
For the purposes of Article 28(3) of Regulation (EU) 2016/679 (the “GDPR”)

between the organisation registering its account on Equality Check

(the data controller)

and

Equality Check AS 
Org number 920585590
C/O Share, Myntgata 2 
0151 Oslo
Norway

(the data processor)

each a ‘party’; together ‘the parties’

HAVE AGREED on the following data processor agreement (the “Agreement”) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.

The Agreement is incorporated into the Terms of Service and takes effect when the person representing the Organisation clicks “I accept” and registers its account on Equality Check.

 


 

Table of Contents

 

Preamble

The rights and obligations of the data controller

The data processor acts according to instructions

Confidentiality

Security of processing

Use of sub-processors

Transfer of data to third countries or international organisations

Assistance to the data controller

Notification of personal data breach

Erasure and return of data

Audit and inspection

The parties’ agreement on other terms

Commencement and termination

Data controller and data processor contacts/contact points

Appendix A Information about the processing

Appendix B Authorised sub-processors

Appendix C Instruction pertaining to the use of personal data 

 


 

Preamble

 

This Agreement sets out the rights and obligations of the data controller and the data processor, when the data processor is processing personal data on behalf of the data controller.


The Agreement has been designed to ensure the parties’ compliance with Article 28(3) of GDPR.


In the context of the provision of Equality Check, the data processor will process personal data on behalf of the data controller in accordance with the Agreement. 


The Agreement shall take priority over any similar provisions contained in other agreements between the parties.


Three appendices are attached to the Agreement and form an integral part of the Agreement.


Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.


Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors authorised by the data controller.


Appendix C contains the minimum security measures to be implemented by the data processor.


The Agreement along with appendices shall be retained in writing, including electronically, by both parties.


The Agreement shall not exempt the data processor from obligations to which the data processor is subject pursuant to the GDPR or other legislation.




The rights and obligations of the data controller

 

The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see inter alia Articles 24 and 30 GDPR), the applicable EU or Member State data protection provisions and the Agreement.


The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.


The data controller shall be responsible, among other things, for ensuring that the processing of personal data which the data processor is instructed to perform has a legal basis.




The data processor acts according to instructions

 

The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions are specified in the Agreement and its appendices. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically, in connection with the Agreement.


The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.



 

Confidentiality

 

The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, access to personal data shall be withdrawn where it is no longer necessary, and the personal data shall consequently no longer be accessible to those persons.


The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.



Security of processing 

 

The data processor shall assist the data controller in fulfilling its duties pursuant to Articles 32 to 36 GDPR.


Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


The data processor shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:

- pseudonymisation and encryption of personal data;

- the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;

- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The data controller shall provide the data processor with all information necessary to identify and evaluate such risks.



Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR by, inter alia, providing the data controller, upon request, with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR, along with all other information necessary for the data controller to comply with its obligations under Article 32 GDPR.

 


 

Use of sub-processors

 

The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (“sub-processor”).


The data processor shall therefore not engage another processor (“sub-processor”) for the fulfilment of the Agreement without the prior general written authorisation of the data controller.


The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall, in reasonable time prior to any change, inform the data controller in writing of any intended addition or replacement of sub-processors, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). The data controller may not object to a new sub-processor without a legitimate reason.


Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Agreement shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Agreement and the GDPR.


The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Agreement and the GDPR. If the sub-processor does not fulfil its data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor.


A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Agreement are imposed on the sub-processor. Business related issues that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller.  

 


 

Transfer of data to third countries or international organisations




Any transfer of personal data to third countries or international organisations by the data processor shall only occur with the approval of the data controller and shall always take place in compliance with Chapter V GDPR. The sub-processors already approved by the data controller that may transfer data to a third country are listed in Appendix B.


Where a transfer to a third country or an international organisation which the data controller has not approved is required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.


Without approval from the data controller, the data processor therefore cannot, within the framework of the Agreement:

- transfer personal data to a data controller or a data processor in a third country or in an international organisation;

- transfer the processing of personal data to a sub-processor in a third country.



Assistance to the data controller

 

Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.

 


 

Notification of personal data breach

 

In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.


The data processor’s notification to the data controller shall take place without undue delay after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.


The data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the data controller’s notification to the competent supervisory authority:

- the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

- the likely consequences of the personal data breach;

- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 



 

Erasure and return of data

 

On termination of the provision of personal data processing services, the data processor shall be under obligation to delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so. 


The data processor may upon termination only retain aggregated data, not containing identifiable information of the data subjects. The data processor can use anonymized and aggregated data for its own statistical purposes. 

 


 

Audit and inspection

 

The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and the Agreement, and shall allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

 

The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification. 

 


The parties’ agreement on other terms 

 

Each party is responsible for covering administrative fines and other sanctions imposed on it as a result of its breaches of the data protection legislation.


If a party has been held liable for damages under Article 82 of the GDPR for a matter for which the other party is responsible, the party responsible shall cover the damages costs. 


