Data Processing Agreement
Pindena processes personal data on behalf of customers who collect information in connection with registrations. This is our standard Data Processing Agreement, which applies for the duration of the customer relationship.
Data Processing Agreement
Last updated: 27 May 2024.
The Agreement is based on the Norwegian Digitalisation Agency’s standard Data Processing Agreement.
Standard contractual clauses
between
The Customer (Controller)
and
Pindena AS (Processor)
Org. no.: 999 183 719
Østre Kullerød 5
3241 SANDEFJORD
Norway
1. Purpose of this Data Processing Agreement
- This Agreement (the “Data Processing Agreement”) sets out the Parties’ rights and obligations when the Data Processor processes personal data on behalf of the Data Controller, as part of the services delivered under the Main Agreement. The purpose of the Data Processing Agreement is to ensure that the Parties comply with the Applicable Privacy Policy. The Data Processing Agreement comprises this document, as well as Appendices A, B, C and D.
- In the event of conflict between the terms of the Main Agreement and the Data Processing Agreement, the terms of the Data Processing Agreement will take precedence regarding matters specifically related to the processing of personal data. In the event of any conflict between the Data Processing Agreement and its Appendices, the Appendices will take precedence.
- Appendix A of the Data Processing Agreement includes a detailed description of the processing that is to take place, as well as the purpose of the processing, the categories of personal data and data subjects, the rules for erasure/deletion and return, the Parties’ designated contact persons, and which underlying agreement(s) the processing of personal data relates to (see the definition of the Main Agreement below).
- Appendix B of the Data Processing Agreement includes the conditions for the use of Subprocessors, as well as a list of approved Subprocessors.
- Appendix C of the Data Processing Agreement contains specific instructions for the processing of personal data under the Main Agreement, including security measures and the Data Controller’s right of access to and audit of the Data Processor and any Subprocessors, as well as sector-specific provisions concerning the processing of personal data.
- Appendix D of the Data Processing Agreement contains changes to the standard text and any subsequently agreed changes to the Data Processing Agreement.
2. Definitions
Applicable Privacy Policy (i.e. the applicable data protection legislation): The applicable versions of the EU’s General Data Protection Regulation (2016/679) (“GDPR”) and the Norwegian Act on the Processing of Personal Data of 15 June 2018 (the Personal Data Act) with related regulations etc., and any other relevant legislation concerning the processing and protection of personal data, as specified in Appendix C, section C.7.
Main Agreement: One or more agreements between the Data Controller and the Data Processor concerning the provision of services which entail the processing of personal data, as specified in Appendix A. The Data Processing Agreement may apply to several underlying agreements.
Subprocessor: A company or person used by the Data Processor as a subcontractor for the processing of personal data under the Main Agreement.
Data protection terms not defined in this Agreement have the meaning given to them in Article 4 of the GDPR.
3. Rights and obligations of the Data Controller
The Data Controller is responsible for the processing of personal data in accordance with the Applicable Privacy Policy. The Data Controller must specifically ensure that:
- the processing of personal data is for a specified and explicit purpose and is based on valid legal grounds
- the data subjects have received the necessary information concerning the processing of the personal data
- the Data Controller has carried out adequate risk assessments; and
- the Data Processor has at all times, adequate instructions and information to fulfil its obligations under the Data Processing Agreement and the Applicable Privacy Policy.
4. Instructions from the Data Controller to the Data Processor
- The Data Processor shall process the personal data in accordance with the Applicable Privacy Policy and the Data Controller’s documented instructions, cf. section 4.2. If other processing is necessary to fulfil obligations to which the Data Processor is subject under applicable law, the Data Processor must notify the Data Controller to the extent this is permitted by law, cf. Article 28 (3) (a) of GDPR.
- The Data Controller’s instructions are stated in the Main Agreement and the Data Processing Agreement with Appendices. The Data Processor must notify the Data Controller immediately if the Data Processor believes the instructions conflict with the Applicable Privacy Policy, cf. Article 28 (3) (h) of GDPR.
