Ankerdb's data processing agreement
1. Introduction
1.1 This Data Processing Agreement (the "DPA") is part of the entire agreement (the "Agreement") entered into between:
• Ankerdb AS, a Norwegian limited liability company with registration number 929 804 538 (the "Processor"); and
• The Customer as specified on the applicable Subscription Confirmation which is part of the entire Agreement (the "Controller").
2. Background
2.1 The Processor processes Personal Data on behalf of the Controller.
2.2 This DPA governs the Processing of Personal Data that the Processor performs on behalf of the Controller. The Processor shall process Personal Data only in accordance with the listed and agreed specified purposes under this DPA.
2.3 The Norwegian Personal Data Act with Regulations, and EU Regulation 2016/679, contain requirements for the governing of the relationship between the Processor and the Controller, and for the security and organizational measures that must be implemented to ensure lawful and secure processing of Personal Data. This DPA has therefore been entered into to ensure that Personal Data is processed only in accordance with applicable laws and regulations, and only upon instructions from the Controller.
3. Definitions
3.1 "GDPR" (General Data Protection Regulation) means EU Regulation 2016/679.
3.2 "Personal Data" means any information relating to an identified or identifiable natural person, cf. Article 4 (1) of the GDPR.
3.3 "Data Subject(s)" means any information relating to an identified or identifiable natural person of whom the Controller has Personal Data, cf. Article 4 (1) of the GDPR.
3.4 "Processing" means any operation or set of operations which is performed on Personal Data, cf. Article 4 (2) of the GDPR.
3.5 "Third Country" means countries outside the EU/EEA that are not considered to ensure adequate level of protection for the Processing of Personal Data.
4. Processing of personal data
4.1 Personal Data to be Processed
4.1.1 Under the Agreement, the Processor delivers a proprietary and access-restricted software-as-a-service solution located at ankerdb.com to the Controller, and will Process Personal Data on behalf of the Controller. The categories of Personal Data to be Processed pursuant to this DPA are specified in Appendix 1.
4.2 Purpose of the Processing of Personal Data
4.2.1 The purpose of the Processor's Processing of Personal Data pursuant to this DPA is to provide the Controller with services according to the Agreement.
5. Controller's obligations
5.1 The Controller confirms that:
(i) There is adequate basis for the Processing of Personal Data;
(ii) The Controller is entitled to and responsible for the legality of the transfer of Personal Data to the Processor;
(iii) The Controller is responsible for notifying applicable regulatory authorities and/or Data Subjects in case of a personal data breach, pursuant to applicable data protection regulation;
(iv) The Controller is responsible for the accuracy, integrity, content, reliability, and legality of the Personal Data being Processed; and
(v) The Controller has notified the Data Subjects in accordance with the current statutory requirements.
5.2 The Controller shall ensure that Personal Data is processed in accordance with the GDPR, respond to the Data Subjects' inquiries and ensure that adequate technical and organizational measures are taken to secure the Personal Data Processed, cf. Article 32 of the GDPR.
5.3 The Controller is obliged to report non-conformity to the relevant supervisory authorities and, if applicable, to the Data Subject without undue delay in accordance with applicable legislation.
6. Processor's obligations
6.1 Basic Obligations
6.1.1 Processor shall only process Personal Data upon, and in accordance with, instructions from the Controller and in accordance with the GDPR.
6.1.2 The Processor shall not process Personal Data without prior written agreement with the Controller or written instructions from the Controller beyond what is necessary for the purposes specified in this DPA.
6.1.3 The Processor shall assist the Controller in ensuring and documenting that the Controller complies with the obligations under applicable law on the Processing of Personal Data.
6.1.4 The Processor shall notify the Controller without undue delay if the Processor is of the opinion that an instruction from the Controller is in violation of any applicable data protection regulation.
6.2 Data Security
6.2.1 The Processor shall ensure, through planned, systematic, organizational, and technical measures, adequate data security in relation to confidentiality, integrity and availability in the Processing of Personal Data in accordance with Article 32 of the GDPR.
6.2.2 The measures and the internal control documentation can be made available to the Controller on request.
6.2.3 In the assessment of the technical and organizational measures to be implemented, the Processor shall, in consultation with the Controller, consider:
• Best practice;
• The cost of implementation;
• The nature and extent of the Processing;
• The context and purpose of the Processing; and
• The seriousness of the risk that the Processing of Personal Data entails for the Data Subject's rights.
6.2.4 The Processor shall, in consultation with the Controller, consider:
• Implementation of pseudonymisation and encryption of Personal Data;
• The ability to ensure ongoing confidentiality, integrity, availability and robustness of systems for Processing and services;
• The ability to restore availability and access to Personal Data on time in case of physical or technical incidents; and
• A process for regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures for the security of the Processing.
