Data Processing Agreement

YOGO.DK ApS

Njalsgade 21F, 6. sal

2300 København S

CVR: 39467542

1. Contents

2 Background of the Data Processing Agreement

3 Obligations and Rights of the Data Controller

4 The Processor Acts According to Instructions

5 Confidentiality

6 Data Security

7 Use of Sub-Processors

8 Transfer of Data to Third Countries or International Organizations

9 Assistance to the Data Controller

10 Notification of Personal Data Breach

11 Deletion and Return of Data

12 Supervision and Audits

13 Commencement and Termination

14 Contact Persons/Points at the Controller and Processor

Annex A: Information about the Processing

Annex B: Terms for the Processor’s Use of Sub-Processors and List of Approved Sub-Processors

Annex C: Instructions Regarding the Processing of Personal Data

2. Background of the Data Processing Agreement

This agreement sets out the rights and obligations that apply when YOGO (the data processor) processes personal data on behalf of a customer (the data controller).

The agreement is designed to ensure both parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation), which establishes specific requirements for the content of a data processing agreement.

The processor’s processing of personal data is carried out in connection with the data controller's use of the YOGO system, as described in YOGO’s terms of service.

The Data Processing Agreement and YOGO’s terms of service are interdependent and cannot be terminated separately. However, the Data Processing Agreement may – without affecting YOGO’s terms of service – be replaced by another valid Data Processing Agreement. If the agreement is amended, YOGO must notify the data controller and send the updated agreement.

This Data Processing Agreement takes precedence over any conflicting provisions in other agreements between the parties, including YOGO’s terms of service.

Three annexes are attached to this agreement, all of which are considered integral parts of the agreement.

  • Annex A includes detailed information about the processing, such as its purpose and nature, the type of personal data, categories of data subjects, and the duration of the processing.

  • Annex B outlines the terms under which the processor may use sub-processors and includes a list of any sub-processors approved by the data controller.

  • Annex C contains specific instructions regarding the processing performed on behalf of the data controller (subject of the processing), the minimum required security measures, and how audits of the processor and any sub-processors should be conducted.

The Data Processing Agreement with its annexes will be provided to the data controller upon request, and always when the data controller begins a partnership with YOGO.

This agreement does not exempt the data processor from obligations imposed directly by the GDPR or any other applicable laws.

3. Rights and Obligations

The data controller is, by default, responsible to external parties (including data subjects) for ensuring that the processing of personal data is conducted in accordance with the General Data Protection Regulation (GDPR) and the Danish Data Protection Act.

The data processor must always, without undue delay, comply with reasonable requests from the data controller intended to ensure compliance with the GDPR and the Danish Data Protection Act.

The data controller is responsible for ensuring that there is a legal basis for the processing the data processor is instructed to carry out.

4. The Processor Acts According to Instructions

  1. The data processor may only process personal data based on documented instructions from the data controller, unless required to do so by EU or Member State law to which the processor is subject. In such a case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits such disclosure for important societal reasons (Article 28(3)(a)).

  2. The processor shall immediately inform the data controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection laws.

5. Confidentiality

The data processor ensures that only individuals who need access to personal data for their work with YOGO have such access. Access shall be removed immediately when no longer needed or when the individual is no longer associated with YOGO.

Only individuals necessary for fulfilling the processor's obligations may be authorized. Authorized personnel must commit to confidentiality. Upon request, the processor must prove this obligation.

The data controller can create system users with access to personal data.

6. Security of Processing

The processor implements all measures required by GDPR Article 32, ensuring an appropriate level of security.

This includes a risk assessment and may involve:

  • Pseudonymization and encryption

  • Ensuring ongoing confidentiality, integrity, availability, and resilience

  • Ability to restore access and availability after incidents

  • Regular testing and evaluation of security measures

Minimum measures are specified in Annex C. Any further terms are defined in YOGO's terms of service.

7. Use of Sub-Processors

The processor must meet GDPR Article 28(2) and (4) requirements before engaging sub-processors.

They must not use sub-processors without prior specific or general written approval from the controller. For general approval, the processor must notify the controller at least one month in advance of any changes.

Sub-processors must be bound by the same data protection obligations through a valid legal contract. The processor remains fully liable for sub-processor obligations.

Commercial terms not affecting data protection do not need to be shared.

8. Transfers to Third Countries or International Organizations

The processor may only transfer personal data to third countries based on documented instructions or if required by law. Any such transfers must be approved by the data controller, as described in Annex C.

9. Assistance to the Data Controller

The processor shall assist the controller in fulfilling obligations under Chapter 3 of the GDPR, including:

  • Information obligations

  • Rights of access, rectification, erasure, and data portability

  • Restrictions and objections

  • Responding to data subject requests

The processor also assists with obligations under Articles 32–36:

  • Security of processing

  • Notification of data breaches

  • Data Protection Impact Assessments (DPIAs)

  • Prior consultation with supervisory authorities

Terms of such assistance are defined in YOGO's business terms.

10. Notification of Personal Data Breach

The processor shall notify the controller without undue delay and within 36 hours of becoming aware of a data breach.

The processor must assist in providing:

  • Nature and scope of the breach

  • Likely consequences

  • Measures taken or proposed

11. Deletion and Return of Data

At the end of service use, the processor shall delete or return all personal data per the controller’s instructions, unless otherwise required by law.

12. Audits and Supervision

The processor must provide all information needed to demonstrate GDPR compliance and allow audits by the controller or their authorized auditor.

Physical inspections and any associated costs are borne by the controller.

13. Commencement and Termination

This agreement takes effect when the controller begins using YOGO’s system. Either party may renegotiate the agreement if required by law or due to practical issues.

The agreement remains effective until processing ends and data is deleted.

14. Contact Persons

Data Protection Inquiries:

  • Magnus H. Friis – magnus@yogo.dk

  • Anders H. Straarup – anders@yogo.dk

Annex A: Processing Information

Purpose: Enable the data controller to use YOGO to manage member data.

Data Types: Name, email, phone, address, birthdate, membership type, class/event registrations.

Data Subjects: Individuals with a profile created via YOGO.

Duration: Until termination of agreement.

Annex B: Use of Sub-Processors

General Approval: Granted with a 1-month notice period for changes. Objections must be raised within 14 days with justified reasoning.

Approved Sub-Processors:

  • Gateway API – SMS delivery

  • Mailgun – Email delivery

  • Amazon Web Services – Infrastructure hosting

Annex C: Processing Instructions

Scope: Handle customer data for class scheduling, course management, payments, etc.

Security Level: Reflects standard personal data and purchase history (not sensitive data under Article 9).

Storage and Deletion: Data remains until deletion is requested. Deleted user data is anonymized, retaining only non-identifiable records for reporting.

Audit Procedure: The controller bears the cost of physical audits. The processor must allocate reasonable time and resources to facilitate audits.