Terms & conditions and GDPR

Personal data regulations regarding the relationship between the customer as the Data Controller and WEBSHIPPER ApS as the Data Processor

Terms for Privacy & Data with WEBSHIPPER ApS, version 2.0 is effective from May 2, 2018

1. The subscription that the customer has with WEBSHIPPER ApS is a platform for automating freight processes for the customer and as a natural part of this, WEBSHIPPER ApS processes various personal data on the customer’s behalf.

This concerns data about the customer’s customers, i.e. data relating to the persons who are the recipients of the consignments.

This section concerns the relationship between the Data Controller (customer) and the Data Processor (WEBSHIPPER ApS), in connection with the personal data regulations.

2. Processed personal data.

2.1. The Data Processor, as part of the subscription, has access, on behalf of the Data Controller, to process:

Name and address of the persons receiving the consignments.

Information about the individual type of item sent and the value/price of the item.

3. The purpose and scope of the personal data processing.

3.1. As a natural part of the Data Processor’s status as the provider of subscription-based solutions for handling the Data Controller’s freight processes, the Data Processor stores the information, and similarly the Data Controller exchanges information with relevant third parties in the form of freight companies that the Data Controller uses, and possibly customs authorities (if the consignments are cross-border).

3.2. The purpose of the personal data processing is to manage the Data Controller’s freight processes.

3.3. It is emphasised that the Data Processor may only process personal data to the extent necessary for the operation of the Data Controller’s WEBSHIPPER subscription with the Data Processor, and/or if the Data Processor is required by law to process the data otherwise.

3.4. It is emphasised that the freight companies to which personal data is disclosed as part of this agreement are the Data Controller’s (the customer’s) Data Processors, not WEBSHIPPER ApS’ Data Processors. – WEBSHIPPER ApS has only an intermediary function in this regard.

4. The Data Processor’s obligations

4.1. The Data Processor may only process the personal data in question in accordance with the instructions of the Data Controller, i.e. the instructions contained in the WEBSHIPPER solution under which the Data Processor shall manage freight processes for the Data Controller.

4.2. The Data Processor is required to comply with the currently-applicable personal data legislation and shall notify the Data Controller immediately if an instruction from the Data Controller is, in the Data Processor’s opinion, contrary to the General Data Protection Regulation or Danish personal data legislation in general.

4.3. The Data Processor shall use appropriate technical and organisational security measures to ensure that personal data is not destroyed, lost, degraded or disclosed to unauthorised bodies, misused or otherwise processed in breach of personal data legislation, whereby the Data Processor shall implement the measures necessary pursuant to article 32 of the General Data Protection Regulation.

4.4. The Data Processor is obliged to inform the Data Controller without undue delay of any data breach. In this regard, the Data Processor shall inform the Data Controller of: 

  • The nature of the data breach.
  • If possible, the type and number of affected data subjects, as well as the type of personal data concerned and the number of records of personal data concerned.
  • The measures that the Data Processor has taken or proposes should be taken to deal with the data breach, including, where appropriate, measures to limit its potential adverse effects.
  • The probable consequences of the data breach.

4.5. The Data Processor shall, at the Data Controller’s request, provide the Data Controller with sufficient information to ensure that the Data Processor has taken the necessary technical and organisational security measures.

4.6 The Data Processor shall provide all the information necessary to demonstrate that the Data Processor complies with the General Data Protection Regulation’s article 28, whereby the Data Processor shall allow and contribute to audits, including inspections carried out by the Data Controller or another auditor authorised by the Data Controller. It is emphasised that inspections/audits in every respect take place at the Data Controller’s expense.

4.7. The Data Processor shall secure/ensure that the persons who are authorised by the Data Processor to process personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy obligation.

4.8. If a data subject asks the Data Processor (usually such requests will be made to the Data Controller) for access to and insight into that person’s personal data, the Data Processor shall immediately forward the request to the Data Controller.

4.9. The Data Processor shall assist the Data Controller with appropriate technical and organisational tools to enable the Data Controller to fulfil the Data Controller’s obligations to respond to requests for the exercise of the rights of the data subjects as specified in chapter III of the General Data Protection Regulation.

5. Specifically about the transfer of information to sub-data processors or third parties

5.1. As a natural part of the WEBSHIPPER solution, the Data Processor is entitled to disclose personal data to the Data Controller’s other data processors (freight companies), and the Data Processor is also entitled to exchange personal data with the customs authorities.

5.2. In all other cases the Data Processor may only disclose or transfer personal data to third parties or sub-processors with the prior agreement with the Data Controller. However, the Data Processor may disclose or transfer personal data without the Data Controller’s instructions, if permitted by law.

