Data Processing Agreement
Table of Contents
- The purpose of this Data Processing Agreement
- Definitions
- The Data Controller’s obligations and rights
- The Data Controller’s instructions for the Data Processor
- Confidentiality and duty of secrecy
- Assistance to the Data Controller
- Security of processing
- Notification of breach of personal data security
- Use of Sub-Processors
- Transfer of personal data to countries outside the EEA
- Audits
- Erasure and return of information
- Breach and suspension orders
- Duration and expiry
- Governing law and legal venue
Appendix A: Information about the processing
Appendix B: Conditions for the Data Processor’s use and change of sub-processors
Appendix C: Instructions concerning the processing of personal data
Appendix D: Amendments to the standard text of the data processing agreement and amendments after the conclusion of the agreement
Introduction
The parties to this Data Processing Agreement (DPA) are specified in the Main Agreement (iteam kundeavtale), where iteam is the Data Processor and the customer is the Data Controller. The parties accept that the Main Agreement is signed electronically via the Data Processor’s service based on DocuSign, and that this DPA serves as an attachment to the Main Agreement.
1. The purpose of this Data Processing Agreement
1.1 This agreement (“the Data Processing Agreement”) sets out the Parties’ rights and obligations when the Data Processor processes personal data on behalf of the Data Controller, as part of the services to be delivered under the Main Agreement. The purpose of the Data Processing Agreement is to ensure that the Parties comply with the Applicable Privacy Law.
The Data Processing Agreement comprises this document, as well as Appendices A, B, C, and D.
1.2 In the event of conflict between the terms of the Main Agreement and the Data Processing Agreement, the terms of the Data Processing Agreement will take precedence regarding matters specifically related to the processing of personal data. In the event of any conflict between the Data Processing Agreement and its Appendices, the Appendices take precedence.
1.3 Appendix A of the Data Processing Agreement includes a detailed description of the processing that is to take place, as well as the purposes of the processing, categories of personal data and data subjects, rules for erasure/deletion and return, and the Parties’ designated contact persons, as well as which underlying agreement(s) the processing of personal data is related to (see the definition of the Main Agreement below).
1.4 Appendix B of the Data Processing Agreement includes conditions for the use of Sub-Processors, as well as a list of approved Sub-Processors.
1.5 Appendix C of the Data Processing Agreement contains specific instructions for the processing of personal data under the Main Agreement, including security measures and the Data Controller’s right of access to and audit of the Data Processor and any Sub-Processors, as well as sector-specific provisions concerning the processing of personal data.
1.6 Appendix D of the Data Processing Agreement contains changes to the standard text and any subsequently agreed changes to the Data Processing Agreement.
2. Definitions
Applicable Privacy Law: The applicable version of the EU’s General Data Protection Regulation (2016/679) (“GDPR”), as well as the Norwegian Act on the Processing of Personal Data of 15 June 2018 (the Personal Data Act) with related regulations etc., and any other relevant legislation concerning the processing and protection of personal data, as specified in Appendix C, clause C.7.
Main Agreement: One or more agreements between the Data Controller and the Data Processor concerning the provision of services which entail the processing of personal data, as specified in more detail in Appendix A. The Data Processing Agreement may apply to several underlying agreements.
Sub-Processor: A company or person used by the Data Processor as a subcontractor for the processing of personal data under the Main Agreement.
Article 4 of the GDPR will apply to privacy policy terms not defined in this Data Processing Agreement.
3. The Data Controller’s obligations and rights
The Data Controller is responsible for the processing of personal data in accordance with the Applicable Privacy Law. The Data Controller must specifically ensure that:
- The personal data is processed for a specified and explicit purpose and is based on valid legal grounds;
- the data subjects have received the necessary information concerning the processing of the personal data;
- the Data Controller has carried out adequate risk assessments; and
- the Data Processor has, at all times, adequate instructions and information to fulfil its obligations under the Data Processing Agreement and the Applicable Privacy Law.