- The Data Processor must be notified of any changes to the instructions by updating Appendix D, and changes must be implemented by the Data Processor by the date agreed between the Parties or, if no specific date has been agreed, within a reasonable time. The Data Processor may require the Data Controller to pay documented costs accrued in connection with the implementation of such changes, or the proportional adjustment of the remuneration under the Main Agreement if the amended instructions entail additional costs for the Data Processor. The same applies to additional costs that accrue due to changes in the Applicable Privacy Policy which concern the activities of the Data Controller.
5. Confidentiality and duty of secrecy
- The Data Processor must ensure that employees and other parties who have access to personal data are authorised to process personal data on behalf of the Data Processor. If such authorisation expires or is withdrawn, access to the personal data must cease without undue delay.
- The Data Processor shall only authorise persons who need access to the personal data in order to fulfil their obligations under the Main Agreement, the Data Processing Agreement and any other processing that is necessary to fulfil obligations to which the Data Processor is subject, in accordance with applicable law, see section 4.1, last sentence.
- The Data Processor must ensure that persons authorized to process personal data on behalf of the Data Controller are subject to obligations of confidentiality either by agreement or applicable law. The obligations of confidentiality shall survive the duration of the Data Processing Agreement and/or employment relationship.
- At the request of the Data Controller, the Data Processor shall document that the relevant persons are subject to the obligations of confidentiality referred to in section 5.3.
- Upon the expiry of the Data Processing Agreement, the Data Processor is required to discontinue all access to personal data that is processed under the agreement.
6. Assistance to the Data Controller
- When requested, the Data Processor shall assist the Data Controller with the fulfilment of the rights of the data subjects under Chapter III of the GDPR through appropriate technical or organisational measures. The obligation to assist the Data Controller solely applies insofar as this is possible and appropriate, taking into consideration the nature and extent of the processing of personal data under the Main Agreement.
- Without undue delay, the Data Processor shall forward all enquiries that the Data Processor may receive from the data subject concerning the rights of said data subject under the Applicable Privacy Policy to the Data Controller. Such enquiries may only be answered by the Data Processor when this has been approved in writing by the Data Controller.
- The Data Processor must assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, including providing assistance with data protection impact assessments and prior consultations with the Norwegian Data Protection Authority, in view of the nature and extent of the processing of personal data under the Main Agreement.
- If the Data Processor, at the request of the Data Controller, provides assistance as described in sections 6.1 or 6.3, and the assistance goes beyond what is necessary for the Data Processor to fulfil its own obligations under the Applicable Privacy Policy, the Data Processor may claim all documented costs related to the assistance be reimbursed. The assistance will be reimbursed in accordance with the price provisions of the Main Agreement.
7. Security of processing
- The Data Processor shall implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Data Processor must, as a minimum, apply the measures specified in Appendix C of the Data Processing Agreement.
- The Data Processor shall carry out risk assessments to ensure that an appropriate level of security is maintained at all times. The Data Processor must ensure regular testing, analysis and assessment of the security measures, in particular with regard to ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the ability to restore the availability of and access to personal data in a timely manner in the event of an incident.
- The Data Processor must document the risk assessment and security measures and make them available to the Data Controller on request, and also allow for the audits agreed between the Parties, cf. section 11 of the Data Processing Agreement.
8. Notification of breach of personal data security
- In case of a personal data breach, the Data Processor shall without undue delay, notify the Data Controller in writing of the breach, and in addition provide the assistance and information necessary for the Data Controller to be able to report the breach to the supervisory authorities in line with the Applicable Privacy Policy.
- Notification in accordance with section 8.1 must be given to the Data Controller’s point of contact in accordance with Appendix C, section C.9, and must:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories of and approximate number of personal data records concerned
- state the name and contact details of the data protection officer or other contact point from where more information can be obtained
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed by the Data Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
If necessary, information may be given in phases without any further undue delay.
