The Customer consenting to these terms (“Customer” or “Data Controller”) and the entity responsible for providing JCloud in your region or country (or any entities owned by JCloud) (“JCloud” or “Data Processor”) have entered into this Data Processor Agreement (DPA) (“Agreement”). This Agreement will replace any previously applicable data processor agreements or terms previously applicable to privacy, data processing and/or data security.
1. Background
This Agreement shall provide for the processing of personal data in
accordance with the regulation under the EC Directive 95/46/EC of the
European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data
and on the free movement of such data implemented into Norwegian
legislation in the Personal Data Act of 14 April 2000 no. 31 with
regulation, and in accordance with the EU Regulation 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation) and any new Norwegian
legislation which replaces the Personal Data Act with regulations which
implement the General Data Protection Regulation (jointly called
“Personal Data Regulation” in the following).
2. Purpose of this Agreement
This Agreement governs the Data Processor’s processing of the Personal
Data on behalf of the Data Controller to perform its Services under the
Services Agreement. The Data Processor shall process the Personal Data
only for the approved purpose and in accordance with applicable laws,
this Agreement and the functionalities in the services provided.
The purpose of the processing, duration of processing, type of
processing and types of personal data to be processed are covered in this
Agreement, which ensures that personal data is processed in accordance with
the requirements of the Data Protection Regulation. The Data Processor
shall process personal data in the manner described in this Agreement.
3. Personal data to be processed
If nothing else is agreed upon, the Data Processor will process personal data as described in the Privacy Policy and Security Policy.
4. Data Processor rights and duties
The Data Processor confirms that it will implement appropriate technical
and organizational measures that ensure that all processing under this
Agreement meets the requirements of the Personal Data Regulation and
ensure the protection of the rights of the data subject. The Data
Processor shall only process the personal data under the instructions
given by the Data Controller. The Data Processor shall be able to
document such instructions if requested. The Data Processor shall not
process the personal data in any other way than instructed or necessary
to provide the services or undertake the obligations requested by the
Data Controller.
Access to personal data
The Data Processor will not access any other personal data than what is
necessary to perform its tasks as a Data Processor. The Data Processor
may give the Data Processor limited permission to access data for
support purposes, but not without consent. The Data Processor shall not
use personal data for any other purposes than the ones that are listed in
the Privacy Policy.
Secrecy
The Data Processor and its subcontractors have a duty of confidentiality
regarding personal data that they have access to as a result of the
Agreement and processing of personal data, and shall ensure that persons
authorized to process the personal data have committed themselves to
processing the information confidentially or subject to an appropriate
statutory duty of confidentiality. This provision also applies one (1)
year after the termination of the Agreement, if the content of the
information has not been publicly known within this period. The Data
Controller is responsible for updating and correcting personal data
that is wrongfully registered. The Data Processor shall not disclose any
information or information it processes to any third party without
informing the Data Controller. The Data Processor shall pass on inquiries
for such information that it receives to the Data Controller as
soon as possible. Any requests with regard to the personal data or the
processing from third parties or the data subject shall be forwarded to
the Data Controller without undue delay if not otherwise agreed in this
Agreement or by instruction by the Data Controller. If the Data
Processor is of the opinion that an instruction by the Data Controller
infringes the Personal Data Regulation, the Data Processor shall
immediately inform the Controller. The Data Processor is however
obligated to perform its duties under this Agreement and any
instructions by the Data Controller regardless of its opinion on
infringement.
5. Data Controller’s rights and duties
The Data Controller determines the purposes of the processing of
personal data and has the rights described in the Privacy Policy.
The Data Controller retains the formal control of and all ownership and
rights to the personal data. The Data Processor shall have no rights in
or to the personal data other than the non-exclusive, revocable and
time limited right to process the personal data for the approved
purpose. The Data Controller may in its sole discretion withdraw
consent(s) given relating to the use of the Service. In such event the
Data Controller will provide an explanation to Data Processor setting
out the reason behind the withdrawal. The Data Processor cannot
guarantee that the Data Processor’s Service will function without these
approvals. Any dysfunctions in the Data Processor’s Service as a result of
withdrawn approval do not affect the term of the Agreement.
6. Use of API and third parties
The Data Processor is not responsible for personal data processed by third
parties through the Data Processor’s API. It is the Data Controller’s
obligation to read and accept any terms or consents made available from
any third party.
