Data Processing Agreement

LAST UPDATED: 7 March, 2024

1. Parties

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Use entered into by and between the Customer, a company incorporated under the laws of Norway (the “Controller”); and Glede Norway AS, a company incorporated under the laws of Norway with its registered address Sem Sælands vei 1, 7034 Trondheim, Norway (the "Processor"). Each of the Controller and the Processor may hereafter be referred to as a "Party" and jointly the "Parties".

2. Background

This data processing agreement (the "Processing Agreement") sets out the terms and conditions for the processing of Personal Data (as defined below) conducted in accordance with the Terms of Use Agreement regarding the provision and use of the Processor's digital gifting platform which the Controller has accepted and agreed to be bound by (such Terms of Use agreement is hereinafter referred to as the "Agreement").

The Controller determines the purpose and means of the processing of Personal Data (as defined below) and is therefore the data controller for the processing of Personal Data conducted in accordance with the Agreement.

The Processor shall process Personal Data on behalf of the Controller in accordance with this Processing Agreement. Glede is therefore the personal data processor for the processing of Personal Data. 

This Processing Agreement aims to comply with the obligations provided for in the Data Protection Legislation (as defined below), which requires that processing conducted by a data processor on behalf of a data controller is governed by a written agreement.

3. Definitions and interpretation

3.1 Definitions
In this Processing Agreement, in addition to the terms and expressions defined above, the following capitalized terms and expressions shall have the meaning set out below:

  • "Data Protection Legislation" means the applicable national legislation and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR)
  • "Personal Data" means any information relating to an identified or identifiable natural person (as defined in Data Protection Legislation) and which the Processor, or its Sub-Processors (if any), processes on behalf of the Controller.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
  • "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • "Standard Contractual Clauses" means the contractual clauses issued by the European Commission in Decision 2010/87/EU.
  • "Sub-Processor" or “Subprocessor” means any person (including any third party and any Glede Affiliate, but excluding Glede personnel) appointed by or on behalf of Glede or any Glede Affiliate to Process Personal Data on behalf of Customer and/or Customer Affiliate in connection with the Agreement.
  • "EU" and "EEA" means European Union and European Economic Area respectively

3.2 Processing Defined
All references to "processing", "process" and "processes" shall have the same meaning as set out in the Data Protection Legislation.

3.3 Headings
Headings in this Processing Agreement are for ease of reference only.

3.4 Section References
Unless otherwise stated, reference in this Processing Agreement to "section" and "appendices" shall be deemed to be references to sections and appendices to this Processing Agreement.

3.4 Inclusions
For the avoidance of doubt, this Processing Agreement comprises this data processing agreement, any appendices to it and any other document in agreed form.

4. Responsibilities and undertakings

4.1 The controller
The controller undertakes to process personal data in accordance with applicable legislation, including but not limited to Data Protection Legislation and thereto related ordinances, regulations and guidelines issued by relevant and competent authorities.

4.2 The processor

  • only process Personal Data in accordance with the Controller's documented instructions as set forth in the Agreement and this Processing Agreement. The Processor shall not deviate from the Controller's instructions, except and only to the extent that the Processor is required to do so to comply with legislation to which the Processor is subject, and in such case the Processor shall inform the Controller of the legal requirement prior to conducting the processing (unless applicable legislation prohibits such information);
  • only process Personal Data in accordance with Data Protection Legislation and thereto related ordinances and regulations issued by relevant and competent authorities;
  • immediately notify the Controller if, in its opinion, an instruction infringes Data Protection Legislation or any other applicable data protection legislation;
  • keep all Personal Data strictly confidential and ensure that persons authorized to process Personal Data have undertaken to comply with confidentiality obligations in respect of Personal Data;
  • maintain written records of all processing activities relating to Personal Data in accordance with the requirements set forth in Data Protection Legislation;
  • without undue delay comply with all decisions and judgments of a competent authority, court or, where appropriate, arbitration tribunal regarding Personal Data;
  • to the extent necessary and only in an instance in which the Processor has access to the relevant Personal Data assist the Controller in ensuring compliance with its obligations under applicable Data Protection Legislation, including, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational security measures, to fulfill its obligation to respond to requests for exercising the data subject's rights in accordance with Data Protection Legislation, conduct data protection impact assessments and prior consultations with the competent supervisory authority where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk; and
  • upon request, provide the Controller with all relevant information and documentation demonstrating the measures taken by the Processor to fulfill its obligations under this Processing Agreement.

5. Security General

5.1 Security
The Processor undertakes to establish and maintain appropriate technical and organizational measures in order to protect Personal Data against unauthorized or unlawful processing and against accidental, unauthorized or unlawful destruction, loss, alteration or disclosure taking into account the nature of the processing. Such measures shall at least maintain the level of security set forth in Data Protection Legislation, including thereto related ordinances, regulations and guidelines issued by the relevant authorities.

5.2 Access
The Processor shall ensure that access to Personal Data is limited to those persons who need access in order for the Processor to meet its obligations under this Processing Agreement and the Agreement, that such access is only granted to such persons as is necessary in relation to that person's particular duties and that such persons only process Personal Data in accordance with the instructions of the Controller.