- The Data Processor shall implement all necessary measures that may reasonably be required to rectify and avoid similar personal data breaches. As far as possible, the Data Processor must consult the Data Controller concerning the measures to be taken, including assessment of any measures proposed by the Data Controller.
- The Data Controller is responsible for notifying the Data Protection Authority and the data subjects affected by the personal data breach. The Data Processor may not inform third parties of any breach of personal data security unless otherwise required under applicable law or in accordance with the express written instructions of the Data Controller.
9. Use of Subprocessor
- The Data Processor may only use Subprocessors with the prior general or specific written authorisation of the Data Controller, in accordance with Appendix B of the Data Processing Agreement. For an overview of approved Subprocessors, see Appendix B of the Data Processing Agreement.
- If a Data Processor engages a Subprocessor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on the Subprocessor by way of written agreement. See section 9.7 concerning the use of standard third-party services.
- The Data Processor may only engage Subprocessors who provide appropriate technical and organisational measures to ensure that the processing fulfils the requirements of the Applicable Privacy Policy. The Data Processor must assess and verify that satisfactory measures have been taken by the Subprocessors. Upon request, the Data Processor must be able to submit reports from such assessments to the Data Controller.
- If the Data Controller objects to changes in the use of Subprocessors pursuant to Appendix B, section B.1 of the Data Processing Agreement, the Parties must negotiate in good faith with the aim of reaching a reasonable solution to how the further delivery of the services under the Main Agreement is to take place, including the distribution of any costs between the Parties. The parties must come to an agreement before changes in the use of Subprocessors can be made.
- If the Subprocessor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of the Subprocessor’s obligations, in the same way as if the Data Processor itself had carried out the processing.
- The Data Processor is obligated, on request, to disclose agreements with Subprocessors to the Data Controller. This solely applies to the parts of the agreement that are relevant to the processing of personal data, and subject to any statutory or regulatory limitations. Commercial terms and conditions are not required to be submitted.
- If the Data Processor uses a subcontractor that provides standardised third-party services, the Parties may agree that the subcontractor’s standard data processing agreement will be used and applied directly to the Data Controller as in a direct data processing relationship (i.e. not as a Subprocessor), under the following terms:
- The Data Controller must expressly accept under the Main Agreement that the standardised third-party services are provided on the subcontractor’s standard terms
- The Data Processor must follow up on the standard terms on behalf of the Data Controller
- The standard terms must fulfil the requirements in the Applicable Privacy Policy.
The Data Processor must follow up the data processing agreement with the subcontractor on behalf of the Data Controller, unless otherwise agreed in each individual case.
10. Transfer of personal data to countries outside the EEA
- Personal data may only be transferred to a country outside the EEA (‘Third country’) or to an international organisation if the Data Controller has approved such transfer in writing and the terms in section 10.3 are fulfilled. Transfer includes, but is not limited to:
- processing of personal data in data centres, etc. located in a Third Country, or by personnel located in a Third Country (by remote access)
- assigning the processing of personal data to a Subprocessor in a Third Country; or
- disclosing the personal data to a Data Controller in a Third Country, or in an international organisation.
- The Data Processor may nonetheless transfer personal data if this is required by applicable law in the EEA. In such cases, the Data Processor must notify the Data Controller, to the extent permitted by law.
- Transfer to Third Countries or international organisations may only take place if there are the necessary guarantees of an adequate level of data protection in accordance with the Applicable Privacy Policy. Unless otherwise agreed between the Parties, such transfer may only take place on the following grounds:
- a decision of the European Commission concerning an adequate level of protection in accordance with Article 45 of GDPR; or
- a data processing agreement which incorporates standard data protection clauses as specified in Article 46 (2) (c) or (d) of the GDPR (the EU Standard Contractual Clauses); or
- binding corporate rules in accordance with Article 47 of GDPR.
