Trust Center

Databehandleraftale / DPA v1.0 (Article 28 GDPR)

Komplet Article 28 GDPR Databehandleraftale. Underskrives som bilag til hovedaftalen (ordrebekræftelse eller Design Partner Agreement) og dækker alle krav i Art. 28(2)-(4). Selve aftaleteksten er på engelsk — standard for nordiske B2B-leverandøraftaler; dansk version udleveres på forespørgsel ved underskrift.

Status: Version 1.0 (12. juni 2026) — komplet standard-DPA, klar til underskrift. Planlagt ekstern gennemgang hos specialiseret IT-/AI-advokatfirma Q3 2026; eventuelle revisioner publiceres her med changelog.

§1 Parties, background and precedence

This Data Processing Agreement ("DPA") is entered into between the customer identified in the main agreement ("Customer", acting as data controller) and PowerQuant ApS, CVR 46274067, Denmark ("PowerQuant", acting as data processor). It forms an integral part of the main agreement (order confirmation or Design Partner Agreement). In case of conflict regarding processing of personal data, this DPA prevails over the main agreement.

§2 Definitions, roles and duration

Terms such as "personal data", "processing", "controller" and "processor" have the meaning given in Regulation (EU) 2016/679 ("GDPR"). Customer is controller; PowerQuant is processor. This DPA applies for as long as PowerQuant processes personal data on behalf of Customer and survives termination of the main agreement until deletion/return per §11 is completed.

§3 Scope of processing

Categories of data subjectsCustomer's employees, contractors, applicants (where AI inventory references them)
Types of personal dataNames, emails, employment-roles, AI-system access-permissions; NO special categories (Article 9)
Purposes of processingGeneration of compliance evidence (Annex IV documentation, Article 4 register, Module 2 deliverables)
DurationLength of contract + 7 years (audit-trail)

§4 Sub-processors (Art. 28(2) and 28(4))

Customer grants a general written authorisation to the sub-processors listed at /trust/sub-processors. PowerQuant gives 30 days' notice of intended changes; Customer has a 14-day objection window. PowerQuant imposes the same data-protection obligations as set out in this DPA on every sub-processor by written contract and remains fully liable to Customer for the sub-processor's performance.

§5 Processing only on documented instructions (Art. 28(3)(a))

PowerQuant processes personal data only on documented instructions from Customer — including with regard to transfers to third countries — unless required to do so by Union or Member State law; in that case PowerQuant informs Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. PowerQuant immediately informs Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. The main agreement and this DPA constitute the complete initial instructions.

§6 Confidentiality (Art. 28(3)(b))

PowerQuant ensures that all persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to persons with a need-to-know for the purposes in §3.

§7 Security measures (Article 32)

§8 Personal data breach notification (Art. 33(2))

PowerQuant notifies Customer without undue delay — and no later than 48 hours — after becoming aware of a personal data breach affecting Customer's personal data. The notification includes, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, measures taken or proposed, and a contact point. Information may be provided in phases as it becomes available.

§9 Assistance to Customer (Art. 28(3)(e)-(f))

§10 International transfers (SCCs)

For US-hosted sub-processors, Standard Contractual Clauses Module 2 (controller-to-processor, EU 2021/914) are attached as Annex 1 of the executed DPA, supplemented where relevant by transfer impact assessments.

§11 Return or deletion of data (Art. 28(3)(g))

On contract termination, at Customer's choice return or deletion, within 30 days:

§12 Audit rights (Art. 28(3)(h))

PowerQuant makes available all information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections:

§13 Liability, governing law and venue

Liability follows the main agreement's liability regime. This DPA is governed by Danish law; venue is the City Court of Copenhagen. If any provision is invalid, the remainder stays in force and the invalid provision is replaced by a valid provision reflecting the original intent.

Annexes

Changelog: v1.0 (2026-06-12) — komplet aftale; afløser skelet-versionen. Næste planlagte revision: efter ekstern advokat-gennemgang Q3 2026.