STANDARD DATA PROCESSING AGREEMENT
Effective date: 1 June 2021
INTRODUCTION
This data processing agreement (the DPA) forms part of each contract regarding delivery of consultancy services and software services (the Main Agreement) by Etain AS, a Norwegian limited liability company with registration number 920 998 704 (Etain), to Etain’s customer (the Customer).
Etain and the Customer are hereinafter jointly referred to as the Parties, and each a Party.
This DPA shall be effective on the date of the Main Agreement (the Effective Date), as from which this DPA shall be deemed an integrated part of the Main Agreement.
To the extent there are conflicts or inconsistencies between this DPA and the Main Agreement, this DPA will prevail.
DEFINITIONS
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
Confidential Information
Shall have the meaning set out in clause 13.1.
Consultancy Terms
Means Etain’s general terms of service, available here.
Customer Personal Data
Means any Personal Data Processed by Etain or a Sub-Processor on behalf of the Customer pursuant to or in connection with the Main Agreement.
Customer
Shall have the meaning set out in clause 1.
Data Protection Laws
Means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
DPA
Means this data processing agreement.
EEA
Means the European Economic Area.
Effective Date
Shall have the meaning set out in clause 1.
EU Data Protection Laws
Means GDPR and law and regulations implementing the GDPR as amended, replaced or superseded from time to time.
Etain
Shall have the meaning set out in clause 1.
GDPR
Means EU General Data Protection Regulation 2016/679.
General Terms
Means Etain’s general terms of service, available here.
Main Agreement
Shall have the meaning set out in clause 1.
Order Form
Means the order forms describing the specific services to be performed by Etain for the Customer under the Main Agreement.
Party
Shall have the meaning set out in clause 1.
Service Level Policy
Means Etain’s service level and security policy, available here.
Sub-Processor
Means any person appointed by or on behalf of Etain to process Personal Data on behalf of the Customer in connection with this DPA.
In addition, the terms Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
PROCESSING OF CUSTOMER PERSONAL DATA
The Customer hereby instructs Etain to process the Customer Personal Data necessary for Etain to fulfill its obligations pursuant to the Main Agreement and any other agreements entered into by the Parties.
The categories of Personal Data subject to processing under this DPA and the type of processing operations that will be carried out on behalf of the Customer are specified in Appendix 1 to this DPA.
Etain shall process Customer Personal Data in accordance with the Main Agreement, including the Service Level Policy, the General Terms and / or Consultancy Terms (as applicable) and any relevant Order Form. In addition, and notwithstanding anything to the contrary herein or in any other relevant agreement documents between the Parties, Etain shall always:
comply with all applicable Data Protection Laws in the Processing of the Customer Personal Data;
not Process the Customer Personal Data other than such Customer Personal Data provided to Etain by or on behalf of the Customer; and
only Process Customer Personal Data in accordance with agreements with the Customer or in accordance with the Customer’s documented instructions, including (without limitation) as set out in the Principal Agreement and other agreement documents applicable for the Parties.
The Customer may at any time amend or withdraw the instruction to Process the Customer Personal Data, including by way of instruction to delete specific Customer Personal Data. Upon instruction to delete Customer Personal Data clause 10 applies accordingly.
ETAIN PERSONNEL
The Customer shall, without undue delay, notify Etain if the Customer discovers or becomes aware of circumstances which may constitute a breach of Etain’s obligations towards the Customer
Etain shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Etain or any Sub-Processor who may have access to the Customer Personal Data.
In any case, access shall be strictly limited to those individuals who need to know / access the relevant Customer Personal Data. Etain shall further ensure that all persons employed or otherwise hired by Etain, comply with the Service Level Policy with references and the Data Protection Laws.
SECURITY
Etain shall ensure that satisfactory information security is established in its own organization in accordance with the GDPR and the Service Level Policy through planned and systematic measures. Etain shall regularly, at least once per year, perform safety reviews and controls of the systems and measures implemented to process Personal Data. If the Customer requires information security measures which go further than the GDPR requires and which impose increased costs, work or similar on Etain, Etain may charge the Customer for such added services on market terms.
Etain shall also and nonetheless independently evaluate the risks related to the processing of Customer Personal Data and shall continuously implement required measures to mitigate those risks and ensure adequate information security taking the sensitive nature of such Customer Personal Information into account.
SUBPROCESSING
Etain shall generally be authorized to engage Sub-Processors to the extent necessary for complying with its obligations under the Main Agreement.
All Sub-Processors shall sign data processing agreements with Etain which at least impose obligations on the Sub-Processor that are equivalent to those imposed on Etain under this DPA.
Etain shall provide the Customer with a written notice if it plans to appoint or remove any Sub-Processor(s) relevant for the services provided by Etain to the Customer. Such written notice shall be given in reasonable advance to the planned changes entering into force. The Customer may within reasonable time object in writing to the appointment or removal of a Sub-Processor. Such notice shall explain the reasonable grounds for the objection. In such event, the Parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either Party may terminate the DPA.
