DATA PROCESSING AGREEMENT

Legal Plant AS, org. no. 927 347 199, ("Data Processor")

And

Organizations signing up as users of LegalPlant ("Controller")

Jointly, the Data Processor and Controller are referred to as "The Parties".

1. Background and purpose

The parties have entered into an agreement with the Data Processor as Supplier and the Data Controller as Customer (the "Main Agreement") when the Controller signed up for the service and accepted the Terms & Conditions.

On the basis of the Main Agreement, the Data Processor processes personal data on behalf of the Controller, as regulated in this agreement (the "Data Processor Agreement").

In the event of a conflict between the Main Agreement and the Data Processor Agreement, the Data Processor Agreement takes precedence when it comes to matters specifically related to the processing of personal data.

Annexes to the Data Processor Agreement describe the purpose of the processing, the duration of the processing, the nature of the processing, the types of personal data to be processed, and the categories of data subjects.

The Data Processor Agreement must ensure that personal data is processed in accordance with the applicable requirements for the processing of personal data as set out in the personal data protection regulations, i.e. the EU's data protection requirements, the Personal Data Act and associated regulations, etc.

The Data Processor shall process the personal data in the manner described in the Data Processor Agreement, as well as in another way, if this has been agreed in writing between the Data Processor and the Controller.

Terms and definitions used in the Data Processor Agreement shall be understood in the same way as in the privacy regulations.

2. General duties and rights

2.1. The Data Controller's duties

The Controller is responsible for ensuring that the processing of personal data is carried out in accordance with the privacy regulations. In this connection, the Controller must specifically ensure that:

  1. the processing of personal data is purposeful and based on a valid legal basis;
  2. the data subjects have received the necessary information about the processing of the personal data;
  3. The Controller has carried out sufficient risk assessments; and
  4. The Data Processor at all times has sufficient instructions and information to fulfill its duties in accordance with the Data Processor Agreement and the privacy regulations.

2.2. Access to personal data

The Controller must at all times have full legal authority over the personal data.

The Data Processor must, in line with the Controller's request or instructions, correct, delete or return all personal data that the Data Processor processes on behalf of the Controller in accordance with the Data Processor Agreement. This applies unless the applicable privacy regulations require the storage of the personal data.

The Controller must specify guidelines for deleting personal data for the Data Processor, in an appendix to the Data Processor Agreement.

2.3. Instructions from the Data Controller

The Data Processor must only process personal data based on documented instructions from the Controller, unless otherwise follows from the privacy regulations. The Data Processor must be able to document such instructions at all times. Our Privacy policy, this Data Processor Agreement, including its annexes, constitute the instructions on the date of signature. Instructions may also be given after the conclusion of the Main Agreement. The Data Processor must not process personal data that the Data Processor gains access to in any other way than is necessary to carry out the tasks that the Data Processor has for the Controller. Unless otherwise specified in the Data Processor Agreement, the Data Processor may use all relevant technical aids (incl. IT systems and software) to fulfill the obligations incumbent on the Data Processor.

If the Data Processor is of the opinion that an instruction from the Controller is contrary to the privacy regulations, the Data Processor must immediately notify the Data Controller of its opinion.

2.4. Assistance to the Controller

The Data Processor must assist the data controller in fulfilling its obligations under the privacy regulations. Such assistance includes, among other things, the Controller's duty to respond to requests from data subjects for access, correction, restriction of processing, deletion, and the right to be sent a copy of the personal data being processed.

If the Controller receives inquiries from the data subject regarding the processing of personal data, the Data Processor must forward the inquiry as quickly as possible and, as far as possible, assist the Controller in responding to the inquiry. Such inquiries can only be answered by the Data Processor when this has been approved in writing by the Controller.

Furthermore, the Data Processor shall assist the Controller in ensuring compliance with obligations relating to personal data security, assessment of privacy consequences and preliminary discussions.

The duty to assist according to this point 2.4 still only applies to the extent that this is possible and appropriate in view of the nature and scope of the processing of personal data under the Main Agreement.

