When the fulfillment of the «Agreement» (see definition in point 1 of the Provider’s (i.e. Catacloud Services) terms of use) involves the processing of personal data, such processing will be subject to legal provisions and obligations in accordance with applicable data protection legislation.
The Provider, hereinafter «Data Processor», and the Customer, hereinafter «Data Controller», have entered into this Data Processing Agreement to regulate the Data Processor’s rights and obligations with regard to all processing of personal data on behalf of the Data Controller under the Agreement, including under this Data Processing Agreement, to ensure that all processing of personal data is carried out in accordance with applicable data protection regulations.
This Data Processing Agreement shall ensure that the Data Controller’s personal data is processed in accordance with:
This Data Processing Agreement is intended to fulfill the requirements of GDPR. The Parties agree that if laws, regulations or guidelines from supervisory authorities change significantly, the terms of this Data Processing Agreement shall be revised in good faith, with the intention that the provisions and content of the Data Processing Agreement shall continuously meet the requirements arising from the data protection regulation.
This Data Processing Agreement applies in addition to the Data Processor’s privacy policy.
«Personal Data» shall mean any information relating to an identified or identifiable natural person, as further defined in GDPR Article 4 (1).
«Processing of personal data» shall mean any operation or set of operations which is performed on personal data, whether or not by automated means, e.g. collection, recording, organisation, structuring, storage, adaptation or alteration, as further defined in GDPR Article 4 (2).
«Sub-processor» shall mean any other data processor or third party that processes Personal Data on the Data Processor’s initiative, knowingly or unintentionally, to perform specific processing activities on behalf of the Data Controller, including software entities and affiliated companies.
«Third Country» shall mean any country outside the EU/EEA area.
This Agreement includes:
The Data Processor and the Data Controller will hereinafter collectively be referred to as «the Parties» or individually as a «Party».
The Data Controller is responsible for ensuring that the processing of Personal Data takes place in accordance with GDPR (cf. GDPR Article 24), including applicable national data protection legislation and this Data Processing Agreement.
The Data Controller has the right and obligation to make decisions about the purpose and means to be used in the processing of Personal Data.
The Data Controller shall be responsible for ensuring that the Data Processor at all times has sufficient instructions and information to fulfill its obligations in accordance with the Data Processing Agreement and data protection regulations.
The Data Controller shall inform the relevant data subjects about the processing activities that the Data Processor will carry out on behalf of the Data Controller under this Data Processing Agreement.
The Data Controller shall implement appropriate technical and organizational measures to ensure and demonstrate compliance with GDPR.
The Data Controller shall notify any personal data breaches to relevant authorities and, if necessary, the data subjects without undue delay in accordance with applicable law.
The Data Processor shall only process Personal Data in accordance with documented instructions from the Data Controller, unless otherwise required by EU or national legislation to which the Data Processor is subject. The Agreement (cf. definition in point 1 of the Provider’s terms of use) constitutes the instructions on the date of entry into this Data Processing Agreement. Instructions may also have been given after the time of entering into the Agreement and the Data Processing Agreement. The Data Processor shall at all times be able to document such instructions.
Unless otherwise specified in the Data Processing Agreement, the Data Processor may use all relevant technical aids (incl. IT systems and software) to fulfill the obligations incumbent on the Data Processor.
If the Data Processor is of the opinion that an instruction from the Data Controller is in conflict with data protection regulations, the Data Processor shall immediately notify the Data Controller of its opinion.
The Data Processor shall ensure that employees and others who have access to Personal Data are authorized to process such Personal Data on the Data Processor’s behalf. If such authorization expires or is withdrawn, access to the Personal Data shall cease without undue delay.
The Data Processor shall ensure that persons who are authorized to process the Personal Data have committed themselves to treating the data confidentially or are subject to an appropriate statutory duty of confidentiality. This provision also applies after the termination of the Data Processing Agreement. The Data Processor shall, upon request from the Data Controller, be able to document the same.
Taking into account the technical development and implementation costs, the nature, scope, purpose and context of the processing, in addition to the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Data Controller and Data Processor shall consider implementing one or more of the following technical and organizational measures:
In accordance with GDPR Article 32, the Data Processor shall also – independently of the Data Controller – assess the risk to the rights and freedoms of natural persons in connection with the processing, and implement measures to reduce these risks. For this purpose, the Data Controller shall provide the Data Processor with all information necessary to identify and evaluate such risks.
Furthermore, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations under GDPR Article 32, by, among other things, providing the Data Controller with information about the technical and organizational measures implemented by the Data Processor in accordance with GDPR Article 32 together with other information necessary for the Data Controller to have access to in order to comply with the Data Controller’s obligation under GDPR Article 32.
Further security measures will be implemented by the Data Processor, in accordance with the Data Processor’s security guidelines.
The Data Processor shall fulfill the requirements of GDPR Article 28 (2) and (4) to engage another data processor (a Sub-processor).