5.3 Personal Data Breach
The Processor shall ensure that access to Personal Data is limited to those persons who need access in order for the Processor to meet its obligations under this Processing Agreement and the Agreement, that such access is only granted to such persons as is necessary in relation to that person's particular duties and that such persons only process Personal Data in accordance with the instructions of the Controller.

  • a description of the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;
  • a description of the likely consequences of the Personal Data Breach; and
  • a description of the measures taken or proposed to be taken, if any, by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible for the Processor to provide the information listed under Section 5.3 at the same time, the information may be provided in phases without undue further delay. The Processor shall also provide contact details for the person responsible for handling the relevant Personal Data Breach.

For the avoidance of doubt, the Processor shall upon the Controller's request assist the Controller, where possible taking into account the nature of the processing, in ensuring compliance with its obligations in relation to Personal Data Breaches in accordance with applicable Data Protection Legislation.

6. Sub-processors

6.1 Authorized Sub-Processors
The Controller hereby authorizes the Processor to solicit sub-contractors for Processing Personal Data. The Processor will provide a list of Authorized Sub-processors. Glede’s current Authorized Subprocessors list is available at https://glede.app/legal/subprocessor-list. At least thirty (30) days before any new Subprocessor shall commence Processing Personal Data, Glede will update the list of Authorized Sub-Processors to include the new Subprocessor. If Customer would like to receive notification of such an update to the list, Customer may sign up to receive such notice by emailing compliance@glede.app.

If Customer has a legitimate objection to Glede’s appointment of a new Subprocessor, Customer may notify Glede in writing by emailing compliance@glede.app within fourteen (14) calendar days of receiving the notice. Legitimate objections must contain reasonable and documented grounds relating to a Subprocessor’s non-compliance with applicable Data Protection Legislation. If, in Glede’s reasonable opinion, such objections are legitimate, the Customer may terminate the Agreement by providing written notice to Glede. Customer acknowledges and agrees that (a) Glede Affiliates may be retained as Subprocessors through written agreement with Glede and (b) Glede and Glede Affiliates respectively may engage third-party subcontractors, pursuant to this clause 6.1.

6.2 Sub-Processor Liability and Agreement
The Processor shall:

  • remain fully liable for the performance of every Sub-processor as if such processing was conducted by the Processor itself; and
  • in each case first ensure that each and every Sub-processor and the Processor have entered into a data processing agreement which sets forth the same responsibilities and obligations as set out in relation to the Processor under this Processing Agreement.

7. Transfer of Personal Data

7.1 Personal Data Transfer Compliance
The Processor may transfer Personal Data to a country outside the EU/EEA provided that the Processor shall comply with the provisions of applicable Data Protection Legislation relating to the transfer of Personal Data outside the EU/EEA and undertakes to take all steps necessary to comply and allow the Controller to comply with such provisions. Information about where the Personal Data might be transferred by the sub-processors is available in the Authorized Sub-Processors list.

7.2 Object to Changes
Upon amendments to the list of Authorized Sub-processors, the Controller shall without undue delay object to any changes that involve the transfer of Personal Data outside the EU/EEA if the Controller has reasonable grounds to doubt such transfer does not comply with applicable Data Protection Legislation.

8. Audit rights

8.1 Processor's Compliance Assistance
The Processor shall provide the Controller with all information necessary for the Controller to demonstrate compliance with the obligations provided for in applicable Data Protection Legislation relating to the Controller's engagement as a processor.

8.2 Controller's Audit Rights
The Controller is entitled to, at its own cost, by itself or by appointing an independent third party auditor (not being a competitor of the Processor), audit, including inspecting the Processor's processing of Personal Data and reviewing whether the Processor's processing of Personal Data is conducted in accordance with this Processing Agreement. The Processor shall assist the Controller and provide access to the Processor's venues and computer equipment to the extent necessary considering the purpose of the audit.

8.3 Advance Notice for Audit
The Controller shall notify the Processor in writing at least five (5) business days prior to the audit and such audit shall be conducted during normal business hours and without unreasonably disrupting the Processor's operations.

8.4 Self-Bearing Audit Costs
Each Party shall bear its own costs for audits conducted in accordance with this Section 8.

9. Confidentiality

The Parties’ confidentiality obligations are set forth in the Agreement.

10. Limitation of liability

The Processor's liability under this Processing Agreement is limited to the extent and amount set out in the Agreement.

11. Term and termination

In the event that the Agreement is terminated or expires, the Processor shall without undue delay return, or if the Controller so requests, delete or otherwise obliterate all data including Personal Data and copies thereof, unless applicable legislation requires storage of the Personal Data or otherwise specified in the Agreement.

12. Miscellaneous

This Processing Agreement is hereby incorporated into and forms part of the Agreement. If any provision of this Processing Agreement or any part thereof would to any extent be or become invalid or unenforceable, the remaining parts of the Processing Agreement shall continue in full force and effect and the Parties shall use their best endeavors to agree upon any necessary and reasonable adjustments of this Processing Agreement in order to secure the vital interests of the Parties and the main objectives prevailing at the time of the execution of this Processing Agreement.

13. Governing law and dispute resolution

The Processing Agreement shall be governed by the substantive laws of Norway. Any dispute, controversy or claim arising out of or in connection with this Processing Agreement, or the breach, termination or invalidity thereof shall be finally settled by Oslo District Court.