Data Processing Agreement (DPA)
This Data Processing Agreement ("Agreement") is entered into by and between Duckling Media ApS, VAT-id: DK-43764810, the Data Processor (“the Processor”), and the Data Controller (“the Controller”).
(Collectively referred to as the "Parties" and individually as a "Party")
This Agreement outlines the terms and conditions under which the Processor will process personal data on behalf of the Controller, in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679.
1. PURPOSE OF THE DATA PROCESSING
The Processor shall process personal data solely for the purposes set out in the Agreement and in accordance with the Controller's documented instructions. The processing is undertaken to enable the Processor to provide a social media network in an app or website, which allows users to share multimedia stories, setup groups and interact with each other with likes, comments and similar means.
2. DATA PROCESSING INSTRUCTIONS
The Processor will process personal data only in accordance with the Controller's Privacy Policy and Legal Terms, which may be amended from time to time. The Processor will not use personal data for any other purposes unless required to do so by applicable law.
3. DURATION OF DATA PROCESSING RIGHTS
The Processor shall process personal data for the duration of the provision of services under this Agreement. Upon termination of the services delivered to the Processor, the Processor will retain user data as necessary for its legitimate business purposes and compliance with applicable laws. However, Duckling shall return or securely delete the personal data upon request from individual users, provided such a request is made in accordance with the data subject's rights under applicable data protection laws.
4. NATURE AND PURPOSE OF THE PROCESSING
The Processor will collect, store, and process personal data as part of the service delivery. The processing activities may include data hosting, analytics, user authentication, recommendations, verification and blacklisting of content and users. The purpose of the processing is to enable the Processor to provide the services outlined in this Agreement.
5. CONFIDENTIALITY
The Data Processor may only grant access to personal data processed on behalf of the Data Controller to individuals who are subject to the Data Processor’s authority, have committed to confidentiality, or are bound by an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of individuals granted access must be reviewed regularly. Based on this review, access to personal data may be revoked if it is no longer necessary, and such data must no longer be accessible to these individuals. Upon request from the Controller, the Processor must be able to demonstrate that the individuals under its authority are subject to the aforementioned confidentiality obligations.
6. TYPE OF PERSONAL DATA
The types of personal data to be processed may include:
Contact details: Name, email address and telephone number
Demographic information: School, age, gender
Usage data: User interactions like likes and views
7. CATEGORIES OF DATA SUBJECTS
The personal data to be processed pertains to the following categories of data subjects:
Content creators who create stories and upload media on the Duckling platform.
Content viewers who view or otherwise interact with stories and media on the Duckling platform.
Supporters, teachers and mentors who offer learning and guidance on the platform.
8. OBLIGATIONS AND RIGHTS OF THE CONTROLLER
The Controller acknowledges that it is responsible for ensuring that the personal data provided to the Processor is processed in compliance with applicable data protection laws. The Controller has the following obligations and rights:
Ensure that all personal data shared with the Processor is lawfully collected and processed.
Provide clear instructions to the Processor regarding data processing.
Monitor the Processor's compliance with data protection laws.
Ensure the data subjects' rights (e.g., right of access, rectification, erasure, etc.) are upheld.
9. DATA PROCESSING SECURITY
Under Article 32 of the GDPR, the Data Controller and Data Processor must implement appropriate technical and organizational measures to ensure a security level proportionate to the risks posed to users' rights and freedoms. These risks include unauthorized access, data breaches, identity theft, and profiling that could infringe on users' privacy, digital autonomy, and civil liberties.
To mitigate these risks, the Processor must:
Encrypt and pseudonymize critical private data to prevent unauthorized access.
Ensure continuous confidentiality, integrity, and availability of user data.
Implement robust access controls.
Establish a rapid recovery system to restore data availability in case of cyberattacks or system failures.
Conduct regular security audits and penetration testing to identify vulnerabilities.
Maintain a transparent notification policy, informing users within 72 hours in case of a data breach.
Store user data on GDPR-compliant servers, ensuring strict adherence to data protection laws.
Restrict data processing to the minimum necessary and prevent the use of user data for unauthorized profiling or targeted advertising.
