General Terms of Business

55,000+ trusted Businesses

Postbuddy Disclaimer


Postbuddy provides direct mail services in accordance with the Danish Marketing Act (§10) and GDPR regulations. However, the responsibility for data compliance rests solely with the business using our services.


No Liability for Data Compliance

Postbuddy acts solely as a service provider and does not assume responsibility for:

  • The legality of the data provided by clients.

  • Whether clients have obtained necessary consent or have a valid legal basis for processing personal data.

  • Any non-compliance with marketing laws, GDPR, or other regulations.


Businesses using Postbuddy must ensure that:


  • Their privacy policies accurately reflect their data usage.

  • They have a lawful basis for using personal data for marketing purposes.


Responsibility for Opt-Out Management

Postbuddy ensures that all direct mail recipients have a clear and accessible opt-out option, as required by §10, stk. 6 of the Danish Marketing Act.


However, it remains the responsibility of businesses to ensure that any previous opt-out requests made directly to them are honored.


No Liability for Data Accuracy or Use

Postbuddy does not verify, modify, or validate the accuracy of client-provided data. We do not accept liability for:


  • Incorrect, outdated, or unlawfully obtained data.

  • Any claims, fines, or legal consequences resulting from non-compliance.


By using our services, businesses acknowledge and accept full responsibility for compliance with all applicable laws.


Postbuddy ApS Data Processing Agreement


Pursuant to Article 28(3) of Regulation 2016/679 (the General Data Protection Regulation) regarding the data processor’s processing of personal data

Between

COMPANY

COMPANY NUMBER

ADDRESS

POSTAL CODE AND CITY

COUNTRY


Hereinafter referred to as "the Data Controller"


and


Postbuddy ApS

Company number: 44631822

Borgergade 24B, 2nd floor, 1300 Copenhagen
Denmark


Hereinafter referred to as "the Data Processor" or "Postbuddy"


Each individually referred to as a "Party" and collectively as "the Parties."


The Parties have agreed to the following standard contractual clauses (the "Clauses") in order to comply with the General Data Protection Regulation and ensure the protection of privacy and fundamental rights and freedoms of natural persons.


  1. Content

  2. Preamble
  3. Rights and Obligations of the Data Controller
  4. The Data Processor Acts on Instructions
  5. Confidentiality
  6. Security of Processing
  7. Use of Sub-processors
  8. Transfer to Third Countries or International Organizations
  9. Assistance to the Data Controller
  10. Notification of Personal Data Breaches
  11. Audits, Including Inspections
  12. Agreement on Other Matters
  13. Effective Date and Termination
  14. Contact Persons of the Data Controller and Data Processor

2. Preamble

 

  1. These Clauses set out the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

  2. These Clauses are designed to ensure compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  3. In the provision of the System covered by the Agreement, the Data Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.

  4. These Clauses take precedence over any similar provisions contained in other agreements between the Parties.

  5. Four annexes accompany these Clauses, forming an integral part thereof.

  6. Annex A provides detailed information on the processing of personal data, including its purpose and nature, types of personal data, categories of data subjects, and duration of processing.

  7. Annex B outlines the Data Controller’s conditions for the use of sub-processors by the Data Processor and includes a list of approved sub-processors.

  8. Annex C includes the Data Controller’s instructions regarding the Data Processor’s processing of personal data, a description of the minimum security measures required, and oversight mechanisms for the Data Processor and any sub-processors.

  9. Annex D contains provisions related to other activities not covered by these Clauses.

  10. These Clauses and accompanying annexes must be kept in written form, including electronically, by both Parties.

  11. These Clauses do not exempt the Data Processor from obligations imposed by the GDPR or any other applicable legislation.


3. Rights and Obligations of the Data Controller

 

  1. The Data Controller is responsible for ensuring that the processing of personal data complies with the GDPR (see Article 24 of the Regulation), relevant EU law, and national laws of the Member States, as well as these Clauses.

  2. The Data Controller has the right and obligation to determine the purposes and means of processing personal data.

  3. The Data Controller is responsible for ensuring, among other things, that there is a legal basis for processing personal data as instructed to the Data Processor.

4. The Data Processor Acts on Instructions

 

  1. The Data Processor may only process personal data in accordance with documented instructions from the Data Controller, unless required to do so under EU law or the national law of a Member State to which the Data Processor is subject. These instructions shall be specified in Annex A and C. Subsequent instructions may be given during the processing of personal data but must always be documented and retained in written form, including electronically, along with these Clauses.


  2. The Data Processor shall immediately notify the Data Controller if, in its opinion, an instruction is in conflict with the GDPR or other applicable data protection laws.




5. Confidentiality


  1. The Data Processor shall only grant access to personal data to persons under its authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only to the extent necessary. The list of persons granted access shall be reviewed regularly. Based on this review, access shall be revoked if no longer necessary, and personal data shall no longer be available to such persons.

