Data Processing Agreement
1 Background and Scope
1.1 This data processing agreement (the "DPA") forms an integral part of the Keystone Data Processing Addendum (the “Addendum”) and applies when Keystone acts as a processor of personal data on behalf of the Customer, who acts as the controller. This arrangement is detailed in Section 2 of the Addendum that corresponds to the Keystone Services purchased by the Customer, as specified in the Order Confirmation and provided pursuant to the Main Agreement. For the purpose of this DPA the Customer is hereafter referred to as the "controller" and Keystone as the "processor", and jointly as the "parties".
1.2 Within the scope of the Main Agreement, and in order to provide the Keystone Services, personal data shall be transferred to and processed by the processor. The parties wish to set out the conditions for this processing in this DPA in accordance with Article 28 of the General Data Protection Regulation 2016/679 of 27 April 2016 ("GDPR").
1.3 This DPA sets out the rights and obligations of the controller and the processor, when processing personal data on behalf of the controller. In the context of the Main Agreement the processor shall process personal data on behalf of the controller in accordance with the DPA.
1.4 In addition to the processing of personal data in connection with the Main Agreement, the parties are aware and accept that the processor may also process personal data in the role of controller for its own purposes, such as (i) complying with applicable laws and regulations, (ii) requests and communications with authorities, (iii) for administration, accounting and risk evaluation purposes and (iv) for the purpose of service improvement and product development, analytics, and marketing.
1.5 Notwithstanding the content of this DPA, the parties shall comply with their respective responsibilities and obligations pursuant to EU or Member State law.
2 Definitions
2,1 "Applicable Data Protection Law", means the General Data Protection Regulation (EU) Regulation 2016/679 ("GDPR"), the Norwegian Personal Data Act of 15 June 2018 no. 15 and any legislation implementing GDPR, as well as any other legislation regarding processing of personal data. To the extent the Main Agreement has been entered into with a Keystone entity located in the UK (as specified in the Order Confirmation), the following data protection laws shall apply respectively; the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) ("UK GDPR").
2.2 "controller", means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (herein the Customer).
2.3 "personal data", means any information relating to an identified or identifiable natural person ("data subject") that the Processor processes on behalf of the controller; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.4 "processing", means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.5 "processor", means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (herein Keystone).
2.6 "special categories of personal data", means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural sexual orientation and data relating to criminal convictions and offences.
2.7 "EU or Member State law" refers to any regulations or laws applicable to a country that has implemented the GDPR and is a member of the European Economic Area (EEA).
Words, abbreviations and expressions not defined herein shall have the content ascribed to them in the Main Agreement and Applicable Data Protection Law, unless otherwise appears from the context or is expressly stated below.
3 Description of the Processing
3.1 A detailed description of the processing of personal data of the data subjects concerned, in particular the categories of personal data and the purpose and nature of the processing for which the personal data is processed on behalf of the controller, is specified in Section 2 of the Addendum corresponding to the respective Keystone Service provided to the Customer.
4 The Obligations, Rights and Responsibilities of the Controller
4.1 The controller is responsible for ensuring that the processing of personal data takes place in compliance with Applicable Data Protection Law (see Article 24 GDPR). For the avoidance of doubt, this includes the responsibility for ensuring that the controller has a lawful basis for the processing of personal data under Applicable Data Protection Law when using the Keystone Services and making available personal data to the processor in accordance with the Main Agreement.
4.2 In the event that the processor violates this DPA or the Applicable Data Protection Law, the controller may require the processor to stop further processing of the personal data with immediate effect.
5 General Obligations of the Processor
5.1 The processor undertakes to process personal data on behalf of the Controller in accordance with Applicable Data Protection Law, the Main Agreement, this DPA with appendices and any subsequent agreement between the parties.
5.2 The processor shall process personal data on instructions from the controller, unless it is subject to a legal obligation whereby it is required to perform another processing activity. In such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. For the avoidance of doubt, the parties agree that providing the Keystone Services as in accordance with what is set forth in the Main Agreement and this DPA constitutes processing personal data in accordance with the controller's instructions.
5.3 If the processor goes beyond its mandate or determines the purpose and means of the processing itself, it shall be considered as a controller for that processing activity.
