If you are a customer of Tappin AS and need a signed version of our data processing agreement, please contact us.
Version 23.10
In accordance with current Norwegian personal data legislation and Regulation (EU) 2016/679 of 27 April 2016, Articles 28 and 29, cf. Articles 32-36, the following agreement is entered into
between
Customer of Tappin AS
(data controller)
and
Tappin AS, Org. No. 999215777
(data processor)
Terms used in the agreement either follow a natural linguistic understanding, are defined in the agreement, or are read as defined in Regulation (EU) 2016/679 of 27 April 2016, Article 4.
1. Purpose of the agreement
The parties to this Data Processor Agreement have entered into an agreement dated 01.06.21 (the "Agreement") on the basis of the purchase of event technical assistance. This Data Processor Agreement regulates the rights and obligations of the parties to ensure that all processing of personal data takes place in accordance with the applicable legislation on the processing of personal data, including the EU's Personal Data Protection Regulation 2016/679 ("GDPR") and the applicable data protection legislation that implements this ("personal data legislation").
The data processor agreement must ensure that personal data is not used illegally or unlawfully and is not processed in ways that lead to unauthorized access, alteration, deletion, damage, loss or unavailability.
The data processor agreement regulates the data processor's management of personal data on behalf of the controller, including collection, registration, compilation, storage, processing, disclosure and deletion or combinations of these, in connection with the use of/processing in event technical assistance (hereinafter referred to as the "service").
In the event of a conflict, the terms of this agreement shall take precedence over the data processor's privacy statement or terms in other agreements entered into between the data controller and the data processor in connection with use of/processing in the service.
2. Purpose of the processing
The purpose of the data processor's management of personal data on behalf of the data controller is event technical assistance.
Personal data that the data processor manages on behalf of the data controller cannot be used for other purposes without the prior approval of the data controller.
The data processor cannot transfer personal data covered by this agreement to collaboration partners or other third parties without this being approved in advance by the controller, cf. point 10 of this agreement.
3. Instructions
The data controller, as the party responsible for the personal data being processed in accordance with data protection legislation, has the right and duty to decide which purposes shall apply and which means shall be used in the processing.
The controller must give the data processor documented instructions on how personal data is to be processed. If no other instructions are given, this data processor agreement constitutes the applicable instructions.
The data processor must only process personal data in accordance with written instructions from the data controller and must follow the documented instructions for managing personal data in the service that the data controller has determined shall apply.
The data processor must record all processing activities and comply with all obligations in accordance with current Norwegian personal data legislation that applies when using the service to process personal data.
The data processor undertakes to notify the data controller if the data processor receives instructions from the data controller that the data processor believes are in conflict with the provisions of current Norwegian personal data legislation.
The data processor must, on request, assist the data controller in carrying out a privacy impact assessment, also known as a "Data Protection Impact Assessment". In the same way, the data processor shall, upon request, assist in ensuring that requirements for built-in privacy in the data processor's solutions are met. This includes building in functionality to meet privacy principles as well as functionality to ensure the data subject's rights, as far as this can reasonably be expected with regard to the purpose of the solution.
The data processor must ensure that personal data that is processed on behalf of the controller is kept physically or logically separate from other data that the data processor processes.
4. Data subjects and categories of information
The data processor will process personal data to the extent necessary to fulfill the Agreement. Categories of personal data and categories of data subjects are specified in Appendix 1.
5. The rights of the data subjects
The data processor is obliged to assist the data controller in safeguarding the data subject's rights in accordance with current Norwegian personal data legislation.
The data subject's rights include the right to information about how his or her personal data is processed, the right to demand access to their own personal data, the right to demand correction or deletion of their own personal data and the right to demand that the processing of their own personal data be restricted.
To the extent that it is relevant, the data processor shall assist the controller in safeguarding the data subject's right to data portability and the right to oppose automatic decisions, including profiling.
6. Satisfactory information security
The data processor must implement satisfactory technical, physical and organizational security measures to protect personal data covered by this agreement against unauthorized or illegal access, change, deletion, damage, loss or unavailability.
Data processors must document their own security organisation, guidelines and routines for security work, risk assessments and established technical, physical or organizational security measures. The documentation must be available to the controller on request.
Data processors must establish continuity and contingency plans for the effective handling of serious security incidents. The documentation must be available to the controller on request.
The data processor must provide its own employees with sufficient information about and training in information security so that the security of personal data that is processed on behalf of the controller is safeguarded.
A detailed description of measures for information security is attached in Appendix 2.
7. Confidentiality
Only employees of the data processor who have a business need for access to personal data that is managed on behalf of the controller may be granted such access. The data processor is obliged to document guidelines and routines for access management. The documentation must be available to the controller on request.
