GDPR Data Processing Agreement

ADDENDUM: DATA PROCESSING AGREEMENT

1.     GENERAL

1.1        This Data Processing Agreement is part of the agreement between Norce and the Customer (“Agreement”). Norce will process Personal Data on behalf of the Customer as the Customer's data processor. The Customer is the data controller for the processing of the Personal Data. If any other party is a data controller in conjunction with the Customer regarding the relevant Personal Data, the Customer must inform Norce of this.

1.2        The purpose of this Data Processing Agreement is to comply with applicable Data Protection Regulations and to ensure adequate protection of personal privacy.

2.    DEFINITIONS

"Processing": Any operation or series of operations performed on Personal Data, whether automated or not.
"Data Protection Regulations": Any applicable law or regulation governing the Processing of Personal Data, including but not limited to the Personal Data Act (1998:204) and from May 25, 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which replaces the Personal Data Act (1998:204); as well as binding decisions and regulations from the Supervisory Authority and additional local adaptation and regulation concerning data protection.
"Customer": The contractual party according to the Master Agreement to which this appendix belongs.
"Personal Data": Information that can be directly or indirectly attributed to a living individual that Norce processes on behalf of the Customer under this Data Processing Agreement.
"Data Subject": The individual to whom the Personal Data relates.
"Supervisory Authority": The relevant supervisory authority according to Data Protection Regulations, e.g., the Data Inspection Authority.
"Effective Date": The day the GDPR comes into force, i.e., May 25, 2018.
"Sub-processor": A party that processes Personal Data as a subcontractor for Norce.

 

3.    RESPONSIBILITY AND INSTRUCTIONS

3.1       The Customer is the data controller for the Personal Data processed by Norce on the Customer's behalf under the Agreement. The Customer is responsible for ensuring compliance with the applicable Data Protection Regulations and must inform Norce in writing about the content of the Data Protection Regulations relevant for Norce to execute the Processing. Norce agrees to comply with the requirements of the Data Protection Regulations as provided in writing by the Customer.

3.2       Norce and any persons working under Norce's direction shall only process Personal Data in accordance with the Customer's documented instructions and not for any other purposes than those for which Norce has been engaged. The relevant instructions at the time of entering into the Agreement are outlined in Appendix 1 (Instructions for Handling Personal Data). In addition to the specific instructions in Appendix 1, this Data Processing Agreement and the Agreement shall be considered as the Customer's instructions to Norce regarding the Processing of Personal Data. The Customer must promptly inform Norce of any changes affecting Norce's obligations under the Data Processing Agreement. The Customer must also inform Norce of actions taken by third parties, including the Supervisory Authority and Data Subjects, regarding the Processing.

3.3       From the Effective Date, Processing may also occur if such Processing is required by EU law or the national law of a member state that Norce or a Sub-processor is subject to.

3.4       Norce has the right to process data originating from the Customer in any form in an aggregated or anonymized format during the validity of the Data Processing Agreement and thereafter.

4.    SECURITY, ETC.

4.1       Norce shall implement the technical and organizational measures required by Data Protection Regulations to ensure an appropriate level of security to protect the Personal Data being processed against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

4.2       From the Effective Date, Norce shall assist the Customer in ensuring compliance with the obligations under Articles 32-36 of the GDPR, taking into account the type of Processing and the information available to Norce.

5.    DISCLOSURE OF PERSONAL DATA AND INFORMATION, ETC.

5.1       If Norce receives a request for access to data that Norce processes on behalf of the Customer, Norce shall forward the request to the Customer. Norce, or anyone working under Norce's direction, may not disclose Personal Data or other information regarding the processing of Personal Data without explicit instructions from the Customer, unless such obligation exists under applicable Data Protection legislation.

5.2       From the Effective Date, Norce shall assist the Customer, to the extent possible through appropriate technical and organizational measures, so that the Customer can fulfill its obligation to respond to requests from the Data Subject when exercising their rights under Data Protection legislation.

5.3       Norce shall inform the Customer of any contacts from the Supervisory Authority concerning the processing of Personal Data. Norce does not have the right to represent the Customer or act on behalf of the Customer in dealings with the Supervisory Authority.

6.    SUBPROCESSORS

6.1       Personal Data may be processed by a Subprocessor if Norce enters into a written agreement on behalf of the Customer, which imposes equivalent obligations on the Subprocessor as those imposed on Norce under this Data Processing Agreement.

6.2       From the Effective Date, Norce is specifically responsible for ensuring that the Subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of the Data Protection Regulation.

6.3       At the Customer's request, Norce shall inform the Customer of which Subprocessors have been engaged by Norce under this Data Processing Agreement and provide any further specified information regarding such Subprocessor's processing that the Customer may reasonably request under Data Protection legislation.

6.4       Norce undertakes to inform the Customer of any plans to engage new Subprocessors or replace existing ones. The Customer has the right to object to such changes. Such objections may only relate to objective grounds concerning the security of the processing under the Data Processing Agreement. If the Customer raises a justified objection and Norce does not agree to replace the relevant Subprocessor, Norce has the right to seek additional compensation from the Customer for the costs incurred due to the inability to use the current Subprocessor. Norce also has the right to terminate the Agreement and/or this Data Processing Agreement in whole or in part, for example regarding a specific additional service, with thirty (30) days' notice.

7.    RIGHT TO INSPECT

7.1        Effective from the Effective Date, Norce shall provide the Customer with access to all information necessary to demonstrate that the obligations arising from Article 28 of the Data Protection Regulation have been fulfilled within a reasonable time after such a request is made by the Customer to Norce.

8.    TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA

8.1       Norce may transfer Personal Data to third parties that are not Subprocessors on behalf of Norce to the extent such transfer is necessary for Norce's fulfillment of the assignments for which the Customer has engaged Norce. Such third parties that process Personal Data for their own account are independent data controllers and are responsible for this processing of personal data. The Customer may provide additional instructions regarding such transfers in Appendix 1.

8.2       Transfers of Personal Data by Norce or by a Subprocessor to a location outside the EEA may take place provided that the applicable requirements for such transfers under Data Protection legislation are met at all times.

8.3       From the Effective Date, Norce shall ensure that the Customer can fulfill any obligation to enable data portability concerning Personal Data that Norce processes on behalf of the Customer.

9.    CONFIDENTIALITY

9.1       If the Customer is subject to public access and confidentiality legislation, Norce shall comply with the provisions of such laws for confidential information. Norce shall ensure that persons authorized to process Personal Data have committed to maintaining confidentiality for such processing or are subject to appropriate statutory confidentiality obligations. This commitment does not apply to information that Norce is required to disclose to authorities or pursuant to Data Protection legislation or other statutory obligations.

9.2       The confidentiality obligation applies during the term of the Agreement and thereafter.

10. COMPENSATION AND LIABILITY

10.1      Norce shall be entitled to reasonable compensation for all work and all costs arising from the Client's instructions regarding the Processing that exceed the functions and security level provided by the standardized services, products, solutions, and systems that Norce typically offers its clients, such as those related to Norce's e-commerce platform and any requirements that necessitate Norce making custom adjustments on behalf of the Client.

10.2     If Norce, anyone working under Norce’s direction, or a Subprocessor engaged by Norce processes Personal Data in violation of this Data Processing Agreement or the lawful instructions provided by the Client, Norce shall, taking into account the limitations of liability set forth in the Agreement, compensate the Client for the direct damages incurred by the Client due to the improper Processing.

10.3     The Client shall indemnify Norce for all direct or indirect damages, including claims from Data Subjects, incurred by Norce due to violations of Data Protection Regulations resulting from unclear, inadequate, or unauthorized instructions from the Client, insufficient information from the Client regarding the categories of data being processed, or otherwise due to circumstances on the Client's side.

10.4     Norce's liability for claims and damages under this section 10 is contingent upon i) the Client promptly notifying Norce in writing of any claims made against the Client; and ii) the Client allowing Norce to control the defense of the claim and making decisions regarding any potential settlement.

11.  TERM AND TERMINATION

11.1       The Data Processing Agreement shall remain in effect as long as Norce processes Personal Data on behalf of the Client.

11.2      Upon the termination of the Agreement or the Data Processing Agreement (whichever occurs first), Norce shall delete the Personal Data that has come into its possession. If the Client requests it in writing at the time of termination, Norce shall instead return the Personal Data. Norce shall delete any copies unless storage of the Personal Data is required by applicable law.

12.  AMENDMENTS TO THE DATA PROCESSING AGREEMENT

12.1      If Data Protection Regulations change during the term of the Data Processing Agreement, or if a Supervisory Authority issues guidelines, decisions, or regulations regarding the application of Data Protection Regulations that mean this Data Processing Agreement does not meet the requirements for a data processing agreement, this Agreement shall be amended to comply with such new or additional requirements. Such amendments shall take effect no later than thirty (30) days after the Client has sent a notification of the amendments to Norce, or otherwise within such time period specified in the Data Protection Regulations, Supervisory Authority guidelines, decisions, or regulations. Norce shall be entitled to reasonable compensation for any work, costs, and expenses incurred as a result of such amendments.

12.2      Other amendments and additions to this Data Processing Agreement shall be made in writing to be binding.

13. MISCELLANEOUS

13.1      This Data Processing Agreement supersedes any previous data processing agreements between the Parties and takes precedence over the Agreement concerning the subject matter of this Data Processing Agreement, regardless of what is stated in the Agreement.

13.2      Swedish law shall apply to Norce's processing of Personal Data under this Data Processing Agreement. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Norce Master Agreement.


 APPENDIX 1: Instructions for handling personal data

To be outlined by Customer
