DATA PROCESSING AGREEMENT


1. Background and objective of this Data Processing Agreement

The parties have entered into a service agreement ("Contract") for Defigo access control and digital intercom services. To provide services in line with the Contract, the Data Processor will process personal information on behalf of the Data Controller.

 

The objective of this Agreement on Data Processing is to regulate the rights and obligations of the parties following the applicable data protection policies and in connection with the Data Processor's processing of personal information on behalf of the Data Controller. The Agreement on Data Processing applies only to the processing of personal data that occurs on behalf of the Data Controller.

 

In case of discrepancies between the Contract and the Agreement on Data Processing in matters specifically related to data protection, the Agreement on Data Processing will take precedence.

 

2. Definitions

"Agreement on Data Processing" refers to this agreement.

 

"GDPR" refers to the Regulation of the European Parliament and the Council (EU) 2016/679 from April 27, 2016, on the protection of physical persons in connection with the processing of personal information and on the free exchange of such information as well as annulment of Directive 95/46/EC (data protection regulation).

"Data Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, cf. Article 4 (7) of the GDPR.

"Data Processor" means the legal entity that Processes Personal Data on behalf of the Data Controller, cf. Article 4 (8) of the GDPR.

"Data protection legislation" refers to the Norwegian legislation related to data protection that is applicable at any given time, including the legislation that implements or supplements GDPR.

 

"Personal information" refers to all information about an identified or identifiable natural person (the "Registered").

 

"Third countries" refer to countries outside of the EU/EEA.

 

"Sub-supplier" refers to sub-suppliers that manage personal information on behalf of the Data Processor.

 

3. Rights and obligations of the Data Controller

The Data Controller is responsible for ensuring that the processing of personal information happens in line with the data protection legislation.

 

The Data Controller has the right and obligation to determine the goal of the processing of personal information and what means shall be used to achieve it.

 

The Data Controller is responsible for, among other things, ensuring that there is a basis for the processing of personal information which the Data Processor is instructed to carry out.

 

4. Scope of the processing

The Data Processor shall process personal information on behalf of the Data Controller only in line with the Contract, this Agreement on Data Processing, and documented instructions of the Data Controller unless the applicable legislation requires otherwise.

 

The Data Processor shall periodically notify the Data Controller if the Data Processor is ordered by law, decree, or administrative order to manage personal information contrary to the instructions of the Data Controller, or if the Data Processor thinks that instructions constitute a breach of the data protection legislation.

 

More detailed information on the processing of personal information, including the aim of the processing and kind, type of personal information, and category of the Registered, is included in Appendix 1.

 

5. Confidentiality

The Data Processor is bound by a duty of confidentiality in relation to Personal Data. The Data Processor shall ensure that anyone performing work for the Data Processor, either employees or hired staff, who has access to or is involved in the Processing of Personal Data under the Agreement (i) is subject to confidentiality and (ii) is notified of and complies with the obligations under this Data Processing Agreement. Confidentiality also applies after the Agreement has been terminated.

 

6. Secure processing

The Data Processor shall take all necessary measures to fulfill GDPR Article 32 and implement appropriate technical and organizational security measures to achieve a security level that is adequate to the risk. This will include, among other things, measures to ensure that personal information is available, prevent loss and damage of personal information and prevent unintended access to personal information. The Data Processor shall also ensure that only staff providing service and support get access to personal information.

 

The Data Processor shall also assist the Data Controller in fulfilling the obligations of the Data Controller under GDPR Article 32. They shall consider the type of processing and information available to the Data Processor.

 

7. Access to personal information and fulfillment of the rights of the registered person

Unless otherwise agreed or provided by the applicable legislation, the Data Controller shall have access to all personal information processed by the Data Processor on behalf of the Data Controller.

 

If the Data Processor or a Sub-supplier receives an inquiry from the Registered regarding the processing of personal information, the Data Processor shall forward the inquiry to the Data Controller unless the Data Processor themselves is competent to handle the inquiry.

