Evofleet banner

Data Processing Agreement

Data Processing Agreement for the Evofleet platform

Last updatedJuly 2026

Pursuant to article 28(3) of Regulation 2016/679 (the General Data Protection Regulation) for the purpose of the data processor’s processing of personal data. The Data Processing Agreement takes effect when you are created as a customer on the Evofleet platform.

The agreement is entered into between the Customer (hereinafter “the data controller”) and Evofleet ApS, CVR 43560433, St. Sct. Mikkels Gade 7, 8800 Viborg, Denmark (hereinafter “the data processor”), each of which is a “party” and together constitute the “parties”.

The parties have agreed on the following standard contractual clauses (the Clauses) in order to comply with the General Data Protection Regulation and to ensure the protection of privacy and of the fundamental rights and freedoms of natural persons.

2. Preamble

These Clauses set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.

These Clauses are designed to ensure the parties’ compliance with article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation).

In connection with the provision of Evofleet’s online platform, the data processor processes personal data on behalf of the data controller in accordance with these Clauses.

The Clauses shall take priority over any similar provisions contained in other agreements between the parties.

Four annexes are attached to these Clauses, and the annexes form an integral part of the Clauses.

Annex A contains details about the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

Annex B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors whose use the data controller has approved.

Annex C contains the data controller’s instructions with regard to the data processor’s processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how supervision of the data processor and any sub-processors is conducted.

The Clauses together with the accompanying annexes shall be retained in writing, including electronically, by both parties.

These Clauses do not release the data processor from obligations imposed on the data processor under the General Data Protection Regulation or any other legislation.

3. The rights and obligations of the data controller

The data controller is responsible for ensuring that the processing of personal data takes place in accordance with the General Data Protection Regulation (see article 24 of the Regulation), data protection provisions of other EU law or the national law of the member states, and these Clauses.

The data controller has the right and obligation to make decisions about the purpose(s) and means of processing personal data.

The data controller is responsible, among other things, for ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.

4. The data processor acts according to instructions

The data processor may only process personal data on documented instructions from the data controller, unless required to do so under EU law or the national law of the member states to which the data processor is subject. These instructions shall be specified in Annexes A and C. Subsequent instructions may also be given by the data controller while personal data is being processed, but the instructions shall always be documented and retained in writing, including electronically, together with these Clauses.

The data processor shall immediately inform the data controller if, in its opinion, an instruction infringes this Regulation or data protection provisions of other EU law or the national law of the member states.

5. Confidentiality

The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor’s authority to instruct, who have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality, and only to the extent necessary. The list of persons granted access shall be reviewed on an ongoing basis. On the basis of this review, access to personal data may be withdrawn if access is no longer necessary, and personal data shall then no longer be accessible to those persons.

Upon request from the data controller, the data processor shall be able to demonstrate that the persons concerned who are subject to the data processor’s authority to instruct are subject to the above-mentioned obligation of confidentiality.

6. Security of processing

Article 32 of the General Data Protection Regulation provides that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of protection appropriate to those risks.

The data controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to mitigate those risks. Depending on their relevance, this may include:

  • pseudonymisation and encryption of personal data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
  • a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing.

Pursuant to article 32 of the Regulation, the data processor shall also – independently of the data controller – assess the risks to the rights of natural persons posed by the processing and implement measures to mitigate those risks. For the purpose of this assessment, the data controller shall make available to the data processor the information necessary to enable it to identify and assess such risks.

In addition, the data processor shall assist the data controller in complying with the data controller’s obligation under article 32 of the Regulation by, among other things, making available to the data controller the necessary information regarding the technical and organisational security measures that the data processor has already implemented pursuant to article 32 of the Regulation, and any other information necessary for the data controller’s compliance with its obligation under article 32 of the Regulation.

If mitigating the identified risks – in the data controller’s assessment – requires the implementation of measures additional to those that the data processor has already implemented, the data controller shall specify the additional measures to be implemented in Annex C.

7. Use of sub-processors

The data processor shall meet the conditions referred to in article 28(2) and (4) of the General Data Protection Regulation in order to engage another processor (a sub-processor).

The data processor may therefore not engage a sub-processor for the fulfilment of these Clauses without prior general written authorisation from the data controller.

The data processor has the data controller’s general authorisation for the use of sub-processors. The data processor shall inform the data controller in writing of any intended changes concerning the addition or replacement of sub-processors with at least one month’s notice, thereby giving the data controller the opportunity to object to such changes before the sub-processor(s) concerned are engaged. A longer notice period for notification in connection with specific processing activities may be specified in Annex B. The list of sub-processors already approved by the data controller appears in Annex B.

Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the data processor shall, through a contract or other legal act under EU law or the national law of the member states, impose on the sub-processor the same data protection obligations as those set out in these Clauses, in particular providing the requisite guarantees that the sub-processor will implement the technical and organisational measures in such a manner that the processing complies with the requirements of these Clauses and the General Data Protection Regulation.

