Data Processing Agreement
Between
The Controller: Client name: Org nr.: Address:
And
The Processor: Experience.live AS Org nr: 925 977 659 Økernveien 68, Oslo, Norway
Background of the Data Processing Agreement
This agreement outlines the rights and obligations applicable when the processor handles personal data on behalf of the controller. The agreement is designed to ensure compliance with Article 28(2) and (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Data Protection Regulation), which sets specific requirements for the content of a data processing agreement. The processor processes personal data in order to carry out ongoing maintenance and development tasks on the controller's solution and the application itself.
The data processing agreement and the agreement to perform ongoing maintenance and development tasks on the controller's solution/application are interdependent and cannot be terminated separately. The processor's Appendix A includes details on the processing, including the purpose and nature of the processing, the types of personal data, the categories of data subjects, and the duration of the processing.
The processor's Appendix B contains the processor's terms for using subcontractors, as well as a list of subcontractors approved by the controller. The processor's Appendix C contains detailed instructions for the processing carried out by the processor on behalf of the controller (subject of the processing), the minimum security measures to be complied with, and how the processor and any subprocessors will be monitored. The data processing agreement and its appendices shall be kept in writing and/or electronically by both parties. This data processing agreement does not relieve the processor of obligations that are imposed on the processor directly by the data protection law or other legislation.
Controller's Obligations and Rights
The controller is responsible for the processing of personal data within the framework of the data protection law. The controller therefore has both the right and the duty to make decisions about the purposes and means of the processing. The controller is responsible, among other things, for ensuring that there is a lawful basis for the processing that the processor is instructed to carry out.
Processor Acts According to Instructions
The processor may only process personal data following documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject; in that case, the processor shall inform the controller of this legal requirement before processing, unless such notification is prohibited on important grounds of public interest, as per Article 28(3)(a).
The processor shall immediately inform the controller if an instruction, in the processor's opinion, is in violation of the Data Protection Regulation or other data protection provisions of EU legislation or national legislation.
Confidentiality
The processor ensures that only currently authorized persons have access to the personal data being processed on behalf of the controller. Access to the data must therefore be immediately closed if the authorization is revoked or expired.
Only persons who need access to the personal data in order to fulfill the processor's obligations towards the controller may be authorized.
The processor ensures that persons authorized to process personal data on behalf of the controller have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy.
Upon request from the controller, the processor shall be able to document that the relevant employees are subject to the above-mentioned confidentiality obligation.
Processing Security
The controller shall, in consultation with the processor, ensure that the measures required under Article 32 are implemented. This includes that the controller, in consultation with the processor, must conduct a risk assessment and then take measures to address the identified risks.
These measures may include, among others:
- Pseudonymization and encryption of personal data
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
- A procedure for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing
Based on the above, the processor must - in all cases - implement the security level and the measures specified in Appendix C to this agreement.
Use of Subprocessors
The processor shall comply with the conditions set out in Article 28(2) and (4).
The processor may not use another processor (subcontractors) to fulfill the data processing agreement without prior approval from the controller. The processor shall notify the controller of planned changes concerning the addition or replacement of subprocessors, thereby giving the controller the opportunity to object to such changes. The processor's terms and conditions for the use of subprocessors are found in Appendix B to this agreement. The processor's approved subprocessors are listed in Appendix B to this agreement. When the processor has authorization to use a subprocessor, the processor shall ensure that the subprocessor carries out the necessary technical and organizational measures in such a way that the processing meets the requirements of the Data Protection Regulation. The processor shall impose on any subprocessor the obligations to which the processor is subject under the data protection rules and this data processing agreement with the appendices.
Assistance for the Controller
The processor shall, as far as possible, assist the controller with appropriate technical and organizational measures, considering the nature of the processing. This involves the processor assisting the controller, as far as possible, in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights, including:
- The duty to inform when collecting personal data from the data subject
- The duty to inform if personal data has not been obtained from the data subject
- The data subject's right of access
- The right to rectification
- The right to erasure ("right to be forgotten")
- The right to restriction of processing
- The notification obligation in connection with rectification or erasure of personal data or restriction of processing
- The right to data portability
- The right to object
The processor shall assist the controller in ensuring compliance with the controller's obligations under Articles 32-36 of the Data Protection Regulation, taking into account the nature of the processing and the information available to the processor, as per Article 28(3)(f). This means that the processor, considering the nature of the processing, must help the controller with:
- Implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing. Such measures are estimated and implemented as separate projects and will not be developed before approval by the controller.
