Privacy

1. Introduction, Purpose and Definitions 

When fulfillment of the "Agreement" (see the definition in point 1 of the Supplier's (i.e. Catacloud Services) terms of use) involves the processing of personal data, such processing is subject to the legal provisions and obligations of the applicable privacy legislation. 

The Supplier, hereafter the "Data Processor", and the Customer, hereafter the "Data Controller", have entered into this Data Processor Agreement to regulate the Data Processor's rights and obligations with regard to all processing of personal data on behalf of the Data Controller under the Agreement, including under this Data Processor Agreement, so as to ensure that all processing of personal data is carried out in accordance with the applicable privacy regulations. 

This Data Processor Agreement shall ensure that the Controller's personal data is processed in accordance with: 

  • EU Regulation 2016/679 ("General Data Protection Regulation" or "GDPR") as amended from time to time and all relevant national legislation, including national implementations of the GDPR. 

This Data Processor Agreement is intended to meet the requirements of the GDPR. The Parties agree that if laws, regulations or guidelines from the supervisory authorities change to a significant extent, the terms of this Data Processor Agreement shall be revised in good faith, with the intention that the provisions and content of the Data Processor Agreement shall, on an ongoing basis, meet the requirements of the GDPR. 

This Data Processor Agreement applies in addition to the Data Processor's privacy policy. 

"Personal Data" shall mean any information about an identified or identifiable natural person, as further defined in GDPR Article 4(1). 

"Processing of Personal Data" shall mean any operation or series of operations carried out with Personal Data, whether automated or not, e.g. collection, registration, organisation, structuring, storage, adaptation or alteration, as further defined in GDPR Article 4(2). 

"Sub-processor" shall mean any other data processor or third party that processes Personal Data at the Data Processor's initiative, knowingly or unintentionally, to carry out specific processing activities on behalf of the Controller, including software entities and affiliated companies. 

"Third country" means countries outside the EU/EEA area. 

This Agreement includes: 

  • Appendix A: Information about the processing 
  • Appendix B: Authorized Sub-Data Processors 

The Data Processor and the Controller will hereafter be collectively referred to as the "Parties" or individually as a "Party". 


2. Rights and Duties of the Data Controller 

The Data Controller is responsible for ensuring that the processing of Personal Data takes place in accordance with the GDPR (cf. GDPR Article 24), including applicable national privacy legislation and this Data Processor Agreement. 

The Data Controller has the right and duty to make decisions about the purpose of, and the means to be used for, the processing of Personal Data. 

The Data Controller is responsible for ensuring that the Data Processor has sufficient instructions and information at all times to fulfill its duties in accordance with the Data Processor Agreement and the privacy regulations. 

The Data Controller must inform the relevant data subjects about the processing activities that the Data Processor will carry out on behalf of the Data Controller under this Data Processor Agreement. 

The Data Controller must implement sufficient technical and organizational measures to ensure and demonstrate compliance with the GDPR. 

The Data Controller must notify any privacy breaches to the relevant authorities and, if necessary, the data subjects without undue delay in accordance with the applicable law. 

3. Instructions from the Data Controller 

The Data Processor shall only process Personal Data in accordance with documented instructions from the Data Controller, unless otherwise required by EU or national legislation to which the Data Processor is subject. The Agreement (cf. definition in point 1 of the Supplier's terms of use) constitutes the instructions on the date of conclusion of this Data Processor Agreement. Instructions may also be given after the conclusion of the Agreement and the Data Processor Agreement. The Data Processor must be able to document such instructions at all times. 

Unless otherwise specified in the Data Processor Agreement, the Data Processor may use all relevant technical aids (incl. IT systems and software) to fulfill the obligations incumbent on the Data Processor. 

If the Data Processor is of the opinion that an instruction from the Data Controller is contrary to the privacy regulations, the Data Processor must immediately notify the Data Controller of this. 

4. Confidentiality 

The Data Processor must ensure that employees and others who have access to Personal Data are authorized to process such Personal Data on behalf of the Data Processor. If such authorization expires or is withdrawn, access to the Personal Data shall cease without undue delay. 

The Data Processor must ensure that persons who are authorized to process the Personal Data have undertaken to treat the information confidentially or are subject to a suitable statutory duty of confidentiality. This provision also applies after the termination of the Data Processor Agreement. The Data Processor must be able to document this at the request of the Data Controller. 

5. Security of the Processing 

Taking into account the state of the art, the costs of implementation, the nature, scope, purpose and context of the processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Data Controller and the Data Processor shall consider implementing one or more of the following technical and organizational measures: 

  • pseudonymisation and encryption of Personal Data; 
  • ability to ensure continued confidentiality, integrity, availability and robustness of the processing systems and services; 
  • ability to restore availability and access to Personal Data in a timely manner if a physical or technical incident occurs; 
  • a process for regular testing, analysis and assessment of how effective the processing's technical and organizational security measures are. 

Pursuant to GDPR Article 32, the Data Processor must also – independently of the Controller – assess the risk to the rights and freedoms of natural persons in connection with the processing, and take measures to reduce these risks. For this purpose, the Data Controller shall provide the Data Processor with all information necessary to identify and evaluate such risks. 

Furthermore, the Data Processor must assist the Data Controller in complying with the Data Controller's obligations under GDPR Article 32. Among other things, this means providing the Data Controller with information about the technical and organizational measures the Data Processor has implemented in accordance with GDPR Article 32, together with any other information the Data Controller needs in order to comply with its obligations under GDPR Article 32. 

Additional security measures will be implemented by the Data Processor, in accordance with the Data Processor's security guidelines. 

6. Use of Sub-Data Processors 

The Data Processor must meet the requirements of GDPR Article 28(2) and (4) in order to engage another data processor (a Sub-Data Processor).  

At the time of entering into the Data Processor Agreement, the Data Processor has the Data Controller's general authorization to engage Sub-Data Processors. The Data Processor shall inform the Data Controller in writing of any intended changes regarding the addition or replacement of Sub-Data Processors at least fourteen (14) days in advance, thereby giving the Data Controller the opportunity to object to such changes before the relevant Sub-Data Processor is engaged. The Sub-Data Processors approved at the conclusion of the Data Processor Agreement are specified in Appendix B to the Data Processor Agreement. 

Sub-Data Processors must be made aware of the Data Processor's obligations under this Data Processor Agreement and of the regulations governing the processing of the Data Controller's Personal Data, and must be subject to the same obligations with regard to the protection of Personal Data as stipulated in this Data Processor Agreement. The Sub-Data Processor must provide sufficient guarantees that it will implement technical and organizational measures ensuring that the processing meets the legal requirements. The Data Processor shall remain fully responsible to the Data Controller for the performance of the Sub-Data Processor's obligations pursuant to its contract with the Data Processor. The Data Processor must notify the Data Controller of any deficiencies in the Sub-Data Processor's fulfillment of its contractual obligations. 

The Data Controller also has the right, upon written request, to receive copies of the relevant terms of the Data Processor's agreement with Sub-Data Processors who are to process Personal Data on behalf of the Data Controller, subject to the limitations that may follow from law or regulation. In any case, purely commercial terms cannot be required to be submitted. 

The Data Processor shall enter into a third-party beneficiary clause with the Sub-Data Processor, so that, in the event that the Data Processor has factually disappeared, ceased to exist in law or has become insolvent, the Data Controller shall have the right to terminate the contract with the Sub-Data Processor and instruct the Sub-Data Processor to delete or return the Personal Data. 


7. Transfer of Personal Information to Third Countries or International Organisations 

Any transfer of Personal Data to Third Countries or International Organizations must only take place on the basis of documented instructions from the Controller and must always take place in accordance with GDPR chapter V.   