 

In such matters, the type of processing is to be taken into consideration. To the degree it is possible, the Data Processor shall assist the Data Controller through suitable technical and organizational measures to fulfill the obligation of the Data Controller to respond to requests submitted by the Registered in terms of the exercise of their rights determined by the data protection legislation. This encompasses, among other things, the right of the Registered to insight, reparation, deletion, limitation, protest, and data portability.

 

8. Breach of personal information security

The Data Processor shall inform the Data Controller without undue delay and, at the latest, within 36 hours after gaining knowledge of the breach of personal information security. The Data Controller bears responsibility for informing a relevant inspection authority about the breach of personal information security.

 

Notification to the Data Controller shall contain information that allows the Data Controller to fulfill their obligation under GDPR Articles 33 and 34, including (i) the type of breach of security of personal information, including, when possible, the categories of and an approximate number of affected Registered, and the categories of and an approximate number of items of affected personal information, (ii) the probable consequences of the breach of security of personal information, (iii) measures the Data Processor has taken or suggests to take to manage the breach of security of personal information, including, if applicable, measures to reduce potential damage due to the breach.

 

If the Data Processor is unable to provide all relevant information within the deadline, the information can be provided gradually without undue delay.

 

If the Data Controller has a duty to notify the Registered about a breach of security of personal information under the data protection legislation, the Data Processor shall assist the Data Controller with this.

9. Assistance to the Data Controller

If the Data Processor or the Sub-supplier receives a request from a relevant inspection authority to obtain insight into or information about personal information or processing activities within the scope of this Agreement on Data Processing, the Data Processor shall warn the Data Controller about the request unless the Data Processor, pursuant to the applicable legislation or under the instructions of the Data Controller, is authorized to deal with such requests.

 

If the Data Controller is obliged to carry out an assessment of consequences for data protection or carry out discussions beforehand with a relevant inspection authority in connection with the processing of personal information under this Agreement on Data Processing, the Data Processor shall assist the Data Controller with this.

 

10. Use of Sub-suppliers

The Data Controller agrees that the Data Processor can use Sub-suppliers to assist them in the provision of services and managing personal information under the Contract, as long as the Data Processor ensures that

 

1. The Data Controller has the right to refuse additions or replacements of Sub-suppliers in line with the procedure below in point 10;

2. Obligations of the Data Processor with regards to the protection of personal information determined in the Agreement on Data Processing and by data protection legislation are imposed on Sub-suppliers via a written agreement; and that

3. Each Sub-supplier provides sufficient guarantees for the implementation of technical and organizational measures that ensure processing fulfills the requirements of the data protection legislation and the Agreement on Data Processing and provides the Data Controller and relevant inspection authority access and information necessary for verification of such guarantees.

 

The Data Processor fully guarantees that the Sub-supplier fulfills its obligations. The list of Sub-suppliers the Data Controller has approved is included in Appendix 2.

The Data Processor shall notify the Data Controller about each addition or replacement of Sub-suppliers two months before the day the Sub-supplier commences processing of personal information.

 

The Data Controller has the right to object to such changes. Any objection to changes of Sub-suppliers shall be submitted to the Data Processor within three weeks from the receipt of the notification of changes. If the Data Controller speaks against the change or replacement of a Sub-supplier, the Data Processor can terminate the Contract and the Agreement on Data Processing with a one-month notice.

 

The Data Processor shall have an updated list with an overview of approved Sub-suppliers, including names and contact information of all Sub-suppliers and the location of processing of personal information. Upon request, the Data Processor shall disclose the list to the Data Controller.

11. Transfer to third countries

Transfer of personal information to third countries can only happen after the written pre-approval of the Data Controller. A transfer to a third country presupposes fulfillment of the conditions of the GDPR Chapter 5, including that there is a valid transfer basis and potential additional requirements if this is necessary according to the Data Controller pursuant to the judgment of the Court of Justice of the European Union in the case C-311/18 or subsequent legislation or recommendations/directives from the European Council on Data Protection or national data inspection authority ("Additional requirements").

