Data Processing Agreement

Pursuant to the Norwegian data protection legislation, cf. GDPR Article 28(3), a data processing agreement is entered into between the Customer (Data Controller) and Norsk Byggtjeneste AS (Data Processor).

21 October 2024

Purpose of the Agreement

The Agreement aims to ensure the integrity, confidentiality, and availability of personal data. It ensures that personal data about the individuals registered in the data processor’s database is not misused or misplaced. 

Personal data shall be processed in accordance with the EU General Data Protection Regulation (Regulation 2016/67) and other applicable laws and regulations, including the current Personal Data Act with any regulations and approved codes of conduct, collectively referred to as the "Regulations." 

The Agreement regulates the data processor’s use of personal data on behalf of the data controller, including collection, registration, compilation, storage, disclosure, or combinations of these. 

Purpose

The purpose of processing personal data is to deliver services and assistance in accordance with the service/user agreement (the Service Agreement) that the data controller (the customer) has entered into with Norsk Byggtjeneste AS, and to ensure that the relevant processing of personal data is carried out in accordance with the Regulations. 

Appendix 1 to this data processing agreement contains a more detailed description of the purpose and scope of the data processor’s processing of personal data, in line with GDPR Article 28(3) and Article 30(2). 

Data Processor’s Obligations

The data processor shall act in accordance with the instructions from the data controller. 

The data processor shall comply with the requirements of the Regulations, including: 

  • Ensure that persons authorised to process personal data are committed to confidentiality or are subject to an appropriate statutory confidentiality obligation, cf. Regulation Article 28(3)(b). 

  • Not engage another data processor ("sub-processor") without specific or general written consent from the data controller, cf. Regulation Article 28(2). If another sub-processor is used, it must be specified in writing which tasks they will perform and in which countries they are located. If the data processor uses another data processor, and permission is granted for this, the same contractual terms as required under Regulation Article 28(3) must be imposed on the sub-processor, and the original data processor will remain fully responsible for ensuring that other data processors fulfil their obligations. 

  • Personal data shall only be processed according to instructions from the data controller, including not transferring personal data to countries outside the EU/EEA (third countries) without a written and documentable instruction from the data controller, cf. Regulation Article 28(3)(a). 

  • Taking all necessary measures to achieve a security level appropriate to the relevant risks associated with the processing, cf. Regulation Article 32. 

  • Complying with the data controller’s instructions to delete or return all personal data (including copies) after the services related to the processing are completed, unless there is a legal requirement for the data to be retained, cf. Regulation Article 28(3)(g). 

  • Making all necessary information available to demonstrate compliance with these obligations to the data controller and facilitating and contributing to audits and inspections conducted by the data controller or another on their behalf, cf. Regulation Article 28(3)(h). 

  • Immediately notifying the data controller if an instruction from the data controller is in conflict with the Regulations, see also Regulation Article 28(3). 

The data processor shall ensure that all processing of personal data covered by this Agreement is carried out in accordance with an acceptable level of risk and in accordance with the risk assessment conducted by the data processor. 

The data processor defines security objectives, strategy, organisation, and responsibilities in accordance with the Regulations and follows this up using an internal control system. 

The data processor is obliged to provide the data controller with access to its security documentation and assist in ensuring that the data controller can fulfil its own responsibilities under the Regulations. 

The data processor is obliged to ensure that all persons at its disposal who are given access to personal data processed on behalf of the data controller are familiar with this Agreement and are subject to its provisions. 

Data Controller’s Obligations

The data controller shall ensure that the relevant personal data can be processed. Specifically, the data controller shall: 

  • Ensure that there is a sufficient legal basis for the processing, 

  • Ensure that agreements entered into with the data subject and the consents formulated comply with and enable the processing of personal data as specified in Appendix 1, and 

  • Be responsible for ensuring that the transfer of personal data to the data processor can lawfully take place. 

Use of Sub-contractors

If the data processor uses sub-contractors or others not normally employed by the data processor, this must be agreed in writing with the data controller before the processing of personal data begins. 

All those who perform tasks on behalf of the data processor where the use of the relevant personal data is involved must be aware of the data processor’s contractual and legal obligations and fulfil the requirements under these. 

Consent for activities or tasks to be performed by new sub-contractors, or changes in the operating location, is granted by updating Appendix 2. 

The data processor is responsible for the sub-contractor’s performance of tasks for the data controller, just as if the data processor had performed them itself. 

The requirement for prior consent from the data controller also applies in cases where the data processor and/or sub-contractor’s processing involves the transfer of personal data to countries outside the EU/EEA (Third Countries). Such transfers require a valid transfer basis in accordance with the Regulations. 

For an overview of sub-processor agreements, see Appendix 2. 

Security

The data processor must have satisfactory technical and physical security in place for the solution used. 

Only employees and others acting on behalf of the data processor who have a business need for access to personal data may be given such access. 

The data processor shall have clear procedures for logging errors and incidents of significance covered by this Agreement. If such errors or incidents are discovered, the data processor shall notify the data controller as soon as possible. 

The data controller may audit the data processor’s personal data security using a third party approved by the data processor. The audit may include a review of procedures, spot checks, more comprehensive on-site inspections, and other suitable control measures. Such audits may only be conducted after written prior notice from the data controller. Those conducting the audit must comply with the data processor’s reasonable instructions when accessing the data processor’s premises and otherwise accept the data processor’s legitimate need for confidentiality. Audits should be conducted efficiently and should minimise disruption to the data processor’s work. 

The data processor shall establish measures and procedures to detect deviations from data privacy and other security breaches and have procedures and measures in place to follow up and rectify deviations. The data processor is obliged to assist the data controller in following up on deviations and provide the necessary information about the deviation as required by the Regulations. 

