Data Processor Agreement
1 Background to the data processor agreement
- This agreement sets out the rights and obligations that apply when the data processor processes personal data on behalf of the data controller.
- The agreement is designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Data Protection Regulation), which sets specific requirements for the content of a data processor agreement.
- The Data Processor only processes personal data for purposes that are necessary for the Data Controller's use of the Decision Beacon solution.
- This data processor agreement takes precedence over any similar provisions in other agreements between the parties.
- Two appendices (A and B) belong to this agreement and form an integral part of the data processor agreement.
- Appendix A of the Data Processor Agreement contains further information about the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
- Appendix B of the Data Processor Agreement contains further instructions on what processing the data processor must carry out on behalf of the data controller (the subject of the processing), which security measures must be observed as a minimum, and how the data processor and any sub-data processors are supervised.
- This data processor agreement does not release the data processor from obligations that are imposed directly on the data processor by the Data Protection Regulation or any other legislation.
2 Obligations and rights of the data controller
- The data controller is responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the Data Protection Regulation and the Data Protection Act.
- When using Decision Beacon, the data controller shall not process special categories of personal data (sensitive information) unless this is specified in Appendix A. The data controller shall keep an updated list of the categories of personal data that it processes, insofar as such processing differs from the categories of information listed in Appendix A.
- The data controller is, among other things, responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to carry out (including for sub-data processors used by the data processor).
3 The data processor acts according to instructions
- The data processor may only process personal data in accordance with documented instructions from the data controller, unless processing is required by EU law or the national law of a Member State to which the data processor is subject; in that case, the data processor shall notify the data controller of this legal requirement before processing, unless that law prohibits such notification on important grounds of public interest, cf. Article 28(3)(a).
- By entering into the "Terms and Conditions", the data controller instructs the data processor to process personal data in the following ways:
- In accordance with applicable law.
- To the extent necessary to fulfill its obligations in connection with the data controller's normal use of Decision Beacon, as further specified in the appendices to this agreement.
- As described in this agreement.
- The data processor shall inform the data controller without undue delay if, in the data processor's opinion, an instruction infringes the Data Protection Regulation or data protection provisions of other Union or Member State law.
4 Confidentiality
- The data processor ensures that only persons who are currently authorized to do so have access to the personal data processed on behalf of the data controller. Access to the data must therefore be revoked immediately if the authorization is withdrawn or expires.
- Only persons for whom it is necessary to have access to the personal data in order to be able to fulfill the data processor's obligations towards the data controller may be authorized.
- The data processor ensures that the persons authorized to process personal data on behalf of the data controller have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
- The data processor must, at the request of the data controller, be able to demonstrate that the relevant employees are subject to the above-mentioned duty of confidentiality.
5 Security of processing
- The data processor shall take the measures required by Article 32 of the Data Protection Regulation. It follows from Article 32 that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing in question, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to these risks.
- The above obligation implies that the data processor must perform a risk assessment and then implement measures to address the identified risks. These may include, as appropriate, the following measures:
- Assessment of pseudonymization and encryption of personal data as risk-reducing factors.
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
- In connection with the above, and in all cases, the data processor shall at least implement the level of security and the measures specified in Appendix B of this agreement.
6 Use of sub-processors
- The data processor must meet the conditions set out in Article 28(2) and (4) of the Data Protection Regulation in order to make use of another data processor (sub-data processor).
- As part of the operation of Decision Beacon, the Data Processor uses subcontractors ("Sub-Data Processors"). Such Sub-Data Processors may be third-party suppliers inside or outside the EU/EEA. The Data Processor's subcontractors are listed in the up-to-date list of Sub-Data Processors, which can be viewed on the website of the company behind Decision Beacon. The Data Processor shall ensure that its Sub-Data Processors are bound by obligations and requirements corresponding to those described in this Agreement.
- This Agreement constitutes the data controller's prior general and specific written approval of the data processor's use of sub-data processors.
- If a Sub-Data Processor is established, or Personal Data is stored, outside the EU/EEA, the Data Controller authorizes the Data Processor to ensure a sufficient basis for the transfer of Personal Data to third countries on behalf of the Data Controller, including by means of the European Commission's Standard Contractual Clauses.
- The data controller is informed via Decision Beacon's website if the data processor replaces its sub-data processors. However, the data controller is only entitled to object to a new sub-data processor that processes personal data on behalf of the data controller if that sub-data processor does not process data in accordance with applicable data protection legislation. In such a situation, the data processor must demonstrate compliance by giving the data controller access to the data processor's data protection assessment of the sub-data processor. If there is still disagreement about the use of the sub-data processor, the data controller may terminate its subscription to Decision Beacon, including with a shorter notice than usual, to ensure that the data controller's personal data is not processed by the sub-data processor in question.