In the event that transfers to Third Countries or International Organisations, which the Data Processor has not been instructed to carry out by the Data Controller, are required by EU or national legislation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of the legal basis before the transfer takes place, unless the law prohibits this for important reasons of public interest. 

The Data Controller's instructions regarding the transfer of Personal Data to a Third Country, including, if applicable, the basis for transfer under GDPR Chapter V on which the transfer is based, shall be set out in Appendix B.1. 

This Data Processor Agreement should not be confused with standard data protection clauses under GDPR Article 46(2)(c) and (d), and this Data Processor Agreement cannot be considered a basis for transfer under GDPR Chapter V. 

8. Assistance to the Data Controller 

Considering the nature of the processing, the Data Processor shall assist the Data Controller with appropriate technical and organizational measures, as far as this is possible, in fulfilling the Data Controller's obligations to respond to requests to exercise the data subject's rights in accordance with GDPR chapter III. 

This means that the Data Processor, as far as this is possible, must assist the Controller in the Controller's compliance with: 

  • the right to be informed when Personal Information is collected from the data subject 
  • the right to be informed when Personal Information has not been obtained from the data subject 
  • the data subject's right of access 
  • right to rectification 
  • right to erasure ("the right to be forgotten") 
  • right to restriction of processing 
  • notification obligation in relation to correction or deletion of Personal Data or restriction of processing 
  • right to data portability 
  • right to object 
  • the right not to be subject to a decision based solely on automated processing, including profiling 

In addition to the Data Processor's duty to assist the Data Controller according to section 5, the Data Processor must also, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with: 

  • The Data Controller's duty to report the breach to the relevant supervisory authority without undue delay and, where possible, no later than 72 hours after becoming aware of it, unless the breach is likely to entail a risk to the rights and freedoms of natural persons; 
  • The controller's obligation to inform the data subject of the breach without undue delay, when the breach is likely to result in a high risk to the rights and freedoms of natural persons; 
  • The data controller's obligation to carry out privacy impact assessments (Data Protection Impact Assessment); 
  • The Controller's obligation to consult the competent supervisory authority before processing where a privacy impact assessment indicates that a processing will result in a high risk in the absence of measures by the Controller to reduce the identified risk. 
  • The Data Controller's obligation to ensure that the Personal Information is accurate and up-to-date, by informing the Data Controller without undue delay if the Data Processor becomes aware that the Personal Data being processed is inaccurate or out of date. 


9. Notification of Privacy Breach 

In the event that a privacy breach occurs, the Data Processor shall, without undue delay after becoming aware of it, notify the Controller of the privacy breach.   

The Data Processor's notification to the Data Controller shall, if possible, take place no later than 48 hours after the Data Processor has become aware of the privacy breach in order to facilitate that the Data Controller can comply with the Data Controller's duty to report the privacy breach to the competent supervisory authority, cf. GDPR Article 33. 

In accordance with point 8, the Data Processor shall assist the Data Controller in notifying the competent supervisory authority of a privacy breach. This means that the Data Processor is required to assist in obtaining the information described below, in accordance with GDPR Article 33(3): 

  • a description of the nature of the breach of personal data security, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of records of Personal Data affected; 
  • the name and contact details of the data protection officer or another contact point where more information can be obtained; 
  • a description of the likely consequences of the breach of personal data security; 
  • a description of the measures that the Data Controller has taken or proposes to take to deal with the breach of personal data security, including, if relevant, measures to reduce any harmful effects of the breach. 

If not all information can be provided in the first notification, the information must be provided successively as soon as it is available without undue delay. 


10. Deletion and Return of Personal Information 

The parties agree that upon termination of the Agreement (cf. point 3 of the Supplier's terms of use), this Data Processor Agreement will also be considered terminated. 

Upon termination of the Agreement, the Data Processor is obliged to return all Personal Data to the Controller and delete existing copies within a reasonable time after the agreement with the Controller ceases, unless the Parties agree otherwise, and unless EU or national legislation requires storage of the Personal Data. 

