Data Processing Agreement

Similar documents
GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Data Processing Clauses

DATA PROCESSING TERMS

Eco Web Hosting Security and Data Processing Agreement

Data Processor Agreement

Data Processing Agreement

Data Processing Agreement for Oracle Cloud Services

DATA PROCESSING AGREEMENT

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Data Processing Agreement

Data Processing Agreement

Data Processing Agreement

Data Processing Agreement DPA

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Data Protection Policy

PS Mailing Services Ltd Data Protection Policy May 2018

Privacy Policy. MIPS Website Privacy Policy. Document Information. Contact Details. Version 1.0 Version date March 2018.

Data subject ( Customer or Data subject ): individual to whom personal data relates.

CliniSys Website Privacy Policy

Privacy Policy. Last updated on 31 May 2018

HPE DATA PRIVACY AND SECURITY

PRIVACY POLICY CORPORATE CUSTOMER

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Haaga-Helia University of Applied Sciences Privacy Notice for JUSTUS publication data storage service

Privacy Policy Hafliger Films SpA

Fluid Metering, Inc. Privacy Policy

Haaga-Helia University of Applied Sciences Privacy Notice for the Laura Recruitment Service

PRINCIPLES OF PROTECTION OF PERSONAL DATA (GDPR) WITH EFFICIENCY FROM

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

DATA PROCESSING AGREEMENT

Integrity Notice. Fjärde AP-fonden (AP4)

Act CXII of 2011 on the right to information self-determination and freedom of information. Act ;

Individual Agreement. commissioned processing

Learning Management System - Privacy Policy

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Use of data processor (external business unit)

Privacy Policy CARGOWAYS Logistik & Transport GmbH

PRIVACY POLICY PRIVACY POLICY

PRIVACY POLICY FOR WEB AND ONLINE TRADING PLATFORM

Rules for Commissioned Processing. (DDV Declaration of Conformity)

PRIVACY NOTICE Olenex Sarl

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Employee Security Awareness Training Program

Privacy Policy Identity Games

Information Security Policy

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

2. Who we collect information (data) from & why we collect it

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

EU Data Protection Agreement

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

1. Type of personal data that we collect and process?

Use of data processor (external business unit)

At Oatly we believe in the importance of protecting personal information and an individual s right to privacy and integrity.

Terms and Conditions for Allegion Data Processing and Transfer

GDPR Controls and Netwrix Auditor Mapping

PRIVACY POLICY. What personal data we collect and why we collect it IN ORDER TO: (Date of last update: 1 st January 2019)

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

ADIENT VENDOR SECURITY STANDARD

Talenom Plc. Description of Data Protection and Descriptions of Registers

Legal notice and Privacy policy

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

We reserve the right to modify this Privacy Policy at any time without prior notice.

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Privacy Statement for Use of the Certification Service of Swisscom (sales name: "All-in Signing Service")

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS

SCHOOL SUPPLIERS. What schools should be asking!

Data Processing Amendment to Google Apps Enterprise Agreement

2. Which personal data is processed by SF Studios and from which source does the personal data originate?

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

the processing of personal data relating to him or her.

CD STRENGTH LLC. A MASSACHUSETTS, USA BASED COMPANY

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Identity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode

Privacy Policy. You may exercise your rights by sending a registered mail to the Privacy Data Controller.

In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14 and 30)

PERSONAL DATA POLICY Westpack A/S

Saba Hosted Customer Privacy Policy

Platform Privacy Policy (Tier 2)

CHASE GRAMMAR SCHOOL PRIVACY STATEMENT General Data Protection Regulations (GDPR)

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

have concluded the following data processing agreement (hereinafter the Data Processing Agreement or this Agreement ):

Privacy Policy for Trend Micro Products and Services for the European Union, the European Economic Area (EEA) and the United Kingdom

PRIVACY POLICY. 1. Introduction

PERSONAL DATA PROTECTION POLICY

Islam21c.com Data Protection and Privacy Policy

PRIVACY NOTICE 1. Introduction

Information leaflet about processing of personal data (

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

PRIVACY NOTICE. 1.2 We may obtain or collect your Personal Data from various sources including but not limited to:

INFORMATION TO BE GIVEN 2

Site Builder Privacy and Data Protection Policy

German Data Processing Addendum MailChimp

HIPAA For Assisted Living WALA iii

Online Ad-hoc Privacy Notice

PRIVACY POLICY OF THE WEB SITE

Transcription:

In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal data and on free exchange of such information, Articles 28 and 29, cf. Articles 32-36, the following agreement is concluded between ColliCare Logistics... Data Controller and (system supplier)..... Data Processor Version 1/May 2018 1/7

