1. Background and purpose
This Data Protection Agreement ("DPA") forms part of the Terms for Service ("Principal Agreement") between ShiftX ("Data Processor") and the Customer ("Data Controller"). For the purposes of fulfilling the Principal Agreement, the Processor will process certain Personal Data on behalf of the Controller. This DPA sets forth the terms and conditions pursuant to which the Processor shall process Personal Data on behalf of the Controller under the Principal Agreement.
In this DPA, the following terms shall have the meanings set out below:
- "Data Processor" means Processor or a Subprocessor;
- "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, such as the Norwegian Personal Data Act (LOV-2018-06-15-38) and Personal Data Regulations;
- "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- "GDPR" means EU General Data Protection Regulation 2016/679;
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- "Subprocessor" means a third party subcontractor engaged by the Processor which will Process Personal Data on behalf of the Controller; and
- The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
3. Processing of Personal Data
The Data Processor processes data on behalf of the Data Controller in connection with offering cloud services. The data processed may include personal information. The extracted information will be returned to the Data Controller in a structured format. After processing, the receipts or invoices may be stored for up to 5 years on the Data Processor's systems in order to fulfill the Data Processor's duties to the Data Controller.
The Data Processor will process the following types of personal data on behalf of the Data Controller:
- Name, IP address, contact information, occupation, purchase, and other personal information
The personal data is connected to the following categories of data subjects:
- The employees or customers of the Data Controller.
The Data Processor shall not process personal data in any manner other than as agreed in this DPA and on documented instructions from the Controller. This means that the Data Processor may not process data for purposes other than those stated above or for its own purposes, and may not disclose data to third parties.
4. The Data Processor’s duties
When processing personal data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated in this DPA.
Data Processor shall:
- comply with all applicable Data Protection Laws in the Processing of Personal Data; and
- not Process Personal Data other than on the Controller's documented instructions unless Processing is required by Applicable Laws to which the relevant Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform the Controller before the relevant Processing of that Personal Data.
The Data Processor is obliged to give the Data Controller access to its written technical and organizational security measures and to provide assistance so that the Data Controller can fulfil its responsibilities pursuant to the Personal Data Act and the General Data Protection Regulation.
The Processor undertakes to only Process Personal Data in accordance with documented instructions communicated by the Controller unless required to do so pursuant to the Applicable Data Protection Law.
The Processor shall assist the Controller in fulfilling its legal obligations under Applicable Data Protection Law. In the event the Processor, according to Applicable Data Protection Law, is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor will inform the Controller thereof. The Processor may not in any way act on behalf of or as a representative of the Controller.
Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all personal data being processed on behalf of the Data Controller. The Data Processor shall provide the necessary assistance for this.
The Data Processor may not, without prior written approval from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party. This applies with the exception of Sub-processors engaged pursuant to this DPA.
The Data Processor shall not process personal data outside the EU/EEA, unless otherwise stated in this DPA. If the transferring of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in an EU/EEA member state which the Data Processor is subject to or EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the processing, unless the law prohibits such information from being given.
5. The Data Processor’s opportunity to use sub-processors
The Data Processor may use sub-processors. The Data Processor shall ensure that the Sub-processors are bound by written agreements that require them to comply with data processing obligations corresponding to those contained in this DPA. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
In addition, the Data Processor has the right to use other sub-processors, but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of other processors. The information shall be given at least eight weeks prior to the planned changes taking effect. If the Data Controller does not consent to the change, the Data Controller has the right to terminate the Agreement with three months' notice.
6. Transfer of personal data outside the EU/EEA
Except as otherwise provided in this DPA, the Data Processor may not process, or use sub-processors that process, personal data outside the EU/EEA without prior written approval from the Data Controller. The Data Processor shall ensure that there is a legal basis for the processing of data outside the EU/EEA, or facilitate the establishment of such a legal basis.
The Data Processor shall, in order to assist the Controller in fulfilling its legal obligations under Applicable Data Protection Law regarding security measures and privacy impact assessments, be obliged to take appropriate technical and organizational measures to protect the Personal Data that is Processed, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. The Processor shall comply with any written information security requirements or policies communicated by the Controller from time to time.
The Data Processor shall maintain adequate security for the Personal Data appropriate to the risk of Processing. The Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Data Processor shall implement technical and organizational measures to secure the data.
The Data Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available at request by the Data Controller and the authorities.
8. Personal Data Breach
In case of a Personal Data Breach involving Personal Data Processed on behalf of the Data Controller, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Applicable Data Protection Law, including article 33 in the GDPR. The Data Processor shall notify the Data Controller in writing without undue delay, but no later than 24 hours after becoming aware of such a Personal Data Breach.
The Data Processor's obligations to assist the Data Controller in fulfilling the obligations of the General Data Protection Regulation articles 32 to 36 are considered fulfilled by the Data Processor's obligations according to this DPA. Considering the nature of the processing performed by the Data Processor and the information available to the Data Processor, this assistance is considered sufficient. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor's assistance is necessary in order for the Data Controller to fulfil its obligations.
9. Documentation and security audits
The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available for the Data Controller on request. The Data Processor shall regularly conduct security audits, and shall submit the results of the audit to the Data Controller on request. The Data Controller shall be entitled to conduct audits and inspections regularly, for systems etc. covered by this DPA, in accordance with the requirements of the Personal Data Act, the Personal Data Regulations and the General Data Protection Regulation. Audits may be carried out by a third party mandated by the Data Controller. The third party will be subject to confidentiality (including signing declarations of confidentiality). The audit does not include information concerning Data Processor’s trade secrets. This includes, but is not limited to product know-how, algorithms, software code, test results, processes, inventions, research projects etc.
10. Fulfilling the rights of the data subjects
The Data Processor’s processing on behalf of the Data Controller is not of a nature that makes it necessary or reasonable for the Data Processor to fulfill or assist in fulfilling the Data Controller’s obligations towards data subjects. To the extent the Data Controller requires assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse unless the Data Processor’s assistance is necessary in order to be able to fulfill the Data Controller’s obligations.
11. The duration of the DPA and the processing
The DPA applies as long as the Data Processor processes personal data on behalf of the Data Controller according to the Agreement.
12. Term and termination
The DPA may be terminated in accordance with the termination clauses in the Agreement. Termination of the underlying agreement also constitutes a termination of the DPA.
The parties may claim damages in respect of any direct loss in relation to breaches of this DPA. The liability for damages does not extend to indirect loss, including lost profits or anticipated savings. Loss of data is considered as an indirect loss. The maximum damages that can be awarded pursuant to this DPA is limited to a sum equivalent to the maximum liability in the Agreement.
14. Return, deletion, and/or destruction of data upon termination of the DPA
Upon termination of this DPA the Processor shall (i) cease all its Processing activities and (ii) delete all Personal Data, or copies thereof, received on behalf of the Controller pursuant to this DPA. Unless otherwise agreed, the Data Processor will delete Personal Data within 30 days after the termination has taken effect. The duty to delete applies as long as Applicable Data Protection Law does not require the Personal Data to be stored. The Data Processor may anonymize all personal data received from or on behalf of the Data Controller that is covered by this DPA.
The Data Processor will permanently erase all personal data processed under the DPA (regardless of where and how they are stored), for which the Customer is Data Controller, unless the Data Processor is required by law to store the personal data.
The Data Controller may ask for a confirmation of deletion of data.