This Data Processing Agreement ("Agreement"), between you as the Customer, (here in after referred to as the "Controller") acting on its own behalf; and Adonis AS (hereinafter referred as the “Processor") acting on its own behalf.
The terms used in this Agreement shall have the meanings outlined in this Addendum. Terms not otherwise defined here in shall have the meaning given to them in the Master Agreement. Except as modified below, the terms of the Master Agreement shall remain in full force and effect.
The parties here by agree that the terms and conditions set out below shall be added as an Addendum to the Master Agreement, which will in any case of conflict take precedence over any Master Agreement between the parties.
In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
"Authorized Sub-processors" means (a) those Sub-processors set out in Annex 3 (Authorized Transfers of Controller Personal Data), and (b) any additional Sub-processors consented to in writing by Controller in accordance with Sub- processing section.
"Sub-processor" means any Data Processor (including any third party) appointed by the Processor to process Controller Personal Data on behalf of the Controller.
"Process/Processing/Processed", "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Special Categories of Personal Data" and any further definition not included under this Agreement or the Master Agreement shall have the same meaning as in EU General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and the European Council.
“Data Protection Laws” means EU General Data Protection Regulation 2016/679 of the European Parliament and the European Council ("GDPR") as well as any local data protection laws.
“Erasure" means the removal or destruction of Personal Data such that it cannot be recovered or reconstructed. "EEA" means the European Economic Area.
"Third country" means any country outside EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.
"Controller Personal Data" means the data described in Annex 1 and any other Personal Data processed by Processor on behalf of the Controller according to or in connection with the Master Agreement.
"Personal Data Breach" means a breach of leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.
"Services" means the services to be supplied by the Processor to the Controller according to the Master Agreement. “Products” means the products to be supplied by the Processor to the Controller according to the Master Agreement.
"Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these.
"Work-related activities" does not contain the physical location of a person. It means the possibility to track for what dates a person is sailing, on leave, on training, etc.
2.1 In the course of providing the Services and/or Products to the Controller according to the Master Agreement, the Processor may process Controller personal data on behalf of the Controller as per the terms of this Addendum. The Processor agrees to comply with the following provisions concerning any Controller personal data.
2.2 To the extent required by applicable Data Protection Laws, the Processor shall obtain and maintain all necessary licenses, authorizations, and permits necessary to process personal data including personal data mentioned in Annex 1.
The Processor shall maintain all the technical and organizational measures to comply with the requirements set forth in the Addendum and its Annexes.
3.1 The Processor shall only process Controller Personal Data for the purposes of the Master Agreement. The Processor shall not process, transfer, modify, amend or alter the Controller Personal Data or disclose or permit the disclosure of the Controller personal data to any third party other than following Controller’s documented instructions, unless the processing is required by EU or Member State law to which Processor is subject. The Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement before processing the Personal Data and comply with the Controller’s instructions to minimize, as much as possible, the scope of the disclosure.
4.1 The Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to the Controller's personal data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Controller Personal Data.
4.2 The Processor must ensure that all individuals which have a duty to process controller personal data:
4.2.1 Are informed of the confidential nature of the Controller Personal Data and are aware of Processor's obligations under this Addendum and the Master Agreement concerning the Controller Personal Data;
4.2.2 Have undertaken appropriate training/certifications concerning the Data Protection Laws;
4.2.3 Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
4.2.4 Are subject to user authentication and logon processes when accessing the Controller Personal Data in accordance with this Agreement, the Master Agreement, and the applicable Data Protection Laws.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures (Annex 2) to ensure a level of Controller Personal Data security appropriate to the risk, including but not limited to:
5.1.1. Pseudonymization and encryption;
5.1.2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
5.1.3. The ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident; and
5.1.4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5.2. In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.
6.1. As of the Addendum Effective Date, the Controller hereby authorizes the Processor to engage those Sub- Processors set out in Annex 3 (Authorized Sub-Processors). The Processor shall not engage any Data Sub-Processors to Process Controller Personal Data other than with the prior written consent of Controller, which Controller may refuse with absolute discretion.
6.2. Concerning each Sub-processor, the Processor shall:
6.2.1. Provide the Controller with full details of the Processing to be undertaken by each Subprocessor.
6.2.2. Carry out adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for Controller Personal Data, including without limitation, sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR, this Agreement, the Master Agreement, and the applicable Data Protection Laws.
6.2.3. Include terms in the contract between the Processor and each Sub-processor which are the same as those set out in this Addendum. Upon request, the Processor shall provide a copy of its agreements with Sub-Processors to the Controller for its review.
6.2.4. Insofar as that contract involves the transfer of Controller Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Controller into the contract between the Processor and each Sub-Processor to ensure the adequate protection of the transferred Controller Personal Data.
6.2.5. Remain fully liable to the Controller for any failure by each Sub-Processor to fulfill its obligations concerning the Processing of any Controller Personal Data.
7.1. Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights as laid down in EU GDPR.
7.2. The Processor shall promptly notify the Controller if it receives a request from a Data Subject, the Supervisory Authority, and/or other competent authority under any applicable Data Protection Laws concerning Controller Personal Data.
7.3. The Processor shall cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a Data Subject under any Data Protection Laws concerning Controller Personal Data and comply with any assessment, inquiry, notice, or investigation under any Data Protection Laws concerning Controller Personal Data or this Agreement, which shall include:
7.3.1 The provision of all data requested by the Controller within any reasonable timescale specified by the Controller in each case, including full details and copies of the complaint, communication or request, and any Controller Personal Data it holds concerning a Data Subject.
7.3.2 Where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by the Data Protection Laws.
7.3.3 Implementing any additional technical and organizational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications, or requests.
