GDPR & DATA
Definitions
In this Agreement, the following definitions shall apply:
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation or set of operations performed on personal data, including collection, storage, modification, deletion, and disclosure.
• Sub-processor: Any third party that receives personal data from Jelly & Fish to process it on behalf of the Data Controller.
• Consulting Services: The services provided by Jelly & Fish pursuant to the executed consulting agreement.
The Processed Personal Data
1.1 This Agreement is entered into in connection with the Parties’ execution of the Consulting Agreement with Jelly & Fish ApS regarding the services provided by Jelly & Fish ApS.
1.2 Jelly & Fish processes the types of personal data set forth in Appendix 1 on behalf of the Data Controller. The personal data relates to the categories of data subjects listed in Appendix 1.
1.3 The Data Controller is entitled to delete and/or add further types of personal data and/or data subjects to the list in Appendix 1 by submitting a new list of personal data and/or data subjects to Jelly & Fish.
1.4 Jelly & Fish may only process the personal data specified in Appendix 1 for the purpose set forth in this Agreement. Any change or expansion of the processed data must be documented in writing and agreed upon separately.
Purpose and Instruction
2.1 Jelly & Fish shall only process personal data for purposes necessary to deliver the Consulting Services agreed upon by the Parties.
2.1a Furthermore, the processing shall be carried out in accordance with the principle of data minimization, so that only the information strictly necessary to achieve the purpose is processed.
2.2 The Data Controller hereby instructs Jelly & Fish to process solely the personal data referred to in section 1.2 for the purpose of performing the following data processing tasks:
• Consulting tasks related to data analysis, where access is provided to data either transmitted or made available by the Data Controller.
• Consulting tasks related to the Data Controller’s website.
• Consulting tasks related to the Data Controller’s external IT systems/IT platforms or third-party software.
2.2a Data Storage and Deletion: Personal data may only be stored for as long as necessary to fulfill the specified purposes. Thereafter, the data must either be deleted or anonymized in accordance with further instructions from the Data Controller.
2.3 Jelly & Fish shall immediately notify the Data Controller if it determines that any instruction is, or may later become, contrary to data protection legislation.
Obligations of the Data Controller
3.1 The Data Controller warrants that the purpose of processing the personal data is lawful and legitimate, and that no more personal data is provided to Jelly & Fish than is necessary to achieve the purpose.
3.2 The Data Controller is responsible for ensuring that at the time of transferring personal data to Jelly & Fish there exists a valid legal basis for processing, including that any consents are explicit, voluntary, unambiguous, and informed. Upon Jelly & Fish’s request, the Data Controller shall provide a written account of and/or documentation for the legal basis for processing.
3.3 The Data Controller further warrants that the data subjects to whom the personal data relates have received sufficient information about the processing.
3.3a The Data Controller shall also ensure that the data subjects are informed of their rights under the GDPR (e.g., the right of access, rectification, deletion, data portability, and objection).
3.4 Any instruction regarding the processing of personal data under this Agreement must be submitted to Jelly & Fish. If the Data Controller directly instructs a sub-processor, cf. section 5.1, the Data Controller must immediately inform Jelly & Fish. Jelly & Fish cannot be held liable for the sub-processor’s processing of personal data carried out in accordance with such instructions.
Obligations of Jelly & Fish
4.1 Jelly & Fish shall only process the personal data provided by the Data Controller in accordance with the latter’s instructions and shall at all times comply with applicable data protection legislation.
4.2 Jelly & Fish shall take the necessary technical and organizational security measures, including any additional measures that may be required, to prevent the personal data specified in section 1.2 from being accidentally or unlawfully destroyed, lost, or impaired, and to ensure that it is not disclosed to unauthorized parties, misused, or processed in violation of applicable law.
4.2a Jelly & Fish shall implement appropriate security measures, including encryption, pseudonymization, and ongoing risk assessments, in accordance with Article 32 of the GDPR.
4.3 Upon the Data Controller’s request, Jelly & Fish shall provide a written account of and/or documentation demonstrating compliance with data protection legislation and the obligations under this Agreement, including the implementation of the necessary security measures. The Data Controller shall compensate Jelly & Fish for the time expended on this documentation.
4.3a However, compensation for the documentation effort shall not apply if the request is due to an error or non-compliance on the part of Jelly & Fish.
4.4 Jelly & Fish shall ensure that employees who process personal data are bound by confidentiality or are subject to statutory confidentiality obligations.
4.5 Jelly & Fish is obliged, without undue delay – and no later than 72 hours after discovery – to notify the Data Controller of any operational disruptions, suspected breaches of data protection legislation, or other irregularities in connection with the processing. Upon the Data Controller’s request, Jelly & Fish shall assist in clarifying any security breach, including any notification to the Data Protection Authority and/or the data subjects.
