Terms & Conditions Data Processor Agreement (DPA)
This Agreement shall provide for the processing of personal data in accordance with the regulation under the EC Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data implemented into Norwegian legislation in the Personal Data Act of 14 April 2000 no. 31 with regulation, and in accordance with the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any new Norwegian legislation which replaces the Personal Data Act with regulations which implements the General Data Protection Regulation (jointly called “Personal Data Regulation” in the following).
2. Purpose of this Agreement
This Agreement governs the Data Processor's processing of the Personal Data on behalf of the Data Controller in order to perform its Services under the Services Agreement. The Data Processor shall process the Personal Data only for the approved purpose and in accordance with applicable laws, this Agreement and the Customer License Agreement (CLA). The purpose of the processing, the duration of the processing, the type of processing and the types of personal data to be processed are covered in this Agreement, which ensures that personal data is processed in accordance with the requirements of the Personal Data Regulation. The Data Processor shall process personal data in the manner described in this Agreement.
3. Personal data to be processed
4. Data Processor rights and duties
The Data Processor confirms that it will implement appropriate technical and organizational measures to ensure that all processing under this Agreement meets the requirements of the Personal Data Regulation and protects the rights of the data subject. The Data Processor shall only process the personal data under the instructions given by the Data Controller, and shall be able to document such instructions if requested. The Data Processor shall not process the personal data in any way other than as instructed or as necessary to provide the services or undertake the obligations requested by the Data Controller.
Access to personal data
The Data Processor and its subcontractors have a duty of confidentiality regarding personal data they have access to as a result of this Agreement and the processing of personal data, and shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. This provision continues to apply for one (1) year after the termination of the Agreement, unless the information has become publicly known within this period.

The Data Controller is responsible for updating and correcting personal data that has been wrongfully registered.

The Data Processor shall not disclose any personal data or other information it processes to any third party without informing the Data Controller. Any inquiry for such information received by the Data Processor shall be passed on to the Data Controller as soon as possible. Any request regarding the personal data or the processing from a third party or a data subject shall be forwarded to the Data Controller without undue delay, unless otherwise agreed in this Agreement or instructed by the Data Controller.

If the Data Processor is of the opinion that an instruction by the Data Controller infringes the Personal Data Regulation, the Data Processor shall immediately inform the Data Controller. The Data Processor is nevertheless obligated to perform its duties under this Agreement and any instructions by the Data Controller regardless of its opinion on the infringement.
5. Data Controllers rights and duties
6. Use of API and 3rd parties
The Data Processor is not responsible for personal data processed by third parties through the Data Processor's API. It is the Data Controller's obligation to read and accept any terms or consents made available by any third party.
7. Security and notifications
The Data Processor shall implement and use technical and organizational security measures such that the processing meets the requirements of the Personal Data Regulation and that are appropriate to prevent the harm which might result from any unauthorized or unlawful processing, loss, destruction, damage, alteration or disclosure of the Personal Data, having regard to the nature of the Personal Data to be protected. The Data Processor shall comply with the security requirements set out in the Personal Data Regulation.

The Data Processor shall provide documentation of the technical and organizational measures implemented to ensure the security of the personal data upon the request of the Data Controller. Security audits shall be performed regularly by the Data Processor. Audits may comprise review of routines and processes, inspections, tests, more comprehensive controls and other relevant control activities. A summary of the audit may be made available to the Data Controller.
Notification of a Personal data breach
If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall notify the Data Controller without undue delay and fully cooperate to remedy the issue as soon as reasonably practicable. The notice shall contain at least the following information:
• description of the Personal Data Breach, including a summary of the incident that caused it and, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying);
• description of the likely consequences and potential risks that the Personal Data Breach may have for the affected data subject(s);
• description of the measures proposed or taken by the Data Processor and/or the subcontractor, as applicable, to address the Personal Data Breach;
• any further information which may be relevant to the Personal Data Breach or its mitigation, in particular information which the Data Controller has previously identified as relevant.
If not all of the information above can be given in the first notice, the remaining information shall be provided as soon as possible.

Notice will be posted through the information center inside the 24SevenOffice Service, or by mail or phone if the breach only affects individual Data Controllers. The Data Processor's Technical Customer Service shall be available to clarify and respond to any follow-up questions the Data Controller may have.
Depending on the nature of the Personal Data Breach, the Data Controller may be obliged to report it to the Data Protection Authority in the country where it resides. The Data Processor is not required to report to any Data Protection Authority unless this is expressly required by applicable law or the Data Controller has approved or instructed it to do so. The Data Processor shall notify the Data Controller without undue delay if it receives a request from any data protection authority or other governmental body requiring the Data Processor or any of its subcontractors to grant that authority or body access to Personal Data. Such notice shall, wherever possible and to the extent permitted by applicable law, be given prior to any disclosure by the Data Processor. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes applicable law.
8. Storage and transfer
Personal Data covered by this Agreement will only be stored at the locations listed in the Privacy Statement, section 10, "Where does 24SevenOffice process and store data?". How long the data is stored and the terms for deletion of data are covered in section 11, "How long does 24SevenOffice store data – Deletion of Personal data". Personal data shall only be transferred to third countries, i.e. countries outside the EU/EEA, upon explicit agreement or instruction by the Data Controller and only where an adequate level of protection is ensured. The Data Processor shall not transfer the personal data, or give access to it, to persons in third countries without the explicit approval of the Data Controller. The consent or instruction given by the Data Controller must cover the country to which the personal data is to be transferred or from which it is to be accessed. Any transfer to, or access from, a third country requires that the appropriate safeguards, including with regard to the rights of data subjects, are complied with.
The Data Processor is hereby authorized by the Data Controller to use any relevant approved subcontractor (sub-processor) on the Data Controller's behalf for the above-mentioned purpose and within any relevant approved territory. The processing of the Personal Data shall only take place in technological environments controlled by the Data Processor and approved subcontractors within the approved territory. The Data Processor shall ensure that any processing of personal data by a subcontractor complies with the requirements set out in this Agreement. This includes verifying that the security measures implemented by a subcontractor ensure at least a level of protection equivalent to that required of the Data Processor under this Agreement. Any sub-processor shall be informed of the Data Processor's obligations under this Agreement and under the Personal Data Regulation, and shall be bound by the same obligations as the Data Processor under this Agreement through a written, binding agreement in which, in particular, the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of the Personal Data Regulation. For details about the approved territory, see the Privacy Statement, section 10, "Where does 24SevenOffice process and store data?".
10. Term and Terminations
This Agreement shall be effective and remain in force for as long as the Data Processor (and its permitted sub-processors) processes personal data on behalf of the Data Controller in the context of the Customer License Agreement (CLA). In case of breach of this Agreement, the Data Controller may instruct the Data Processor to stop further processing of the personal data with immediate effect. Upon termination of this Agreement, regardless of the reason, the Data Processor shall, at the discretion of the Data Controller, delete or return all Personal Data to the Data Controller after the services associated with the processing have been delivered, and delete existing copies, unless there is a legal requirement that the Personal Data continue to be stored. Any export assistance concerning the return of Personal Data performed by the Data Processor is invoiced according to the Customer License Agreement (CLA). The Data Controller shall receive confirmation from the Data Processor that the duties in this paragraph have been complied with.
11. Choice of Law and Dispute Resolution
The provisions of the Customer License Agreement (CLA) on governing law and jurisdiction apply in full to this Agreement.
12. Other duties and rights
Other duties and rights between the parties may be governed by the Customer License Agreement (CLA) or other agreements between the Data Controller and the Data Processor. If the Customer License Agreement (CLA) is transferred, this Agreement shall be transferred with it.