  2. Upon request from the Data Controller, the Data Processor must demonstrate that the persons under its authority are subject to the confidentiality obligation.

6. Security of Processing

 

  1. The GDPR’s Article 32 requires that the Data Controller and Data Processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks. This includes taking into account the latest technological advancements, implementation costs, the nature, scope, context, and purposes of processing, and the risks posed to the rights and freedoms of natural persons.


The Data Controller must assess risks related to the processing of personal data and implement measures to mitigate those risks. These measures may include:


a. Pseudonymization and encryption of personal data.


b. Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.


c. Ability to restore access to personal data in a timely manner in the event of a physical or technical incident.


d. Implementing procedures for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security.


  2. The Data Processor must also independently assess risks and implement necessary measures to mitigate these risks. The Data Controller must provide relevant information to the Data Processor to facilitate risk identification and mitigation.

  3. Additionally, the Data Processor shall assist the Data Controller in complying with Article 32 by providing necessary information on the technical and organizational measures already implemented and any additional information required for compliance.


If additional measures are deemed necessary by the Data Controller, these must be specified in Annex C.


7. Use of Sub-processors


  1. The Data Processor shall comply with the conditions set forth in GDPR Article 28(2) and (4) when engaging another data processor (a sub-processor).


  2. The Data Processor shall not engage a sub-processor to fulfill these Clauses without prior general written approval from the Data Controller.


  3. The Data Processor has the Data Controller’s general approval to use sub-processors. The Data Processor must notify the Data Controller in writing of any planned changes concerning the addition or replacement of sub-processors at least one month in advance, allowing the Data Controller to object before the sub-processor is engaged. A longer notice period for specific processing activities may be stated in Annex B. The list of sub-processors already approved by the Data Controller is set forth in Annex B.


  4. When engaging a sub-processor for specific processing activities on behalf of the Data Controller, the Data Processor must enter into a contract or other legal agreement under EU law or national law that imposes the same data protection obligations as those set out in these Clauses, ensuring that the sub-processor implements appropriate technical and organizational measures in compliance with these Clauses and the GDPR.


  5. If the sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the sub-processor’s obligations. This does not affect the rights of data subjects under the GDPR, including Articles 79 and 82, against the Data Controller, Data Processor, or sub-processor.


8. Transfer to Third Countries or International Organizations

 

  1. Any transfer of personal data to third countries or international organizations by the Data Processor shall only be carried out based on documented instructions from the Data Controller and must always comply with Chapter V of the GDPR.

 

  2. If a transfer of personal data to a third country or an international organization, which the Data Processor has not been instructed to carry out by the Data Controller, is required under EU law or the national law of a Member State, the Data Processor must inform the Data Controller of this legal requirement prior to the transfer unless such notification is prohibited by law for important public interest reasons.

  3. Without documented instructions from the Data Controller, the Data Processor may not:

 

a. Transfer personal data to a controller or processor in a third country or an international organization.

b. Entrust a sub-processor in a third country with personal data processing.

c. Process personal data in a third country.

 

  4. The Data Controller’s instructions regarding the transfer of personal data to third countries, including the applicable transfer basis in GDPR Chapter V, must be set out in Annex C.6.

9. Assistance to the Data Controller

 

  1. The Data Processor shall, taking into account the nature of the processing, assist the Data Controller by implementing appropriate technical and organizational measures to fulfill the Data Controller’s obligation to respond to requests to exercise the data subjects’ rights under Chapter III of the GDPR.


This means that the Data Processor shall, as far as possible, assist the Data Controller in ensuring compliance with:


a. The duty to inform data subjects when collecting personal data from them.


b. The duty to inform data subjects when personal data is not collected directly from them.


c. The right of access.


d. The right to rectification.


e. The right to erasure (“right to be forgotten”).


f. The right to restriction of processing.


g. The duty to notify data subjects regarding rectification, erasure, or restriction of processing.


h. The right to data portability.


i. The right to object.


j. The right not to be subject to automated decision-making, including profiling.


  2. In addition to the Data Processor’s obligation to assist the Data Controller under Clause 6.3, the Data Processor shall also assist the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, with:


a. The Data Controller’s obligation to report a personal data breach to the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

b. The Data Controller’s obligation to notify the data subject of a personal data breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons.


c. The Data Controller’s obligation to conduct a data protection impact assessment (DPIA) prior to processing if the intended processing activities are likely to result in a high risk to the protection of personal data.


d. The Data Controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), prior to processing if a data protection impact assessment indicates that the processing would result in a high risk without measures taken by the Data Controller to mitigate the risk.


  3. The necessary technical and organizational measures through which the Data Processor shall assist the Data Controller, as well as the scope and extent of such assistance, shall be specified in Annex C. This applies to the obligations set out in Clauses 9.1 and 9.2.

10. Notification of Personal Data Breaches

 

  1. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.


  2. The notification shall, if possible, be made within 72 hours to ensure that the Data Controller can meet its obligation to report the breach to the competent supervisory authority under GDPR Article 33.


