DATA PROCESSING AGREEMENT
This Data Processing Agreement is valid from: August 30, 2024*
*In the event of any discrepancies or disagreements between the Norwegian and English versions of this Data Processing Agreement, the Norwegian version shall prevail as the official version, and the English version is provided as an unofficial translation.
1 Definitions
"Data Processing Agreement" means the provisions set forth in this agreement.
"GDPR" refers to the EU General Data Protection Regulation, "Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC." It was adopted by the European Parliament and the Council of the European Union on April 14, 2016, and is also known as the General Data Protection Regulation.
"System" refers to the software Compleasy® and its related modules, along with all associated and connected documentation. The System includes, but is not limited to, content, design, functionality, and documents or components thereof.
"Terms" means the terms and conditions governing the use of the System.
"Privacy Legislation" means all applicable laws and regulations on data protection and privacy, including the GDPR and the Norwegian Personal Data Act.
"Personal Data" means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Data Subject(s)" means one or more natural person(s) whose personal data is registered in the System.
"Processing" means any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. In this Data Processing Agreement, the Data Controller refers to the Customer.
"Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller. In this Data Processing Agreement, the Data Processor refers to Compleasy AS.
"Parties" means the Data Controller and Data Processor when referred to collectively. Each individually referred to as a "Party."
"Sub-Processors" means other data processors that Compleasy uses to process personal data.
"Privacy Policy" means the Data Processor’s current Privacy Policy.
"Supervisory Authority" means an independent public authority established by an EU/EEA state in accordance with GDPR Article 51.
2 General
This Data Processing Agreement is entered into between the Data Controller and the Data Processor and regulates the relationship between the Parties.
The Data Processing Agreement is accepted electronically together with the Terms upon registration in the System. By accepting, the Data Controller confirms that it is bound by the obligations outlined in the Data Processing Agreement. If this agreement is not accepted, access to the System will not be granted.
2.1 Duration and Amendments
This agreement remains in effect as long as the Data Processor processes Personal Data on behalf of the Data Controller.
The Data Processor may update and revise the Data Processing Agreement as necessary. The Customer will be notified of changes at least three months before the changes take effect.
By continuing to use the System after the updated Data Processing Agreement comes into effect, the new version of the agreement is considered approved by the Customer.
3 Background and Purpose of Processing
The Data Processor shall process Personal Data on behalf of the Data Controller.
The purpose, duration, and legal basis for Processing, the type of Personal Data to be processed, and the Data Subjects to whom the Personal Data relates are as follows:
To securely register unique Users and contact persons in the System so that the Data Processor can simplify compliance for the Customer. In this context, compliance refers to ensuring that a business follows all relevant laws, regulations, standards, and ethical guidelines applicable to its operations.
The Personal Data processed is part of the data intended to provide the Data Controller with a simpler overview and management basis related to compliance.
The Data Processing Agreement ensures that Processing is carried out in accordance with the GDPR, applicable Privacy Legislation, and other regulatory requirements associated with the Data Controller's operations, including the requirements for the processing of Personal Data.
The Data Processor shall only carry out Processing as described in the Terms & conditions, the Data Processing Agreement, the Privacy Policy, as agreed in writing with or instructed by the Data Controller, and in all cases in accordance with the laws governing the Processing.
4 Personal Data to Be Processed
The following Personal Data may be processed in the System:
For contact persons at the Customer:
- Name, email, and phone number
For registered Users:
- Name, email, and phone number
- Username and password
For the Customer's customers and suppliers:
- Name, email, and phone number
- Address, Postal code, City, and Country of residence
4.1 User-Registered Personal Data
If Users register Personal Data in the System, the Customer is responsible for ensuring that such Personal Data is processed in accordance with applicable laws. The Vendor disclaims any responsibility for the processing of such Personal Data in these cases.
5 Data Controller’s Rights and Obligations
The Data Controller has the following responsibilities and obligations:
- Full responsibility for correspondence with Supervisory Authorities.
- Ensuring sufficient legal basis for the Processing and that the transfer of Personal Data to the Data Processor is lawful.
- Ensuring the reliability, accuracy, legality, content, and integrity of the Personal Data.
- Informing Data Subjects in accordance with the applicable legal requirements and responding to inquiries.
- Ensuring that Personal Data is processed in accordance with the GDPR.
- Implementing appropriate technical and organizational measures to secure the Personal Data being processed, as per GDPR Article 32.
- Reporting breaches to the Supervisory Authorities and, if necessary, to the Data Subjects without undue delay in accordance with applicable law.
- Immediately notifying the Data Processor if the Data Controller believes that instructions or requirements from the Data Processor are in violation of Privacy Legislation.
- Not registering or storing Personal Data beyond what is necessary for the purpose. Specifically, the Data Controller shall not store special categories of Personal Data, as defined by the GDPR (e.g., assessments related to an employee's health, religious or political affiliation, etc.), in the System.
- If required by GDPR Article 30(5), the Data Controller shall maintain a record of processing activities conducted under their responsibility. The record shall contain, at a minimum, the information required by GDPR Article 30. The Data Controller, or its representative, shall make the record available to the Supervisory Authority upon request.
- Obtaining consent if information about minors is entered into the solution. This particularly applies to employment relationships for individuals under 16 years of age.
6 Data Processor’s Rights and Obligations
The Data Processor does not own the Personal Data but processes it solely on behalf of the Data Controller as regulated by this Data Processing Agreement.
