Evidi Integration Services - Data Processing Agreement
This data processing agreement (the “Agreement”) is entered into between:
-
Evidi AS, a Norwegian limited company/company with registration number 927 119 781 (“Data Processor“); and
-
The company which has signed an Integration Services agreement, and, in connection therewith, has agreed to be bound by Evidi’s Privacy Policy and this Agreement (“Data Controller“).
1. Background
The Data Processor Processes Personal Data on behalf of the Data Controller. This Agreement governs the Processing of Personal Data that the Data Processor performs on behalf of the Data Controller. The Data Processor shall process Personal Data only in accordance with the listed and agreed specified purposes under this Agreement. The Norwegian Personal Data Act with Regulations, and EU Regulation 2016/679, contains requirements for the governing of the relationship between the Data Processor and the Data Controller, and for the security and organizational measures that must be implemented to ensure lawful and secure processing of Personal Data. This Agreement has therefore been entered into to ensure that Personal Data is processed only in accordance with applicable laws and regulations, and only upon instructions from the Data Controller.
1.1 Definitions
- GDPR (General Data Protection Regulation) means EU Regulation 2016/679.
- Personal Data means any information relating to an identified or identifiable natural person, cf. Article 4 (1) of the GDPR.
- Data Subject(s) means any information relating to an identified or identifiable natural person of whom the Data Controller has Personal Data, cf. Article 4 (1) of the GDPR.
- Processing means any operation or set of operations which is performed on Personal Data, cf. Article 4 (2) of the GDPR.
- Data Controller means the natural or legal person under this Agreement, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, cf. Article 4 (7) of the GDPR.
- Data Processor means Evidi AS, the legal entity that Processes Personal Data on behalf of the Data Controller, cf. Article 4 (8) of the GDPR.
- Third Country means countries outside the EU/EEA which are not considered to ensure adequate level of protection for the Processing of Personal Data.
2. Processing of Personal Data
2.1 Personal data to be processed
The Data Processor delivers a Integration Service solution to the Data Controller and the Data Controllers customers and will Process Personal Data on behalf of the Data Controller and its customers in this regard. The categories of Personal Data to be Processed pursuant to this Agreement are specified in Appendix 1 to this Agreement.
2.2 Purpose of the Processing of Personal Data
The purpose of the Data Processor’s Processing of Personal Data pursuant to this Agreement is:
- System Integrations between the data Controller and its customers.
- Message tracking (searching) functionality for all types of message content.
- Support and error-detection
3. Data Controller’s obligations
The Data Controller confirms that:
- There is adequate basis for the Processing of Personal Data;
- The Data Controller is entitled to and responsible for the legality of the transfer of Personal Data to the Data Processor;
- The Data Controller is responsible for the accuracy, integrity, content, reliability and legality of the Personal Data being Processed; and
- The Data Controller has notified the Data Subjects in accordance with the current statutory requirements.
The Data Controller shall ensure that Personal Data is processed in accordance with the GDPR, respond to the Data Subjects’ inquiries and ensure that adequate technical and organizational measures are taken to secure the Personal Data Processed, cf. Article 32 of the GDPR. The Data Controller is obliged to report nonconformity to the relevant supervisory authorities and, if applicable, to the Data Subject without undue delay in accordance with applicable legislation.
4. Data Processor’s obligations
4.1 Basic obligations
- Data Processor shall only process Personal Data upon, and in accordance with, instructions from the Data Controller and in accordance with the GDPR. The Data Processor shall not use Personal Data in messages for its own purposes.
- The Data Processor shall not process Personal Data without prior written agreement with the Data Controller or written instructions from the Data Controller beyond what is necessary for the purposes specified in this Agreement.
- The Data Processor shall assist the Data Controller in ensuring and documenting that the Data Controller complies with the obligations under applicable law on the Processing of Personal Data.
- The Data Processor shall notify the Data Controller if the Data Processor believes it receives instructions from the Data Controller that violates the GDPR.
4.2 Data security
The Data Processor shall ensure, through planned, systematic, organizational and technical measures, adequate data security in relation to confidentiality, integrity and availability in the Processing of Personal Data in accordance with Article 32 of the GDPR.
4.3 Assistance to Data Controller
Data Processor shall provide assistance in such a way that the Data Controller can safeguard its own liability according to law and regulation, including assisting the Data Controller in:
- The Data Processor shall implement technical and organizational measures to assist the Data Controller in responding to inquiries regarding the exercise of the Data Subjects’ rights.
- Observing duty of notification to supervisory authorities and Data Subjects as a result of non-conformity,
- Performing assessment of data privacy implications (“DPIA, Data Privacy Impact Assessments”),
- Performing preceding discussions with supervisory authorities when an assessment of data privacy implications makes it necessary,
- Notifying the Data Controller if the Data Processor believes that a Data Controller’s instruction is in violation of applicable data privacy regulations.
Such assistance as mentioned above shall be carried out to the extent required by the Data Controller’s needs, the nature of the Processing and the information available to the Data Processor.
All assistance to the Data Controller provided by the Data Processor, as described in this clause 4 and elsewhere in this Agreement, shall be compensated by the Data Controller in accordance with the Data Processor’s at all times applicable hourly rates and payment terms.
4.4 Procedures and notification at security breaches
The Data Processor shall without undue delay notify the Data Controller of any violation of this Agreement or accidental, unlawful or unauthorized access, use or disclosure of Personal Data, or that Personal Data may have been compromised or that the integrity of the Personal Data may have been violated.
