Data processing agreement

In accordance with the EU’s General Data Protection Regulation (“GDPR”) article 28 paragraph 3 and the prevailing Norwegian Personal Data Act, this Data Processing Agreement (“DPA”) enters into force if and when the Services entail processing of the Customer’s Personal Data and will form part of the Terms of Service for Access and Use of SESAM Software as a Service (SaaS) (“Terms of Service”). The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Use. Except as modified below, the terms of the Terms of Use shall remain in full force and effect.

1. Definitions

1.1 In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 “Applicable Laws” means (a) GDPR - EU General Data Protection Regulation 2016/679;

(b) EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

(c) European Union or Member State laws with respect to all the Personal Data in respect of which the Controller is subject to EU Data Protection Laws; and

(d) any other applicable law with respect to all the Personal Data in respect of which the Controller is subject to any other Data Protection Laws;

1.1.2 “Controller” means Customer, and the Customer determines the purpose and means of processing the Personal Data;

1.1.3 “Processor” means Vendor (or a Subprocessor), which processes Personal Data on behalf of the Controller;

1.1.4 “Personal Data” means any information relating to an identified or identifiable natural person which is Processed by the Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement;

1.1.5 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any member state or other country;

1.1.6 “EEA” means the European Economic Area;

1.1.7 “Third Countries” means non-EU/EEA-countries that do not have a sufficient level of security for processing personal data;

1.1.8 “Services” means the SESAM SaaS-services that will be supplied pursuant to the specifications in the Principal Agreement;

1.1.9 “Subprocessor” means any person (including any third party, but excluding an employee of the Processor) appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Principal Agreement.

2. Processing of Personal Data on the Controller’s behalf

2.1.1 This Agreement comes into force if and when the Customer chooses to enter and store Personal Data in the Services. The Agreement is an appendix to the Principal Agreement and does not imply any changes to the commercial terms between the parties.

2.1.2 The object of this Agreement is to set out the rights and obligations pursuant to the GDPR, the prevailing Norwegian Act on the Processing of Personal Data, with additional Regulation(s). This Agreement shall ensure that the Personal Data regarding the Data Subjects is not used in a non-compliant manner or compromised to unauthorized parties.

2.1.3 SESAM will process Personal Data necessary for the purpose of performing the Services in accordance with the Agreement, and as further instructed by Customer in its use of the Services.

2.1.4 This Agreement shall ensure that the Personal Data processed by the Processor on behalf of the Controller, is only processed in compliance with Applicable Laws and according to the Controller’s documented instructions.

2.1.5 The subject matter of the Processing of the Personal Data is set out in the Principal Agreement and this Agreement, and the duration of the processing shall be for the duration of the Customer’s right to use the Services pursuant to the Principal Agreement.

2.1.6 The Processor will typically not have access to the Personal Data. The Personal Data is only to be stored in the Processor’s operating environment. Where Personal Data is stored in the operating environment that is part of the Processor’s Services, the Processor shall only monitor and provide support on the Services and not process the Personal Data in any way other than what is stipulated in the Principal Agreement. If the Controller wants the Processor to carry out any other form of processing of the Personal Data, the Controller must make the request by a written change order to the Processor. Further/other processing of the Personal Data as a result of such a change order may lead to increased costs for the Processor and must thus be covered by the Controller, see section 2.5.

2.1.7 Where the Controller stores the Personal Data in their own operating environment, the Processor will not be able to access the Personal Data unless the Controller provides such access. The Processor shall monitor and provide support on the Services and not process the Personal Data in any way other than what is stipulated in the Principal Agreement. If the Controller wants the Processor to carry out any other form of processing of the Personal Data, the Controller must make the request by a written change order to the Processor and then provide access to the Personal Data. Further/other processing of the Personal Data as a result of such a change order may lead to increased costs for the Processor and must thus be covered by the Controller, see section 2.5.

2.2 Categories of Personal Data and Data Subjects

2.2.1 The Customer may submit Personal Data to the Services, which may include, but is not limited to, categories of Personal Data such as first and last name, home address, mobile number, job title, date of birth, education/qualifications, personal identification number, salary, bank account number, passwords, pictures and so on.

2.2.2 The Customer may submit Personal Data to the Services, which may include, but is not limited to, categories of Data Subjects such as customers, end users, employees, agents, advisors, job applicants, partners, suppliers, clients and customers.

2.2.3 In the case that the Controller processes special categories of Personal Data, this must be specifically agreed upon with the Processor in advance of such Processing.

2.3 The Controller’s Obligations

2.3.1 The Controller shall provide the Processor with written instructions on the processing of the Personal Data on behalf of the Controller, hereunder transferring the Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Principal Agreement and in accordance with Applicable Laws.

2.3.2 The Controller shall ensure that the processing of the Personal Data is lawful.

2.3.3 The Controller shall authorise the Processor to provide each Subprocessor with the same written instructions that the Processor has been provided with.

2.3.4 The Controller has provided the Data Subjects with the necessary information according to Applicable Laws; and it is the responsibility of the Controller to collect any consents from the Data Subjects for the processing of Personal Data taking place according to the Principal Agreement.

