Data Processor Agreement
This Data Processor Agreement forms an integrated part of Ironstone's contractual framework. The Data Processor Agreement applies to customers having signed either «Agreement for the establishment of operational services» (Nw/Sw: Etableringsavtalen) or «Operational Services Agreement» (Nw/Sw: Driftsavtalen). In the following, the relevant agreement for your company's relation to Ironstone is referred to as «The Principal Agreement».
Ironstone AS, with business reg. number 917 608 776 and business address Storgata 1, 0155 Oslo, is acting as a data processor ("Processor") for your company in the role of a "Controller". The Processor and the Controller are collectively referred to as either "Party" or "Parties".
The Processor shall Process the Personal Data pursuant to The Principal Agreement on behalf of the Controller.
This Data Processor Agreement shall provide for the Processing of Personal Data in accordance with the following regulations, jointly called "Data Protection Regulation" in the following:
- In Norway: The Norwegian Personal Data Act of 15 June 2018 no. 38.
- In Sweden: The Data Protection Act (2018:218).
- EU Regulation 2016/679 ("GDPR") as implemented in the national legislation.
- Any other relevant law or regulation governing the Processing of Personal Data;
- Any industrial norm as defined in appendix 1.
The nature and purpose of the Processing, the duration of the Processing of Personal Data, the subject matter of the Processing of Personal Data, the types of Personal Data to be processed, the categories of data subjects to whom the Personal Data relates and other specifics regarding the Personal Data and Processing carried out under this Data Processor Agreement is set out in Annex 1 to this Agreement.
«Personal Data» means such personal information as the Processor (or sub-processor if relevant) Processes on behalf of the Controller pursuant to The Principal Agreement and as further described in Annex 1.
«Special categories of Personal Data» means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
«Processing» means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
«Controller» means [CONTROLLER], which is the Party that determines the purposes and means of the Processing of Personal Data.
«Processor» means Ironstone AS, which is the Party that Processes the Personal Data on behalf of the Controller.
Any other term as defined in the Data Protection Regulation shall have the same meaning in this Data Processor Agreement as in such regulation unless stated otherwise.
3. THE CONTROLLER’S DUTIES
The Controller shall comply with relevant duties according to the Data Protection Regulation and in accordance with any specific lawful means of Processing established between the Controller and the data subject(s), and any other duties arising from this Data Processor Agreement.
It is the Controller's responsibility to ensure the lawful basis for the Processing of the Personal Data.
4. THE PROCESSOR’S DUTIES
4.1 IN GENERAL
The Processor shall comply with all applicable Data Protection Regulation in the Processing of the Personal Data.
The Processor shall only Process the Personal Data according to the documented instructions of the Controller. The Processing shall only be done in accordance with these instructions and only in the manner necessary to fulfill the obligations under this Data Processor Agreement. The Processor shall at all times, at the request of the Controller, provide the documentation from the Controller that forms the basis for the Processing.
4.2 TECHNICAL AND ORGANISATIONAL MEASURES
At the time of entering into this Data Processor Agreement, the Processor has documented its technical and organizational measures necessary for the fulfillment of this Data Processor Agreement and any relevant Data Protection Regulation. This includes technical and organizational measures related to information security. The Controller has accepted these documented measures upon entering this Data Processor Agreement. The relevant documentation is available at IT and Information Security & Data Protection Practices. The Processor shall keep this documentation updated, and inform the Controller of any changes to the technical or organizational measures that may affect the Processing of the Personal Data. Any such changes shall at all times be compliant with the current Data Protection Regulation.
The Processor is obliged to comply with recommended standards and techniques to ensure that privacy is taken into account when planning, designing, developing, and implementing the products or services provided pursuant to The Principal Agreement and used when Processing the Personal Data.