- Any approval by the Data Controller for the transfer of personal data to a Third Country or international organisation must be stated in Appendix B of the Data Processing Agreement.
11. Audit
- Upon request, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this Data Processing Agreement.
- The Data Processor shall allow and contribute to inspections and audits carried out by or on behalf of the Data Controller. The Data Processor shall also allow and contribute to inspections conducted by relevant supervisory authorities. The Data Controller’s review of any Subprocessor shall be conducted by the Data Processor, unless otherwise specifically agreed. Specific procedures for conducting audits are stated in Appendix C, section C.5.
- If an audit reveals a breach in the obligations in the Applicable Privacy Policy or the Data Processing Agreement, the Data Processor must rectify the breach as soon as possible. The Data Controller may require the Data Processor to temporarily stop all or part of the processing activities until the breach has been rectified and approved by the Data Controller.
- Each Party shall pay its own costs associated with an annual audit. If an audit reveals significant breaches of the obligations under the Applicable Privacy Policy or the Data Processing Agreement, the Data Processor shall pay for the Data Controller’s reasonable costs accrued from the audit.
12. Erasure and return of information
- Upon the expiry of this Data Processing Agreement, the Data Processor is obligated to return and erase all personal data processed on behalf of the Data Controller under the Data Processing Agreement, in accordance with the provisions of Appendix C, section C.6. This also applies to any back-up copies.
- The Data Controller will determine how any return of personal data is to take place. The Data Controller may require return to take place in a structured and commonly used machine-readable format. The Data Controller will pay the Data Processor’s documented costs associated with the return unless this is included in the remuneration under the Main Agreement.
- If a shared infrastructure or back-up is used and direct erasure is not technically possible, the Data Processor must ensure that the personal data is made inaccessible until it has been overwritten.
- The Data Processor must confirm in writing to the Data Controller that the data has been erased or made inaccessible, and shall, upon request document how this has taken place.
- Further provisions concerning erasure and return are stated in Appendix C.
13. Breach and suspension order
- In the event of a breach of the Data Processing Agreement and/or the Applicable Privacy Policy, the Data Controller and the relevant supervisory authorities may order the Data Processor to cease all or part of the processing of the data with immediate effect.
- If the Data Processor fails to comply with its obligations pursuant to this Data Processing Agreement and/or Applicable Privacy Policy, this shall be deemed a breach of the Main Agreement, and the obligations, deadlines, sanctions and limitations of liability in the Main Agreement’s regulation of the Supplier’s breach will be applied, unless otherwise expressly agreed between the Parties in Appendix D.
14. Duration and expiry
- The Data Processing Agreement will come into effect from the date it is signed by both Parties. The Data Processing Agreement shall apply for as long as the Data Processor processes personal data on behalf of the Data Controller. It shall also apply to any personal data held by the Data Processor or any of its Subprocessors after the expiry of the Main Agreement.
- The rules concerning termination specified in the Main Agreement shall also apply to the Data Processing Agreement, to the extent this is applicable. The Data Processing Agreement may not be terminated if the Main Agreement is in effect unless it is replaced by a new Data Processing Agreement.
15. Governing law and legal venue
The Data Processing Agreement is governed by Norwegian law. Disputes will be resolved in accordance with the provisions of the Main Agreement, including any provisions concerning legal venue.
Appendix A – Information about the processing
A.1 The Main Agreement and the purpose of the processing of personal data
The Data Processor’s processing of personal data on behalf of the Data Controller pertains to the delivery of services as described in the Main Agreement.
The Main Agreement is the following agreement(s) entered into between the Parties:
- Licence agreement with Pindena AS
The purpose of the processing is as follows:
- Collection of personal data for the purpose of administering the event
A.2 The Data Processor’s processing of personal data on behalf of the Data Controller
The Data Processor’s processing of personal data on behalf of the Data Controller concerns (nature of the processing):
- Collection of personal data
- Communication with registered individuals by email and SMS
- Distribution of surveys/evaluations
- Processing payments and transmitting orders to invoicing systems
- Storing, organising and retaining personal data in the registration system
A.3 Types of personal data
The Controller shall assess and assume responsibility for determining which categories of personal data are to be collected through use of the system in accordance with Article 9 of the GDPR. The system provided by the Processor does not impose any limitations on the categories of personal data that may be collected.
