Terms and privacy policy

1. BACKGROUND, PURPOSE AND DEFINITIONS

The parties of this data processor agreement have entered into an agreement (the “Agreement”) regarding access to services that the data processor offers to the data controller in order to be used by the data controller’s personnel.

In connection with these services, the data processor will process personal data on behalf of and act as data processor for the data controller.

This data processing agreement regulates the rights and obligations of the parties to ensure that all processing of personal data takes place in accordance with current legislation on the processing of personal data, including the EU’s data protection regulation 2016/679 (“GDPR”) and in the current data protection legislation that implements this.

The data processor will process personal data to the extent necessary to fulfill the Agreement, as specified in Appendix 1. The background for, the nature of, the purpose of, categories of personal data and categories of registered persons are specified in Appendix 1.

The terms “personal data”, “sensitive personal data”, “processing”, “controller”, “data processor”, “the data subject”, etc. used in this data processor agreement shall have the same meaning as according to the GDPR and applicable privacy legislation.

 

2. OBLIGATIONS OF THE PROCESSOR

The data processor confirms that he/she:

  • Has sufficient legal basis for processing personal data,
  • Has the right to allow the data processor to process the personal information,
  • Must implement sufficient technical and organizational measures to ensure and document compliance with applicable legislation.

 

3. DATA PROCESSOR’S OBLIGATIONS

 

3.1. Compliance with applicable law

The data processor must comply with all provisions for the protection of personal data laid down in this data processor agreement and in applicable privacy legislation.

The data processor must comply with the instructions and routines given by the data controller with regard to the processing of personal data. The data processor must immediately notify the data controller if the data processor is of the opinion that an instruction from the data controller is contrary to the applicable privacy legislation.

The data processor must assist the data controller in ensuring and documenting that the data controller complies with its obligations under the applicable data protection legislation.

 

3.2. Restrictions on processing

The data processor must only process personal data on, and in accordance with, instructions from the data controller, except when:

  1. Data processor is obliged to process personal data in accordance with prescriptive legislation. In that case, the Data Processor must notify the data controller before processing begins, unless such notification is prohibited.
  2. The data processor must process personal data in order to fulfill its obligations towards the Data Controller after the termination of the Agreement. In that case, this data processor agreement shall apply until the processing ceases.

 

3.3. Information security

 

3.3.1. Duty to ensure information security

The data processor shall, by means of planned, systematic, organizational, and technical measures, ensure sufficient information security with regard to confidentiality, integrity and availability in connection with the processing of personal data in accordance with the provisions on information security in the current privacy legislation.

 

3.3.2. Assessment of measures

In assessing which technical and organizational measures are to be implemented, the Data Processor, in consultation with the Data Controller, shall take into account:

  • Best practice,
  • The cost of implementation,
  • The nature and scope of the processing,
  • The context and purpose of the processing,
  • Seriousness of the risk the processing of personal data entails for the data subject’s rights.

The data processor shall, in consultation with the data controller, assess:

  • Implementation of pseudonymization and encryption of personal data
  • The ability to ensure ongoing confidentiality, integrity, availability, and robustness of processing systems and services
  • The ability to restore availability and access to personal data in a timely manner in the event of physical or technical incidents
  • A process for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures for the security of the processing

 

3.3.3. Requests from the data subject

Taking into account the nature of the processing, the Data Processor must implement sufficient technical and organizational measures to support the Data Controller’s duty to answer questions about the exercise of the data subject’s rights in accordance with GDPR chapter 3.

 

3.3.4. Assistance to the Data Controller

The data processor must provide assistance so that the data controller can fulfil its own responsibilities under law and regulations, including assisting the Data Controller to:

  • Implement technical and organizational measures as mentioned above,
  • Comply with the obligation to notify supervisory authorities and registered persons as a result of deviations,
  • Carry out assessments of privacy consequences (“data privacy impact assessments”),
  • Carry out prior discussions with supervisory authorities when an assessment of privacy consequences makes this necessary
  • Notify the Data Controller if the Data Processor believes that an instruction from the Data Controller is contrary to the applicable privacy regulations.

 

Assistance as mentioned above must be carried out to the extent necessary based on the Data Controller’s needs, the nature of the processing and the information available to the Data Processor.

 

3.4. Deviations and notification of deviations

 

Any use of the information systems and personal data contrary to established routines, instructions from the Data Controller or applicable privacy legislation, as well as security breaches, shall be treated as deviations.

The data processor must have routines and systematic processes for following up on deviations, which must include re-establishing the normal state, eliminating the cause of the deviation, and preventing repetition.

