Data Processing Agreement

in accordance with the Personal Data Act and the General Data Protection Regulation (GDPR) Art. 28

1. The purpose of the agreement
2. Purpose and processing of personal data
3. DATA CONTROLLER`s duties
4. DATA PROCESSOR’s duties
5. Sub-Provider usage
6. Security
7. Security audits
8. Duration of the appointment
9. Upon termination
10. Notices and any miscellaneous charges
11. Choice of law and venue.

 

1. The purpose of the agreement

1.1.          The purpose of the agreement is to regulate the parties’ rights and obligations under the Personal Data Act, including the requirements for data processing agreements a resulting from the General Data Protection Regulation (GDPR) Nature. 28.

1.2.          This Agreement regulates the DATA PROCESSOR’s processing of personal data on behalf of the DATA CONTROLLER, including the collection, registration, compilation, storage, disclosure, or combinations thereof.

1.3.          The Agreement is an appendix (document) to the agreement on the use of eDialog24 (Terms of Service).

 

2. Purpose and processing of personal data

2.1.          THE DATA PROCESSOR develops and delivers solutions and software to its customers (DATA CONTROLLER).

The License/Maintenance/Support Agreement (Terms of Service) entails, among other things, an obligation for the DATA PROCESSOR to perform maintenance and support on the software. This also includes the processing of data collected and processed by the DATA CONTROLLER on the system/software provided by the DATA PROCESSOR.

2.2.          The purpose of the agreement is to establish the conditions for the DATA PROCESSOR’s processing of personal data on behalf of the DATA CONTROLLER, including to fulfill the requirements of the Personal Data Act for the data processing agreement.

2.3.          The agreement covers all processing of personal data accessed by the DATA PROCESSOR through maintenance and support in accordance with the license agreement. The license agreement entails that the DATA PROCESSOR shall have access to the electronically stored information collected, archived, and processed by the DATA CONTROLLER. The processing by the DATA PROCESSOR follows from a license agreement with the DATA CONTROLLER or on the instructions of the DATA CONTROLLER as part of the fulfillment of the license agreement.

2.4.          The basis for the DATA PROCESSOR’s obligations and rights under this Data Processing Agreement applies for the same period as the license agreement with the DATA CONTROLLER.

2.5.          Personal data that the DATA PROCESSOR processes under the license agreement are:

Optional fields:

First name
Surname
E-mail address
Client number	Organization number
Company Name
Visiting address
Postal address
Postcode
City
IP Address
Dialog content	Email
Dialog content	Phone – Manual Note

 

Required fields:

Phone	Phone number
E-mail	SMTP header/metadata information (Deleted along with the e-mail)

In addition, the DATA PROCESSOR processes such personal data about employees entered the program by the DATA CONTROLLER:

First name, last name, telephone number, mobile phone number, e-mail address, job title,

 

DATA PROCESSOR is also permitted to process personal data contained in documents and notes uploaded by data controller employees in the program provided by the DATA PROCESSOR.

2.6.          To fulfill the license agreement, the DATA PROCESSOR is permitted to carry out the following processing activities of personal data entered the program by the DATA CONTROLLER:

Collection, registration, compilation, storage, deletion, as well as disclosure of personal data or combinations thereof, on behalf of the DATA CONTROLLER.

DATA PROCESSOR shall process personal data necessary to carry out statutory tasks and tasks a resulting from contractual obligations under the license agreement, necessity reasons or in cases where consent has been given by the person. The processing also applies to the processing of personal data that the DATA CONTROLLER has instructed the DATA PROCESSOR to process.

2.7.          DATA PROCESSOR shall only handle personal data in the same way that the DATA CONTROLLER himself has access to.

2.8.          If the DATA PROCESSOR determines the purpose of the processing of personal data and which aids to use, beyond what follows from the license agreement, the data processing agreement and any instructions from the DATA CONTROLLER, the DATA PROCESSOR is deemed to be the data controller for such processing.