4. The Data Controller’s instructions for the Data Processor
4.1 The Data Processor shall process the personal data in accordance with the Applicable Privacy Law and the Data Controller’s documented instructions, cf. Section 4.2. If other processing is necessary to fulfil obligations to which the Data Processor is subject under applicable law, the Data Processor must notify the Data Controller to the extent this is permitted by law, cf. Article 28 (3)(a) of the GDPR.
4.2 The Data Controller’s instructions are stated in the Main Agreement and the Data Processing Agreement with Appendices. The Data Processor must notify the Data Controller immediately if the Data Processor believes the instructions conflict with the Applicable Privacy Law, cf. Article 28 (3) (h) of the GDPR.
4.3 The Data Processor must be notified of any changes to the instructions by updating Appendix D and changes must be implemented by the Data Processor by the date agreed between the Parties or, if no specific date has been agreed, within reasonable time. The Data Processor may require the Data Controller to pay documented costs accrued in connection with the implementation of such changes, or the proportional adjustment of the remuneration under the Main Agreement if the amended instructions entail additional costs for the Data Processor. The same applies to additional costs that accrue due to changes in the Applicable Privacy Law which concern the activities of the Data Controller.
5. Confidentiality and duty of secrecy
5.1 The Data Processor must ensure that employees and other parties who have access to personal data are authorized to process personal data on behalf of the Data Processor. If such authorization expires or is withdrawn, access to the personal data must cease without undue delay.
5.2 The Data Processor shall only authorize persons who need access to the personal data in order to fulfill their obligations under the Main Agreement, the Data Processing Agreement, and any other processing that is necessary to fulfil obligations to which the Data Processor is subject in accordance with applicable law, see Section 4.1 last sentence.
5.3 The Data Processor must ensure that persons authorized to process personal data on behalf of the Data Controller are subject to obligations of confidentiality, either by agreement or applicable law. The obligations of confidentiality shall survive after the duration of the Data Processing Agreement and/or employment relationship.
5.4 At the request of the Data Controller, the Data Processor shall document that the relevant persons are subject to said obligations of confidentiality, see Section 5.3.
5.5 Upon the expiry of the Data Processing Agreement, the Data Processor is required to discontinue all access to personal data that is processed under the Data Processing Agreement.
6. Assistance to the Data Controller
6.1 When requested, the Data Processor shall assist the Data Controller with the fulfillment of the rights of the data subject under Chapter III of the GDPR, through appropriate technical or organizational measures. The obligation to assist the Data Controller solely applies insofar as this is possible and appropriate, taking into consideration the nature and extent of the processing of personal data under the Main Agreement.
6.2 Without undue delay, the Data Processor shall forward all enquiries that the Data Processor may receive from data subjects concerning the rights of said data subjects under the Applicable Privacy Law to the Data Controller. Such enquiries may only be answered by the Data Processor when this has been approved in writing by the Data Controller.
6.3 The Data Processor must assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, including providing assistance with personal data impact assessments and prior consultations with the Norwegian Data Protection Authority, in view of the nature and extent of the processing of personal data under the Main Agreement.
6.4 If the Data Processor, at the request of the Data Controller, provides assistance as described in Section 6.1 or 6.3, and the assistance goes beyond what is necessary for the Data Processor to fulfil its own obligations under the Applicable Privacy Law, the Data Processor may claim all documented costs related to the assistance be reimbursed by the Data Controller. The assistance will be reimbursed in accordance with the price provisions of the Main Agreement.
7. Security of processing
7.1 The Data Processor shall implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Data Processor must, as a minimum, apply the measures specified in Appendix C of the Data Processing Agreement.
7.2 The Data Processor shall carry out risk assessments to ensure that an appropriate security level is maintained at all times. The Data Processor must ensure regular testing, analysis and assessment of the security measures, in particular with regard to ensuring sustained confidentiality, integrity, availability and robustness in processing systems and services, and the ability to quickly restore the availability of personal data in the event of an incident.