4.3 CONFIDENTIALITY
The Processor shall ensure that persons authorized to Process the Personal Data on behalf of the Controller have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
This obligation of confidentiality shall continue to apply after the termination of this Data Processor Agreement. It shall also apply to any and all personnel who have had access to the Personal Data and who are no longer working with or for the Processor.
4.4 USE OF SUB-PROCESSORS
At the date of the agreement, the Controller has approved the sub-processor(s) specified on the Processor's webpage.
The Processor has been granted general permission to use one or more sub-processor(s) with this Data Processor Agreement. The Processor is obliged to inform the Controller of plans to use or change a sub-processor in fulfilling the obligations of this Data Processor Agreement. The Controller, acting reasonably, shall be entitled to object to the use of sub-processor(s), and may object to such use by terminating whole or parts of the Principal Agreement immediately upon written notice to the Processor.
Transfer of Personal Data to sub-processors shall not be initiated unless with the prior written approval issued by the Controller.
The Processor is required to impose on any sub-processors covered by this Data Processor Agreement the same data protection obligations as set out in this Data Processor Agreement or in any other legal obligations between the Controller and the Processor.
The Processor shall provide sufficient guarantees that the sub-processor(s) implement(s) appropriate technical and organizational measures in such a manner that the Processing meets the requirements of this Data Processor Agreement.
Where the sub-processor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
4.5 THE DATA SUBJECTS' RIGHTS
The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR. The data subject's rights under Chapter III of the GDPR include, among others, the right of access, rectification, erasure and restriction of Processing of Personal Data, as well as the rules on data portability.
The Processor shall without delay forward to the Controller any Chapter III-related requests that the subject sends directly to the Processor. The Processor shall not fulfill such requests without a prior written instruction from the Controller.
4.6 ERASURE OF PERSONAL DATA
Upon termination of this or The Principal Agreement, or when the purpose of The Principal Agreement has been reached, the Processor shall request instructions from the Controller about whether the Personal Data, and any other information processed within the scope of The Principal Agreement, are to be deleted or returned. The Controller is obliged to answer this request; the response is considered an instruction from the Controller.
The Processor shall, upon the Controller's instruction to delete, without undue delay erase all Personal Data and any other information covered by The Principal Agreement.
The Processor shall upon receipt of return instructions from the Controller, without undue delay, send the Controller a copy of all Personal Data, and any other information covered by The Principal Agreement. An instruction for the return of the Personal Data shall be considered as both an instruction for returning the relevant data and an instruction of erasing these data when the Controller has confirmed the receipt of the data. The Processor shall erase all relevant data when the Controller confirms that the data have been safely received and stored.
The Processor shall in accordance with written instructions from the Controller, implement routines for erasing information in accordance with relevant principles of data minimization and necessity.
The Processor must confirm in writing to the Controller that necessary erasure has been completed. The Controller may engage a third Party to verify that the erasure has been completed. The Processor is obliged to give such third Party access to relevant systems in order to verify that erasure has occurred. Such access shall also be provided for an eventual verification that routines for erasure as described above have been implemented and carried through.
4.7 SECURITY OF PERSONAL DATA / SECURITY OF PROCESSING
Taking into account the nature of Processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36.
The Processor is obliged to:
- Assist the Controller with the implementation of appropriate technical and organizational measures in order to achieve the appropriate level of security, cf. Article 32 of the GDPR, cf. section 2 of this Data Processor Agreement.
- The Controller shall notify the national supervisory authority no later than 72 hours after becoming aware of a personal data breach, cf. Article 33 of the GDPR. The Processor shall notify the Controller without undue delay when the Processor becomes aware of a personal data breach in its own systems, and shall assist the Controller in preparing relevant information for the supervisory authority, cf. section 8 of this Data Processor Agreement.
- Assist the Controller in notifying the data subjects if it is likely that a personal data breach will result in a high risk to the rights and freedoms of the data subjects, cf. Article 34 of the GDPR, cf. section 8 of this Data Processor Agreement.