For the avoidance of doubt, nothing in this Data Processor Agreement shall oblige the Data Processor to delete copies of Personal Data that it holds on its own behalf as Controller (if any). Furthermore, nothing in this Data Processor Agreement shall oblige the Data Processor to delete data that is not Personal Data (neither directly nor indirectly) such as, but not limited to, sufficiently aggregated and/or sufficiently anonymized statistical data regarding the Data Controller's use and the Data Controller's end users' use of the cloud-based accounting system Catacloud which is offered under the Agreement. 

11. Audit and Inspection 

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in GDPR Article 28 and this Data Processor Agreement, and shall contribute to audits, including inspections, carried out by the Data Controller itself or by an auditor commissioned by the Data Controller, at reasonable intervals or if there are indications of non-compliance. 

The Data Processor is required to give the supervisory authorities, who according to current legislation have access to the Data Controller's and Data Processor's facilities, or representatives acting on behalf of such supervisory authorities, access to the Data Processor's physical facilities on presentation of appropriate identification. 


12. Other Duties and Rights 

Other duties and rights between the Parties are stipulated in the Agreement (cf. definition in point 1, in the Supplier's terms of use). 

The same contact persons under the Agreement will be the contact persons under this Data Processor Agreement. 

Both Parties acknowledge that this Data Processor Agreement shall not extend the Controller's sanctioning options, including liability for compensation for the Data Processor, beyond what follows from the Agreement (cf. point 13.3 of the Supplier's terms of use), or GDPR. The parties acknowledge that some of the obligations and areas of responsibility according to the GDPR are different from the sanction options in the Supplier's terms of use.  

When transferring the Agreement to other parties (cf. point 5 of the Supplier's terms of use), the Data Processor Agreement will be considered transferred at the same time. 

13. Dispute and Jurisdiction 

This Data Processor Agreement shall be interpreted in its entirety in accordance with Norwegian law, with the exception of non-derogable provisions in applicable privacy legislation. 

Any dispute regarding the Data Processing Agreement, or dispute arising as a result of this Data Processing Agreement, shall in the first instance be resolved by the Parties through negotiations. 

If a dispute cannot be resolved through negotiations, it shall be brought before the Oslo District Court, unless the applicable privacy legislation mandates another jurisdiction. 

Appendix A. Information about the processing 

A.1. The purpose of the Data Processor's processing of Personal Data on behalf of the Data Controller is: 

The Data Processor will gain access to and process Personal Data on behalf of the Data Controller for the purpose of fulfilling its obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use). 

The Data Processor will not process or store Personal Data to a greater extent than is necessary to be able to deliver the agreed services. 


A.2. The Data Processor's processing of Personal Data on behalf of the Data Controller shall mainly consist of the following (type of processing): 

The nature of the processing may vary. It will include, but is not limited to, collection of Personal Data, structuring of Personal Data, storage of Personal Data, adaptation or alteration of Personal Data, transfer of Personal Data, analysis of Personal Data, or combinations thereof. 

Other processing activities may be carried out by the Data Processor for the purpose of fulfilling the Data Processor's obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use). 

A.3. The processing includes the following types of Personal Data about registered persons: 

  • Contact information such as names, email addresses, telephone numbers and physical addresses. 
  • End users' employment details (and related information) such as date of birth, social security number / national identification number, nationality, gender, job title, department, start date, bank account details for salary payments, basic salary, overtime hours and rates, bonus or incentive information, deductions and contributions (taxes, insurance premiums, pension schemes), leave requests and approvals, and attendance registration (working hours, absences, delays). 
  • System and usage data such as IP address, device information, logs. 
  • Document metadata such as document titles, author information, date and time of document creation or change, keywords or codes associated with documents. 
  • Financial information to the extent that it is necessary to carry out compliance processes such as closing accounts, tax reporting and auditing. 


In the event that it becomes necessary to process more Personal Data than those listed above, such processing will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the Data Processor's obligations under the Agreement (cf. definition in point 1 in the Supplier's terms of use). 