 

3. DATA CONTROLLER`s duties

3.1.           DATA CONTROLLER is the one who determines the purpose of the processing of personal data and which aids to use. The data controller is responsible for ensuring that information is processed in accordance with the requirements set out in the Personal Data Act.

3.2.          DATA CONTROLLER is responsible for ensuring that affected persons for whom personal data is processed are informed of the processing in accordance with the rules that always follow from the Personal Data Act.

 

4. DATA PROCESSOR’s duties

4.1.          DATA PROCESSOR shall only process information about data subjects in accordance with what is stated in the agreement between the parties, including the DATA CONTROLLER’s documented instructions. DATA PROCESSOR is therefore permitted to process personal data about data subjects in the manner that follows from the agreement or that is necessary to fulfill the license agreement with the data controller.

4.2.          DATA PROCESSOR is only obliged to comply with any instructions from the DATA CONTROLLER for the processing of personal data under this Data Processing Agreement and the License Agreement.

4.3.          Any instructions from the DATA CONTROLLER other than those set out in the license agreement and the data processing agreement shall only be carried out if the DATA PROCESSOR is compensated for the additional cost of performing the thesis from the data controller.

4.4.           DATA PROCESSOR is obliged to notify the DATA CONTROLLER immediately if the DATA PROCESSOR believes that the instructions from the data controller are in violation of the regulations.

4.5.          DATA CONTROLLER has, unless otherwise agreed or follows from law, the right to access and access the personal data processed and the systems used for this purpose. DATA PROCESSOR is obliged to provide the necessary assistance for this.

4.6.          DATA PROCESSOR is obliged to ensure that persons authorized to process the personal data have a duty of confidentiality regarding documentation and personal data that they access in accordance with the license agreement and the data processing agreement. This provision also applies after the termination of the agreement.

4.7.          DATA PROCESSOR is responsible for ensuring that subcontractors engaged by DATA PROCESSOR fulfill their duties corresponding to those applicable to the DATA PROCESSOR under this agreement.

4.8.          DATA PROCESSOR is obliged to carry out appropriate technical and organizational measures to ensure that the processing of the personal data meets the requirements set out in the regulations. DATA PROCESSOR shall make available to the DATA CONTROLLER all the information necessary to prove that the obligations as a data processor are fulfilled.

4.9.          In the event of requests from the data subject to the exercise of their rights set out in Chapter III of the General Data Protection Regulation, DATA PROCESSOR is obliged to assist DATA CONTROLLER in fulfilling their obligations.

4.10.        DATA PROCESSOR shall implement appropriate technical and organizational measures to achieve a level of safety appropriate to the risk. DATA PROCESSOR is obliged to assist the DATA CONTROLLER in ensuring compliance with the obligations under art. 32 – 36, taking into account the nature of the processing and the information available to the data processor. DATA PROCESSOR shall also assist DATA CONTROLLER in fulfilling the DATA CONTROLLER’s obligation to respond to requests that the data subject submits for the purpose of exercising his/her rights.

4.11.        DATA PROCESSOR is obliged not to transfer personal data to a third State without the data controller being informed in advance and approved such transfer.

 

5. Sub-Provider usage

5.1.          If DATA PROCESSOR uses a subcontractor or others who are not normally employed by DATA PROCESSOR, this must be agreed in writing with the data controller before the processing of personal data starts.

5.2.          All persons who, on behalf of DATA PROCESSOR, carry out assignments where the use of the personal data in question is included, shall be familiar with DATA PROCESSOR’s contractual and legal obligations and fulfill the conditions thereof.

5.3.          DATA PROCESSOR may not engage or replace any DATA PROSESSORS other than what emerges from this Agreement, without the DATA CONTROLLER being informed and having the right to object to such changes.

