Data processor agreement
Last updated 28.11.2023
General
- An agreement has been entered into between the Business (the “Controller”) and Purpose (the “Data Processor”) (collectively referred to as the “Parties”) on the processing of personal data (the “Agreement”) that the Data Processor must carry out on behalf of the Controller as a result of the Parties having entered into an agreement (the “Main Agreement”) regarding the delivery of the digital tool “dobee” as stated in Appendix 1.
Purpose of the agreement
- The Data Processor processes personal data on behalf of the Controller on the basis of the Main Agreement.
- The purpose of the processing, the nature of the processing, the types of personal data to be processed and categories of registered persons follow from Annex 1 to the Agreement.
- The agreement must ensure that personal data is processed in accordance with the applicable requirements for the processing of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council (the Personal Data Protection Regulation), adopted on 27 April 2016, and Norwegian law with associated regulations introduced as a result of the Personal Data Protection Regulation, including the Personal Data Act.
- The Data Processor must process the personal data in the manner described in the Agreement, as well as in another way if this has been agreed in writing between the Data Processor and the Controller.
- Terms and definitions used in the Agreement shall be understood in the same way as in the Personal Data Act.
Data processor’s duties
- The data processor confirms that it will carry out suitable technical and organizational measures that ensure that all processing under this Agreement meets the requirements of the Personal Data Act and the protection of the data subject’s rights, including fulfilling all the requirements according to Article 32 of the Personal Data Protection Regulation. See also additional duties in point 4.
- The data processor shall only process the personal data based on documented instructions from the Data Controller. The data processor must be able to document such instructions at all times. The Data Processor must not process personal data that the Data Processor gains access to in any other way than is necessary to carry out the tasks that the Data Processor has for the Controller. However, the data processor will use data from the solution outlined in the Main Agreement to create statistics, and will itself be responsible for this processing.
- The data processor shall assist the Data Controller in responding to requests from data subjects, taking into account the nature of the processing and, to the extent possible, assist by means of suitable technical and organizational measures. This applies both to requests from data subjects to exercise their rights under Chapter III of the Personal Data Protection Regulation and to assisting the Data Controller in ensuring compliance with the obligations relating to personal data security. The same applies to assistance with data protection impact assessments and prior consultations under Articles 32 to 36 of the Personal Data Protection Regulation, taking into account the nature of the processing and the information available to the Data Processor.
- If there are approved codes of conduct pursuant to Article 40 of the Personal Data Protection Regulation or an approved certification scheme pursuant to Article 42, which the Data Processor has undertaken to comply with or to be certified according to, the Data Processor is obliged to comply with such codes of conduct or certification requirements.
- The data processor must keep a protocol (log) of the processing activities it carries out on behalf of the Data Controller, which must contain at least the information required under Article 30 no. 2 of the Personal Data Protection Regulation.
- The data processor shall make available to the Data Controller all information necessary to demonstrate that the obligations set out in this point 2 have been fulfilled, and shall enable and contribute to audits, including inspections, carried out by the Data Controller or another auditor authorized by the Data Controller. The Data Controller itself has the direct responsibility for contact and communication with relevant supervisory authorities, including the Norwegian Data Protection Authority.
- The data processor has a duty of confidentiality regarding personal data to which it gains access as a result of the Agreement and the processing of the personal data, and must ensure that persons authorized to process the personal data have undertaken to treat the data confidentially or are subject to a suitable statutory duty of confidentiality. This provision also applies after the termination of the Agreement.
- The data processor must not hand over information or data that it processes on behalf of the Data Controller to third parties without an explicit order from the Data Controller. Inquiries to the Data Processor must be forwarded by the Data Processor to the Data Controller as quickly as possible.
- If the Data Processor is of the opinion that an instruction from the Data Controller is in conflict with the Personal Data Protection Regulation, the Personal Data Act, or other regulation of the processing of personal data, the Data Processor must immediately inform the Data Controller in writing of the Data Processor’s opinion.
Use of subcontractors
- The data processor may use subcontractors for the processing of personal data (sub-processors).
- Sub-processors at the conclusion of the Agreement are specified in Appendix 1 to the Agreement.
- If the Data Processor plans to use other sub-processors or to replace sub-processors, the Data Processor must inform the Data Controller of the plans on its website within a reasonable time, thereby giving the Data Controller the opportunity to object to such changes. The data processor publishes an updated list of sub-processors two weeks before they are put into use. The data controller will keep itself up to date on which sub-processors are engaged in the processing at any given time, and must send any objections to the data processor.
- The sub-processor shall be subject to the same obligations with regard to the protection of personal data as stipulated in the Agreement, in a binding agreement under which the sub-processor provides sufficient guarantees that technical and organizational measures will be implemented to ensure that the processing meets legal requirements. If the sub-processor does not fulfill its obligations with regard to the protection of personal data and the requirements in the Agreement, the Data Processor shall have full responsibility towards the Controller for the sub-processor’s fulfillment of its obligations.
Security and breaches
- The data processor must fulfill the requirements for security measures set by the Personal Data Act and other legislation, including regulations. The data processor must be able to document routines and other measures to fulfill these requirements. The documentation must be available at the Data Controller’s request.
- In the event of a security or privacy breach, the Data Processor must notify the Data Controller without undue delay.
- If not all information can be provided in the first notification, the information must be provided successively as soon as it is available.
- The Controller is responsible for sending a notification to the supervisory authority, and the Data Processor shall not send such a notification or contact the supervisory authority without the Controller having given instructions to this effect.
Transfer to third countries
- The data processor must only transfer the personal data within the EU/EEA or to third countries that have been approved by the European Commission (decision on adequate level of protection).
- If the Data Processor is nevertheless to transfer personal data to third countries that have not received a decision on an adequate level of protection, the Data Controller must approve such transfer in writing in advance. Approved recipients and transfers to third countries appear from the annexes to the Agreement. Transfer to a third country requires that the requirements for security and protection of the rights of the data subjects that follow from the Personal Data Act and other regulations are met.
Duration of the agreement, suspension orders, and obligations in the event of termination
- The agreement applies as long as the Data Processor processes or has access to personal data on behalf of the Data Controller according to the Main Agreement.
- The data processor must, following the instructions of the Controller, delete or return all personal data to the Controller after the services related to the processing have been delivered, and delete existing copies, unless there is a legal requirement that the personal data must continue to be stored. This also applies to any backups, where it is sufficient to overwrite them according to the established backup routines.
- The Data Controller must receive a written confirmation from the Data Processor that all personal data has been returned or deleted in accordance with the Data Processor’s instructions and that the Data Processor has not kept copies, prints or other forms of personal data in any form.
Other duties and rights
- Other duties and rights follow from the Main Agreement that applies between the Data Processor and the Data Controller regarding the services that necessitate the processing of personal data and this Agreement.
- This Agreement shall not extend the Processor’s sanctioning options, including liability for damages for the Data Processor, beyond what follows from the Main Agreement.
Choice of law and venue
- The agreement is subject to Norwegian law. This also applies after termination of the agreement.
APPENDIX 1 – PROCESSING OF PERSONAL DATA TO DATA PROCESSING AGREEMENT
- The purpose of the processing is: The Data Processor offers an employee mobilization and collaboration SaaS solution, which allows businesses to realize the most important goals and initiatives that create results, restructuring and growth for the organisation.
- The nature of the processing is: A Software-as-a-Service solution, where information from employees is received in order to collaborate with and mobilize employees.
- The Data Processor will operate and maintain the solution. The subject of the processing is: Employees will be able to create a simple user account. The data controller will have access to a dashboard solution, which shows information entered into the solution. The data processor must receive and store personal data, and allows people to post and present information in a cloud solution.
- Type of personal data: Email, first name, last name, audio and visual material from film recordings, and information relating to goals, results and work carried out.
- Categories of data subjects: Employees and possibly other external parties who have been invited to help achieve a goal.
What processing systems are used?
- Type of processing system: Google Cloud, Stripe, Active Campaign, Hubspot
- Are the systems manual or electronic? Electronic
- Who has access to the system? Employees and hires at Purpose AS
- How long is data stored in the system? Suppliers reserve the right to store data as long as the Customer’s subscription is active. In the event of termination, data is stored for up to twelve (12) months from the date of termination. Statistics used to make dobee better are not deleted, but all personal data is removed.
The Data Processor’s own sub-processors for processing data in connection with the Agreement
- Cefalo AS
- Purpose: Development and operation of dobee.it
- Existing contractual basis: SSA-B contract between Purpose AS and Cefalo. The actor is located in Norway.
- Google Ireland Limited, ActiveCampaign LLC and Stripe
- Purpose: Offer Google Cloud as a platform and analysis tool.
- Existing contractual basis: Data is located in the EU/EEA.