The data processor is therefore responsible for requiring that the sub-processor at least complies with the data processor’s obligations under these Clauses and the General Data Protection Regulation.

Sub-processor agreement(s) and any subsequent amendments thereto shall – upon the data controller’s request – be sent in copy to the data controller, who thereby has the opportunity to ensure that data protection obligations equivalent to those following from these Clauses are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement need not be sent to the data controller.

If the sub-processor fails to fulfil its data protection obligations, the data processor remains fully liable to the data controller for the performance of the sub-processor’s obligations. This does not affect the rights of the data subjects that follow from the General Data Protection Regulation, in particular articles 79 and 82 of the Regulation, against the data controller and the data processor, including the sub-processor.

8. Transfer to third countries or international organisations

Any transfer of personal data to third countries or international organisations may only be carried out by the data processor on the basis of documented instructions to that effect from the data controller and shall always take place in accordance with Chapter V of the General Data Protection Regulation.

If transfer of personal data to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, is required under EU law or the national law of the member states to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing, unless that law prohibits such notification on important grounds of public interest.

Without documented instructions from the data controller, the data processor therefore cannot, within the framework of these Clauses:

  • transfer personal data to a data controller or data processor in a third country or an international organisation
  • entrust the processing of personal data to a sub-processor in a third country
  • process the personal data in a third country

The data controller’s instructions concerning the transfer of personal data to a third country, including the possible transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, shall be specified in Annex C.6.

These Clauses shall not be confused with standard contractual clauses as referred to in article 46(2)(c) and (d) of the General Data Protection Regulation, and these Clauses cannot constitute a basis for the transfer of personal data as referred to in Chapter V of the General Data Protection Regulation.

9. Assistance to the data controller

Taking into account the nature of the processing, the data processor shall, as far as possible, assist the data controller by appropriate technical and organisational measures in fulfilling the data controller’s obligation to respond to requests for exercising the data subjects’ rights as laid down in Chapter III of the General Data Protection Regulation.

This means that the data processor shall, as far as possible, assist the data controller in ensuring compliance with:

  • the obligation to provide information when collecting personal data from the data subject
  • the obligation to provide information where personal data has not been collected from the data subject
  • the right of access
  • the right to rectification
  • the right to erasure (“the right to be forgotten”)
  • the right to restriction of processing
  • the obligation to notify in connection with the rectification or erasure of personal data or restriction of processing
  • the right to data portability
  • the right to object
  • the right not to be subject to a decision based solely on automated processing, including profiling

In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3, the data processor shall, taking into account the nature of the processing and the information available to the data processor, further assist the data controller with:

  • the data controller’s obligation to notify the personal data breach to the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights or freedoms of natural persons
  • the data controller’s obligation to communicate the personal data breach to the data subject without undue delay, when the breach is likely to result in a high risk to the rights and freedoms of natural persons
  • the data controller’s obligation to carry out, prior to the processing, an assessment of the impact of the envisaged processing activities on the protection of personal data (a data protection impact assessment)
  • the data controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency (Datatilsynet), prior to processing, where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

The parties shall specify in Annex C the requisite technical and organisational measures by which the data processor shall assist the data controller, as well as the scope and extent thereof. This applies to the obligations following from Clauses 9.1 and 9.2.

10. Notification of a personal data breach

The data processor shall notify the data controller without undue delay after becoming aware that a personal data breach has occurred.

The data processor’s notification to the data controller shall, where feasible, take place no later than 72 hours after the data processor has become aware of the breach, so that the data controller can comply with its obligation to notify the personal data breach to the competent supervisory authority, cf. article 33 of the General Data Protection Regulation.

In accordance with Clause 9.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor shall assist in providing the following information, which, according to article 33(3), shall appear in the data controller’s notification of the breach to the competent supervisory authority:

  • the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned
  • the likely consequences of the personal data breach
  • the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The parties shall specify in Annex C the information that the data processor shall provide in connection with its assistance to the data controller in the data controller’s obligation to notify a personal data breach to the competent supervisory authority.

11. Erasure and return of data

The Customer is the data controller with regard to any personal data uploaded and processed in the Services. The Customer owns its own data in the Services. However, the Customer’s data is erased or anonymised on an ongoing basis as the purpose for which it was collected comes to an end.

Accounting-related data may be retained for up to 5 years pursuant to the Danish Bookkeeping Act.

12. Audit, including inspection

The data processor shall make available to the data controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and these Clauses, and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

The procedures for the data controller’s audits, including inspections, of the data processor and sub-processors are further specified in Annexes C.7 and C.8.

The data processor is obliged to grant supervisory authorities, which under applicable legislation have access to the data controller’s or the data processor’s facilities, or representatives acting on behalf of the supervisory authority, access to the data processor’s physical facilities upon presentation of appropriate identification.

