Data Processing Agreement

FOR USE INSIDE EU/EEA whose registered office is Thorvald Meyers Gate 7, 0555, Oslo, Norway and with company registration number 997901916 (“Data Owner”)
The Data Owner and the Data User are hereinafter referred to as a “Party” or the “Parties”.
  1. The Data User receives access to Personal Data for the Approved Purpose (as defined below under Section 2.1)
  2. The Parties have entered into a collaboration agreement whereby the Data Owner will provide a limited license to the Personal Data to Data User (the “Collaboration Agreement”) as defined below.
    The Parties wish to conclude this Data Processing Agreement (DPA) in order to formalize the terms and conditions applicable to the access and use of Personal Data. Each Party is an independent data controller of Personal Data.
  3. The purpose of this Data Processing Agreement (DPA) is to secure adequate safeguards with respect to the protection of privacy and to ensure that the use and processing of Personal Data comply with the Parties’ legal obligations.

1.1. In addition to this main body of the agreement, this DPA incorporates the following document:
Annex 1  Description of the Approved Purpose and Data Processing
1.2. In the event that any provision of this DPA is inconsistent with any term(s) of any other agreement concerning the Data Processing, this DPA shall prevail.

2.1. In this DPA the following terms shall have the following meanings:

"Approved Purpose"  the purpose and the reason for the processing and use of Personal Data identified in Annex 1.
"Data Owner"  the entity that collects, stores, and shares the Personal Data and acts as an independent data controller.
"Data User"  the entity that accesses or receives Personal Data from the Data Owner for the Approved Purpose in accordance with the terms of this DPA and the “Agreement”.
"Data Processing Agreement (DPA)"  this Data Processing Agreement – including any and all subsequent amendments thereto – comprising the terms and conditions in the main body of this document together with any other attachment or annexes expressly incorporated by reference.
"EEA" means the European Economic Area;
"Personal Data" any information relating to an identified or identifiable natural person (data subject) including any sensitive or special categories of data that is processed under or in connection with this Agreement;
"Personal Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Agreement Personal Data processed under this Agreement;
"(Data) Processing" any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction including also through remote access. References in this agreement to ‘process’ and ‘processed’ shall be construed accordingly;
"Technical Point of Contact" the Parties’ technical representatives identified in Annex 1.
The terms "controller", "data subject", "processing", "processor", "sensitive personal data" and "special categories of data" shall have the same meanings ascribed to them under the General Data Protection Regulation (EU) 2016/679 ("GDPR").
3.1. This DPA governs the data processing conducted by the Data Owner and the Data User. The Data User shall process the Personal Data only for the Approved Purpose and in accordance with applicable laws, this DPA, and the “Agreement”. Any processing or use of the Personal Data for any other purpose is strictly forbidden and will be considered a material breach of this DPA and the “Agreement”.
3.2 The Data Owner retains the formal control of, and all ownership of and rights to, the Personal Data. The Data User shall have no rights in or to Personal Data other than the non-exclusive, revocable, and time-limited right to access and process the Personal Data for the Approved Purpose.
The Data Owner warrants and undertakes that:
  1. The Personal Data will be collected, processed, and transferred in accordance with the laws applicable to the Data Owner.
  2. It will respond to inquiries from Data Subjects and the Authority concerning the data processing of the Personal Data by the Data User.
The Data User warrants and undertakes that:
  1. It will comply with the terms of this DPA and its regulatory obligations as a data controller under applicable laws. It understands that its processing of Personal Data entails that it is subject to the GDPR and that it will therefore comply with its rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  2. It will process and use the Personal Data only for the Approved Purpose defined in Annex 1 and has the legal authority to give the warranties and fulfill the undertakings set out in this DPA.
  3. It will identify to the Data Owner a contact point within its organization authorized to respond to inquiries concerning processing and use of Personal Data and will cooperate in good faith with the Data Owner, the data subject, and the authority concerning all such inquiries within a reasonable time.
  4. It will also process the Personal Data in accordance with the data processing as set forth in the GDPR; and
  5. It will assist the Data Owner in responding to inquiries from Data Subjects and the Authority concerning the data processing of the Personal Data by the Data User.