5.3. If the Data Processor hands over personal data to another data processor (sub-processor), the Data Processor is obliged to conclude a sub-processor agreement with the sub-processor, whereby the Data Processor’s sub-processor is subject to at least the same conditions as stated in this section.

5.4. The Data Processor shall notify the Data Controller if the Data Processor has plans to extend the circle of sub-processors and/or to replace existing sub-processors with others.

5.5. The Data Processor must not transfer personal data to third countries that the EU Commission has not assessed as safe third countries.

5.6. If the information is transferred to foreign sub-processors, it must be stated in the data processing agreement, cf. 5.2 that sub-processors shall comply with the EU’s General Data Protection Regulation and any other current personal data law in force. Sub-processors in EU countries with specific regulatory requirements regarding data processing must also comply with these requirements.

6. Duration of data processing

6.1. The processing of personal data pursuant to this agreement continues until such time as the WEBSHIPPER subscription concluded between the parties ceases.

6.2. However, in the event of the termination of a subscription, the Data Processor is bound by this agreement for as long as the Data Processor has access to personal data originating from the Data Controller.

6.3. In the event of termination of a WEBSHIPPER subscription, the Data Processor is required to delete any backups and other copies of the personal data.

6.4. However, as a limitation to the foregoing provisions, it is noted that, pursuant to the Danish Bookkeeping Act for the purposes of documenting the services/consignments covered by the subscription payments, the Data Processor shall store the relevant personal data for each consignment for up to five years after the consignment year. The personal data shall then be deleted, leaving only the type, value/price of the goods, and the recipient country, while other data (recipient name and postal address) are deleted.

7. Pricing and special agreements

7.1. The pricing of the current subscription plan, as well as of any additions, shall be specified by contract between the Customer and WEBSHIPPER ApS.

7.2. If the Customer wishes to purchase any additional services which are not included in the current subscription plan, and have not had a price set by contract between the Customer and WEBSHIPPER ApS, the price must be agreed in advance with WEBSHIPPER ApS before the service can be delivered.

7.3. All prices are exclusive of VAT unless otherwise stated. A fee corresponding to the amount paid to the payment provider shall be  added to all transactions made via credit card or debit card. Payments made via bank transfer shall be subject to a fee of DKK 50.

8. Liability and defects

8.1. WEBSHIPPER ApS offers no warranties and any liability towards the Customer shall be limited to an amount corresponding to the subscription fees paid by the Customer with a maximum of DKK 10.000 (TEN THOUSAND).

8.2. WEBSHIPPER ApS shall under no circumstance, regardless of any degree of negligence, be liable for any incidental, indirect, special, consequential or punitive damages including, but not limited to, loss of business, revenue, profits, time, goodwill, data or anticipated savings.

8.3. WEBSHIPPER ApS shall be entitled to provide any remedies or replacements through service partners.

9. Personal data regulations. – The relationship between the Customer as the Data Controller and WEBSHIPPER ApS as the Data Processor

9.1. The service provided by WEBSHIPPER ApS is a platform for automating freight processes for the Customer and as a natural part of this, WEBSHIPPER ApS processes various types of personal data on behalf of the Customer. This pertains to data about the Customer’s own customers, i.e. data relating to the persons who are the recipients of the Customer’s consignments.

This clause concerns the relationship between the Data Controller (the Customer) and the Data Processor (WEBSHIPPER ApS) in regard to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “the General Data Protection Regulation”).

9.2 Processed personal data.

9.2.1. The Data Processor, as part of the WEBSHIPPER subscription, has access to process the following on behalf of the Data Controller:

The names and addresses of the recipients.

Information about the individual types of goods to be shipped, as well as the value/price of the goods.

9.3. The purpose and scope of the processing of personal data.

9.3.1. As an integral part of the Data Processor’s position as the provider of a subscription-based solution for handling the Data Controller’s freight processes, the Data Processor will process and store personal data. Furthermore, the Data Controller will exchange the processed personal data with relevant third parties in the form of the freight companies which the Data Controller uses and potentially customs authorities.

9.3.2. The purpose of the processing of personal data is to manage the freight processes of the Data Controller.

9.3.3. The Data Processor may only process personal data to the extent necessary for the operation of the Data Controller’s WEBSHIPPER subscription with the Data Processor and/or if the Data Processor is required by law to do so for other reasons.

9.3.4. The freight companies to which personal data is transferred, as part of this agreement, are the data processors of the Customer and not the data processors of WEBSHIPPER ApS. In this regard, WEBSHIPPER ApS acts only as an intermediary between the Customer and the existing data processors of the Customer.

9.4. Obligations of the Data Processor

9.4.1. The Data Processor may only process the personal data in question in accordance with the instructions of the Data Controller, i.e. the instructions contained in the WEBSHIPPER solution under which the Data Processor shall manage freight processes for the Data Controller.