7.3 The Data Processor must document the risk assessment and security measures and make them available to the Data Controller on request, and also allow for the audits agreed between the Parties, cf. Section 11 of the Data Processing Agreement.
8. Notification of breach of personal data security
8.1 In case of personal data breach, the Data Processor shall, without undue delay, notify the Data Controller in writing of the breach, and in addition provide the assistance and information necessary for the Data Controller to be able to report the breach to the supervisory authorities in line with the Applicable Privacy Law.
8.2 Notification in accordance with Section 8.1 must be given to the Data Controller’s point of contact in accordance with Appendix C, Section C.9, and must:
- describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories of and approximate number of personal data records concerned,
- state the name and contact details of the data protection officer or other contact point from where more information can be obtained,
- describe the likely consequences of the personal data breach, and
- describe the measures taken or proposed by the Data Processor to address the breach, including, where appropriate, measures to mitigate possible adverse effects.
If necessary, information may be given in phases without any further undue delay.
8.3 The Data Processor shall implement all necessary measures that may reasonably be required to rectify and avoid similar personal data breaches. As far as possible, the Data Processor must consult the Data Controller concerning the measures to be taken, including assessment of any measures proposed by the Data Controller.
8.4 The Data Controller is responsible for notifying the Data Protection Authority and the data subjects affected by the personal data breach. The Data Processor may not inform third parties of any breach of personal data security unless otherwise required under applicable law or in accordance with the express written instructions of the Data Controller.
9. Use of Sub-Processors
9.1 The Data Processor may only use a Sub-Processor with the prior general or specific written authorization of the Data Controller, in accordance with Appendix B of the Data Processing Agreement. For an overview of approved Sub-Processors, see Appendix B in the Data Processing Agreement.
9.2 If a Data Processor engages a Sub-Processor to carry out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on the Sub-Processor by way of written agreement. See Section 9.7 concerning the use of standard third-party services.
9.3 The Data Processor may only engage Sub-Processors who provide appropriate technical and organizational measures, to ensure that the processing fulfils the requirements in accordance with the Applicable Privacy Law. The Data Processor must assess and verify that satisfactory measures have been taken by the Sub-Processor. Upon request, the Data Processor must be able to submit reports from such assessments to the Data Controller.
9.4 If the Data Controller objects to changes in the use of Sub-Processors pursuant to Appendix B, Section B.1, of the Data Processing Agreement, the Parties must negotiate in good faith with the aim of reaching a reasonable solution as to how the further delivery of the services under the Main Agreement is to take place, including the distribution of any costs between the Parties. The Parties must come to an agreement before changes in the use of Sub-Processors can be made.
9.5 If the Sub-Processor fails to fulfil its data protection obligations, the Data Processor shall remain liable to the Data Controller, for the performance of the Sub-Processor’s obligations in the same way as if the Data Processor itself were responsible for the processing.
9.6 The Data Processor is obligated, on request, to disclose agreements with its Sub-Processors to the Data Controller. This solely applies to the parts of the agreement that are relevant to the processing of the personal data and subject to any statutory or regulatory limitations. Commercial terms and conditions are not required to be submitted.
9.7 If the Data Processor uses a sub-contractor that provides standardized third-party services, the Parties may agree that the sub-contractor’s standard data processing agreement will be used and applied directly to the Data Controller, as in a direct data processing relationship (i.e., not as a Sub-Processor), under the following terms:
- The Data Controller must expressly accept under the Main Agreement that the standardized third-party services are provided on the sub-contractor’s standard terms
- The Data Processor must follow up on the standard terms on behalf of the Data Controller
- The standard terms must fulfil the requirements in the Applicable Privacy Law.
The Data Processor must follow up the data processing agreement with the sub-contractor on behalf of the Data Controller, unless otherwise agreed in each individual case.
