Data processing agreement
Customer has ordered Services from Onestop Reporting implying that Onestop Reporting Processes Personal Data on behalf of Customer according to the Norwegian Personal Data Act (Act of 15 June 2018 no. 38), which implements EU’s General Data Protection Regulation (EU) 2016/679 (“Applicable Data Protection Law“).
Onestop Reporting Processes Personal Data on behalf of Customer and is the Processor according to this data processing agreement. Customer is the Controller. This data processing agreement regulates the Processor’s Processing of Personal Data on behalf of Controller in accordance with the Terms of Service (the “Agreement“).
The Controller might use the Services to Process Personal Data on behalf of its customers. Strictly spoken, the Customer will then act as a Processor on behalf of its customers acting as Controllers, while OneStop Reporting acts as a sub processor to Customer. Irrespective of Customer acting on behalf of itself and/or its customers, this data processing agreement sets out the relevant rights and obligations of the parties, and complies with requirements in Applicable Data Protection Law.
Definitions in this data processing agreement shall have the same meaning as set out in Applicable Data Protection Law if not otherwise explicitly stated.
2. Description of the Processing
This data processing agreement shall apply to Processing of Personal Data carried out by the Processor on behalf of the Controller under the Agreement. The Processor shall only process the categories of Personal Data that is implied by the Services ordered and only to the extent necessary to fulfill the Agreement.
A copy of the data stored in the ERP-system of Controller or Controller’s customers will be transferred to Processor’s cloud based solution through an API (Application Programming Interface) in order for Controller to analyse and produce reports by use of Processor’s applications. The Controller might also provide additional information directly into the Processor’s solution.
The categories of Personal Data transferred to Processor’s solution may differ depending on the data systems the Controller has instructed Processor to interact with. Below is a “maximum” list of the categories of Personal Data which might be stored in or can be accessed through Processor’s solution:
- Name of employees
- Other contact details of employees
- Employees’ working hours
- Salary information
- Tax information
- Personal identity number (not hosted by Processor)
- Credit card number (not hosted by Processor)
The categories of Personal Data set out above generally relate to employees of Controller or employees of customers of Controller, included might as well be employees in other group companies, partners and subcontractors of Controller or customers of Controller.
The purpose of the processing is solely to facilitate the opportunity for Controller to analyze the information and to produce and distribute reports for itself or its customers. A processor will not analyze any data on Controller’s behalf, except if Controller explicitly asks Processor to assist with the application of or use of a specific functionality etc.
3. The Controller’s undertakings
Controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that its own Processing activities are performed in accordance with Applicable Data Protection Law.
Where proportionate in relation to Processing activities, the measures referred to above shall include the implementation of appropriate data protection policies by the Controller.
Controller warrants that Processor may Process Personal Data under the Agreement and subject to this data processing agreement, i.e. that there is a legal basis for the relevant Processing activities carried out by Processor.
Controller is responsible for the quality and accuracy of the Personal Data Processed under the Agreement.
If Controller Processes Personal Data on behalf of customers, Controller is responsible for distributing user accounts to its customers in a way that prevent that a customer gets access to Personal Data of another customer.
Controller undertakes to behave loyally towards Processor, hereunder to notify Processor without undue delay of any circumstance that might affect Processor’s Processing under the Agreement.
4. The Processor’s undertakings
The Processor’s Processing of Personal Data as Processor for the Controller in order to fulfill the Agreement shall be carried out in accordance with Applicable Data Protection Law.
The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible and taking into account the nature of the Processing and the information available to the Processor, in fulfilling the Controller’s obligations under applicable privacy legislation with regards to request from Data Subjects, and general privacy compliance under the GDPR article 32 to 36. The Processor reserves the right to charge its standard rates for such assistance.
The Processor shall comply with the documented instructions and routines issued by the Controller in relation to the Processing of Personal Data. This data processing agreement shall be deemed exhaustive in respect of Controller’s instructions on the Processor with respect to the Processing of Personal Data under the Agreement.
4.2 Restrictions on use
The Processor shall not Process Personal Data beyond what is necessary to fulfil its obligations towards the Controller under the Agreement.
The Processor shall ensure that Personal Data is not disclosed to any third party unless instructed to do so by the Controller or required to do so by law.
The Processor shall not acquire any right, title or interest in any Personal Data disclosed by the Controller to the Processor under the Agreement.
The Processor shall ensure that all Personal Data Processed on behalf of the Controller is kept securely separated from any other data Processed by the Processor. Controller is however responsible for safe distribution of user accounts, cf. clause 3.
4.3 Information Security
The Processor shall by means of planned, systematic organizational and technical measures ensure information security appropriate to the risk with regard to confidentiality, integrity, and accessibility in accordance with Applicable Data Protection Law.
The Processor shall at all times comply with the following minimum security requirements:
- Availability: The Processor will use its best efforts to ensure the availability of data. Processor uses PaaS (Platform as a Service) from Microsoft which means that all maintenance regarding the operating system and network is provided by Microsoft. The SLA with Microsoft guarantees 99,9 % availability of data.