  3. The Data Processor shall assist the Data Controller in notifying the breach by providing necessary information, including:


a. The nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects and data records.


b. The likely consequences of the breach.


c. The measures taken or proposed by the Data Controller to address the breach, including measures to mitigate its possible adverse effects.

12. Audit and Inspection

 

  1. The Data Processor shall make all necessary information available to the Data Controller to demonstrate compliance with GDPR Article 28 and these Clauses and shall allow and contribute to audits, including inspections, conducted by the Data Controller or an auditor authorized by the Data Controller.

  2. The procedures for audits, including inspections of the Data Processor and sub-processors, are further described in Annex C.7 and C.8.


13. Agreement on Other Matters

 

  1. The Parties may agree on additional provisions regarding the service related to data processing, such as liability, provided that such provisions do not contradict these Clauses or reduce the fundamental rights and freedoms of data subjects under the GDPR.


14. Effective Date and Termination


  1. These Clauses take effect on the date of both Parties’ signatures.


  2. These Clauses remain in effect for as long as the data processing service continues. They may not be terminated unless an alternative agreement governing data processing services is made between the Parties.


  3. Upon termination, if data is deleted or returned as specified in Clause 11.1 and Annex C.4, these Clauses may be terminated with written notice by either Party.


  4. Signature

 
Name: Christian Vestergaard

Position: Chief Executive Officer

Phone: +45 4047 7638

Email: christian@postbuddy.dk


Signature:

 

Postbuddy Disclaimer


Postbuddy provides direct mail services in accordance with the Danish Marketing Act (§10) and GDPR regulations. However, the responsibility for data compliance rests solely with the business using our services.


No Liability for Data Compliance

Postbuddy acts solely as a service provider and does not assume responsibility for:

  • The legality of the data provided by clients.

  • Whether clients have obtained necessary consent or have a valid legal basis for processing personal data.

  • Any non-compliance with marketing laws, GDPR, or other regulations.


Businesses using Postbuddy must ensure that:


  • Their privacy policies accurately reflect their data usage.

  • They have a lawful basis for using personal data for marketing purposes.


Responsibility for Opt-Out Management

Postbuddy ensures that all direct mail recipients have a clear and accessible opt-out option, as required by §10, stk. 6 of the Danish Marketing Act.


However, it remains the responsibility of businesses to ensure that any previous opt-out requests made directly to them are honored.


No Liability for Data Accuracy or Use

Postbuddy does not verify, modify, or validate the accuracy of client-provided data. We do not accept liability for:


  • Incorrect, outdated, or unlawfully obtained data.

  • Any claims, fines, or legal consequences resulting from non-compliance.


By using our services, businesses acknowledge and accept full responsibility for compliance with all applicable laws.


Postbuddy ApS Data Processing Agreement


Pursuant to Article 28(3) of Regulation 2016/679 (the General Data Protection Regulation) regarding the data processor’s processing of personal data

Between

COMPANY

COMPANY NUMBER

ADDRESS

POSTAL CODE AND CITY

COUNTRY


Hereinafter referred to as "the Data Controller"


and


Postbuddy ApS

Company number: 44631822

Borgergade 24B, 2nd floor, 1300 Copenhagen
Denmark


Hereinafter referred to as "the Data Processor" or "Postbuddy"


Each individually referred to as a "Party" and collectively as "the Parties."


The Parties have agreed to the following standard contractual clauses (the "Clauses") in order to comply with the General Data Protection Regulation and ensure the protection of privacy and fundamental rights and freedoms of natural persons.


  1. Content

  2. Preamble
  3. Rights and Obligations of the Data Controller
  4. The Data Processor Acts on Instructions
  5. Confidentiality
  6. Security of Processing
  7. Use of Sub-processors
  8. Transfer to Third Countries or International Organizations
  9. Assistance to the Data Controller
  10. Notification of Personal Data Breaches
  11. Audits, Including Inspections
  12. Agreement on Other Matters
  13. Effective Date and Termination
  14. Contact Persons of the Data Controller and Data Processor

2. Preamble

 

  1. These Clauses set out the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

  2. These Clauses are designed to ensure compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  3. In the provision of the System covered by the Agreement, the Data Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.

  4. These Clauses take precedence over any similar provisions contained in other agreements between the Parties.

  5. Four annexes accompany these Clauses, forming an integral part thereof.

  6. Annex A provides detailed information on the processing of personal data, including its purpose and nature, types of personal data, categories of data subjects, and duration of processing.

  7. Annex B outlines the Data Controller’s conditions for the use of sub-processors by the Data Processor and includes a list of approved sub-processors.

  8. Annex C includes the Data Controller’s instructions regarding the Data Processor’s processing of personal data, a description of the minimum security measures required, and oversight mechanisms for the Data Processor and any sub-processors.

