Data Processing Agreement Pursuant to Art. 28 GDPR
-Hereinafter: controller -
REG NR: 927 668 734
NADDERUDVEIEN 145B, 1359, EIKSMARKA, NORWAY
-Hereinafter: processor -
The controller (responsible for the processing) and the processor conclude the following data processing agreement pursuant to Art. 28 of the European General Data Protection Regulation (GDPR). On the basis of the contractual relationship existing between the parties (main contract) the processor processes personal data for the controller. The resulting data protection rights and obligations of the parties are specified by this data processing agreement. The appendices to this agreement are part of the agreement. The provisions made apply to all services rendered by the processor for the controller and all associated activities that result in and may result in the processing of personal data.
§ 1 Subject and duration of processing
- The subject matter of the contract is the processing of personal data (hereinafter referred to as "data") by the Processor for the Controller on the Controller's behalf and in accordance with the Controller's instructions. The Processor shall undertake the processing of personal data in order to enable the employees and staff of the Controller to use the Processor's language learning app. The subject matter and duration of the Agreement shall furthermore be governed by the Main Agreement.
- The controller and the processor have concluded a cooperation agreement for the operation and development of mobile purchasing solutions (main contract). According to this agreement, the processor will perform certain services for the controller in its area of responsibility, namely the operation of mobile portals to support the controller's sales activities. The details result from the processor's offer on which the main contract is based.
- Even in the absence of the aforementioned conditions, the controller is entitled to terminate this agreement and the main contract without notice if the processor repeatedly violates this agreement. Prior written notice or a notice in text form on the part of the controller is a prerequisite for this.
§ 2 Scope, nature and purpose of processing
As part of its services, the processor collects and stores personal information about clients of the controller, in particular also information about intended orders by customers. In particular, the Processor shall carry out the following processing operations on behalf of the Controller:
- Breyta offers a customer relationship management platform that processes various forms of customer and user data on behalf of Breyta’s customers in order to provide automated workflows and insights based on the data provided by Breyta’s customers.
§ 3 Categories of personal data
The processor will potentially have access to the following personal data (as a result of the controller providing it with the data or allowing it access to the data):
- First name and last name
- Phone number
- Job title
- Job department
- IP address
- Additional data categories that the controller might provide
§ 4 Categories of data subjects
The affected data subjects for the above listed data are:
- Customers of the controller
- Potential customers of the controller
- Partners or suppliers of the controller
- Potential or existing investors of the controller
- Employees of the controller depending on their use of the platform
- Additional data subjects depending on the data that the controller provides
§ 5 Obligations of the controller
- The controller alone is responsible for the evaluation of the admissibility of the data processing as well as for the protection of the rights of data subjects and thus is the responsible data controller within the meaning of Art. 4 (7) GDPR.
- The controller gives instructions to the processor regarding the type and extent of processing of the personal data.
- Prior to the start of the commissioning and the associated data processing, and regularly thereafter, the controller is entitled, after timely prior notification (of at least 2 weeks) and during normal business hours, to verify compliance with the processor's technical and organizational data security measures. The controller can also have this check carried out by a third party.
- The processor agrees that the controller is entitled after prior notification to verify compliance with the provisions on data protection and the contractual agreements to the extent necessary, or to have this done by third parties, in particular by obtaining information and viewing the stored data and the systems as well as through other on-site inspections.
- The processor must comply with any possible inspection measures of the data protection supervisory authority pursuant to Art. 58 GDPR. The processor shall inform the controller immediately after notification or knowledge about the execution of the inspection measures as well as in case of other inquiries, investigations or inquiries of the data protection supervisory authority, in particular also if this occurs in a prior consultation pursuant to Art. 36 GDPR, to the extent that the measures or inquiries may concern data processing that the processor provides for the controller.