4.6 The Data Controller is entitled, at its own expense, to have an annual audit of Jelly & Fish’s processing of personal data conducted by an independent third party. Jelly & Fish shall be compensated for the time expended in connection with such an audit.
4.7 If Jelly & Fish or any other processor receives a request for access to a data subject’s personal data, or if a data subject objects to the processing, Jelly & Fish shall forward the request/objection to the Data Controller for further handling, unless Jelly & Fish is entitled to handle it directly. Upon request, Jelly & Fish shall assist the Data Controller in responding.
4.7a Furthermore, Jelly & Fish shall assist the Data Controller in handling inquiries from data subjects in accordance with the provisions of the GDPR (including Articles 15, 16, 17, and 20).
Transfer of Data to Other Processors or Third Parties
5.1 By signing this Agreement, the Data Controller authorizes Jelly & Fish to engage other processors (sub-processors) in connection with fulfilling its obligations under this Agreement. At the time of entering into the Agreement, the sub-processors listed in Appendix 2 are utilized. Prior to the addition or replacement of any sub-processors in Appendix 2, the Data Controller shall be notified and must, within 5 (five) days, communicate any objections to the change.
5.2 Jelly & Fish shall, once annually, provide a revised and updated list corresponding to Appendix 2, which shows the sub-processors that have received personal data under the responsibility of the Data Controller.
5.3 Except as specified in section 5.1, Jelly & Fish is not entitled to disclose personal data to third parties or other processors without the prior written instructions of the Data Controller, unless such disclosure is mandated by law.
5.4 Prior to transferring personal data to a sub-processor, Jelly & Fish shall enter into a written data processing agreement with the sub-processor, whereby the sub-processor commits to complying with “back-to-back” terms corresponding to the provisions of this Agreement.
5.5 If personal data is transferred to foreign sub-processors, the data processing agreement shall stipulate that the relevant data protection legislation of the Data Controller’s country applies.
5.6 Jelly & Fish shall, in its own name, enter into written data processing agreements with sub-processors within the EU/EEA. For sub-processors outside the EU/EEA, Jelly & Fish shall enter into standard agreements in accordance with the Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries, including any subsequent versions or replacement Commission Decisions.
5.6a For sub-processors outside the EU/EEA, Jelly & Fish shall enter into standard agreements in accordance with the applicable standard contractual clauses as established by the European Commission at the time of the transfer.
5.7 The Data Controller hereby authorizes Jelly & Fish to enter into standard agreements with sub-processors outside the EU/EEA on behalf of and in the name of the Data Controller.
Liability
6.1 The Parties are liable for damages in accordance with the general rules of liability under Danish law, provided, however, that neither Party may claim damages for indirect losses or consequential damages – including loss of business opportunities, profits, operational downtime, turnover, goodwill, or data loss (including losses associated with data recovery).
6.1a The limitation of liability shall not apply to damages caused by intentional actions or gross negligence on the part of a Party.
6.2 Jelly & Fish’s total liability under this Agreement is limited to DKK 10,000.
6.2a This limitation shall not result in the disregard of non-derogable rights to compensation under applicable law.
Entry into Force and Termination
7.1 This Agreement shall enter into force on the date of its signing/acceptance.
7.2 In the event of termination of the main agreement (the Consulting Agreement with Jelly & Fish ApS), this Agreement shall simultaneously terminate, although Jelly & Fish shall remain obligated for as long as personal data is processed on behalf of the Data Controller.
7.3 Upon termination of the Agreement, the Data Controller is entitled to require that Jelly & Fish return or delete the transferred personal data.
7.3a Upon termination of the Agreement, the return or deletion of personal data shall be carried out in a secure and documented manner and in accordance with the instructions of the Data Controller – including confirmation that all copies have been removed or destroyed.
Governing Law and Jurisdiction
8.1 This Agreement shall be governed by and construed in accordance with Danish law.
8.2 Any dispute or claim arising out of or relating to this Agreement shall be settled by the courts in Copenhagen, subject to any claims by the Data Protection Authority.
Additional Provisions
9.1 Documentation and Audit: The Parties shall continuously document compliance with this Agreement as well as the technical and organizational security measures. Annual security audits may be conducted to confirm compliance.
9.2 Definitions: See Section 0 for the definitions used.
9.3 Amendment Clause: Any changes and updates to this Agreement shall be agreed upon in writing between the Parties. The Parties shall also continuously inform each other of any changes that may affect the content of the Agreement or compliance with applicable law.
Jelly & Fish ApS
CVR No. 41611480
Appendix 1
Types of Personal Data
• Name
• Address
• Contact Information
• Customer Profile, Purchase History
• IP Address
Appendix 2
Sub-processors
• HubSpot.com
• Wix.com
• Simply.com
15.2.2025