Data Processing Agreement
1. BACKGROUND AND PURPOSE
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Principal Agreement") between Mevo Norway AS ("Data Processor") and the Customer ("Data Controller").
For the purposes of fulfilling the Principal Agreement and delivering the MevoApp (“the Service”), the Data Processor will process certain Personal Data on behalf of the Data Controller.
The DPA is intended to ensure that personal data is processed in accordance with all applicable requirements for the processing of personal data as provided for in the Privacy Regulations, the Personal Data Act, and related regulations, including the General Data Protection Regulation (“GDPR”), collectively referred to as the “Applicable Privacy Regulations”.
This DPA sets forth the terms and conditions pursuant to which the Data Processor shall process Personal Data on behalf of the Data Controller under the Principal Agreement.
In this DPA, the following terms shall have the meanings set out below:
- "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, such as the Norwegian Personal Data Act (LOV-2018-06-15-38) and Personal Data Regulations;
- "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- "GDPR" means EU General Data Protection Regulation 2016/679;
- "Personal Data" means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- "Sub-processor" means a third party subcontractor engaged by the Data Processor which will process Personal Data on behalf of the Data Controller; and
- “Users” have the same meaning as in the Principal Agreement.
The terms in this DPA have the same meaning as in the Personal Data Act and the GDPR, and their cognate terms shall be construed accordingly.
3. PROCESSING OF PERSONAL DATA
The Data Processor will process the following types of Personal Data on behalf of the Data Controller:
Name, telephone number, email address, workplace, occupation, profile photos and other photos uploaded by the Users of the Service, prize-related information, level and training expertise related to activities in the MevoApp, purchase, billing information, IP address, and user-generated information related to the use of the Service.
The Personal Data is connected to the following categories of data subjects:
- The employees or representatives of the Data Controller.
- The customers, their employees or representatives, of the Data Controller.
- The Users.
The Data Processor shall only Process Personal Data for the following purposes:
- To fulfill the obligations under the Principal Agreement.
- To deliver the Service to the Data Controller and the Users.
The processing involves:
- Collection and storage of data from the Users.
The Data Processor shall not process Personal Data in any manner other than as agreed in this DPA and on documented instructions from the Data Controller. This means that the Data Processor may not process Personal Data for purposes other than those stated above or for its own purposes, nor disclose data to third parties.
4. THE DATA PROCESSOR’S DUTIES
4.1 General compliance
When processing Personal Data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated in this DPA.
The Data Processor shall comply with all applicable Data Protection Laws in the processing of Personal Data and shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Law.
4.2 Instructions from the Data Controller
The Data Processor undertakes to only process Personal Data in accordance with documented instructions communicated by the Data Controller unless required to do so pursuant to the Applicable Data Protection Law.
If the Data Processor is of the opinion that an instruction from the Data Controller violates the Applicable Privacy Regulations, the Data Processor shall immediately inform the Data Controller of its opinion and may object to the instruction.
4.3 Requests from the Data Controller
Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all Personal Data being processed on behalf of the Data Controller. The Data Processor shall provide the necessary assistance for this.
The Data Processor shall, in accordance with the request or instruction of the Data Controller, correct, delete or return any Personal Data processed by the Data Processor on behalf of the Data Controller under this DPA. This applies unless the applicable laws require the storage of the personal data.
The Data Processor shall ensure the confidentiality of Personal Data that the Data Processor will have access to as a result of the DPA, and shall ensure that persons authorized to process the Personal Data have undertaken to keep the Personal Data confidential or are subject to an appropriate statutory duty of confidentiality. This provision shall also apply after termination of the Principal Agreement.
4.5 Disclosure of Personal Data
The Data Processor may not, without prior written approval from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party. This applies with the exception of Sub-processors engaged pursuant to this DPA.
In the event that the Data Processor is required, under Applicable Data Protection Law, to disclose Personal Data that it processes on behalf of the Data Controller, the Data Processor will inform the Data Controller thereof.
The Data Processor shall not process Personal Data outside the EU/EEA unless otherwise stated in this DPA. If the transfer of Personal Data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required under the law of an EU/EEA member state to which the Data Processor is subject, or under EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the processing, unless the law prohibits such information from being given.
5. THE DATA PROCESSOR’S USE OF SUB-PROCESSORS
The Data Processor may use Sub-processors. The Data Processor shall ensure that the Sub-processors are bound by written agreements that require them to comply with data processing obligations corresponding to those contained in this DPA. The Data Processor shall remain fully liable to the Data Controller for the performance of the Sub-processor’s obligations.