The data processor’s aggregate liability under section 13.2 is limited to an amount equal to what the data controller has paid for the data processor’s services in the 12 months prior to the date of the (initial) claim.

 


Commencement and termination

 

The Agreement shall become effective on the date on which the data controller registers its account on Equality Check. The person registering the Organisation warrants and represents that it has the necessary authority to bind the Organisation to this Agreement.


The Agreement shall apply for the duration of the provision of personal data processing services. For that duration, the Agreement cannot be terminated unless another agreement governing the provision of personal data processing services has been agreed between the parties.

 

Once the provision of personal data processing services has been terminated and the personal data has been deleted, anonymized or returned to the data controller pursuant to section 11.1, the Agreement may be terminated by written notice by either party.

 

Signature

The Agreement is accepted and effective once the person representing the Organisation clicks “I accept” and registers its account on Equality Check.

A signed copy of the Agreement can be obtained by request to the data processor to the contact information stated below.

 


 

Data controller and data processor contacts/contact points


 

The parties may contact each other using the following contacts/contact points:

 

For the data controller:

The contact information provided in the registration process on Equality Check.

 

For the data processor:

Name Marie Louise Sunde

Position CEO 

Telephone +47 41454498

E-mail marie@equalitycheck.com

 

The parties shall keep each other informed of any changes to these contacts/contact points.

 


Appendix A Information about the processing 



A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller is:

Name of service | The purpose of the data processing | The duration of the processing

Equality Check | Fulfil the main agreement with the data controller | As long as the parties have a main agreement giving access to Equality Check

Equality Check | Map equality in the organisation, identify problem areas, obtain evidence-based solutions to improve, and comply with D&I legislation. Compare the personal data with data of other data controllers. | Until the purpose is achieved

Equality Check | Perform analysis of, and research on, the data with the aim of improving the accuracy of the service | Until the purpose is achieved

Equality Check | Import data to perform the above-mentioned analysis and mapping | Until the purpose is achieved

 

A.2. The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):

Processing | Processing activity

Registration | Registration of the data controller to the Service

Data collection | Data collection from the data controller

Storage | Storage of data from the data controller

Analysis | Analysis of data from the data controller

Presentation | Presentation of data from the data controller

Anonymization | Anonymization of the data to be kept upon termination of the Agreement

Deletion | Deletion of data not necessary to fulfil the purposes of the processing

 

A.3. The processing includes the following types of personal data about data subjects:

Type of personal data | Data subject | Comment

Name, email address, telephone number, address, etc. | Data controller (Client) | Data that the representative(s) of the data controller register to create an account on Equality Check.

Data about the data controller’s employees, such as ID, first name, e-mail, legal gender, salary, job title, seniority level, etc. | Employee | The data controller may upload an Excel sheet or provide the personal data manually, so that the data processor can simplify the data controller’s work in achieving the purposes listed in A.1. Which data is processed depends on the data fields available in the Equality Check solution and on the data the data controller provides.

Aggregated data about the data controller’s employees, such as how many of the employees work part time and differences based on gender, etc. | Employee | This information is not personal data unless a group contains only one person.



A.4. Processing includes the following categories of data subject:

Data Controller (Client)
Employees

 


 

Appendix B Authorised sub-processors 


 

B.1. Approved sub-processors

On commencement of the Agreement, the data controller authorises the engagement of the following sub-processors:

 

NAME | LOCATION | DESCRIPTION OF PROCESSING

Azure | Norway* | Data storage

Auth0 | Germany, with failover to the Republic of Ireland | Authentication

Postmark | USA | Used to send system emails such as user requests, login codes and reminders

Twilio | EU | Used to send one-time passwords for logging into the application

Mixpanel | EU | Used to analyse user behaviour on the platform

 

The data controller shall on the commencement of the Agreement authorise the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or have another sub-processor perform the described processing.

 

The data controller accepts that Azure delivers standard services subject to standard data processing terms. Such terms may not be in accordance with all requirements set forth in this Agreement. The data controller may review the Azure data protection agreement here.

 


 

Appendix C Instruction pertaining to the use of personal data 


 

C.1. The subject of/instruction for the processing

 

The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:

 

The processing shall be carried out in accordance with this Agreement and the main agreement giving the data controller access to Equality Check, which is a tool where organisations can add their D&I data based on validated indicators and receive digital reports mapping the pipeline in terms of equality, identifying problem areas and suggesting evidence-based solutions to improve.



C.2. Security of processing

The level of security shall take into account:

 

The data processor shall hereafter be entitled to make decisions about the technical and organisational security measures that are to be applied to create the agreed level of data security.    

 

The data processor shall implement the following measures that have been agreed with the data controller:  

 

- Multi-factor authentication (MFA) enabled for all users.
- Data will only be made available to persons under the authority of the data processor on a need-to-know basis.
- The application will be subject to an external security assessment on an annual basis.
- Data will be encrypted in transit using TLS.
- Data will be encrypted at rest using industry-standard AES-256.

 
