Data Processing Agreement

The purpose of the Data Processing Agreement

The purpose, duration, and nature of the processing, and the type and category of the personal data related to individuals (“Data Subject”) are set out in the appendices to this DPA.

The DPA is to assure that personal data is processed in accordance with prevailing requirements for the processing of personal data, as stated for example in the EU directive 95/46/EC of 24 October 1995 (Data Protection Directive) on the protection of Data Subjects with regard to the processing of personal data and on the free movement of such data, which is implemented in Norway by the law of 14 April 2000 no. 31 and its regulations on the Processing of Personal Data (“the Privacy Act”), the requirements of the European Parliament and Council Regulation (EU) No. 2016/679 of 27 April 2016 on the protection of Data Subjects with regard to the Privacy Act and the free movement of such data, and the repeal of the Data Protection Directive, together with Norwegian law and related rules introduced as a result of the General Data Protection Ordinance (“GDPR”) and replacing the Privacy Act (hereinafter both the current and the new privacy act are referred to as “the Privacy Act”).

The Processor is to process personal data in accordance with what is described in the DPA, together with any other relevant specifications that have been agreed upon in writing between the Processor andthe Controller.

Terms and definitions used in the DPA are to be interpreted the same way as in the Privacy Act.

The rights and obligations of the Controller, the obligations of the Processor

The Processor confirms to implement suitable technical and organizational measures to assure that all processing under the DPA meets the requirements of the Privacy Act and protect the rights of the Data Subjects, including compliance with the requirements set out in article 32 of the GDPR. See Section 4 for additional obligations. The Controller shall at all times have the legal liability for the personal data.

The Processor shall only process personal data based on documented instructions from the Controller. The Processor should at all times be able to provide documentation for such instructions. The Processor shall not process any other personal data that is accessed, other than the one that is necessary to perform the activities that the Controller has hired the Processor to do.

The Processor shall assist the Controller in responses to requests from Data Subjects, exercising their rights in accordance with chapter 3 of the GDPR, as far as possible with respect to the nature of the processing, assist by appropriate technical and organizational measures, as well as assist the Controller in assuring compliance with the requirements related to the security of personal data and in the assessment of consequences for personal integrity and preliminary discussions as stated in articles 32 to 36 of the GDPR, with respect to the nature of the processing and the information that is available to the Processor. If there exists a code of conduct that is valid in accordance with article 40 of the GDPR, or a valid certification process in accordance with article 42, according to which the Processor has approved to act or that the Processor has been certified according to, then the Processor is obliged to adhere to that code of conduct or those certification requirements.

The Processor is to keep a record (logbook) of the processing activities that is conducted on behalf of the Controller, which as a minimum is to include the information that is specified in article 30 of the GDPR. The Controller may at any time request to receive a copy of the record.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are presented in this section, and enable and contribute to audits, including inspections conducted by the Controller or another party on behalf of the Controller. This also includes security documentation. The Controller has the direct liability to the relevant supervisory authorities.

The Processor is not allowed to disclose personal data that it is given access to as a result of the DPA, and shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are subject to appropriate statutory obligation of confidentiality. This term is also valid after the expiration of the DPA.

The Processor may not provide any information about or reveal any data that the Processor is processing on behalf of the Controller to a third party, without having received explicit instructions from the Controller. Any requests to the Processor is to be forwarded to the Controller without undue delay.

If the Processor is of the opinion that an instruction from the Controller is in conflict with the GDPR, the Privacy Act, or other regulation in regards to processing personal data, the Processor shall immediately notify the Controller of their opinion. The Processor is obliged to perform its duties under the DPA despite its opinion.

Engaging subcontractors

The Processor shall only engage subcontractor (“Sub-processor”) for the purpose of processing personal data which has been pre-approved by the Controller through the DPA, and that has been confirmed to implement suitable technical and organizational measures to assure that all processing under the DPA meets the requirements of the Privacy Act and protect the rights of the Data Subjects. Sub-processors that are already approved when entering the DPAs are specified at the end of the DPA, in the appendix section.

The Controller authorizes the Processor to engage Sub-processors for processing of personal data in accordance with the DPA. Upon any plan of engaging additional Sub-processor or replacing a current Sub-processor, the Processor shall inform the Controller about the plans for the Controller to get the possibility to object to such changes.

