or reasonably implied at the time such personal information was provided to us).
Where your consent was required for our collection, use or disclosure of your personal information, you may, at any time, subject to legal or contractual restrictions and reasonable notice, withdraw your consent. All communications with respect to such withdrawal or variation of consent should be in writing and addressed to our Privacy Officer.
13. How is your personal information protected?
Linkfire endeavors to maintain physical, technical and procedural safeguards that are appropriate to the sensitivity of the personal information in question. These safeguards are designed to protect your personal information from loss and unauthorized access, copying, use, modification or disclosure.
14. How long is your personal information retained?
Except as otherwise permitted or required by applicable law or regulatory requirements, Linkfire endeavors to retain your personal information only for as long as it believes is necessary to fulfill the purposes for which the personal information was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations). We may, instead of destroying or erasing your personal information, make it anonymous such that it cannot be associated with or tracked back to you.
- Maternity and Paternity: 6 years from the end of employment.
- Financial records: NATIONAL LEGAL REQUIREMENTS (tax, salary/pay, working time)
- Application and Recruitment Records: 24 months.
- All Personnel Files and Records: 6 years from the end of employment.
- Redundancy Records: 6 years from the end of employment.
- Sickness Absence Records: 6 years from the end of employment.
15. Updating your personal information
It is important that the information contained in our records is both legally accurate and current. If your personal information happens to change during the course of your employment, you are legally obliged to keep us informed of such changes. This is in order for us to comply with legal requirements for your employment as well as to be able to cooperate with national authorities as required by local law, e.g. tax authorities.
16. Access to your personal information
You can ask to see the personal information that we hold about you. If you want to review, verify or correct your personal information, please contact the office of our Privacy Officer using the contact information set out below. Please note that any such communication must be in writing.
When requesting access to your personal information, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal information that we hold about you. If you require assistance in preparing your request, please contact the office of our Privacy Officer.
Your right to access the personal information that we hold about you is not absolute. There are instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal information that we hold about you. In addition, the personal information may have been destroyed, erased or made anonymous in accordance with our record retention obligations and practices.
In the event that we cannot provide you with access to your personal information, we will endeavour to inform you of the reasons why, subject to any legal or regulatory restrictions.
17. Inquiries or concerns?
18. Privacy Officer
Tobias Demuth – DPO
Linkfire Aps is the data controller for the purposes of the personal data processed under this Policy.
Cookies don’t contain any information that personally identifies you. However, personal information that we store about you may be linked, by us, to the information stored in, and obtained from, cookies. The cookies used on Linkfire websites include those which are strictly necessary for access and navigation, that track usage (performance cookies), remember your choices (functionality cookies), and that provide you with targeted content or advertising.
We may use the information we obtain from your use of our cookies for the following purposes:
- to recognize your computer when you visit our websites
- to improve the websites’ usability
- to analyze the use of our websites
- in the administration of our websites
- to personalize the website for you, including targeting advertisements which may be of particular interest to you.
We may use both session cookies and persistent cookies on Linkfire properties.
We may set 3rd party cookies depending on which Linkfire property you are visiting and what you provide consent to during that visit. You have options to manage your privacy at the bottom of every Linkfire property. To determine what cookies are in use, please refer to the “manage your permissions” options.
Opt Out of Linkfire cookies
If you prefer that we do not collect non-personally identifiable information about your visits for the purpose of delivering targeted advertising, you may opt out by clicking on the ‘opt-out’ link.
When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your information for delivering relevant online advertisements on all lnk.to domains. Please note that if you delete, block, or otherwise restrict cookies, visit a different domain other than lnk.to, or use a different computer or Internet browser, you will need to renew your opt-out choice.
Blocking and deleting cookies
Most browsers allow you to block and/or delete cookies. The way to do this varies between browsers and operating systems, so please see your browser’s help section for more information.
Blocking and/or deleting cookies will have a negative impact on the usability of many websites. You may, for example, be signed out of your accounts, or be unable to use certain features.
The Linkfire websites are owned and operated by Linkfire A/S, a company registered in Denmark.
When a Customer End User visits an Asset, we collect User Data via Cookies and Pixels.
- Adobe Digital Marketing Cloud
- Central Tag
- DoubleClick Floodlight
- Google Tag Manager
Data Processing Agreement
Below you will find our Data Processing Agreement, also known as a DPA. You may request a signed copy by reaching out to us at email@example.com.
