# Data processing agreement
Last updated: 02/08/2023
Current version effective from: 02/08/2023
Page contents
| Key Definitions | |
|---|---|
| Agreement | This Data Processing Agreement. |
| Applicable Data Protection Law | Shall mean all privacy laws and regulations in the country where Controller or Processor is registered, hereunder but not limited to national laws based on the Regulation (EU) 2016/679 (the "GDPR") and any national legislation implemented under the GDPR. |
| Controller | The legal entity determining, alone or jointly with others, the purpose for and the means of the processing of Personal Data pursuant to this Agreement: The Customer pursuant to the SaaS Agreement. |
| Personal Data | Any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller. |
| Processor | The legal entity processing data on behalf of the Controller pursuant to this Agreement: Signicat AS. |
| Security Requirements Appendix | Appendix "Security Requirements" to the SaaS Agreement. |
| SaaS Agreement | The agreement between the Controller and the Processor under which the Processor provide the Signicat services the processing forms a part of (Titled "SaaS Agreement" or "ASP-agreement", as applicable). |
# 1 Scope and purpose of the data processing
The Processor shall process Personal Data on behalf of the Controller only for the purpose of performing the tasks imposed on the Processor by the Controller pursuant to the SaaS Agreement. The processing of Personal Data pursuant to this Agreement is subject to the requirements set forth in the Applicable Data Protection Law, this Agreement, and the SaaS Agreement.
This Agreement covers any category of Personal Data. A specification on which Personal Data the Processor will process is set out in the Appendix Checklist.
# 2 The Processor’s obligations
# 2.1 General
When processing Personal Data on behalf of the Controller, the Processor shall comply with the documented routines and instructions stipulated by the Controller at any given time, and the Processor shall process Personal Data in compliance with Applicable Data Protection Law.
The Processor shall specify where the Personal Data is stored at any time and shall ensure that any transfer of data shall be done in accordance with the relevant and applicable transfer mechanisms as set out in Applicable Data Protection Law. If the processing carried out by the Processor should include the transfer of Personal Data to a country outside of the EU/EEA which is not recognised by the European Commission to have an adequate level of protection in accordance with Applicable Data Protection Law, the Controller and the Processor or the Processor and Sub-Processor shall enter into the relevant and applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (SCC) in accordance with the SCC module 2 (Transfer controller to processor).
Notwithstanding the foregoing, the Processor may disclose Personal Data, and therefore process and /or transfer Personal Data to a third country or an international organization, if required by Applicable Data Protection Law, in which case the Processor shall notify the Controller of such legal requirement before processing, unless the law in question prohibits such information on important grounds of public interests.
# 2.2 Assistance to the controller
The Processor shall comply with the Security Requirements Appendix to the SaaS Agreement, and provide assistance to the Controller in fulfilling its duties under the Applicable Data Protection Law, including but without limitation the Controllers obligations towards data subjects to ensure their right to information, access, rectification, erasure, restriction of processing, and data portability, to the extent such assistance is necessary for the Controller to be compliant with Applicable Data Protection Law.
# 3 Use of subcontractors
The Processor shall ensure that any Sub-Processor (a "Sub-Processor"), and its sub-contractor, is bound by terms ensuring a similar level of data protection as the terms of this Agreement.
As of the effective date of this Agreement, the Controller agrees that the Processor has engaged the Sub-Processor(s) listed in the SaaS Agreement. The Processor is responsible towards the Controller for the engaged Sub-Processors.
The Processor may not use a subcontractor to process Personal Data without notifying the Controller in writing at least 30 days before the new Sub-Processor starts processing any Personal Data. The Controller may, within 90 days after being notified of the engagement of a new Sub-Processor, object to the engagement by terminating both the Agreement and the SaaS Agreement if it can demonstrate that the new Sub-Processor will not meet the requirements set out in GDPR. This termination right is Controller's sole and exclusive remedy if Controller objects to any new Sub-Processor.
# 4 Security
The Processor shall fulfill the requirements for technical and organisational security measures stipulated in the Applicable Data Protection Law. The Processor shall further comply with the security requirements set forth in the Security Requirements Appendix.
