1.1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 "Applicable Laws" means
(a) GDPR - EU General Data Protection Regulation 2016/679;
(b) EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
(c) European Union or Member State laws with respect to all the Personal Data in respect of which the Controller is subject to EU Data Protection Laws; and
(d) any other applicable law with respect to all the Personal Data in respect of which the Controller is subject to any other Data Protection Laws;
1.1.2 "Controller" means Customer, and the Customer determines the purpose and means of processing the Personal Data;
1.1.3 "Processor" means Vendor (or a Subprocessor), which processes Personal Data on behalf of the Controller;
1.1.5 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any member state or other country;
1.1.6 "EEA" means the European Economic Area;
1.1.7 "Third Countries" means non-EU/EEA-countries that do not have a sufficient level of security for processing personal data;
2. Processing of Personal Data on the Controller’s behalf
2.1.2 The object of this Addendum is to set out the rights and obligations pursuant to the GDPR, the prevailing Norwegian Act on the Processing of Personal Data, with additional Regulation(s). This Addendum shall ensure that the Personal Data regarding the Data Subjects is not used in a non-compliant manner or compromised to un-authorized parties.
2.1.3 SESAM will process Personal Data necessary for the purpose to perform the Services in accordance to the Addendum, and as further instructed by Customer in its use of the Services.
2.1.4 This Addendum shall ensure that the Personal Data processed by the Processor on behalf of the Controller, is only processed in compliance with Applicable Laws and according to the Controller’s documented instructions.
2.2 Categories of Personal Data and Data Subjects
2.2.1 The Customer may submit Personal Data to the Services, which may include, but is not limited to, categories of Personal Data such as first and last name, home address, mobile number, job title, position, date of birth, education/qualifications, personal identification number, salary, bank account number, passwords, pictures and so on.
2.2.2 The Customer may submit Personal Data to the Services, which may include, but is not limited to, categories of Data Subjects such as customers, end users, employees, agents, advisors, job applicants, partners, suppliers, clients and customers.
2.2.3 In the case that the Controller processes special categories of Personal Data, this must be specifically agreed upon with the Processor in advance of such Processing.
2.3 The Controller’s Obligations
2.3.1 The Controller shall ensure that the processing of the Personal Data is lawful.
2.3.2 The Controller shall authorise the Processor to provide each Subprocessor with the same written instructions that the Processor has been provided with.
2.4 The Processor’s obligations
2.4.1 The Processor shall only process the Personal Data on behalf of the Controller and on written instructions from the Controller, unless Processing is required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing. The Processor shall only process the Personal Data for the sole purpose and to the extent necessary to provide the Services, in accordance with the terms in this Addendum and Applicable Laws.
2.4.2 The Processor does not have the right of use of the Personal Data, and may therefore not process them for their own purposes under any circumstances.
2.4.3 The Processor has carried out the technical and organizational security measures as described in this Addendum’s section 4, in order to protect the Personal Data from loss, misuse or un-authorized alternation or dissemination, or against other illegal processing. These measures represent a level of security appropriate to the risks represented by the processing, taking into account the costs of the implementation.
2.4.4 The Processor shall give the Controller access to its applicable security documentation, and in other respects assist, so that the Controller may comply with his own responsibilities according to Applicable Laws.
2.4.5 The Controller has, unless otherwise agreed or pursuant to Applicable Laws, the right to access the Personal Data being processed and the systems used for this purpose. The Processor shall provide necessary assistance for such access to be given.
2.4.6 The Processor is subject to confidentiality regarding the documentation and the Personal Data for which it gains access to under this Addendum. This provision also applies after the termination of this Addendum.
2.4.7 The Processor may freely choose where it geographically stores the Personal Data, although in such a manner that the Personal Data shall not be stored in countries outside of EU/EEA without a separate written agreement or the transfer/storage being included in a special arrangement (e.g. “Privacy Shield”). The Controller may at any time require information on where the Personal Data is stored.
2.4.8 The Processor shall, without undue delay, notify the Controller on any request from governmental authorities or the police regarding the disclosure of the Personal Data, unless this is prohibited (e.g. prohibited by the Penal Code to preserve the confidentiality of an investigation), on any unauthorized access to or unauthorized disclosure of the Personal Data (see section 7.1) and on any request received directly from a Data Subject, without answering the request unless otherwise authorized to do so. The Processor will only disclose the Personal Data to governmental authorities or the police when legally obliged to do so, e.g. court order, judgement, order with a basis in law or similar.
2.5 In the case that the Controller’s instructions or the Processor’s assistance to the Controller lead to increased costs for the Processor compared to what was initially agreed upon between the parties, the Controller shall compensate the Processor for the increased cost in accordance with the Processor’s regular terms and hourly rates.
3. Processor’s Personnel
3.1.1 The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who is given access to the Personal Data.
3.1.3 The Processor shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. The obligations of confidentiality will survive the termination of the personnel engagement.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in GDPR Article 32 (1). The safeguards are designed to prevent accidental or unlawful destructions, loss, alteration, unauthorized access, security oversight and enforcement.
4.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
4.3 The Controller confirms that the Processor has provided sufficient guarantees that they will implement appropriate technical and organizational measures that ensure that the processing meets the requirements of Applicable Laws, hereunder the protection of the Data Subjects’ rights.
5.2 The Processor may continue to use those Subprocessors already engaged by the Processor as of the date this Addendum enters into force, subject to the Processor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 The Processor shall give the Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 2 weeks of receipt of that notice, the Controller notifies the Processor in writing of any objections (on reasonable grounds) to the proposed appointment, the Processor shall not appoint (or disclose any Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by the Controller, and the Controller has been provided with a reasonable written explanation of the steps taken.
5.4 The Processor is responsible for the Suprocessor’s performance in regards of the processing of Personal Data in accordance with the requirements of the GDPR.
5.5 With respect to each Subprocessor, the Processor shall:
5.5.1 before the Subprocessor’s first processing of the Personal Data (or, where relevant, in accordance with section 5.2), ensure that the Subprocessor does not process Personal Data covered by this Addendum in any way that is not necessary for the performance of the Services, and that the Personal Data is not given to anyone else without this being specified in this Addendum or is permitted by the Controller in a prior written notice;
5.5.2 ensure that the arrangement between the Processor and the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this Addendum and meet the requirements of GDPR article 28 (3); and
5.5.3 provide to the Controller for review such copies of the Processors' agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as the Controller may request from time to time.
5.6 Processing of Personal Data outside of the EU/EEA
5.6.1 If the agreement between the Processor and the Subprocessor involves a transfer to a Third Country, the Standard Contractual Clauses must at all relevant times be incorporated into the agreement between the Processor and the Subprocessor. Or, prior to the Subprocessor’s first processing of Personal Data, the Processor must ensure that the Subprocessor enters into an independent agreement with the Controller that incorporates the Standard Contractual Clauses;
5.6.2 If the Processor is to enter into an agreement with Subprocessors in countries outside the EU/EEA, this should only be done according to E.U. - U.S. Privacy Shield, EU model agreements for the transfer of personal data to Third Countries, or other applicable legal grounds for transfers to Third Countries in accordance with GDPR Chapter 5. The same applies even if Personal Data is stored in the EU/EEA when personnel with access to the data are located outside the EU/EEA.
5.6.3 If the Controller approves such transfers, the Processor shall cooperate with the Controller to ensure the legality of the transfers.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests to exercise Data Subject rights under Applicable Laws.
6.2 Section 2.5 applies equivalently to this section 6.1.
7. Personal Data Breach
7.1 The Processor shall notify the Controller without undue delay upon the event that the Processor or any Subprocessor becoming aware of a Personal Data Breach affecting the Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform the applicable Supervisory Authorities and/or the Data Subjects of the Personal Data Breach under Applicable Laws.
7.2 The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3 Section 2.5 applies equivalently to this section 7.2.
8. Data Protection Impact Assessment and Prior Consultation
8.1 The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required of the Controller by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
8.2 Section 2.5 applies equivalently to this section 8.1.
9. Deletion or return of the Personal Data
9.1 Subject to sections 9.2 and 9.3 the Processor shall as soon as possible and within 4 weeks of the date of cessation of any Services involving the Processing of the Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Personal Data.
9.2 Subject to section 9.3, the Controller may in its absolute discretion by written notice to the Processor within 1 week of the Cessation Date require the Processor to (a) return a complete copy of all of the Personal Data to the Controller; and (b) delete and procure the deletion of all other copies of the Personal Data Processed by the Processor. The Processor shall comply with any such written request within 5 weeks of the Cessation Date.
9.3 The Processor may retain and store the Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws. Such cases always entail the provision that the Processor ensures the confidentiality of all such Personal Data and ensures that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.4 The Processor shall provide written certification to the Controller that it has fully complied with this section 9 within 5 weeks of the Cessation Date.
9.5 All costs connected to extraordinary measures in connection with deletion and/or providing copies of the Personal Data are to be carried by the Controller.
10. Audit rights
10.1 Subject to sections 10.2 and 10.3, the Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits by the Controller or an auditor mandated by the Controller in relation to the Processing of the Personal Data by the Processor.
10.3 The Controller undertaking an audit shall give the Processor reasonable notice of any audit to be conducted under section 10.1, and shall avoid causing any damage, injury or disruption to the Processor's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit. The Processor need not give access to its premises for the purposes of such an audit:
10.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;
10.3.3 for the purposes of more than one audit, in respect of the Processor, in any calendar year, except for any additional audits that the Controller will be required to perform in accordance with Applicable Laws by a Supervisory Authority when the Controller responsible for the audit has identified the relevant request in its notice to the Processor.
10.4 The Controller shall treat all information obtained from the Processor arising from an audit as the Processor’s strictly confidential information and not disclose the information to any third party or use the information otherwise than in connection with the audit.
10.5 The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section 10 infringes the GDPR or other EU or Member State data protection provisions.
10.6 Section 2.5 applies equivalently to this section 10.3.
11. Transfers to Third Countries
11.1 If the Controller by form of written instruction to the Processor prior to any such processing, instructs the Processor to transfer Personal Data to a Third Country, the Controller (as "Data Exporter") and Processor/Subprocessor (as "Data Importer") must enter into an agreement that includes the Standard Contractual Clauses.
11.2 The Standard Contractual Clauses shall come into effect under section 11.1 on the later of:
11.2.1 the data exporter becoming a party to them;
11.2.2 the data importer becoming a party to them; and
11.2.3 commencement of the relevant Restricted Transfer.
12. General Terms
Governing law and jurisdiction
12.1 This Addendum shall be subject to and interpreted in accordance with Norwegian laws. The parties to this Addendum hereby submit to the jurisdiction of the Courts of Oslo.
Order of precedence
Changes in Data Protection Laws, etc.
12.4 The parties shall revise this Data Processing Addendum in the event of relevant changes to the Applicable Laws.
12.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Liability and liability limitations
12.6 Each party is responsible for that party’s processing of Personal Data being in accordance with the GDPR.