
Data Processing Agreement

1 Background and scope

1.1
These data processing terms (the "DPA") apply when the Mittanbud entity that is described in the terms and conditions ("Mittanbud") acts as a processor of personal data on behalf of the professional party registering for the Mittanbud services ("Customer"), who acts as the controller. This arrangement is detailed in the Data Processing Appendix below. For the purpose of this DPA the Customer is hereafter referred to as the "controller" and Mittanbud as the "processor", and jointly as the "parties".

1.2
Within the scope of the Terms and Conditions, and in order to provide the Mittanbud service, personal data shall be transferred to and processed by the processor. The parties wish to set out the conditions for this processing in this DPA in accordance with Article 28 of the General Data Protection Regulation 2016/679 of 27 April 2016 ("GDPR").

1.3
This DPA sets out the rights and obligations of the controller and the processor, when processing personal data on behalf of the controller. In the context of the terms and conditions entered into between the parties ("Terms and Conditions"), the processor shall process personal data on behalf of the controller in accordance with the DPA.





2 Definitions



2.2
"controller", means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (herein the Customer).


2.3

"personal data", means any information relating to an identified or identifiable natural person ("data subject") that the Processor processes on behalf of the controller; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.




2.5
"processor", means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (herein Mittanbud).


2.6

"special categories of personal data", means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sexual orientation and data relating to criminal convictions and offences.


2.7
"EU or Member State law" refers to any regulations or laws applicable to a country that has implemented the GDPR and is a member of the European Economic Area (EEA).



Words, abbreviations and expressions not defined herein shall have the content ascribed to them in the Terms and Conditions and Applicable Data Protection Law, unless otherwise appears from the context or is expressly stated below.



3 Description of the processing


3.1

A detailed description of the processing of personal data of the data subjects concerned, in particular the categories of personal data and the purpose and nature of the processing for which the personal data is processed on behalf of the controller, is included in the Data Processing Appendix below.



4 The obligations, rights and responsibilities of the controller


4.1
The controller is responsible for ensuring that the processing of personal data takes place in compliance with Applicable Data Protection Law (see Article 24 GDPR). For the avoidance of doubt, this includes the responsibility for ensuring that the controller has a lawful basis for the processing of personal data under Applicable Data Protection Law when using the Mittanbud services and making available personal data to the processor in accordance with the Terms and Conditions.


4.2
In the event that the processor violates this DPA or the Applicable Data Protection Law, the controller may require the processor to stop further processing of the personal data with immediate effect.



5 General obligations of the processor



5.1
The processor undertakes to process personal data on behalf of the Controller in accordance with Applicable Data Protection Law, the Terms and Conditions, this DPA with appendix and any subsequent agreement between the parties.





5.4
The processor shall immediately notify the controller when the processor considers an instruction given by the controller to be in breach of the Applicable Data Protection Law or any other legal requirement concerning data protection of EU or Member State law.




5.6
At the explicit request of the controller, the processor shall provide the controller with a copy of the personal data being processed under the DPA.



6 Assistance from the processor to the controller



6.1

If the data subject contacts the processor directly or issues a request to the processor for exercising its rights laid down in Chapter III GDPR, the processor shall without undue delay refer the data subject to the controller.



Taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subjects' rights laid down in Applicable Data Protection Law.


a) the controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);

b) the controller’s obligation to consult the competent supervisory authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;

c) the obligations in Article 32 GDPR.



7 Confidentiality


7.1

The processor shall ensure that only authorised personnel have access to the personal data, and that authorisation is only assigned to personnel who have a justified need to access the personal data.


7.2

The processor shall ensure that persons authorised to process the personal data are committed to processing the information confidentially by a confidentiality statement in an employment contract or in another agreement, if such person is not subject to an appropriate statutory duty of confidentiality.


7.3

The duty of confidentiality described in clauses 7.1 and 7.2 above shall survive the termination of this DPA.



8 Security and processing



8.1

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the processor shall, in accordance with Article 32 GDPR, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


8.2

The processor and controller have agreed upon the technical and organizational measures to be implemented to ensure the security of the personal data. These measures are detailed on the processor's dedicated webpage regarding security measures, which is incorporated into this DPA by reference and is available at the following link: [Insert link to website overview of technical and organisational measures]. The processor may update or modify its technical and organizational measures from time to time, provided such updates and modifications do not result in the degradation of the overall security of the Mittanbud service.


8.3

In case of accidental or unlawful destruction, loss, unauthorised access to or processing of the personal data (“Data Breach”), the processor shall inform the controller thereof without undue delay after becoming aware of the Data Breach. The controller shall notify the Data Breach to the competent data protection authority and/or the data subjects in accordance with Articles 33 and 34 GDPR.