 

If the Data Controller has approved a transfer in advance in writing, the Data Controller can grant the Data Processor power of attorney to accept the EU standard conditions on behalf of the Data Controller or another legal basis for transfer to third countries, in addition to potential additional requirements in line with the instructions of the Data Controller. The Data Processor shall, without undue delay, provide the Data Controller with a copy of such EU standard conditions or a description of another legal basis for the transfer, in addition to potential additional requirements.

 

The Data Processor shall be of reasonable assistance and provide documentation to be used in an independent risk assessment of the Data Controller regarding the use of Sub-suppliers and transfer of personal information to third countries.

12. Revisions

The Data Processor is obliged to provide the Data Controller with documentation of the technical and organizational measures taken to ensure an appropriate security level, as well as other information necessary to prove that the Data Processor fulfills its obligations under this Agreement on Data Processing and data protection legislation.

 

The Data Controller and relevant inspection authority have the right to carry out revisions, including inspections and evaluations of processed personal information, systems used for this purpose, and the technical and organizational security measures taken, including security instructions, etc., together with Sub-suppliers.

 

The Data Processor shall not have access to information about other customers of the Data Processor.

 

If the Data Controller appoints external auditors to carry out revisions, the revisionists shall be bound by a duty of confidentiality. The Data Processor has the right to object to their competitor being appointed as a revisionist.

 

Each of the parties covers its costs related to the revision. If a revision reveals no unsubstantial deviations from the obligations of the Data Processor, the Data Controller shall have their reasonable expenses connected to the revision covered by the Data Processor.

 

13. Duration and termination

The Agreement on Data Processing applies as long as the Data Processor processes personal information on behalf of the Data Controller.

 

If the Data Processor breaks the Agreement on Data Processing or other documented instructions received from the Data Controller or does not fulfill their obligations or data protection legislation, the Data Controller may order the Data Processor to stop further processing of personal information with immediate effect and terminate the Agreement on Data Processing with immediate effect.

 

Upon termination of the Agreement on Data Processing, the Data Processor shall, as instructed by the Data Controller, either delete or return all personal information to the Data Controller, including copies and back-ups, unless otherwise determined by the applicable legislation.

The Data Processor shall document in writing to the Data Controller that deletion has taken place pursuant to the Agreement on Data Processing and as ordered by the Data Controller.

 

14. Liability

The compensation obligation of the parties for damages that occur to the Registered or other natural persons due to a breach of data protection legislation is regulated by GDPR Article 82. A potential liability limitation on the compensation liability in the Contract does not apply to liability outlined in the data protection regulation Article 82.

The parties are individually responsible for breach penalties imposed under GDPR Article 83. 

 

15. Warnings and changes

All information relating to the Agreement on Data Processing is to be sent in writing to an email address stated on the first page of the Contract.

 

In case of changes to data protection legislation, provided that a judgment or a pronouncement of a competent authority or other authoritative source implies a changed interpretation of data protection legislation, or if changes have been made to the delivery of services under the Contract that demand changes to the Agreement on Data Processing, the parties must cooperate on updating the Agreement correspondingly.

 

16. Choice of law and legal venue

The Agreement on Data Processing is subject to Norwegian law, and the parties have accepted the Oslo District Court as their legal venue.

Appendix 1 - Scope of the processing

 

Type and objective of processing

 

To provide services under the service contract. The service is used to open doors in buildings where the system has been installed or receive visitors via an intercom. Administrators also use the service to manage access and entries of registered users into the building.

 

Type of personal information

 

● Name
● Phone number
● Email address
● Street address and apartment number

 

 

Categories of the registered

 

● Residents/tenants of housing associations
● Employees of contractors of the client or the client's tenants


Appendix 2 – Sub-suppliers

 

Suppliers:

Data storage, USA

Amazon Web Services, USA

Seattle, Washington, USA

Data storage, Europe

Amazon Web Services EMEA SARL

38 Avenue John F. Kennedy, L-1855, Luxembourg

Customer & end user support, global

Atender AS

Alameda de Colón, 34, 29001 Málaga, Spain

Necessary guarantees upon transfer to third countries (the basis for transfer and potential additional requirements)