7. Security and notifications
The Data Processor shall implement and use technical and organizational
security measures in such a way that processing will meet the
requirements of the Personal Data Regulation and are appropriate to prevent
the harm which might result from any unauthorized or unlawful
processing, loss, destruction, damage, alteration to or disclosure of
the Personal Data and having regard to the nature of the Personal Data
which is to be protected. The Data Processor shall comply with the
requirements to security given in the Personal Data Regulation. The Data
Processor shall provide documentation of technical and organizational
measures implemented to ensure the security of the personal data upon
the request of the Data Controller. Security audits shall be performed
regularly by the Data Processor. Audits may comprise review of routines
and processes, inspections, tests, more comprehensive controls and other
relevant control activities. A summary of the audit may be available
for the Data Controller.
Notification of a Personal data breach
If the Data Processor becomes aware of any Personal Data Breach, the
Data Processor shall without undue delay, notify the Data Controller and
fully cooperate to remedy the issue as soon as reasonably practicable.
The notice shall at least contain the following information:
• description of the Personal Data Breach including summary of the incident that caused the Personal Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying);
• description of the likely consequences and potential risk that the Personal Data Breach may have towards the affected Data Subject(s);
• description of the measures proposed or taken by the Data Processor and/or the subcontractor, as applicable, to address the Personal Data Breach;
• description of any further information which may be relevant in relation to the Personal Data Breach or its mitigation, especially information which the Data Controller identified as relevant information earlier.
If not all information above may be given in the first notice, the information shall be provided as soon as possible.
Notice will be posted through the information center inside the Data Processor’s Service, or by mail or phone if the breach only affects individual Data Controllers. The Data Processor’s Technical Customer Service shall be available for expedient assistance to clarify and respond to any follow-up questions that the Data Controller may have.
Depending on the nature of the Personal Data Breach, the Data Controller may be obliged to make a report to the Data Protection Authority in the country in which it resides. The Data Processor does not have to make a report to any Data Protection Authority unless this is expressly required by applicable law or the Data Controller approved or instructed it to do so. The Data Processor shall, without undue delay, notify the Data Controller if it receives a request from any data protection authority or other governmental body requiring the Data Processor or any of its subcontractors to grant the data protection authority or other applicable governmental body access to Personal Data. Such notice shall, wherever possible and to the extent permitted by applicable laws, be given prior to any disclosure by the Data Processor. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes applicable laws.
8. Storage and transfer
Personal Data covered by this Agreement will only be stored at locations listed in the Privacy Statement. How long the data is stored and the terms for deletion of data are covered in the Privacy Statement. Personal
data shall only be transferred to third countries, i.e. countries
outside EU/EEA which ensure an adequate level of protection, upon
explicit agreement or instructions by the Data Controller. The Data
Processor shall not transfer or give access to the personal data to
persons in third countries without the explicit approval by the Data
Controller. The consent or instruction given by the Data Controller must
cover the country which the personal data shall be transferred to or
accessed from. For transfer to or access from third countries for
personal data, it is required that the appropriate safeguards, including
with regard to the rights of data subjects, are complied with.
9. Sub-processors
The Data Processor is hereby authorized by the Data Controller to use
any relevant approved sub-processor on Data Controller’s
behalf for the above mentioned purpose and for any relevant approved
territory. The processing of the Personal Data shall only take place in
technological environments controlled by the Data Processor and
approved subcontractors in the approved territory. The Data Processor
shall ensure that any processing of personal data by a subcontractor
complies with the requirements set out under this Agreement. This
includes verifying that the security measures implemented by a
subcontractor ensure at least the equivalent level of protection to that
required of the Data Processor under this Agreement. Any sub-processor
shall be informed of the Processor’s obligations under this Agreement and
the obligations under the Personal Data Regulation, and the
sub-processor shall be imposed the same obligations as the Processor set
forth in the Agreement in a written, binding agreement where in
particular the sub-processor is providing sufficient guarantees to
implement appropriate technical and organisational measures in such a
manner that the processing will meet the requirements of the Personal
Data Regulation. For details about approved territory, see the Privacy
Statement.
The following sub-processors are used
10. Term and Terminations
This Agreement shall be effective and stay in force as long as the
Processor (and its permitted sub-processors) processes personal data on
behalf of the Controller.
In case of breach of this Agreement, the Data Controller may instruct
the Data Processor to stop further processing of the information with
immediate effect. Upon termination of this Agreement, regardless of
reason, the Data Processor shall, at the discretion of the Data
Controller, delete or return all Personal data to the Data Controller
after the services associated with the processing are delivered, and
delete existing copies, unless there is a legal requirement that the
Personal Data will continue to be stored.
Name:
Signature: ______________________________
Name:
Signature: ______________________________