At the time of entering into the Data Processing Agreement, the Data Processor has the Data Controller’s general authorization to engage Sub-processors. The Data Processor shall inform the Data Controller in writing of any intended changes regarding the addition or replacement of Sub-processors at least fourteen (14) days in advance, thereby giving the Data Controller the opportunity to object to such changes before the relevant Sub-processor is engaged. Approved Sub-processors at the time of entering into the Data Processing Agreement are specified in Appendix B to the Data Processing Agreement.
Sub-processors shall be made aware of the Data Processor’s obligations under this Data Processing Agreement and the regulations governing the processing of the Data Controller’s Personal Data, and shall be subject to the same obligations with regard to the protection of Personal Data as set out in this Data Processing Agreement, where the Sub-processor shall provide sufficient guarantees that technical and organizational measures will be implemented to ensure that the processing meets legal requirements. The Data Processor shall remain fully responsible to the Data Controller for the performance of the Sub-processor’s obligations in accordance with its contract with the Data Processor. The Data Processor shall notify the Data Controller of any deficiencies in the Sub-processor’s fulfillment of its contractual obligations.
The Data Controller also has the right, upon written request, to receive copies of the relevant terms of the Data Processor’s agreement with Sub-processors who will process personal data on behalf of the Data Controller, with any limitations that may follow from law or regulation. Purely commercial terms cannot be demanded.
The Data Processor shall enter into a third-party beneficiary clause with the Sub-processor, so that – in the event that the Data Processor has factually disappeared, ceased to exist in law or has become insolvent – the Data Controller shall have the right to terminate the contract with the Sub-processor and instruct the Sub-processor to delete or return the Personal Data.
Any transfer of Personal Data to Third Countries or International Organizations shall only take place on the basis of documented instructions from the Data Controller and shall always take place in accordance with GDPR Chapter V.
In the event that transfers to Third Countries or International Organizations, which the Data Processor has not been instructed to carry out by the Data Controller, are required by EU or national legislation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of the legal basis before the transfer takes place, unless the law prohibits this for important reasons of public interest.
The Data Controller’s instructions regarding the transfer of Personal Data to a Third Country, including, if applicable, the transfer basis under GDPR Chapter V on which the transfer is based, shall be specified in Appendix B.1.
This Data Processing Agreement shall not be confused with standard data protection clauses in accordance with GDPR Article 46 (2) (c) and (d), and this Data Processing Agreement cannot be considered a transfer basis under GDPR Chapter V.
Taking into account the nature of the processing, the Data Processor shall assist the Data Controller with appropriate technical and organizational measures, as far as possible, in fulfilling the Data Controller’s obligations to respond to requests for exercising the data subject’s rights in accordance with GDPR Chapter III.
This means that the Data Processor shall, as far as possible, assist the Data Controller in the Data Controller’s compliance with:
In addition to the Data Processor’s duty to assist the Data Controller under point 5, the Data Processor shall further, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with:
In the event of a personal data breach, the Data Processor shall, without undue delay after becoming aware of it, notify the Data Controller of the personal data breach.
The Data Processor’s notification to the Data Controller shall, if possible, take place no later than 48 hours after the Data Processor has become aware of the personal data breach to facilitate the Data Controller’s compliance with the Data Controller’s obligation to report the personal data breach to the competent supervisory authority, cf. GDPR Article 33.
In accordance with point 8, the Data Processor shall assist the Data Controller in notifying the competent supervisory authority of personal data breaches, which means that the Data Processor is obliged to assist in obtaining the information described below, in accordance with GDPR Article 33 (3):
If not all information can be provided in the first notification, the information shall be provided successively as soon as it becomes available without undue delay.
The Parties agree that upon termination of the Agreement (cf. point 3 of the Provider’s terms of use), this Data Processing Agreement shall also be deemed terminated.
Upon termination of the Agreement, the Data Processor is obliged to return all Personal Data to the Data Controller and to delete existing copies once the agreement with the Data Controller has ended, unless the Parties agree otherwise, and unless EU or national legislation requires the storage of the Personal Data.
To avoid doubt, nothing in this Data Processing Agreement shall oblige the Data Processor to delete copies of Personal Data that it holds on its own behalf as Data Controller (if any). Furthermore, nothing in this Data Processing Agreement shall oblige the Data Processor to delete data that is not Personal Data (neither directly nor indirectly) such as, but not limited to, sufficiently aggregated and/or sufficiently anonymized statistical data regarding the Data Controller’s use and the Data Controller’s end-users’ use of the cloud-based accounting system Catacloud offered under the Agreement.
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this Data Processing Agreement, and contribute to audits, including inspections, carried out by the Data Controller itself or by an auditor mandated by the Data Controller at reasonable intervals or if there are indications of non-compliance.
The Data Processor is obliged to grant supervisory authorities, who in accordance with applicable legislation have access to the Data Controller’s and Data Processor’s facilities, or representatives acting on behalf of such supervisory authorities, access to the Data Processor’s physical facilities upon presentation of appropriate identification.
Other duties and rights between the Parties are set out in the Agreement (cf. definition in point 1, in the Provider’s terms of use).
The same contact persons under the Agreement will be the contact persons under this Data Processing Agreement.