  9. Annex D contains provisions related to other activities not covered by these Clauses.

  10. These Clauses and accompanying annexes must be kept in written form, including electronically, by both Parties.

  11. These Clauses do not exempt the Data Processor from obligations imposed by the GDPR or any other applicable legislation.


3. Rights and Obligations of the Data Controller

 

  1. The Data Controller is responsible for ensuring that the processing of personal data complies with the GDPR (see Article 24 of the Regulation), relevant EU law, and national laws of the Member States, as well as these Clauses.

  2. The Data Controller has the right and obligation to determine the purposes and means of processing personal data.

  3. The Data Controller is responsible for ensuring, among other things, that there is a legal basis for processing personal data as instructed to the Data Processor.

4. The Data Processor Acts on Instructions

 

  1. The Data Processor may only process personal data in accordance with documented instructions from the Data Controller, unless required to do so under EU law or the national law of a Member State to which the Data Processor is subject. These instructions shall be specified in Annex A and C. Subsequent instructions may be given during the processing of personal data but must always be documented and retained in written form, including electronically, along with these Clauses.


  1. The Data Processor shall immediately notify the Data Controller if, in its opinion, an instruction is in conflict with the GDPR or other applicable data protection laws.




5. Confidentiality


  1. The Data Processor shall only grant access to personal data to persons under its authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only to the extent necessary. The list of persons granted access shall be reviewed regularly. Based on this review, access shall be revoked if no longer necessary, and personal data shall no longer be available to such persons.

  2. Upon request from the Data Controller, the Data Processor must demonstrate that the persons under its authority are subject to the confidentiality obligation.

6. Security of Processing

 

  1. The GDPR’s Article 32 requires that the Data Controller and Data Processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks. This includes taking into account the latest technological advancements, implementation costs, the nature, scope, context, and purposes of processing, and the risks posed to the rights and freedoms of natural persons.


The Data Controller must assess risks related to the processing of personal data and implement measures to mitigate those risks. These measures may include:


a. Pseudonymization and encryption of personal data.


b. Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.


c. Ability to restore access to personal data in a timely manner in the event of a physical or technical incident.


d. Implementing procedures for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security.


  1. The Data Processor must also independently assess risks and implement necessary measures to mitigate these risks. The Data Controller must provide relevant information to the Data Processor to facilitate risk identification and mitigation.

  2. Additionally, the Data Processor shall assist the Data Controller in complying with Article 32 by providing necessary information on the technical and organizational measures already implemented and any additional information required for compliance.


If additional measures are deemed necessary by the Data Controller, these must be specified in Annex C.


7. Use of Sub-processors


  1. The Data Processor shall comply with the conditions set forth in GDPR Article 28(2) and (4) when engaging another data processor (a sub-processor).


  2. The Data Processor shall not engage a sub-processor to fulfill these Clauses without prior general written approval from the Data Controller.


  3. The Data Processor has the Data Controller’s general approval to use sub-processors. The Data Processor must notify the Data Controller in writing of any planned changes concerning the addition or replacement of sub-processors at least one month in advance, allowing the Data Controller to object before the sub-processor is engaged. A longer notice period for specific processing activities may be stated in Annex B. The list of sub-processors already approved by the Data Controller is set forth in Annex B.


  1. When engaging a sub-processor for specific processing activities on behalf of the Data Controller, the Data Processor must enter into a contract or other legal agreement under EU law or national law that imposes the same data protection obligations as those set out in these Clauses, ensuring that the sub-processor implements appropriate technical and organizational measures in compliance with these Clauses and the GDPR.


  1. If the sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the sub-processor’s obligations. This does not affect the rights of data subjects under the GDPR, including Articles 79 and 82, against the Data Controller, Data Processor, or sub-processor.


8. Transfer to Third Countries or International Organizations

 

  1. Any transfer of personal data to third countries or international organizations by the Data Processor shall only be carried out based on documented instructions from the Data Controller and must always comply with Chapter V of the GDPR.

 

  1. If a transfer of personal data to a third country or an international organization, which the Data Processor has not been instructed to carry out by the Data Controller, is required under EU law or the national law of a Member State, the Data Processor must inform the Data Controller of this legal requirement prior to the transfer unless such notification is prohibited by law for important public interest reasons.

  2. Without documented instructions from the Data Controller, the Data Processor may not:

 

a. Transfer personal data to a controller or processor in a third country or an international organization.

b. Entrust a sub-processor in a third country with personal data processing.

c. Process personal data in a third country.

 

  1. The Data Controller’s instructions regarding the transfer of personal data to third countries, including the applicable transfer basis in GDPR Chapter V, must be set out in Annex C.6.

9. Assistance to the Data Controller

 

  1. The Data Processor shall, taking into account the nature of the processing, assist the Data Controller by implementing appropriate technical and organizational measures to fulfill the Data Controller’s obligation to respond to requests to exercise the data subjects’ rights under Chapter III of the GDPR.