The data processor must immediately notify the Data Controller of:

  1. Any breach of this Data Processor Agreement
  2. Accidental, illegal or unauthorized access, use or disclosure of Personal Data, or that Personal Data may have been compromised, or
  3. Breach of the integrity of personal data

The data processor shall provide the data controller with all information necessary to enable the Data Controller to comply with the applicable legislation on the processing of personal data and to enable the data controller to respond to inquiries from data supervisory authorities. It is the data controller’s responsibility to report deviations to the Norwegian data protection authority in accordance with current legislation.

 

3.5. Confidentiality

The data processor has a duty of confidentiality regarding personal data and other confidential information, including trade secrets. The data processor must ensure that everyone who performs work for the data processor, whether employees or contractors, who has access to or is involved in the processing of personal data according to the Agreement, (i) is subject to a duty of confidentiality, and (ii) is informed of and complies with the obligations under this Data Processor Agreement. The confidentiality obligation also applies after termination of the Agreement and the data processing agreement.

 

3.6. Security audits

The data processor must regularly carry out security audits for systems and the like that are relevant to the processing of personal data covered by this Data Processor Agreement. The controller must have access to reports documenting security audits.

The controller has the right to demand a security audit carried out by an independent third party. The relevant third party will prepare a report which will be handed over to the Data Controller on request. The data controller agrees that the data processor can calculate a special remuneration for carrying out the audit according to the current hourly rates.

The data controller can show such a report to supervisory authorities and others who have a right to know the content.

 

4. LIABILITY, BREACH

 

4.1. Procedure

In the event of a breach of this data processor agreement or obligations under current legislation on the processing of personal data, the relevant provisions in the Agreement on procedure for handling breaches/defaults shall apply.

The data processor must notify the data controller without undue delay if the Data Processor will not be, or has reason to believe that it will not be, able to comply with its obligations under this data processor agreement.

 

4.2. Liability and limitation of liability

The data processor is responsible for compensation for direct financial loss, including administrative sanctions and fees, and compensation claims directed against the data controller, as a result of the Data Processor’s breach of any of its obligations under this data processing agreement.

Total compensation per calendar year under this section 4.2 is limited to an amount equivalent to NOK 500,000.

If the data processor or anyone responsible for gross negligence or intent, the aforementioned compensation limitations do not apply.

 

5. DURATION, TERMINATION OF THE DATA PROCESSING AGREEMENT, CHANGES

This Data Processor Agreement shall apply from the date it is signed by both parties and until the Agreement expires, or until the Data Processor’s obligation to provide services in accordance with the Agreement ceases for any other reason, with the exception of the provisions in the Agreement and the data processor agreement that continue to run after termination.

At the conclusion of this data processor agreement, personal data must be returned in a standardized format on a suitable medium together with the necessary instructions to facilitate the Data controller’s further use of the personal data. The Data Processor must first return and then delete all personal data, unless prescriptive legislation prevents the data processor from such deletion.

As an alternative to returning the personal information, the data controller may, at its own discretion, instruct the Data Processor in writing that all or parts of the Personal Information shall be deleted without return.

The obligations according to section 3.5 and section 4 shall continue to apply after the conclusion of the data processing agreement. Furthermore, the provisions in the data processor agreement shall apply in full to any personal data retained by the data processor in violation of this section 5.

 

6. DISPUTES AND JURISDICTION

This data processor agreement shall be subject to and interpreted in accordance with Norwegian law.

The agreed venue is the Oslo district court.

 

 

APPENDIX 1 – SPECIFICATION OF PROCESSING ACTIVITIES

 

1. CATEGORIES OF DATA SUBJECTS

The personal data that is processed in accordance with the data processing agreement concerns the following categories of data subjects:

  • Employees, consultants, and other persons who work for the Data Controller
  • Contact persons at the data controller’s suppliers, customers and other business partners

 

2. INFORMATION CATEGORIES

The categories of personal data that are processed in accordance with the data processing agreement are:

  • Contact information, such as name, age, gender, place of work, role, position, telephone number, e-mail, size of company and how many people the participant is the manager of.
  • When courses are started and finished.
  • Participation, answers, results and other content in connection with courses, trainings, games and other applications offered to the data controller as part of the data processor’s services

 

3. SENSITIVE PERSONAL INFORMATION (IF APPLICABLE)

  • None

 

4. PURPOSE OF THE PROCESSING

The purpose of the processing is to perform the services in accordance with the Agreement, i.e. to create content and develop, offer and maintain systems and applications for digital courses and to give the data controller’s users access to these systems and applications as well as their content and results. The information will also be processed in anonymized form so that the Data Processor can keep statistics on which companies they reach out to over time and see attitude trends in the companies.

 

5. HOW LONG IS THE INFORMATION STORED?

E-mails to the data controller can be removed by the data processor at any time, but current courses require the existence of a contact person from the company, so in reality the e-mail must be replaced with another one.

All information is automatically deleted 6 months after the course has been completed or archived.