Data Processing Terms

 

Data Processing Terms for the initial design and test of the Pio system

1 INTRODUCTION

These "Data Processing Terms" are incorporated into and will automatically form part of Pio AS' ("Pio") Terms and Conditions if a "Potential Customer", at its discretion, decides to share Personal Data (as defined in Section 3 below) with Pio in connection with the initial design and test of the Pio system (the "Test").

By disclosing Personal Data to Pio as described above, you accept the terms and conditions set forth herein on behalf of the Potential Customer. Furthermore, by disclosing Personal Data to Pio you warrant that you have full legal authority to bind the Potential Customer to these Data Processing Terms, and that you have read and understood these Data Processing Terms.

2 SCOPE

Pio will act, and will hereinafter be referred to, as the "Processor" when it processes Personal Data on behalf of the Potential Customer for the purpose of providing the Test to the Potential Customer. The Potential Customer will act, and will hereinafter be referred to, as the "Controller" for this Personal Data which it has decided to provide to the Processor in connection with the Test.

These Data Processing Terms set forth the rights and obligations of the Controller and the Processor pursuant to Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, or "GDPR").

For clarity, these Data Processing Terms will not apply to personal data which Pio processes as a controller. This processing is further described and governed by Pio's Privacy Notice.

3 INTERPRETATIONS ETC.

Unless otherwise set out in these Data Processing Terms, words, phrases and abbreviations used herein which have a specific meaning assigned to them in the GDPR, such as 'controller', 'data subject', 'processor', 'processing', 'personal data', 'personal data breach', 'supervisory authority' and 'third country' etc., shall have the same meanings when used herein.

The capitalized term "Personal Data" shall mean the personal data which the Processor processes on behalf of the Controller under these Data Processing Terms, for the purpose of providing the Test to the Controller.

The following Appendices are incorporated into these Data Processing Terms by reference:

Appendix name

Appendix 1 (Categories of Personal Data and data subjects)

4 PURPOSE, NATURE AND DESCRIPTION OF THE PROCESSING

The Processor will process the Personal Data on behalf of the Controller for the purpose of providing the Test to the Controller.

The processing for the purpose described above will involve such processing operations as are necessary in pursuit of the stated purposes, including, inter alia, the following basic processing operations:

a. data collection, entry, and storage;

b. transmission and structuring; and

c. dissemination and erasure.

Additional processing operations may also be performed subject to the Controller's instructions. Some operations may be wholly or partially automated.

The categories of Personal Data, including any special categories, and data subjects involved in the processing are set out in Appendix 1 (Categories of Personal Data and data subjects).

5 CONTROLLER'S RESPONSIBILITIES

The Controller shall:

a. ensure that its processing of Personal Data complies with the requirements under the GDPR and other applicable data protection laws;

b. only provide instructions to Pio that are lawful; and

c. provide data subjects with all necessary information regarding the processing of Personal Data under these Data Processing Terms.

Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer furthermore warrants that the Controller is entitled to engage Pio as a processor as set out in these Data Processing Terms.

6 PROCESSOR OBLIGATIONS

The Processor shall only process the Personal Data in accordance with the Controller's instructions as set out in these Data Processing Terms. The Processor is hereby instructed to process the Personal Data as is necessary to provide the Test to the Controller.

The Processor shall not process the Personal Data for any other purposes than those set out above, unless the Processor is obligated to do so to comply with its obligations pursuant to EU/EEA law or national laws, including EU/EEA Member State law. Should such obligations require the Processor to process the Personal Data for other purposes, the Processor shall promptly notify the Controller thereof, unless prohibited from disclosing this information by the relevant laws.

The Processor shall always comply with its obligations pursuant to the GDPR when carrying out the processing.

If, in the Processor's opinion, an instruction from the Controller is in violation of the GDPR or other mandatory national or EU/EEA law, the Processor shall notify the Controller thereof.

The Processor shall ensure that measures are implemented in accordance with the requirements of the GDPR and other data protection law applicable to it, in order to ensure confidentiality (i.e. that Personal Data are not disclosed to unauthorized persons or parties), integrity (i.e. that the Personal Data is not unintentionally changed in relation to the processing) and availability (i.e. that the persons who are required to have access to the Personal Data have the necessary access) in relation to the processing of Personal Data.