The data processor and the data processor's employees have a duty of confidentiality and non-disclosure regarding documentation and personal data to which the person concerned is given access in accordance with this agreement. The confidentiality and non-disclosure obligation covers third parties and their employees who carry out assignments as sub-data processors or carry out maintenance (or similar tasks) of systems, equipment, networks or buildings that the data processor uses to deliver the service. The confidentiality and non-disclosure obligations also apply after the termination of the Agreement.
The data processor is obliged to document that those who are subject to a duty of confidentiality have received information about the duty of confidentiality and consented to be bound by it. The documentation must be available to the controller on request.
Norwegian law may limit the scope of the duty of confidentiality for employees of the data processor and third parties.
8. Access to information and security documentation
The data controller has, unless otherwise agreed or follows from the law, the right to access and view the personal data handled by the data processor and the systems used for this purpose. The data processor must, on request, make available to the data controller the processed personal data and all information about the processing that is necessary to demonstrate whether the parties' obligations have been fulfilled or not. The data processor is obliged to provide the necessary assistance in this regard.
Upon request, the data processor is obliged to give the data controller access to all security documentation that is necessary for the data controller to be able to fulfill its obligations according to current Norwegian personal data legislation, as well as to cooperate with the data controller and the supervisory authority in this regard.
The data controller has a duty of confidentiality for confidential security documentation that the data processor makes available to the data controller.
9. Duty to notify in the event of a security breach
The data processor must notify the data controller without undue delay if personal data managed on behalf of the data controller is exposed to a security breach.
The notification to the data controller must contain, as a minimum, information describing the security breach, which data subjects are affected by the security breach, which personal data are affected by the security breach, which immediate measures have been taken to deal with the security breach and which preventive measures have been established to avoid similar incidents in the future.
The controller is responsible for the Norwegian Data Protection Authority being notified when this is required.
10. Subcontractors
The data processor must, before the processing of personal data begins, enter into separate agreements with subcontractors that regulate the subcontractors' management of personal data in connection with this agreement.
In agreements between data processors and subcontractors, the subcontractors must be required to take care of all duties to which the data processor itself is subject in accordance with this agreement and the legislation. The data processor is obliged to present the agreements to the data controller on request.
The data processor must check that subcontractors comply with their contractual obligations, in particular that information security is satisfactory and that employees of subcontractors are aware of their obligations and fulfill them.
The data controller approves that the data processor engages the following subcontractors to fulfill this agreement: see Appendix 3.
The data processor cannot engage subcontractors other than those mentioned above without this being approved in advance in writing by the data controller.
The data processor is responsible for the subcontractor's actions and omissions as if they were the data processor's own.
In cases where the data controller has approved the use of a subcontractor in accordance with Appendix 3, the data processor must ensure that the subcontractor complies with any requirements for signing the EU's standard agreement and additional measures in accordance with point 12 of this data processing agreement.
The data processor is obliged not to use subcontractors until the conditions in this point 10 and point 12 have been met.
11. Processing plans
Both the Data Processor and subcontractors of the Data Processor are obliged to draw up and follow their own processing plan which ensures that their processing of personal data is carried out in accordance with their respective concluded data processing agreement.
Such a processing plan must be presented to the Data Controller for quality assurance and approval before the processing can begin.
12. Transfer to countries within and outside the EU/EEA
Within the EU/EEA
Personal data that the data processor manages in accordance with this agreement will be transferred to the following recipient countries within the EU/EEA: see appendix 3.
Outside the EU/EEA
In order to comply with the requirements in the personal data legislation for the transfer of personal data to data processors/subcontractors where the processing is carried out outside the EU/EEA, the data processor must ensure that no personal data is transferred to countries outside the EEA area without a transfer basis in accordance with the personal data legislation and documentation demonstrating that the conditions for using the transfer basis are fulfilled.
Transfers must also meet the additional requirements laid down by the European Court of Justice in (EU) C-311/18 (Schrems II judgment). In such a case, the data processor must document this in Appendix 3. Identification and implementation of additional measures must be at the data processor's expense.
Personal data that the data processor manages in accordance with this agreement will be transferred to the following recipient countries outside the EU/EEA: see appendix 3.
The legal basis for the transfer of personal data to the aforementioned recipient countries outside the EU/EEA is: see appendix 3.
13. Security audits and impact assessments
Data processors must regularly carry out security audits of their own work to secure personal data against unauthorized or illegal access, change, deletion, damage, loss or unavailability.
Security audits shall include the data processor's security goals and security strategy, security organisation, guidelines and routines for security work, established technical, physical and organizational security measures and the work with information security at subcontractors to this agreement. It must also include routines for notifying the data controller in the event of a security breach and routines for testing emergency and continuity plans.
The data processor must document the security audits. The controller must be given access to the audit reports on request.
If an independent third party carries out security audits at the data processor, the controller must be informed about which auditor is used and be given access to summaries of the audit reports on request.