The Data Processor has the following obligations:
- Implement appropriate and suitable technical and organizational measures to ensure that the Processing complies with the GDPR and safeguards the rights of the Data Subjects. This includes meeting the requirements set out in GDPR Article 32.
- Upon request, provide documentation on information security to the Data Controller.
- Ensure that Processing is conducted only following the documented instructions of the Data Controller, unless otherwise required by applicable law. In such cases, the Data Controller shall be informed of the legal obligation before the Processing, unless the law prohibits such information due to public interest.
- Assist the Data Controller with appropriate measures, as far as practicable, to fulfill the Data Controller's obligation to demonstrate compliance with the rights of the Data Subjects.
- Assist the Data Controller in ensuring compliance with the obligations set out in GDPR Articles 32 to 36.
- If required by GDPR Article 30(5), the Data Processor shall maintain a record of processing activities carried out on behalf of the Data Controller. The record shall contain, at a minimum, the information required by GDPR Article 30. The Data Controller may request access to the specified record at any time. The Data Processor, or its representative, shall make the record available to the Supervisory Authority upon request.
- During audits or inspections, provide the Data Controller with all information necessary to demonstrate compliance with the obligations set out in this Data Processing Agreement. This includes allowing and contributing to audits and inspections conducted by the Data Controller or another auditor acting on behalf of the Data Controller. All such assistance provided by the Data Processor to the Data Controller shall be invoiced based on time spent and done upon written request.
- Maintain confidentiality regarding Personal Data and any other information the Data Processor receives or has access to.
- If the Data Processor considers that an instruction from the Data Controller violates the GDPR or other laws, the Data Processor shall immediately inform the Data Controller of this.
The Data Processor is entitled to run anonymized analyses on statistics from the System as part of its efforts to improve the user experience.
The Data Processor may also access and use registered Personal Data, such as usernames, company names, addresses, email addresses, and phone numbers for administrative purposes, such as, but not limited to, billing and sending important information.
7 Use of Third Parties as Sub-Processors
By accepting the Terms and the Data Processing Agreement, the Data Controller gives general consent for the Data Processor to engage Sub-Processors.
The Data Processor uses Sub-Processors who, in certain cases, may process personal data registered in the System. In all data processing activities, the Data Processor ensures that the minimum amount of information is exchanged with Sub-Processors to protect privacy.
The Data Processor also uses Sub-Processors for necessary and non-optional functionality, such as logging services. These services may be implemented without explicit consent from the Data Controller. The Data Processor has entered into data processing agreements with all Sub-Processors.
The Data Processor shall notify the Data Controller if other data processors or Sub-Processors are used. The Data Controller has the option to object to such changes, but if they refuse the change, they will no longer be able to use the System.
7.1 Sub-Processors Outside the EU/EEA
If Sub-Processors are located in third countries outside the EU/EEA, the Data Processor ensures that valid transfer mechanisms are used, such as EU Standard Contractual Clauses or other approved mechanisms.
8 Relationship with Third-Party Partners
The Data Processor may suggest third-party products that may constitute a useful offering to the Data Controller, based on registered information in the System. Upon acceptance of such an offer, it is the Data Controller's responsibility to establish a data processing agreement with the relevant partner. The Data Processor will not exchange information with third parties before the relevant module is activated.
In certain situations, it may be necessary for the Data Processor to give third parties access to the Data Controller's information. This may occur under the following circumstances:
- If a user has lost access to the service.
- In the event of a sale or transfer of a Customer's business.
- When required by legal orders or other conditions mandated by law or legal precedent, for example, in the case of suspected criminal activity.
9 Processing Security and Breach Notification
The Data Processor shall comply with the security requirements provided in the Privacy Legislation.
In the event of a breach related to Processing, the Data Processor shall notify the Data Controller without undue delay, in accordance with GDPR Article 33. Such notification shall, at a minimum, include:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects affected, and the categories and approximate number of personal data records affected.
- The name and contact details of the Data Protection Officer or other contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate any possible adverse effects.
If all the above information is not provided at the first notification, the missing information shall be sent as soon as possible.
The Data Controller has full responsibility for notifying the relevant Supervisory Authorities. The Data Processor shall not contact or notify the Supervisory Authorities without the approval of the Data Controller.
10 Suspension of Processing, Deletion, and Modification of Data
The Data Controller may instruct the Data Processor in writing to stop Processing with immediate effect. Access to the System will cease at the same time, and the provisions of the Terms regarding termination will apply.
To ensure security and consistency, a backup of the data will be retained for up to 3 months. If there are specific reasons requiring faster deletion of Personal Data, the Data Processor can be contacted in writing.
Upon the Customer's termination, for any reason, the Data Processor shall delete or return all Personal Data related to the processing. This also includes deleting any copies of the Personal Data.
The Data Controller may request written confirmation from the Data Processor that the Personal Data related to the processing has been returned or deleted according to the Data Controller's instructions, and that the Data Processor has not retained any copies, printouts, or other representations of such data.
10.1 Modification of Personal Data
If Personal Data cannot be changed in the System, a written request may be made to the Data Processor. Changes to Personal Data will only be made if they do not violate legal requirements.
11 Governing Law and Jurisdiction
This Data Processing Agreement is governed by Norwegian law. The Parties agree that the Oslo District Court shall be the exclusive legal venue.