5.4 The processor shall immediately notify the controller when the processor considers an instruction given by the controller to be in breach with the Applicable Data Protection Law or any other legal requirement concerning data protection of EU or Member State law.
5.5 The processor undertakes to provide the controller with all information that allows the controller to demonstrate that the processing is being carried out in accordance with the Applicable Data Protection Laws.
5.6 At the explicit request of the controller, the processor shall provide the controller with a copy of the personal data being processed under the DPA.
6 Assistance Obligations
6.1 If the data subject contacts the processor directly or issues a request to the processor for exercising its rights laid down in Chapter III GDPR, the processor shall without undue delay refer the data subject to the controller.
6.2 Taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organisation measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subjects' rights laid down in Applicable Data Protection Law.
6.3 If relevant, the processor shall furthermore, taking into account the nature of the processing and the information available to the processor, reasonably assist the controller in ensuring compliance with:
a) the controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
b) the controller’s obligation to consult the competent supervisory authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
c) the obligations in Article 32 GDPR.
7 Confidentiality
7.1 The processor shall ensure that only authorised personnel have access to the personal data, and that authorisation is only assigned to personnel who have a justified need to access the personal data.
7.2 Processor shall ensure that persons authorised to process the personal data are committed to processing the information confidentially by a confidentiality statement in an employment contract or in another agreement, if such person is not subject to an appropriate statutory duty of confidentiality.
7.3 The duty of confidentiality described in clause 7.1 and 7.2 above shall survive the termination of this DPA.
8 Security of Processing
8.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the processor shall, in accordance with Article 32 GDPR, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
8.2 The processor and controller have agreed upon the technical and organizational measures to be implemented to ensure the security of the personal data. These measures shall correspond to the Keystone Group IT Security Measures, as detailed on the processor's dedicated webpage regarding security measures, which is incorporated into this DPA by reference and is available at the following link: Technical and organisational measures (TOM). The processor may update or modify its technical and organizational measures from time to time, provided such updates and modifications do not result in the degradation of the overall security of the Keystone Service.
8.3 In case of accidental or unlawful destruction, loss, unauthorised access to or processing of the personal data (“Data Breach”), the processor shall inform the controller thereof without undue delay after becoming aware of the Data Breach. The controller shall notify the Data Breach to the competent data protection authority and/or the data subjects in accordance with Articles 33 and 34 GDPR.
8.4 The processor shall provide all reasonable assistance to the controller in order to allow the controller to carry out its obligations under Articles 33 and 34 GDPR. In the event that the controller is obliged to communicate a Data Breach to the data subjects pursuant to GDPR, the processor shall assist the controller in doing so, including by providing the information required for the controller to be able to communicate the breach in a clear and lawful manner. The controller shall bear any costs related to such communication to the data subject.
9 Use of Sub-Processors
9.1 The processor has the controller’s general authorisation for engaging another processor (the “sub-processor”) for the fulfilment of the DPA. The processor shall notify the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). Such information will be provided by updating the list of sub-processors on the processor’s dedicated webpage, which details the use of sub-processors. This list is incorporated into this DPA by reference and is available at the following link: Sub-processor Overview. If the controller objects to the proposed changes in sub-processor(s), the processor and controller shall attempt to reach an agreement on how to handle the changes.
9.2 Where the processor engages a sub-processor pursuant to this Section 9, the same data protection obligations as set out in this DPA shall be imposed on the sub-processor by way of a written contract, and the processor shall ensure that any use of sub-processors is performed in accordance with Applicable Data Protection Law.
9.3 Where a sub-processor fails to fulfil its data protection obligations, the processor shall remain fully liable to the controller for the performance of that sub-processor's obligations under the DPA.
10 Transfer of Data to Countries Outside the EU/EEA
10.1 Any transfer of personal data to third countries or international organisations by the processor shall always take place in compliance with Chapter V GDPR.
