Data Processor Agreement.

Data processor agreement between Plaii AS and its customers

Background

This data processor agreement (the "agreement") is entered into between Plaii AS, organization number 929705920 (the "processor") and the customer (the "controller"). The agreement regulates the processor's processing of personal data on behalf of the controller in connection with delivery of services from Plaii AS.

Definitions

In this agreement, the following terms have the following meaning:

a) "Personal data": Any information that can be linked to an identified or identifiable natural person, such as name, address, phone number, email address, IP address, national identity number, health information and similar information.

b) "Processing": Any operation or set of operations performed on personal data, whether automated or manual, including collection, registration, storage, adaptation, alteration, retrieval, use, transfer and deletion.

c) "Processor": A third party that processes personal data on behalf of a controller.

d) "Controller": A natural or legal person that determines the purpose of the processing of personal data and which methods are used.

Purpose

The processor shall process personal data on behalf of the controller to perform the agreed service, such as delivering a cloud service or other software.

Processing of personal data

a) The processor shall process personal data according to the controller's instructions and only to the extent necessary to perform the agreed service.

b) The processor shall ensure sufficient technical and organizational measures to process personal data securely and protect it against unauthorized access or use.

c) The processor shall not transfer personal data to third parties without the controller's prior consent, unless required by law.

d) The processor shall not use personal data for purposes other than those agreed with the controller.

e) The processor shall immediately notify the controller if it receives a request for access to or rectification of personal data from a data subject.

f) The processor shall ensure that employees and subprocessors processing personal data are bound by confidentiality and have sufficient privacy training.

Security measures

The processor shall implement appropriate technical and organizational measures to ensure adequate protection of personal data in accordance with privacy regulations. This includes, but is not limited to, access control, encryption, deletion, logging, monitoring and regular risk assessments.

Subprocessors

The processor may use subprocessors to process personal data on behalf of the controller. The processor shall enter into agreements with subprocessors that meet privacy regulation requirements and ensure that subprocessors comply with the processor's instructions and this agreement's security requirements.

Notification

If the processor becomes aware of a security breach that may lead to unauthorized access to, destruction, loss or alteration of personal data, the processor shall notify the controller as soon as possible and no later than 48 hours after the breach was discovered.

Controller obligations

The controller shall ensure that personal data transferred to the processor complies with privacy regulations, provide all necessary information and instructions, and comply with its obligations under privacy regulations.

Termination and deletion

Upon termination of the agreement, the processor shall delete or return all personal data to the controller unless retention is required by law. The processor shall confirm deletion in writing unless this is impossible or requires disproportionate effort.

Governing law

The agreement shall be interpreted and enforced under Norwegian law. Any dispute shall first be sought resolved amicably. If the parties do not succeed, the dispute shall be brought before Oslo District Court.

Confidentiality, liability and duration

The processor and any subprocessors shall treat all information received from the controller confidentially and shall not disclose such information to third parties without written consent unless required by law.

The agreement applies as long as the processor processes personal data on behalf of the controller, and the notice period is 30 days.

Last updated 16.04.2023