Data Processor Agreement
- Background
- Purpose of this Agreement
- Personal data to be processed
- Data Processor rights and duties
- Data Controller's rights and duties
- Use of API and third parties
- Security and audits
- Notification of a Personal Data Breach
- Storage and transfer
- Sub-processors
- Term and terminations
- Choice of Law and Dispute regulations
- Other duties and rights
- Contact
- Last review
- Changelog
The Customer consenting to these terms (“Customer” or “Data Controller”) and the entity responsible for providing 24SevenOffice Services in your region or country (or any entity owned by 24SevenOffice) (“24SevenOffice” or “Data Processor”) have entered into this Data Processor Agreement (DPA) (“Agreement”). This Agreement replaces any previously applicable data processor agreements or terms previously applicable to privacy, data processing and/or data security.
1. Background
This Agreement shall provide for the processing of personal data in accordance with EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and the Norwegian "Lov om behandling av personopplysninger (personopplysningsloven)".
2. Purpose of this Agreement
This Agreement governs the Data Processor’s processing of the Personal Data on behalf of the Data Controller to perform its Services under the Services Agreement. The Data Processor shall process the Personal Data only for the approved purpose and in accordance with applicable laws, this Agreement and the Customer License Agreement (CLA). The purpose of the processing, the duration of processing, the type of processing and the types of personal data to be processed are covered in this Agreement, which ensures that personal data is processed in accordance with the requirements of the Data Protection Regulation. The Data Processor shall process personal data in the manner described in this Agreement.
3. Personal data to be processed
24SevenOffice is both a data processor and a data controller. As a controller, 24SevenOffice processes personal data as described in the Privacy Notice section “What personal data does 24SevenOffice process?” As a data processor, 24SevenOffice has no access to the data controller's data without consent (e.g. where the provisions of the CLA require it), but stores and delivers the 24SevenOffice Service to customers. The customers are data controllers and are responsible for the data they input into the 24SevenOffice Services.
4. Data Processor rights and duties
The Data Processor confirms that it will implement appropriate technical and organizational measures that ensure that all processing under this Agreement meets the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject. The Data Processor shall only process the personal data under the instructions given by the Data Controller. The Data Processor shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Data Controller.
Access to personal data
The Data Processor will not access any personal data other than what is necessary to perform its tasks as a Data Processor. The Data Controller may give the Data Processor limited permission to access data for support or consulting purposes, but not without consent. The Data Processor shall not use personal data for any purposes other than those listed in the Privacy Notice section “How does 24SevenOffice use Account Information?”
Secrecy
The Data Processor and its sub-processors have a duty of confidentiality regarding personal data they have access to as a result of the Agreement and the processing of personal data, and shall ensure that persons authorized to process the personal data have committed themselves to processing the information confidentially or are subject to an appropriate statutory duty of confidentiality. This provision also applies for one (1) year after the termination of the Agreement, if the content of the information has not become publicly known within this period. The Data Controller is responsible for updating and correcting personal data that is wrongfully registered. The Data Processor shall not disclose any information it processes to any third party without informing the Data Controller. Any inquiries for such information received by the Data Processor shall be passed on to the Data Controller as soon as possible. Any requests with regard to the personal data or the processing from third parties or the data subject shall be forwarded to the Data Controller without undue delay, unless otherwise agreed in this Agreement or instructed by the Data Controller. If the Data Processor is of the opinion that an instruction by the Data Controller infringes the Personal Data Regulation, the Data Processor shall immediately inform the Data Controller. The Data Processor is, however, obligated to perform its duties under this Agreement and any instructions by the Data Controller regardless of its opinion on infringement.
Assistance
The Data Processor shall assist the Data Controller in ensuring compliance with the Personal Data Regulation, e.g. by giving information and advice when producing a data protection impact assessment (DPIA) or responding to data subjects' rights requests.
5. Data Controller's rights and duties
The Data Controller is responsible for the lawful processing of personal data and for observing the rights of data subjects, including collecting data subjects' consents and requests. The Data Controller determines the purposes of the processing of personal data and has the rights described in the Privacy Notice section “What are my rights?” The Data Controller retains formal control of, and all ownership of and rights to, the personal data. The Data Processor shall have no rights in or to the personal data other than the non-exclusive, revocable and time-limited right to process the personal data for the approved purpose. The Data Controller may in its sole discretion withdraw consent(s) given relating to the use of the Service. In such an event the Data Controller will provide an explanation to the Data Processor setting out the reason behind the withdrawal. The Data Processor cannot guarantee that the 24SevenOffice Service will function without these approvals. Any dysfunctions in the 24SevenOffice Service as a result of withdrawn approval do not affect the term of the Agreement.
6. Use of API and third parties
The Data Processor is not responsible for personal data processed by third parties through the Data Processor's API. It is the Data Controller's obligation to read and accept any terms or consents made available by any third party.
7. Security and audits
The Data Processor shall implement and use technical and organizational security measures in such a way that processing will meet the requirements of the Personal Data Regulation, appropriate to prevent the harm which might result from any unauthorized or unlawful processing, loss, destruction, damage, alteration or disclosure of the Personal Data, and having regard to the nature of the Personal Data which is to be protected. Security policies and procedures are developed according to the ISO 27001 standard. The Data Processor has developed an Information Security Management System (ISMS) that is regularly audited. The Data Processor shall provide documentation of the technical and organizational measures implemented to ensure the security of the personal data upon the request of the Data Controller. A Statement of Applicability (SOA) report can be provided on request as such documentation.
Security audits shall be performed regularly by the Data Processor. Audits may comprise review of routines and processes, inspections, tests, more comprehensive controls and other relevant control activities. Any additional audits requested by the Data Controller shall be at the Data Controller's cost and at a time agreed upon between the parties. The Data Processor may refer to completed similar audits as an alternative.