The Sub-processor shall have knowledge about the obligations of the Processor, according to the DPA and the framework that is regulating the processing of the Controller’s personal data. The Sub-processor shall be subject to the same obligations regarding the protection of personal data, that is stated in the DPA, according to which the Sub-processor is to provide sufficient guarantees for implementing the technical and organizational measures to assure that all processing meets the requirements set by law. If the Sub-processor fails to comply with their obligations regarding the protection of personal data and the requirements in the DPA, the Processor shall remain fully liable to the Controller for the Sub-processor’s lack of compliance.

Compliance and discrepancies

The Processor shall comply with the security requirements that are stated in the Privacy Act and its regulations. The Processor shall be able to document routines and other activities that are performed to meet these requirements. The documentation shall be made available upon request from the Controller.

If the Controller wishes to perform an audit of the Processor’s compliance, then the Processor should be noticed no later than 2 months prior the time for the actual audit. The audit may include inspecting routines, random checks, more extensive local inspections, and other appropriate control measures. If the audit reveals a lack in compliance with agreement terms or legal requirements that the Processor is liable for implementing, it is the obligation of the Processor to correct those discrepancies in such a manner that the terms of the agreement are fulfilled. If the identified discrepancies are of significant character and the Processor may be accused of negligence (both parts are to be evaluated by a neutral third party, such as an external IT security firm), the Processor is to refund the costs necessary for the Controller to perform the audit, at a maximum total corresponding to 3 times the monthly license fee of the Controller (calculated as a monthly average since the date of signature on License Agreement).

In case of a security or integrity breach, the Processor shall notify the Controller without undue delay. The report of the breach is to include the following, as a minimum:

• Description of the character of the violation of the personal data security, including, if possible, the categories and approximate number of the Data Subjects that are affected, together with the categories and approximate number of personal data that are affected.
• Name and contact information of the data integrity advisor, or other contact person, from whom it is possible to retrieve additional information.
• Description of the plausible consequences from the violation of the persona data security.
• Description of the measures that have been taken or that are suggested to be taken to manage the violation of the persona data security, including, when needed, measures to reduce possible damage as a consequence of the violation.

If it is not possible to provide all information with the initial notice, then additional information shall be provided continually thereafter, as soon as it is available.

The Controller is responsible for informing supervisory authorities and the Processor shall not send any such information or contact supervisory authorities without prior instructions from the Controller.

Transfer to other countries

Personal data shall only be transferred to countries outside of the EU/EEA (third countries) upon instructions from the Controller. The Processor may not transfer or in other ways make the personal data available to persons in a third country without the prior written and explicit approval and instructions for such transfer or access from the Controller. The approval and instructions shall include information about which country the personal data is to be transferred to. The transfer to a third country requires, even with the approval and instructions, compliance with the requirements for security and protection of the rights of the Data Subject, as stated in the Privacy Act and other regulatory frameworks.

Duration of the DPA, cancellation of agreement, obligations at the expiration/cancellation

The DPA is valid as long as the Processor is processing or has access to personal data on behalf of the Controller in accordance with the License Agreement.

In case of a breach of the DPA, the Privacy Act, or other relevant regulatory frameworks, the Controller may instruct the Processor to immediately stop further Processing of personal data without further notice.

The Processor shall, after such instruction from the Controller, destroy or return all personal data to the Controller after the services that relate to the processing have been delivered, and destroy any existing copies, as long as there are no existing legal basis for the continued storing of the personal data. This also applies to any backup copies, but it is sufficient to overwrite those in accordance with established procedures for backup copying.

The Controller shall receive a written confirmation from the Processor of that all personal data has been returned or destroyed in accordance with the instructions from the Controller, and of that the Processor has not kept personal data in terms of copies, prints, or other media format.

Additional obligations and rights

Additional obligations and rights are stated in the License Agreement, that has been entered by the Processor and the Controller regarding the services that necessitates thepProcessing of personal data and the DPA. The same contact persons should be applied for the DPA as for the License Agreement.

The DPA is not to expand the possibilities for sanctions on behalf of the Controller, or the liability of the Processor, in addition to what is stated in the License Agreement.

At a possible transfer of the License Agreement to another party, the DPA will be transferred correspondingly.

Notifications

Notifications under the DPA shall follow agreed upon procedures in the License Agreement.

Legislation and jurisdiction

Legislation and jurisdiction of the DPA shall be the same as is stated in the License Agreement.