Data processing agreement
This Data Processing Agreement is an addendum to our Service Agreement.
The Agreement is to ensure that no personal data goes astray or is used irregularly.
Data Processor is SUPREMEWP HOSTING, hereinafter referred to as «Provider».
Data Controller is the client, hereinafter referred to as «Client».
1. The purpose of the agreement
The purpose of the Data Processing Agreement is to regulate rights and obligations according to the legal basis:
- Law of 14th of April 2000 no. 31 on the processing of personal data, hereinafter referred to as «Personal Data Act».
- Regulations of 15th of December 2000 no. 1265, hereinafter referred to as «Personal Data Regulations».
- Regulations 2016/679/EC (General Data Protection Regulation), hereinafter referred to as «Privacy Regulations».
Hereinafter, the «Personal Data Act», the «Personal Data Regulations» and the «Privacy Regulations» will together be referred to as the legal basis.
The agreement will ensure that registered personal data is not used without justification or acquired by an unauthorized party.
The agreement regulates Provider's use of personal data on behalf of the Client, including collection, registration, assembly, storage, disclosure or any combination of these, associated with delivery of ISP-services, including operation and administration of domain names, virtual servers, hosting and e-mail services (hereinafter referred to as «ISP-services»).
The Provider is to follow the written instructions in this agreement for management of personal data, as agreed to by the Client.
The Provider is committed to complying with all obligations and laws according to the legal basis applicable when Provider's services are used for processing personal data.
If disclosure of personal data is required according to Union law or Member State national law to which Provider is subject, Provider will notify Client of the mentioned legal demands before the disclosure of personal data, unless that law forbids such notification out of consideration for important community interest.
The purpose of Provider's management of personal data on behalf of Client is to deliver and administer Provider's ISP-services to Client.
The Provider can only process Client personal data to the extent necessary to implement and accommodate the requirements in the Service Agreement, which is at any time available at the following address:
The Provider does not have independent sovereignty over personal data and cannot process it for its own purposes, except for quality assurance and statistical analysis of the usage of Provider's services.
The Provider can only transfer personal data covered by this agreement to a partner or other third party, cf. section 10 of this agreement.
4. Data types and registered persons
The Client is responsible for maintaining an overview of which personal data Provider processes for the Client, including the registered persons affected.
Personal data processed on behalf of Client when delivering and administering Provider's ISP-services can be name, birth date, addresses, phone numbers, e-mail addresses, IP-addresses, username, password, cookies, client numbers, social security number or other national identity numbers, credit card number, purchase history, log files or any other information, defined by Client, that can be used singly or together with other information to identify a natural person.
The registered persons whose personal data Provider processes when delivering and administering Provider's ISP-services can be clients, providers, employees, students, visitors, members, participants or any other group of natural persons, defined by Client.
5. Rights of registered persons
The Provider is obligated to assist Client in safeguarding the rights of registered persons, cf. legal basis.
The rights of registered persons include the right to information on how their personal data is processed, the right to claim access to their own personal data, the right to demand correction or deletion of personal data and the right to demand limited processing of personal data.
To the extent it is relevant, Provider will assist Client in safeguarding the registered persons' right to data portability and right to refuse automated decisions, including profiling.
If Provider receives fees from a third party due to safeguarding the rights of registered persons, Provider can invoice Client for these fees, provided Provider gives notice of the fees in advance.
6. Satisfactory information security
The Provider will implement satisfactory technical, physical and organizational security measures to protect personal data included in this agreement against unauthorized or illegal access, changes, deletion, damage, loss or unavailability.
The Provider will document its own security organization, guidelines and routines for security work, risk assessments and established technical, physical or organizational security measures.
The Provider will establish continuity and preparedness plans for efficient handling of major security incidents.
The Provider will give employees sufficient information and training on information security to ensure that the security of personal data processed on behalf of Client is safeguarded.
The Provider will document the training of employees on information security.
Documentation associated with technical and organizational measures is attached as appendix 1 in this agreement. When Client accepts this agreement, these are the measures that will be the foundation for the agreement.
The technical and organizational measures can be adjusted by Provider according to technological development. The level of security for the specified measures cannot be reduced as a result of this. Significant changes must be documented.
Employees and hired staff of Provider who have an official need for access to personal data managed on behalf of Client can be granted access.
Provider's staff and hired personnel are bound by confidentiality regarding documentation and personal data accessed through the service. Confidentiality also applies after the contract expires. Confidentiality also applies to subcontractors.
8. Access to security documentation
The Provider is obligated to provide Client access to all security documentation necessary for Client to safeguard their commitments according to the legal basis.
