Data Processing Agreement
LAST REVIEWED AND UPDATED SEPTEMBER, 2023
The Agreement sets forth the rights and obligations of the Parties according to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), and the applicable Norwegian law implementing the GDPR (hereinafter together referred to as “Applicable Data Protection Law”).
For the purposes of this Agreement, “Controller”, “Data Subject”, “Processor”, “Process/Processing/Processed”, “Personal Data”, “Personal Data Breach” and “Supervisory Authority” shall have the meanings provided in Applicable Data Protection Law.
For clarity, this Agreement will not apply to personal data which Vind Technologies AS Processes as a Controller. This Processing is further described and governed by Vind Technologies AS’s Privacy Notice.
2. Description of purpose and processing activities
In connection with the agreement entered into between the Controller and the Processor (the “Main Agreement”), the Processor will have access to and Process Personal Data on behalf of the Controller. In the event of conflict between the Main Agreement and this Agreement, this Agreement shall prevail.
The types of Personal Data, categories of Data Subjects, Processing activities, and the nature and purpose of the Processing being carried out on behalf of the Controller are set out in Data Processing Description.
The Processor is only entitled to access, use, update, amend and store the Personal Data to the degree necessary to comply with the Processor’s obligations pursuant to the Main Agreement or Applicable Data Protection Law. However, the Processor may use aggregated, non-identifiable data for its own or another’s purposes.
3. Requirements for the processing
The Processor shall only Process Personal Data in accordance with this Agreement, instructions from the Controller and Applicable Data Protection Law, and not Process Personal Data for any other purposes.
The above limitation does not apply in so far as the Processor is obligated to Process the Personal Data pursuant to national law or EU/EEA law. In the event of any such obligation, the Processor shall notify the Controller, unless mandatory law prevents the Processor from disclosing this information.
If, in the Processor’s opinion, an instruction from the Controller is in violation of Applicable Data Protection Law or other mandatory national or EU/EEA law, the Processor shall notify the Controller thereof.
The Processor shall ensure that measures are implemented in accordance with Applicable Data Protection Law requirements in order to ensure confidentiality (i.e. that Personal Data are not disclosed to unauthorized persons or parties), integrity (i.e. that the information is not unintentionally changed in relation to the Processing) and availability (i.e. that the persons who require access to the data have the necessary access) in relation to the Processing of Personal Data.
Unless otherwise agreed, the Processor shall treat all Personal Data received in accordance with this Agreement as confidential. The obligation of confidentiality applies both during and after the term of the Agreement.
The Processor shall ensure that the Personal Data are Processed solely by reliable personnel who are:
- only granted access to the Personal Data on a need-to-know basis;
- made familiar with the regulatory requirements applicable to the Processor’s Processing of Personal Data; and
- subject to appropriate confidentiality obligations.
4.1 Security of Processing
The Processor will implement and maintain appropriate technical and organizational security measures (i) to protect the Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and other breaches of security in accordance with Article 32 (1) of the GDPR, and (ii) to comply with any other standards or norms that the Parties agree upon in writing.
The security measures under item (i) above shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include, as appropriate:
a) The pseudonymisation and encryption of Personal Data;
b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;
c) The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; and/or
d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
The Processor shall document the routines and measures implemented in order to comply with the requirements set out in item a) through d) above. The documentation shall be available upon the Controller’s request.
4.2 Security incidents and notification (Personal Data Breach)
Upon becoming aware of any Personal Data Breach, the Processor shall, without undue delay, notify the Controller and provide all information and cooperation that the Controller may require in order for the Controller to fulfil its Personal Data Breach requirements under Applicable Data Protection Law. Furthermore, the Processor shall take such measures and actions as are necessary to remedy and mitigate the effects of such security breach.
5. Compliance Assistance
The Processor shall, taking into account the nature of the Processing and the information available to the Processor, upon the Controller’s request reasonably assist:
- the Controller in carrying out a data protection impact assessment (DPIA), and (if required) in consultations with its relevant supervisory authority, in accordance with Articles 35 and 36 GDPR;
- the Controller with fulfilling its obligations pursuant to Articles 32 to 34 of the GDPR; and
- the Controller with responding to (i) requests from data subjects to exercise their rights under the GDPR (e.g., the rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) other correspondence, enquiries or complaints received from a data subject, supervisory authority or other third party in connection with the Processing of the Personal Data.
If any request, correspondence, enquiry, or complaint is made by data subjects directly to the Processor, the Processor shall inform the Controller without undue delay, providing the necessary details of the same.
6. Audit and compliance review
The Processor shall maintain accountability documentation in relation to the Personal Data Processed under the Agreement (as may be defined, described or required under Applicable Data Protection Law), including written records of the Personal Data Processing carried out on behalf of the Controller.