8. Notification of a Personal Data Breach
If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall, without undue delay, notify the Data Controller and fully cooperate to remedy the issue as soon as reasonably practicable. The notice shall at least contain the following information:
- description of the Personal Data Breach, including a summary of the incident that caused the Personal Data Breach and, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying);
- description of the likely consequences and potential risk that the Personal Data Breach may have for the affected Data Subject(s);
- description of the measures proposed or taken by the Data Processor and/or the subcontractor, as applicable, to address the Personal Data Breach;
- description of any further information which may be relevant in relation to the Personal Data Breach or its mitigation, especially information which the Data Controller has earlier identified as relevant.
If not all of the information above can be given in the first notice, the information shall be provided as soon as possible.
Notice will be communicated inside the 24SevenOffice Service, or by mail or phone if the breach only affects individual Data Controllers. The Data Processor’s Technical Customer Service shall be available for expedient assistance to clarify and respond to any follow-up questions that the Data Controller may have.
Depending on the nature of the Personal Data Breach, the Data Controller may be obliged to make a report to the Data Protection Authority in the country in which it resides. The Data Processor does not have to make a report to any Data Protection Authority unless this is expressly required by applicable law or the Data Controller has approved or instructed it to do so. The Data Processor shall, without undue delay, notify the Data Controller if it receives a request from any data protection authority or other governmental body requiring the Data Processor or any of its sub-processors to grant the data protection authority or other applicable governmental body access to Personal Data. Such notice shall, wherever possible and to the extent permitted by applicable laws, be given prior to any disclosure by the Data Processor. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes applicable laws.
9. Storage and transfer
Personal Data will only be processed by the Data Processor and the sub-processors listed in this Agreement. See also “Where does 24SevenOffice process and store data?” How long the data is stored and the terms for deletion of data are covered in “How long does 24SevenOffice store data – Deletion of Personal data”. Beyond that, personal data shall only be transferred to third countries, i.e. countries outside the EU/EEA which ensure an adequate level of protection, upon explicit agreement with or instructions by the Data Controller.
10. Sub-processors
The Data Processor is hereby authorized by the Data Controller to use any relevant approved sub-processor (or sub-contractor) on the Data Controller’s behalf for the above-mentioned purpose and for any relevant approved territory. The processing of the Personal Data shall only take place in technological environments approved by the Data Processor and approved sub-processors in the approved territory. The Data Processor shall ensure that any processing of personal data by a sub-processor complies with the requirements set out under this Agreement. This includes verifying that the security measures implemented by a sub-processor ensure at least the equivalent level of protection to that required of the Data Processor under this Agreement. Any sub-processor shall be informed of the Data Processor's obligations under this Agreement and the obligations under the Personal Data Regulation, and the sub-processor shall be bound by the same obligations as the Data Processor set forth in the Agreement through a binding agreement, in which in particular the sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Personal Data Regulation. The Data Controller will be informed of any additions or changes of sub-processors that process personal data through 24SevenOffice channels. Continued use of the Service after such information is given is regarded as acceptance of the addition/change. See the list of sub-processors for more details. For details about the approved territory, see “Where does 24SevenOffice process and store data?”
11. Term and Terminations
This Agreement shall be effective and stay in force as long as the Data Processor (and its permitted sub-processors) processes personal data on behalf of the Controller in the context of the Customer License Agreement (CLA). In case of breach of this Agreement, the Data Controller may instruct the Data Processor to stop further processing of the information with immediate effect. Upon termination of this Agreement, regardless of reason, the Data Processor shall, at the discretion of the Data Controller, delete or return all Personal Data to the Data Controller after the services associated with the processing are delivered, and delete existing copies, unless there is a legal requirement that the Personal Data continue to be stored. Any export assistance concerning the return of Personal Data performed by the Data Processor is invoiced according to the Customer License Agreement (CLA). The Data Controller shall receive a confirmation from the Data Processor that the duties in the above paragraph have been complied with.
12. Choice of Law and Dispute regulations
The provisions of the Customer License Agreement (CLA) with regard to governing law and jurisdiction apply in full to this Agreement.
13. Other duties and rights
Other duties and rights between the parties may be subject to the Customer License Agreement (CLA) or other agreements between the Data Controller and the Data Processor. If the Customer License Agreement (CLA) is transferred, this Agreement shall be transferred accordingly.
14. Contact
Any questions regarding this Agreement shall be sent to privacy (a) 24SevenOffice.com.
Last review
17 February 2023
Changelog
17 February 2023
Updated references to regulations in the "Background" paragraph. Reference to ISO 27001 updated in the "Security" paragraph. Updated unclear language under "Storage and Transfer".
5 May 2022
Updated and clarified the description of the "Personal data to be processed" section. Added a paragraph about the right to assistance from the Data Processor to the Data Controller to ensure compliance under "Data Processor rights and duties".
7 February 2022
The name of the Norwegian personal data legislation is updated in the background paragraph. The Data Controller's responsibility for lawful processing of personal data is clarified under "Data Controller's rights and duties". Security and notifications are split into two paragraphs, and the following paragraphs have been renumbered accordingly. The security paragraph is updated with the possibility for the Data Controller to request a Statement of Applicability (SOA) report, as a consequence of the approved 24SevenOffice ISO 27001 certification. The paragraph about subcontractors is updated to include a link to the list of subcontractors and how 24SevenOffice notifies about any changes. A final paragraph with the contact point at the Data Processor is included.
3 May 2018
Data Processor Agreement first version, as a separate addition to the Customer License Agreement (CLA).