Train all employees and subcontractors on data protection best practices to reduce human errors leading to breaches.
The Processor must also regularly assess evolving risks and, if necessary, introduce additional protective measures to uphold the digital rights, safety, and civil liberties of users, ensuring that no data processing activities expose them to discrimination, surveillance, or undue manipulation.
10. ASSISTANCE TO THE DATA CONTROLLER
Taking into account the nature of the processing, the Data Processor shall assist the Data Controller as far as possible, by implementing appropriate technical and organizational measures, in fulfilling the Data Controller’s obligation to respond to requests regarding the exercise of data subjects' rights as outlined in Chapter III of the General Data Protection Regulation (GDPR).
This includes assisting the Data Controller, to the extent possible, in ensuring compliance with:
The obligation to provide information when collecting personal data from the data subject
The obligation to provide information if personal data is not collected from the data subject
The right of access
The right to rectification
The right to erasure ("the right to be forgotten")
The right to restriction of processing
The obligation to notify regarding rectification or erasure of personal data or restriction of processing
The right to data portability
The right to object
The right not to be subject to a decision based solely on automated processing, including profiling
The Data Processor shall further assist the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, in fulfilling:
The Data Processor shall notify the Data Controller of any personal data breach within 24 hours of becoming aware of the breach, if possible, to enable the Data Controller to comply with its obligation to report the breach to the competent supervisory authority, Datatilsynet in Denmark, without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons, in accordance with Article 33 GDPR.
The Data Controller’s obligation to notify the data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
The Data Controller’s obligation to conduct an impact assessment regarding the intended processing activities’ consequences for personal data protection (a Data Protection Impact Assessment).
The Data Controller’s obligation to consult the competent supervisory authority, Datatilsynet in Denmark, prior to processing if a Data Protection Impact Assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.
11. NOTIFICATION OF PERSONAL DATA BREACH
The Data Processor shall notify the Data Controller without undue delay upon becoming aware of a personal data breach.
Where possible, the Data Processor’s notification to the Data Controller shall occur no later than 72 hours after becoming aware of the breach, to enable the Data Controller to fulfill its obligation to report the breach to the competent supervisory authority in accordance with Article 33 of the GDPR.
The Data Processor shall assist the Data Controller in reporting the breach to the competent supervisory authority. This means the Data Processor shall help provide the following information, which, according to Article 33(3), must be included in the Data Controller’s report to the supervisory authority:
The nature of the personal data breach, including, where possible, the categories and approximate number of affected data subjects, as well as the categories and approximate number of affected personal data records.
The likely consequences of the personal data breach.
The measures taken or proposed by the Data Controller to address the personal data breach, including, where relevant, measures to mitigate its possible adverse effects.
12. SUB-PROCESSORS
The Processor may engage sub-processors for specific tasks. The sub-processor shall be bound by the same data protection obligations as the Processor.
The Processor must notify the Controller of the use of new sub-processors by email or in-app notification, unless the Controller has specifically opted out of this type of communication.
Duckling must have Data Processing Agreements (DPAs) in place with sub-contractors, and ensure the DPA explicitly defines data protection obligations under GDPR (or other applicable laws), as well as responsibilities regarding security, compliance, and breach notification.
Duckling Media ApS is currently using the following sub-processors:
Google LLC, Dublin, Ireland: Duckling uses Google Cloud for storage of data.
Twilio GmbH, Berlin, Germany: Duckling uses Twilio for authentication via SMS (when a user signs up, they can verify their account via a text message).
13. LIABILITY
Each Party shall be liable for any damages caused by its failure to comply with applicable data protection laws. The Processor shall indemnify the Controller against any claims arising from the Processor's breach of this Agreement.
14. GOVERNING LAW AND DISPUTES
This Agreement shall be governed by the laws of Denmark, and any disputes shall be resolved in the competent courts of Copenhagen, Denmark.
15. ACCEPTANCE OF TERMS
By onboarding the Duckling platform and opting in to the legal terms, the Processor acknowledges and accepts the terms of this Data Processing Agreement. This acceptance signifies the Processor's commitment to comply with all obligations set forth in this Agreement and to process personal data in accordance with the Controller’s instructions and the applicable data protection laws.