13. The parties’ agreement on other matters

The parties may agree on other provisions concerning the service relating to the processing of personal data, for example regarding liability, as long as these other provisions do not directly or indirectly conflict with the Clauses or prejudice the fundamental rights and freedoms of the data subject as they follow from the General Data Protection Regulation.

14. Commencement and termination

The Clauses take effect on the date of both parties’ signature thereof.

Both parties may demand that the Clauses be renegotiated if changes in legislation or inexpediencies in the Clauses give rise to this.

The Clauses are in force for as long as the service relating to the processing of personal data lasts. During this period, the Clauses cannot be terminated unless other provisions governing the provision of the service relating to the processing of personal data are agreed between the parties.

If the provision of the services relating to the processing of personal data ceases, and the personal data has been erased or returned to the data controller in accordance with Clause 11.1 and Annex C.4, the Clauses may be terminated by either party upon written notice.

This agreement forms part of our terms and conditions, and upon customer creation these are accepted, and the agreement is thereby deemed approved by the customer.

15. Contact persons at the data controller and the data processor

The parties may contact each other via the contact persons set out below.

The parties are obliged to keep each other informed on an ongoing basis of changes regarding contact persons.

The data controller may contact the data processor by e-mail at hello@evofleet.com or by calling 70 604 604. The data processor may contact the data controller by e-mail or telephone.

Annex A – Information about the processing

A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller

Personal data is used for customer creation, creation of leasing agreements, personal guarantees (surety), credit assessments, final statements and invoicing.

A.2. The nature of the processing

The data processor makes a portal available to the data controller and a customer portal to the data controller’s customers.

A.3. Types of personal data

Name, e-mail address, telephone number, address, driving licence number, CPR number (CPR is only used for personal guarantees / surety).

A.4. Categories of data subjects

The data controller and its customers.

A.5. Duration of the processing

The data processor’s processing of personal data on behalf of the data controller may commence after the entry into force of these Clauses. The processing lasts until an agreement is terminated.

Annex B – Sub-processors

B.1. Approved sub-processors

Upon the entry into force of the Clauses, the data controller has approved the use of the following sub-processors:

  • Amazon Services Europe S.à r.l. (Frankfurt, Stockholm) – Hosting centres where all data is stored and processed.
  • ActiveCampaign (Postmark) – Sending of external customer e-mails from the platform.
  • Scrive – MitID service for collecting signatures.

Upon the entry into force of the Clauses, the data controller has approved the use of the above-mentioned sub-processors for the described processing activity. The data processor may not – without the data controller’s written approval – engage a sub-processor for a processing activity other than the one described and agreed, or engage another sub-processor for this processing activity.

Annex C – Instructions concerning the processing of personal data

C.1. The subject matter of the processing/instructions

The data processor’s processing of personal data on behalf of the data controller takes place by the data processor carrying out the following: The data controller creates the customer on the platform. A leasing agreement is then created, which is sent to the customer by e-mail.

The data controller may require a personal guarantee (surety) from a customer. This means that in such cases CPR number data will be stored on the platform.

C.2. Security of processing

The data processor is entitled and obliged to make decisions about which technical and organisational security measures shall be implemented to establish the necessary (and agreed) level of security.

The data processor shall, however – in any event and as a minimum – implement the following measures, which have been agreed with the data controller:

  • Encryption: The data processor uses strong encryption to protect personal data during transmission and storage.
  • Access control: The data processor ensures that only authorised persons have access to the personal data, and that access is limited to what is necessary.
  • Data anonymisation: The data processor anonymises data where possible and appropriate.
  • Backup: The data processor regularly takes backups of data to ensure data integrity and availability.
  • Logging: All access to systems is logged.

C.3. Assistance to the data controller

The data processor shall, as far as possible – within the agreed scope and extent – assist the data controller in accordance with Clauses 9.1 and 9.2 by implementing the requisite technical and organisational measures.

C.4. Storage period/erasure routine

Upon termination of the service relating to the processing of personal data, the data processor shall either erase or return the personal data in accordance with Clause 11.1, unless the data controller – after signing these Clauses – has changed the data controller’s original choice. Such changes shall be documented and retained in writing, including electronically, in connection with the Clauses.

C.5. Location of processing

Processing of the personal data covered by the Clauses may not, without the data controller’s prior written approval, take place at locations other than the following: The processing takes place at Amazon Web Services’ data centre in Frankfurt and Stockholm.

C.6. Instructions concerning the transfer of personal data to third countries

Personal data is not transferred to third countries outside the EU.

Governing law and language precedence

This Data Processing Agreement is governed by Danish law. The agreement is provided in several languages as a service to the customer. In the event of any discrepancy or dispute between the language versions, the Danish version shall prevail.