- Integrity: Integrity of data is ensured by Microsoft’s PaaS and requirements under SLA. Microsoft ensures integrity of data related to network, hardware, operating system and databases.
- Confidentiality: Confidentiality of data is ensured by Microsoft’s PaaS, see security documentation by Microsoft.
The Processor’s access to data is secured by use of HTTPS. All employees have signed a non-disclosure agreement and have completed a training program.
Access to data can only be obtained prior to entering a username and password.
- Isolation (purpose limitation): Processor’s employees and sub-contractors have access to data on a need to know basis.
- Accountability: Processor regularly conducts self-auditing with regard to technical and organizational security, follow-up of sub-contractors, internal routines and training plans.
- Data retention and deletion: Processor has functionality for deletion of data which may be adjusted according to Controller’s needs.
- Physical security: Microsoft ensures physical security of data servers containing Personal Data.
- Processor has established routines with regard to securing offices and access to PC’s, including alarm services.
If required by Applicable Data Protection Law, Processor shall document the relevant security measures.
Any use of the information system that is contrary to established routines, this data processing agreement or Applicable Data Protection Law, as well as any security breach, shall be treated as a discrepancy.
The Processor shall follow up discrepancies in order to re-establish the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.
The Processor shall notify the Controller without undue delay after becoming aware of a breach to a reasonable degree of certainty.
The notification referred to shall include information required according to GDPR article 33.3, and as stated in article 33.4, where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
Members of the staff of the Processor being involved in the Processing of Personal Data under the Agreement shall be subject to a duty of confidentiality as regards the Personal Data Processed. The duty of confidentiality shall also apply to other data of significance for the information security. The duty of confidentiality also applies after termination of this data processing agreement.
The Processor shall ensure that members of the staff of the Processor which Processes Personal Data on behalf of the Controller is familiar with this data processing agreement and complies with its terms and conditions.
4.6 Security audits
Controller may request that a security audit shall be carried out by an independent third party in accordance with recognized standards for security audit. Controller shall carry the costs for such audit.
If the security audit reveals any unforeseen use of the information system this shall be treated as a discrepancy, cf. clause 5.4.
The result of the security audit shall be documented and the report from the security audit shall be provided to the Controller, save for information that reveals business secrets or is otherwise confidential to Processor.
4.7 Use of subcontractors
Processor has entered into a PaaS (Platform as a Service) Agreement with Microsoft, which means that Microsoft’s owns the platform where the Personal Data is stored. Processor has entered into a data processing agreement with Microsoft.
To the extent, the Processor wishes to use other sub-contractors to fulfil the obligations under the Agreement, and the sub-contractor is involved in the Processing of Personal Data, the Processor shall ensure that the sub-contractor undertakes responsibilities corresponding to the obligations set out in this data processing agreement. The Processor shall maintain a list of all such sub-contractors which shall be available for the Controller upon request.
If the Controller has reasonable grounds for rejecting the use of a specific sub-contractor, and Processor cannot replace the relevant sub-contractor, the Controller shall be entitled to terminate the Agreement with immediate effect.
4.8 Transfer of personal data
The Processor will not transfer Personal Data relating to Data Subjects in the European Economic Area (the “EEA”) to a country outside the EEA which is not considered to provide an adequate level of data protection according to Applicable Data Protection Law (“Third Country”), without the Controller’s prior written consent.
If the Controller is situated in a Third Country and the Parties have agreed upon Processing of Personal Data in a Third Country, the Controller is responsible for notifying the Processor if the Controller shall use the Services to Process Personal Data on behalf of customers situated in the EEA. The Controller shall in such case obtain consent from its relevant customers to the transfer of Personal Data and provide for necessary signatures to agreements entered into for the transfer of Personal Data, cf. below.
If the Controller has given its written consent to transfer of Personal Data to a Third Country, Processor undertakes, on Controller’s request, to enter into EU standard contractual clauses for the transfer of Personal Data to processors in third countries (2010/87/EC) or other clauses replacing the 2010/87/EC clauses.
The Processor shall inform the Controller of an intended transfer to a Third Country before such transfer takes place. If the Controller will not consent to such transfer, the Controller shall have the right to immediate terminate the Agreement.
5. Limitations of liability
Limitations of liability agreed under the Agreement shall apply also under this data processing agreement.
6. Term and termination of the data processing agreement
This data processing agreement shall be effective from the time the Agreement is entered into and until the Agreement expires, save for clauses that shall remain in force according to this data processing agreement or the Agreement.
Upon termination of this data processing agreement, the Processor (and its sub-contractors) shall cease to Process the Personal Data held by the Processor on behalf of the Controller. The Processor shall in accordance with established routines delete the copies of Personal Data which is kept on behalf of Controller or return Personal Data to the Controller if the Controller so requires.