1. Purpose of the Agreement To regulate the rights and obligations under the GDPR on the protection of physical persons in connection with the processing of personal data and on the free exchange of such information. The agreement is intended to ensure that personal data is not used illegally, wrongfully, nor that information is processed in ways resulting in unauthorized access, alteration, deletion, damage, loss, or unavailability. The agreement governs the Data Processor s management of personal data on behalf of the Data Controller. It includes collection, registration, compilation, storage, disclosure or combination of these, in connection with the conduct of transport- and logistics services and administrative services within the company, like salary and personnel. In the event of conflict, the terms of this agreement shall precede the Data Processor s personal privacy declaration or the terms of any other agreements entered into between the Data Controller and the Data Processor in connection with the conduct of transport- and logistics services. 2. Instructions The Data Processor will follow the written instructions for the management of personal data which the Data Controller has determined should apply. ColliCare Logistics is obliged to abide by all obligations under the GDPR that apply to the processing of personal data in the conduct of transport- and logistics services. The Data Processor undertakes to notify the Data Controller if it receives instructions from the Data Controller that violate the provisions of GDPR. 3. Purpose Limitations The purpose of the Data Processor s management of personal data on behalf of the Data Controller is to provide and manage transport- and logistics services and administrative services within the company. Personal data that the Data Processor manages on behalf of the Data Controller may not be used for purposes other than delivery and administration of transport- and logistics services, and administrative services within the company, like salary and personnel, without prior approval of the Data Controller. The Data Processor is not permitted to transfer personal data covered by this agreement to partners or other third parties without prior approval of the Data Controller, cf. point 10 of this agreement. 4. Types of information and registered persons The Data Processor manages personal data on behalf of the Data Controller in connection with the delivery and management of transport- and logistics services. Data can be; name and surname home address Version 1/May 2018 2/7

an email address such as name.surname@company.co social security number phone number 5. The rights of registered persons Data Processor is responsible for assisting the Data Controller in safeguarding the rights of the registered person, cf. GDPR, Chapter III, Articles 13 to 23. The registered person s rights include the right to information about how his or her personal data is processed, the right to request access to their own personal data, the right to request corrections or deletion of their own personal data and the right to require that the processing of their personal data be limited. To the extent relevant, the Data Processor will assist the Data Controller in maintaining the registered person s right to data portability and the right to oppose automatic decisions, including profiling. The Data Processor is liable for damages to the registered person if errors or omissions on the part of the Data Processor inflict financial or non-financial loss on the registered person as a result of their rights or privacy protection being infringed. 6. Satisfactory information security The Data Processor will implement satisfactory technical, physical and organizational safeguards to protect personal data covered by this agreement from unauthorized or unlawful access, alteration, deletion, damage, loss, or unavailability. The Data Processor will document its own security organization, guidelines and routines for security work, risk assessments and established technical, physical or organizational safeguards. The documentation should be available to the Data Controller. The Data Processor will establish continuity- and contingency plans for effective handling of serious security incidents. The documentation should be available to the Data Controller. The Data Processor will provide its own staff with sufficient information on, and training in, information security to ensure that the security of personal data managed on behalf of the Data Controller is taken care of. The Data Processor will document the training of its own staff in information security. The documentation should be available to the Data Controller. 7. Duty of confidentiality Only employees of the Data Processor, who have a work-related need to access personal data that are managed on behalf of the Data Controller, may be granted such access. The Data Processor is required to document access management guidelines and routines. The documentation should be available to the Data Controller. Employees of the Data Processor have a duty of confidentiality in respect of documentation and personal data which they obtain access in accordance with this agreement. This provision also Version 1/May 2018 3/7

applies after the termination of the agreement. The duty of confidentiality includes employees of third parties performing maintenance (or similar tasks) of systems, equipment, networks or buildings used by the Data Processor to deliver or administer transport- and logistics services. 8. Access to security documentation Data Processor is obliged to provide the Data Controller with access to all security documentation necessary for the Data Controller to be able to fulfil its obligations in accordance with GDPR, Article 5 No.1 letter f and Articles 32-36. The Data Processor is obliged to provide Data Controller with access to other relevant documentation that allows the Data Controller to evaluate whether the Data Processor is complying with the terms of this agreement. Employees of the Data Processor have a duty of confidentiality in respect of confidential security documentation that the Data Processor makes available to the Data Controller. 9. Security breach notification The Data Processor must notify the Data Controller without unreasonable delay if personal data that is managed on behalf of the Data Controller is exposed to any breach of security that involves the risk of infringement of the registered party s personal privacy. The notification to the Data Controller should at a minimum include information that describes the security breach, which registered parties are affected by the security breach and what personal data is affected by the security breach. It should also state what immediate measures have been Implemented to address the security breach, and any preventive actions that may have been taken to avoid similar incidents in the future. The Data Controller is responsible for ensuring that notifications of security breaches from the Data Processor are reported to the Norwegian Data Inspection Authority. 10. Subcontractors The Data Processor is obliged to enter into its own agreements with subcontractors of transport- and logistics services that govern the subcontractor s management of personal data in connection with the delivery and administration of transport- and logistics services. In agreements between the Data Processor and its subcontractors, the subcontractors are required to comply with all obligations to which the Data Processor itself is subject under this agreement. The Data Processor is obliged to submit the agreements to the Data Controller upon request. The Data Processor will ensure that the subcontractors of the transport- and logistics services comply with their contractual obligations, in particular that information security is satisfactory and that employees of the subcontractors are aware of their obligations and fulfil these. The Data Controller grants its approval to the Data Processor hiring the following subcontractors in connection with the delivery and management of transport- and logistics services. Version 1/May 2018 4/7