9.4.2. The Data Processor shall be obliged to comply with any applicable legislation regarding personal data. Furthermore, the Data Processor shall immediately notify the Data Controller if an instruction from the Data Controller is, in the view of the Data Processor, contrary to the General Data Protection Regulation or Danish law on personal data more broadly.

9.4.3. The Data Processor shall use appropriate technical and organisational security measures to ensure that personal data is not destroyed, lost, degraded, disclosed to unauthorised entities, misused or otherwise processed in breach of legislation regarding personal data. To this end, the Data Processor shall implement the measures necessary pursuant to article 32 of the General Data Protection Regulation.

9.4.4. The Data Processor shall be obliged to inform the Data Controller, without undue delay, of any breach of data security. In this regard, the Data Processor shall inform the Data Controller of:

  • The nature of the security breach.

  • If possible, the type and number of affected data subjects, as well as the type of personal data concerned and the number of records of personal data concerned.

  • The measures that the Data Processor has taken or proposes to be taken to deal with the security breach, including, where appropriate, measures to limit its potential adverse effects.

  • The possible consequences of the security breach.

9.4.5. The Data Processor shall, at the request of the Data Controller, provide the Data Controller with sufficient information to ensure that the Data Processor has taken the necessary technical and organisational security measures.

9.4.6 The Data Processor shall provide all the information necessary to demonstrate that the Data Processor complies with article 28 of the General Data Protection Regulation, whereby the Data Processor shall allow and contribute to audits, including inspections carried out by the Data Controller or another auditor authorised by the Data Controller. All inspections and audits shall take place at the cost of the Data Controller.

9.4.7. The Data Processor shall make sure that the individuals who are authorised by the Data Processor to handle personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy obligation.

9.4.8. If the Data Processor receives a request from a data subject for access and insight into the data subject’s personal data, the Data Processor shall immediately forward the request to the Data Controller.

9.4.9. The Data Processor shall provide the Data Controller with appropriate technical and organisational assistance to enable the Data Controller to fulfill its obligations to respond to requests from data subjects to exercise the rights specified in Chapter III of the General Data Protection Regulation.

9.5. Special provisions on the transfer of information to sub-processors or third parties.

9.5.1. As an integral part of the WEBSHIPPER solution, the Data Processor shall be entitled to exchange personal data with other data processors of the Data Controller in the form of freight companies. The Data Processor shall also be entitled to exchange personal data with customs authorities.

9.5.2. In all other cases, the Data Processor may only exchange personal data with third parties or sub-processors with the prior consent of the Data Controller. The Data Processor may, however, exchange personal data without the prior consent or instruction of the Data Controller if permitted or required by law.

9.5.3. If the Data Processor entrusts personal data to another data processor, i.e. a sub-processor, the Data Processor shall be obliged to conclude a sub-processor agreement whereby the sub-processor shall be subject to terms which shall, at a minimum, be identical to the provisions of clause 9 of this agreement.

9.5.4. The Data Processor must notify the Data Controller if the Data Processor plans to appoint or replace one or more sub-processors.

9.5.5. The Data Processor may only transfer personal data to a third country which the European Commission has declared as offering adequate levels of data protection.

9.5.6. If personal data is transferred to sub-processors located outside the European Union and the European Economic Area, the sub-processor agreement required by paragraph 9.5.3 must explicitly oblige the sub-processor to comply with the General Data Protection Regulation, as well any as other legislation regarding personal data. Furthermore, this requirement shall also apply to sub-processors located in countries within the European Union or the European Economic Area where specific requirements for the processing of personal data have been laid down by law.

9.6. Duration of data processing

9.6.1. The processing of personal data pursuant to this agreement shall take place until the termination of the subscription.

9.6.2. In the event of the termination of the subscription, the Data Processor shall be bound by this agreement for as long as the Data Processor has access to personal data originating from the Data Controller.

9.6.3. In the event of the termination of the subscription, the Data Processor shall be required to delete all potential copies of the personal data with due regard to paragraph 9.6.4.

9.6.4. In accordance with the Danish Bookkeeping Act, the Data Processor is obliged to store the relevant personal data pertaining to all consignments for up to five years in order to be able to document the services and consignments covered by the subscription payments. After five years, the personally identifiable data will be deleted in that only the types of goods, value/price and recipient country will be archived, while any other information (such as the names and addresses of the recipients) will be deleted.

10. Jurisdiction

10.1. This agreement shall be governed by Danish law.

10.2. Any claim or dispute arising from, or in relation to this agreement shall be attempted to be resolved by the parties through negotiation. If the parties cannot reach an amicable agreement, the dispute shall be settled in the first instance by the District Court of Aarhus.