The Processor shall treat all Personal Data received in accordance with these Data Processing Terms as confidential information.

The Processor shall ensure that the Personal Data are processed solely by reliable personnel who are:

a. only granted access to the Personal Data on a need-to-know basis;

b. made familiar with the regulatory requirements applicable to the Processor's processing of Personal Data; and

c. subject to appropriate confidentiality obligations.

7 ENGAGEMENT OF SUB-PROCESSORS

The Processor has the Controller's authorization to sub-contract processing of Personal Data under these Data Processing Terms to third parties or subcontractors ("Sub-Processors"). The above authorizations will constitute Controller's prior written consent to the subcontracting by Processor of the processing of Personal Data if such consent is required under standard contractual clauses or the GDPR.

Processor makes available information about Sub-Processors on a website. The Processor shall keep an updated list of all Sub-Processors engaged in the processing of Personal Data on behalf of the Controller available at the Controller's request at all times (by updating the website). In the case of cloud vendors, the website may contain links to Sub-Processor's separate list of Sub-Processors.

From time to time, Processor may engage new Sub-Processors. If the Processor replaces, or engages a new Sub-Processor, the Controller shall be entitled to reasonable written notice (by updating the website and providing Controller with a mechanism to obtain notice of that update). Upon receiving such notification, and if there is reasonable cause to believe that the engagement of a new Sub-Processor would be detrimental to the data protection requirements set out herein, the Controller shall be entitled to object to the Processor's engagement of the Sub-Processor in question. Any objections pursuant to this Section 7 must be received without undue delay, and at the latest within the notice period set out in the Processor's notification to the Controller. If the Controller objects to the Processor, the Controller and the Processor shall negotiate in good faith to find a solution to address the Controller's concerns. If the Controller objects to the engagement of a Sub-Processor, the Processor may not be able to fulfil the Test, and Processor shall be relieved of its obligations thereof.

Processor will ensure that Sub-Processors are bound by written agreements that require them to provide at least the level of data protection required of Processor by the Data Processing Terms, including the limitations on disclosure of Personal Data. Processor agrees to oversee the Sub-Processors to ensure that these contractual obligations are met. The Processor shall remain responsible for any acts and/or omissions of its Sub-Processors as if they were carried out by the Processor itself.

8 TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

The Processor shall not process or cause the Personal Data to be processed by Sub-Processors, outside the EEA without the Controller's prior authorization. The Controller hereby gives the Processor its authorization as set out in the preceding sentence, provided that the Processor:

a. provides the Controller reasonable written notice, informing the Controller of the contemplated transfer of Personal Data to a third country; and

b. has implemented the necessary measures to ensure an essentially equivalent level of protection for the Personal Data in accordance with the GDPR.

The Processor shall ensure that there is a valid basis pursuant to the GDPR Chapter V for any transfers of Personal Data to third countries. Where so required, the Processor shall enter, and Controller authorizes Processor to enter, standard contractual clauses for data transfers between EU and non-EU countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (or any successor thereto) with the third country recipient of the Personal Data (processor to processor transfers).

The Controller shall be entitled to object to the transfer if there is reasonable cause to believe that the transfer in question would be detrimental to the data protection requirements set out herein. However, if the Controller objects to the transfer, the Processor may not be able to fulfil its Test (or parts thereof) to Controller.

9 SECURITY

The Processor has implemented and maintains appropriate technical and organizational security measures to protect the Personal Data from unauthorized disclosure or access, accidental loss or alteration, accidental or unlawful destruction and other breaches of security, which are implemented with regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The security measures described in the foregoing paragraph are further detailed in the Processor's information security policy, which is available on a website.

An updated version of the Processor's information security policy will always be available to the Controller on request.

Upon becoming aware of any Personal Data breach, the Processor shall notify the Controller of the breach without undue delay and assist the Controller in handling the breach.