  1. This means that the Data Processor shall, as far as possible, assist the Data Controller in ensuring compliance with:


a. The duty to inform data subjects when collecting personal data from them.


b. The duty to inform data subjects when personal data is not collected directly from them.


c. The right of access.


d. The right to rectification.


e. The right to erasure (“right to be forgotten”).


f. The right to restriction of processing.


g. The duty to notify data subjects regarding rectification, erasure, or restriction of processing.


h. The right to data portability.


i. The right to object.


j. The right not to be subject to automated decision-making, including profiling.


  1. In addition to the Data Processor’s obligation to assist the Data Controller under Clause 6.3, the Data Processor shall also assist the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, with:


a. The Data Controller’s obligation to report a personal data breach to the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

b. The Data Controller’s obligation to notify the data subject of a personal data breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons.


c. The Data Controller’s obligation to conduct a data protection impact assessment (DPIA) prior to processing if the intended processing activities are likely to result in a high risk to the protection of personal data.


d. The Data Controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), prior to processing if a data protection impact assessment indicates that the processing would result in a high risk without measures taken by the Data Controller to mitigate the risk.


  1. The necessary technical and organizational measures through which the Data Processor shall assist the Data Controller, as well as the scope and extent of such assistance, shall be specified in Annex C. This applies to the obligations set out in Clauses 9.1 and 9.2.

10. Notification of Personal Data Breaches

 

  1. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.


  2. The notification shall, if possible, be made within 72 hours to ensure that the Data Controller can meet its obligation to report the breach to the competent supervisory authority under GDPR Article 33.


  1. The Data Processor shall assist the Data Controller in notifying the breach by providing necessary information, including:


a. The nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects and data records.


b. The likely consequences of the breach.


c. The measures taken or proposed by the Data Controller to address the breach, including measures to mitigate its possible adverse effects.

12. Audit and Inspection

 

  1. The Data Processor shall make all necessary information available to the Data Controller to demonstrate compliance with GDPR Article 28 and these Clauses and shall allow and contribute to audits, including inspections, conducted by the Data Controller or an auditor authorized by the Data Controller.

  1. The procedures for audits, including inspections of the Data Processor and sub-processors, are further described in Annex C.7 and C.8.


13. Agreement on Other Matters

 

  1. The Parties may agree on additional provisions regarding the service related to data processing, such as liability, provided that such provisions do not contradict these Clauses or reduce the fundamental rights and freedoms of data subjects under the GDPR.


14. Effective Date and Termination


  1. These Clauses take effect on the date of both Parties’ signatures.


  2. These Clauses remain in effect for as long as the data processing service continues. They may not be terminated unless an alternative agreement governing data processing services is made between the Parties.


  3. Upon termination, if data is deleted or returned as specified in Clause 11.1 and Annex C.4, these Clauses may be terminated with written notice by either Party.


4. Signature

 
Name: Christian Vestergaard

Position: Chief Executive Officer

Phone: +45 4047 7638

Email: christian@postbuddy.dk


Signature:

 

Postbuddy Disclaimer


Postbuddy provides direct mail services in accordance with the Danish Marketing Act (§10) and GDPR regulations. However, the responsibility for data compliance rests solely with the business using our services.


No Liability for Data Compliance

Postbuddy acts solely as a service provider and does not assume responsibility for:

  • The legality of the data provided by clients.

  • Whether clients have obtained necessary consent or have a valid legal basis for processing personal data.

  • Any non-compliance with marketing laws, GDPR, or other regulations.


Businesses using Postbuddy must ensure that:


  • Their privacy policies accurately reflect their data usage.

  • They have a lawful basis for using personal data for marketing purposes.


Responsibility for Opt-Out Management

Postbuddy ensures that all direct mail recipients have a clear and accessible opt-out option, as required by §10, stk. 6 of the Danish Marketing Act.


However, it remains the responsibility of businesses to ensure that any previous opt-out requests made directly to them are honored.


No Liability for Data Accuracy or Use

Postbuddy does not verify, modify, or validate the accuracy of client-provided data. We do not accept liability for:


  • Incorrect, outdated, or unlawfully obtained data.

  • Any claims, fines, or legal consequences resulting from non-compliance.


By using our services, businesses acknowledge and accept full responsibility for compliance with all applicable laws.


Postbuddy ApS Data Processing Agreement


Pursuant to Article 28(3) of Regulation 2016/679 (the General Data Protection Regulation) regarding the data processor’s processing of personal data

Between

COMPANY

COMPANY NUMBER

ADDRESS

POSTAL CODE AND CITY

COUNTRY


Hereinafter referred to as "the Data Controller"


and


Postbuddy ApS

Company number: 44631822

Borgergade 24B, 2nd floor, 1300 Copenhagen
Denmark


Hereinafter referred to as "the Data Processor" or "Postbuddy"


Each individually referred to as a "Party" and collectively as "the Parties."


The Parties have agreed to the following standard contractual clauses (the "Clauses") in order to comply with the General Data Protection Regulation and ensure the protection of privacy and fundamental rights and freedoms of natural persons.