10.2 The controller agrees that where the processor engages a sub-processor for carrying out specific processing activities and those processing activities involve a transfer of personal data outside of the EU/EEA within the meaning of Chapter V GDPR, the processor is authorised to facilitate such transfer provided that at least one of the legal grounds (adequacy decision or appropriate safeguards) below apply:
(i) the European Commission has decided that the security level in the relevant third country, to which personal data shall be transferred, is adequate. These countries are listed on the European Commission’s homepage;
(ii) the processor has, on behalf of the controller, entered into a binding agreement incorporating the European Commission's from time to time applicable standard data protection clauses for the transfer of personal data to third countries, with the sub-processor in the third country; or
(iii) the transfer is based on binding corporate rules in accordance with article 47 of the GDPR.
10.3 The list of sub-processors engaged by the processor and authorised by the controller, along with the sub-processors location and the legal basis for the data transfer, is incorporated by reference into this DPA and available at the following link: Sub-processor Overview.
10.4 In case transfers to third countries or international organisations, which the processor has not been instructed to perform by the controller, is required under EU or Member State law to which the processor is subject, the processor shall inform the controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.
10.5 To the extent the Main Agreement has been entered into with a Keystone entity located in the UK (as specified in the Order Confirmation), the transfer of personal data from the Customer to Keystone in the UK is governed by Article 45 of the GDPR and the European Parliament resolution of 21 May 2021 on the adequate protection of personal data by the United Kingdom (2021/2594) (the UK Adequacy Decision).
11 Access to Information and Performance of Audits
11.1 If there are reasonable indications of a breach of the DPA or Applicable Data Protection Law, for example but not limited to, in the case of a Data Breach, the controller is entitled (to mandate an auditor) to conduct an audit or inspection of the processor’s processing of the personal data upon reasonable prior notification to the processor. The processor shall make available all information necessary for the performance of the audit/inspection by the controller or an auditor. The audit/inspection shall be restricted in scope, manner and duration to what is reasonably necessary to achieve its purpose and may not unnecessarily interrupt the processor’s operations.
11.2 The processor shall set aside the resources (mainly time) required for the controller to be able to perform the audit/inspection. The controller shall bear all (other) reasonable costs of the audit/inspection.
11.3 Based on the results of such an audit/inspection, the controller may request further measures to be taken to ensure compliance with Applicable Data Protection Law and the DPA.
12 Duration and Termination
12.1 The DPA enters into force on the date of signature of the Main Agreement and remains in effect as long as the processor processes personal data on behalf of the controller in the context of the Main Agreement.
12.2 Upon termination of the Main Agreement, the processor shall terminate the processing under this DPA, unless the parties decide otherwise. The processor shall delete or return, at the choice of the controller, all the personal data in its possession that has been processed in the context of being a processor, as well as every existing copy or back-up made, unless the storage of the personal data is legally required.
12.3 The processor shall ensure that any sub-processor shall terminate the processing of the personal data and delete all the personal data from its files upon termination of the Main Agreement.
12.4 Both parties shall be entitled to require the DPA renegotiated if changes to the law or inexpediency of the DPA should give rise to such renegotiation.
13 Liability
13.1 The parties' liability for damage suffered by a data subject or other natural persons which is due to a violation of Applicable Data Protection Law shall follow the provisions of Article 82 of the GDPR. The parties are individually responsible to the relevant supervisory authority, for administrative fines imposed pursuant to Article 83 of the GDPR. As between the Parties (inter partes) the processor’s liability under the DPA shall not exceed the limitations on liability as outlined in the Main Agreement.
13.2 The processor shall not be liable:
a) for any indirect or consequential damage, loss of profits, loss of turnover, lost business opportunities or reputational damage suffered by the controller,
b) for any damage suffered by the data subjects or other natural persons due to identity theft, data theft or cybercrime, if the technical and organisational measures provided for in Section 8.2 of the DPA have been implemented, or
c) for non-performance or delay in performance caused by any event beyond the reasonable control of the processor.
14 Notice
14.1 Notices or communication pursuant to this DPA shall be sent in writing to the parties’ given contact persons as set out in the Main Agreement and/or the Order Confirmation.
15 Legal Venue and Governing Law
15.1 Unless otherwise agreed in the Main Agreement, this DPA shall be governed by the laws of Norway, with Oslo District Court as the legal venue.