- At the request of the controller, the processor shall prove compliance with the technical and organizational measures taken. Proof can be provided by presenting a current attestation or report (e.g. by an auditor, external data protection officer, inspector or an external data protection auditor) and, if applicable, a suitable certification (e.g. ISO 27001 or according to an approved certification procedure pursuant to Art. 42 GDPR) or adherence to approved rules of conduct pursuant to Art. 40 GDPR. The inspection rights of the controller remain unaffected.
§ 6 Obligations of the processor
- The processor is obliged to process personal data only in accordance with the instructions and in accordance with the provisions of this agreement.
- In granting the rights of data subjects pursuant to Art. 15 et seq. GDPR (correction, limitation of processing, deletion, notification and provision of information), the processor shall support the controller upon first request within its means. The processor shall take appropriate technical and organizational measures. The processor shall, upon instruction, correct, delete or restrict the processing of the personal data processed on behalf of the controller.
- Should the data collected on behalf of the controller be the subject of a request for data portability pursuant to Art. 20 GDPR, the processor shall immediately make the relevant data set available to the customer in a structured, standard and machine-readable format upon request.
- If a data subject turns directly to the processor to exercise their rights as a data subject, the processor must immediately forward this request to the controller.
- The processor shall inform the controller immediately if it believes that a given instruction violates legal regulations. The execution of the corresponding instruction may be suspended until it has been confirmed or changed by the controller.
- After termination of the main contract, the processor is obliged to hand over to the controller all personal data connected with the contractual relationship, which has come into the processor’s possession, and to delete the data in compliance with data protection and data security regulations and in accordance with controller's instructions. This also applies to any data backups at the processor. The data-protection and data-security compliant deletion must be documented in writing and confirmed to the controller in writing.
- The processor shall ensure that the employees involved in the processing of the data of the controller and other persons working for the processor are prohibited from processing the data outside the instructions. Furthermore, the processor shall guarantee that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to appropriate legal confidentiality. The obligation to confidentiality/secrecy persists even after the commission is completed. Insofar as the processor participates in the provision of commercial telecommunications services in connection with the services rendered for the controller, the processor is required to oblige the employees involved therein in writing to confidentiality regarding telecommunications.
- The Processor shall ensure that in the event of a personal data breach, the Processor immediately informs the Controller and supports the Controller in its obligations pursuant to Art. 33-36 GDPR.
- The processor confirms that, provided the conditions are met, it has appointed a data protection officer in accordance with Art. 37 GDPR and monitors compliance with data protection and data security regulations via the data protection officer. The data protection officer for the processor is:
FRESH COMPLIANCE GMBH
FÜRBRINGER STR. 15
10961 BERLIN, GERMANY
§ 7 Place of performance
- The processing and use of the data takes place exclusively in the territory of the European Union or in another Contracting State of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the controller and may take place only if the special conditions of Art. 44 et seq. GDPR are fulfilled.
- If the processing of personal data takes place outside the EU, the processor warrants that the requirements applicable under the respective applicable data protection regulations for the occurrence of a permissible circumstance for the processing of personal data outside the EU are met ("justification under data protection law"). This is the case, on the one hand, if and to the extent that the EU Commission has certified an adequate level of protection for the data controller. Furthermore, if the processing is carried out by the processor on the basis of appropriate guarantees within the meaning of Art. 46(1)(c) GDPR (EU standard contractual clauses) with further security precautions. Finally, if the processing of personal data outside the EU takes place exclusively within the framework of a program that has been certified by the EU Commission as offering an adequate level of protection (successor agreement to the EU-US Privacy Shield, if applicable), and the further processor fulfills the formal and substantive requirements necessary for participation in the program, has qualified for it and remains qualified for the program without interruption during the term of the order.
§ 8 Subcontracting
- The controller agrees that the processor may involve subcontractors. Before contracting or replacing subcontractors, the processor shall inform the controller in individual cases.
- The controller may object to the change – within an appropriate period of time – for good cause – vis-à-vis the entity designated by the controller. If no objection is made within the deadline, the consent to the change shall be deemed granted. If there is good cause related to data protection, and if a mutual solution between the parties is not possible, the controller is granted a special right of termination.