- This Data Processing Agreement sets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller.
- This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.
- The Data Processor’s processing of personal data shall take place for the purposes of fulfillment of the Parties’ ‘Master Service Agreement’.
- The Data Processing Agreement and the ‘Master Service Agreement’ shall be interdependent and cannot be terminated separately. The Data Processing Agreement may, however – without termination of the ‘Master Service Agreement’ – be replaced by an alternative valid Data Processing Agreement and amended from time to time.
- This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the ‘Master Service Agreement’.
- Three appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.
- Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
- Appendix B of the Data Processing Agreement contains the Data Controller’s terms and conditions that apply to the Data Processor’s use of Sub-Processors and a list of Sub-Processors approved by the Data Controller.
- Appendix C of the Data Processing Agreement contains instructions on the processing that the Data Processor is to perform on behalf of the Data Controller (the subject of the processing), the minimum security measures that are to be implemented and how inspection with the Data Processor and any Sub-Processors is to be performed.
- The Data Processing Agreement and its associated Appendices shall be retained in writing as well as electronically by both Parties.
- This Data Processing Agreement shall not exempt the Data Processor from obligations to which the Data Processor is subject, pursuant to the General Data Protection Regulation or other related legislation.
The Data Controller’s rights and obligations
- The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Danish Data Protection Act.
- The Data Controller shall, therefore, have both the right and obligation to make decisions about the purposes and means of the processing of personal data.
- The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorized in law.
The Data Processor’s acts according to instructions
- The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
- The Data Processor shall immediately inform the Data Controller if instructions in the opinion of the Data Processor contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member State law.
- The Data Processor shall ensure that only those persons who are currently authorized to do so are able to access the personal data being processed on behalf of the Data Controller. Access to the data shall, therefore, without delay, be denied if such authorization is removed or expires.
- Only persons who require access to the personal data in order to fulfill the obligations of the Data Processor to the Data Controller shall be provided with authorization.
- The Data Processor shall ensure that persons authorized to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to the suitable statutory obligation of confidentiality.
- The Data Processor shall, at the request of the Data Controller, be able to demonstrate that the employees concerned are subject to the above confidentiality standard.
Security of processing
- The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- The above obligation means that the Data Processor shall perform a risk assessment and thereafter implement measures to counter the identified risk. Depending on their relevance, the measures may include the following:
- Pseudonymization and encryption of personal data.
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- The Data Processor shall in ensuring the above – in all cases – at a minimum, implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.
- The Parties’ possible regulation/agreement on remuneration etc. for the Data Controller’s or the Data Processor’s subsequent requirement for establishing additional security measures shall be specified in the Parties’ ‘Master Service Agreement’ or in Appendix D to this Data Processing Agreement.
Use of sub-processors
- The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4, of the General Data Protection Regulation in order to engage another processor (Sub-Processor).
- The Data Processor shall therefore not engage another processor (Sub-Processor) for the fulfillment of this Data Processing Agreement without the prior specific or general written consent of the Data Controller.
- In the event of general written consent, the Data Processor shall inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes.
- The Data Controller’s requirements for the Data Processor’s engagement of other sub-processors shall be specified in Appendix B to this Data Processing Agreement.
- The Data Controller’s consent to the engagement of specific sub-processors, if applicable, shall be specified in Appendix B to this Data Processing Agreement.
- When the Data Processor has the Data Controller’s authorization to use a sub-processor, the Data Processor shall ensure that the Sub-Processor is subject to the same data protection obligations as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organizational measures in such a way that the processing meets the requirements of the General Data Protection Regulation. The Data Processor shall, therefore, be responsible – on the basis of a sub-processor agreement – for requiring that the sub-processor at least complies with the obligations to which the Data Processor is subject, pursuant to the requirements of the General Data Protection Regulation and this Data Processing Agreement and its associated Appendices.
- A copy of such a sub-processor agreement and subsequent amendments shall – at the Data Controller’s request – be submitted to the Data Controller who will thereby have the opportunity to ensure that a valid agreement has been entered into between the Data Processor and the Sub-Processor. Commercial terms and conditions, such as pricing, that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the Data Controller.
- The Data Processor shall in his agreement with the Sub-Processor include the Data Controller as a third party in the event of the bankruptcy of the Data Processor to enable the Data Controller to assume the Data Processor’s rights and invoke these as regards the Sub-Processor, e.g. so that the Data Controller is able to instruct the Sub-Processor to perform the erasure or return of data.