The Processor shall notify the Controller any discrepancies between this Agreement and the requirements set out in the Applicable Data Protection Law.
The Processor shall, if reasonably requested the Controller and to the extent necessary, assist the Controller in (i) complying with the Applicable Data Protection Law; (ii) conducting the necessary data protection impact assessments pursuant to the Applicable Data Protection Law, and (iii) consulting the relevant supervisory authority prior to processing where the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate such risks.
# 5 Audit
The Processor shall annually conduct privacy audits for systems and services covered by this Agreement to assess the Processors compliance with the Applicable Data Protection Law and this Agreement.
# 6 Inspection or audits
The Processor shall upon the Controller’s reasonable prior written notice submit its relevant processing systems and supporting documentation to demonstrate compliance with its obligations under this Agreement and the Applicable Data Protection Law. The Processor shall also allow for and contribute to inspections and audits that the Controller or an auditor mandated by the Controller may require for the review of such compliance. In the event of any such inspection or audit, each Party shall provide all reasonable assistance to the other Party on a time and material basis.
If an inspection or audit reveals or confirms that processing pursuant to this Agreement is unlawful or otherwise conducted in a manner not compliant with the Applicable Data Protection Law, the Parties shall take immediate action to ensure future compliance with the Applicable Data Protection Law.
# 7 Confidentiality
The Processor and the Processor's personnel shall observe unconditional confidentiality as regards the processing of Personal Data pursuant to this Agreement and any documentation accessed under this Agreement. The Processor shall not disclose Personal Data in any way to any employee or third party without the prior written approval of the Controller, except where (i) the disclosure is in accordance with the instructions from the Controller, or where (ii) Personal Data need to be disclosed to a competent public authority to comply with a legal obligation or (ii) in accordance with the SaaS Agreement
The Processor shall take reasonable steps to ensure the reliability of any personnel and Sub-Processor who may have access to Personal Data processed pursuant to this Agreement, ensuring in each case that access is strictly on a need-to-know basis.
This provision shall survive expiration or termination of this Agreement.
# 8 Notification of non-compliance and data breaches
The Processor shall, as soon as possible or at the latest within 24 hours after becoming aware of it, notify the Controller of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed or similar Personal Data breaches. Thereafter, the Processor shall contribute to and reasonably cooperate with the Controller to obtain the following information:
a) describe the nature of the personal data breach including the categories and approximate number of data subjects and personal data records concerned;
b) communicate the name and contact details of the Processor’s data protection officer or other contacts where further information can be obtained;
c) describe the likely consequences of the personal data breach; and
d) describe the measures taken or proposed to be taken by the Processor to address the personal data breach, including measures to mitigate its possible adverse effects.
The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of personal data breaches involving the Processor.
# 9 Liability
Subject to the limitations of liability of the SaaS Agreement, the Processor is liable for claims, costs (including reasonable expenses for legal services), loss, fines, expenses or damages incurred by the Controller as a result of the Processor's breach of this Agreement, including non-compliance with the Applicable Data Protection Law.
# 10 Term
This Agreement remains valid for as long as the SaaS Agreement is in force and terminates automatically upon the termination or expiration of the SaaS Agreement. The Processor may not process Personal Data on behalf of the Controller following the termination or expiration of this Agreement.
In the event of a material breach of this Agreement or the Applicable Data Protection Law, the Controller is entitled to terminate this Agreement with immediate effect and may instruct the Processor to cease further processing of the Personal Data in question with immediate effect.
# 11 Termination
After termination of this Agreement, the Processor shall return all Personal Data in a format agreed on between the Parties, and in accordance with reasonable industry standards.
The Processor shall further delete or destroy in a secure and definite/irreversible manner, insofar reasonably possible, all Personal Data, as well as any back-up copies. The Processor shall, upon request, declare in writing to the Controller that such deletion or destruction has been accomplished in accordance with this Agreement.
# 12 Contact information
Notifications pursuant to this Agreement shall be submitted in writing to:
For Controller:
Name:
Position:
Phone number:
Email:
For Processor:
Name: Privacy team
Phone number: +47 99 77 83 77
Email: privacy@signicat.com