Data processing agreement
Data processing agreement in accordance with the data protection legislation, the General Data Protection Regulation (hereinafter GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council, concerning Cloud Services Identity Management between the Client (customers of KapitalKontroll) and the Supplier (KapitalKontroll AS):
The basis for this data processing agreement is an agreement between the Client and the Supplier on the use of KK2 as a collection tool. The data processed in accordance with this agreement is data that the Client enters into KK2 for use in collecting monetary claims. This agreement applies as long as the Client uses KK2. It also applies to Kapitalkontroll AS for data that remains registered in KK2 after the actual usage agreement is terminated.
1 Purpose of the Agreement
The purpose of the agreement is to regulate rights and obligations under the Act of 20 July 2018 on the Processing of Personal Data (the Personal Data Act). The agreement shall ensure that personal data about the data subjects are not used unlawfully or come into unauthorized possession, secure the rights of the data subjects and safeguard the privacy principles in accordance with Article 5.
The agreement regulates the data processor's use of personal data on behalf of the controller, including collection, registration, compilation, storage, disclosure or combinations thereof.
2 Purpose
Statement of the purpose of the data processing agreement:
The processing of personal data carried out by the data processor on behalf of the controller consists of providing a collection system and performing the necessary maintenance of the system. The system shall be used to store the controller's customer data.
The purpose of the processing of personal data is to administer debt collection cases by ensuring the invoicing of outstanding receivables and to keep track of the municipality's current debt collection cases.
The types of personal data that the data processor processes in connection with the delivery and administration of supplier expertise are mainly:
· Gender (MR/MS prefix)
· First name
· Surname
· Date of birth
· Email
· Telephone office/private/mobile
· Employee number, cost center, department
· Postal address
· Credit card information
· Passport information
This agreement covers the processing of data in connection with the collection of outstanding receivables, including but not limited to:
· Interest calculation of the claim
· Production of collection measures such as reminders, SMS, emails and requests for enforcement
· Long-term monitoring in case of non-compliance with requirements
· Collection measures against co-debtors
3 Duties of the controller
The client in this agreement is the data controller.
The controller is obliged to have an information security management system that satisfies the requirements set out in laws and regulations regarding the processing of personal data.
The controller shall only acquire systems that have privacy by design and privacy by default, ref. GDPR Article 25.
The controller decides which claims are to be collected using KK2. The controller also decides which equipment, such as machines etc., it uses on its own side, and which additional functions it chooses to use.
4 Data processor's obligations
The supplier in this agreement is the data processor.
The Data Processor confirms that it will implement appropriate technical and organizational measures to ensure that all processing under this Agreement meets the requirements of the Personal Data Act and the protection of the rights of the data subject, including meeting all requirements under Article 32 of the General Data Protection Regulation.
The data processor must follow the routines and instructions for processing that the data controller has determined to apply at any given time.
The data processor is obliged to provide the controller with access to its security documentation, and to assist, so that the controller can fulfill its own responsibilities according to law and regulations.
The data processor is obliged to assist the data controller in complying with the obligations under Articles 32-36 that are relevant to this contractual relationship.
The processor must immediately notify the controller of any personal data breach that has occurred or is occurring (see Article 33(2)). Where the breach results in a risk to the rights and freedoms of data subjects, the notification to the controller must contain the information necessary to enable the controller to provide a detailed description of the breach to the supervisory authority (see Article 33(3)). Where the breach requires the controller to notify data subjects (see Article 34), the processor must provide the information necessary to enable the controller to fulfil its obligation to provide such notification in a clear manner and in accordance with Article 33(3)(b), (c) and (d).
The controller has, unless otherwise agreed or required by law, the right to access and inspect the personal data being processed and the systems used for this purpose. The processor is obliged to provide the necessary assistance for this.
The data processor is obliged to maintain confidentiality regarding documentation and personal data to which it has access in accordance with this agreement. The data processor is obliged to ensure that only those with a business need and who are authorized have access to the information. All personnel at the data processor have signed a confidentiality declaration regarding information to which they have been granted access. Kapitalkontroll AS has conducted a security risk assessment. Security measures are described in a separate appendix to this agreement. This provision also applies after the termination of the agreement.
