SIST OPPDATERT: 7 mars, 2024
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Use entered into by and between the Customer, a company incorporated under the laws of Norway (the “Controller”); and Glede Norway AS, a company incorporated under the laws of Norway with its registered address Sem Sælands vei 1, 7034 Trondheim, Norway (the "Processor"). Each of the Controller and the Processor may hereafter be referred to as a "Party" and jointly the "Parties".
This data processing agreement (the "Processing Agreement") sets out the terms and conditions for the processing of Personal Data (as defined below) conducted in accordance with the Terms of Use Agreement regarding the provision and use of the Processor's digital gifting platform which the Controller has accepted and agreed to be bound by (such Terms of Use agreement is hereinafter referred to as the "Agreement").
The Controller determines the purpose and means of the processing of Personal Data (as defined below) and is therefore the data controller for the processing of Personal Data conducted in accordance with the Agreement.
The Processor shall process Personal Data on behalf of the Controller in accordance with this Processing Agreement. Glede is therefore the personal data processor for the processing of Personal Data.
This Processing Agreement aims to comply with the obligations provided for in the Data Protection Legislation (as defined below), which requires that processing conducted by a data processor on behalf of a data controller is governed by a written agreement.
3.1 Definitions
In this Processing Agreement, in addition to the terms and expressions defined above, the following capitalized terms and expressions shall have the meaning set out below:
3.2 Processing Defined
All references to "processing", "process", "processes", shall have the same meaning as set out in the Data Protection Legislation
3.3 Headings
Headings in this Processing Agreement are for ease of reference only.
3.4 Section References
Unless otherwise stated, reference in this Processing Agreement to "section" and "appendices" shall be deemed to be references to sections and appendices to this Processing Agreement.
3.4 Inclusions
For the avoidance of doubt, this Processing Agreement comprises this data processing agreement, any appendices to it and any other document in agreed form.
4.1 The controller
The controller undertakes to process personal data in accordance with applicable legislation, including but not limited to Data Protection Legislation and thereto related ordinances, regulations and guidelines issued by relevant and competent authorities.
4.2 The processor
5.1 Security
The Processor undertakes to establish and maintain appropriate technical and organizational measures in order to protect Personal Data against unauthorized or unlawful processing and against accidental, unauthorized or unlawful destruction, loss, alteration or disclosure taking into account the nature of the processing. Such measures shall at least maintain the level of security set forth in Data Protection Legislation, including thereto related ordinances, regulations and guidelines issued by the relevant authorities.
5.2 Access
The Processor shall ensure that access to Personal Data is limited to those persons who need access in order for the Processor to meet its obligations under this Processing Agreement and the Agreement, that such access is only granted to such persons as is necessary in relation to that person's particular duties and that such persons only processes Personal Data in accordance with the instructions of the Controller.
5.3 Personal Data Breach
The Processor shall ensure that access to Personal Data is limited to those persons who need access in order for the Processor to meet its obligations under this Processing Agreement and the Agreement, that such access is only granted to such persons as is necessary in relation to that person's particular duties and that such persons only processes Personal Data in accordance with the instructions of the Controller.
Where it is not possible for the Processor to provide the information listed under Section 5.3 at the same time, the information may be provided in phases without undue further delay. The Processor shall also provide contact details for the person responsible for handling the relevant Personal Data Breach.
For the avoidance of doubt, the Processor shall upon the Controller's request assist the Controller, where possible taking into account the nature of the processing, in ensuring compliance with its obligations in relation to Personal Data Breaches in accordance with applicable Data Protection Legislation.
6.1 Authorized Sub-Processors
The Controller hereby authorizes the Processor to solicit sub-contractors for Processing Personal Data . The Processor will provide a list of Authorized Sub-processors. Glede’s current Authorized Subprocessors list is available at https://glede.app/legal/subprocessor-list. At least thirty (30) days before any new Subprocessor shall commence Processing Personal Data, Glede will update the list of Authorized Sub-Processors to include the new Subprocessor. If Customer would like to receive notification of such an update to the list, Customer may sign up to receive such notice by emailing compliance@glede.app.
If Customer has a legitimate objection to Glede’s appointment of a new Subprocessor, Customer may notify Glede in writing by emailing compliance@glede.app within fourteen (14) calendar days of receiving the notice. Legitimate objections must contain reasonable and documented grounds relating to a Subprocessor’s non-compliance with applicable Data Protection Legislation. If, in Glede’s reasonable opinion, such objections are legitimate, the Customer may terminate the Agreement by providing written notice to Glede. Customer acknowledges and agrees that (a) Glede Affiliates may be retained as Subprocessors through written agreement with Glede and (b) Glede and Glede Affiliates respectively may engage third-party subcontractors, pursuant to this clause 6.1.
6.2 Sub-Processor Liability and Agreement
The processor shall
7.1 Personal Data Transfer Compliance
The Processor may transfer Personal Data to a country outside the EU/EEA provided that the Processor shall comply with the provisions of applicable Data Protection Legislation relating to the transfer of Personal Data outside the EU/EEA and undertakes to take all steps necessary to comply and allow the Controller to comply with such provisions. Information about where the Personal Data might be transferred by the sub-processors is available in the Authorized Sub-Processors list.
7.2 Object to Changes
Upon amendments to the list of Authorized Sub-processors, the Controller shall without undue delay object to any changes that involve the transfer of Personal Data outside the EU/EEA if the Controller has reasonable grounds to doubt such transfer does not comply with applicable Data Protection Legislation.
8.1 Processor's Compliance Assistance
The Processor shall provide the Controller with all information necessary for the Controller to demonstrate compliance with the obligations provided for in applicable Data Protection Legislation relating to the Controller's engagement as a processor.
8.2 Controller's Audit Rights
The Controller is entitled to, at its own cost, by itself or by appointing an independent third party auditor (not being a competitor of the Processor), audit, including inspecting the Processor's processing of Personal Data and reviewing whether the Processor's processing of Personal Data is conducted in accordance with this Processing Agreement. The Processor shall assist the Controller and provide access to the Processor's venues and computer equipment to the extent necessary considering the purpose of the audit.
8.3 Advance Notice for Audit
The Controller shall notify the Processor in writing at least five (5) business days prior to the audit and such audit shall be conducted during normal business hours and without unreasonably disrupting the Processor's operations.
8.4 Self-Bearing Audit Costs
Each Party shall bear its own costs for audits conducted in accordance with this Section 8.
The Parties’ confidentiality obligations are set forth in the Agreement.
The Processor's liability under this Processing Agreement is limited to the extent and amount set out in the Agreement.
In the event that the Agreement is terminated or expires, the Processor shall without undue delay return, or if the Controller so requests, delete or otherwise obliterate all data including Personal Data and copies thereof, unless applicable legislation requires storage of the Personal Data or otherwise specified in the Agreement.
This Processing Agreement is hereby incorporated into and forms part of the Agreement. If any provision of this Processing Agreement or any part thereof would to any extent be or become invalid or unenforceable, the remaining parts of the Processing Agreement shall continue in full force and effect and the Parties shall use their best endeavors to agree upon any necessary and reasonable adjustments of this Processing Agreement in order to secure the vital interests of the Parties and the main objectives prevailing at the time of the execution of this Processing Agreement.
The Processing Agreement shall be governed by the substantive laws of Norway. Any dispute, controversy or claim arising out of or in connection with this Processing Agreement, or the breach, termination or invalidity thereof shall be finally settled by Oslo District Court.