10 COMPLIANCE ASSISTANCE

The Processor shall, taking into account the nature of the processing and the information available to the Processor, upon the Controller's request reasonably assist:

a. the Controller in carrying out a data protection impact assessment (DPIA), and (if required) in consultations with its relevant supervisory authority, in accordance with Articles 35 and 36 GDPR;

b. the Controller with fulfilling its obligations pursuant to Articles 32 to 34 of the GDPR; and

c. the Controller with responding to (i) requests from data subjects to exercise their rights under the GDPR (e.g., the rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) other correspondence, enquiries or complaints received from a data subject, supervisory authority or other third party in connection with the processing of the Personal Data.

If any request, correspondence, enquiry, or complaint is made by data subjects directly to the Processor, the Processor shall inform the Controller without undue delay, providing the necessary details of the same.

11 AUDITS

The Processor shall respond to inquiries from the Controller relating to its processing of Personal Data, including making available all information and accountability documentation necessary to demonstrate compliance with these Data Processing Terms and the Processor's obligations under the GDPR and other national data protection law applicable to the Processor.

Furthermore, the Processor will perform regular audits conducted by qualified, independent, reputable, and accredited third-party auditors in accordance with reputable control standards or frameworks. Information regarding what regular audits are conducted by the Processor from time to time is available upon request from the Controller.

The Processor shall, upon the Controller's request, make available to the Controller a copy of reports from audits as described in this Section 11, subject to confidentiality obligations in place with the Controller. The Processor is entitled to redact from such auditing reports any details which, in the Processor's sole discretion, could compromise the information security, integrity or intellectual property rights protection of the Processor, its information systems or infrastructure, or which could otherwise enable a recipient to exploit any vulnerabilities with respect to the aforementioned.

If, and to the extent, audit reports and other standard documentation generally made available by the Processor in accordance with the above provisions cannot reasonably be deemed sufficient to satisfy the Controller's audit requirements under the GDPR or other applicable data protection laws, the Controller may issue supplementary auditing instructions to be carried out subject to further agreement between the Controller and the Processor. All supplementary instructions pertaining to audits and/or inspections shall be carried out by a reputable third-party auditor agreed between the Controller and the Processor, if not carried out by the Processor's existing auditors.

12 DATA ERASURE AND RETENTION

Upon termination of these Data Processing Terms in accordance with Section 14 below, the Controller may instruct the Processor to immediately return to the Controller all of the Personal Data and any copies thereof which the Processor is processing or has processed on behalf of the Controller and/or securely destroy the same. Notwithstanding the above, the Processor may retain such Personal Data if the Processor is under a legal obligation to retain under national or EU/EEA law.

13 LIMITATIONS OF LIABILITY

The aggregate liability of the Processor under these Data Processing Terms for breaches of its obligations under these Data Processing Terms shall in no event exceed the highest of the following (i) the total fee (excluding VAT or other levies) paid by the Controller to Processor during the last six months preceding the event giving rise to the liability or (ii) EUR 10,000.

14 MISCELLANEOUS

Consideration: The Processor shall be entitled to consideration from the Controller in accordance with the Processor's applicable hourly rates for its assistance and participation pursuant to Section 10 and Section 11 (its first, third and fourth sub-paragraph) of these Data Processing Terms.

Term: These Data Processing Terms shall remain in effect for as long as the Processor processes Personal Data for the purpose of providing the Test to the Controller.

Governing law and dispute resolution: These Data Processing Terms are governed by Norwegian Law. Any dispute, controversy or claim arising out of or in connection with these Data Processing Terms, or the breach, termination, or invalidity thereof, shall be finally settled by arbitration in Oslo, Norway, in accordance with the Norwegian Arbitration Act of 2004.

Appendix 1

CATEGORIES OF PERSONAL DATA

Under or in connection with the provision of the Test, the Processor may process the data subjects' full name, employment position, contact information such as email address and telephone number, as well as order line data such as personal data included in order line and inventory data.

SPECIAL CATEGORIES OF PERSONAL DATA

No special categories of Personal Data will be processed.

CATEGORIES OF DATA SUBJECTS

Under or in connection with the Test, the Processor may process Personal Data relating to the Controller's personnel and end users.