10. Transfer of personal data to countries outside the EEA
10.1 Personal data may only be transferred to a country outside the EEA (“Third Country”) or to an international organization if the Data Controller has approved such transfer in writing and the terms in Section 10.3 are fulfilled. Transfer includes, but is not limited to:
- processing of personal data in data centers etc. located in a Third Country or by personnel located in a Third Country (by remote access);
- assigning the processing of personal data to a Sub-Processor in a Third Country; or
- disclosing the personal data to a Data Controller in a Third Country or in an international organization.
10.2 The Data Processor may, however, transfer personal data if this is required by applicable law in the EEA area. In such cases, the Data Processor must notify the Data Controller, to the extent permitted by law.
10.3 Transfers to Third Countries or international organizations may only take place if the necessary guarantees of an adequate level of data protection in accordance with the Applicable Privacy Law are in place. Unless otherwise agreed between the Parties, such transfers may only take place on the following grounds:
- a decision by the European Commission concerning an adequate level of protection in accordance with Article 45 of the GDPR; or
- a Data Processing Agreement which incorporates standard personal data protection provisions as specified in Article 46 (2) (c) of the GDPR (EU Model Clauses); or
- Binding Corporate Rules in accordance with Article 47 of the GDPR.
10.4 Any approval by the Data Controller for the transfer of personal data to a Third Country or an international organization must be stated in Appendix B of this Data Processing Agreement.
11. Audits
11.1 The Data Processor shall, upon request, make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this Data Processing Agreement.
11.2 The Data Processor shall allow and contribute to inspections and audits carried out by or on behalf of the Data Controller. The Data Processor shall also allow and contribute to inspections by relevant supervisory authorities. The Data Controller’s review of any Sub-Processor shall be conducted by the Data Processor, unless otherwise specifically agreed. Specific procedures for conducting audits are set out in Appendix C, Clause C.5.
11.3 If an audit reveals a breach of the obligations in the Applicable Privacy Law or this Data Processing Agreement, the Data Processor must rectify the breach as soon as possible. The Data Controller may require the Data Processor to temporarily stop all or part of the processing activities until the breach has been rectified and approved by the Data Controller.
11.4 Each Party shall pay its own costs associated with an annual audit. If an audit reveals significant breaches of the obligations under the Applicable Privacy Law or the Data Processing Agreement, the Data Processor shall cover the Data Controller’s reasonable costs accrued from the audit.
12. Erasure and return of information
12.1 Upon the expiry of this Data Processing Agreement, the Data Processor is obligated to return and erase all personal data processed on behalf of the Data Controller under the Data Processing Agreement, in accordance with the provisions of Appendix C, Section C.6. This also applies to any back-up copies.
12.2 The Data Controller will determine how any return of personal data is to take place. The Data Controller may require return to take place in a structured and commonly used, machine-readable format. The Data Controller will pay the Data Processor’s documented costs associated with the return, unless this is included in the remuneration under the Main Agreement.
12.3 If a shared infrastructure or back-up is used and direct erasure is not technically possible, the Data Processor must ensure that the personal data is made inaccessible until it has been overwritten.
12.4 The Data Processor must confirm in writing to the Data Controller that the data has been erased or made inaccessible and shall, upon request, document how this has taken place.
12.5 Further provisions concerning erasure and return are set out in Appendix C.
13. Breach and suspension orders
13.1 In the event of a breach of the Data Processing Agreement and/or Applicable Privacy Law, the Data Controller and the relevant supervisory authorities may order the Data Processor to cease all or part of the processing of the data with immediate effect.
13.2 If the Data Processor fails to comply with its obligations pursuant to this Data Processing Agreement and/or the Applicable Privacy Law, this shall be deemed a breach of the Main Agreement, and the obligations, deadlines, sanctions and limitations of liability in the Main Agreement’s regulation of the Data Processor’s breach will be applied, unless otherwise expressly agreed between the Parties in Appendix D.
14. Duration and expiry
14.1 The Data Processing Agreement will come into effect from the date it is signed by both Parties. The Data Processing Agreement shall apply for as long as the Data Processor processes personal data on behalf of the Data Controller. It shall also apply to any personal data held by the Data Processor or any of its Sub-Processors after the expiry of the Main Agreement.