The data processor shall not disclose data or information that it processes for the Data Controller to third parties without explicit instruction from the Data Controller. The data processor shall forward requests for access to registered data to the Data Controller.
The processor must make available to the controller all information necessary to demonstrate that the obligations in Article 28 have been fulfilled.
The data processor must enable and contribute to audits (such as inspections) carried out by the controller or another inspector, authorised by the controller.
The data processor must deliver a system that has privacy by design and privacy by default, ref. GDPR Article 25.
Upon termination of the agreement or upon instruction from the controller, the data processor shall ensure that registered personal data is deleted.
5 Use of subcontractors
If the data processor uses subcontractors or others who are not normally employed by the data processor, this must be agreed in writing with the data controller before the processing of personal data begins.
Kapitalkontroll has an associated programmer who has access to the system. He has signed an agreement for the provision of services to Kapitalkontroll AS as his only customer. He is considered an employee and has signed a confidentiality agreement.
KK2 has integrations with other systems. Most of these deliver information to KK2, including:
· Brønnøysund registers
· The Tax Administration
· Norwegian Brochure
KK2 has some suppliers to whom information is provided. These include:
· SvarUt via the client's agreement on sending documents
· Digipost via a separate agreement that the client joins in
· The Tax Administration
These transfers are not considered a leak by the Controller, but are made in accordance with agreements that the Controller has entered into.
6 Agreement with subcontractors
Such an agreement is made as an addendum to this agreement.
All persons who, on behalf of the data processor, carry out tasks involving the use of the relevant personal data must be familiar with the data processor's contractual and legal obligations and comply with the terms and conditions set out therein. The data processor bears full responsibility for ensuring that the subcontractor(s) fulfil their obligations with regard to the protection of personal data.
7 Safety and deviations
The data processor shall take all measures necessary to ensure information security in line with the requirements of GDPR Article 32. The data processor shall document procedures and other measures to meet these requirements. The documentation shall be available to the controller upon request.
Personal data shall not be transferred to countries outside the EEA without prior written agreement with the controller. This does not apply if Norwegian law requires the processor to specifically process personal data.
Non-compliance reporting under data protection legislation shall be done by the data processor reporting the non-compliance to the controller without undue delay, so that the controller can fulfil its obligations under GDPR Articles 33 and 34: reporting the non-compliance to the Norwegian Data Protection Authority within 72 hours, and immediately in the event of a high risk to the data subject. This applies to incidents affecting confidentiality, integrity and availability.
8 Security audits
The controller shall agree with the processor that security audits are carried out periodically for systems and the like covered by this agreement. The processor shall enable and contribute to audits and inspections carried out by the controller or someone else on its behalf.
8.1 Audit
The audit may include a review of procedures, random checks, more extensive on-site inspections and other appropriate control measures. The audit shall be continuously reviewed with regard to the data protection requirements, the data protection principles and the rights of the data subjects.
9 Duration of the agreement
The agreement applies as long as the data processor processes personal data on behalf of the data controller.
In the event of a breach of this agreement or the privacy policy, the controller may order the data processor to stop further processing of the information with immediate effect.
The agreement can be terminated by either party with a mutual notice of 3 months.
10 Termination
Upon termination of this agreement, the data processor is obliged to delete all personal data received on behalf of the controller and covered by this agreement.
The data processor stores little data, and the data comes from the Controller's systems, so return of data is not applicable.
It is agreed that the data processor shall delete or properly destroy all documents, data, etc. containing information covered by the agreement. This also applies to any backup copies, which will be overwritten after a few months.
Data is destroyed by erasing it and overwriting disks with new information over time. More extensive destruction with multiple overwrites must be agreed upon separately and will cost extra.
The data processor must document in writing that deletion and/or destruction has been carried out in accordance with the agreement within a reasonable time after the termination of the agreement.
11 Messages
Notices under this Agreement shall be sent in writing to:
Client who is responsible for processing
Attn: Contract Manager at Client
12 Applicable law and venue
The agreement is subject to Norwegian law and the parties agree that Oslo District Court is the place of jurisdiction. This also applies after termination of the agreement.
13 Validity
This agreement applies to all customers of KapitalKontroll AS where a separate data processing agreement has not been entered into.