- The processor is liable for subcontractors as well as for its own vicarious agents.
- The processor must ensure that all obligations under this agreement also apply to the subcontractors and their employees; this applies in particular to the duty to confidentiality and the obligation to privacy.
- The processor is currently working on the fulfillment of the contract with the following other commissioned data processors, with whose commissioning the controller agrees:
Name and address of the subcontractor / Description of the services / Appropriate safeguards, if applicable

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Services: Google Cloud Platform is used for all cloud infrastructure such as web services to store and process data from the controller. Google Analytics is used to analyse anonymized web traffic of any visitors to Breyta's website.
Safeguards: Despite data being stored in EU-residence data centers only, the processor relies on the most current standard contractual clauses; a Transfer Impact Assessment was concluded.

Segment
Services: Segment is used to track the activity of any logged-out or logged-in users of Breyta's web app in order to personalize any product services to them.

Intercom
Services: Intercom is used to track conversations with the support team of Breyta and provide chat services on the site.

Hubspot
Services: Hubspot is used to track prospects and leads in order to sell to them.
§ 9 Technical and organizational measures
- The processor is obliged to comply with the principles of proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. The processor shall take all necessary measures to secure the data or the security of the processing, in particular taking into account the state of the art, as well as to mitigate possible adverse consequences for data subjects. In particular, the measures to be taken shall include measures to ensure adequate pseudonymization and encryption, as well as measures to protect the confidentiality, integrity, availability and resilience of systems and measures ensuring the continuity of post-incident processing.
- The technical and organizational measures taken by the processor are described in detail in the appendix to this agreement and are part of the agreement.
§ 10 Liability
- The processor is liable to the controller in accordance with the statutory provisions for all damages occurring in the provision of the contractual service, through culpable violations of this agreement as well as of legal data protection regulations to which it is subject, which are caused by the processor, its employees or those contracted by it for execution of the contract.
- The controller or the processor is responsible to the data subject pursuant to Art. 82 GDPR for compensation for damages, which a data subject asserts due to inadmissible or incorrect data processing within the scope of the contractual relationship according to the GDPR or other regulations regarding data protection. The processor shall indemnify the controller internally from all claims for damages which are asserted against the controller due to a culpable breach of the obligations arising from this agreement by the processor.
§ 11 Deletion and return of personal data
a) The Processor shall not make copies or duplicates of the Data without the knowledge and consent of the Controller, except for the purpose of data backup or making technical copies for the following purposes:
- To carry out the processing activities under this DPA;
- to provide evidence of proper data processing; or
- for the fulfillment of legal obligations to retain data.
b) Upon termination of the contractual commissioned processing or upon the Client's request earlier, but no later than upon termination of the contract, the Processor shall return to the Controller all documents, processing and usage results and data records, insofar as they relate to this contract, or - after consent has been granted - delete or destroy them in a manner compatible with data protection law. The same applies to all related test, committee, redundant and discarded materials. The log of the deletion or destruction shall be made available upon request.
§ 12 Final provisions
- In the event of any inconsistency between the terms of this agreement and the terms of the main contract, the terms of this agreement prevail.
- Amendments and supplements to this agreement must be made in writing and it must be explicitly stated that the present provisions are thereby amended and/or supplemented. This also applies to a waiver of this formal requirement.
- Should any provision of this agreement be or become invalid or unenforceable, the remaining provisions of this agreement remain unaffected. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision which comes closest to the purpose of the provision to be replaced.
- This agreement is subject to Norwegian law.
- If access to the data is endangered by measures of third parties (e.g. measures of an insolvency administrator, seizure by tax authorities, etc.), the processor must inform the controller immediately about this.
APPENDIX - Technical and organizational measures
The processor takes appropriate technical and organizational measures to ensure an adequate level of protection within the framework of data protection and data security of the present contractual relationship. In particular, the processor ensures the confidentiality, integrity, availability and resilience of the systems or applications used and, among other things, implements the following measures.