Supply Platform Data Processing Terms
Data Processing Terms
The Processor and the Subprocessor are hereinafter jointly referred to as the “parties” and individually as the “party”.
The terms used in the DPT shall have the meanings set forth in the DPT. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect. Except where the context requires otherwise, references in the DPT to the Principal Agreement are to the Principal Agreement as amended by, and including, the DPT.
The Subprocessor and the Processor therefore wish to enter into a contract in accordance with the provisions of these DPT. Agreement
In these DPT, except to the extent expressly provided otherwise:
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Processor Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679);
"Effective Date" means the date upon which the Principal Agreement comes into force;
"Personal Data" has the meaning given to it in the Data Protection Laws applicable in Norway from time to time;
"Processor Personal Data" means any Personal Data that is processed by the Subprocessor on behalf of the Processor under or in relation to these DPT; and
"Services" means the services and other activities to be supplied to or carried out by or on behalf of the Subprocessor for the Processor pursuant to the Principal Agreement.
These DPT shall continue in force until the termination or expiry of the Principal Agreement.
3. Data protection
3.1 The Subprocessor shall comply with the Data Protection Laws with respect to the processing of the Processor Personal Data.
3.2 The Processor warrants to the Subprocessor that it has the legal right to disclose all Personal Data that it does in fact disclose to the Subprocessor under or in connection with these DPT.
3.3 The Processor shall only supply to the Subprocessor, and the Subprocessor shall only process, in each case under or in relation to these DPT, the Personal Data of data subjects falling within the categories specified in Paragraph E of Exhibit 1 (Data processing information) and of the types specified in Paragraph D of Exhibit 1 (Data processing information); and the Subprocessor shall only process the Processor Personal Data for the purposes specified in Paragraph C of Exhibit 1 (Data processing information).
3.4 The Subprocessor shall only process the Processor Personal Data during the Term and for not more than 30 days following the end of the Term, subject to the other provisions of this Clause 3.
3.5 The Subprocessor shall only process the Processor Personal Data on the documented instructions of the Processor (including with regard to transfers of the Processor Personal Data to any place outside the European Economic Area), as set out in these DPT or any other document agreed by the parties in writing.
3.6 The Subprocessor shall promptly inform the Processor if, in the opinion of the Subprocessor, an instruction of the Processor relating to the processing of the Processor Personal Data infringes the Data Protection Laws.
3.7 Notwithstanding any other provision of these DPT, the Subprocessor may process the Processor Personal Data if and to the extent that the Subprocessor is required to do so by applicable law. In such a case, the Subprocessor shall inform the Processor of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.8 The Subprocessor shall ensure that persons authorised to process the Processor Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.9 The Subprocessor and the Processor shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Processor Personal Data.
3.10 The Processor hereby grants a general authorization to the Subprocessor to appoint other third party processors. The Subprocessor shall ensure that each third party processor is subject to equivalent legal obligations as those imposed on the Subprocessor by this Clause 3.
3.11 The Subprocessor may continue to use any third party processors already engaged by the Subprocessor as at the date of incorporation of the DPT into the Principal Agreement.
3.12 The Subprocessor shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Processor with the fulfilment of the Processor's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws.
3.13 The Subprocessor shall assist the Processor in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. The Subprocessor shall report any Personal Data breach relating to the Processor Personal Data to the Processor within 24 hours following the Subprocessor becoming aware of the breach.
3.14 The Subprocessor shall make available to the Processor all information necessary to demonstrate the compliance of the Subprocessor with its obligations under this Clause 3 and the Data Protection Laws.
3.15 The Subprocessor shall, at the choice of the Processor, delete or return all of the Processor Personal Data to the Processor after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.
3.16 The Subprocessor shall allow for and contribute to audits, including inspections, conducted by the Processor or another auditor mandated by the Processor in respect of the compliance of the Subprocessor's processing of Processor Personal Data with the Data Protection Laws and this Clause 3.
3.17 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under these DPT, then the parties shall use their best endeavours promptly to agree such variations to these DPT as may be necessary to remedy such non-compliance.
4.1 The parties to the DPT hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under the DPT, including disputes regarding its existence, validity or termination or the consequences of its nullity.
4.2 The DPT and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
4.3 Nothing in the DPT reduces the Subprocessor’s obligations under the Principal Agreement in relation to the protection of Processor Personal Data or permits the Subprocessor to process (or permit the processing of) Processor Personal Data in a manner which is prohibited by the Principal Agreement.
4.4 Subject to section 4.3, with regard to the subject matter of the DPT, in the event of inconsistencies between the provisions of the DPT and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of the DPT, the provisions of the DPT shall prevail.
4.5 The Processor may propose any variations to the DPT which the the Processor reasonably considers to be necessary to address the requirements of any Data Protection Law.
4.6 If the Processor gives notice under section 4.5, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the Processor's notice as soon as is reasonably practicable.
4.7 Should any provision of the DPT be invalid or unenforceable, then the remainder of the DPT shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
EXHIBIT 1: Date Processing Information
Subject-matter and nature of the processing. The subject-matter of processing of Processor Personal Data by the Subprocessor is the provision of the Services that involves the processing of Processor Personal Data. Processor Personal Data will be subject to those processing activities as may be specified in the Principal Agreement.
B. Duration of the processing. Processor Personal Data will be processed for the duration of the Principal Agreement.
C. Purpose of the processing. Processor Personal Data will be processed for purposes of providing the Services set out and otherwise agreed to in the Principal Agreement.
D. Types of Personal Data. Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers, client identifiers.
E. Categories of data subjects. Processor Personal Data will concern the following categories of data subjects:
(i) Data subjects about whom the Subprocessor collects Personal Data in its provision of the Services; and/or
(ii) Data subjects about whom Personal Data is transferred to the Subprocessor in connection with the Services by, at the direction of, or on behalf of the Processor.
Depending on the nature of the Services, these data subjects may include individuals: (a) to whom online advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which the Subprocessor provides the Services; and/or (c) who are customers or users of the Processor’s products or services.