- Assist the Controller in performing a data protection impact assessment (DPIA) if the Processing of the Personal Data may pose a high risk to the rights of data subjects, cf. Article 35 of the GDPR.
- Assist the Controller in any consultation with the relevant supervisory authority prior to the Processing of the Personal Data if the Processing would result in a high risk to the data subjects in the absence of measures taken by the Controller to mitigate the risk, cf. Article 36 of the GDPR.
The Processor shall further make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another independent third Party auditor mandated by the Controller.
The Controller shall cover any costs incurred in connection with the Processor's performance of its duties under this section, and any work performed by the Processor shall be remunerated in accordance with the Processor's standard hourly rates as applicable from time to time.
The Processor shall immediately inform the Controller if the Processor is of the opinion that an instruction by the Controller infringes the Data Protection Regulation.
4.8 HANDLING AND NOTIFICATION OF BREACH
The Processor shall, in case of a personal data breach related to the Processor's Processing of Personal Data:
- Without undue delay, initiate measures to minimize any possible damage for the data subject and for the Controller;
- Without undue delay, give written notice to the Controller in accordance with the Data Protection Regulation, including Article 33 No. 2 to 4 of the GDPR. This includes the obligation to describe the personal data breach with an indication of the affected persons;
- Document the personal data breach, the actual circumstances, effects and measures, etc., as provided for in Article 33 (5) of the GDPR, so that the Controller can fulfill its duties under the Data Protection Regulation; and
- On the Controller's request, assist the Controller in fulfilling its obligations to notify the supervisory authority and the data subjects about the personal data breach, in accordance with the Data Protection Regulation, and specifically Articles 33 and 34 of the GDPR.
The Controller shall cover any costs incurred in connection with the Processor's performance of its duties under this section, and any work performed by the Processor shall be remunerated in accordance with the Processor's standard hourly rates as applicable from time to time, except where the Controller can clearly prove that the breach is caused by the Processor's negligent actions or omissions.
5. TRANSFER OF THE PERSONAL DATA
The Processor may not transfer the Personal Data outside the EEA without the prior written approval of the Controller. The Processor shall ensure that the Personal Data is not transferred to a third country or to an international organization unless permitted by this Data Processor Agreement or by law.
Any transfer of the Personal Data to third countries outside the EU/EEA or to international organizations must be in accordance with the provisions of Articles 44 to 49 of the GDPR.
6. OTHER DUTIES AND RIGHTS
Any violation of the Data Processor Agreement is deemed as a violation of The Principal Agreement.
The Data Processor Agreement shall take precedence over The Principal Agreement in case of a conflict between the Parties.
Changes in this Data Processor Agreement shall be in writing and signed by both Parties in order to take effect. Each Party may require changes in the Data Processor Agreement if considered necessary in order to make the Data Processor Agreement or the Processing itself compliant with the Data Protection Regulation.
For disputes arising out of the Data Processor Agreement, the provisions of The Principal Agreement shall apply accordingly.
At the date of the agreement, the Controller has approved Third Party Data Processor Agreement(s) as specified on the Third Party Data Processor Agreement webpage.
ANNEX 1
The purpose of the Processing
For the Processor to provide services according to the Principal Agreement.
The duration of the Processing
This Agreement runs as long as the Processor provides services pursuant to The Principal Agreement, or for the duration as instructed by the Controller.
Subject matter of the Processing
Any personal data regarding persons that the Processor decides to store in the systems pursuant to the Principal Agreement.
The types of Personal Data to be processed
Any personal data regarding persons that the Processor decides to store in the systems pursuant to the Principal Agreement.
Special categories of information to be processed
Any special categories of personal data regarding persons that the Processor decides to store in the systems pursuant to the Principal Agreement.
The categories of data subjects to whom the Personal Data relates
Clients, employees or other registered persons that the Controller stores information about in the systems operated by the Processor according to the Principal Agreement, and for which the Processor has a legal basis for the processing of such personal data.