14. Obligations upon expiry or termination of the Agreement
Upon termination of the Agreement, the Data Processor is obliged, at the Data Controller's option, to return or delete all personal data that has been received on behalf of the Data Controller and which is covered by this Agreement. When returning, the personal data and other data must be handed over in a standardized format and medium together with the necessary instructions that enable the Data Controller to use the data further.
The Data Processor is obliged to delete or properly destroy all documents, data, storage media, etc., which contain (copies of) information or data covered by the Agreement and which the Data Processor is not to return, unless it is required to keep them by virtue of another law. This also applies to any backup copies.
The data processor must provide written documentation that return or deletion has taken place, in accordance with the Controller's instructions.
15. Default
In the event of breach of the terms of this data processor agreement due to errors or negligence on the part of the data processor, the data controller may terminate the agreement with immediate effect. Such breach will constitute a material breach of the Agreement. The data processor will still be obliged to return and delete personal data that is managed on behalf of the data controller in accordance with the provisions in point 14 above.
16. Duration of the agreement
This data processor agreement applies until the termination of the Agreement.
16.1 Changes to this agreement
This data processing agreement can be changed with 30 days' notice by Tappin AS. Such a change will be announced on Tappin AS's website.
17. Contact persons
The contact person at the data processor for questions related to this agreement is: Data Protection Officer/DPO at Tappin AS, gdpr@tappin.no
The contact person at the data controller for questions related to this agreement is the person specified in the signed agreement between Tappin AS and the data controller.
Breaches of personal data security must be reported to the data controller's data protection officer.
18. Choice of law and venue
The agreement is governed by Norwegian law and the parties adopt Oslo as the venue. This also applies after termination of the agreement.
APPENDIX 1 DATA SUBJECTS AND CATEGORIES OF INFORMATION
Data subjects
- Participants at events
  - employees, hirers, users, participants, visitors, website visitors, suppliers, speakers.
Categories of information
- Name*
- Telephone number*
- E-mail address*
- Address
- Information about the employer
- Title/position
- Photos and personal videos
- Conversations between participants
- Birth and social security number
- Sex
- Personal notes
- Statistics and logs about use of the system*
- Logs of sent e-mails and SMS*
- Published messages on the timeline or elsewhere in the system*
* These categories are always registered; the other categories are optional and depend on the controller's choice.
Special categories of information
- In some cases, health information such as allergies and disabilities is stored.
Further information
- IP address
- Cookies for improving the user experience
- Date and time of communication between users
- Time for logging in and logging out
- Geodata → limited to countries
- Data on access control in cases where this is provided by Tappin AS → time, session.
APPENDIX 2 INFORMATION SECURITY
- Security template https://tinyurl.com/ygajz326
- Deviation form https://tinyurl.com/ydn8nxlz
- Security instructions for the security officer https://tinyurl.com/yehlwwsq
- Security organization https://tinyurl.com/yfjcxo3y
- GDPR info package https://go.tappin.no/TappinGDPRinfo
APPENDIX 3 TRANSFER TO COUNTRIES OUTSIDE THE EEA AREA AND SUB-SUPPLIERS (SUB-DATA PROCESSORS)
1. Transfer to data processor, country:
Tappin AS, Norway
2. Transfer to subcontractors (subprocessor), name and country:
Data processor will use the following subcontractors:
| Name | Processing activity | Place |
|---|---|---|
| Amazon AWS* | Storage of data | Dublin, Ireland |
| Microsoft Azure* | Storage of data | Norway |
| MongoDB* | Database | Europe |
| Flow player | Video services | Stockholm, Sweden |
| Whereby | Video meeting services | Norway |
| Cloudflare* | CDN | Globally |
| Google* | Internal tools (Google Cloud: e-mail, word processing, spreadsheets, presentations, storage of files and documents for internal processes) | Europe |
* Subcontractors that are always used; the others are optional and based on the data controller's wishes.
3. Basis of transfer:
The data processor/subcontractor shall not transfer personal data outside the EEA, or give subcontractors outside the EEA access to personal data, without the written consent of the data controller.
When consenting to the transfer of personal data to a country outside the EEA area which is not considered to ensure adequate protection in accordance with GDPR Article 45, the data processor is obliged to enter into an agreement on the basis of the EU's standard contractual clauses for transfer to data processors in third countries ((EU) 2021/914) or any other such standard agreement that may have replaced them.
In these cases, the data processor must undertake to ensure that access to or processing of personal data does not occur before:
(i) EU standard agreements are signed by the EEA-based data processor as data exporter and the non-EEA-based data processor or subcontractor as data importer, and
(ii) The data processor has received the controller's unequivocal confirmation that any requirements to notify or obtain approval from the data supervisory authorities before the transfer are considered to have been taken care of.
4. More information about subcontractors
- AWS
- Cloudflare
- Whereby
- Flow player
- MongoDB