Between
[Kunde], business reg. no. [Organisasjonsnummer] (the “Controller”)
and
[Databehandler], business reg. no. [Organisasjonsnummer] (the “Processor”)
an agreement on the processing of personal data is entered into (the “Agreement”) on the background of an agreement entered into where the Processor is the supplier, and the Controller is the customer of [Dato hovedavtalen (“Main Agreement”) ble inngått] (the “Main Agreement”).
The Processor shall process the personal data on behalf of the Controller concerning the above-said.
The nature and purpose of the processing of personal data, the duration of the processing of personal data, the subject matter of the processing of personal data, the types of personal data to be processed, the categories of data subjects to whom the personal data relates and other obligations and rights of the Controller are included in Appendix to this Agreement.
This Agreement shall provide for the processing of personal data in accordance with the regulation the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR“) as implemented into Norwegian legislation in the Personal Data Act of 14 April 2000 no. 31, and in accordance with other relevant legislation which concerns the processing of personal data under the Agreement (“Personal Data Regulation”).
The Processor shall process the personal data only in the way described in the Agreement, as agreed in writing with the Controller, or as instructed by the Controller.
Terms and definitions used in the Agreement shall be construed in the same way as in the Personal Data Regulation.
The Processor confirms that it will implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject, inclusive comply with the requirements in GDPR Article 32. Other duties are set forth under Section 5. The Controller shall at any time have the legal rights to the personal data.
The Processor shall only process the personal data under the instructions given by the Controller. The Processor shall be able to document such instructions if requested. The Processor shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Controller.
The Processor shall, considering the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III. In addition, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of processing and the information available to the Processor. If there are an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42, which the Processor has undertaken to comply with, the Processor shall comply with such code of conduct or certification mechanism at any time during the term of this Agreement.
The Processor shall maintain a record of processing activities which the Processor performs for the Controller. The record shall contain at a minimum the information required under GDPR Article 30 no. 2.
The Processor shall make available to the Controller all information reasonable and necessary to demonstrate compliance with the obligations laid down in this Section 2 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, which is reasonable and necessary under the legal obligations. The Controller is however solely responsible for the contact and communication with the supervisory authorities, such as Datatilsynet in Norway, and the Processor shall not contact the supervisory authorities about the processing unless this has been cleared with the Controller.
The Processor has a duty of confidentiality regarding the personal data and other information the Processor receives as part of the Agreement and the processing of personal data, and shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality shall survive any termination of the Agreement.
The Processor shall not transfer or give access to the personal data or information which the Processor processes or handles on behalf of the Controller to a third party without the explicit instruction from the Controller. Any requests regarding the personal data or the processing from others or the data subject shall be forwarded to the Controller without undue delay if not otherwise agreed in this Agreement or by instruction by the Controller.
If the Processor is in the opinion that an instruction by the Controller infringes the Personal Data Regulation, the Processor shall immediately inform the Controller.
The Controller is responsible for ensuring that personal data is processed in accordance with the Personal Data Regulation, and has both a right and an obligation to decide which purposes and which aids can be used in the processing carried out by the data processor. Therefore, the Controller must provide the data processor with documented instructions for how personal data is to be processed, where the instructions can either be part of this Agreement or attached to the Agreement. The instructions may also be given after entering into the Agreement.
The Controller has the right to terminate the Agreement if the Processor no longer meets the requirements pursuant to Article 28 no. 1.
The Processor shall not engage another supplier for the processing of the personal data (sub-processor) without prior specific or general written authorisation of the Controller, and the sub-processor has confirmed that it undertakes to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject.
Any approved sub-processors are included in the Appendix to this Agreement.
Any sub-processor shall be imposed the same obligations as the Processor set forth in the Agreement in a written, binding agreement wherein the sub-processor is providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Personal Data Regulation. Where that sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for performing of the subprocessor’s obligations.
The Processor shall comply with the requirements for security given in the Personal Data Regulation and any best practice/branch standards relevant for the processing. The Processor shall provide documentation of technical and organisational measures implemented to ensure the security of the personal data upon the request of the Controller.
In case of a personal data breach, the Processor shall without undue delay notify the Controller. Such notification shall at least:
If not all information above may be given in the first notice, the information shall be provided as soon as possible.
The Controller is responsible for notifying the supervisory authorities, such as Datatilsynet in Norway, and the Processor is not to contact or notify the supervisory authorities without the explicit instruction by the Controller.
Personal data shall only be transferred to third countries, i.e. countries outside EU/EEA, which ensure an adequate level of protection upon explicit agreement or instructions by the Controller. The Processor shall not transfer or give access to the personal data to persons in third countries without the explicit approval of the Controller. The consent or instruction given by the Controller must cover the country which the personal data shall be transferred to or accessed. For the transfer to or access from third countries for personal data, it is required that the appropriate safeguards, including with regard to the rights of data subjects, be complied with.
This Agreement shall be effective and stay in force as long as the Processor (and its permitted sub-processors) processes personal data on behalf of the Controller in the context of the Main Agreement.
Upon breach of this Agreement, of instructions given by the Controller or on the Personal Data Regulation, the Controller may instruct the Processor to stop the processing of the personal data with immediate effect.
Upon termination of this Agreement, regardless of reason, the Processor (and its permitted sub-processors) shall delete or return any or all personal data to the Controller, subject to the Controllers instructions, in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of such data, and delete all copies of those personal data.
The Controller shall receive a written confirmation from the Processor that all personal data has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, printout or any other representation of such data on any medium.
Other obligations and rights are governed by the Main Agreement between the Controller and the Processor regarding the services that necessitate the processing of personal data and this Agreement. The same contact persons apply for the Agreement as under the Main Agreement.
If the Main Agreement is transferred, this Agreement shall be transferred accordingly.
The Controller | The Processor |
_______________________ | _______________________ |
[Include name] | [Include name] |
The nature and purpose of the processing of personal data
[Formålet med behandlingen]
The duration of the processing of personal data
[Varigheten av behandlingen]
The subject matter of the processing of personal data
[Behandlingens art]
The types of personal data to be processed
[Typer personopplysninger som skal behandles]
Security measures in the processing
[Sikkerhetstiltak i databehandlingen]
Sub-processors
[Underdatabehandlere ved inngåelse av avtalen]