- In the event of the data processor's bankruptcy, the data controller has the right to step into the data processor's rights and enforce them against the sub-data processor, e.g. so that the data controller can instruct the sub-data processor to delete or return data belonging to the data controller.
- If the sub-data processor does not fulfill its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-data processor's obligations.
7 Transfer of information to third countries or international organizations
- The data processor may only process personal data in accordance with documented instructions from the data controller, including with regard to the transfer (assignment, disclosure and internal use) of personal data to third countries or international organizations. If a sub-data processor is established, or personal data is stored, outside the EU/EEA, the data controller hereby authorizes the data processor to ensure a sufficient basis for the transfer of personal data to third countries on behalf of the data controller, including by means of the European Commission's Standard Contractual Clauses.
The data processor shall, taking into account the nature of the processing, assist the data controller as far as possible by appropriate technical and organizational measures in complying with the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the Data Protection Regulation.
This means that the data processor must, as far as possible, assist the data controller in ensuring compliance with:
- the duty to provide information when collecting personal data from the data subject
- the duty to provide information if personal data has not been collected from the data subject
- the data subject's right of access
- the right to rectification
- the right to erasure ('the right to be forgotten')
- the right to restriction of processing
- duty to notify in connection with the correction or deletion of personal data or restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing, including profiling
The data processor shall assist the data controller, for data processed in Decision Beacon, in ensuring compliance with the data controller's obligations under Articles 32-36 of the Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, cf. Article 28(3)(f).
This means that the data processor must, taking into account the nature of the processing, assist the data controller in ensuring compliance with:
- the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing;
- the obligation to report personal data breaches to the supervisory authority (Datatilsynet) without undue delay and, where feasible, no later than 72 hours after the data controller has become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- the obligation to notify the data subject(s) without undue delay of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to carry out a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to consult the supervisory authority (Datatilsynet) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
- Any agreement between the parties on remuneration or similar in connection with the data processor's assistance to the data controller will appear from the parties' "main agreement" or from Appendix B to this agreement.
8 Notification of breaches of personal data security
The data processor notifies the data controller without undue delay after becoming aware that there has been a breach of the personal data security of the data processor or any sub-data processor.
The data processor's notification to the data controller shall, where feasible, take place no later than 48 hours after the data processor has become aware of the breach, so that the data controller has the opportunity to comply with any obligation to report the breach to the supervisory authority within 72 hours.
- In accordance with its obligation above to assist the data controller in reporting breaches to the supervisory authority, the data processor shall, taking into account the nature of the processing and the information available to it, assist the data controller in notifying the breach to the supervisory authority. This may mean, inter alia, that the data processor shall assist in providing the following information which, in accordance with Article 33(3) of the Data Protection Regulation, must appear from the data controller's notification to the supervisory authority:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- Likely consequences of the breach of personal data security
- Measures taken or proposed to be taken to deal with the breach of personal data security, including, where appropriate, measures to limit its potential harmful effects
9 Deleting and returning information
- Upon termination of the processing services, all personal data belonging to the data controller, as well as existing copies, shall be deleted or anonymized, unless EU law or Member State law requires storage of the personal data.
10 Supervision and audit
- The data controller is entitled to initiate an audit of the data processor's obligations under the agreement once a year. If the data controller is obliged to do so under current legislation, audits may be performed more frequently than once a year. When requesting an audit, the data controller must enclose a detailed audit plan describing the scope, duration and start date at least four weeks prior to the proposed start date. Whether a third party is to carry out the audit shall be decided jointly by the parties. However, the data processor may decide that, for security reasons, the audit must be carried out by a neutral third party of the data processor's choice where it concerns a processing environment in which the data of several data controllers is processed.
- If the proposed scope of the audit is covered by an ISAE, ISO or similar certification report issued by a qualified third-party auditor within the preceding 12 months, and the data processor confirms that there have been no material changes to the measures that were audited, the data controller shall accept that report instead of requesting a new audit of the measures already covered.
- In any case, audits must take place during normal office hours at the relevant facility, in accordance with the data processor's policies, and must not unduly interfere with the data processor's usual commercial activities.
- The data controller bears all costs associated with its audit request. The data processor's assistance in this connection that exceeds the normal service the data processor must provide under applicable data protection legislation is invoiced separately.
11 The parties' agreements on other matters
- Any (special) regulation of the consequences of the parties' breach of the data processor agreement will appear from the parties' "Terms and Conditions".
- Any regulation of other matters between the parties will appear from the parties' "Terms and Conditions".
12 Entry into force and termination
- This Agreement shall enter into force upon acceptance by both Parties of the "Terms and Conditions".
- Either party may require the agreement to be renegotiated if changes in the law or inexpediencies in the agreement give rise to this.
- Any agreement between the parties on remuneration, conditions or similar in connection with amendments to this agreement will appear from the parties' "main agreement".