  1. Content

  2. Preamble
  3. Rights and Obligations of the Data Controller
  4. The Data Processor Acts on Instructions
  5. Confidentiality
  6. Security of Processing
  7. Use of Sub-processors
  8. Transfer to Third Countries or International Organizations
  9. Assistance to the Data Controller
  10. Notification of Personal Data Breaches
  11. Audits, Including Inspections
  12. Agreement on Other Matters
  13. Effective Date and Termination
  14. Contact Persons of the Data Controller and Data Processor

2. Preamble

 

  1. These Clauses set out the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

  2. These Clauses are designed to ensure compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  3. In the provision of the System covered by the Agreement, the Data Processor processes personal data on behalf of the Data Controller in accordance with these Clauses.

  4. These Clauses take precedence over any similar provisions contained in other agreements between the Parties.

  5. Four annexes accompany these Clauses, forming an integral part thereof.

  6. Annex A provides detailed information on the processing of personal data, including its purpose and nature, types of personal data, categories of data subjects, and duration of processing.

  7. Annex B outlines the Data Controller’s conditions for the use of sub-processors by the Data Processor and includes a list of approved sub-processors.

  8. Annex C includes the Data Controller’s instructions regarding the Data Processor’s processing of personal data, a description of the minimum security measures required, and oversight mechanisms for the Data Processor and any sub-processors.

  9. Annex D contains provisions related to other activities not covered by these Clauses.

  10. These Clauses and accompanying annexes must be kept in written form, including electronically, by both Parties.

  11. These Clauses do not exempt the Data Processor from obligations imposed by the GDPR or any other applicable legislation.


3. Rights and Obligations of the Data Controller

 

  1. The Data Controller is responsible for ensuring that the processing of personal data complies with the GDPR (see Article 24 of the Regulation), relevant EU law, and national laws of the Member States, as well as these Clauses.

  2. The Data Controller has the right and obligation to determine the purposes and means of processing personal data.

  3. The Data Controller is responsible for ensuring, among other things, that there is a legal basis for processing personal data as instructed to the Data Processor.

4. The Data Processor Acts on Instructions

 

  1. The Data Processor may only process personal data in accordance with documented instructions from the Data Controller, unless required to do so under EU law or the national law of a Member State to which the Data Processor is subject. These instructions shall be specified in Annex A and C. Subsequent instructions may be given during the processing of personal data but must always be documented and retained in written form, including electronically, along with these Clauses.


  1. The Data Processor shall immediately notify the Data Controller if, in its opinion, an instruction is in conflict with the GDPR or other applicable data protection laws.




5. Confidentiality


  1. The Data Processor shall only grant access to personal data to persons under its authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only to the extent necessary. The list of persons granted access shall be reviewed regularly. Based on this review, access shall be revoked if no longer necessary, and personal data shall no longer be available to such persons.

  2. Upon request from the Data Controller, the Data Processor must demonstrate that the persons under its authority are subject to the confidentiality obligation.

6. Security of Processing

 

  1. The GDPR’s Article 32 requires that the Data Controller and Data Processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks. This includes taking into account the latest technological advancements, implementation costs, the nature, scope, context, and purposes of processing, and the risks posed to the rights and freedoms of natural persons.


The Data Controller must assess risks related to the processing of personal data and implement measures to mitigate those risks. These measures may include:


a. Pseudonymization and encryption of personal data.


b. Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.


c. Ability to restore access to personal data in a timely manner in the event of a physical or technical incident.


d. Implementing procedures for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security.


  1. The Data Processor must also independently assess risks and implement necessary measures to mitigate these risks. The Data Controller must provide relevant information to the Data Processor to facilitate risk identification and mitigation.

  2. Additionally, the Data Processor shall assist the Data Controller in complying with Article 32 by providing necessary information on the technical and organizational measures already implemented and any additional information required for compliance.


If additional measures are deemed necessary by the Data Controller, these must be specified in Annex C.


7. Use of Sub-processors


  1. The Data Processor shall comply with the conditions set forth in GDPR Article 28(2) and (4) when engaging another data processor (a sub-processor).


  2. The Data Processor shall not engage a sub-processor to fulfill these Clauses without prior general written approval from the Data Controller.


  3. The Data Processor has the Data Controller’s general approval to use sub-processors. The Data Processor must notify the Data Controller in writing of any planned changes concerning the addition or replacement of sub-processors at least one month in advance, allowing the Data Controller to object before the sub-processor is engaged. A longer notice period for specific processing activities may be stated in Annex B. The list of sub-processors already approved by the Data Controller is set forth in Annex B.


  1. When engaging a sub-processor for specific processing activities on behalf of the Data Controller, the Data Processor must enter into a contract or other legal agreement under EU law or national law that imposes the same data protection obligations as those set out in these Clauses, ensuring that the sub-processor implements appropriate technical and organizational measures in compliance with these Clauses and the GDPR.