14.2 The rules concerning termination specified in the Main Agreement shall also apply to the Data Processing Agreement, to the extent this is applicable. The Data Processing Agreement may not be terminated if the Main Agreement is in effect, unless it is replaced by a new data processing agreement.
15. Governing law and legal venue
This Data Processing Agreement is governed by Norwegian law. Disputes will be resolved in accordance with the provisions of the Main Agreement, including any provisions concerning legal venue.
Appendix A: Information about the processing
16.1 The Main Agreement and the purpose of the processing of personal data
The Data Processor’s processing of personal data on behalf of the Data Controller relates to the provision of services described in the Main Agreement.
The processing serves the following purpose(s):
- Service delivery
- Support
- Data Storage
16.2 The Data Processor’s processing of personal data on behalf of the Data Controller
The Data Processor’s processing of personal data on behalf of the Data Controller concerns (the nature of the processing):
- Registration, Organization and Storage of Data
16.3 Categories of personal data
The processing includes the following categories of personal data pertaining to the data subjects:
- Special categories of personal data pursuant to GDPR Article 9 (1): None
- Other information with a special need for protection: None
- Other personal information: The Data Processor stores the Data Controller’s company name, and the name and contact details of their employees, to be able to provide support. Office and billing address, org.no., bank account no., and company contact details are stored to be able to send bills to the Data Controller according to the services in the Main Agreement.
Other categories of personal data are specified in the Main Agreement.
16.4 Categories of data subjects
The processing includes the following categories of data subjects:
- The Data Controller’s employees
Other categories, and any information processed about a particularly vulnerable group such as children or disabled persons, should be described explicitly and separately in the Main Agreement.
16.5 Duration of processing
The Data Processor’s processing of personal data under the Main Agreement may commence once the Data Processing Agreement has entered into effect. The duration of processing is as follows:
- The processing is not limited in time and will proceed until termination of the Main Agreement.
Upon termination (of the Data Processing Agreement or a specific processing activity), personal data shall be returned and/or deleted in accordance with Section 12 of the Data Processing Agreement and the instructions in Appendix C.
Appendix B: Conditions for the Data Processor’s use and change of sub-processors
17.1 The Data Controller’s approval of the use of Sub-Processors
Upon entering into the Data Processing Agreement, the Data Controller approves the use of the Sub-Processors listed in Section 17.2. Note that any subsidiary, parent company or another company in a group of companies of the Data Processor will be considered as Sub-Processors if they contribute to the delivery and process personal data.
For any changes or additions in the Sub-Processors used, the following has also been agreed:
- The Data Processor may use a Sub-Processor within the same group (subsidiary, parent company or another company in a group of companies) so long as it is established in a country within the EEA. The Data Processor shall inform the Data Controller in advance of the use of such a Sub-Processor. (This option can be combined with one of the other options.)
- The Data Processor may implement changes to the use of Sub-Processors, provided that the Data Controller is notified and given the opportunity to object to the changes. Such notification shall be received by the Data Controller no later than one month before the change enters into force, unless otherwise agreed in writing between the Parties. Regardless of the aforementioned, changes entailing the transfer of personal data to countries outside the EEA (Third States) will require written approval in accordance with Section 10 of the Data Processing Agreement. If the Data Controller opposes the change, the Data Processor shall be notified as soon as possible. The Data Controller cannot oppose the change without reasonable grounds.
- The Data Processor may only implement changes to its Sub-Processors with specific and prior written approval from the Data Controller. The Sub-Processor cannot process personal data under the Main Agreement until such approval is granted. Approval cannot be denied without reasonable grounds.
17.2 Approved Sub-Processors
The Data Controller has approved the use of the Sub-Processors listed here.
The Data Processor may not use a Sub-Processor for any processing other than is agreed or allow another Sub-Processor to carry out the described processing in cases other than those set out in Appendix B, clause B.1 on the change of Sub-Processor.