A.4. Processing includes the following categories of data subjects: 

  • The Data Controller's (Customer's) employees 
  • The Data Controller's (Customer's) end users 
  • All other persons / individuals / users who interact with the cloud-based accounting system Catacloud, on the instructions and authorization of the Data Controller, to upload, access and process documents and data. This includes, for example, but is not limited to, Retailers who sell access to the Catacloud system and solution for their own account and act as independent business operators towards both the Supplier and the Retailer's end customers. 

In the event that it becomes necessary to process Personal Data of more categories of registered persons than those listed above, such processing will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the Data Processor's obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use). 

A.5. The Data Processor's processing of Personal Data on behalf of the Data Controller begins when this agreement enters into force. The processing has the following duration: 

For the entire duration/period of the Agreement (cf. point 3 of the Supplier's terms of use). 


Appendix B. Authorized Sub-Data Processors 

B.1. Approved Sub-Data Processors 

At the time of entering into the Agreement (cf. definition in point 1 of the Supplier's terms of use) and this Data Processor Agreement, the Data Controller has approved the use of the following Sub-Data Processors, listed with the name of the Sub-Data Processor, company address, location of the data processing and description of the purpose of the processing: 

  • Catacloud 
    Company address: Rolfsbuktveien 2, 1364 Fornebu, Norway 
    Location of the data processing: All processing is carried out within the EU/EEA 
    Purpose of the processing: Owns the solution/accounting system that is available at app.catacloud.com and that is used by the Customer. 

  • ZTL 
    Company address: Kristian IVs gate 15, 0164 Oslo, Norway 
    Location of the data processing: All processing is carried out within the EU/EEA 
    Purpose of the processing: Enables users to initiate secure and convenient payment transactions directly from their accounts. 

  • Nets (Master Card) 
    Company address: Nets Branch Norway, Haavard Martinsensvei 54, 0978 Oslo 
    Location of the data processing: All processing is carried out within the EU/EEA 
    Purpose of the processing: Facilitates secure and efficient payment transactions between merchants, cardholders and issuing banks. 

  • ECIT Digital 
    Company address: Stadionveien 4, 7898 Limingen, Norway 
    Location of the data processing: All processing is carried out within the EU/EEA 
    Purpose of the processing: Manages and organizes documents in a digital format, enabling easy storage, retrieval and tracking. 

  • Intect 
    Company address: Hørkær 12A, 2730 Herlev, Denmark 
    Location of the data processing: All processing is carried out within the EU/EEA 
    Purpose of the processing: Administration of remuneration and salary payment processes to employees in an accurate and efficient manner. 

  • Amazon Web Services 
    Company address: One Burlington Plaza, Burlington Road, Dublin 4, Do4 Rh96, Ireland 
    Location of the data processing: All processing is carried out within the EU/EEA 
    Purpose of the processing: Hosting and storage of Personal Data in a secure and scalable way. 


At the start of the Agreement and this Data Processor Agreement, the Data Controller has approved the use of the above-mentioned Sub-Data Processors for the processing described for each of them. 

B.2. General authorization by the Data Controller 

Subject to the limitations explicitly mentioned in this Data Processor Agreement, and subject to applicable limitations under the GDPR, the Data Controller gives general consent that the Data Processor may, during the term of the Agreement (cf. point 3 of the Supplier's terms of use), use standard software from Amazon and the other Sub-Data Processors listed under Appendix B, point B.1, in order to fulfill the Data Processor's obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use). Furthermore, the Data Controller agrees that such processing is supported by servers in Third Countries. 

The agreed period of advance notice for authorization to add and/or change Sub-Data Processors is at least fourteen (14) days. The Data Controller has the opportunity to object to such changes within the aforementioned deadline. If no objection from the Data Controller is received within the deadline mentioned above, the Sub-Data Processor in question shall be deemed to have been accepted by the Data Controller.