Data Processing Agreement
Last updated: 30 March 2026
Here you will find the data processing agreement that applies within the agreement between the data controller and the data processor. We draw your particular attention to the fact that it is the data processing agreement set out below that you accept when you sign the cooperation agreement with OPARKO, as is also stated in the cooperation agreement itself. OPARKO is the data processor, and the data controller is the parking operator or site owner that has entered into a cooperation agreement with OPARKO.
1. Background for the data processing agreement
- 1.1
This agreement sets out the rights and obligations that apply when the data processor carries out processing of personal data on behalf of the data controller.
- 1.2
The agreement is designed to ensure the parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.
- 1.3
The data processor’s processing of personal data is carried out for the purpose of fulfilling the parties’ "main agreement".
- 1.4
The data processing agreement and the "main agreement" are interdependent and cannot be terminated separately. The data processing agreement may, however, without terminating the "main agreement", be replaced by another valid data processing agreement.
- 1.5
This data processing agreement takes precedence over any corresponding provisions in other agreements between the parties, including in the "main agreement".
- 1.6
Four appendices are attached to this agreement. The appendices form an integral part of the data processing agreement.
- 1.7
Appendix A to the data processing agreement contains further information about the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
- 1.8
Appendix B to the data processing agreement contains the data controller’s conditions for the data processor’s use of any sub-processors, as well as a list of the sub-processors, if any, that the data controller has approved.
- 1.9
Appendix C to the data processing agreement contains detailed instructions on the processing the data processor is to carry out on behalf of the data controller (the subject of the processing), the security measures that must be observed as a minimum, and how the data processor and any sub-processors are supervised.
- 1.10
The data processing agreement, together with its appendices, is retained in writing, including electronically, by both parties.
- 1.11
This data processing agreement does not release the data processor from obligations imposed directly on the data processor under the General Data Protection Regulation or any other legislation.
2. The data controller’s obligations and rights
- 2.1
As a general rule, the data controller is responsible towards the outside world (including the data subject) for ensuring that the processing of personal data is carried out within the framework of the General Data Protection Regulation and the Data Protection Act.
- 2.2
The data controller therefore has both the rights and the obligations to make decisions about the purposes for which, and the means by which, processing may be carried out.
- 2.3
The data controller is responsible, among other things, for ensuring that there is a legal basis for the processing that the data processor is instructed to carry out.
3. The data processor acts on instructions
- 3.1
The data processor may only process personal data on documented instructions from the data controller, unless required to do so under EU law or the national law of a Member State to which the data processor is subject; in that case, the data processor shall inform the data controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest, cf. Article 28(3)(a).
- 3.2
The data processor shall immediately inform the data controller if, in the data processor’s opinion, an instruction infringes the General Data Protection Regulation or data protection provisions in other EU law or the national law of a Member State.
4. Confidentiality
- 4.1
The data processor ensures that only those persons currently authorised to do so have access to the personal data being processed on behalf of the data controller. Access to the data must therefore be closed down immediately if the authorisation is withdrawn or expires.
- 4.2
Only persons for whom it is necessary to have access to the personal data in order to fulfil the data processor’s obligations towards the data controller may be authorised.
- 4.3
At the request of the data controller, the data processor shall be able to demonstrate that the relevant employees are subject to the above-mentioned duty of confidentiality.
5. Security of processing
- 5.1
The data processor shall implement all measures required under Article 32 of the General Data Protection Regulation, which states, among other things, that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organisational measures shall be implemented to ensure a level of security appropriate to those risks.
- 5.2
The above obligation means that the data processor shall carry out a risk assessment and then implement measures to address the identified risks. Depending on what is relevant, these may include, among others, the following measures:
- •
Pseudonymisation and encryption of personal data.
- •
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- •
The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
- •
A procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
- •
- 5.3
In connection with the above, the data processor shall in all cases, as a minimum, implement the level of security and the measures specified in more detail in Appendix C to this agreement.