6.3 Inquiries from Data Subjects
6.3.1 The Processor shall implement technical and organizational measures to assist the Controller in responding to inquiries regarding the exercise of the Data Subjects' rights.
6.4 Assistance to Controller
6.4.1 The Processor shall provide assistance in such a way that the Controller can safeguard its own liability according to law and regulation, including assisting the Controller in:
• Implementing technical and organizational measures as mentioned above;
• Observing duty of notification to supervisory authorities and Data Subjects as a result of non-conformity;
• Performing assessment of data privacy implications (Data Privacy Impact Assessments, the "DPIA");
• Performing preceding discussions with supervisory authorities when an assessment of data privacy implications makes it necessary; and
• Notifying the Controller if the Processor believes that a Controller's instruction is in violation of applicable data privacy regulations.
6.4.2 Such assistance shall be carried out to the extent required by the Controller's needs, the nature of the Processing and the information available to the Processor. Any assistance by the Processor to the Controller is billable according to the Processor's standard rates.
6.5 Procedures and Notification at Security Breaches
6.5.1 Any use of information systems and Personal Data in violation of established procedures, instructions from the Controller or applicable law regarding the processing of personal data, as well as security breaches, shall be treated as non-conformity.
6.5.2 The Processor shall have procedures and systematic processes to follow up non-conformity, including the reestablishment of the normal state, elimination of the cause of the non-conformity, and preventing recurrence.
6.5.3 The Processor shall immediately notify the Controller of any violation of this DPA or accidental, unlawful or unauthorized access, use or disclosure of Personal Data, or that Personal Data may have been compromised or that the integrity of the Personal Data may have been violated.
6.5.4 The Processor shall provide the Controller with all necessary information to enable the Controller to comply with applicable law regarding the processing of Personal Data and to answer inquiries from data protection authorities. The Controller shall report non-conformities to the Data Protection Authority in accordance with applicable legislation.
6.6 Procedures for Deletion
6.6.1 Personal Data shall be deleted when this is no longer necessary in order to achieve the purpose for which it was collected. The parties may agree on specific deletion procedures.
6.7 Deletion Upon Termination
6.7.1 Upon termination of the Agreement, the Processor shall immediately cease Processing of Personal Data on behalf of the Controller. As such, the Processor shall, upon instruction from the Controller, return or delete all Personal Data contained in the Processor's possession in connection with Processing under this DPA.
6.8 Confidentiality
6.8.1 The Processor shall keep confidential all personal data and other confidential information provided to it under the Agreement or this DPA. The Processor shall ensure that each member of its staff, whether employed or hired employee, having access to or being involved with the processing of personal data under the Agreement undertakes a duty of confidentiality and is informed of and complies with the obligations of this DPA. The duty of confidentiality shall also apply after termination of the Agreement or this DPA.
6.9 Annual Security Audits
6.9.1 The Controller may conduct an annual audit of the Processor's Processing of Personal Data. The Processor should facilitate the audit. The Controller is entitled to demand a security audit performed by an independent third party. The third party concerned will prepare a report that will be delivered to the Controller on request. The Controller accepts that the Processor can calculate a separate remuneration for the implementation of the audit.
6.9.2 The Processor will regularly perform security audits on systems that are relevant to the Processing of Personal Data covered by this DPA.
7. Use of subprocessors
7.1 Use of Subprocessors
7.1.1 The Processor may use subprocessors for processing personal data, and the Controller hereby provides the Processor with a general authorisation to engage subprocessors. Processor shall enter into written agreements with the subprocessors in accordance with sections 7.2 and 7.3 below.
7.2 Agreement with Subprocessors
7.2.1 The Processor shall ensure that subprocessors do not Process Personal Data covered by the DPA in any way other than what is necessary to provide the service, and that the Personal Data is not shared with others for Processing without this being in accordance with the DPA.
7.2.2 The Processor shall ensure that any agreement with a subprocessor contains the necessary provisions regarding the Processing of Personal Data in accordance with Article 28 of the GDPR.
7.3 Subprocessors Outside the EU/EEA
7.3.1 If the Processor is to enter into an agreement with subcontractors in countries outside the EU/EEA, this should only be done according to EU model agreements for transfer of personal data to third countries or other applicable basis for transfer to third countries in accordance with Chapter 5 of the GDPR.
8. Duration
8.1 This DPA shall apply from the date it has been signed by both parties until the Processor's obligation to perform services for the Controller is terminated for any reason.
9. Choice of law and legal venue
9.1 This DPA shall be subject to and interpreted in accordance with Norwegian law. Legal venue shall be Oslo District Court.
10. Appendices
Appendix 1: Overview of Personal Data being Processed and Subprocessors.
APPENDIX 1: CATEGORIES OF PERSONAL DATA, DATA SUBJECTS AND SUBPROCESSOR