The following Agreement is entered into between: Account Name (“Processing Controller”) and Isave AS (“Data Processor”).
Isave offers a Service that allows you to create and send digital communication to your subscribers.
This Agreement encompasses conditions for ensuring that the obligations of the Parties to the Agreement are in compliance with the Act relating to the processing of personal data of 14 April 2000 No. 31 (“PDA”) and appurtenant regulations.
The term Processing Controller means: “the person who determines the purpose of the processing of personal data and which means are to be used”, cf. PDA Section 2 no. 4. Responsibility lies with the business entity’s executive management. It is the responsibility of the Processing Controller to ensure that personal data are used in compliance with the provisions of the Norwegian Personal Data Act.
The term Data Processor means “the person who processes personal data on behalf of the controller”, cf. PDA Section 2 no. 5. No Data Processor may process personal data in any way other than that which is agreed in writing with the Processing Controller, cf. PDA Section 15.
Processing of personal data under the provisions of this Agreement means any use of personal data such as, for example, gathering, registering, collating, storing, distributing or a combination of these. In the event the need arises to interpret agreements or there are incompatibilities, disputes or contradictions in the various documents, this Data Processing Agreement takes precedence in questions associated with the processing of personal data and the Norwegian Personal Data Act (PDA).
The purpose of this Agreement is generally to clarify the responsibilities of the Parties in terms of the DPA for fulfilment of the Contract that has been entered into between the Parties to the Agreement.
In accordance with the Contract the Data Controller performs a number of services within the areas of importing, storing and analysing personal subscriber data to allow the Data Controller to create and send personal and targeted digital and postal communication, and to track the subscribers’ response to the communication. The personal data transferred and stored may concern any subscriber the Data Controller chooses to communicate with, such as but not limited to customers, clients, prospects and employees. The personal data transferred may concern name, gender, birthdate, language, email address, telephone number, home address, employer, work address, title, expertise, other demographic information, purchase history, and event attendance. Data will not include Social Security numbers or other national ID numbers, passwords, security credentials, or sensitive personal information of any kind.
To carry out the Contract, the Data Processor is given access to personal data for which the Processing Controller is responsible. The personal data transferred will be subject to the following basic processing activities: storage; access for customer service; in accordance with your use of features; abuse detection, prevention, and remediation; maintaining, improving, and providing our Services. The Data Controller expressly authorizes the Data Processor to respond to the following requests received directly from the data subjects: unsubscribes, updates to information, removal of information, or a block of that data subject’s information from being stored in the Data Controller’s system.
The Data Processor may only process the Processing Controller’s customer information for the purpose of fulfilling the Contract that has been entered into between the Parties to the Agreement. The Contract defines in more detail the tasks to be performed by the Data Processor on behalf of the Processing Controller.
In compliance with the DPA, the Processing Controller shall see to it that customer, member and debtor information can be processed in a legal manner to perform the services as described in the Contract. This entails ensuring that necessary statutory authority exists to justify processing customer information, and ensuring that the information is of sufficient quality and that necessary notification is sent or authorizations are issued in accordance with the DPA.
The Processing Controller shall make the necessary personal data available to the Data Processor so that the Data Processor can perform the services that are described in the Contract.
The Data Processor cannot process personal data to which they gain access through assignment from the Processing Controller in any manner other than what is necessary in order to complete the assignment. When the customer data are made available to the Data Processor, the latter is obligated to safeguard the information in compliance with Section 13 of the DPA, cf. point 5 for details.
The Data Processor shall ensure that relevant personnel have a good knowledge of applicable legal provisions for processing personal data. Persons in the Data Processor’s business who have access to information to be processed in accordance with the Contract and this agreement shall be made aware of the Agreement’s relevant provisions and shall sign a declaration of non-disclosure.
The Processing Controller shall advise the Data Processor of any new statutory requirements or requirements from the authorities that may be significant for the fulfilment of the Agreement. If new requirements demand changes in the services, these are to be implemented as changes as stipulated in the regulations pertaining to changes in the Master Agreement.
The Data Processor shall ensure that customer data made available from the Processing Controller are segregated from the processor’s own systems, as well as from his own or others’ customer, member or debtor databases.
The Processing Controller and Data Processor shall at all times meet relevant requirements pertaining to information security as prescribed in DPA Section 13 and the Personal Data Regulations, Chapter 2. The Data Processor shall see to it that all processing of customer information encompassed by this Agreement is conducted in conformity with the acceptable risk level.
The Data Processor shall establish and maintain a security management system equivalent to that described in the Personal Data Regulations, Chapter 2. The Data Processor has established routines for:
- processing of nonconformities that involve notification of errors relevant for this Agreement
- regular security audits
- management review of security efforts
The Processing Controller shall see to it that necessary security for customer information is in place up until the Data Processor has physically taken possession of the information. From this point on, the Data Processor shall ensure that material received is properly secured. The Processing Controller can demand insight into necessary information from the Data Processor that is evidence that the Data Processor fulfils the conditions in the Agreement, relevant provisions of the DPA, including the security provisions in DPA Section 13 and in Chapter 2 of the Personal Data Regulations.
The Data Processor can use subcontractors to fulfil the Contract, including the granting of access to necessary personal data made available from the Processing Controller for fulfilment of the Contract or this Agreement. The Data Processor is responsible for seeing to it that subcontractors fulfil relevant provisions prescribed in the DPA, the Contract and this Agreement. By the term subcontractor is meant a person (physical or juristic) that is not in the employ of the Data Processor and who performs services to fulfil the Contract or this Agreement.
The Parties to the Agreement shall observe a duty of confidentiality concerning all confidential information, matters of a personal nature, business circumstances, information that may harm one of the parties or that can be exploited by external business interests.
The duty of confidentiality applies to the employees of the Parties to the Agreement and to others who act on behalf of the Parties in conjunction with fulfilment of the Contract and this Agreement. The parties agree to take the precautions necessary to ensure that the material or information is not disclosed to others in contravention of this point.
The Data Processor’s personnel shall sign the Processing Controller’s declaration of non-disclosure before work commences. The duty of confidentiality applies both in relation to one’s own employer and to other members of the Data Processor’s personnel.
The point also applies after the termination of the Agreement. Employees or others who retire their services for either of the parties must be placed under an obligation of confidentiality concerning the circumstances mentioned above.
The Agreement enters into force when signed by both Parties to the Agreement. The Agreement continues in force as long as the Contract entails use of customer information to fulfil it. When the Contract has ended, this Agreement will also cease to be in force.
In the event the Processing Controller becomes aware that the Data Processor is not processing personal data in conformity with the description in the Agreement or is in contravention of his obligations under the provisions of the DPA and regulations, the Processing Controller can demand that the Data Processor cease further processing of data effective immediately (within 24 hours).
In the event of breach of this Agreement or of the provisions of the DPA or the Personal Data Regulations, the Processing Controller can terminate this Agreement with the Data Processor in question by advance, written notification of at least 14 days.
Upon expiry of the term of agreement or termination of the agreement, the Data Processor shall see to it that all customer data that have been made available by the Processing Controller are returned to the latter or destroyed in an adequate manner.
The Agreement is prepared in accordance with Norwegian law. An attempt will be made to resolve any dispute arising between the parties by negotiation. In the event negotiations fail to resolve the dispute, it shall be heard by the Norwegian Court according to Norwegian law, with Oslo District Court as first legal venue and authority.
All notifications given pursuant to this Agreement must be in writing and addressed to the specified contact persons below.
For Data Controller
For Data Processor
This agreement is prepared in two –2– copies, one –1– of which is to be kept by each of the parties.