Appendix C: Instructions concerning the processing of personal data
18.1 The scope and purpose of the processing
The personal data shall be processed solely to the extent and for the purposes described in
- The Main Agreement
- The Data Processing Agreement with appendices
The Data Processor has no right to control the personal data beyond what is required to fulfil its obligations under the Data Processing Agreement and cannot process it for its own purposes.
18.2 Security of the processing
18.2.1 Indication of security level
Based on an assessment of the scope of personal data processed, the type of data, and the nature of the processing, it is established that the processing:
- Requires a high level of security.
- Does not require a high level of security. Explanation: The processing only includes storage of data, which does not include special categories of personal data.
18.2.2 Management system for information security
The Data Processor shall have in place an appropriate management system for information security. The Data Processor shall establish and manage sufficient security measures and safeguards to ensure information security in relation to the processing of personal data, including:
- Security requirements as described in the Main Agreement.
- Security requirements as described below: Access Control and data encryption.
18.3 Documentation
The Data Processor shall document the routines and measures that have been implemented to meet the requirements set out in the Applicable Privacy Law and the Data Processing Agreement, including the requirements for information security. Such documentation shall be stored and kept up to date as long as the Data Processing Agreement remains in effect and shall be made available to the Data Controller or supervisory authorities upon request.
18.4 Transfer of personal data – Location for processing and access
Processing of the personal data covered by the Agreement may not, without the Data Controller’s prior written consent, be carried out at or with access from locations other than those specified in Appendix B.2. Location refers to:
- Location where it is possible to access personal data
- Location where the personal data is processed
- Location where the personal data is stored
The above limitation does not apply to the Data Processor’s subsidiaries, parent company or another company in a group of companies of the Data Processor established within the EEA. However, the Data Processor shall, at the request of the Data Controller, explain where the personal data is being processed at all times.
18.5 Procedures for audit and supervision
In order to verify compliance with the Applicable Privacy Law and the Data Processing Agreement, the following has been agreed:
- The Data Controller has the right to conduct audits at the Data Processor’s business location in order to verify the Data Processor’s compliance with its obligations under this Data Processing Agreement or the Applicable Privacy Law. Such audits shall:
  The Data Controller shall cover the costs of any third parties used to conduct the audit. Otherwise, the Parties cover their own costs when carrying out the audit. If the audit reveals a material breach of the obligations under the Applicable Privacy Law or the Data Processing Agreement, the Data Processor shall cover the Data Controller’s reasonable costs incurred in relation to the audit.
- The Data Processor shall use an external auditor to certify that security measures have been established and are effective as intended. Such an audit shall:
  In addition, the Data Processor shall provide such information and assistance as is required for the Data Controller to be able to comply with its obligations under the Applicable Privacy Law.
- For standardized third-party services provided by the Sub-Processor, a third-party audit may be presented, provided that the audit has been carried out in accordance with generally accepted principles and by a certified auditor.
18.6 Deletion and return of personal data at termination of the Agreement
The parties have agreed the following on the deletion/return of personal data:
- All personal data processed under this Data Processing Agreement shall be deleted without undue delay and no later than within 90 calendar days after termination of the Main Agreement. This also applies to any other relevant information that is managed on behalf of the Data Controller.
- All personal data processed under this Data Processing Agreement, as well as any other relevant information managed on behalf of the Data Controller, shall be returned upon termination of the Main Agreement. After the return has been executed, the Data Processor is obliged to delete all personal data and other relevant information that is managed on behalf of the Data Controller within 30 calendar days. Returns shall be executed as follows: Export of data
18.7 Sector-specific provisions on the processing of personal data
None.
18.8 Contact information
In case of a security breach, contact the Data Processor’s support at +47 79 00 50 00 or kundeservice@iteam.no. See the Main Agreement for additional contact information.
Appendix D: Amendments to the standard text of the data processing agreement and amendments after the conclusion of the agreement
Changes to the standard text of the Data Processing Agreement and changes after the conclusion of the Agreement shall be specified in the Main Agreement.