The Data Processor is liable for damages to the Data Controller for any financial loss that is inflicted on the Data Controller and that is due to illegal or improper treatment of personal data, or inadequate information security on the part of subcontractors for transport- and logistics services. 11. Transfer to countries outside the EU/EEA Background: Personal data that the Data Processor manages on behalf of the Data Controller may be transferred to countries outside the EU/EEA (third countries). Such transfer may take place on certain terms, and the rules for transfer to third countries are to be found in Articles 45-47 and 49 of the Directive. These rules include, among other things, that the transfer will be lawful if it takes place to an EU-approved third country, to US companies in the United States who have joined the Privacy Shield scheme, or on the basis of the EU's standard contracts for the transfer of personal data to data processors in third countries. The rules also apply to backup and other transfer of connection with the administration of the relevant service, such as support. Personal data that the Data Processor manages under this agreement may be transferred to other countries outside the EU/EEA when requested by our customers.... The legal basis for transfer of personal data to the aforementioned recipient countries outside the EU/EEA is... In order to conduct transport- and logistics services internationally, it is essential to be able to transfer the shipping information which may include the name of the contact person, e-mail address and telephone number. 12. Security audits and impact assessments The Data Processor will regularly implement security audits of its own work with safeguarding personal data from unauthorized or unlawful access, alteration, deletion, damage, loss, or unavailability. The Data Processor will enforce security audits of the information security in < name of service >. Security audits should include the Data Processor s security goals and security strategy, security organisation, guidelines and routines for security work, established technical, physical and organizational safeguards and the work of subcontractor information security to < name of service >. It should also include routines for notification to the Data Controller of security breaches, and routines for testing of emergency- and continuity plans. The Data Processor should document the security audits. The Data Controller should be granted access to the audit reports. If an independent third party is conducting security audits at the Data Processor, the Data Controller should be informed of which auditor is being used and be granted access to summaries of the audit reports. Version 1/May 2018 5/7

The Data Processor will assist the Data Controller if the use of transport- and logistics services means that the Data Controller is obliged to investigate the personal privacy impacts prior to the carrying out of the transport- and logistics services, cf. GDPR, Articles 35 and 36. The Data Processor can assist the Data Controller by implementing a personal privacy promoting action if the impact assessment shows that this is necessary. 13. Return and erasure Upon termination of this agreement, the Data Processor is obliged to delete and return all personal data that is managed on behalf of the Data Controller in connection with the delivery and administration of transport- and logistics services. The Data Controller determines how the return of the personal data will take place, including the format to be used. The Data Processor will delete personal data from all storage media containing personal data that the Data Processor manages on behalf of the Data Controller. Erasure is to be done by the Data Processor transmitting the personal data within 30 days from the termination of the agreement. This also applies to the personal data backup. The Data Processor will document that the erasure of personal data has been carried out in accordance with this agreement. The documentation should be made available to the Data Controller. The Data Processor covers all costs associated with the return and erasure of any personal data covered by this agreement. 14. Breach of agreement In the event of breach of the terms of this agreement caused by errors or omissions on the part of the Data Processor, the Data Controller may terminate the agreement with immediate effect. The Data Processor will continue to be obliged to return and erase personal data managed on behalf of the Data Controller pursuant to the provisions of point 13 above. The Data Controller may claim compensation for financial loss, such as errors or omissions on the part of the Data Processor, including breach of the terms of this agreement, that is inflicted on the Data Controller, cf. also points 5 and 10 above. Version 1/May 2018 6/7

15. Duration of the agreement This agreement applies as long as the Data Processor manages the personal data on behalf of the Data Controller. The agreement may be terminated by both parties with a 30 day mutual notice period. 16. Notices Notices under this Agreement shall be sent in writing to:... 17. Choice of law and legal venue The agreement is governed by Norwegian law as legal venue. (adjust to the country in question) This also applies after termination of the agreement. This agreement is in two 2 originals, one to each of the parties.... Place and date On behalf of the Data Controller... On behalf of the Data Processor...... Signature) Signature) ColliCare Logistics Version 1/May 2018 7/7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback