Data Processing Agreement
EFFECTIVE DATE: NOVEMBER 22, 2023
The following Data Processing Agreement is entered into between the Customer, as specified in the Order Confirmation, with address and organization number set out therein (hereinafter the “Customer” or the “Controller” or the “Processor” as the case may be) and the relevant Virtual Days entity as specified in the Order Confirmation, with address and organization number set out therein (hereafter “Virtual Days” or the “Processor” or the “Controller” as the case may be).
This Data Processing Agreement governs the processing of personal data by Virtual Days on behalf of the Customer for processing of personal data received from the Customer (in which Customer assumes the role of “Controller”) and processed by Virtual Days (in which Virtual Days assumes the role of “Processor”) as part of the Services (as defined in the Order Confirmation’s Terms and Conditions) and form part of the agreement for providing services entered into between Virtual Days and the Customer (hereinafter the “Main Agreement”).
This Data Processing Agreement governs also the processing of personal data by Virtual Days as a service to the Customer for processing of personal data received from Virtual Days’ student enquiries and members (in which Virtual Days assumes the role of “Controller”) and processed by Customer (in which the Customer assumes the role of “Processor”) as part of the Services (as defined in the Order Confirmation’s Terms and Conditions) and which form part of the agreement for providing services entered into between Virtual Days and the Customer (hereinafter the “Main Agreement”).
For the avoidance of doubt, both parties assume the role as sole Controller for personal data that are independently processed in the interest of such party, for the services such party provides to the third parties (student enquiries), for whom personal data is processed under this DPA.
1. BACKGROUND AND PURPOSE OF THE PROCESSING
The relevant Processor shall process the personal data on behalf of the relevant Controller with regards to the above said.
The nature and purpose of the processing of personal data, the duration of the processing of personal data, the subject matter of the processing of personal data, the types of personal data to be processed, the categories of data subjects to whom the personal data relates, and other obligations and rights of the Controller are included in the Appendix to this Data Processing Agreement.
This Data Processing Agreement shall provide for the processing of personal data in accordance with the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the Norwegian Personal Data Act (or relevant countries’ equivalent authority and acts) with regulations and guidelines which implements the General Data Protection Regulation (collectively “the Personal Data Regulation”).
The Processor shall process the personal data only in the way described in the Data Processing Agreement, as agreed in writing with the Controller, or as instructed by the Controller for said and applicable personal data it processes for and on behalf of the Controller.
Terms and definitions used in the Data Processing Agreement shall be construed in the same way as in the Personal Data Regulation.
2. THE CONTROLLER’S RIGHTS AND THE PROCESSOR’S DUTIES
The Processor confirms that it will implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject, including complying with the requirements in Article 32 of the General Data Protection Regulation. Other duties are set forth under Section 4 below.
The Processor shall only process the personal data under the instructions given by the Controller. The Processor shall be able to document such instructions if requested. The Processor (when acting as a Processor) shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Controller (when acting as a Controller).
The Processor shall, considering the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation. In addition, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation considering the nature of processing and the information available to the Processor.
If there are approved codes of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42, which the Processor has undertaken to comply with, the Processor shall comply with such code of conduct or certification mechanism at any time during the term of this Data Processing Agreement.
The Processor shall maintain a record of processing activities (log) which the Processor performs for the Controller. The record shall contain at a minimum the information required under Article 30 no. 2 of the General Data Protection Regulation.
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this Section 2 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, which is reasonable and necessary under the legal obligations.
The Processor has a duty of confidentiality regarding the personal data and other information the Processor receives as part of the Data Processing Agreement and the processing of personal data and shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality shall survive any termination of the Data Processing Agreement.
The Processor shall not transfer or give access to the personal data or information which the Processor processes or handles on behalf of the Controller to a third party without the explicit instruction from the Controller. Any requests regarding the personal data or the processing from third parties or the data subject shall be forwarded to the Controller without undue delay if not otherwise agreed in this Data Processing Agreement or by instruction by the Controller.
If the Processor is of the opinion that an instruction by the Controller infringes the Personal Data Regulation, the Processor shall immediately inform the Controller.
3. USE OF SUBCONTRACTOR/SUB PROCESSOR
The Processor shall not engage another supplier for the processing of the personal data (sub-processor) without prior specific or general written authorisation of the Controller, and the sub-processor has confirmed that it undertakes to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject.
The Controller has given the Processor a general written authorisation for the use of sub-processors for processing personal data under the Data Processing Agreement. In case of any intended changes concerning the addition or replacement of sub-processors, the Processor shall inform the Controller and thereby give the Controller the opportunity to object to such changes.
Any sub-processor shall be bound by the same obligations as the Processor set forth in the Data Processing Agreement in a written, binding agreement. Where that sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations. The Processor shall immediately upon request from the Controller provide a copy of the sub-processor’s Data Processing Agreements relating to the Services herein.
4. SECURITY OF PROCESSING AND NOTIFICATION OF BREACH
The Processor shall comply with the requirements to security given in the Personal Data Regulation. The Processor shall provide documentation of technical and organisational measures implemented to ensure the security of the personal data upon the request of the Controller.
In case of personal data breach, the Processor shall without undue delay notify the Controller. Such notification shall at least:
- Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
- Describe the likely consequences of the personal data breach; and
- Describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If not all the information above can be given in the first notice, the information shall be provided as soon as possible.
The Controller is responsible for notifying the supervisory authorities, such as Datatilsynet in Norway, Integritetsskyddsmyndigheten in Sweden and other relevant authorities, and the Processor is not to contact or notify the supervisory authorities without the explicit instruction by the Controller.
5. TRANSFER TO THIRD COUNTRIES
Personal data are provided by the Controller to the Processor and by the Processor to the Controller as set out in the Appendix to match candidates with prospective applicants to such Exhibitors. The nature of the prospective applications may require personal data to be transferred to countries outside EU/EEA/UK under contract/consent as necessary to provide the Services initiated by Customer/students, or as necessary to comply with the law or binding order of a governmental body.
For other personal data that is not transferred under a specific consent, or the nature of the personal data does not require it to be transferred, such personal data shall only be transferred to third countries, i.e., countries outside EU/EEA/UK which ensure an adequate level of protection, upon explicit agreement or instructions by the Controller if no other legal basis for transfer exists. The Processor shall not for such personal data transfer or give access to the personal data to persons in third countries without the explicit approval by the Controller. The consent or instruction given by the Controller must cover the country to which the personal data shall be transferred or accessed from. For transfer to or access from third countries for personal data it is required that the appropriate safeguards, including regarding the rights of data subjects, are complied with.
In continuation of the above, and subject to this Clause 5 last paragraph, the EU’s Standard Contractual Clauses approved by the European Commission implementing Decision (EU) 2021/914 of 4 June 2021, will apply to personal data that is transferred on other grounds than contract/consent, either directly or via onward transfer, to any non-EU third country, (each a “Data Transfer”).
When Customer is acting as a Controller, the EU’s mandatory Controller-to-Processor Clauses set out in the Standard Contractual Clauses (see “Standard Contractual Clauses (SCC)” and “Standard contractual clauses for international transfers”, europa.eu) will apply to the Data Transfer.
When Customer is acting as a Processor, the EU’s mandatory Processor-to-Controller Clauses set out in the Standard Contractual Clauses (see “Standard Contractual Clauses (SCC)” and “Standard contractual clauses for international transfers”, europa.eu) will apply to the Data Transfer.
The EU’s Standard Contractual Clauses will not apply to a Data Transfer if an alternative recognised compliance standard for lawful Data Transfers exists.
6. TERM. INSTRUCTION TO STOP THE PROCESSING. EFFECT ON TERMINATION
This Data Processing Agreement shall be effective and stay in force as long as the Processor (and its sub-processors) processes personal data on behalf of the Controller in the context of the Main Agreement.
Upon breach of this Data Processing Agreement, of instructions given by the Controller or of the Personal Data Regulation, the Controller may instruct the Processor to stop the processing of the personal data with immediate effect.
Upon termination of this Data Processing Agreement, regardless of reason, the Processor (and its sub-processors) shall delete or return any or all personal data to the Controller, subject to the Controller’s instructions, in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of such data and delete all copies of those personal data.
The Controller shall receive a written confirmation from the Processor that all personal data has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, print out or any other representation of such data on any medium.
7. OTHER DUTIES AND RIGHTS
Other duties and rights between the parties may be subject to the Main Agreement or other agreements between the Controller and the Processor, inclusive of any limitation of liability.
If the Main Agreement is transferred, this Agreement shall be transferred accordingly.
This Data Processor Agreement shall be governed by and construed in accordance with the laws of and legal venue as set out in the Main Agreement. In case the laws of and legal venue set out in the Main Agreement are set to a country outside EU/EEA/UK, then the parties agree to the mandatory laws of Norway with Oslo as legal venue to apply to any conflict or interpretations relating to this Data Processor Agreement.
The nature and purpose of the processing of personal data
- Providing services under the Main Agreement for the Customer.
The duration of the processing of personal data
- The personal data shall be processed for as long as the Services are provided under the Main Agreement.
Subject matter of the processing of personal data
- The subject matter of the processing is to process personal data as part of providing Services to the Customer.
The types of personal data to be processed.
- Students’ contact information collected via one of Virtual Days’s websites and other information provided by the Customer into Virtual Days’s system.
The categories of data subjects to whom the personal data relates.
- Students, potential students, and other persons interested in the Customer’s study offerings.
The obligations and rights of the Controller
- The obligations and rights of the Controller are set out in the Agreement and this Appendix.
All sub-processors used by the Processors are required to process data in accordance with the applicable Personal Data Regulation, and according to this Data Processing Agreement. The Processor warrants that it will keep a list of all its sub-processors and their country of processing and shall make such list immediately available upon Controller’s request. The Processor’s present sub-processors as of the date of this Data Processing Agreement are approved by the Controller.
Virtual Days AB, SE559312205301, Jungfrugatan 6, 114 44 Stockholm, firstname.lastname@example.org