Any deviations must be reported in writing to the data controller without undue delay and no later than 24 hours after the data processor suspected the deviation, even if the data processor does not have all the required information available. Notification to the data controller of any deviations must not be delayed pending investigations into the cause, scope, and consequences. The data controller is responsible for reporting the deviation to the Data Protection Authority without undue delay and, where possible, no later than 72 hours after becoming aware of the deviation. 

Duration of the Agreement

This data processing agreement follows the duration of the associated Service Agreement. However, the data processing agreement applies as long as the data processor processes or has access to personal data on behalf of the data controller. 

In the event of proven breaches of this data processing agreement, relevant matters in the Service Agreement, and/or the Regulations, the data controller may require the data processor to stop further processing of personal data with immediate effect. 

If breaches of this data processing agreement are not corrected within a reasonable time, the data controller may terminate the data processing agreement in whole or in part following prior written notice. Upon full or partial termination of this data processing agreement, services under the Service Agreement will also cease. 

Upon Termination

The data processor shall, at the data controller’s choice, delete (anonymise) or return all personal data to the data controller after the services related to the processing are provided and delete (anonymise) existing copies unless there is a legal requirement to retain the personal data. 

This also includes the deletion of logs, backups, and similar data that the data processor does not have a legal basis to retain. 

The data processor shall document in writing that deletion has been carried out in accordance with the Agreement within a reasonable time after the termination of the Agreement. After this, the data processor’s responsibility ceases. 

Inquiries Regarding the Agreement

All inquiries regarding this data processing agreement, including notification of deviations, shall be directed to the contact points specified in the Service Agreement, unless otherwise agreed in Appendix 1. 

Governing Law and Jurisdiction

The Agreement is subject to Norwegian law, and the parties submit to the jurisdiction of the Oslo District Court. 

This also applies in the event of disputes after the termination of the Agreement. 

Appendix 1 Purpose of Processing

The data processor shall only process personal data to the extent necessary to fulfil its tasks and obligations under the Service Agreement. 

Personal data is processed by the data processor during normal use of products and services, including when the data controller uses the products or services to: 

  • Input/edit contact details 

  • Obtain consent for further processing from the individual registered 

Personal data is also processed during support and troubleshooting, including using sub-contractors in third countries. The data controller grants the data processor the right to enter into agreements with sub-contractors in third countries on behalf of the data controller. Refer to Appendix 2. 

Types of Personal Data Processed

The data processor processes the following personal data on behalf of the data controller: 

  • First name and last name 

  • Email address 

  • Phone number 

  • Country 

  • Affiliation to company/organisation 

Category of data subjects 

The data processor will process personal data about the following categories of data subjects: 

Software/service users, employees and contacts 

Agreed contact points, cf. Data Processing Agreement clause 9 

Unless otherwise agreed, all inquiries regarding this Data Processing Agreement, including reporting of deviations, shall be made to the parties' contact points specified in the Service Agreement. 

Duration of processing 

The duration of processing shall be as long as the contractual relationship between the parties persists. Upon termination of the Service Agreement, the Data Processor shall store data for a maximum of 5 years. 

Data that must be stored for accounting purposes shall be stored for as long as required, typically for five years. 

Annex 2 

Overview of subcontractors 

The overview includes all approved subcontractors. 

| Supplier Name | Location | Services Provided | Personal Data Processed | Notes |
|---|---|---|---|---|
| Conscensia A/S | Denmark / Ukraine | Development of new functionality and versions / technical maintenance. Bug fixing and second-line technical support as needed | All as mentioned in Appendix 1, Section 2 | Third-country agreement required. Controller authorizes processor to enter such agreement on its behalf. |
| Satyr d.o.o. | Croatia | Development of new functionality and versions / technical maintenance. Bug fixing and second-line technical support as needed | All as mentioned in Appendix 1, Section 2 | |
| Ironstone | Oslo, Norway | Development of new functionality and versions / technical maintenance. Bug fixing and second-line technical support as needed | All as mentioned in Appendix 1, Section 2 | |
| Braathe Gruppen AS | Norway | Server rental, server operations, backup, hosting | All as mentioned in Appendix 1, Section 2 | |
| Microsoft Corporation | USA / Netherlands | Server operations, backup, hosting in Azure | All as mentioned in Appendix 1, Section 2 | |
| SendGrid, Inc. | USA | Email distribution | Name, email addresses, and information about deliveries (delivered/failed) | Company certified under the Privacy Shield framework |
| Auth0, Inc. | USA | User management and authentication | All as mentioned in Appendix 1, Section 2 | Company certified under the Privacy Shield framework |
| Survey Monkey | USA | Sending user surveys | Name, email addresses, and information about surveys and responses | |
| B2S | Norway | Sending user surveys | Name, email addresses, and information about surveys and responses | |
| Logiq | Oslo, Norway | Transaction transfer | All as mentioned in Appendix 1, Section 2 | |
| EcoOnline | Tønsberg, Norway | Chemical inventory management | All as mentioned in Appendix 1, Section 2 | |
| SuperOffice | Norway | CRM system | All as mentioned in Appendix 1, Section 2 | |
| Proviso | Trollåsen, Norway | Course/conference management | All as mentioned in Appendix 1, Section 2, and allergies | |
| Google | | Cookies for analytical purposes | Personally identifiable cookies | |
| Zapier | USA | Synchronization between SuperOffice and HubSpot | All as mentioned in Appendix 1, Section 2, and allergies | |
| HubSpot | USA | CRM system | All as mentioned in Appendix 1, Section 2 | |
| Elasticsearch BV | Netherlands / USA | Search engine | All as mentioned in Appendix 1, Section 2 | |