2.4 The Processor’s obligations

2.4.1 The Processor shall only process the Personal Data on behalf of the Controller and on written instructions from the Controller, unless Processing is required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing. The Processor shall only process the Personal Data for the sole purpose and to the extent necessary to provide the Services, in accordance with the terms in this Agreement and Applicable Laws.

2.4.2 The Processor does not have the right of use of the Personal Data, and may therefore not process them for their own purposes under any circumstances.

2.4.3 The Processor has carried out the technical and organizational security measures as described in this Agreement’s section 4, in order to protect the Personal Data from loss, misuse or unauthorized alteration or dissemination, or against other illegal processing. These measures represent a level of security appropriate to the risks represented by the processing, taking into account the costs of the implementation.

2.4.4 The Processor shall give the Controller access to its applicable security documentation, and in other respects assist, so that the Controller may comply with his own responsibilities according to Applicable Laws.

2.4.5 The Controller has, unless otherwise agreed or pursuant to Applicable Laws, the right to access the Personal Data being processed and the systems used for this purpose. The Processor shall provide necessary assistance for such access to be given.

2.4.6 The Processor is subject to confidentiality regarding the documentation and the Personal Data to which it gains access under this Agreement. This provision also applies after the termination of this Agreement.

2.4.7 The Processor may freely choose where it geographically stores the Personal Data, although in such a manner that the Personal Data shall not be stored in countries outside of EU/EEA without a separate written agreement or the transfer/storage being included in a special arrangement (e.g. “SCC”). The Controller may at any time require information on where the Personal Data is stored.

2.4.8 The Processor shall, without undue delay, notify the Controller on any request from governmental authorities or the police regarding the disclosure of the Personal Data, unless this is prohibited (e.g. prohibited by the Penal Code to preserve the confidentiality of an investigation), on any unauthorized access to or unauthorized disclosure of the Personal Data (see section 7.1) and on any request received directly from a Data Subject, without answering the request unless otherwise authorized to do so. The Processor will only disclose the Personal Data to governmental authorities or the police when legally obliged to do so, e.g. court order, judgement, order with a basis in law or similar.

2.5 In the case that the Controller’s instructions or the Processor’s assistance to the Controller lead to increased costs for the Processor compared to what was initially agreed upon between the parties, the Controller shall compensate the Processor for the increased cost in accordance with the Processor’s regular terms and hourly rates.

3. Processor’s Personnel

3.1 The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who is given access to the Personal Data.

3.2 The Processor shall ensure in each case that access is strictly limited to those individuals who need to know/have access to the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Processor.

3.3 The Processor shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. The obligations of confidentiality will survive the termination of the personnel engagement.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in GDPR Article 32 (1). The safeguards are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized access, security oversight and enforcement.

4.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

4.3 The Controller confirms that the Processor has provided sufficient guarantees that they will implement appropriate technical and organizational measures that ensure that the processing meets the requirements of Applicable Laws, hereunder the protection of the Data Subjects’ rights.

4.4 The Controller confirms to have assessed any security measures specifically stated in the Principal Agreement and thus accepted by the Controller, and the Controller is responsible (as between the parties and to data subjects and supervisory authorities) if those measures in themselves do not meet the GDPR standard of appropriateness. In the assessment the Controller has taken into account that any pre-stated description may only deal with specific aspects of the required security arrangements rather than describing a comprehensive solution.

4.5 The Processor will maintain the measures for the protection of security, confidentiality and integrity of the Personal Data. Measures are described in our Privacy Policies and are set forth in the Principal Agreement clause 5. The SESAM Services are upon accepting this Agreement ISO/IEC 27001:2013 certified.

5. Subprocessing

5.1 The Controller authorises the Processor to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

5.2 The Processor may continue to use those Subprocessors already engaged by the Processor as of the date this Agreement enters into force, subject to the Processor in each case as soon as practicable meeting the obligations set out in section 5.4.

5.3 The Processor shall give the Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 2 weeks of receipt of that notice, the Controller notifies the Processor in writing of any objections (on reasonable grounds) to the proposed appointment, the Processor shall not appoint (or disclose any Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by the Controller, and the Controller has been provided with a reasonable written explanation of the steps taken.

5.4 The Processor is responsible for the Subprocessor’s performance with regard to the processing of Personal Data in accordance with the requirements of the GDPR.

5.5 With respect to each Subprocessor, the Processor shall:

5.5.1 before the Subprocessor’s first processing of the Personal Data (or, where relevant, in accordance with section 5.2), ensure that the Subprocessor does not process Personal Data covered by this Agreement in any way that is not necessary for the performance of the Services, and that the Personal Data is not given to anyone else without this being specified in this Agreement or is permitted by the Controller in a prior written notice;

5.5.2 ensure that the arrangement between the Processor and the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this Agreement and meet the requirements of GDPR article 28 (3); and

5.5.3 provide to the Controller for review such copies of the Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement) as the Controller may request from time to time.