In addition, the Data Processor has the right to use other Sub-processors but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors. The information shall be given at least eight weeks before the planned change takes effect. If the Data Controller does not consent to the change, the Data Controller has the right to terminate the Principal Agreement with three months’ notice.
6. TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA
The Data Processor uses the following Sub-processors outside the EU/EEA: Overview of the Sub-processors.
Apart from this, the Data Processor may not process Personal Data, or use Sub-processors that process Personal Data, outside the EU/EEA without prior written approval from the Data Controller. The Data Processor shall ensure that there is a legal basis for the processing of Personal Data outside the EU/EEA, or facilitate the establishment of such a legal basis.
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall, in relation to the Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
In assessing the appropriate level of security, the Data Processor shall take account in particular of the risks presented by the processing, in particular from a Personal Data breach. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, and unlawful access.
8. PERSONAL DATA BREACH
In case of a Personal Data breach involving Personal Data processed on behalf of the Data Controller, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Applicable Data Protection Law, including Article 33 in the GDPR. The Data Processor shall notify the Data Controller in writing without undue delay, but no later than 24 hours after becoming aware of such a Personal Data breach.
The Data Processor is obliged to assist the Data Controller in fulfilling the obligations in Articles 32 to 36 of the GDPR. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service, at an hourly rate of 120 EUR. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to fulfill the Data Controller’s obligations.
10. DOCUMENTATION AND SECURITY AUDITS
The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available for the Data Controller on request.
The Data Processor is obliged to give the Data Controller access to its written technical and organizational security measures and to provide assistance so that the Data Controller can fulfill its responsibilities pursuant to the Personal Data Act and the General Data Protection Regulation.
The Data Processor shall keep a record of the processing activities, which shall contain at least the information required under Article 30 of the GDPR. The Data Controller may at any time request a copy of such record.
The Data Processor shall regularly conduct security audits and shall submit the results of the audit to the Data Controller on request. The Data Controller shall be entitled to conduct audits and inspections regularly, for systems, etc. covered by this DPA, in accordance with the requirements of the Personal Data Act, the Personal Data Regulations, and the General Data Protection Regulation.
Audits may be carried out by a third party mandated by the Data Controller. The third party will be subject to confidentiality (including signing declarations of confidentiality). The audit does not include information concerning the Data Processor’s trade secrets. This includes, but is not limited to, product know-how, algorithms, software code, test results, processes, inventions, research projects, etc. The Data Processor shall however provide all the information necessary to the Data Controller or an appointed third party during such audit to fulfill the minimum requirements under applicable Data Protection Laws. The Data Processor may offer assistance to the third party mandated by the Data Controller, at an hourly rate of 120 EUR.
11. FULFILLING THE RIGHTS OF THE DATA SUBJECTS
To the extent the Data Controller requires additional assistance from the Data Processor that goes beyond what is necessary and reasonable in order to fulfill the rights of the data subject and to fulfill the Data Processor’s obligations, the Data Processor may offer such assistance as a separately paid service, at an hourly rate of 120 EUR. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfill the Data Controller’s obligations.
12. THE DURATION OF THE DPA AND THE PROCESSING
The DPA applies as long as the Data Processor processes Personal Data on behalf of the Data Controller according to the Principal Agreement.
13. TERM AND TERMINATION
The DPA may be terminated in accordance with the termination clauses in the Principal Agreement. Termination of the underlying Principal Agreement also constitutes a termination of the DPA.
The parties may claim damages in respect of any direct loss in relation to breaches of this DPA. The liability for damages does not extend to indirect loss, including lost profits or anticipated savings. Loss of data is considered an indirect loss. The maximum damages that can be awarded pursuant to this DPA are limited to a sum equivalent to the maximum liability in the Principal Agreement.
This clause is not applicable in the event of liability under Articles 82 and 83 of the GDPR and each party is liable for costs and administrative fines according to Articles 82 and 83 of the GDPR.
15. RETURN, DELETION, AND/OR DESTRUCTION OF DATA UPON TERMINATION OF THE DPA
Upon termination of this DPA, the Data Processor shall (i) cease all its processing activities and (ii) at the Data Controller’s choice, delete and/or return all Personal Data, or copies thereof, received on behalf of the Data Controller pursuant to this DPA. The duty to delete applies as long as Applicable Data Protection Law does not require the Personal Data to be stored. The Data Processor may anonymize all Personal Data received from or on behalf of the Data Controller which is covered by this DPA.