- 5.4
Any arrangement or agreement between the parties concerning remuneration or the like in connection with the data controller’s or the data processor’s subsequent request for the establishment of additional security measures will appear in the parties’ "main agreement".
6. Use of sub-processors
- 6.1
The data processor shall meet the conditions referred to in Article 28(2) and (4) of the General Data Protection Regulation in order to make use of another processor (sub-processor).
- 6.2
The data processor may therefore not make use of another processor (sub-processor) to fulfil the data processing agreement without prior specific or general written approval from the data controller.
- 6.3
In the case of general written approval, the data processor shall inform the data controller of any planned changes concerning the addition or replacement of other processors, thereby giving the data controller the opportunity to object to such changes.
- 6.4
The data controller’s detailed conditions for the data processor’s use of any sub-processors appear in Appendix B to this agreement.
- 6.5
The data controller’s approval, if any, of specific sub-processors is stated in Appendix B to this agreement.
- 6.6
When the data processor has the data controller’s approval to make use of a sub-processor, the data processor shall ensure that the sub-processor is subject to the same data protection obligations as those set out in this data processing agreement, by way of a contract or other legal instrument under EU law or the national law of a Member State, whereby in particular the necessary guarantees are provided that the sub-processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation. The data processor is thus responsible, through the conclusion of a sub-processor agreement, for imposing on any sub-processor at least the obligations to which the data processor is itself subject under the data protection rules and this data processing agreement, together with its appendices.
- 6.7
A copy of the sub-processor agreement and of any subsequent amendments thereto shall, at the data controller’s request, be sent to the data controller, who is thereby able to satisfy itself that a valid agreement has been concluded between the data processor and the sub-processor. Any commercial terms, such as prices, that do not affect the data protection content of the sub-processor agreement need not be sent to the data controller.
- 6.8
In its agreement with the sub-processor, the data processor shall include the data controller as an intended third-party beneficiary in the event of the data processor’s bankruptcy, so that the data controller can step into the data processor’s rights and enforce them against the sub-processor, for example so that the data controller can instruct the sub-processor to delete or return data.
7. Transfer of data to international organisations
- 7.1
The data processor may only process personal data on documented instructions from the data controller, including with regard to the transfer (assignment, disclosure and internal use) of personal data to third countries or international organisations, unless required to do so under EU law or the national law of a Member State to which the data processor is subject; in that case, the data processor shall inform the data controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest, cf. Article 28(3)(a).
- 7.2
Without the data controller’s instructions or approval, the data processor may therefore not, within the framework of the data processing agreement, among other things:
- 7.2.1
Disclose the personal data to a data controller in a third country or in an international organisation,
- 7.2.2
Assign the processing of personal data to a sub-processor in a third country,
- 7.2.3
Have the data processed in another of the data processor’s departments located in a third country.
- 7.2.1
- 7.3
The data controller’s instructions or approval, if any, for personal data to be transferred to a third country will appear in Appendix C to this agreement.
8. Assistance to the data controller
- 8.1
This means that the data processor shall, as far as possible, assist the data controller in ensuring compliance with:
- 8.1.1
The duty to provide information when collecting personal data from the data subject.
- 8.1.2
The duty to provide information where personal data has not been collected from the data subject.
- 8.1.3
The data subject’s right of access.
- 8.1.4
The right to rectification.
- 8.1.5
The right to erasure ("the right to be forgotten").
- 8.1.6
The right to restriction of processing.
- 8.1.7
The obligation to notify in connection with the rectification or erasure of personal data or the restriction of processing.
- 8.1.8
The right to data portability.
- 8.1.9
The right to object.
- 8.1.10
The right to object to the outcome of automated individual decision-making, including profiling.
- 8.1.1
- 8.2
The data processor assists the data controller in ensuring compliance with the data controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, cf. Article 28(3)(f).
- 8.2.1
This means that the data processor shall, taking into account the nature of the processing, assist the data controller in ensuring compliance with:
- 8.2.2
The obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing.