5.6 Processing of Personal Data outside of the EU/EEA

5.6.1 If the agreement between the Processor and the Subprocessor involves a transfer to a Third Country, the Standard Contractual Clauses must at all relevant times be incorporated into the agreement between the Processor and the Subprocessor. Or, prior to the Subprocessor’s first processing of Personal Data, the Processor must ensure that the Subprocessor enters into an independent agreement with the Controller that incorporates the Standard Contractual Clauses;

5.6.2 If the Processor is to enter into an agreement with Subprocessors in countries outside the EU/EEA, this should only be done according to EU model agreements for the transfer of personal data to Third Countries, or other applicable legal grounds for transfers to Third Countries in accordance with GDPR Chapter 5. The same applies even if Personal Data is stored in the EU/EEA when personnel with access to the data are located outside the EU/EEA.

5.6.3 If the Controller approves such transfers, the Processor shall cooperate with the Controller to ensure the legality of the transfers.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests to exercise Data Subject rights under Applicable Laws.

6.2 Section 2.5 applies equivalently to this section 6.1.

7. Personal Data Breach

7.1 The Processor shall notify the Controller without undue delay upon the Processor or any Subprocessor becoming aware of a Personal Data Breach affecting the Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform the applicable Supervisory Authorities and/or the Data Subjects of the Personal Data Breach under Applicable Laws.

7.2 The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7.3 Section 2.5 applies equivalently to this section 7.2.

8. Data Protection Impact Assessment and Prior Consultation

8.1 The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required of the Controller by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.

8.2 Section 2.5 applies equivalently to this section 8.1.

9. Deletion or return of the Personal Data

9.1 Subject to sections 9.2 and 9.3 the Processor shall as soon as possible and within 4 weeks of the date of cessation of any Services involving the Processing of the Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Personal Data.

9.2 Subject to section 9.3, the Controller may in its absolute discretion by written notice to the Processor within 1 week of the Cessation Date require the Processor to (a) return a complete copy of all of the Personal Data to the Controller; and (b) delete and procure the deletion of all other copies of the Personal Data Processed by the Processor. The Processor shall comply with any such written request within 5 weeks of the Cessation Date.

9.3 The Processor may retain and store the Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws. Such cases always entail the provision that the Processor ensures the confidentiality of all such Personal Data and ensures that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

9.4 The Processor shall provide written certification to the Controller that it has fully complied with this section 9 within 5 weeks of the Cessation Date.

9.5 All costs connected to extraordinary measures in connection with deletion and/or providing copies of the Personal Data are to be carried by the Controller.

10. Audit rights

10.1 Subject to sections 10.2 and 10.3, the Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits by the Controller or an auditor mandated by the Controller in relation to the Processing of the Personal Data by the Processor.

10.2 Information and audit rights of the Controller only arise under section 10.1 to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Applicable Laws (including, where applicable, GDPR article 28 (3) (h)).

10.3 The Controller undertaking an audit shall give the Processor reasonable notice of any audit to be conducted under section 10.1, and shall avoid causing any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit. The Processor need not give access to its premises for the purposes of such an audit:

10.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;

10.3.2 outside normal business hours, as they are set out in the Principal Agreement, at those premises, unless the audit needs to be conducted on an emergency basis and the Controller undertaking an audit has given notice to the Processor that this is the case before attendance outside those hours begins; or

10.3.3 for the purposes of more than one audit, in respect of the Processor, in any calendar year, except for any additional audits that the Controller will be required to perform in accordance with Applicable Laws by a Supervisory Authority when the Controller responsible for the audit has identified the relevant request in its notice to the Processor.

10.4 The Controller shall treat all information obtained from the Processor arising from an audit as the Processor’s strictly confidential information and not disclose the information to any third party or use the information otherwise than in connection with the audit.

10.5 The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section 10 infringes the GDPR or other EU or Member State data protection provisions.

10.6 Section 2.5 applies equivalently to this section 10.3.

11. Transfers to Third Countries

11.1 If the Controller by form of written instruction to the Processor prior to any such processing, instructs the Processor to transfer Personal Data to a Third Country, the Controller (as “Data Exporter”) and Processor/Subprocessor (as “Data Importer”) must enter into an agreement that includes the Standard Contractual Clauses.

11.2 The Standard Contractual Clauses shall come into effect under section 11.1 on the later of:

11.2.1 the data exporter becoming a party to them;

11.2.2 the data importer becoming a party to them; and

11.2.3 commencement of the relevant Restricted Transfer.

12. General Terms

Governing law and jurisdiction

12.1 This Agreement shall be subject to and interpreted in accordance with Norwegian laws. The parties to this Agreement hereby submit to the jurisdiction of the Courts of Oslo.

Order of precedence

12.2 Nothing in this Agreement reduces the Processor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement.

12.3 In the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including the Principal Agreement (except where explicitly agreed otherwise in writing) the provisions of this Agreement shall prevail.

Changes in Data Protection Laws, etc.

12.4 The parties shall revise this Data Processing Agreement in the event of relevant changes to the Applicable Laws.

Severance

12.5 Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Liability and liability limitations

12.6 Each party is responsible for that party’s processing of Personal Data being in accordance with the GDPR.