Agreement on sub-contracted personal data processing under Article 28 of the EU General Data Protection Regulation (GDPR)
Contents
- Preamble
- Rights and duties of the data controller
- The data processor acts according to instructions
- Non-disclosure
- Security of processing
- Use of data sub-processors
- Transfer to third countries or international organisations
- Assistance to the data controller
- Notification of breach of personal data security
- Deletion and return of data
- Audit, including inspection
- Liability and limitation of liability
- Record keeping by the data processor
- Changes to the data processing conditions
- Agreement of the Parties on other matters
- Entry into force and termination
- Contact information of the Parties
Appendix A Information about the processing
Appendix B Data sub-processors
Appendix C Instruction on the processing of personal data
1. Preamble
- The data controller and the data processor have entered into an agreement on the data controller’s access to and use of the Evovia cloud service (the Main Agreement/Subscription Agreement). Evovia is a digital management platform offered as a cloud service (SaaS).
- The Provisions form an integral part of the Main Agreement/Subscription Agreement.
- The Provisions set out the rights and obligations of the data processor when the data processor carries out the processing of personal data on behalf of the data controller.
- The Provisions are designed to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR).
- In the context of the provision of the Evovia cloud service, the data processor processes personal data on behalf of the data controller, in accordance with these Provisions.
- These Provisions shall take precedence over any corresponding provisions in other agreements between the Parties.
- There are three appendices to these Provisions, and the appendices form an integral part of the Provisions.
- Appendix A contains details of the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
- Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors, and a list of sub-processors whose use has been approved by the controller.
- Appendix C contains the data controller’s instructions regarding the data processor’s processing of personal data, a description of the security measures that the data processor must as a minimum implement, and how the processor and any sub-processors are supervised.
- The Provisions and their associated appendices shall be stored in written form, including by electronic means, by both Parties.
- These Provisions do not exempt the data processor from any obligations imposed on the data processor by the GDPR or any other legislation.
- Neither do these Provisions exempt the data controller from any obligations imposed on the data controller by the GDPR or any other legislation.
2. Rights and duties of the data controller
- The data controller is responsible for ensuring that the processing of personal data is carried out in accordance with the General Data Protection Regulation (see Article 24 of the Regulation), the data protection provisions of other EU or member states’* national law, and these Provisions.
- The data controller has the right and the duty to decide the purpose(s) and the means by which personal data may be processed.
- The data controller is inter alia responsible for ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.
- The data controller is therefore in particular responsible towards the data processor for ensuring and undertaking that:
- The data controller has the necessary legal capacity to process and entrust to the data processor and its sub-processors the carrying out of the agreed processing operations on the personal data processed in the context of the provision of the agreed services.
- The data controller’s instructions, as expressed through these Provisions and any other agreements, are lawful.
- The data controller does not entrust the data processor with the processing of personal data other than those specified in the data controller’s instructions, and that the personal data so entrusted do not relate to categories of data subjects other than those specified in the instructions.
*References to “member states” in these Provisions shall be understood to be references to “EEA member states”.
3. The data processor acts according to instructions
- The data processor may only process personal data on the basis of a documented instruction from the data controller, which the data processor has accepted, unless required to do so by EU law or by the national legislation of the member states to which the processor is subject. This instruction shall be specified in Appendices A and C. Subsequent instructions may be given by the data controller to the effect that the data processor shall cease further processing, resulting in the deletion of the data controller’s data by the data processor, as specified in the section “Deletion and return of data” below, but the instruction must always be documented and stored in written form, including by electronic means, together with these Provisions.
- The data controller may also subsequently issue further instructions to the data processor for the processing of personal data on behalf of the data controller, and the data processor shall be free to accept or refuse such further instructions.
- The data processor shall inform the data controller without delay if the data processor considers that an instruction is contrary to the GDPR or to the data protection regulations of other EU law or member state legislation.
- If, in the reasonable assessment of the data processor, the data controller’s instruction is likely to be unlawful, the data processor may, without breaching these Provisions or the Main Agreement/Subscription Agreement, cease all further processing other than storage until the data controller either issues a further instruction under which the personal data may be lawfully processed, or instructs that the data must be returned or deleted.
4. Non-disclosure
- The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor’s instructional powers, and who have given an undertaking of non-disclosure or who are subject to an appropriate legal obligation of non-disclosure, and only to the extent necessary. The list of persons to whom access has been granted shall be subject to review on an ongoing basis. On the basis of this review, access to personal data may be denied if such access is no longer necessary, and the personal data shall then no longer be accessible to these persons.
- At the request of the data controller, the data processor must be able to show that the persons concerned, who are subject to the data processor’s instructional powers, are subject to the aforementioned duty of non-disclosure.
5. Security of processing
- Article 32 of the General Data Protection Regulation states that the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing involved, and the risks of varying likelihood and severity to the rights and freedoms of natural persons. The data controller must assess the risks to the rights and freedoms of individuals posed by the processing, and implement measures to address those risks. Depending on their relevance, this may include:
- Pseudonymisation and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
- A procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.
- Article 32 of the Regulation also requires that the data processor – independently of the controller – assesses the risks to the rights of individuals represented by the data processing entrusted to the data processor, and implements measures to address those risks. For the purposes of the data processor’s risk assessment, the data controller shall provide the necessary information to the data processor to enable the data processor to identify and assess such risks.
- In addition, the data processor shall assist the data controller in complying with the data controller’s obligation under Article 32 of the GDPR by, inter alia, providing the data controller with the necessary information regarding the technical and organisational security measures already implemented by the data processor pursuant to Article 32 of the GDPR and – for a separate fee – any other information necessary to allow the data controller to comply with the data controller’s obligations under Article 32 of the GDPR. If, in the assessment of the data controller, addressing the risks identified in connection with the agreed processing of personal data requires the implementation of measures in addition to those already implemented by the data processor, the data controller shall specify to the data processor the additional measures to be implemented. The Parties shall then conclude a separate agreement on the implementation of such additional security measures, including the timetable and the remuneration of the data processor. If the Parties cannot reach such an agreement, the data controller shall instruct the data processor to cease further processing and delete the personal data entrusted, in accordance with the section “Deletion and return of data” below. The data controller may then terminate the Subscription Agreement in accordance with the termination terms agreed therein.
6. Use of data sub-processors
- The data processor must comply with the conditions set out in Article 28(2) and (4) of the GDPR in order to make use of another data processor (a data sub-processor).
- The data processor may therefore not make use of a sub-processor for the purpose of fulfilling these Provisions without the prior general written consent of the data controller.
- The data processor has the general approval of the data controller for the use of data sub-processors. The data processor shall notify the data controller in writing, with at least 30 days’ notice, of any planned changes concerning the addition or replacement of data sub-processors, thereby giving the data controller the opportunity to object to such changes prior to the use of the sub-processor(s) concerned. A longer period of notice may be specified in Appendix B for the notification of specific processing activities. If the data processor is not immediately able to perform the data processor’s obligations under the Subscription Agreement, or cannot do so without incurring excessive costs during such period of notice, the data processor shall not be liable for such non-performance.
- The data controller moreover accepts that there may be exceptional cases in which a concrete need may arise for a change concerning the addition or replacement of a data sub-processor which must be made at shorter notice or immediately. In such cases, the data processor will notify the data controller of the change as soon as possible.
- If the data controller objects to any planned change relating to the addition or replacement of a sub-processor, the data controller may terminate the Subscription Agreement by giving notice under the terms set out in the Subscription Agreement, and ensure that the data controller’s personal data are deleted prior to the planned change relating to the addition or replacement of a sub-processor. Apart from terminating the Subscription Agreement, the data controller shall have no other powers in relation to the data processor in this situation. If the agreement is terminated under this provision, the payment obligation of the data controller shall otherwise continue until the termination of the Subscription Agreement. The list of data sub-processors already authorised by the data controller is set out in Appendix B.
- Where the data processor makes use of a sub-processor for the performance of specific processing activities on behalf of the data controller, the data processor shall impose on the sub-processor, by means of a processor agreement, the same data protection obligations as those laid down in these Provisions, providing in particular the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the data processing will comply with the requirements of these Provisions and the GDPR. The data processor must therefore ensure that where a sub-processor is used, a written agreement is concluded with the sub-processor to ensure that:
- There are adequate guarantees that the data sub-processor will implement appropriate technical and organisational measures in such a way that the processing will comply with the requirements of these Provisions and the GDPR
- The sub-processor is subject to the same data protection obligations as those laid down in these Provisions, i.e. the requirements of the GDPR’s article 28(3) shall be complied with, and
- The sub-processor processes the personal data entrusted to the sub-processor only to the extent necessary to fulfil the supply obligations assumed by the sub-processor in relation to the data processor, and that the processing is carried out in accordance with the agreed instructions.
- Upon request by the data controller, copies of the sub-processor agreement(s) and any subsequent amendments thereto shall be sent to the data controller, who will thereby have the opportunity to ensure that equivalent data protection obligations resulting from these Provisions are imposed on the sub-processor. Provisions on commercial terms which do not affect the data protection content of the sub-processor agreement shall not be sent to the data controller.
- If the sub-processor fails to comply with its data protection obligations, the data processor shall remain fully liable to the data controller for the performance of the data sub-processor’s obligations. This shall be without prejudice to the rights of data subjects under the GDPR, in particular Articles 79 and 82 thereof, with respect to the data controller and the data processor, including the data sub-processor.
7. Transfer to third countries or international organisations
- The data processor shall store the data controller’s data within the EU where not otherwise covered by the data controller’s instructions.
- Any transfer of personal data to third countries or international organisations may only be undertaken by the data processor on the basis of a documented instruction to that effect from the data controller, and must always be made in accordance with Chapter V of the General Data Protection Regulation.
- If a transfer of personal data to third countries or international organisations, which the data processor has not been instructed to carry out by the data controller, is required by EU or member state law to which the data processor is subject, the data processor shall notify the data controller of this legal requirement prior to processing, unless such law prohibits such notification on the grounds of important public interests.
- In the absence of a documented instruction from the data controller, the data processor cannot thus within the framework of these Provisions:
- Transfer personal data to a controller or processor in a third country or an international organisation
- Entrust the processing of personal data to a sub-processor in a third country
- Process personal data in a third country.
- The data controller’s instructions regarding the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, shall be set out in Appendix C.6.
8. Assistance to the data controller
- The data processor undertakes to provide the data controller with the following assistance at the written request of the data controller:
- The data processor shall, as far as possible and having regard to the nature of the processing entrusted, assist the data controller by appropriate technical and organisational measures in complying with the data controller’s obligation to respond to requests to exercise the rights of data subjects as laid down in Chapter III of the General Data Protection Regulation. This means that the data processor must, as far as possible, assist the data controller to ensure compliance with:
- The obligation to provide information when collecting personal data from the data subject
- The obligation to provide information if personal data have not been collected from the data subject
- The right of access
- The right of rectification
- The right to deletion (“the right to be forgotten”)
- The right to restrict processing
- The obligation to provide notification in connection with the rectification or deletion of personal data or the restriction of processing
- The right to data portability
- The right to object
- The right not to be subject to a decision based solely on automated processing, including profiling
- The data processor shall also assist the data controller in ensuring compliance with the data controller’s obligations under Articles 32-36 of the General Data Protection Regulation, taking into account the nature of the processing operations entrusted to the data processor and the personal data available to the data processor. In addition to the data processor’s obligation to assist the data controller as set out in Provision 5.3, the data processor shall assist the data controller with:
- The obligation of the data controller to notify the competent supervisory authority, the Danish Data Protection Agency, of the personal data breach without undue delay and, if possible, within 72 hours of becoming aware of it, unless the personal data breach is unlikely to pose a risk to the rights or freedoms of individuals
- The obligation of the data controller to notify the data subject without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of individuals
- The obligation of the data controller to carry out, prior to processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (data protection impact assessment)
- The obligation of the data controller to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing if a data protection impact assessment shows that the processing would lead to a high risk in the absence of measures taken by the data controller to mitigate the risk.
- In Appendix C, the Parties shall specify the necessary technical and organisational measures by which the data processor must assist the data controller, and the extent and scope of such assistance. This applies to the obligations arising from Provisions 8.1 and 8.2.
- The data processor shall be entitled to a separate fee for the assistance provided in fulfilling the data controller’s requests under this Provision 8. The fee shall be calculated on the basis of the time consumed by the data processor and the data processor’s usual hourly rate for such work.
- However, the data processor shall not be entitled to remuneration in relation to assistance in the performance of the data controller’s obligations under Articles 33-34 of the GDPR.
9. Notification of breach of personal data security
- If the data processor becomes aware of a personal data breach at the data processor, or at a data sub-processor used in relation to the personal data that the data controller has entrusted to the data processor, the data processor shall notify the data controller of the personal data breach without undue delay after becoming aware that the breach has occurred.
- Notification may be sent by e-mail to the contact address provided by the data controller in the Subscription Agreement. On becoming aware of a personal data breach, the data processor shall without undue delay take reasonable and proportionate steps to mitigate the harm caused by the breach.
- The data processor must assist the data controller in notifying the breach to the Danish Data Protection Agency or other competent supervisory authority. This means that the data processor must assist in providing the following information, which, in accordance with Article 33(3) of the GDPR, must be included in the data controller’s notification of the breach to the competent supervisory authority:
- The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- The likely consequences of the personal data breach
- The measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.
- If it is not possible for the data processor to provide all of the information at the same time, the information may be provided in phases without further undue delay. The notification of the data controller by the data processor shall, where possible, be made in time to allow the data controller to submit a complete notification to the supervisory authority within the time limits for the notification of personal data breaches specified in Article 33 of the General Data Protection Regulation.
- Following the initial notification to the controller, the data processor must therefore, if necessary, continuously update and complete the information to the data controller so that the data controller can if necessary update a personal data breach notification to the supervisory authority.
- The data processor’s notification of a personal data breach does not constitute an admission of fault or liability in relation to a personal data breach that has occurred.
- At the request of the data controller, the data processor shall also assist the data controller in ensuring compliance with the data controller’s obligations under Article 34 of the General Data Protection Regulation, taking into account the nature of the processing operations entrusted to the data processor and the personal data available to the data processor.
10. Deletion and return of data
- Upon termination of the agreed services relating to the processing of personal data under the Subscription Agreement, the data processor shall be obliged to delete all personal data that have been processed on behalf of the data controller and to confirm to the data controller that the data have been deleted, unless EU law or the national legislation of the member states requires storage of the personal data.
- However, the data processor may continue to store the personal data entrusted by the data controller after termination of the Subscription Agreement and of the personal data processing services agreed therein if the data processor is subject to a legal obligation requiring the data processor to carry out such storage of the data controller’s personal data. The data processor undertakes to process the personal data only for the purpose(s) and period of time, and under the conditions prescribed by these Provisions.
- Prior to termination of the Subscription Agreement, the data controller may also instruct the data processor to provide a copy of the personal data. In this case, the medium and format of the delivery shall be agreed. The data processor shall be entitled to remuneration for work carried out in connection with the delivery on the basis of the time spent and at the data processor’s generally applicable hourly rate for such work, as well as for any costs and outlays incurred in connection with the work. The data processor shall be entitled to require the payment of a deposit before accepting the delivery instruction.
- If the data controller instructs the data processor to deliver personal data, this is also an instruction that the data processor shall not delete the personal data processed on behalf of the data controller until the delivery has been made and confirmed by the data controller.
- The data processor’s implementation of the data controller’s instruction to delete the data controller’s personal data shall take place in accordance with the GDPR, and as soon as practicable.
- As part of the Subscription Agreement, the data processor shall make data backups. The agreed services relating to the processing of personal data under the Subscription Agreement are, as far as personal data are concerned, included in a backup and are therefore only terminated when the backup is destroyed in accordance with the data processor’s backup procedure. By default, Evovia deletes customer data from the operational environment 14 days after the end of the Subscription Agreement. In this connection, the Customer agrees that the Customer’s data will be included in a backup procedure for 90 days, after which all copies of the Customer’s data will be deleted.
11. Audit, including inspection
- At the request of the data controller, the data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and these Provisions, and shall enable and contribute to audits, including inspections, carried out by the data controller or by another auditor authorised by the data controller.
- Inspection may only be carried out by a person who is subject to the data processor’s general security measures and who enters into a non-disclosure agreement directly with the data processor, under the usual terms.
- The data processor may object to a person designated by the data controller to carry out an inspection if, in the reasonable opinion of the data processor, the designated person is not fit or qualified to carry out the inspection, including if the person (1) is not independent, (2) is affiliated with or has relations with a direct competitor of the data processor, or (3) is otherwise manifestly unfit to perform the task.
- If the data processor objects to the designated person, the data controller may designate another person to carry out the inspection.
- Supervision of the data processor’s sub-processors shall be carried out via the data processor. The procedure is set out in Appendix C. However, the data controller may also choose to initiate and participate in a physical inspection at the premises of the data sub-processor, if the sub-processor so permits. Inspection shall be carried out in accordance with the terms for inspection laid down by the data sub-processor.
- The procedures for the data controller’s audits, including inspections, with the data processor and sub-processors are detailed in Appendices C.7. and C.8.
- The data processor shall be obliged to grant access to the physical facilities of the data processor to supervisory authorities who have access under the applicable law to the facilities of the data controller or the data processor, or to representatives acting on behalf of the supervisory authority, on presentation of appropriate identification.
- The data processor shall be entitled to remuneration for the exercise of inspection and audit by the data controller. The remuneration shall be calculated on the basis of the working time consumed and the applicable hourly rates of the data processor, plus any out-of-pocket costs incurred, including costs incurred by the data processor for the assistance of sub-processors.
12. Liability and limitation of liability
- For the payment of compensation to persons as the result of an unlawful processing operation or any other processing in breach of the GDPR and the Danish Data Protection Act, section 40 of the Danish Data Protection Act shall apply. Notwithstanding the wording of Article 82(5) of the General Data Protection Regulation, a party who has paid compensation to an injured party, even where that compensation does not amount to full compensation, may have a right of recourse in accordance with the principle laid down in Article 82(5).
- The Parties agree that the same rules shall in any case also apply in relation to other compensation for non-economic losses, as regards the final internal allocation of liability between the data processor and the data controller.
- The Parties may not claim recourse or compensation from the other party for fines or other penalties imposed pursuant to section 41 of the Danish Data Protection Act, or for administrative fine notices accepted pursuant to section 42 of the Danish Data Protection Act.
- Additional limitation or disclaimers of liability may be contained in the Subscription Agreement.
13. Record keeping by the data processor
- The data processor shall be obliged to keep records of the categories of processing operations carried out on behalf of the data controller in accordance with Article 30(2) of the GDPR. The data controller shall be obliged to inform the data processor of the name and contact details of the data controller’s representative and data protection officer, if any, and to update such information so that the records can be properly maintained by the data processor.
14. Changes to the data processing conditions
- The data processor may provide written notification of changes to the Provisions to the data controller with 30 days’ notice to the end of a calendar month.
- Information about planned changes shall be forwarded to the data controller’s contact person by e-mail.
- If the data controller continues to use Evovia after the notified changes to the Provisions enter into force, the data controller shall thereby be deemed to have accepted the changes to the Provisions.
- If the data controller does not wish to accept notified changes to the Provisions, the data controller may terminate the Subscription Agreement in accordance with the termination terms agreed therein, and the data controller shall then ensure that all personal data are deleted from Evovia before the notified changes take effect.
15. Agreement of the Parties on other matters
- The Parties may agree on other provisions regarding the Evovia Subscription Agreement on the processing of personal data, provided these other provisions do not directly or indirectly conflict with data protection legislation or impair the fundamental rights and freedoms of the data subject as derived from the GDPR.
16. Entry into force and termination
- These Provisions shall enter into force on the date of signature or other accession by both Parties.
- Either Party may request a renegotiation of the Provisions if changes in the law or inappropriateness in the Provisions give rise to such a request.
- The Provisions shall apply for the same duration as the obligations of the data processor under the Subscription Agreement regarding the processing of personal data. During this period, the Provisions may not be terminated unless other provisions governing the delivery of the service relating to the processing of personal data are agreed between the Parties.
17. Contact information of the Parties
Requests by the data controller to the data processor regarding data protection, including requests for supervision and inspection, should be sent to:
Evovia ApS
Finderupvej 5
8000 Aarhus C.
or by e-mail to: gdpr@evovia.com
The data controller’s contact person is stated under the ‘Terms’ tab of the Customer’s own page on the Evovia management platform.
The Parties are obliged to keep each other informed of changes concerning contact persons.
Version: December 2022
Appendix A Information about the processing
A.1. The purpose of the processing of personal data by the data processor on behalf of the data controller
The data controller and the data processor have entered into an agreement on the data controller’s access to and use of the Evovia cloud service (the Main Agreement/Subscription Agreement). Evovia is a digital management platform offered as a cloud service (SaaS).
A.2. The processing of personal data by the processor on behalf of the controller mainly relates to (nature of the processing)
When the data processor supplies the Evovia cloud service to the data controller, personal data are processed in accordance with the purposes necessary to provide the services set out in the Subscription Agreement, including storage, collection, recording, systematisation, aggregation, deletion, archiving, etc.
A.3. The processing covers the following types of personal data on the data subjects
The entrusted processing operations cover the types of data that the data controller enters and loads into the Evovia cloud service. By default, this includes the names, e-mail addresses and location of employees in the organisation and the name of their immediate manager. In addition to this are other personal data that the employee and the employee’s manager upload to the cloud service, e.g. preparatory notes, scores, comments on agreements and action plans with deadlines for performance reviews, performance appraisals, etc. As free text fields can be used here, the type of information provided may be sensitive. In this context, the data processor undertakes to comply with the security requirements in relation to the processing of possible sensitive data, as described in more detail in C.2.
A.4. The processing covers the following categories of data subjects
The data subjects encompass the categories to which the data controller extends the use of Evovia, in particular the data controller’s employees. If the data controller wishes to avail of Evovia’s “360-degree leadership evaluation” function, which includes, for example, contributions from external stakeholders, the categories of data subjects will also include such external stakeholders. The situation is similar if the data controller wishes to use a GRUS group which includes one or more external stakeholders.
A.5. The processing of personal data by the data processor on behalf of the data controller may begin after the entry into force of these Provisions. The processing has the following duration
The data processor shall undertake the processing of the data controller’s personal data for as long as Evovia is obliged to do so under the Subscription Agreement, and for a period thereafter until the data processor deletes the data controller’s personal data in accordance with the data processor’s backup procedure.
Appendix B Data sub-processors
B.1. Approved data sub-processors
Upon the entry into force of the Provisions, the data controller has authorised the use of the following data sub-processors:
- Traels.it, Bøgevej 32, 5200 Odense V, CVR 22001884: Main responsibility for the technical development of the entire evovia platform, and therefore full access.
- Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, CVR DE 812871812: Hosting of data
- Hetzner Finland Oy, Huurrekuja 10, 04360 Tuusula, Finland, CVR 2720758-9: Hosting of data
- Scannet, Højvangen 4, 8660 Skanderborg, CVR. 29412006: Hosting of data
- Cloud Factory A/S, Vestergade 4, 6800 Varde, CVR-nr. 35393692: Hosting of data
- SMTP.dk, Refshalevej 163A, 1.tv., 1432 København K., CVR. 29849439: Responsibility for sending automails from the Evovia platform
Upon the entry into force of the Provisions, the data controller has authorised the use of the above-mentioned data sub-processors for the processing activity described. The processor shall not without the consent of the data controller make use of a sub-processor for a processing operation other than those described and agreed, or make use of a different sub-processor for that processing operation.
B.2. Notice period for the approval of sub-processors
The data processor shall notify the data controller in writing, if possible with at least 30 days’ notice, of any planned changes concerning the addition or replacement of data sub-processors, thereby giving the data controller the opportunity to object to such changes prior to the use of the sub-processor(s) concerned.
Appendix C Instruction on the processing of personal data
C.1. Subject and instruction of the processing
The processing of personal data by the data processor on behalf of the data controller shall be carried out by the data processor as follows: Any processing necessary for the data processor to fulfil the obligations set out in the Subscription Agreement. This includes in particular processing activities necessary to make the Evovia cloud platform available to the data controller.
C.2. Security of processing
The level of security must reflect the following:
The data processor shall put into place and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing activities the data processor carries out for the data controller.
The technical and organisational measures shall be determined taking into account the current technical state of the art, the cost of implementation, the nature, scope, context and purposes of the processing concerned, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons.
In assessing the appropriate level of security, particular account shall be taken of the risks represented by the data processing, in particular through accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data that is transmitted, stored or otherwise processed.
The data processor shall then be entitled and obliged to decide on the technical and organisational security measures to be implemented in order to establish the necessary (and agreed) level of security.
C.2.1 General security measures
All data processor support staff (and data processor subcontractors) have generated a long, non-trivial password of at least 12 characters for the system, and use two-factor authentication.
All employees with support access are set up to run a VPN, and may access external networks only via the VPN.
Access to servers is handled by subcontractors. Access to servers is by means of key files.
Data subcontractors do not work with data unless the data controller has granted permission for this.
C.2.2 Data centres and network security
Data are hosted by the hosting provider: see the list of data sub-processors, Appendix B.
Data are served only to users who are logged in.
Access to the data processor’s servers is blocked after three unsuccessful login attempts.
C.2.3 Authorisation and access controls
Evovia is a platform on which different users have access to different data – part of this access management is the responsibility of the data controllers themselves. In general, access sharing is granted only at the request/order of the responsible data controller.
If the data controller so requests, the data processor may work on this on behalf of the data controller. All actions are logged.
C.2.4 Data security
All data entries and data retrievals are performed via a secure web connection (https) to our web servers. The servers that drive the website itself are virtual servers, which do not store data. Access to these servers is controlled by a firewall that automatically opens to authorised employees – no one else is allowed to try to log in.
Data is transferred from these servers to a set of virtual database servers. Data is stored on a server at a hosting company which is mirrored to another server at the same hosting company. An encrypted backup file is sent daily to another server in another EU country. Finally, another encrypted backup file is sent to a third hosting company. Access to database servers is locked down to selected employees.
All data processor support staff (and data processor subcontractors) have generated a long and non-trivial password of at least 12 characters for the system.
Access to servers is handled by subcontractors. Access to servers is by means of key files. Data subcontractors do not work with data unless the data controller has granted permission for this.
C.2.5 Authorisation and access control
Evovia only accesses information in the data controller’s system if the data controller requests this – for example in a support situation. Access occurs through the data controller actively ticking a box and unticking it after use. All actions are logged.
Access to our servers is blocked after three unsuccessful login attempts. Access logging is done so that the top of each document shows who has viewed it, and when.
C.2.6 Deletion
When a customer deletes an employee who is no longer employed by the customer, the employee is deleted after 14 days, while the data entered in the MUS (performance review) tools, etc., including scores and agreements, are kept in the manager’s archive (generally for five years). However, the controller may instruct Evovia to change the retention period, to either longer or shorter than five years, and may differentiate it from tool to tool.
When a company wishes to cease using Evovia, the company is deleted after 14 days, and is completely out of any backup within 90 days.
C.2.7 Employee security
The supplier makes use of home offices. All data are stored online, and will normally only involve employees’ PCs to the extent that the website caches on the employee’s PC. Data provided for processing on an employee’s PC are treated confidentially and deleted immediately after use, by agreement with the data controller. Transmission of data between employees occurs via encrypted e-mails or encrypted attachments.
C.2.8 Input containing personal data
Input is what each user enters into the system. A support employee may only access this if we have been requested to do so by the data controller. This occurs through the data controller/user actively ticking a box and unticking it after use. The action is logged.
C.2.9 Output containing personal data
Not applicable here. A support employee may only access this if the data controller explicitly authorises us to do so in a given situation.
C.2.10 Engagement of data sub-processors
Prior to engaging a data sub-processor, Evovia will conduct due diligence or inspection of the security measures and data protection principles implemented by the sub-processor, ensuring that the sub-processor has a level of security appropriate to the processing activities they will perform for Evovia. If a data sub-processor is deemed suitable for carrying out processing activities, Evovia will enter into a written agreement with the sub-processor in accordance with the requirements of the data processor.
C.3 Assistance to the data controller
The data processor shall, to the extent possible – within the scope and extent set out below – assist the data controller in accordance with Provisions 8.1 and 8.2 by implementing the following technical and organisational measures:
At the specific request of the data controller, the data processor shall, as far as possible and having regard to the nature of the processing, assist the data controller by appropriate technical and organisational measures in complying with the data controller’s obligation to respond to requests to exercise the rights of data subjects, as laid down in the legislation on personal data.
If a data subject makes a request to the data processor to exercise the data subject’s rights, the data processor shall notify the data controller without undue delay.
Taking into account the nature of the processing and the information available to the data processor, the data processor shall also, upon specific request, assist the data controller in ensuring compliance with the obligations of the data controller in relation to:
- The implementation of appropriate technical and organisational measures
- Security breaches
- Notification to the data subject of breaches of personal data security
- Data protection impact assessments
- Prior consultation with the supervisory authority
C.4 Storage period/deletion routine
Upon termination of the personal data processing service, the data processor shall either delete or return the personal data in accordance with Provision 10.1, unless otherwise separately agreed between the Parties.
Evovia’s implementation of the data controller’s instruction to delete or return the data controller’s data shall be in accordance with the GDPR, and take place as soon as practicable. By default, Evovia deletes customer data from the operational environment 14 days after the end of the Subscription Agreement. The data controller agrees that the data controller’s data will be included in a backup procedure for 90 days, after which all copies of the data controller’s data will be deleted.
C.5 Processing site
The processing of personal data covered by the Provisions may not without the prior written consent of the data controller take place at locations other than the following:
Details of the processing sites of the data processor and its sub-processors are available on request from the data processor. The information may be disclosed to the extent that such disclosure can in the assessment of the data processor be made without risk to security. In such cases, only information relating to the country and city of the data processing site is in principle provided.
C.6 Instruction on transfer of personal data to third countries
Unless the data controller, in these Provisions or subsequently, provides a documented instruction regarding the transfer of personal data to a third country, the data processor shall not be entitled to perform such transfers within the framework of these Provisions.
C.7 Procedures for controller audits, including inspections, of the processing of personal data entrusted to the processor
The data controller has the right and the duty under Articles 24 and 28 of the GDPR to carry out the supervision of the processing of personal data by the data processor on behalf of the data controller. The data controller may carry out supervision of the data processor by performing one of the following actions:
- Self-monitoring on the basis of documents made available by the data processor to the data controller
- Written supervision, or
- Physical inspections.
C.7.1 Self-monitoring
The data processor shall annually, at the data processor’s own expense, obtain an audit opinion from an independent third party on the compliance of the data processor with the GDPR, the data protection regulations contained in other EU law or the national legislation of member states, and these Provisions.
It is agreed by the Parties that the following type of audit report may be utilised in accordance with these Provisions: ISAE3000 – type 2
The audit report will be placed on Evovia’s data controller administration page every year in June, where the data controller has the possibility of carrying out its own checks.
Based on the results of the audit report, the data controller shall be entitled to request the implementation of additional measures to ensure compliance with the GDPR, the data protection regulations contained in other EU law or the national legislation of member states and these Provisions.
C.7.2 Written supervision and physical inspection
The data controller may choose to carry out supervision, either by written supervision or by physical inspection. The supervision may be carried out by the data controller itself and/or in cooperation with third parties. The supervision must be based on the security measures agreed between the Parties. Procedure and reporting for written supervision or physical inspection:
- The data controller contacts the data processor by e-mail to gdpr@evovia.com with a request to carry out supervision and/or inspection.
- The data processor acknowledges receipt of the request and states the final date for carrying out the supervision and/or inspection.
- The supervision and/or inspection takes place.
- The data controller draws up a report which is then sent to the data processor.
- The data processor reviews the draft report and comments on any observations made by the data controller (this may be repeated several times).
- The final report is concluded by the data controller.
- The supervision is terminated.
C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors
On the basis of the data processor’s risk assessment, and taking into account the specific processing activities, the data processor carries out audits, including inspections, of the sub-processors’ processing of personal data, either in the form of self-monitoring of audit reports and the equivalent (where possible), written supervision or physical inspection, or a combination thereof.
The data controller may, at the data controller’s request, obtain further information on the control measures put in place and implemented in respect of each sub-processor.
The data controller may initiate a separate supervision of a sub-processor in relation to the data processor. This supervision is carried out in accordance with the usual and established procedure of the sub-processor, and at the expense of the data controller.
FAQ - Frequently asked questions
Updated November 2024
1. Liability and limitation of liability
Question:
You have an entire Section 12, which is not included in the Danish Data Protection Authority's template. What is your reasoning for including a section on liability and limitation of liability?
Answer:
This limitation of liability is necessary for Evovia to define and contain the risk associated with the service—and thus determine the price for it. In other words, Evovia needs to limit the total risk exposure, and on that basis, calculate the price. This provision reflects that necessity. Furthermore, the addition of the section on liability and limitation of liability also clarifies for both parties how the GDPR’s rules on compensation are applied. For example, it specifies that the provision on joint liability, including the right to seek recourse under the principle in Article 82(5), also applies in cases of compensation for non-material damage, as per Article 82(1). The justification for this section’s inclusion is to ensure the regulation of liability distribution in all matters related to data protection law between the data processor and the data controller.
2. Archiving obligations and the Archives Act – retrieval and deletion of customer data
Question:
As a public organisation, we are subject to the Archives Act and archival obligations. Therefore, we assume it is not correct that data is simply deleted?
Answer:
Our Data Processing Agreement states the following:
C.4 Retention Period/Deletion Routine:
Upon termination of the service involving the processing of personal data, the data processor must either delete or return the personal data in accordance with Provision 10.1, unless otherwise specifically agreed between the parties.
Evovia's execution of the data controller’s instructions to delete or return their data is carried out in accordance with the GDPR’s requirements and as quickly as is practically possible. By default, Evovia deletes customer data from the operational environment 14 days after the termination of the Subscription Agreement. The data controller acknowledges that their data will remain part of a backup process for 90 days, after which all copies of the data will be permanently deleted.
This specifically means:
- The customer has the option to either have their data returned (i.e., retrieve it themselves) or simply have the data deleted. If Evovia returns the data, or the customer retrieves it, we will proceed with deletion on an agreed date. This is stipulated in the provision and is in line with the GDPR requirements.
- The customer is free to choose to have the data returned or retrieve it themselves. If the customer is subject to the Archives Act and its archival obligations, they can simply request the data or retrieve it for this purpose.
Thus, there is no issue with the provision.
- Upon written request and for an additional fee, Evovia can assist the customer, following their instructions, with retrieving the relevant data for archiving purposes under the Archives Act before any deletion is carried out by Evovia.
3. Who is the third party beneficiary in the event of bankruptcy?
Evovia has chosen to deviate from Provision 7.6 of the Danish Data Protection Authority’s standard contractual clauses, as it is difficult to see how it would work in practice. In the event of Evovia’s bankruptcy, the rules of the Bankruptcy Act apply. This relationship should not be regulated in a data processing agreement, and the rules of the Bankruptcy Act cannot simply be contracted out of. Although the Danish Data Protection Authority has chosen to include this provision in its standard contractual clauses, it is not a requirement under Article 28 of the GDPR. The data processing agreement therefore continues to comply with the GDPR even though this clause is omitted. Furthermore, it is an obligation that Evovia would very likely be unable to pass on to its sub-processors, which would put Evovia in breach of the data processing agreement.
4. Data for research purposes in 100% anonymised form?
Question:
Evovia states in the Subscription Terms and Business Conditions that data is made available to Aarhus University for research purposes in a 100% anonymised form. You also mention that customers may request to be excluded from this. Therefore, we ask: Can you specify what a customer loses if they choose not to have their data included in the anonymised statistics?
Answer:
That’s correct. As outlined in our Subscription Terms and Business Conditions, Evovia reserves the right to collaborate with university researchers to use statistical data in 100% anonymised form for specific purposes. This is an option we always include in our Business Conditions, based on the following principles:
Evovia extracts data that is fully anonymised and cannot identify any specific customer or group. The data extracts are selected based only on the following parameters:
- Manager’s gender
- Employee’s gender
- Manager’s span of control (number of employees the manager directly supervises)
- Public or private organisation
- Main geographical categories
- Certain broad industry segments, provided there is a critical mass of customers to maintain anonymity.
If a customer does not wish to participate in such benchmarks, they can contact Evovia, and we will exclude them from the research. In doing so, the customer will not participate in the benchmarking nor have access to use it themselves.
For many years, we have worked with institutions such as the Department of Political Science at Aarhus University.
This means:
- If a customer opts out, their data will not be used for research purposes.
- Additionally, it will not be possible to generate reports or extracts of the company's data for benchmarking.
5. Data Processing Agreement based on the Danish Data Protection Authority's standard – with additions
Question:
The data processing agreement is based on the Danish Data Protection Authority’s standard, but it has been edited in several places. As a result, its legality may be subject to review. How do you approach this?
Answer:
We have utilised the Danish Data Protection Authority’s standard because we aim to meet the minimum requirements, and those have been fully complied with. Should the Data Protection Authority conduct a review, they will approve the parts that align with their entire standard. Yes, they will also examine the sections that go beyond the standard. However, none of these additions deviate from Article 28 of the GDPR. The changes made serve to provide further clarification and incorporate commercial considerations, which, in our experience, are both relevant and important. Allow us to provide a few examples:
- In the Preamble, we refer to the applicable subscription terms, which many customers inquire about—these terms are accepted upon payment of the first invoice.
- Regarding sub-processors, the standard offers two options: either prior specific approval or prior general approval. In practice, the first option is unworkable in our industry, while the second option is coupled with a clear framework for providing written notice in the event of a change in sub-processors.
- Notification in the event of a breach follows the standard, but we’ve provided additional detail in line with Articles 33 and 34 of the GDPR. This has proven necessary to avoid having to address this individually with each customer.
- Audits, including inspections: We have committed to uploading an independent audit report to every customer’s administration page each year in June, verifying compliance with security standards through an ISAE 3000 declaration. This investment by Evovia ensures that all customers can have confidence that everything is in order. Should a customer wish to conduct an additional inspection, they are welcome to do so under the terms of the agreement, but at their own expense.
6. Documentation for ISAE 3000 declaration
Question:
Can the data controller receive the underlying documentation for the ISAE 3000 declaration, such as sub-processor agreements, risk assessments, etc.?
Answer:
No, not without further steps. And certainly not by simply sending it out! Our system is surrounded by extremely high security, which means we cannot and must not send out such information. For this reason, we invest every year in having BDO, an independent and recognised audit firm, prepare the annual ISAE 3000 audit declaration at the end of May, which all our customers can review. This is similar to how an audited financial statement is made public, where the underlying documents and attachments are also not disclosed.
Our ISAE 3000 declaration is the audit’s certification and approval of the control objectives outlined in the report. If there are deviations in one or more control objectives, this will be clearly indicated in the auditor’s reservations. The declaration includes all relevant control objectives prepared by FSR (the Danish auditors’ association), which were published by the Data Protection Authority in February 2019. It is clearly stated that these control objectives are examples and must be adapted to the data processed by each company on behalf of its customers.
If a customer is dissatisfied with the ISAE 3000 audit declaration, a management statement from Evovia’s executive team can be provided to cover any topics that may not be sufficiently addressed in the ISAE 3000 declaration. Should this still not be satisfactory, the customer may request an external audit, which would take place on-site, and would incur a fee and be subject to strict security protocols, confidentiality agreements, and similar measures.
7. Research collaboration with Aarhus University
Question:
Is there shared data responsibility with Evovia, since Evovia itself processes data by, for example, sending anonymous data for research at Aarhus University?
Answer:
No, not at all.
The Subscription Terms and Conditions of Business state the following:
Evovia reserves the right, in collaboration with university researchers, to use statistical data in 100% anonymised form for scientific purposes. This is an option we have always included in our terms of business, and it follows these principles:
Evovia makes a data extract that is 100% anonymous and cannot identify a particular customer or group, as data extracts are selected only on the following parameters:
- Manager’s gender
- Employee’s gender
- Manager’s span of control (number of employees the manager directly supervises)
- Public or private organisation
- Main geographical categories
- Certain broad industry segments, where there is a critical mass of customers so that anonymity can be maintained.
If a customer does not wish to be included in such a benchmark, it can be exempted by contacting Evovia. The customer will then neither participate in nor be able to make use of the benchmark.
The short answer is therefore:
- No, there is no shared data responsibility here.
- The customer is responsible for what it enters, and for what it uses the statistics, graphs and reports that can be extracted from the system for, and how.
- Evovia is responsible for how data are stored and made available to the customer, including in statistics and reports, and for ensuring that this complies with the legislation.
- As for the 100% anonymous data for research purposes at Aarhus University: nothing is provided that cannot already be extracted from the system as statistics and reports, only in 100% anonymous form. We have, however, recently added some geography and broad industry categories plus male/female manager, and for the latter we use a single research program that “guesses” gender from the first name, with the risk that “Inge” is a boy’s name in Norway while it is a girl’s name in Denmark.
- Finally, any customer may, upon request, opt out of participating in and making use of such benchmark data.
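The anonymisation rule described in items 4 and 7 above (publish extracts only over the listed parameters, and only where there is a critical mass of customers) is, in privacy-engineering terms, small-cell suppression. The following Python is an added illustration written for this page, not Evovia’s own code: it aggregates constructed sample records over an allowed set of grouping parameters, drops any cell that covers fewer than a threshold number of distinct customers, and then checks the classic failure mode, a suppressed cell that a reader can recover by subtracting published finer-grained cells from a published coarser one. The threshold of 5, the field names and the sample records are assumptions; the page gives no figure.

```python
"""Small-cell suppression for anonymised benchmark extracts (added example)."""
from collections import defaultdict
from statistics import mean

# Assumed threshold: publish a cell only if it aggregates at least this many
# distinct customers. The page only says "critical mass"; 5 is a placeholder.
MIN_CELL_SIZE = 5

# The only fields an extract may be grouped by (the parameters listed on the page).
ALLOWED_KEYS = ("manager_gender", "employee_gender", "sector", "region", "industry")


def sample_records():
    """Constructed sample data: one row per appraisal score.
    customer_id is used only to count distinct customers and is never emitted."""
    rows = [
        ("c1", "public", "F", "F", 4.0),
        ("c1", "public", "M", "F", 3.0),
        ("c2", "public", "F", "M", 5.0),
        ("c3", "public", "F", "F", 3.5),
        ("c4", "public", "F", "M", 4.5),
        ("c5", "public", "F", "F", 4.0),
        ("c6", "private", "M", "F", 2.0),
        ("c7", "private", "M", "M", 3.0),
    ]
    return [
        {"customer_id": c, "sector": s, "manager_gender": mg, "employee_gender": eg,
         "region": "DK", "industry": "n/a", "score": sc}
        for c, s, mg, eg, sc in rows
    ]


def build_extract(records, group_by, min_cell_size=MIN_CELL_SIZE):
    """Aggregate records into cells keyed by group_by and suppress cells that
    cover fewer than min_cell_size distinct customers.
    Returns {key_tuple: {"n_customers", "n_records", "mean_score"}}."""
    for k in group_by:
        if k not in ALLOWED_KEYS:
            raise ValueError(f"{k!r} is not an allowed anonymisation parameter")
    cells = defaultdict(lambda: {"customers": set(), "scores": []})
    for r in records:
        key = tuple(r[k] for k in group_by)
        cells[key]["customers"].add(r["customer_id"])
        cells[key]["scores"].append(r["score"])
    extract = {}
    for key, cell in cells.items():
        if len(cell["customers"]) < min_cell_size:
            continue  # suppressed: too few customers to hide who contributed
        extract[key] = {
            "n_customers": len(cell["customers"]),
            "n_records": len(cell["scores"]),
            "mean_score": round(mean(cell["scores"]), 2),
        }
    return extract


def complementary_leaks(records, coarse_keys, fine_keys, min_cell_size=MIN_CELL_SIZE):
    """Flag coarse cells whose published totals let a reader reconstruct a
    suppressed finer cell by subtraction: if exactly one child of a published
    parent is suppressed, its record count and mean follow from the parent
    and the published siblings. fine_keys must extend coarse_keys."""
    assert tuple(fine_keys[: len(coarse_keys)]) == tuple(coarse_keys)
    coarse = build_extract(records, coarse_keys, min_cell_size)
    fine = build_extract(records, fine_keys, min_cell_size)
    all_fine = build_extract(records, fine_keys, 1)  # every cell, none suppressed
    children = defaultdict(lambda: {"total": 0, "published": 0})
    for key in all_fine:
        parent = key[: len(coarse_keys)]
        children[parent]["total"] += 1
        if key in fine:
            children[parent]["published"] += 1
    return sorted(p for p, c in children.items()
                  if p in coarse and c["total"] - c["published"] == 1)


if __name__ == "__main__":
    recs = sample_records()
    print(build_extract(recs, ("sector",)))
    print(build_extract(recs, ("sector", "manager_gender")))
    print(complementary_leaks(recs, ("sector",), ("sector", "manager_gender")))
```

Run on the sample data, the "private" cell is suppressed at sector level (two customers), only the ("public", "F") cell survives at sector by manager gender, and "public" is flagged as a complementary leak because exactly one of its two children was suppressed, so that child’s record count and mean can be derived from the published sector total. The practitioner’s response is to suppress a second child or withhold the coarser total, and to keep the grouping keys restricted to the agreed parameters so that a free-text or customer-identifying field can never become a quasi-identifier by accident.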
8. Warranties - in case of security breach
Question:
Something is missing, especially in the “Reporting of security breaches” section. Evovia does not provide any contractual assurance that we will be able to meet the 72-hour requirement in the event of a data breach on their side, as Evovia does not guarantee the information that Articles 33 and 34 require.
Answer:
No, nothing is missing. Both parts are clearly contained. And Evovia provides the necessary guarantees.
Please be aware that the data controller’s deadline of max. 72 hours only starts to run from receipt of the notification from the data processor. Since the data processor must notify without undue delay, and since the data processor only needs to establish that a breach has occurred, in practice there is very limited scope for any delay between the data processor becoming aware of the breach and the notification being given.
In Evovia's data processing agreement, it follows that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.
There are therefore the necessary guarantees that Evovia assists the data controller in meeting its obligations.
Additional documentation:
The Ministry of Justice’s report states on page 496 that:
As stated in the wording of the provision, the data controller’s obligation to report a personal data breach to the supervisory authority is triggered once the data controller has become aware of a breach of personal data security. A mere presumption that a breach of personal data security has occurred, or the mere detection of an incident, is not considered sufficient to regard a breach of personal data security as having “occurred” within the meaning of the Regulation. Such a presumption may, however, prompt the data controller to consider the security of processing, cf. Article 32 of the Regulation.
In assessing whether a breach has occurred, it must be assumed that particular attention should be paid to whether the information referred to in Article 33(3) of the Regulation is available.
And on page 497:
As regards the cases where the data controller has entrusted the processing of personal data to a data processor, reference is made to Article 33(2) of the Regulation, which is discussed in more detail below.
The Ministry of Justice’s report does not, therefore, link the data controller’s deadline and the data processor’s deadline together.
These passages are repeated in the guidance on personal data breaches issued by the Danish Data Protection Authority.
The Article 29 Working Party states in its guidelines WP250 on personal data breach notification, page 13:
Article 33(2) makes it clear that if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller “without undue delay”. It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller. The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as “aware” once the processor has informed it of the breach. The obligation on the processor to notify its controller allows the controller to address the breach and to determine whether or not it is required to notify the supervisory authority in accordance with Article 33(1) and the affected individuals in accordance with Article 34(1). The controller might also want to investigate the breach, as the processor might not be in a position to know all the relevant facts relating to the matter, for example, if a copy or backup of personal data destroyed or lost by the processor is still held by the controller. This may affect whether the controller would then need to notify.
Regardless of what the Danish Data Protection Authority states in its presentation on data processor agreements, the data controller's deadline only starts to run once the notification from the data processor has been received. Since the data processor must notify without undue delay, and since the data processor only has to establish that a breach has occurred, there is in practice very little room between the data processor becoming aware of the breach and the notification being given.
It follows that the data processor is required to assist the data controller in fulfilling its obligations under Articles 33 and 34.
The necessary guarantees that Evovia assists the data controller in fulfilling its obligations are therefore clearly contained in the agreement.
9. Approval of the Data Processing Agreement
Question:
Where and how do you approve the Data Processing Agreement?
Answer:
- As soon as the top leader in an organisation (or someone delegated at top level) logs in to Evovia, the Data Processing Agreement comes up, and you cannot move on until one of you has approved it.
- The Data Processing Agreement is available here.
- Within a few seconds of approval, an email is sent to one's mailbox with a PDF of the Data Processing Agreement attached, in which the company name is entered and Evovia's director's signature is stamped together with the date.
10. Approval of sub data processors
Question:
Does Evovia, as the data processor, need approval from the data controller, i.e., the customer, before changing a sub data processor?
Answer:
First, we’ll explain the standard procedure if a sub-processor needs to be changed. Such changes typically occur in a planned manner, and customers will be notified, providing them with 30 days to object to the change or potentially terminate the subscription if they cannot accept the new sub-processor. This procedure is clearly outlined in our Data Processing Agreement.
However, in urgent security-related situations, we must act swiftly to ensure the best possible protection for our customers. Here's a more detailed explanation as to why:
- As the responsible data processor, we must recognise that force majeure situations can arise. For example, if a sub-processor breaches our trust, we must immediately take action to safeguard our customers by replacing that sub-processor.
- If we were required to wait for individual approval in an emergency situation, we might be forced to leave customer data with a sub-processor we no longer trust. This is, of course, not a viable solution.
Here's a clarification of how the procedure would work in such an urgent situation:
- If we must change sub-processors overnight, we will do so.
- As soon as the change is complete and validated, we will send a uniform notification to all our customers, explaining the situation and introducing the new sub-processor with a validation report.
- If a customer cannot accept the change, we will engage in a dialogue to address the issue, potentially ending the collaboration and returning the customer's data.
At Evovia, we have chosen to implement general approval, as per Article 28 of the GDPR, because, for security reasons, specific approval cannot be reliably applied in service to our customers. The above procedure complies with Article 28 and has been validated by our GDPR legal advisors.
11. Incidents – storage and deletion of reports
After dialogues with the Danish Data Protection Authority in autumn 2022, two things have become clear:
- Evovia, as the data processor, is obligated to provide a legal framework for the processing and storage of data related to incidents. By default, we have set this up so that such data is stored for 5 years and is automatically deleted once the 5-year period has passed.
- The customer, as the data controller, is responsible for not retaining such data longer than necessary. This period could be, for example, 3 or 5 years. In practice, this means that the customer should contact Support to have this tool, "Incidents", configured to retain data for a specific period, such as 3 or 5 years, after which the data is deleted. However, if a particular case needs to be retained for a longer period, the customer must retrieve it and store it outside of Evovia, as the automatic deletion will occur otherwise.
12. Notification of breach of personal data protection to the supervisory authority
Question:
Some have asked us whether we could not set a fixed deadline, so that we, as data processor, report a personal data breach within a maximum of 24 hours. Currently the wording is "without undue delay".
Answer:
No, we neither can nor will. The request rests on a misreading of Article 33 of the GDPR itself (see below). The data processor must notify without undue delay, and data controllers must notify within 72 hours, but the two time frames are not nested; each has its own scope. Data controllers have 72 hours from the moment the data processor has informed them!
If there is a breach of personal data security, we have the following responsibilities as data processor:
- "Notify the controller without undue delay after becoming aware of a personal data breach" (cf. Article 33(2)).
- "Without undue delay" really means as soon as possible! At the same time, the data processor must avoid needlessly alarming customers who are not affected, so the data processor must first establish what has happened. This is done carefully and without undue delay.
- When the customer (the data controller) has been notified by the data processor, the customer then has 72 hours to fulfil its own obligation.
- It is, of course, in everyone's interest that this is done as soon as possible, or, as Article 33 says, without undue delay!
Here is the text: The EU's Personal Data Regulation, Article 33
Notification of a personal data breach to the supervisory authority
- (1) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- (2) The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
- (3) The notification referred to in paragraph 1 shall at least:
  - (a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  - (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  - (c) describe the likely consequences of the personal data breach;
  - (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- (4) Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- (5) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
13. Instructions from data managers for data processors
Question:
Article 28(3)(a) of the Regulation states that the data processor may only process personal data on documented instructions from the data controller. What does that mean? Should there be a special document for that?
Answer:
The data processor is only allowed to process personal data based on documented instructions from the data controller. When the GDPR refers to "documented instructions," it means that there must be clear and written guidelines or instructions from the data controller to the data processor regarding how the personal data should be processed. This ensures that the data processor only carries out processing activities approved by the data controller, and that these actions can be documented if required.
It does not necessarily need to be a single "specific document." The key is that the instructions are written and sufficiently documented, which can be done through various forms, such as contracts, emails, or other written communications that meet the documentation requirement.
14. Storage of data after end of subscription
Question:
What is the basis for the provision that the data processor can store data after termination of the Subscription Agreement? What legal obligation can this be?
Answer:
The wording follows from the minimum requirements for a data processing agreement under Article 28(3)(g) of the GDPR. Evovia may be legally obliged to store data; for example, courts or other public authorities may oblige Evovia to retain data. There is currently little practice in this area, which is why it is difficult to give an exact example.
15. Storage of personnel data on resigned employees
Question:
Evovia's Data Processing Agreement states that when an employee is deleted from the customer's system, the employee is deleted after 14 days, while entered data, agreements and scores are stored in the manager's archive for 5 years. Is the 5-year period legal?
Answer:
Yes, it is legal to store staff records for 5 years according to the Danish Data Protection Authority's practice. The manager's archive is an archive that only the manager in question has access to, and it is to be regarded as an "extended feature" of the Employee File.
16. Duty to inform employees
Question:
As the data controller, we have a duty to inform our employees. Can you help us fulfil this obligation?
Answer:
Yes, we can assist with that.
Types of information stored:
From the Data Processing Agreement, Annex A:
A.3. The processing includes the following types of personal data about the data subjects:
The processing includes the types of information that the data controller enters and uploads into the Evovia cloud service. By default, this includes names, email addresses, employees' positions within the organisation, and the name of their immediate supervisor.
Additionally, it includes other personal information that the employee and their supervisor themselves upload to the cloud service, such as preparatory notes, scores, comments on agreements, and action plans with deadlines for performance reviews, workplace assessments, etc. Since free text fields can be used in these cases, the type of information may be sensitive. The data processor is therefore obligated to meet the security requirements related to processing any potentially sensitive information, as further detailed in C.2.
Where Is the Data Actually Stored?
When the customer engages in dialogues with employees, makes agreements with deadlines, and performs follow-ups, all data is stored at Hetzner’s data centre in Germany, on our dedicated server section.
1. Mirroring for physical security: in real time, the data is mirrored to another server location at Hetzner in Germany. This ensures protection against physical disruptions, such as hardware failures, fire, or vandalism.
2. Daily encrypted backups for data security: additionally, every day an encrypted data file containing all the data is sent to Hetzner's facility in Finland. At the same time, another encrypted data file is sent to a location in Denmark (Cloud Factory A/S).
While step 1 focuses on safeguarding against physical risks within data centres, step 2 is aimed at protecting data from malware, hacking, or similar threats. This ensures that we can always restore from the most recent "clean" backup of all data.
In the event of a total data loss, everything can be restored from such a "clean" backup—either from Finland or Denmark. Twice a year, we conduct internal "simulated" failures to test the procedures and speed of recovery, though fortunately, we’ve never had to use them.
Data does not leave the hosting centre unless this is agreed upon with the data controller. Data is only stored on the data processor's computers to the extent it may be cached in the browser. Sensitive personal data will only be cached on the data processor’s computer if the data controller has granted permission to work with that data.
Sub-processors with whom we have sub-processor agreements:
- Traels.it, Bøgevej 32, 5200 Odense V, CVR 22001884: primarily responsible for the technical development of the entire Evovia platform and therefore has full access.
- Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, CVR DE 812871812: data hosting.
- Hetzner Finland Oy, Huurrekuja 10, 04360 Tuusula, Finland, CVR 2720758-9: data hosting.
- Scannet, Højvangen 4, 8660 Skanderborg, CVR 29412006: data hosting.
- Cloud Factory A/S, Vestergade 4, 6800 Varde, CVR 35393692: data hosting.
- SMTP.dk, Refshalevej 163A, 1.tv., 1432 Copenhagen K, CVR 29849439: responsible for sending automated emails from the Evovia platform.
How long is data stored?
From the FAQ, Employee Files in the Evovia Platform:
Typically, data is stored for 5 years in accordance with the Danish Data Protection Authority's (DPA) guidelines.
Employee files
For former employees, how long should the data remain stored?
Question:
According to Evovia’s Data Processing Agreement, when an employee is deleted from the customer’s system, the employee is removed after 14 days, but the entered data, agreements, and scores are stored in the manager’s archive for 5 years. Is this 5-year storage period legal?
Answer:
Yes, it is legal to store employee documents for up to 5 years, according to the Danish Data Protection Authority's practice. The manager’s archive is an archive accessible only to the respective manager and should be considered an "extended function" of the employee file.
Who can see what?
In the system, all dialogue documents contain the following data at the top, ensuring that neither the employee nor the manager is uncertain about who can view what information before entering it.
- Who is this employee: Jørgine
- Which team is she in: Administration
- Who can see the data entered in the preparation sheet and minutes: The immediate manager, Poul L. (in case of a change in managers, the new manager cannot view sensitive data unless the employee shows it to them).
- And Kasper M.: It is possible to grant others access to the data, but only when the employee can see who has access, and never retroactively.
- Agreements made and anonymous graphical summaries per team can be viewed by senior management and, where relevant, HR. This is because agreements bind the organisation beyond the immediate manager. Any new manager will always be able to see agreements, as they obligate the organisation beyond the manager who originally made the agreement.
17. Privacy by default and privacy by design
Question:
Has Evovia implemented Privacy by Default and Privacy by Design?
Answer:
Yes, we have.
At Evovia, we have integrated privacy considerations throughout our entire platform. We have chosen strong technical solutions that ensure data protection, with the core philosophy of creating a secure space where employees know that only the relevant manager(s) can access the information entered.
From the outset, our goal has been to create a confidential environment between the manager and employee, so there’s no need to enable any additional features to ensure data security. For example, a user must grant permission to support staff before the system allows them access to elements that contain sensitive data.
Here’s how it works in practice:
Privacy by Design and Privacy by Default:
The entire architecture of Evovia is built to prioritise confidentiality and the highest level of personal data protection. Additionally, personal information about a user is only stored for as long as necessary to provide our service.
Who can see what?
Within the system, all dialogue documents clearly display the following data at the top, ensuring that neither the employee nor the manager is in doubt about who can view what information before anything is entered.
For example, in a performance review (EDP):
- Who is this employee: Jørgine
- Which team is she in: Administration
- Who can see the data entered in the preparation sheet and minutes: The immediate manager, Poul L. (If there is a change in managers, the new manager cannot view sensitive data of this type unless the employee chooses to show it).
- And Kasper M.: It is possible to grant others access to the data, but only when the employee can see who has access, and never retroactively.
- Agreements made and anonymous graphical summaries per team can be viewed by senior management and, where applicable, HR. This is because agreements obligate the organisation beyond the immediate manager. A new manager will always be able to see agreements, as these bind the organisation beyond the manager who originally made them.
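The visibility rules listed above (and the identical list under "Who can see what?" in section 16) expressed as a small access-control model. This is an added example written for this page, not Evovia's code; the role names, the `manager_since` handover date, the `shared_with_successor` flag and the sample people and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Entry:
    """One item in a dialogue document (constructed model, not Evovia's schema)."""
    employee: str
    kind: str          # "preparation", "minutes" or "agreement"
    created: datetime


@dataclass
class EmployeeFile:
    """Visibility metadata of the kind shown at the top of every dialogue document."""
    name: str
    team: str
    manager: str                  # current immediate manager
    manager_since: datetime       # assumed: when the current manager took over
    shared_with_successor: bool = False   # employee chose to show older entries to a new manager
    grants: dict = field(default_factory=dict)   # viewer -> time the employee granted access


def grant_access(f: EmployeeFile, viewer: str, when: datetime) -> list:
    """Record a grant and return the list the employee sees of who has access."""
    f.grants[viewer] = when
    return sorted(f.grants)


def can_view(viewer: str, role: str, entry: Entry, f: EmployeeFile) -> bool:
    """Decide whether `viewer` (acting in `role`) may read `entry` from file `f`.

    Roles used here: "employee", "manager", "senior_management", "hr", "other".
    Preparation sheets and minutes are free text and treated as potentially sensitive.
    """
    if entry.employee != f.name:
        return False
    if role == "employee":
        return viewer == f.name
    if entry.kind == "agreement":
        # Agreements bind the organisation beyond the immediate manager: the current
        # manager (including a successor), senior management and HR can see them.
        return role in ("senior_management", "hr") or (role == "manager" and viewer == f.manager)
    # Preparation sheets and minutes are confidential between employee and immediate manager.
    if role == "manager" and viewer == f.manager:
        if entry.created >= f.manager_since:
            return True
        # Entries made under a previous manager stay hidden unless the employee shares them.
        return f.shared_with_successor
    # Anyone else (support staff, named colleagues such as Kasper M.) needs an explicit
    # grant, and a grant never applies retroactively to entries made before it.
    granted_at = f.grants.get(viewer)
    return granted_at is not None and entry.created >= granted_at


def scenario() -> dict:
    """Constructed walk-through for 'Jørgine' in 'Administration' (sample data, not real)."""
    jan, mar, apr, jun, jul = (datetime(2024, m, 1) for m in (1, 3, 4, 6, 7))
    f = EmployeeFile("Jørgine", "Administration", "Poul L.", manager_since=jan)
    prep_feb = Entry("Jørgine", "preparation", datetime(2024, 2, 1))
    minutes_apr = Entry("Jørgine", "minutes", apr)
    agreement_apr = Entry("Jørgine", "agreement", apr)
    grant_access(f, "Kasper M.", mar)   # the employee can see that Kasper now has access
    out = {
        "poul_sees_minutes": can_view("Poul L.", "manager", minutes_apr, f),
        "kasper_sees_later_minutes": can_view("Kasper M.", "other", minutes_apr, f),
        "kasper_sees_earlier_prep": can_view("Kasper M.", "other", prep_feb, f),
        "hr_sees_agreement": can_view("Anne HR", "hr", agreement_apr, f),
        "hr_sees_minutes": can_view("Anne HR", "hr", minutes_apr, f),
    }
    # Change of manager in June: the successor sees agreements but not the older minutes.
    f.manager, f.manager_since = "Mette N.", jun
    out["new_manager_sees_agreement"] = can_view("Mette N.", "manager", agreement_apr, f)
    out["new_manager_sees_old_minutes"] = can_view("Mette N.", "manager", minutes_apr, f)
    out["old_manager_sees_old_minutes"] = can_view("Poul L.", "manager", minutes_apr, f)
    f.shared_with_successor = True       # the employee chooses to show the older entries
    out["new_manager_after_sharing"] = can_view("Mette N.", "manager", minutes_apr, f)
    out["new_manager_sees_new_minutes"] = can_view("Mette N.", "manager", Entry("Jørgine", "minutes", jul), f)
    return out


if __name__ == "__main__":
    for rule, allowed in scenario().items():
        print(f"{rule}: {allowed}")
```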
18. Right to decline or accept instructions
Question:
What does it mean when, in point 3.2, it states that you, as the data processor, are free to decline or accept an instruction from the data controller?
Answer:
According to the GDPR, the data processor is only allowed to process personal data based on the instructions of the data controller. Naturally, it is assumed that the data processor must be able to accept the conditions of such instructions. The addition of the phrase “as accepted by the data processor,” along with clause 2.3, simply clarifies that the data processor is only required to follow instructions where mutual agreement between the parties has been reached. This ensures that the data processor cannot be held accountable for any new instructions or be liable for them unless they have been previously accepted. Therefore, the data processor has the right to decline any additional instructions.
19. Statement of assurance - why ISAE 3000?
Question:
Why ISAE 3000?
Answer:
Together with BDO, Evovia has chosen ISAE 3000 as the best and most comprehensive European standard for our area. And individual customers can see the latest update on their profile. It will be updated annually.
The primary difference between the ISAE 3000 declaration and other similar reports, such as ISAE 3402, lies in the application. ISAE 3402 is used when the declaration and the controls involved pertain to financial reporting. For instance, if Evovia’s product were Axapta, the declaration would be used by our customers' auditors to support financial statement reporting. In that case, an ISAE 3402 report would be required.
On the other hand, ISAE 3000 is applicable for anything other than financial reporting, including, for example, controls around personal data processing, as BDO has done for us. In general, ISAE 3000 can be used for any area that does not involve financial information, such as service desk systems, portals, and similar services.
That said, there are overlaps in the controls. Area B of our statement addresses general IT controls, which will often also be covered by an ISAE 3402 statement. However, the ISAE 3402 declaration will often have even more IT controls, but it will not contain any personal data.
The extent to which one or the other type of declaration must be provided depends on the service provided. If our customers want to report on whether Evovia complies with the data processing agreement and protects the customers' personal data, then ISAE 3000 is the right one. If we were now a data center, or otherwise run the customer's IT systems, ISAE 3402 might be better.
That is why we have chosen ISAE 3000.
20. Risk assessment - as a basis for the security level
Question:
What risk assessment is based on the security level in the system? And is it taken into account that the system may potentially contain health information?
Answer:
The risk assessment has included an assessment of the sources of risk, the vulnerabilities that may exist in the system, and how this threat picture can lead to an event that can be characterised as a personal data breach within the meaning of Article 4(12) of the GDPR. The probability and severity of a breach are then assessed to determine the overall risk picture.
Users receive clear instructions from Evovia that there is no need to enter health information into our system. Evovia is not anything like a medical records system, but it can be used for a very good dialogue about what creates and reduces absenteeism. It is a dialogue system.
21. Consent to extracting anonymous graphical data
Question:
Must employees give consent for anonymous graphical data to be extracted?
Answer:
No, the employee does not need to, and the employee cannot demand it either.
Legally, there is no basis for making such a demand.
Because anonymisation can take place, statistical information can also be extracted as long as it is not possible to identify the person from the information.
“To the extent that […] employee development interviews are held in the private labour market, ordinary information may be processed with consent or on the basis of Article 6(2). In the case of sensitive information, processing may in principle only take place with the express consent of the employee. However, it may also be a matter of processing information for other purposes, e.g. Article 9(2)(f) of the Regulation (establishment etc. of legal claims).”
The company can therefore process personal data in connection with EDP based on a balance of interests.
It will therefore not in principle be consent-based processing, or processing that can only be done on the basis of consent.
Legal experts are debating the question of creating statistical data from personal information. Some argue that anonymisation of personal data does not constitute "processing" at all, as it lacks relevance in relation to the fundamental principle of storage limitation under Article 5 of the GDPR. The GDPR's recitals explicitly state that the processing of anonymised data falls outside the scope of the Regulation.
On the other hand, other legal experts contend that anonymisation is always part of the original processing purpose, as it supports the principle of storage limitation by ensuring that personal data is no longer identifiable, thereby aligning with the Regulation's goals.
Finally, other lawyers find that anonymisation is always compatible with the original purpose and that the processing can therefore be carried out.
Evovia has generally recommended the first two of these views.
22. Change of sub data processor – service delivery obligation during notice period
Question:
In point 6.3, you disclaim responsibility for failing to meet delivery obligations during the notice period for changing a sub-processor. How does this affect us as the data controller?
Answer:
This is a commercial decision in light of clause 6.3. Based on recent practices, Evovia has decided to include this section. We reserve the right to continue charging for services if certain circumstances, including recent practices, changes in legislation, sub-contractor bankruptcy, etc., prevent us from delivering the service. In these rare situations that may arise during the notice period, the data controller would need to accept this, thereby absolving the data processor from liability for non-fulfilment.
However, this does not limit the data controller’s ability to terminate the agreement according to the standard terms outlined in clause 6.5. It is important to note that these are exceptional cases, and Evovia will always strive to deliver the service as agreed.
23. Issue of fines - limitation of liability?
Question:
If the penalty issuing authority determines a division of responsibility, is that what is followed or is it an internal decision of the same? Limitation of Liability is not entirely clear.
Answer:
As a starting point, the division of responsibility set out in the fine decision under Article 83 is followed, which is also consistent with the principles of Article 82. If a party considers, with reference to the guarantees etc. contained in the agreement, that the final division of responsibility should be different, this may be pursued, but in that case it will ultimately be a court decision.
24. Sub data processors' CVR numbers
Some have requested the CVR numbers of our sub-processors:
- Traels.it: CVR-nr. 22001884
- Hetzner Online GmbH: CVR-nr. DE 812871812
- Hetzner Finland Oy: CVR-nr. 2720758-9
- Scannet: CVR-nr. 29412006
- Cloud Factory A/S: CVR-nr. 35393692
- SMTP.dk: CVR-nr. 29849439
25. Sub data processors - can the customer get access to read the agreements with them?
Question:
Is it possible to get access to read the sub data processors agreements?
Answer:
Customers do not have access to view the data processor’s agreements with sub-processors. However, each year, by the end of May at the latest, Evovia commissions an ISAE 3000 audit report. This report is made available to all customers through the platform.
26. Signature of the Data Processing Agreement: Should it be signed physically?
Question:
Should there be a physical signature of the Data Processing Agreement?
Answer:
- No, it is not necessary.
- We can document who in the company has accepted - and when.
- It is enough.
- At the same time as a customer accepts the Data Processing Agreement in our system, an email is sent with a PDF of the agreement bearing the company's name together with a date and signature stamp from Evovia's Executive Board.
- See also: Approval of the Data Processing Agreement
27. Fees for assistance or supervision/audit
Question:
In some sections, you mention that you may charge additional fees, such as for supervision or audits. What could these fees entail?
Answer:
For any assistance related to the data controller’s obligations under GDPR Articles 33-34, no fees can be charged. However, for services beyond those mentioned, a fee may apply—for example, if we are required to provide on-site assistance or similar services.
Regarding the annual supervision or audit, BDO, an independent and recognised audit firm, is engaged to prepare the yearly ISAE 3000 declaration. This declaration serves as the audit’s certification and endorsement of the control objectives outlined. Should there be any deviations from the control objectives, these will be clearly stated in the auditor's reservations. The declaration includes all relevant control objectives developed by FSR, published by the Data Protection Authority in February 2019.
If a customer is not satisfied with the ISAE 3000 audit declaration, a management statement from Evovia's executive team may be provided to cover any topics not adequately addressed in the ISAE 3000 report. Should this still not suffice, the customer can request an external audit, which would take place on-site, and would be subject to a fee, strict security measures, and confidentiality agreements.
28. Changes to data processing terms
Question:
Why does your Data Processing Agreement state that Evovia can change the data processing terms? We believe that, as the data controller, we are responsible for the content of the agreement and any changes made to it.
Answer:
The service we provide is based on standard terms for a standard service. Therefore, we cannot accommodate individual customers' specific preferences and needs unless the customer is willing to pay for such customisation. It is important to emphasise that we have no interest in making changes that would be difficult for our customers to accept. As a result, any changes would only be made if there is a compelling reason to do so.
If, as a customer, you cannot accept a potential change, you have the right to terminate the agreement under clause 14.4.