  1. If the sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the sub-processor’s obligations. This does not affect the rights of data subjects under the GDPR, including Articles 79 and 82, against the Data Controller, Data Processor, or sub-processor.


8. Transfer to Third Countries or International Organizations

 

  1. Any transfer of personal data to third countries or international organizations by the Data Processor shall only be carried out based on documented instructions from the Data Controller and must always comply with Chapter V of the GDPR.

 

  1. If a transfer of personal data to a third country or an international organization, which the Data Processor has not been instructed to carry out by the Data Controller, is required under EU law or the national law of a Member State, the Data Processor must inform the Data Controller of this legal requirement prior to the transfer unless such notification is prohibited by law for important public interest reasons.

  2. Without documented instructions from the Data Controller, the Data Processor may not:

 

a. Transfer personal data to a controller or processor in a third country or an international organization.

b. Entrust a sub-processor in a third country with personal data processing.

c. Process personal data in a third country.

 

  1. The Data Controller’s instructions regarding the transfer of personal data to third countries, including the applicable transfer basis in GDPR Chapter V, must be set out in Annex C.6.

9. Assistance to the Data Controller

 

  1. The Data Processor shall, taking into account the nature of the processing, assist the Data Controller by implementing appropriate technical and organizational measures to fulfill the Data Controller’s obligation to respond to requests to exercise the data subjects’ rights under Chapter III of the GDPR.


  1. This means that the Data Processor shall, as far as possible, assist the Data Controller in ensuring compliance with:


a. The duty to inform data subjects when collecting personal data from them.


b. The duty to inform data subjects when personal data is not collected directly from them.


c. The right of access.


d. The right to rectification.


e. The right to erasure (“right to be forgotten”).


f. The right to restriction of processing.


g. The duty to notify data subjects regarding rectification, erasure, or restriction of processing.


h. The right to data portability.


i. The right to object.


j. The right not to be subject to automated decision-making, including profiling.


  1. In addition to the Data Processor’s obligation to assist the Data Controller under Clause 6.3, the Data Processor shall also assist the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, with:


a. The Data Controller’s obligation to report a personal data breach to the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

b. The Data Controller’s obligation to notify the data subject of a personal data breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons.


c. The Data Controller’s obligation to conduct a data protection impact assessment (DPIA) prior to processing if the intended processing activities are likely to result in a high risk to the protection of personal data.


d. The Data Controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), prior to processing if a data protection impact assessment indicates that the processing would result in a high risk without measures taken by the Data Controller to mitigate the risk.


  1. The necessary technical and organizational measures through which the Data Processor shall assist the Data Controller, as well as the scope and extent of such assistance, shall be specified in Annex C. This applies to the obligations set out in Clauses 9.1 and 9.2.

10. Notification of Personal Data Breaches

 

  1. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.


  2. The notification shall, if possible, be made within 72 hours to ensure that the Data Controller can meet its obligation to report the breach to the competent supervisory authority under GDPR Article 33.


  1. The Data Processor shall assist the Data Controller in notifying the breach by providing necessary information, including:


a. The nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects and data records.


b. The likely consequences of the breach.


c. The measures taken or proposed by the Data Controller to address the breach, including measures to mitigate its possible adverse effects.

12. Audit and Inspection

 

  1. The Data Processor shall make all necessary information available to the Data Controller to demonstrate compliance with GDPR Article 28 and these Clauses and shall allow and contribute to audits, including inspections, conducted by the Data Controller or an auditor authorized by the Data Controller.

  1. The procedures for audits, including inspections of the Data Processor and sub-processors, are further described in Annex C.7 and C.8.


13. Agreement on Other Matters

 

  1. The Parties may agree on additional provisions regarding the service related to data processing, such as liability, provided that such provisions do not contradict these Clauses or reduce the fundamental rights and freedoms of data subjects under the GDPR.


14. Effective Date and Termination


  1. These Clauses take effect on the date of both Parties’ signatures.


  2. These Clauses remain in effect for as long as the data processing service continues. They may not be terminated unless an alternative agreement governing data processing services is made between the Parties.


  3. Upon termination, if data is deleted or returned as specified in Clause 11.1 and Annex C.4, these Clauses may be terminated with written notice by either Party.


4. Signature

 
Name: Christian Vestergaard

Position: Chief Executive Officer

Phone: +45 4047 7638

Email: christian@postbuddy.dk


Signature:

 

15. Contact Persons for the Data Controller and Data Processor


  1. The Parties may contact each other through the designated contact persons listed below.


  2. The Parties are obligated to continuously inform each other of any changes regarding the contact persons.


Name: CONTACT PERSON

Position: POSITION

Phone number: PHONE

Email: EMAIL


Name: Christian Vestergaard

Position: Chief Executive Officer

Phone number: +45 4047 7638

Email: christian@postbuddy.dk


Annex A – Information on Processing


A.1. Purpose of the Data Processor’s Processing of Personal Data on Behalf of the Data Controller


The purpose of the data processing carried out by the Data Processor is to provide access to the System and its functionalities for the Data Controller, as well as to provide support and consulting assistance related to the implementation and daily operation of the System.