The Controller will generally collect standard personal data such as name, email address and telephone number, and, where necessary, information relating to payment or place of work.
Where objectively justified, the Controller may collect personal data such as national identity number, passport number or other identifiers for the purpose of secure identification.
In exceptional cases, and where there is a lawful basis, the Controller may collect personal data pursuant to Article 9(1) of the GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
A.4 Categories of data subjects
The data subjects whose personal data are processed by the Processor may include customers, suppliers, employees, students, visitors, members, participants or any other category of natural persons, as defined by the Controller.
A.5 Duration of processing
The Processor’s processing of personal data under the Main Agreement may commence when the Data Processing Agreement has entered into force. The processing is not limited in time and lasts until the expiry of the Main Agreement.
On expiry (of the Main Agreement or the processing), personal data must be returned and erased in accordance with section 12 of the Data Processing Agreement and the instructions in Appendix C.
Appendix B – Conditions for the Data Processor’s use of and changes in any Subprocessors
B.1 The Data Controller’s approval of the use of Subprocessors
When entering into the Data Processing Agreement, the Data Controller approves the use of the Subprocessors listed in section B.2.
The following is agreed concerning changes in the use of Subprocessors:
The Data Processor may make changes to the use of Subprocessors provided that the Data Controller is notified and is given the opportunity to object to the changes. Any such notification must be received by the Data Controller no later than one month before the change enters into force, unless otherwise agreed in writing between the Parties.
If the Data Controller opposes the change, the Data Processor must be notified as soon as possible. The Data Controller may only object to the change on reasonable and justifiable grounds.
B.2 Approved Subprocessors
This is a general Data Processing Agreement applicable to all customers. Please note which Subprocessors have been selected at the time of entering into the contract.
By default, Amazon Web Services servers located in Stockholm are used. Alternatively, servers located in Norway (Deploi) may be selected. The Norwegian service providers Make AS and Link Mobility AS are used in both cases.
The Data Controller has approved the following Subprocessors in connection with the operation of the system:
| Company | Reg. no | Address | Description of the processing |
|---|---|---|---|
| Amazon Web Services Inc. | DUNS no. 884745530 | 410 Terry Avenue North, Seattle, WA 98109-5210, USA | Standard provider for the leasing of virtual servers on which the software is operated. Data are stored on servers located in Stockholm. Further information is provided in Appendix C, Clause C.4. |
| Deploi | 922 105 006 | Enebakkveien 117 0680 OSLO | Alternative provider for the leasing of virtual servers on which the software is operated. Data are stored on servers located in Oslo, owned and operated by Deploi. Data Processing Agreement (included in the terms and conditions). |
| Make AS | 993 555 002 | Sandakerveien 116 0484 OSLO | Email server service for distribution of emails. Data Processing Agreement (included in the terms and conditions). Please note: If you store personal data as described in Article 9 of the GDPR, you must ensure that the settings for sensitive data in Pindena are enabled so that such data are not transmitted by email. |
| Link Mobility AS | 992 434 643 | Langkaia 1, 0150 OSLO | SMS distribution in connection with events. Privacy policy. |
Processing of personal data by Subprocessors may also occur in connection with customer follow-up and development activities. The Controller has approved the use of the following Subprocessors:
| Company | Reg. no | Address | Description of the processing |
|---|---|---|---|
| Help Scout | | 100 City Hall Square Suite 510, Boston, MA 02108, USA | The service is used for handling customer enquiries by email, chat and telephone. Data Processing Agreement. |
| OnePageCRM | | Unit 30A, Kilkerrin Park 1 Liosban Industrial Estate, Galway H91 XY29, Ireland | CRM system – Customer Relationship Management. The Processor uses this service to store contact information, as well as correspondence to and from customers. Data Processing Agreement (included in the terms and conditions). |
| Atlassian/JIRA | | 1098 Harrison St, San Francisco, CA 94103 USA | The Processor uses the service for project management in connection with improvements and development. Data Processing Agreement. |
| Google LLC | | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | The Processor uses the Google Workspace service for email, calendar and document storage. Data Processing Agreement. |
| CoreTrek | 984 587 406 | Klinestadmoen 10 3241 SANDEFJORD Norway | Provider of development and design services, with access to personal data only where required for the provision of services. |
The Processor may not use any individual Subprocessor for processing other than that agreed, nor permit another Subprocessor to carry out the described processing, except as provided in Appendix B, Clause B.1 regarding the replacement of a Subprocessor.
