Data Protection Terms

This section includes the following subsections:

• Scope

• Processing of Customer Data; Ownership

• Disclosure of Customer Data

• Processing of Personal Data; GDPR

• Data Security

• Security Incident Notification

• Data Location

• Data Retention and Deletion

• Processor Confidentiality Commitment

• Notice and Controls on Use of Subprocessors

• How to Contact Microting

• European Union General Data Protection Regulation Terms (GDPR terms)


Scope

The terms in this section (“Data Protection Terms”) apply to all Microting services.

Processing of Customer Data; Ownership

Customer Data will be used or otherwise processed only to provide Customer the Microting Services including purposes compatible with providing those services. Microting will not use or otherwise process Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microting acquires no rights in Customer Data, other than the rights Customer grants to Microting to provide the Microting Services to Customer. This paragraph does not affect Microting’s rights in software or services Microting licenses to Customer.

Disclosure of Customer Data

Microting will not disclose Customer Data outside of Microting or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the Terms of Service, or (3) as required by law.

Microting will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts Microting with a demand for Customer Data, Microting will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Customer Data to law enforcement, Microting will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.

Upon receipt of any other third-party request for Customer Data, Microting will promptly notify Customer unless prohibited by law. Microting will reject the request unless required by law to comply. If the request is valid, Microting will attempt to redirect the third party to request the data directly from Customer.

Microting will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data if Microting is aware that the data is to be used for purposes other than those stated in the third party’s request.

In support of the above, Microting may provide Customer’s basic contact information to the third party.

Processing of Personal Data; GDPR

Personal Data provided to Microting by, or on behalf of, Customer through use of the Microting Services is also Customer Data. Pseudonymized identifiers may also be generated through Customer’s use of the Microting Services and are also Personal Data. To the extent Microting is a processor or subprocessor of Personal Data subject to the GDPR, the GDPR Terms in (GDPR Terms) govern that processing and the parties also agree to the following terms in this sub-section (“Processing of Personal Data; GDPR”):

Processor and Controller Roles and Responsibilities

Customer and Microting agree that Customer is the controller of Personal Data and Microting is the processor of such data, except when (a) Customer acts as a processor of Personal Data, in which case Microting is a subprocessor or (b) stated otherwise in the Microting Service-specific terms. Microting will process Personal Data only on documented instructions from Customer.

In any instance where the GDPR applies and Customer is a processor, Customer warrants to Microting that Customer’s instructions, including appointment of Microting as a processor or subprocessor, have been authorized by the relevant controller.

Processing Details

The parties acknowledge and agree that:

  • The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
  • The duration of the processing shall be for the duration of the Customer’s right to use the Microting Service and until all Personal Data is deleted or returned in accordance with Terms of Service;

Data Subject Rights; Assistance with Requests

Microting will make available to Customer in a manner consistent with the functionality of the Microting Service and Microting’s role as a processor Personal Data of data subjects and the ability to fulfill data subject requests to exercise their rights under the GDPR. Microting shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request. If Microting receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an Microting Service for which Microting is a data processor or subprocessor, Microting will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Microting Service. Microting shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.

Records of Processing Activities

Microting shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request.

Data Security

Security Practices and Policies

Microting will implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data.

Customer Responsibilities

Customer is solely responsible for making an independent determination as to whether the technical and organizational measures for an Microting Service meets Customer’s requirements, including any of its security obligations under the GDPR or other applicable data protection laws and regulations. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Microting provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

Security Incident Notification

If Microting becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Microting (each a “Security Incident”), Microting will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means Microting selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable My Microting. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.

Microting’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Microting of any fault or liability with respect to the Security Incident.

Customer must notify Microting promptly about any possible misuse of its accounts or authentication credentials or any security incident related to an Microting Service.

Data Location

For the Microting Services, Microting will store Customer Data at rest at:

Microting A/S (Denmark)

For Microting Services (Microting eForm) that uses speech to text, Customer Data (audio recordings) will be transferred and processed by Google LLC.

Data Retention and Deletion

At all times during the term of Customer’s subscription, Customer will have the ability to access, extract and delete Customer Data stored in each Microting Service.

Except for free trials, Microting will retain Customer Data that remains stored in Microting Services in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, Microting will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless Microting is permitted or required by applicable law to retain such data or authorized in this agreement.

Microting has no liability for the deletion of Customer Data or Personal Data as described in this section.

Processor Confidentiality Commitment

Microting will ensure that its personnel engaged in the processing of Customer Data and Personal Data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends.

Notice and Controls on use of Subprocessors

Microting may hire third parties to provide certain limited or ancillary services on its behalf. Customer consents to the engagement of these third parties and Microting Affiliates as Subprocessors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by Microting of the processing of Customer Data and Personal Data if such consent is required under the Standard Contractual Clauses or the GDPR Terms.

Microting is responsible for its Subprocessor’s compliance with Microting’s obligations in the Terms of Service. Microting makes available information about Subprocessors on a Microting website. When engaging any Subprocessor, Microting will ensure via a written contract that the Subprocessor may access and use Customer Data or Personal Data only to deliver the services Microting has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. Microting will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Microting by the Terms of Service.

How to Contact Microting

Microting A/S

Hvidkærvej 48, indgang 2

5250-DK Odense C


Updated contact information can be found at https://www.microting.dk/kontakt

European Union General Data Protection Regulation Terms

Microting makes the commitments in these GDPR Terms, to all customers effective May 25, 2018. These commitments are binding upon Microting with regard to Customer regardless of (1) the version of the Terms of Service that is otherwise applicable to any given Microting Services subscription or (2) any other agreement that references this document.

For purposes of these GDPR Terms, Customer and Microting agree that Customer is the controller of Personal Data and Microting is the processor of such data, except when Customer acts as a processor of Personal Data, in which case Microting is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microting on behalf of Customer. These GDPR Terms do not limit or reduce any data protection commitments Microting makes to Customer in the Terms Of Service or other agreement between Microting and Customer. These GDPR Terms do not apply where Microting is a controller of Personal Data.

Relevant GDPR Obligations: Articles 28, 32, and 33

1. Microting shall not engage another processor without prior specific or general written authorisation of Customer. In the case of general written authorisation, Microting shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. (Article 28(2))

2. Processing by Microting shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microting with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in the Customer’s licensing agreement, including these GDPR Terms. In particular, Microting shall:

  • (a) process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Microting is subject; in such a case, Microting shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • (b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • (c) take all measures required pursuant to Article 32 of the GDPR;
  • (d) respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
  • (e) taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
  • (f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microting;
  • (g) at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
  • (h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

Microting shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))

3. Where Microting engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microting shall remain fully liable to the Customer for the performance of that other processor’s obligations. (Article 28(4))

4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Microting shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • (a) the pseudonymisation and encryption of Personal Data;
  • (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  • (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Article 32(1))

5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))

6. Customer and Microting shall take steps to ensure that any natural person acting under the authority of Customer or Microting who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4))

7. Microting shall notify Customer without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microting.

Document last updated 28th November 2018