9 Use of sub-processors


9.1

The processor has the controller’s general authorisation for engaging another processor (the “sub-processor”) for the fulfilment of the DPA. The processor shall notify the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). Such information will be provided by updating the list of sub-processors on the processor’s dedicated webpage, which details the use of sub-processors. This list is incorporated into this DPA by reference and is available at the following link https://mittanbud.no/om/sub-processors


9.2

If the controller objects to the proposed changes in sub-processor(s), the processor and controller shall attempt to reach an agreement on how to handle the changes. The list of sub-processors, engaged by the processor and authorized by the controller at any given time, is incorporated by reference into this DPA and is available at the following link: https://mittanbud.no/om/sub-processors


9.3

Where the processor engages a sub-processor pursuant to this Section, the same data protection obligations as set out in this DPA shall be imposed on the sub-processor by way of a written contract, and the processor shall ensure that any use of sub-processors is performed in accordance with Applicable Data Protection Law.


9.4

Where a sub-processor fails to fulfil its data protection obligations, the processor shall remain fully liable to the controller for the performance of that sub-processor's obligations under the DPA.




10 Transfer of data to countries outside the EU/EEA



10.1

Any transfer of personal data to third countries or international organisations by the processor shall always take place in compliance with Chapter V GDPR.


10.2

The controller agrees that where the processor engages a sub-processor for carrying out specific processing activities and those processing activities involve a transfer of personal data outside of the EU/EEA within the meaning of Chapter V GDPR, the processor is authorised to facilitate such transfer provided that at least one of the legal grounds (adequacy decision or appropriate safeguards) below applies:

(i) the European Commission has decided that the security level in the relevant third country, to which personal data shall be transferred, is adequate. These countries are listed on the European Commission’s homepage;

(ii) the processor has, on behalf of the controller, entered into a binding agreement incorporating the European Commission's from time to time applicable standard data protection clauses for the transfer of personal data to third countries, with the sub-processor in the third country; or

(iii) the transfer is based on binding corporate rules in accordance with article 47 of the GDPR.


10.3
The list of sub-processors engaged by the processor and authorised by the controller, along with the sub-processors' location and the legal basis for the data transfer, is incorporated by reference into this DPA and available at the following link: https://mittanbud.no/om/sub-processors


10.4

In case transfers to third countries or international organisations, which the processor has not been instructed to perform by the controller, are required under EU or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.



11 Access to information and performance of audits



11.1

Once per calendar year and whenever there are reasonable indications of a breach of the DPA or Applicable Data Protection Law, for example but not limited to, in the case of a Data Breach, the controller is entitled (to mandate an auditor) to conduct an audit or inspection of the processor’s processing of the personal data upon reasonable prior notification to the processor. The processor shall make available all information necessary for the performance of the audit/inspection by the controller or an auditor. The audit/inspection shall be restricted in scope, manner and duration to what is reasonably necessary to achieve its purpose and may not unnecessarily interrupt the processor’s operations.



The processor shall set aside the resources (mainly time) required for the controller to be able to perform the audit/inspection. The controller shall bear all (other) reasonable costs of the audit/inspection.


11.3

Based on the results of such an audit/inspection, the controller may request further measures to be taken to ensure compliance with Applicable Data Protection Law and the DPA.



12 Duration and termination



12.1

The DPA enters into force on the date of signature of the Terms and Conditions and remains in effect as long as the processor processes personal data on behalf of the controller in the context of the Terms and Conditions.


12.2

Upon termination of the Terms and Conditions, or if the controller deletes their user profile, the processor shall terminate the processing under this DPA, unless the parties decide otherwise. The processor shall delete or return, at the choice of the controller, all the personal data in its possession that has been processed in the context of being a processor, as well as every existing copy or back-up made, unless the storage of the personal data is legally required.


12.3

The processor shall ensure that any sub-processor shall terminate the processing of the personal data and delete all the personal data from its files upon termination of the Terms and Conditions.


12.4

Both parties shall be entitled to require the DPA to be renegotiated if changes to the law or inexpediency of the DPA should give rise to such renegotiation.



13 Liability



13.1
The parties' liability for damage suffered by a data subject or other natural persons which is due to a violation of Applicable Data Protection Law shall follow the provisions of Article 82 of the GDPR. The parties are individually responsible to the relevant supervisory authority, for administrative fines imposed pursuant to Article 83 of the GDPR. As between the Parties (inter partes) the processor’s liability under the DPA shall not exceed the limitations on liability as outlined in the Terms and Conditions.


13.2

The processor shall not be liable:

a) for any indirect or consequential damage, loss of profits, loss of turnover, lost business opportunities or reputational damage suffered by the controller.

b) for any damage suffered by the data subjects or other natural persons due to identity theft, data theft or cybercrime, if the technical and organisational measures provided for in Section 8.2 of the DPA have been implemented.

c) for non-performance or delay in performance caused by any event beyond the reasonable control of the processor.



14 Notice



14.1

Notices or communication pursuant to this DPA shall be sent in writing to the parties' given contact persons as set out in the Terms and Conditions.



15 Legal venue and governing law



15.1
This DPA shall be governed by the laws of Norway, with Oslo District Court as the legal venue.

Published 18 Dec 2025, 11:19

Updated 13 Jan 2026, 08:35