- If the Sub-Processor does not fulfill his data protection obligations, the Data Processor shall remain fully liable to the Data Controller as regards the fulfillment of the obligations of the Sub-Processor.
Transfer of data to third countries or international organizations
- The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller, including as regards transfer (assignment, disclosure, and internal use) of personal data to third countries or international organizations unless processing is required under EU or Member State law to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
- Without the instructions or approval of the Data Controller, the Data Processor, therefore, cannot – within the framework of this Data Processing Agreement:
- disclose personal data to a data controller in a third country or in an international organization.
- assign the processing of personal data to a sub-processor in a third country.
- have the data processed in another of the Data Processor’s divisions which are located in a third country.
- The Data Controller’s instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in Appendix C to this Data Processing Agreement.
Assistance to the Data Controller
- The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organizational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation. This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:
- notification obligation when collecting personal data from the data subject.
- notification obligation if personal data has not been obtained from the data subject.
- the right of access by the data subject.
- the right to rectification.
- the right to erasure (‘the right to be forgotten’).
- the right to restrict processing.
- notification obligation regarding rectification or erasure of personal data or restriction of processing.
- the right to data portability.
- the right to object.
- the right to object to the result of automated individual decision-making, including profiling.
- The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub-section 3, para f. This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:
- the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing.
- the obligation to report personal data breaches to the supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- the obligation – without undue delay – to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons.
- the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
- the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk due to the lack of measures taken by the Data Controller to limit risk.
- The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s assistance to the Data Controller shall be specified in the Parties’ ‘Master Service Agreement’ or in Appendix D to this Data Processing Agreement.
Notification of personal data breach
- On discovery of a personal data breach at the Data Processor’s facilities or sub-processors facilities, the Data Processor shall, without undue delay, notify the Data Controller. The Data Processor’s notification to the Data Controller shall, if possible, take place within 24 hours after the Data Processor has discovered the breach to enable the Data Controller to comply with his obligation, if applicable, to report the breach to the supervisory authority within 72 hours.
- According to Clause 2.2. under the section ‘Assistance to the Data Controller’ in this Data Processing Agreement, the Data Processor shall – taking into account the nature of the processing and the data available – assist the Data Controller in the reporting of the breach to the supervisory authority. This may mean that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in the Data Controller’s report to the supervisory authority:
- The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records.
- Probable consequences of a personal data breach.
- Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage.
Erasure and return of data
- On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller’s discretion, to erase or return all the personal data to the Data Controller and to erase existing copies unless EU law or Member State law requires storage of the personal data.
Inspection and audit
- The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and this Data Processing Agreement, and allow for and contribute to audits, including inspections, performed by the Data Controller or another auditor mandated by the Data Controller.
- The procedures applicable to the Data Controller’s inspection of the Data Processor are specified in Appendix C to this Data Processing Agreement.
- The Data Controller’s inspection of sub-processors, if applicable, shall, as a rule, be performed through the Data Processor. The procedures for such inspection are specified in Appendix C to this Data Processing Agreement.
- The Data Processor shall be required to provide the supervisory authorities which, pursuant to applicable legislation, have access to the Data Controller’s and Data Processor’s facilities, or representatives acting on behalf of such supervisory authorities with access to the Data Processor’s physical facilities on presentation of appropriate identification.
The parties’ agreement on other terms
- Separate terms relating to the consequences of the Parties’ breach of this Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Service Agreement’ or in Appendix D to this Data Processing Agreement.
- Regulation of other terms between the Parties shall be specified in the Parties’ ‘Master Service Agreement’ or in Appendix D to this Data Processing Agreement.
Commencement and termination
- This Data Processing Agreement shall become effective on the date of both Parties’ signature to the Agreement.
- Both Parties shall be entitled to require that this Data Processing Agreement is renegotiated if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation.
- The Parties’ agreement on remuneration, terms etc. in connection with amendments to this Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Service Agreement’ or in Appendix D to this Data Processing Agreement.
- This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the ‘Master Service Agreement’.
- This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the ‘Master Service Agreement’ and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.
Data Controller’s and Data Processor’s Contacts/contact points
- The Parties may contact each other using the registered contact information in connection with the digital approval of this agreement.
- The Parties shall be under obligation continuously to inform each other of changes to contacts/contact points.
A. Information about the processing
The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is:
That the Data Controller is able to access the services on Linkfire properties, which is owned and managed by the Data Processor to collect and process data about the Data Controller’s Data Subjects.
