This Data Processor Agreement (the ”Agreement”) concerns the processing of personal data that the Supplier (the ”Data Processor”) shall perform for the Customer (the ”Data Controller”) as a result of the agreement entered into between the Supplier and Customer for the provision of certain services (the ”Main Agreement”).
The Agreement constitutes an integral part of the Main Agreement and shall enter into force upon execution of the Main Agreement.
The Data Processor processes personal data on behalf of the Data Controller based on the reasons outlined above.
The purpose of the processing, the duration of the processing, the nature of the processing, the types of personal data to be processed, and categories of data subjects are detailed in the appendix to the Agreement.
The Agreement shall ensure that personal data is processed in accordance with the applicable requirements for the processing of personal data, including, among others, the Personal Data Act of 2018, the European Parliament and Council Regulation on the protection of individuals in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation), other Norwegian laws with associated regulations relevant to the processing of personal data, and any legislation that later replaces these laws (”Data Protection Legislation”).
The Data Processor shall process personal data in the manner described in the Agreement, as well as in any other manner if this is explicitly agreed upon in writing between the Data Processor and the Data Controller.
Terms and definitions used in the Agreement shall be understood in the same way as in the Data Protection Legislation.
The Data Processor confirms that it will implement appropriate technical and organizational measures to ensure that all processing under this Agreement complies with the requirements set out in the Data Protection Legislation and protects the rights of the data subjects, including fulfilling all the requirements under Article 32 of the General Data Protection Regulation.
The Data Processor shall only process the personal data based on documented instructions from the Data Controller. The Data Processor shall at all times be able to document such instructions. The Data Processor shall not process personal data to which it has access in any manner other than what is necessary to perform the processing that the Data Processor is to carry out for the Data Controller.
The Data Processor shall assist the Data Controller in responding to requests from data subjects considering the nature of the processing and, to the extent possible, assist by using appropriate technical and organizational measures. This includes requests from data subjects to exercise their rights under Chapter III of the General Data Protection Regulation, as well as assisting the Data Controller in ensuring compliance with obligations related to personal data security. This also applies to assistance with assessments of data protection impacts and prior consultations under Articles 32 to 36 of the General Data Protection Regulation, considering the nature of the processing and the information available to the Data Processor. If there are approved codes of conduct under Article 40 of the General Data Protection Regulation or approved certification schemes under Article 42, which the Data Processor has undertaken to comply with or be certified under, the Data Processor is obliged to comply with these codes of conduct or certification requirements.
The Data Processor shall make available to the Data Controller all information necessary to demonstrate that the obligations set forth in this section 2 are fulfilled, as well as enable and contribute to audits, including inspections, carried out by the Data Controller or another party authorized by the Data Controller. The Data Controller has the direct responsibility for contact and communication with the relevant supervisory authorities, including the Data Inspectorate, and the Data Processor shall not contact the supervisory authority about the processing without clearance from the Data Controller.
The Data Processor is bound by confidentiality regarding personal data that it gains access to as a result of the Agreement and the processing of personal data, and shall ensure that persons authorized to process the personal data have committed to treating the information confidentially or are subject to an appropriate statutory duty of confidentiality. This provision also applies after the termination of the Agreement.
The Data Processor shall not disclose information or data that it processes on behalf of the Data Controller to others without explicit instruction from the Data Controller. Any inquiries to the Data Processor shall be forwarded to the Data Controller as quickly as possible.
If the Data Processor believes that an instruction from the Data Controller is in conflict with the Data Protection Legislation, the Data Processor shall immediately notify the Data Controller of its opinion.
The Data Controller is responsible for ensuring that personal data is processed in accordance with Data Protection Legislation, and has both the right and obligation to determine the purposes and the means that can be used in the processing carried out by the Data Processor. Therefore, the Data Controller shall provide the Data Processor with documented instructions on how personal data shall be processed, where the instructions may either be part of the Agreement or attached to the Agreement as an appendix. The instructions may also be given after the Agreement has been entered into.
The Data Controller has the right to terminate the Agreement if the Data Processor no longer meets the requirements of Article 28(1) of the General Data Protection Regulation.
The Data Processor shall only use subcontractors for the processing of personal data (sub-processor) that have been explicitly approved in writing by the Data Controller and who have confirmed that they will implement appropriate technical and organizational measures to ensure that all processing under this Agreement meets the requirements of Data Protection Legislation and protects the rights of data subjects.
Approved sub-processors at the time of entering into the Agreement are specified in the appendix to the Agreement.