- 8.2.3
The obligation to report a personal data breach to the supervisory authority (Datatilsynet, the Danish Data Protection Authority) without undue delay and, where feasible, no later than 72 hours after the data controller has become aware of the breach, unless it is unlikely that the personal data breach entails a risk to the rights or freedoms of natural persons.
- 8.2.4
The obligation to notify, without undue delay, the affected data subject or data subjects of a personal data breach where such a breach is likely to entail a high risk to the rights and freedoms of natural persons.
- 8.2.5
The obligation to carry out a data protection impact assessment where a type of processing is likely to entail a high risk to the rights and freedoms of natural persons.
- 8.2.6
The obligation to consult the supervisory authority (Datatilsynet) before processing, where a data protection impact assessment shows that the processing would lead to a high risk in the absence of measures taken by the data controller to mitigate the risk.
- 8.2.1
- 8.3
Any arrangement or agreement between the parties concerning remuneration or the like in connection with the data processor’s assistance to the data controller will appear in the parties’ "main agreement".
9. Notification of a personal data breach
- 9.1
The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred at the data processor or a possible sub-processor.
- 9.1.1
The data processor’s notification to the data controller shall, where feasible, take place no later than 48 hours after the data processor has become aware of the breach, so that the data controller is able to comply with any obligation it may have to report the breach to the supervisory authority within 72 hours.
- 9.1.1
- 9.2
In accordance with section 10.2(b) of this agreement, the data processor shall, taking into account the nature of the processing and the information available to it, assist the data controller in reporting the breach to the supervisory authority.
- 9.2.1
This may mean that the data processor shall, among other things, help to provide the information below, which under Article 33(3) of the General Data Protection Regulation must be included in the data controller’s notification to the supervisory authority:
- 9.2.2
The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned.
- 9.2.3
The likely consequences of the personal data breach.
- 9.2.4
The measures taken or proposed to be taken to address the personal data breach, including, where relevant, measures to mitigate its possible adverse effects.
- 9.2.1
10. Erasure and return of data
- 10.1
On termination of the processing services, the data processor is obliged, at the data controller’s choice, to delete or return all personal data to the data controller, and to delete existing copies, unless EU law or national law requires the storage of the personal data.
11. Supervision and audit
- 11.1
The data processor makes available to the data controller all information necessary to demonstrate the data processor’s compliance with Article 28 of the General Data Protection Regulation and this agreement, and allows for and contributes to audits, including inspections, carried out by the data controller or another auditor mandated by the data controller.
- 11.2
The detailed procedure for the data controller’s supervision of the data processor appears in Appendix C to this agreement.
- 11.3
As a general rule, the data controller’s supervision of any sub-processors takes place through the data processor. The detailed procedure for this appears in Appendix C to this agreement.
- 11.4
The data processor is obliged to grant authorities that, under the legislation in force at any given time, have access to the data controller’s and the data processor’s facilities, or representatives acting on behalf of such an authority, access to the data processor’s physical facilities upon due identification.
12. Entry into force and termination
- 12.1
This agreement enters into force upon both parties’ signature of it.
- 12.2
Either party may require the agreement to be renegotiated if changes in the law or inexpediencies in the agreement give rise to this.
- 12.3
Termination of the data processing agreement may take place in accordance with the termination terms, including notice period, set out in the "main agreement".
- 12.4
The agreement applies for as long as the processing continues. Regardless of the termination of the "main agreement" and/or the data processing agreement, the data processing agreement will remain in force until the processing ceases and the data is deleted at the data processor and any sub-processors.
- 12.5
Signature.
- 12.5.1
By each party’s signature of the main agreement, the cooperation partner and OPARKO respectively accept this data processing agreement.
- 12.5.1
Appendix A: Information about the processing
The purpose of the data processor’s processing of personal data on behalf of the data controller is:
To use personal data to carry out parking control in the agreed area. In addition, to enable the data controller to use the data processor’s systems to collect and process data.
