DATA PROCESSING AGREEMENT
The Client consenting to these terms (“Client” or “Controller”) and iQ Global AS (“iQ Global” or “Processor”) have entered into this Data Processor Agreement (DPA) (“Agreement”).
The Processor shall process the personal data on behalf of the Controller with regard to the above stated background for the Agreement.
The nature and purpose of the processing of personal data, the duration of the processing of personal data, the subject matter of the processing of personal data, the types of personal data to be processed, and the categories of data subjects to whom the personal data relates are included in the Appendix to this Agreement.
This Agreement shall provide for the processing of personal data in accordance with the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Norwegian Personal Data Act with regulations which implements the General Data Protection Regulation (jointly called “Personal Data Regulation” in the following).
The Processor shall process the personal data only in the way described in the Agreement, as agreed in writing with the Controller, as instructed by the Controller, or required by the law.
Terms and definitions used in the Agreement shall be construed in the same way as in the Personal Data Regulation.
The Processor confirms that it will implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject, including compliance with the requirements in Article 32 of the General Data Protection Regulation. Other duties are set forth under Section 4.
The Processor shall only process the personal data under the instructions given by the Controller. The Processor shall be able to document such instructions if requested. The Processor shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Controller.
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the General Data Protection Regulation. In addition, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation taking into account the nature of processing and the information available to the Processor. If there is an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42, which the Processor has undertaken to comply with, the Processor shall comply with such code of conduct or certification mechanism at any time during the term of this Agreement.
The Processor shall maintain records of processing activities (log) which the Processor performs for the Controller. The record shall contain at a minimum the information required under Article 30 of the General Data Protection Regulation. The Controller may at any time request the record provided.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Section 2 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall also make available all documentation with regard to information security for the Controller. The Processor is however solely responsible for the contact and communication with the supervisory authorities, such as Datatilsynet in Norway.
The Processor has a duty of confidentiality with regard to the personal data and other information the Processor receives as part of the Agreement and the processing of personal data, and shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality shall survive any termination of the Agreement.
The Processor shall not transfer or give access to the personal data or information which the Processor processes or handles on behalf of the Controller to a third party without the explicit instruction from the Controller. Any requests with regard to the personal data or the processing from third parties or the data subject shall be forwarded to the Controller without undue delay if not otherwise agreed in this Agreement or by instruction by the Controller.
If the Processor considers that an instruction by the Controller infringes the Personal Data Regulation or other law, the Processor shall immediately inform the Controller.
The Processor shall not engage another supplier for the processing of the personal data (sub-processor) without prior specific or general written authorisation of the Controller, and the sub-processor has confirmed that it undertakes to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject.
Any pre-approved sub-processors are included in the Appendix to this Agreement.
The Controller has given the Processor a general written authorisation for the use of sub-processors for processing personal data under the Agreement. In case of any intended changes concerning the addition or replacement of sub-processors, the Processor shall inform the Controller and thereby give the Controller the opportunity to object to such changes.
Any sub-processor shall be imposed the same obligations as the Processor set forth in the Agreement in a written, binding agreement where in particular the sub-processor is providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Personal Data Regulation. Where that sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
The Processor shall comply with the requirements to security given in the Personal Data Regulation. The Processor shall provide documentation of technical and organisational measures implemented to ensure the security of the personal data upon the request of the Controller.
Audits shall be performed regularly, and the parties shall agree on when security audits shall be performed. Audits may comprise review of routines and processes, inspections, tests, more comprehensive controls and other relevant control activities as agreed and instructed by the Controller. The Processor's use of resources in relation to audits shall be agreed upon, or if not agreed, the Processor shall provide reasonable resources as necessary for the audit.
In case of personal data breach, the Processor shall without undue delay notify the Controller. Such notification shall at least:
If not all information above may be given in the first notice, the information shall be provided as soon as possible.
The Controller is solely responsible for notifying the supervisory authorities, such as Datatilsynet in Norway, and the Processor is not to contact or notify the supervisory authorities without the explicit instruction by the Controller.
Personal data shall only be transferred to third countries, i.e. countries outside EU/EEA which ensure an adequate level of protection, upon explicit agreement or instructions by the Controller. The Processor shall not transfer or give access to the personal data to persons in third countries without the explicit approval by the Controller. The consent or instruction given by the Controller must cover the country which the personal data shall be transferred to or accessed from. For transfer to or access from third countries for personal data it is required that the appropriate safeguards, including with regard to the rights of data subjects, are complied with.
This Agreement shall be effective and stay in force as long as the Processor (and its permitted sub-processors) processes personal data on behalf of the Controller.
The Controller may instruct the Processor to stop the processing of the personal data with immediate effect.
Upon termination of this Agreement, regardless of reason, the Processor (and its permitted sub-processors) shall delete or return any or all personal data to the Controller, subject to the Controller’s instructions, in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of such data, and delete all copies of those personal data.
The Controller shall receive a written confirmation from the Processor that all personal data has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, print out or any other representation of such data on any medium.
Other duties and rights between the parties may be subject to the Main Agreement or other agreements between the Controller and the Processor.
If the Main Agreement is transferred, this Agreement shall be transferred accordingly.
Nature of the Data Processing | The data processing described in the Main Agreement. |
Purposes of the Data Processing | The data processing provided for by the Main Agreement is executed for the purpose of providing the services described in the Main Agreement. |
Type of Personal Data | The personal data may include the domain name itself, DNS data history, vendor and partner contact and billing information, and the following for a domain name registrant, a domain name’s administrative contact, a domain name’s technical contact, and a domain name’s billing contact: name; organization name; contact information, such as e-mail address, physical address, telephone number, and fax number. Controller’s employees/users: name, email address. |
Categories of Data Subjects | ● Users of the Data Controller; ● The Users’ End Users |
Sub-processors
The following Sub-Processors shall be considered approved by the data Controller at the time of entering into this Data Processor Agreement:
Name of Other Processor | Description of Processing | Location of Other Processor |
Amazon Web Services | Computing Infrastructure, Storage | Ireland |
Webslice | Data backup | Netherlands |
Email, file storage | USA | |
Groove | User relationship management | USA |
24SevenOffice | Invoicing information | USA |
MailChimp | User relationship management | USA |
Intercom | Online support | USA |