If the Data Controller does not approve the use of the sub-processor as mentioned above, the parties shall agree on how to implement the Main Agreement without the use of the sub-processor.
The sub-processor shall be subject to the same obligations regarding the protection of personal data as established in the Agreement in a binding contract where the sub-processor must provide sufficient guarantees that technical and organizational measures will be implemented to ensure that the processing complies with legal requirements. If the sub-processor fails to meet its obligations regarding Data Protection Legislation, protection of personal data, and the requirements in the Agreement, the Data Processor shall have full responsibility to the Data Controller for ensuring that the sub-processor complies with its obligations.
The Data Processor shall fulfill the security measures required under Data Protection Legislation and industry standards relevant to the processing of personal data under the Main Agreement. The Data Processor shall be able to document routines and other measures to meet these requirements. Documentation shall be made available at the request of the Data Controller.
In case of a security or privacy breach, the Data Processor shall notify the Data Controller without undue delay. The notification of the breach shall at a minimum contain:
If not all information can be provided in the initial notification, the information shall be provided successively as soon as it becomes available.
The Data Controller is responsible for sending notifications to the supervisory authority, and the Data Processor shall not send such notifications or contact the supervisory authority without instructions from the Data Controller.
Personal data shall only be transferred to countries outside the EEA (third countries) based on instructions from the Data Controller. The Data Processor shall therefore not transfer or allow individuals in third countries to access personal data in any way unless the Data Controller has explicitly approved this in writing and given instructions for the transfer or access in advance. Consent and instruction must cover which countries the data may be transferred to. Transfers to third countries require, even with consent and instructions, that the security requirements and protection of the rights of data subjects under the Personal Data Act and other regulations are maintained.
The Agreement is valid as long as the Data Processor processes or has access to personal data on behalf of the Data Controller under the Main Agreement.
In the event of a breach of this Agreement, the Personal Data Act, or other relevant regulations, the Data Controller may instruct the Data Processor to cease further processing of the personal data with immediate effect.
The Data Processor shall, upon the Data Controller’s instruction, delete or return all personal data to the Data Controller after the services related to the processing have been delivered, and shall delete any existing copies, unless there is a legal requirement to continue storing the personal data. This also applies to any backups, where it is sufficient to overwrite following established backup procedures.
The Data Controller shall receive written confirmation from the Data Processor that all personal data has been returned or deleted in accordance with the Data Controller’s instructions and that the Data Processor has not retained any copies, prints, or other forms of personal data in any form.
Other obligations and rights follow from the Main Agreement that applies between the Data Processor and the Data Controller regarding the services that necessitate processing of personal data and this Agreement. The same contact persons apply for the Agreement as those under the Main Agreement.
In the event of any transfer of the Main Agreement to other parties, this Agreement shall be transferred correspondingly.
Data Processor’s contact person: Function/support
e-mail: ncs@next-tech.com phone: +46 (0)13-470 40 13.
This Agreement may be amended in accordance with the provisions of the Main Agreement.
Appendix 1: Data Controller’s Instructions for the Processing of Personal Data
In addition to what is already stated in the Data Processing Agreement, the Data Processor shall also follow the following instructions:
The purpose and objective of the Data Processor’s processing of personal data for the Data Controller, in accordance with the service described in the main agreement, is: storage and management of personal data for the purpose of utilizing the tool for the organization’s project management.
The Data Processor is entitled to process the following types of personal data on behalf of the data controller:
The Data Processor is entitled to process personal data regarding the following categories of data subjects:
The Data Processor shall observe the following handling requirements when processing personal data for the Data Controller:
The Data Processor shall implement the following security measures when processing personal data:
The Data Processor shall observe the following requirements regarding logging of user activity and log management:
The Data Processor shall observe the following requirements regarding the localization of personal data:
See: https://next-tech.com/gdpr/
The instructions are valid as long as the Data Processor processes personal data under the Main Agreement or until the instructions are changed.
Upon termination of the processing of personal data according to this Data Processing Agreement, the Data Processor shall delete the personal data according to the main agreement. A written confirmation that this has been carried out shall be sent to the contact person at the Data Controller no later than 90 days after the deletion has occurred.
The Data Processor shall ensure that all the people processing personal data at the Data Processor have received necessary training in applicable law regarding personal data processing. The Data Processor shall further ensure that only people who need access to personal data for their work have access to the personal data.
The Data Processor shall not process personal data to a greater extent than what is required to fulfill its obligations under the main agreement.
The Data Controller further has the right to verify that the measures are followed during the period the Data Processor processes personal data in accordance with the main agreement.