2.5. Documentation

The Data Processor must keep a protocol (log) of the processing activities it carries out on behalf of the Controller, which must contain at least the information required under Article 30 of the Personal Data Protection Regulation. The Data Controller can at any time demand a copy of such protocol.

The Data Processor shall make available to the Controller all information necessary to demonstrate that the obligations under the Data Processor Agreement and the privacy regulations have been met, as well as enable and contribute to audits, including inspections, which are carried out by the Controller or another inspector authorized by the Controller. This also includes providing access to security documentation in connection with this Data Processor Agreement.

3. Confidentiality

The Data Processor has a duty of confidentiality regarding personal data to which the person concerned gains access as a result of the Data Processor Agreement and the processing of the personal data.

The Data Processor must ensure that employees and others who have access to personal data are authorized to process such personal data on behalf of the Data Processor. If such authorization expires or is withdrawn, access to the personal data shall cease without undue delay.

The Data Processor must ensure that persons who are authorized to process the personal data have undertaken to treat the data confidentially or are subject to a suitable statutory duty of confidentiality. This provision also applies after the termination of the Data Processor Agreement.

The Data Processor must not hand over information that it processes on behalf of the Controller to third parties without an explicit order from the Controller.

4. Use of subcontractors (subprocessors)

The Data Processor shall only use subcontractors for the processing of personal data (sub-processor) who have been approved in writing by the Controller and who have confirmed that they have implemented suitable technical and organizational measures that ensure that all processing under this Data Processor Agreement meets the requirements of the privacy regulations and the protection of the data subject's rights.

Approved sub-processors at the conclusion of the Data Processor Agreement are specified in the annex to the Data Processor Agreement.

In the event that the Data Processor has plans to use other sub-processors or to replace sub-processors, the Data Processor must notify the Controller of the plans, and may not use the sub-contractor without first obtaining general or specific written approval from the Controller. The Data Controller must notify the Data Processor in writing of any objection as soon as possible and at the latest within four (4) weeks from the Data Processor informing the Data Processor of a new sub-processor. If the Controller has not notified an objection within the aforementioned deadline, the new sub-data processor will be deemed to have been approved.

The sub-processor shall be made aware of the Data Processor's obligations under this Data Processor Agreement and the regulations governing the processing of the Controller's personal data, and shall be subject to the same obligations with regard to the protection of personal data as stipulated in the Data Processor Agreement, where the sub-processor shall provide sufficient guarantees that it will carry out technical and organizational measures that ensure that the processing meets legal requirements.

If the sub-processor does not fulfill its obligations with regard to the protection of personal data and the requirements of the Data Processor Agreement, the Data Processor shall have full responsibility towards the Controller for the sub-processor fulfilling its obligations.

The Controller also has the right, upon written request, to receive copies of the relevant terms of the Data Processor's agreement with subcontractors who are to process personal data on behalf of the Controller, with the limitations that may follow from law or regulation. In any case, purely commercial terms cannot be required to be presented.

5. Transfer outside the EU/EEA

Personal data shall only be transferred to countries outside the EU/EEA (third country) if the Controller has approved such a transfer or given instructions for such a transfer and the conditions in this section 5 section three are met. Consent and instructions must cover which countries the information can be transferred to. Transfer to a third country requires, even with consent and instructions, that the requirements for security and protection of the data subject's rights that follow from the privacy regulations are met.

The data processor may still transfer personal data if required in accordance with applicable law in the EU/EEA area. In such cases, the Data Processor must notify the Controller as far as this is permitted by law.

Transfer to third countries or international organizations can only take place if there are necessary guarantees for a sufficient level of protection for personal data protection in accordance with the Current Data Protection Rules. Unless otherwise agreed between the parties, such a transfer can only take place on the basis of:

  1. one of the European Commission's decisions on the adequate level of protection pursuant to Article 45 of the Personal Data Protection Regulation; or
  2. a data processor agreement incorporating standard privacy provisions as set out in the GDPR Article 46 (2) (c) or (d) (EU Model clauses); or
  3. binding corporate rules (Binding Corporate Rules) in accordance with Article 47 of the Personal Data Protection Regulation.

