1.1 This data processing agreement ("Data Processing Agreement") forms an integral part of the Agreement between SEEN and the Client and shall apply to any processing of Personal Data carried out by SEEN (the "Processor") on behalf of the Client (the "Controller") in providing the services set out in the Agreement. Interpretations and defined terms set forth in the Terms apply to the interpretation of this Data Processing Agreement.
1.2 This Data Processing Agreement governs the parties’ rights and obligations and shall ensure that personal data are not used improperly or disclosed without prior authorisation or otherwise in contravention of the applicable data protection legislation in the European Union and the United Kingdom, including (i) Regulation (EU) 2016/679 (the "EU GDPR"), and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time) (the "UK GDPR") (together, collectively, the "GDPR"); (ii) the UK Data Protection Act 2018; and (iii) all other applicable laws and regulations relating to the processing of personal data (the "Data Protection Laws").
1.3 By entering into this Data Processing Agreement, the Controller authorises the Processor to process personal data on its behalf in accordance with the protocol in Appendix 1.
2. THE CONTROLLER’S OBLIGATIONS
2.1 The Controller shall comply with the obligations that are stipulated in Data Protection Laws, as well as this Data Processing Agreement.
2.2 The Controller shall be responsible, among other things, for ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.
2.3 It is the Controller who determines the purpose of the processing of personal data and the means to be used during such processing, cf. the GDPR article 4 no. 7 and the data protection legislation.
3. THE PROCESSOR’S OBLIGATIONS
3.1 The Processor shall comply with the obligations that are stipulated in Data Protection Laws, as well as this Data Processing Agreement.
3.2 The Processor shall follow the documented routines and instructions for the processing that the Controller at all times has decided upon and not process personal data provided under the Data Processing Agreement in any other way or for any purpose other than what is necessary to fulfil the Processor's contractual obligations as stipulated in this Data Processing Agreement or in the documented routines or instructions of the Controller, unless processing is required by Data Protection Laws, in which case the Processor shall, to the extent permitted by applicable laws, inform the Controller of that legal requirement before the relevant processing of that personal data.
3.3 The personal data shall be used only by the Processor in connection with the purpose and nature of the processing as described in Appendix 1.
3.4 The Processor is obliged to notify the Controller without undue delay if the Processor considers that the Controller’s instructions are in violation of the Data Protection Laws.
3.5 The Processor shall keep a record of the processing activities that it performs on behalf of the Controller, which shall contain at least the information required under Article 30 of the GDPR.
3.6 The Controller has, unless otherwise agreed or stipulated by law, the right to access and review the personal data being processed by the Processor.
3.7 If an approved code of conduct exists according to Article 40 of the GDPR or other approved certification scheme according to Article 42 of the GDPR, which the Processor has undertaken to comply with or be certified under, the Processor is required to comply with such code of conduct or certification requirements in the processing of personal data on behalf of the Controller.
3.8 The Processor is subject to a duty of confidentiality regarding the personal data that the Processor has access to under this Data Processing Agreement. The Processor shall only grant access to the personal data to persons under the Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The Processor shall at the request of the Controller demonstrate that the concerned persons under the Processor’s authority are subject to the above-mentioned confidentiality.
3.9 The Processor shall not disclose personal data or information that it processes on behalf of the Controller to third parties or data subjects without explicit instruction or permission from the Controller, unless otherwise provided by law. Third-party inquiries to the Processor must be forwarded to the Controller as soon as possible.
4. DATA SUBJECTS
4.1 The Processor shall assist the Controller in safeguarding the rights of the data subjects in accordance with Chapter III of the GDPR. This applies to, but is not limited to, providing information on how the personal data is processed, handling inquiries concerning access to personal data and fulfilling the data subjects’ rights to demand correction or deletion of the personal data. The Processor shall notify the Controller as soon as possible, and within five (5) days at the latest, if it receives a request from a data subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Laws. The Processor shall not respond to such requests unless instructed to do so by the Controller.
5.1 The Processor is entitled to use sub-processors to process personal data on behalf of the Controller, provided that the Processor remains fully liable to the Controller for the sub-processor’s performance of its obligations under this Data Processing Agreement.
5.2 The Processor shall ensure that all sub-processors are informed of and bound by similar requirements for information security, confidentiality, use and other requirements set forth in this Data Processing Agreement and applicable Data Protection Laws.
5.3 If the Processor wishes to engage a new sub-processor, the Processor must notify the Controller of this at least one month before the sub-processor begins processing the personal data.
5.4 The Controller may deny the use of such sub-processor only if the Controller has well-grounded doubts about the ability of the sub-processor to comply with the applicable Data Protection Laws. If the Controller has not opposed the intended sub-processor within 14 days of the Processor's notice, the sub-processor shall be deemed approved by the Controller. If the Controller opposes the use of the sub-processor, the Parties shall negotiate in good faith on how to resolve this issue. If the negotiations do not resolve the issue, the Processor may cease the processing and terminate the Agreement with reasonable notice.
5.5 The Controller shall be entitled to receive a copy of any sub-processing agreement between the Processor and a sub-processor. The Processor is entitled to redact such parts of relevant contract documents that are irrelevant for the control purposes of this Data Processing Agreement (e.g. financial conditions).
5.6 At the conclusion of this Data Processing Agreement, the Controller has approved the sub-processors listed in Appendix 1 of this Data Processing Agreement.
6.1 The Processor is obliged to implement all necessary organisational and technical measures to safeguard the confidentiality, integrity and availability of the personal data and to prevent the personal data from being exposed to unauthorised access, dissemination, alteration, damage, destruction or inaccessibility.
6.2 The Processor shall comply with the requirements for security measures imposed by the at all times applicable Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.3 The technical and organisational measures are subject to technical development and the Processor may implement adequate alternative measures in the course of the Data Processing Agreement. Such measures shall comply with the legal provisions set out in Article 32 of the GDPR and must not fall short of the level of security previously held. No special agreement is required if these changes lead to an improvement to the level of security that was previously part of this Data Processing Agreement in the context of commissioned processing.
6.4 The Processor shall assist the Controller so that it can fulfil its own duties in regard to information security, personal data breaches and data protection impact assessments pursuant to Articles 32 to 36 of the GDPR and the at all times applicable Data Protection Laws. At the request of the Controller, where required to handle the privacy risk as identified through impact assessments, the Processor is obliged to assist in assessing the privacy-related consequences and in prior consultations, as well as in the dialogue with, where the EU GDPR applies, the Norwegian Data Protection Authority, and where the UK GDPR applies, the UK Information Commissioner’s Office.
7. BREACH NOTIFICATION
7.1 The Processor is obliged to notify the Controller without undue delay if the Processor discovers that personal data is or has been exposed to unauthorised access, dissemination, alteration, damage, destruction or inaccessibility or another form of security breach or otherwise used in an unauthorised manner or handled in violation of the Data Protection Laws and/or the terms of this Data Processing Agreement.
7.2 The breach notification shall document the breach and contain, as a minimum:
7.3 A description of the nature of the breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
a) The name and contact details of the data protection officer or other contact point with the Processor.
b) A description of the likely or realised consequences of the breach.
c) A description of the measures that have been taken or which are proposed to be taken to address the breach, including, where relevant, measures to mitigate its possible adverse effects.
7.4 If the Processor is unable to provide the above-mentioned information at the same time, the information can be provided in phases without further undue delay.
7.5 In the event of a breach, the Processor is obliged to ensure the security of the personal data by implementing appropriate measures and co-operate with the Controller in the investigation and mitigation of each such breach. Such assistance shall be provided to the Controller at no extra cost.
7.6 The Processor agrees and understands that, except when the Processor is required to do so by applicable law, the Controller has the sole right to determine:
a) whether to provide notice of the breach to any data subjects or to the Data Protection Authority, as required by law or regulation or at the Controller’s discretion, including the contents and delivery method of the notice; and
b) whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.
8.1 The Processor shall make available to the Controller all reasonably required information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
8.2 The Controller or a third party appointed by the Controller may at any time demand access to and verification of the Processor's processing of personal data, including access to and verification of documentation for fulfilment of the requirements for information security and this Data Processing Agreement as well as assessments of organisation, routines, security measures and use of communications between partners and suppliers, random checks, site controls or other appropriate control measures, as well as a description of how the Processor secures personal data against unauthorised access, dissemination, alteration, damage, destruction or inaccessibility. If the Controller uses a third party to carry out the audit, such third party cannot be a direct competitor to Processor and must be bound by a duty of confidentiality before commencing with the audit.
8.3 The Controller shall, insofar as possible, give the Processor notice in reasonable time when requiring access and control, normally at least 30 days. For requests for access to documents, at least 14 days’ notice should be given.
8.4 Audits shall not impair the confidentiality, integrity and access to personal data, nor shall they impair the confidentiality, integrity and access to the Processor’s internal reports, prices or other clients’ information.
8.5 The Processor is obliged to give the supervisory authorities, or representatives acting on behalf of such authorities, access to the Processor's physical facilities after presentation of appropriate identification and basis for the access.
8.6 If the audits reveal defects, the Processor shall promptly rectify such deficiencies at no cost to the Controller. Any material deficiencies that constitute an obvious threat to information security should be corrected immediately.
9.1 Personal data processed by the Processor on behalf of the Controller may be transferred to, stored and processed in those countries listed in Appendix 1.
9.2 The Processor shall not transfer personal data to or allow persons outside of the countries listed in Appendix 1 to gain access to personal data, without the explicit prior written consent of and appurtenant instructions for transfer by the Controller. Consent and instructions must cover which countries the personal data may be transferred to. Transfer to a third country requires that the requirements contained in the Data Protection Laws for the information security and protection of the rights of the data subjects are met as well as the use of approved EU or UK transfer mechanisms.
10.1 This Data Processing Agreement shall apply for as long as the Processor processes personal data on behalf of the Controller.
10.2 In the event of a breach of this Data Processing Agreement or the data protection legislation, the Controller may instruct the Processor to discontinue further processing of the personal data with immediate effect.
11.1 Upon termination or expiry of this Data Processing Agreement, the Processor shall cease the processing of all personal data. The provisions relating to confidentiality of documentation and personal data that the Processor may access pursuant to this Data Processing Agreement shall survive this Data Processing Agreement.
11.2 Upon termination or expiry of this Data Processing Agreement, or upon the Controller’s written request, the Processor shall either, at the choice of the Controller, return and/or destroy personal data processed (including security copies).
11.3 If shared infrastructure is used where direct erasure is not directly possible, the Processor shall ensure that personal data is rendered unavailable until such data is overwritten by the system.
11.4 The Processor may not retain any copies of personal data provided by the Controller under this Data Processing Agreement, in any format, and any physical and logical access to such personal data shall be erased.
12.1 Changes to this Data Processing Agreement shall be agreed in writing by and between the Parties. The Controller is entitled to change the content of this Data Processing Agreement where necessary to comply with changes in the data protection legislation.