Appendix C – Instructions regarding the processing of personal data
C.1 Scope and purpose of the processing
Personal data shall be processed solely to the extent and for the purposes described in
- The Main Agreement
- The Data Processing Agreement, including its appendices
The Processor shall not have any authority over the personal data beyond what is necessary to fulfil its obligations under the Data Processing Agreement and may not process the personal data for its own purposes.
C.2 Security of processing
C.2.1 Specification of security level
Based on an assessment of the scope of the personal data being processed, the type of data and the nature of the processing, and on the basis of a specific risk assessment, it has been determined that the processing requires a high level of security.
Justification for requiring a high level of security:
The processing may include special categories of personal data pursuant to Article 9 of the GDPR, which require particular protection.
The Processor shall thereafter have the right and obligation to determine the technical and organisational security measures to be implemented in order to ensure the necessary and agreed level of security.
C.2.2 Information security management system
The Data Processor must have an appropriate system for managing information security. The Data Processor must establish and manage adequate security measures to protect information security concerning the processing of personal data, including the security measures described below.
Encryption measures
Definition and explanation: Encryption is a method of encoding data in such a manner that only authorised persons have access to the information.
The Processor uses server-side encryption for databases in Amazon RDS and for files uploaded to Amazon S3. The encryption key is generated and stored in Amazon KMS (Key Management Service).
On Deploi servers, databases and uploaded files are not encrypted at rest.
The Processor uses HTTPS for all installations in order to encrypt traffic between browser and server. On most servers only TLS 1.3 is permitted, but some older servers also allow TLS 1.2.
Measures to ensure the integrity and confidentiality of personal data
Definition and explanation: Examples may include measures to control access and to ensure data integrity.
Access to personal data is restricted by providing the Controller with a dedicated installation to which only authorised users have access. Users may enable two-factor authentication. With an Enterprise licence, departments may be used to limit the number of users with access.
Information marked as sensitive data in forms will not be transmitted by email.
The system includes settings for automatic deletion of sensitive data and deletion of participants.
Employees of the Processor and Sub-processors who may process personal data have signed confidentiality undertakings. Access to personal data shall be granted on a need-to-know basis.
The Processor supports integrity by keeping an audit log of who makes changes in the installation and when.
Measures to ensure the availability of personal data
The Processor performs daily backups of all servers and databases. On the Norwegian server, backups are also taken of files uploaded to the system. The Processor also maintains recovery procedures.
Measures for the physical security of premises where data are processed
The Processor has two server providers, AWS and Deploi, each of which has implemented multiple measures to ensure the physical security of data, including:
- Access control systems with access limited to a restricted number of persons
- Fire protection systems with detection and fire suppression measures
- Uninterruptible power supply and diesel generators for backup power
- Temperature and humidity control
Further information regarding the physical security of data at AWS data centres and Deploi data centres is available.
The Processor’s office premises are secured with access control systems requiring access card and code outside normal working hours. Employees’ computers are protected by password and automatic locking when unattended.