The Provider is obligated to provide Client access to other relevant documentation enabling Client to assess whether Provider complies with the terms of this agreement.
Client's employees are bound by confidentiality regarding security documentation that Provider makes accessible to Client.
9. Obligation of notification upon security breach
The Provider will immediately inform Client if personal data managed on behalf of Client is exposed to a security breach that poses a risk of violating the privacy of the registered persons.
Notification to Client will, at a minimum, contain information describing the security breach, which registered persons are affected by the security breach, which personal data is affected by the security breach, which security measures have been put in place to handle the security breach and which preventative measures have been established to prevent similar future incidents.
The Client is responsible for ensuring that notifications from Provider regarding security breaches are forwarded to Datatilsynet, unless Provider considers it appropriate that Provider notifies Datatilsynet.
A subcontractor is referred to in this agreement as a party performing processing of personal data directly related to this agreement. The term does not include additional services such as communication services, payment services, postal and transport services, maintenance and support services, as well as other measures to ensure confidentiality, accessibility and integrity of hardware and software of data processing systems.
Client accepts Provider's need to use subcontractors for delivery of ISP-services and processing of personal data, provided that they treat personal data according to this agreement.
The Provider will, at Client's request, provide a copy of the agreement(s) made with the subcontractor(s).
The Provider will at all times keep a list of subcontractors, as well as which personal data and services each subcontractor uses for data processing, available and updated in appendix 2 of this agreement.
The Provider cannot hire or use subcontractors other than the ones mentioned in appendix 2. The Provider is obligated to update the appendix no later than 30 days before a subcontractor starts processing personal data.
In the event Client opposes the use of a new subcontractor, Provider must be notified immediately. The Client can notify Provider of termination of contract immediately. Any payment for current term(s) will be refunded. Should Client want to continue the contract, Client must approve the subcontractors or not order services where a subcontractor is used.
11. Transfer to countries outside EU/EEA
Personal data Provider manages according to this agreement can be transferred to a country outside the EU/EEA if it is necessary in order to deliver the services according to the Service Agreement, provided that either (a) such a transfer is legal according to the legal basis or (b) Client has obtained the necessary acceptance from the affected registered persons.
If disclosure of personal data is required according to Union law or Member State national law to which Provider is subject, Provider will notify Client of the mentioned legal requirements before processing, unless that law forbids such notification out of consideration for important community interest.
12. Security and consequence audits
The Client may exercise their right to audit Provider through an independent third party bound by confidentiality (cf. section 7) to verify that security requirements are being followed and that unauthorized usage of personal data does not happen, as well as other related issues.
Such an audit can be demanded once per year or as a result of an incident with substantial claims of personal data abuse.
The Provider will contribute the necessary follow-up so that such an audit can be carried out.
Any findings resulting from the audit should be evaluated by Provider, and measures implemented after Provider's own check.
All costs resulting from such an audit will be charged to the Client. This includes any cost to third parties, costs Provider incurs for hours spent, material costs and other costs resulting from the audit.
The Provider will assist Client if use of the services obliges Client to examine the privacy consequences before starting to use the services, cf. legal basis. The Provider can assist Client in implementing privacy-promoting measures if the impact assessment deems it necessary.
Upon termination of the agreement, Provider is obligated to return all personal data received on behalf of Client and covered by the agreement. Personal data is returned in a standardized format via Provider's client portal. Data export beyond what is possible through Provider's client portal will be billed to Client and invoiced according to hours spent at current hourly rates.
Client accepts that Provider will delete all data upon termination, including any backups, after the final term has expired, and that all data will be deleted according to the guidelines and procedures Provider determines.
Upon request from Client, the Provider will confirm in writing, or provide documentation, that deletion has been performed after the agreement has been terminated. Any cost for destruction and documentation will be covered by the Client.
The Provider will not be held accountable for any loss of data due to the Client's failure to perform data export before the expiry date for the service(s).
14. Duration of agreement
The agreement is valid when the Client accepts the Service Agreement (of which this agreement is a part) by checking the box “I have read and agree to the website terms and conditions” and is valid as long as Provider processes personal data on behalf of Client for this Service Agreement. Should the terms of this agreement be breached due to error or neglect by Provider, the Client has the right to terminate the agreement effective immediately. The Provider will still be obligated to follow the terms under section 13.
The Provider will send all notifications according to this agreement via written communication to the provided client contact. The Client must send written notifications to firstname.lastname@example.org.
16. Governing Law and Jurisdiction
The agreement is subject to Norwegian law and the parties accept Oslo District Court as the jurisdiction. This also applies after termination of the agreement.