The data processor’s processing of personal data on behalf of the data controller primarily concerns (the nature of the processing):
The data processor provides systems that enable the data controller to independently carry out parking control in the agreed area. In addition, the personal data of the data controller’s members is stored in the system and on servers.
The processing includes the following types of personal data about the data subjects:
Name, email address, telephone number, address, payment information, type of membership, registration number, number of created charges and permits.
The processing includes the following categories of data subjects:
The processing includes persons who are or have been registered with the data controller. This includes those who are registered as being permitted to park in the area, to whom the data controller has issued a temporary or permanent permit, which does not include guests who have purchased a ticket on a one-off basis.
The data processor’s processing of personal data on behalf of the data controller may commence after this agreement enters into force. The processing has the following duration:
The processing is not time-limited and continues until the agreement is terminated or cancelled by one of the parties.
Appendix B: Conditions for the data processor’s use of sub-processors and list of approved sub-processors
- B.1
Conditions for the data processor’s use of any sub-processors.
The data processor may only make use of sub-processors after prior specific written approval from the data controller. This takes place in consultation between the data processor and the data controller. The data processor’s request for this must reach the data controller at least 1 month before the use or change is to take effect. If a sub-processor has been included in the contract, the data processor is not responsible for giving notice at least 1 month before the use or change takes effect. The data controller may only refuse approval where the data controller has reasonable, concrete grounds for doing so.
- B.2
Approved sub-processors.
No specific approved sub-processors are listed in this standard agreement. Any approved sub-processors are agreed separately and appear in connection with the cooperation agreement.
Appendix C: Instructions regarding the processing of personal data
- C.1
Subject of the processing/instructions. The data processor’s processing of personal data on behalf of the data controller takes place through the data processor carrying out the following:
- •
Collection of parking charges.
- •
Registration of parking permits.
- •
Providing information about new initiatives and changes at the data processor.
- •
- C.2
Security of processing. As this concerns the processing of ordinary, non-sensitive personal data, a "low" level of security is to be established. The data processor is thereafter entitled and obliged to make decisions about which technical and organisational security measures are to be used to create the necessary (and agreed) level of security around the data. However, the data processor shall in all cases, and as a minimum, implement the following measures, which have been agreed with the data controller:
- •
Recognised encryption must be used when transporting personal data between data centres and when transporting between data centres and users.
- •
Storage of personal data at data centres must be adequately secured against unauthorised access.
- •
An effective backup procedure must be established that ensures the data processor’s access to all necessary processing systems.
- •
The data processor shall secure all physical locations against outside access, including via alarm systems, access control and individual management of employees’ access.
- •
The data processor’s employees may only have access to personal data to the extent necessary for the performance of their work.
- •
The data processor’s employees may not process personal data outside the agreed operating environment without the data controller’s prior approval.
- •
Personal data may not be stored locally on the employee’s equipment or mobile devices, including external hard drives and USB-sticks.
- •
The data processor shall ensure that employees who are given access to personal data have signed a confidentiality declaration. The duty of confidentiality applies both during employment and after the end of employment.
- •
Personal data must be deleted effectively and securely upon disposal of IT equipment.
- •
- C.3
Storage period/erasure routine. The personal data is stored at the data processor until the main agreement terminates or the data controller requests that the data be deleted or returned.
- C.4
Location of processing. Processing of the personal data covered by the agreement may not, without the data controller’s prior written approval, take place at locations other than the following:
- 1)
The processing of personal data takes place at the data processor at its address.
- 2)
Processing may also take place at the sub-processors that appear in Appendix B.
- 1)
- C.5
Instructions or approval regarding the transfer of personal data to third countries. If the data controller has not, in this section or by a subsequent written notice, given instructions or approval regarding the transfer of personal data to a third country, the data processor may not, within the framework of the data processing agreement, carry out such a transfer.
- C.6
Detailed procedures for the data controller’s supervision of the processing carried out at the data processor. The personal data at the data processor may be supervised when the data controller believes that a need for this arises.