Measures to ensure employees’ knowledge of security
The Processor shall endeavour to provide annual security training for its employees. The Processor shall be able to document such training.
C.3 Documentation
The Data Processor shall document the procedures and measures taken to fulfil the requirements arising from the Applicable Privacy Policy and the Data Processing Agreement, including the information security requirements. This documentation must be stored and updated for the duration of the Data Processing Agreement and shall be made available to the Data Controller or supervisory authorities on request.
C.4 Transfer of personal data – Location for processing and access
The processing of personal data covered by the Agreement is described for each Sub-processor used in connection with the operation of the system and, where applicable, in relation to transfers to third countries.
Amazon Web Services
The Processor stores data from installations in the registration system on servers located in Stockholm, Sweden. The Processor has entered into an agreement with Amazon Web Services EMEA SARL in Luxembourg, Europe; AWS is subject to United States law. Data stored (“at rest”) and data transmitted to and from AWS (“in transit”) are encrypted. The encryption key is generated and stored in AWS Key Management Service (KMS), so that both storage and retrieval of information function efficiently.
C.5 Auditing and supervision procedures
In order to monitor compliance with the Applicable Privacy Policy and the Data Processing Agreement, the following has been agreed:
The Processor conducts an internal audit annually.
The Data Controller has the right to carry out an audit at the Processor’s place of business in order to verify the Processor’s compliance with its obligations under this Data Processing Agreement or Applicable Data Protection Legislation.
Such audits shall:
- Be subject to reasonable advance notice and shall be performed no more than once per year, unless a security breach at the Data Processor or other special circumstances justify more frequent audits
- Take place during normal working hours and without unnecessary disruption of the Data Processor’s work-related activities
- Be performed by employees of the Data Controller or by third parties who are approved by the Parties and are subject to an obligation of confidentiality.
The Data Processor shall make available the necessary resources reasonably required in order to perform the audit.
The Data Controller shall cover the costs of any third parties used to conduct the audit. Each Party will cover its own costs pertaining to the performance of the audit. If the audit reveals significant breaches of the obligations under the Applicable Privacy Policy or the Data Processing Agreement, the Data Processor must nonetheless cover the Data Controller’s reasonable costs ensuing from the audit.
The Data Processor will engage an external auditor to verify that security measures have been put in place and are working as intended. This audit must:
- Be conducted every three years;
- Be performed in accordance with recognised assurance standards, for example ISAE 3402;
- Be carried out by an independent third party with sufficient knowledge and experience.
The reports must be submitted to the Data Controller on request.
The Data Processor must also provide the information and assistance necessary for the Data Controller to be able to comply with its obligations under the Applicable Privacy Policy.
C.6 Erasure and return of personal data upon the expiry of the agreement
All personal data processed under this Data Processing Agreement, as well as any other relevant information managed on behalf of the Controller, shall be returned upon request upon termination of the Main Agreement. The Controller shall cover the Processor’s costs.
On the termination date of the Agreement, the Processor shall delete all personal data and other relevant information managed on behalf of the Controller. Deletion will be initiated after two weeks and thereafter completed without undue delay and no later than 90 calendar days. Backups shall be deleted after an additional 10 days.
Return shall take place as follows:
The Controller may choose whether personal data shall be returned in Excel format or as a database dump.
C.7 Sector-specific provisions concerning the processing of personal data
None.
C.8 Contact information
For enquiries under this Agreement, for example notification of a personal data breach or changes in the use of Sub-processors, the following channels shall be used:
- The Processor may be contacted at the following contact points: post@pindena.no / tel. 33 80 65 00
- The Controller’s contact person is the individual who completed the Contract.
- The Parties shall be obliged to continuously inform each other of changes to contact persons/contact points.
Appendix D – Additional provisions agreed between the Parties
The Processor maintains an up-to-date privacy policy on its website. You can find information and links relating to security here. The Main Agreement is set out in the order form.