- Reporting personal data breaches to the Supervisory Authority (Data Protection Authority) without undue delay and, where feasible, within 72 hours after the controller has become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Notifying the data subject without undue delay about a personal data breach, when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
- Conducting a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
- Consulting the Supervisory Authority (Data Protection Authority) prior to processing, if a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Notification of Breach of Personal Data Security
The processor shall inform the controller without undue delay after having become aware that a personal data breach has occurred at the processor or any subprocessor. The processor's notification to the controller should, where feasible, occur no later than 48 hours after the processor has become aware of the breach, so that the controller is able to fulfill its obligation to report the breach to the Supervisory Authority within 72 hours. In accordance with the section "Assistance for the Controller" above, the processor shall assist the controller in assessing the breach and the personal data affected by it. This may mean that the processor should assist in providing the following information, described in Article 33(3) of the Data Protection Regulation, which should be included in the controller's notification to the Supervisory Authority:
- The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- The likely consequences of the personal data breach.
- The measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Deletion and Return of Data
Upon termination of the processing services, the processor is obliged to delete or return all personal data to the controller, and to delete existing copies, unless Union or Member State law requires storage of the personal data.
Audit
The processor shall provide all information necessary to demonstrate that data are processed in accordance with this agreement and Article 28 of the Data Protection Regulation, and contribute to audits carried out by the controller or another auditor appointed by the controller.
Entry into Force and Termination
This agreement comes into force when both parties have signed.
Either party may request renegotiation of the agreement if changes in the law or inconsistencies in the agreement give reason for this.
Contact Persons
The parties have the following contact persons / contact points:
Date:
On behalf of the processor Experience.live Name: Position: Phone number: Email:
Signature:
On behalf of the controller
For the client: Name: Position: Phone number: Email:
Signature:
------------------------------------------------
Appendix A: Information about the Processing
The purpose of the processor's processing of personal data on behalf of the controller is:
- to register members and guests for access to the facilities, including the facilities' other services
- to receive payment from members/guests
- to identify the member/guest in order to prevent misuse
- to allow the user to log in to their personal account
- to provide a good, personal user experience based on user preferences and collected data
The processor may use OCPX, which is owned and managed by the processor, to collect and process information about the controller's users.
The processor stores personal data on OC Cloud servers. The processing includes the following types of personal data about the data subjects: first name, last name, email address, mobile number, date of birth, main language, main facility to use, profile picture, height.
The processing includes the following categories of data subjects: persons who are added by the controller or who have added themselves through registration.
The processing has the following duration: The processor's processing of personal data on behalf of the controller may be initiated after the agreement's entry into force. The processing is not time-limited and lasts until the agreement is terminated by one of the parties.
Appendix B: Conditions for the Processor's Use of Subcontractors and List of Subcontractors
Conditions for the Processor's Use of Subcontractors:
The processor may only use a subcontractor after prior approval from the controller. The processor's request must be submitted to the controller at least one week before the addition or change of a subcontractor takes effect. The controller may only refuse approval if the controller has reasonable, concrete grounds for doing so.
Approved Subcontractors:
At the entry into force of the data processing agreement, the controller has approved the use of the following subcontractors for specified tasks:
Name | Description | Responsible
--- | --- | ---
Teletopia | SMS sendouts | Experience.live
Mailgun | Mail sendouts | Experience.live
Google Cloud | Server setup | Experience.live
Firebase | Push notifications | Experience.live
Google BigQuery | Statistics | Experience.live
Google Analytics | Analytics | Experience.live
Datadog | Server monitoring, optimization | Experience.live
Grafana | Server monitoring | Experience.live
Google | Authentication | Experience.live
NetsEasy | Payment solution | Experience.live / Client
Mnemonic | Security tests | Experience.live / Client
Apple | App distributor, authentication, and TestFlight | Experience.live
Google Play Store | App distributor | Experience.live
Facebook | Authentication | Experience.live
Appendix C: Instructions for the Processing of Personal Data
Element of Processing / Instruction: The processor's processing of personal data on behalf of the controller is carried out by the processor performing the following:
- Ensure user registration in the app
- Verify that the user belongs to the correct ticket and membership category
- Ensure that the user can log in to their personal account
- Provide a personal and tailored user experience, based on user preferences, navigation, and data collection
- Ensure that the user can book/purchase access to the facilities
- Ensure that the user gets the right size of equipment
Processing Security:
The processor is entitled and obliged to make decisions about the technical and organizational security measures to be used to create the necessary (and agreed) security level around the information.
Storage Period / Deletion Routine:
Personal data is stored at the processor until the controller requests that the data be deleted or returned.
Location for Processing:
The processing of personal data under this agreement may not be carried out at locations other than the following without the controller's prior written consent:
- Google Cloud - Saint-Ghislain, Belgium 50°28′09.6″N 3°51′55.7″E
Last edited: May 10th, 2024