5.4.          DATA PROCESSOR has the following subcontractors who process personal data on behalf of the DATA CONTROLLER:

DigitalOcean – Cloud based data center (EU)
Youtello solution is located and operated in the Netherlands.
Personal data: First name, Last name, Phone number and E-mail.
https://www.digitalocean.com/

Pro ISP –  E-mail accounts (Norway)
Email handling in Youtello goes through this provider.
Personal data: First name, Last name and E-mail.
https://www.proisp.no/

Nordic Hosting – Web / E-mail accounts (Norway)
Web site and E-mail handling in Youtello goes through this provider.
Personal data: First name, Last name, Phone number and E-mail.
https://www.nordichosting.com

Traq – Consent management (Norway)
Personal data: First name, Last name, Phone number and E-mail.
https://no.traq.tech/

Front – Number lookup (Norway)
Personal data: Phone number.
https://fro.no/

1881 – Number lookup (Norway)
Personal data: Phone number.
https://www.1881.no/

Telia Norge AS / Phonero  – Phone operators (Norway)
Personal data: Phone number.
https://www.telia.no, https://www.phonero.no

 

6. Security

6.1.          DATA PROCESSORS shall fulfill the requirements for security measures necessary pursuant to Art. 32. DATA PROCESSOR shall document routines and other measures to meet these requirements. The documentation shall be available at DATA CONTROLLER’s request.

6.2.          The nonconformity report shall be made by DATA PROCESSOR reporting the nonconformity to DATA CONTROLLER. DATA CONTROLLER is responsible for ensuring that the nonconformity notification is sent to the Norwegian Data Protection Authority when such notification is necessary.

6.3.          DATA PROCESSOR is obliged to keep personal data from the DATA CONTROLLER securely separate from personal data belonging to DATA PROCESSOR’s other customers.

 

7. Security audits

7.1.          DATA CONTROLLER may agree with DATA PROCESSOR that security audits are carried out regularly for systems and the like covered by this Agreement.

 

8. Duration of the appointment

8.1.          The agreement applies as long as DATA PROCESSOR processes personal data on behalf of DATA CONTROLLER.

8.2.          In the event of a breach of this Agreement or the Personal Data Act, DATA CONTROLLER may order DATA PROCESSOR to stop the further processing of the data with immediate effect.

8.3.          The Agreement may be terminated on the terms of the License Agreement.

 

9. Upon termination

9.1.           Upon termination of this Agreement, DATA PROCESSOR is obliged to return all personal data received on behalf of DATA CONTROLLER and covered by this Agreement, if requested by DATA CONTROLLER. The return should occur in XML or another open file format.

9.2.          DATA PROCESSOR shall delete or properly destroy all documents, data etc., containing information covered by the Agreement. This also applies to any backups. Deletion and/or destruction shall also include all copies by e-mail and other storage locations.

9.3.           Normally all data (as mentioned in 9.2.) is deleted within 3 months from termination of the license agreement unless data cannot be deleted as a result of requirements under law or regulation. Backups (backups) will be deleted no later than 24 months from the end of the license agreement.

9.4.          DATA PROCESSOR shall document in writing that deletion and or destruction has been carried out in accordance with the Agreement within a reasonable time.

9.5.          DATA PROCESSOR covers all costs in connection with the return or deletion of personal data.

 

10. Notices and any miscellaneous charges

10.1.        The parties agree that any need for changes to this Agreement upon introduction of the GDPR shall be implemented electronically.

10.2.         The parties agree that the agreement can be signed
electronically.

10.3.        Notices under this Agreement shall be sent in writing to the following persons:

For DATA CONTROLLER:
The company that uses the Youtello solution.

 

For DATA PROCESSOR:
Position: ICT-responsible
Telephone: +47 73 89 47 40
E-post: kundeservice@edialog24.no

 

11. Choice of law and venue

The agreement is governed by Norwegian law and the parties adopt the Data Controller’s repatriation as a venue. This also applies after termination of the agreement.

 

12. Definition

Agreement: The Data Processing Agreement as described herein.

Processing of personal data: Any use of and association with personal data, such as collection, registration, storage and disclosure or a combination of these.

Data processor: eDialog24 AS, which supplies the product Youtello®.

Data controller: The customer and the company that is a user of Youtello® .

The program: Youtello® .

Personal data: Information that can be linked to or identify a person.

Support: Technical support

Terms of Service: Terms of Use of Youtello®.