6. Safety of the treatment

The Data Processor confirms that the Data Processor will implement suitable technical and organizational measures that ensure that all processing under this Data Processor Agreement meets the requirements of the data protection regulations and protection of the data subject's rights, including fulfilling all the requirements according to Article 32 of the Data Protection Regulation.

The Data Processor must be able to document routines and other measures to fulfill these requirements. The documentation must be available at the Controller's request.

The Data Processor must carry out risk assessments to ensure that a suitable level of security is maintained at all times. The Data Processor must also ensure regular testing, analysis and assessment of the security measures, particularly with regard to ensuring continued confidentiality, integrity, availability and robustness of processing systems and services, as well as the ability to quickly restore the availability of personal data in the event of incidents.

Security audits must be carried out regularly, and the parties must agree between themselves the times for security audits. The audit may include a review of routines, random checks, more extensive local checks and other suitable control measures. The Controller's obligation to cover any resource consumption associated with carrying out such an audit must be agreed in advance.

The Data Processor must protect the personal data from destruction, alteration, unauthorized disclosure or unauthorized access.

Taking into account the technical development and implementation costs, the nature, scope, purpose and context of the processing, in addition to the varying degree of probability and severity for natural persons' rights and freedoms, the Data Processor shall consider implementing one or more of the following technical and organizational measures:

  1. Pseudonymisation and encryption of personal data;
  2. the ability to ensure continued confidentiality, integrity, availability and robustness of the processing systems and services that process personal data;
  3. the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  4. a process for regular testing, analysis and assessment of how effective technical and organizational security measures are with regard to the security of the processing.

The Data Processor must always at least maintain a level of security that is in line with industry practice.

7. Breach of personal data security

In the event of a security or privacy breach, the Data Processor must notify the Controller without undue delay and provide such assistance and information as is necessary for the Controller to be able to report the breach to the supervisory authorities in line with the privacy regulations.

Notification of infringement must contain at least:

  1. Description of the nature of the breach of personal data security, including, when possible, the categories of and approximate number of data subjects affected, and the categories of and approximate number of personal data records affected,
  2. point of contact for further information,
  3. description of the likely consequences of the breach of personal data security, and
  4. description of the measures that have been taken or that are proposed to be taken to deal with the breach of personal data security, including, if relevant, measures to reduce any harmful effects as a result of the breach.

If not all information can be provided in the first notification, the information must be provided successively as soon as it is available.

The Controller is responsible for sending a notification to the supervisory authority, and the Data Processor shall not send such a notification or contact the supervisory authority without the Controller having given instructions to this effect.

8. Non-compliance and suspension orders

In the event of a breach of this Data Processor Agreement or the privacy regulations, the Controller may order the Data Processor to stop the further processing of the information with immediate effect until the discrepancy has been rectified. The Data Processor is obliged to rectify the discrepancy within a reasonable time.

If a party significantly defaults on its obligations under the Data Processor Agreement, the other party can terminate the Data Processor Agreement. The party that wishes to terminate the Data Processor Agreement must give the other party written notice stating what the breach consists of, and a 14 (fourteen) day deadline to correct the breach. If the default is not rectified within the deadline specified in the notice, the Data Processing Agreement is considered terminated at the end of the deadline.

9. Obligations in the event of termination

Upon termination of the Data Processor Agreement, the Data Processor shall (i) terminate all processing of personal data and (ii) at the Controller's option, return and/or delete all personal data and copies of such personal data that have been received on behalf of the Data Processor and which are covered by the Data Processor Agreement.

Deletion also applies to any backup copies, but where it is sufficient to overwrite according to the established routines for backups. The obligation to delete applies to the extent that it is not required that the personal data be stored in accordance with the privacy regulations.

The Controller must receive a written confirmation from the Data Processor that all personal data has been returned or deleted in accordance with the Data Processor's instructions and that the Data Processor has not kept copies, prints or other forms of personal data in any form.

Regardless of the reason for the termination of the Data Processor Agreement, the Data Processor must, upon written request from the Controller, agree to postpone the termination of the Data Processor Agreement so that the Data Processor secures its data before it is returned and/or deleted.