The Data Processor shall provide the Data Controller with all necessary information to enable the Data Controller to comply with applicable law regarding the processing of Personal Data and enable the Data Controller to answer inquiries from data protection authorities. The Data Controller shall report nonconformities to the Data Protection Authority in accordance with applicable legislation.
4.5 Confidentiality
The Data Processor has confidentiality in relation to Personal Data. The Data Processor shall ensure that anyone performing work for the Data Processor, either employees or hired staff, who have access to or are involved in the Processing of Personal Data under the Agreement (i) are subject to confidentiality and (ii) are notified of and comply with the obligations under this Agreement. Confidentiality also applies after the Agreement has been terminated.
4.6 Annual security audits
The Data Controller acknowledges that the Data Controller’s right to conduct audits under GDPR is fulfilled through the fact that the Data Processor ensures that an independent third party, appointed by the Data Processor, performs a systemic audit of the system on a regular basis. The main results of the audit are made available to the Data Controller on request for a fee decided by the Data Processor. The Data Processors assistance in the Data Controllers audit will be compensated by the Data Controller in accordance with the Data Processor’s all times applicable hourly rates and payment terms.
4.7 Processing of Personal Data for testing purposes
The Data Processor shall only Process Personal Data for testing purposes, including transfer to a Third Country, if the Data Controller has given its explicit and written pre-approval to such Processing in advance.
If the Data Controller has given such pre-approval, the Data Processor, shall ensure the Personal Data being processed during the testing are adequate, relevant and limited to what is necessary for the purposes they are being processed for (“data minimization”). In this context the Data Processor shall on an on-going basis assess measures such as pseudonymization and/or anonymization and/or other measures strengthening the level of data protection and privacy.
In addition, any use of subcontractors that is related to testing which may involve Processing of Personal Data, shall be in compliance with the provisions in the Agreement related to use of Subcontractors.
5. Use of Subcontractors
5.1 Subcontractors
The Data Controller approves the Subcontractors as set out in Appendix 1. The Data Processor shall also be entitled to engage subcontractors acting as sub-processors under the condition that such subcontractors are bound by a written contract which states that it must adhere to the similar data protection, privacy and audit obligations as the Data Processor under this Agreement.
5.2 Agreement with Subcontractors
The Data Processor shall ensure that Subcontractors do not Process Personal Data covered by the Agreement in any way other than what is necessary to provide the service, and that the Personal Data is not left to others for Processing without this being in accordance with the Agreement or agreed in advance in writing with the Data Processor.
The Data Processor shall ensure that any agreement with a Subcontractor contains the necessary provisions regarding the Processing of Personal Data in accordance with Article 28 of the GDPR. The Data Processor is responsible for the Subcontractor Processing Personal Data in accordance with the requirements of the GDPR.
5.3 Change of Subcontractor
If the Data Processor plans to replace or use a new subcontractor, the Data Processor shall notify the Data Controller in writing two (2) months before the new subcontractor begins Processing Personal Data, and the Data Controller may within one (1) month oppose the change. In the event the Data Processor is unable to remove the subcontractor according to the Data Controller ́s request, the Data Processor and the Data Controller are entitled to terminate the Agreement and the other terms and conditions between the Parties related to the Agreement with one (1) month written notice. The possibility to raise compensation claims on this basis against the other Party are hereby explicitly excluded.
5.4 Subcontractors outside the EU/EEA
The Data Processor is not allowed to enter into agreements with Subcontractors outside countries outside the EU/EEA for auditing or storage of Personal Data. The same applies even if Personal Data is kept or stored in the EU/EEA, when personnel with access to the data are located outside the EU/EEA. If the Data Controller approves Subcontractors of Countries outside the EU/EEA to handle, transfer, or audit Personal Data the legal responsibility is fully left to the Data Controller.
6. Liability, limitation of liability
The Data Processor and the Data Controller is responsible for its own acts and omissions that may cause or result in a financial loss or fine as a consequence of its insufficient compliance with its obligations under this DPA and the GDPR. The Data Processor are not liable for any incompliance or unlawful act by it if such act derives from instructions given by the Data Controller, or any act or omission of the Data Controller, provided that the Data Processor has fulfilled its obligations under Article 28 (3) of the GDPR. The regulation of breach, responsibility, and limitation on liability in the Parties Master Agreement will apply to this DPA subsequently and as if this DPA was an integral part thereof. The Parties liability for all cumulated claims and damages that may arise under the duration of this DPA, is limited to the amount paid by the Data Controller over a one (1) month period to the Data Processor solely, based on the latest invoice issued to the Data Controller. The Data Processor is not liable for financial loss or claims from the Data Processors customers using the service.
7. Duration
This Agreement shall apply from the date it has been signed by both parties until the Processing ends. Upon expiration or termination of this Agreement, the Data Controller hereby instructs the Data Processor to delete the Personal Data within 30 calendar days after the last day of the subscription period.
The Data Processor is not entitled to retain a copy of Personal Data or other data provided by the Data Controller in connection with the Agreement in any format, and any physical and logical access to such Personal Data or Data shall be deleted. The Parties shall revise this Agreement in the event of relevant changes to applicable laws.
8. Choice of law and legal venue
This Agreement shall be subject to and interpreted in accordance with Norwegian law. Legal venue shall be Oslo District Court.
9. Change log
Version 1.0: first version published 2022.01.01