The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):
The use of Linkfire properties will include, but not be limited to, collecting personal data from visitors (Data Subjects) relating to campaigns managed by either the Data Controller or by the Data Processor on behalf of the Data Controller. The Data Controller will, with the Data Processor, have restricted access to the encrypted data stored on behalf of the Data Controller. Data Subjects will have access to their own data in respect to the applicable laws of GDPR.
Processing includes the following categories of Data Subject:
Visitor (Data Subjects) data and retargeting metrics relating to the campaigns managed by the Data Controller or the Data Processor on behalf of the Data Processor.
The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:
Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or canceled by one of the Parties.
B. Terms of the Data Processor’s use of sub-processors and list of approved sub-processors
Terms of the Data Processor’s use of sub-processors, if applicable:
The Data Processor has the Data Controller’s general consent for the engagement of sub-processors following this agreement. The Data Processor shall, however, inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller in writing (email to the email address(es) on record in the Processor’s account information for Controller is sufficient) and must give the Controller the possibility to object against the instruction of the sub-processor within 30 days prior to the engagement of sub-processors or amendments coming into force. If the Data Controller should object to the changes, the Data Controller shall notify the Data Processor of this within 2 weeks of receipt of the notification. The Data Controller shall only object if the Data Controller has reasonable and specific grounds for such refusal.
Linkfire may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with the delivery of our Services:
C. Instruction pertaining to the use of personal data
The subject of/instruction for the processing:
The Data Processor’s processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following:
- Enhancing the marketing campaign process for the Data Controller.
- Managing (collecting, storing and deleting) visitor metrics on behalf of the Data Controller. This includes, but is not limited to, data regarding visitors (Data Subjects).
- Using visitor (Data Subjects) data to an extent that supports the basic functionality of the Data Processor’s provided tools and insights used by Data Controller.
Technical and Operational Measures
Please refer to our Security Structure for TOMs
Storage period/erasure procedures:
Personal data is stored with the Data Processor until the Data Controller requests that the data is erased or returned. In the event of a request to erase, delete or terminate the agreement, the personal data is anonymized within 30 days after the expiry of the agreement, unless legal grounds call for maintenance of this personal data on the company server.
Processing of the personal data under this Data Processing Agreement cannot be performed at other locations than the following without the Data Controller’s prior written consent:
Amazon Web Services, Inc. (US (Virginia), EU (Ireland), AP (Sydney & Tokyo) Region Datacenters)
Processing and Storage:
Amazon Web Services, Inc. (EU (Ireland) Region)
Microsoft Azure. (EU (North Europe) Region)
Instruction for or approval of the transfer of personal data to third countries:
The Data Processor is obliged to duly notify and ask for the Data Controller’s consent pertaining to the transfer of personal data to a third country. The transfer of personal data to a third country can only take place upon approval and instruction of the Data Controller and follow the rules applying to the transfer of personal data to third countries stated in the General Data Protection Regulation, thus forming a legal basis for this transfer.
Procedures for the Data Controller’s inspection of the processing being performed by the Data Processor:
If necessary, the Data Controllers and Data Processors will cooperate with any reasonable request for information regarding the handling of personal data. The Data Controller’s costs, if applicable, relating to physical inspection shall be borne by the Data Controller. The Data Processor shall, however, be under obligation to set aside the resources (mainly time) required for the Data Controller to be able to perform the inspection.
Procedures for inspection of the processing being performed by sub-processors, if applicable:
The Data Processor’s and the Sub-Processor’s costs relating to physical supervision/inspection at the Sub-Processor’s facilities shall not concern the Data Controller – irrespective of whether the Data Controller has initiated and participated in such inspection.
Applicable Laws means laws, rules, directives, regulations issued or enacted by any government entity (including any domestic or foreign, supra-national, state, county, municipal, local, territorial or other government, which includes to the extent applicable, Directive 95/46/EC, Directive 2002/58/EC, European Commission decisions and guidance) each as transposed into domestic legislation of each Member State or other country and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR, and any industry self-regulatory principles that are applicable in the location or region where the Services are provided or received, related to the Processing of Personal Data or the interception, recording or monitoring of communications;
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Third country is in relation to any additional countries that are not a part of 1) the Data Processor or 2) Data Controller’s domain(s).
The terms, “Commission”, “Controller”, “Data Controller”, “Data Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.