The Processor shall permit the Controller to monitor compliance with the terms of this Agreement, including by giving access to accountability documentation, and otherwise assist in a manner necessary in order for the Controller to comply with applicable law requirements.
Unless otherwise agreed or as follows from Applicable Data Protection Law, the Controller shall be granted access to Personal Data that are Processed under this Agreement and the systems that are used for this purpose.
The Controller’s right to review the Processor’s compliance with this Agreement shall be subject to no less than one (1) month’s written notice to the Processor, shall be performed during the Processor’s ordinary business hours, and be limited to one (1) review not exceeding two (2) business days per year.
7. Use of sub-processors
The Processor may not use third parties to assist with Processing of Personal Data or subcontract any Processing of Personal Data (“Sub-Processors”) without the prior written authorization of the Controller. The Processor shall impose data protection terms on Sub-Processors it appoints in accordance with the foregoing sentence which are in accordance with the data protection obligations set out in this Agreement.
By entering into this Agreement, the Controller gives to the Processor its general authorization to engage Sub-Processors in its Processing of Personal Data on behalf of the Controller.
A list of the Sub-Processors engaged by the Processor at the time of this Agreement, and which the Controller has pre-approved, is set out in Sub-Processors.
In the event that the Processor replaces any of the Sub-Processors included in Sub-Processors, or engages a new Sub-Processor, the Controller shall be entitled to 14 days’ written notice informing the Controller of the Processor’s intentions. The Controller shall on reasonable grounds be entitled to object to the Processor’s change or addition of Sub-Processors. If the Controller objects to the Sub-Processor, the Parties shall negotiate in good faith to find a solution to address the Controller’s reasonable concerns.
The Processor shall keep an updated list of all Sub-Processors engaged in the Processing of Personal Data on behalf of the Controller available at the Controller’s request at all times.
For the avoidance of doubt, the Processor shall remain responsible for any acts and/or omissions of its Sub-Processors as if such acts and/or omissions were carried out by the Processor itself.
8. Transfers of personal data to third parties
The Processor shall not Process, or cause the Personal Data to be Processed by Sub-Processors, outside the EEA without the Controller’s prior authorization. The Controller hereby gives the Processor its authorization as set out in the preceding sentence, provided that the Processor:
- provides the Controller reasonable written notice, informing the Controller of the contemplated transfer of Personal Data to a third country; and
- has implemented the necessary measures to ensure an essentially equivalent level of protection for the Personal Data in accordance with the GDPR.
The Processor shall ensure that there is a valid basis pursuant to the GDPR Chapter V for any transfers of Personal Data to third countries. Where so required, the Processor shall enter, and Controller authorizes Processor to enter, standard contractual clauses for data transfers between EU and non-EU countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (or any successor thereto) with the third country recipient of the Personal Data (processor to processor transfers).
The Controller shall be entitled to object to the transfer if there is reasonable cause to believe that the transfer in question would be detrimental to the data protection requirements set out herein. However, if the Controller objects to the transfer, the Processor may not be able to fulfil its obligations under the Main Agreement (or parts thereof) to Controller.
9. Term and Termination
The Agreement shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller for the purpose described in this Agreement and in connection with the Main Agreement.
If the Main Agreement is terminated, the Agreement shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller.
10. Data erasure and retention
Upon termination of this Agreement in accordance with Section 9 of this Agreement, the Controller may instruct the Processor to immediately return to the Controller all of the Personal Data and any copies thereof which the Processor is Processing or has Processed on behalf of the Controller and/or securely destroy the same. Notwithstanding the above, the Processor may retain such Personal Data if the Processor is under a legal obligation to retain it under national or EU/EEA law.
11. Limitations of liability
The liability and indemnification provisions of the Main Agreement shall apply with respect to the obligations of the Parties under this Agreement.
Claims from Data Subjects for material or non-material damage resulting from an infringement of the GDPR shall be settled in accordance with Article 82 of the GDPR.
The Processor shall be entitled to compensation from the Controller, calculated on a time and materials basis, for its assistance and participation pursuant to Section 5 (Compliance assistance) and Section 6 (Audit and compliance review) above.
13. Governing law and legal venue
The Agreement is subject to Norwegian law and the parties agree on Oslo District Court (Oslo tingrett) as the legal venue. This also applies after termination of the Agreement.
14. Pre-approved Sub-Processors
This table includes the list of the Sub-Processors which in accordance with Section 7 of the main body of the Agreement have been pre-approved by the Controller. If the Processing takes place outside the EEA, the measures implemented to ensure an adequate level of protection for the Personal Data shall be set out in the rightmost column.