If it is agreed that the System is hosted by the Data Processor, the Data Controller’s instructions outlined below include processing personal data for hosting purposes. If the data is not hosted by the Data Processor, the Data Processor will only have access to and process the data under specific agreements with the Data Controller.


A.2. The Data Processor’s Processing of Personal Data on Behalf of the Data Controller Primarily Involves:


  • Sending physical mail on behalf of the sender

  • Storage of and access to personal data


A.3. The Processing Includes the Following Types of Personal Data of Data Subjects:


  • Transaction data, including but not limited to: name, email address, phone numbers, delivery address, and order history.


A.4. The Processing Includes the Following Categories of Data Subjects:


  • Login information (encrypted), including but not limited to: billing address, payment card details, job title, and any other information the Data Controller inputs into the System.


A.5. The Data Processor’s Processing of Personal Data on Behalf of the Data Controller May Commence After the Effective Date of These Clauses. The Processing Duration Is:


  • The processing will take place until the termination of the Agreement.


Regardless of the formal agreement period of these Clauses, they shall remain in effect as long as the Data Processor processes personal data on behalf of the Data Controller.


Annex B – Sub-Processors


B.1. Approved Sub-Processors


At the time these Clauses take effect, the Data Controller has approved the use of the following sub-processors:


Name: DISTRIBUTION PLUS A/S


Company number: 30913078


Address: Charles Lindberghs Vej 99, 9430 Vadum


Description of Processing: In cases where the System is used to send physical letters to the Data Controller’s customers, Postbuddy collaborates with DISTRIBUTION PLUS A/S, which handles printing and mailing of letters.


The Data Processor has the Data Controller’s general approval to engage sub-processors.


Annex C – Instructions on the Processing of Personal Data


C.1. Scope of Processing / Instructions


The Data Processor’s processing of personal data on behalf of the Data Controller consists of the following activities:


System: Postbuddy


Processing Description: The purpose of allowing Postbuddy to perform data processing is to enable the Data Controller to use the System and its functionalities. Postbuddy is used as a tool by the Data Controller to design and send letters based on data provided by the Data Controller.



C.2. Processing Security


The security level must reflect:


  • The processing involves the storage of and access to ordinary (including confidential) and, in some cases, sensitive personal data. The processing is carried out as part of the Data Controller’s use of the System, where the Data Controller can control which personal data is included.

  • The Data Processor is entitled and obligated to determine which technical and organizational security measures are required to establish the necessary (and agreed-upon) security level.

Postbuddy applies a risk-based approach to IT security and the protection of personal data it processes on behalf of the Data Controller and its employees.


Postbuddy has implemented the following security measures:


Physical Security: Physical access control ensures that only authorized individuals can access areas where personal data is stored and processed.


Logging: All network traffic and server logs are monitored and recorded.


Firewalls and Antivirus: External access to systems and databases used for personal data processing is secured through firewalls and intrusion prevention systems.


Encryption: Data transmission over the internet and emails are encrypted using TLS 1.2 or higher.


Access Control: Only employees with a business-related need have access to personal data, with regular access reviews.


C.3. Assistance to the Data Controller


The Data Processor shall, as far as possible and to the extent specified, assist the Data Controller in accordance with Clause 9.1 and 9.2 by implementing the following technical and organizational measures:

  • Personal data stored in the System can be accessed and managed by the Data Controller at any time.

  • The Data Processor has structured its organization so that relevant contact persons can escalate issues related to assistance to senior management or legal and technical teams.


C.4. Retention Period / Deletion Policy


Personal data is stored in accordance with the deletion rules set by the Data Controller or with assistance from the Data Processor.


Upon termination of the service related to the processing of personal data, the Data Processor must delete or return the personal data in accordance with Clause 11.1, unless the Data Controller has modified its original decision. Such changes must be documented and stored in writing, including electronically, in connection with these Clauses.


C.5. Instructions on Transfers of Personal Data to Third Countries


The Data Processor does not transfer personal data to third countries unless specifically agreed upon with the Data Controller. If such a transfer is agreed upon, both parties shall ensure that an appropriate transfer mechanism is in place before the transfer occurs.


C.6. Audit and Inspection Procedures


The Data Processor shall obtain an independent third-party statement annually regarding its compliance with security measures specified in these Clauses.


The Data Controller has the right to appoint an independent expert to assess whether Postbuddy has implemented the necessary security measures.


The expert must sign a confidentiality agreement and may only share information with the Data Controller.

May we show you in 20 minutes what Postbuddy can do?


Address

Borgergade 24, 2nd floor
1300 Copenhagen
Denmark

Contact us

+45 40 47 76 38
christian@postbuddy.dk


Postbuddy ApS (CVR 44631822)