- Termination of the data processor agreement can take place in accordance with the termination terms, including notice of termination, set out in the "Terms and Conditions".
- The agreement is valid as long as the processing lasts. Notwithstanding the "Terms and Conditions" and/or the termination of the data processor agreement, the data processor agreement remains in force until the processing has ended and the data processor and any sub-data processors have deleted or anonymized the data.
Appendix A: Information on the processing
The purpose of the data processor's processing of personal data on behalf of the data controller is:
That the data controller can use the reporting solution "Decision Beacon", which is owned and managed by the data processor, to collect and process information about the data controller's customers, suppliers and partners as well as information created by the data controller's business processes and internal master data.
The data processor's processing of personal data on behalf of the data controller is primarily about (the nature of the processing):
That the data processor makes the reporting solution "Decision Beacon" available to the data controller, defined as the Customer in the "Terms and Conditions".
The processing may include the following types of personal information about the data subjects:
- Name, e-mail address, telephone number, social security number, date of birth, address, payment information, customer number, customer type and transaction history.
The processing includes the following categories of data subjects:
- Companies and/or persons who are or have been a paying customer, lead, employee or business partner of the data controller.
The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of this agreement. The processing has the following duration:
- The processing is not limited in time and lasts until the agreement is terminated by one of the parties.
Appendix B: Instructions regarding the processing of personal data
B1 Subject matter of / instructions on the processing
The data processor's processing of personal data on behalf of the data controller takes place by the data processor performing the following:
- See section 3, Scope of the agreement, in the "Terms and Conditions".
B2 Security of processing
The security level must reflect:
That the processing does not involve a large amount of personal data covered by Article 9 of the Data Protection Regulation on "special categories of personal data", which is why a "high" level of security need not be established.
Against this background, the data processor is entitled and obliged to make decisions about which technical and organizational security measures are to be used to create the necessary (and agreed) level of security around the information.
B3 Storage period / deletion routine
Personal data is stored with the data processor for as long as it is processed for use in the solution. Upon termination of the agreement, the data processor deletes or anonymizes all personal data. If the data controller requests assistance with the return of data, the associated costs are determined by the parties based on the data processor's hourly rate for the time spent, the complexity of the requested process and the chosen format.
If the data controller deletes personal data in its own system and that system sends a delete request to the Decision Beacon solution, all information related to the person, including the history of the personal data in question, is anonymized.
If the data controller deletes personal data in its own system and that system does NOT send a delete request to the Decision Beacon solution, the deletion/anonymization must be carried out manually. The associated costs are based on the data processor's hourly rate for the time spent.
B4 Instructions or authorization regarding the transfer of personal data to third countries
The Data Controller agrees that data may be placed on servers of Google Cloud services in data centers owned and managed by Google, even if these are located in third countries, provided that Google complies with the applicable GDPR rules and that a valid basis for the transfer is in place, cf. section 7.
B5 Detailed procedures for the data controller's supervision of the processing carried out by the data processor
The data controller may ask the data processor to obtain, once a year and on behalf of the data controller, an audit statement from an independent third party regarding the data processor's compliance with this data processor agreement and its appendices.
The parties agree that the following types of audit statements may be used:
- Independent auditor's ISAE 3000 assurance report on information security and the measures under this data processor agreement.
The audit statement is made available to the data controller as soon as possible after it has been obtained.
In addition, the data controller or a representative of the data controller may carry out supervision, including physical inspection, at the data processor when, in the data controller's assessment, a need arises.
Any costs incurred by the data controller and the data processor in connection with a physical inspection shall be borne by the data controller. The data processor is, however, obliged to allocate the resources (mainly time) necessary for the data controller to carry out its supervision.
B6 Detailed procedures for the supervision of the processing carried out by any sub-data processors
Upon request, the data processor obtains an assurance statement from the sub-data processor to verify compliance with this data processor agreement and its appendices.
The audit statement is made available to the data controller as soon as possible after it has been obtained.
In addition, the data processor or a representative of the data processor may carry out supervision, including physical inspection, at the sub-data processor when, in the opinion of the data processor (or the data controller), a need arises.
Documentation of the inspections carried out is sent to the data controller for information as soon as possible.
The data controller may, if deemed necessary, choose to initiate and participate in a physical inspection at the sub-data processor. This may become relevant if the data controller considers that the data processor's supervision of the sub-data processor has not provided the data controller with sufficient assurance that the sub-data processor's processing takes place in accordance with this data processor agreement.
The data controller's possible participation in an inspection of the sub-data processor does not change the fact that the data processor continues to bear full responsibility for the sub-data processor's compliance with data protection legislation and this data processor agreement.
Any expenses incurred by the data controller, the data processor and sub-data processors in connection with a physical inspection by the data controller shall be borne by the data controller.