Version date: 1. January 2017
1. About the Agreement
This agreement (the ”Agreement”) constitutes a data processor agreement in in accordance with the Personal Data Legislation.
The parties to the Agreement are the Customer (as controller) and DEFA (as processor), as identified in the Service Agreement.
The Agreement applies to all data processing of Subscriber Data by DEFA for which the Customer is the data controller; e.g. where Subscriber Data is provided in the context of an employment where the Customer (as employer) has required that the Subscriber (as employee) use the Service.
This Agreement shall not prevent DEFA AS from processing Subscriber Data where DEFA AS has an independent legal basis such processing, and the Customer shall not be deemed controller of such data.
The Agreement supplements the Service Agreement, and shall prevail in case of conflict insofar as the matter relates to the processing of Subscriber Data.
Personal Data Legislation – The Norwegian Personal Data Act (personopplysningsloven) relating to the processing of personal data and the Personal Data Regulations (personopplysningsforskriften), implementing Directive 95/46/EC and/or its implementing decrees, and any amendments to or replacements of the same.
Service – DEFA Plot. For further details of the Service, including user manuals and instructions, please consult the information published on the Website.
Service Agreement – The agreement between DEFA and the Customer relating to the Customer’s use of the Service, including any documents incorporated by reference, as available on the Website and as in force from time to time.
Subscriber Data – shall mean any personal data relating to a Subscriber which is submitted, stored, sent or received via the Services by the Customer or the Subscriber, and which is processed by DEFA on behalf of the Customer.
The terms “personal data”, “processing”, “data subject”, “controller” and “processor” have the meanings given to them in the Personal Data Legislation.
Other capitalized terms shall have the meaning ascribed to them in the Service Agreement.
3. Instructions of the Customer
DEFA shall act upon the Customer’s instructions in its capacity as processor of the Subscriber Data.
This Agreement contains the Customer’s complete and final instructions to DEFA for the processing of Subscriber Data. Any additional or alternate instructions must be agreed with DEFA in writing. The Customer acknowledges that the pricing and functionality of the Service may be affected by the instructions of the Customer.
The purpose and objective of DEFA’s processing of Subscriber Data is the performance of the Service.
5. Processing of Subscriber Data
DEFA shall comply with its obligations as a processor under the Agreement, and the Customer shall comply with its obligations as a controller under the Personal Data Legislation.
DEFA shall only process Subscriber Data to provide the Service to the Customer and in accordance with this Agreement, and shall not process or use Subscriber Data for any other purpose.
DEFA’s personnel shall not process Subscriber Data without authorisation, which shall only be given where there is a legitimate need for such authorisation.
DEFA shall delete Subscriber Data when there is no further need for processing and DEFA AS has no statutory obligation to retain such information.
6. Security measures
DEFA shall take and implement appropriate technical and organisational measures to protect Subscriber Data against accidental or unlawful destruction or accidental loss or alteration or unauthorized disclosure or access or other unauthorized processing. DEFA may update or modify such security measures from time to time, provided that such updates and modifications do not result in a degradation of the overall security of the Services.
DEFA shall take reasonable and appropriate measures to ensure compliance with the security measures by its employees and contractors to the extent applicable to their scope of performance.
DEFA shall provide the Customer with access to its security documentation upon request, to the extent relevant to this Agreement and necessary for the Customer to comply with its obligations under the Personal Data Legislation.
The Customer is solely responsible for its processing of the Subscriber Data, including securing its account authentication credentials, and DEFA has no obligation to protect Subscriber Data that the Customer elects to export outside of DEFA’s systems (e.g., by remote accessing or downloading the information).
7. Rights of the Subscribers
Each Subscriber shall have access to view and administer its Subscriber Data as is part of the functionality of the Service (which may be changed from time to time), and the Customer agrees to such access and any related processing of Subscriber Data by DEFA.
DEFA shall ensure that each Subscriber can exercise its rights under the Personal Data Legislation towards DEFA in relation to its Subscriber Data. Should DEFA receive any request from a Subscriber for records relating to that Subscriber’s personal data included in the Subscriber Data, other than through the embedded functionality of the Service, then DEFA shall advise such Subscriber to submit its request to the Customer.