Upon request of the Customer, Etain shall provide the Customer with a list of the Sub-Processors used by Etain for the services relevant for the Customer, and copies of the data processing agreements made with such Sub-Processors. Clauses on business related issues that do not affect the processing of Personal Data in data processing agreements with the Sub-Processors may be left out of the disclosure to the Customer.
Etain shall use commercially reasonable efforts to ensure that the processing carried out by the Sub-Processor is in accordance with Data Protection Laws.
Etain shall remain fully liable to the Customer for its use of Sub-Processors.
DATA SUBJECT RIGHTS
Considering the nature of the Processing, Etain shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is commercially and reasonably possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Etain, to respond to requests to exercise Data Subject rights under the Data Protection Laws. Hereunder, Etain shall:
promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of the Customer Personal Data; and
ensure that it does not respond to that request except on the documented instructions of the Customer or as required by the Data Protection Laws to which the Processor is subject, in which case Processor shall to the extent permitted by the applicable Data Protection Laws inform the Customer of that legal requirement before the Sub-Processor responds to the request.
Extra services in this relation shall be considered add-on services subject to payments and to be delivered under the Consultancy Terms unless otherwise agreed.
PERSONAL DATA BREACH
Etain shall notify the Customer without undue delay upon Etain becoming aware of any Personal Data Breach affecting the Customer Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Etain shall co-operate with the Customer and take commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Etain shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Customer Personal Data by Etain or its Sub-Processors.
DELETION OR RETURN OF THE CUSTOMER PERSONAL DATA
Subject to this section 10, Etain shall promptly, and in any event within 10 business days of the date of cessation of any services involving the Processing of the Customer Personal Data (the Cessation Date), delete and procure the deletion of all copies of such Customer Personal Data.
Customer Personal Data which is stored in back-up files shall be deleted within 90 days after receipt of such request.
Etain may keep Customer Personal Data necessary for Etain to fulfill its obligations towards the relevant Data Subject, or if otherwise requested by the Data Subject.
AUDIT RIGHTS
Etain shall at the Customer’s request make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by Customer. The Customer may, at its own expense, request an auditor’s report from an independent third party or an inspection according to the section below.
The Customer or a representative of the Customer shall have access to inspect the places where the processing of Personal Data is carried out by Etain (not including Sub-Processors), including physical facilities as well as systems used for and related to the processing to ascertain Etain’s compliance with Data Protection Laws and the DPA. Such an inspection shall be performed when the Customer deems it required, however always subject to reasonable notice.
Any costs, including costs incurred by Etain, relating to physical inspection shall be covered by the Customer.
The Data Processor shall be able to document the Sub-Processor’s compliance with its obligations towards the Data Processor with regards to the processing of Personal Data covered by this DPA.
The Data Processor shall without undue delay obtain and make available audit reports created by the Sub-Processors to ascertain the Sub-Processor’s compliance with applicable Data Protection Laws.
DATA TRANSFER
The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
TERM AND TERMINATION
Upon termination of the Main Agreement, this DPA shall be deemed terminated as well with the same effects as for the Main Agreement.
GENERAL TERMS
Etain may amend this DPA with three (3) months’ notice to the Customer. By not terminating the Main Agreement after the three months’ period the Customer shall be deemed to accept the amended DPA as applicable as from the end of the three months’ notice period.
AMENDMENTS
Confidentiality
Each Party must keep this DPA and all information it receives about the other Party and its business in connection with this DPA (Confidential Information) strictly confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
disclosure is required by law; or
the relevant information is already in the public domain.
Notices
All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or by email to the address or email address set out in the heading of this DPA, or at such other address as notified from time to time by the Parties changing address.
GOVERNING LAW AND JURISDICTION
This DPA is governed by the laws of Norway.
Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the ordinary courts of Norway, with Oslo district court as agreed legal venue.
APPENDIX 1: DESCRIPTION OF CUSTOMER DATA PROCESSING PERFORMED BY ETAIN
Purpose of processing
Etain is a supplier of software and / or consultancy services to the Customer as further described in the applicable Order Forms. Pursuant to the Order Forms, Etain shall develop and / or provide software solutions or consultancy services to the Customer. Delivery of software solutions may include maintenance of, and support relating to, such software and shall include software solutions made available on the cloud or software platforms further described in the Order Forms.
Nature of the processing
Collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).
Types of personal data
Required identifiable data (e-mail, first name, last name, profile picture, company, user ID, communication data (IP-address), activities (behavioral pattern, times for login/logout, times for working with documents, browsing history), other information voluntarily provided by users in relevant user profiles, such as for example job title, department, office address, office phone, mobile phone, and other information contained in documents made available or otherwise submitted by the user etc.
Categories of Data Subjects
Employees employed by the Customer, the Customer’s clients and customers, counterparties and other stakeholders involved in projects to which Etain provides software or other services. Etain may also process Personal Data relating to the customer (if this is a physical person), its owners, counterparties, witnesses, counterparties' lawyers and others who have a connection to the case or are mentioned in the relevant documents or information uploaded in the solutions provided by Etain.