6.1 This DPA shall be governed by and interpreted in accordance with the laws of Norway. Any such dispute, controversy, or claim shall be exclusively resolved by Norwegian Courts.

7.1. In the event of a dispute or claim brought by a data subject or the authority concerning the processing or use of Personal Data against either or both of the Parties, the Parties will inform each other about any such dispute or claims, and will cooperate with a view to settling them amicably in a timely fashion.
7.2 The Parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the Authority. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution proceedings developed for data protection disputes.
This DPA comes into effect from and including 25 May 2018 and is valid until the “Agreement” expires or until this DPA is terminated or replaced by another data user agreement.
No amendment to this DPA shall be considered in effect unless it is made in writing and signed by duly authorized representatives of each of the Parties.
10.1 In the event that the Data User is in breach of its obligations under this DPA, then the Data Owner may temporarily suspend the access to or continued transfer of Personal Data to the Data User until the breach is repaired or remedied to the reasonable satisfaction of Data Owner.

10.2 In the event that:
i. the use of or processing of Personal Data by the Data User has been temporarily suspended by the Data Owner for more than one month pursuant to paragraph (a);
ii. the Data Owner is unable to suspend the further use of or processing of Personal Data due to such Personal Data having been transferred to Data User, the Data Owner will order the Data User to suspend the further use and processing of Personal Data; or where the Data User does not follow the order of the Data Owner to suspend the processing of Personal Data;
iii. Compliance by the Data User with these clauses would put it in breach of its legal or regulatory obligations;
iv. The Data User is in material or persistent breach of any warranties or undertakings given by it under this DPA or the “Agreement”;
v. a final decision issued by a competent Court of the Data Owner’s country of establishment or of the Authority rules that there has been a breach of this DPA or the “Agreement” by the Data User or the Data Owner;
then the Data Owner, without prejudice to any other rights which it may have against the Data User, shall be entitled to terminate this DPA and the “Agreement”, in which case the Authority shall be informed where required.

In cases covered by (i), (iii), or (v) above the Data User may also terminate this DPA and the “Agreement”.

10.3 The Parties agree that the termination of this DPA at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under this DPA as regards the processing of Personal Data.
10.4 In the event of termination of this DPA, the Data User must return all Personal Data and all copies of the Personal Data subject to this DPA to the Data Owner or, at the Data Owner’s choice, destroy all copies of the same and certify to the Data Owner that it has done so, unless the Data User can prove it is prevented by its national law or local regulator from destroying or returning all or part of such data, in which event the data will be kept confidential and will not be actively processed for any purpose. The Data User agrees that, if so requested by the Data Owner, it will allow the Data Owner, or an inspection agent selected by the Data Owner and not reasonably objected to by the Data User, access to its establishment to verify that this has been done, with reasonable notice and during business hours.
The details of the use of and the processing of Personal Data are specified in Annex 1. The Parties agree that Annex 1 may contain confidential business information that they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency.
Annex 1
1. Agreement
The Agreement concerning the processing conducted by the Data User with the Personal Data allocated by the Data Owner has the following reference
2. Purposes for which Personal Data is to be processed ("Approved Purpose")
Personal Data received from Data Owner will be processed by Data User for recruitment purposes.
3. Personal Data to be processed 
The following Personal Data of data subjects will be processed:
  • Applicants / potential candidates
  • Personal details (i.e. title, name, surname, email, address, employee ID, and job position)
  • Personal information given by the applicant/candidates to special positions or for general application, including but not limited to CV, references, and relevant additional information.
  • Personal information given by the recruiting company, including but not limited to background check information, assessment results, and obtained information from third parties.
  • Demographic details including age, tenure, gender, seniority, work status, place of work (organizational unit or country/city).
  • Technical information (i.e. public IP address, time and date of access, browser activities, browser settings, and Log-In ID data). This is used solely for security purposes, namely authentication and input control.
4. Processes and routines for successive deletion of Personal Data
The Personal Data shall be successively deleted according to instructions from Data Owner.

5. Technical Contact Point
Data Protection Officer
Kristine Angeltvedt
Phone: 0047 92834046