The Customer shall be responsible for responding to any such request using the functionality of the Service and/or by contacting DEFA.
8. Customer’s access to Subscriber Data
DEFA shall provide the Customer with access to and the ability to edit, block and export Subscriber Data in a manner consistent with the functionality of the Service and in accordance with the terms of the Agreement.
To the extent the Customer does not have the ability to edit or block Subscriber Data as required by applicable law, or to migrate Subscriber Data to another system or service provider, DEFA shall comply with any reasonable requests from the Customer to assist in facilitating such actions to the extent DEFA is legally permitted to do so and has reasonable access to the Subscriber Data.
DEFA may in any event keep version logs and copies of any Subscriber Data to the extent required by law, as part of DEFA’s standard backup routines, or if DEFA has grounds for continued processing of the Subscriber Data that are independent of this Agreement.
DEFA’s personnel shall be obligated to maintain the confidentiality of any Subscriber Data even after their engagement ends.
DEFA shall not disclose Subscriber Data to any third party except as directed by the Customer, as required by law, or as otherwise permitted by this Agreement or required to perform the Service (including that each Subscriber shall have access to its Subscriber Data).
Should a third party contact DEFA with a demand for Subscriber Data, DEFA shall attempt to redirect the third party to request it directly from the Customer and may provide the Customer’s contact information in connection therewith.
If DEFA is required under law to disclose Subscriber Data to a third party, then DEFA shall use commercially reasonable efforts to notify the Customer in advance of a disclosure unless legally prohibited.
DEFA may engage third parties to provide limited services on its behalf related to the Service, such as support services and cloud-based storage and processing services. Any such subcontractors shall be permitted to obtain Subscriber Data only to deliver the services DEFA has retained them to provide, and they shall be prohibited from using Subscriber Data for any other purpose.
DEFA remains responsible for its subcontractors’ compliance with the obligations of this Agreement, and DEFA shall enter into written agreements with such subconractors requiring that the subcontractor provide at least the same level of privacy protection with respect to Subscriber Data as required by this Agreement.
The Customer consents to DEFA’s transfer of Subscriber Data to subcontractors as described in this clause. DEFA shall make available to the Customer information about any subcontractors used by DEFA and any related information that the Customer has a need for pursuant to the Personal Data Legislation.
11. Transfer of Subscriber Data
Subscriber Data may be transferred to, and stored and processed in, the EU or any other country in which DEFA or its subcontractors maintain facilities and which is permissable under the Peronal Data Legislation. The Customer appoints DEFA to perform any such transfer of Subscriber Data to any such country and to store and process Subscriber Data in order to provide the Service.
12. Notification of breach
If DEFA becomes aware of any unlawful access to Subscriber Data stored in the systems, equipment or facilities of DEFA or its contractors, or unauthorized access to the same, that results in loss, disclosure or alteration of Subscriber Data, then DEFA shall promptly notify the Customer of such incident and take reasonable steps to minimize harm and secure and/or restore Subscriber Data.
Notification(s) of any such incident shall be delivered to the e-mail address provided by the Customer in connection with the Service.
For the avoidance of doubt, DEFA shall have no obligation to notify the Customer of any:
- unsuccessful access attempts or similar events that do not compromise the security or privacy of Subscriber Data; or
- accidental loss or disclosure of Subscriber Data caused by the Subscribers’ or the Customer’s use of the Services or loss of account authentication credentials.
DEFA’s obligation to report or respond to an incident under this clause is independent of, and is not an acknowledgement by DEFA of, any fault or liability with respect to such incicent.
This Agreement shall automatically terminate upon any termination or expiration of the Service Agreement.
Upon termination the Customer shall have a reasonable time period to extract Subscriber Data, and DEFA shall delete Subscriber Data following such time period, each in accordance with the use rights for the Service.
Notwithstanding the above, DEFA may keep Subscriber Data to the extent required by law or if DEFA has grounds for continued processing of the Subscriber Data that are independent of this Agreement.