10. Other duties and rights

Other duties and rights, including the right to remuneration, follow from the Main Agreement that applies between the Data Processor and the Data Controller regarding the services that necessitate the processing of personal data and from this Data Processor Agreement. The same contact persons apply for the Data Processor Agreement as under the Main Agreement.

In the event of a transfer of the Main Agreement to other parties, the Data Processor Agreement must be transferred accordingly.

11. Choice of law and venue

The data processing agreement is subject to Norwegian law. Any dispute regarding the Data Processor Agreement, or arising from it, shall in the first instance be resolved by the Parties through negotiation.

The Oslo District Court is the proper venue for disputes regarding the Data Processor Agreement.

Entered into by The Parties when the Controller has signed up to LegalPlant and confirmed the Terms & Conditions as presented through the LegalPlant solution.

Appendix A

A.1. The purpose of the processing

Personal data is processed for the following purposes according to the Data Processor Agreement:

The Data Processor will process personal data on behalf of the Controller in order to deliver the services and benefits that follow from the Main Agreement.

A.2. Duration of treatment

The processing shall last as long as the Data Processor provides services and benefits according to the Main Agreement to the Controller.

A.3. Nature of processing and types of personal data to be processed

The nature of the treatment may vary. All data processing (including processing activities) that is necessary for the Data Processor to be able to deliver the services and benefits that follow from the General Agreement, and to comply with instructions from the Controller, will be carried out. This includes, but is not limited to, collection of personal data, compilation of personal data, structuring of personal data, adaptation of personal data, combination of personal data, transfer of personal data, disclosure of personal data, analysis of personal data, storage of personal data.

A.4. Categories of data subjects and types of personal data to be processed under the Data Processing Agreement

  • The controller's customers (and counterparties in the context of the case)

  • Customers (where the customer is (i) a private person, or (ii) contact persons for business customers):

    • First name and last name
    • E-mail address
    • Telephone number
    • Address
    • Position/role with their employer (if any)
    • Case information / case documents
  • Counterparties (where the counterparty is (i) a private person, or (ii) a contact person in a company):

    • First name and last name
    • E-mail address
    • Telephone number
    • Address
    • Position/role with their employer (if any)
    • Case information / case documents
  • Employees of the data controller

    • First name and last name
    • Image(s)
    • Email address (which constitutes the username for logging in and accessing Legalplant)
    • Password for login and access to Legalplant
    • Name of employer
    • Employer's business address
    • Job title and function, as well as role with the employer
    • Name of the department at the employer in which the individual employee works
    • Case information / case documents
  • Other persons mentioned in case documents the data controller has access to

  • The data controller's partners

    • First name and last name
    • E-mail address
    • Telephone number
    • Position/role with their employer (if any)

In the event that it becomes necessary to process personal data of several categories or more personal data, in addition to the above, it will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the purpose of the Agreement.

A.5. Storage/deletion

The personal data that is processed must be deleted according to the following guidelines:

Personal data processed in accordance with this Data Processor Agreement must be deleted when either:

a) the purpose of the processing of the personal data has been fulfilled, or

b) the Data Processor Agreement ceases or is terminated, cf. section 9.

Appendix B

B.1. Sub-processors upon entering into the Agreement

At the time of entering into the Agreement and the Data Processor Agreement, the Controller has approved the use of the following sub-processors:

| Third parties (sub-processors) | Company address | Country data is stored | Purpose |
| --- | --- | --- | --- |
| Google Cloud Platform | | | Infrastructure for operating applications, including all necessary data processing in this context. |
| Google Workspace | | | Information access management and document processing |
| Microsoft 365 | | | Information access management and document processing |
| Click Up | | | Work flow structure, work processes and communication system |
| Slack | | | Communication and support system for various work flows |

B.1. More about general approval

With the limitations that follow from the Data Processor Agreement's clauses 4 and 5, the Controller gives a general consent that the Data Processor can use standard software and software from the sub-processors mentioned above and more, in order to fulfill the Data Processor's obligations according to the Agreement. Furthermore, the Controller agrees that such processing is supported by servers in Third Countries.