Both Parties acknowledge that this Data Processing Agreement shall not extend the Data Controller’s sanction possibilities, including liability for damages for the Data Processor, beyond what follows from the Agreement (cf. point 13.3 of the Provider’s terms of use), or GDPR. The Parties acknowledge that some of the obligations and responsibilities under GDPR are different from the sanction possibilities in the Provider’s terms of use.
Upon transfer of the Agreement to other parties (cf. point 5 of the Provider’s terms of use), the Data Processing Agreement will be considered transferred simultaneously.
This Data Processing Agreement shall be interpreted in its entirety in accordance with Norwegian law, with the exception of mandatory provisions in applicable data protection legislation.
Any dispute regarding the Data Processing Agreement, or dispute arising as a result of this Data Processing Agreement, shall in the first instance be resolved by the Parties through negotiations.
If a dispute cannot be resolved through negotiations, a dispute shall be subject to Oslo District Court, unless another mandatory jurisdiction applies in applicable data protection legislation.
A.1. The purpose of the Data Processor’s processing of Personal Data on behalf of the Data Controller is:
The Data Processor will access and process Personal Data on behalf of the Data Controller for the purpose of fulfilling its obligations under the Agreement (cf. definition in point 1 of the Provider’s terms of use).
The Data Processor will not process or store Personal Data to a greater extent than is necessary to provide the agreed services.
A.2. The Data Processor’s processing of Personal Data on behalf of the Data Controller shall primarily concern (nature of processing):
The nature of the processing may vary. It will include, but is not limited to, collection of Personal Data, structuring of Personal Data, storage of Personal Data, adaptation or alteration of Personal Data, transfer of Personal Data, analysis of Personal Data, or combinations thereof.
Other processing activities may be performed by the Data Processor for the purpose of fulfilling the Data Processor’s obligations under the Agreement (cf. definition in point 1 of the Provider’s terms of use).
A.3. The processing includes the following types of Personal Data about registered persons:
In the event that it becomes necessary to process more Personal Data than those listed above, such processing will take place in accordance with instructions from the Data Controller, and/or because such processing is necessary to fulfill the Data Processor’s obligations under the Agreement (cf. definition in point 1 of the Provider’s terms of use).
A.4. Processing includes the following categories of data subjects:
In the event that it becomes necessary to process Personal Data about more categories of data subjects than those listed above, such processing will take place in accordance with instructions from the Data Controller, and/or because such processing is necessary to fulfill the Data Processor’s obligations under the Agreement (cf. definition in point 1 of the Provider’s terms of use).
A.5. The Data Processor’s processing of Personal Data on behalf of the Data Controller commences when this agreement enters into force. The processing has the following duration:
For the entire duration/period of the Agreement (cf. point 3 of the Provider’s terms of use).
Appendix B. Authorized sub-processors.
B.1. Approved sub-processors.
At the time of entering into the Agreement (cf. definition in point 1 of the Provider’s terms of use) and this Data Processing Agreement, the Data Controller has approved the use of the following Sub-processors:
| Name of Sub-processor | Company address | Location of data processing | Description of purpose of processing |
|---|---|---|---|
| Catacloud | Rolfsbuktveien 2 | All processing is performed within the EU/EEA | Owns the solution/accounting system available at app.catacloud.com and used by the customer. |
| ZTL | Kristian IVs gate 15, 0164 Oslo, Norway | All processing is performed within the EU/EEA | Enables users to initiate secure and convenient payment transactions directly from their accounts. |
| Nets (Mastercard) | Nets Branch Norway | All processing is performed within the EU/EEA | Facilitates secure and efficient payment transactions between merchants, cardholders and issuing banks. |
| ECIT Digital | Stadionveien 4, 7898 Limingen, Norway | All processing is performed within the EU/EEA | Manages and organizes documents in a digital format, enabling easy storage, retrieval and tracking. |
| Intect | Hørkær 12A, 2730 Herlev, Denmark | All processing is performed within the EU/EEA | Administration of remuneration and payroll processes for employees in an accurate and efficient manner. |
| Amazon Web Services | One Burlington Plaza, Burlington Road, Dublin 4, D04 RH96, Ireland | All processing is performed within the EU/EEA | Hosting and storage of personal data in a secure and scalable manner. |
The Data Controller has, at the commencement of the Agreement and this Data Processing Agreement, approved the use of the aforementioned Sub-processors for the processing described for each of them.
B.2. General authorization of the Data Controller
Subject to the limitations explicitly mentioned in this Data Processing Agreement, and subject to applicable limitations under GDPR, the Data Controller gives general consent that the Data Processor may, during the term of the Agreement (cf. point 3 of the Provider’s terms of use), use standard software(s) from Amazon and the other Sub-processors listed under Appendix B, point B.1, to fulfill the Data Processor’s obligations under the Agreement (cf. definition in point 1 of the Provider’s terms of use). Furthermore, the Data Controller agrees that such processing is supported by servers in Third Countries.
The agreed notice periods for authorization to add and/or change Sub-processors are at least fourteen (14) days. The Data Controller has the opportunity to object to such changes within the aforementioned deadline. If no objection from the Data Controller is received by the deadline mentioned above, the relevant Sub-processor shall be deemed accepted by the Data Controller.