8.1. The Processor shall notify the Controller without undue delay and, in any case, within twenty-four (24) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. The Processor will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
8.1.1. Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2. Communicate the name and contact details of the Processor's Data Protection Officer, Privacy Officer, or other relevant contacts from whom more information may be obtained;
8.1.3. Describe the estimated risk and the likely consequences of the Personal Data Breach; and
8.1.4. Describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.2. The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
8.3. In the event of a Personal Data Breach, the Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by EU or Member State law to which the Processor is subject, in which case the Processor shall, to the extent permitted by such law, inform the Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Controller before notifying the Personal Data Breach.
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 of GDPR and with any prior consultations to any supervisory authority of the Controller which are required under Article 36 of GDPR, in each case solely concerning Processing of Controller Personal Data by the Processor on behalf of the Controller and considering the nature of the processing and information available to the Processor.
10.1. Processor shall promptly and, in any event, within 90 (ninety) calendar days of the earlier of (i) cessation of Processing of Controller Personal Data by Processor; or (ii) termination of the Master Agreement, at the choice of Controller (such choice to be notified to Processor in writing) either:
10.1.1. Return a complete copy of all Controller Personal Data to the Controller by secure file transfer in such format as notified by the Controller to the Processor and securely erase all other copies of Controller Personal Data Processed by the Processor or any Authorized Subprocessor unless Union or Member State law requires the storage of the personal data; or
10.1.2. Securely wipe all copies of Controller Personal Data Processed by Processor or any Authorized Sub-processor, unless Union or Member State law requires the storage of the personal data, and in each case, provide written certification to the Controller that it has complied fully with the requirements of section Erasure or Return of Controller Personal Data.
Processor shall make available to the Controller, upon request, all information necessary to demonstrate compliance with this Addendum and allow for, and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller of any premises where the Processing of Controller Personal Data takes place. The Processor shall permit the Controller, or another auditor mandated by the Controller to inspect, audit, and copy any relevant records, processes, and systems so that the Controller may satisfy itself that the provisions of this Addendum are being complied with. The Processor shall provide full cooperation to the Controller concerning any such audit and shall, at the request of the Controller, provide the Controller with evidence of compliance with its obligations under this Addendum. Processor shall immediately inform the Controller if, in its opinion, an instruction according to this section Audit (Audit Rights) infringes the GDPR or other EU or Member State data protection provisions.
12.1. Processor shall not process Controller Personal Data nor permit any Authorized Subprocessor to process the Controller Personal Data in a Third Country, other than concerning those recipients in Third Countries (if any) listed in Annex 3 (Authorized Transfers of Controller Personal Data), unless authorized in writing by Controller in advance, via an amendment to this Addendum.
12.2. When requested by Controller, Processor shall promptly enter into (or procure that any relevant Subprocessor of Processor enters into) an agreement with Controller including Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Controller Personal Data in a Third Country, which terms shall take precedence over those in this Addendum.
At the request of the Controller, the Processor shall comply with any Code of Conductapproved according to Article 40 of GDPR and obtain anymandatory certification approved by Article 42 of EU GDPR, to the extent that they relate to the processing of Controller PersonalData.
14.1. Subject to this section, the parties agree that this Agreement and the Standard Contractual Clauses shall terminate automatically upon termination of the Master Agreement or expiry or termination of all service contracts entered into by the Processor with the Controller, according to the Master Agreement, whichever is later.
14.2. Any obligation imposed on the Processor under this Addendum concerning the Processing of Personal Data shall survive any termination or expiration of this Addendum.
14.3. This Addendum, excluding the Standard Contractual Clauses, shall be governed by the governing law of the Master Agreement for so long as that governing law is the law of a Member State of the European Union.
14.4. Any breach of this Addendum shall constitute a material breach of the Master Agreement.
14.5. Concerning the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including but not limited to the Master Agreement, the provisions of this Addendum shall prevail concerning the parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union.
14.6. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Master Agreement with effect from the Addendum Effective Date first set out above.
This Annex 1 includescertain details of the Processing of Controller Personal Data as required byArticle 28(3) GDPR.
a. Categories of Data subjects
b. Categories of Personal data:
This section is only relevant if the Processor shall process sensitive Personal Data as indicated below on behalf of the Controller as part of the Maintenance and Service Agreement or Subscription Agreement. For the Processor to process such data on behalf of the Controller, the types of Sensitive Personal Data in question must be specified by the Controller.
The Controller is also responsible for informing the Processor of any additional types of sensitive Personal Data applicable according to privacy legislation in the Controller's country of establishment.
Subject matter and duration of the Processing of Controller Personal Data
The duration of the Processing is determined by the Maintenance agreement with the customer. The nature and purpose of the Processing of Controller Personal Data
The Personal Data will be processed for purpose of providing the services set out and otherwise agreed to in the Maintenance and Service Agreement or Subscription Agreement.
a. Security policy and procedures: Processor must document a security policy concerning the processing of personal data.
b. Roles and responsibilities:
c. Access Control Policy: Specific access control rights are allocated to each role involved in the processing of personal data, following the need-to-know principle.
d. Resource/asset management: Processor shall have a register of the IT resources used for the processing of personal data (hardware, software, and network). A specific person is assigned the task of maintaining and updating the register (e.g. IT officer).
e. Change management: Processor makes sure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). Regular monitoring of this process takes place.
a. Incidents handling / Personal data breaches:
b. Business continuity: Processor establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).
a. Confidentiality of personnel: Processor ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are communicated during the pre-employment and/or induction process.
b. Training: Processor ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data are also properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
a. An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing, and deleting user accounts.
b. The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities.
c. When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to personal data only to those who require it for achieving the Processor’s processing purposes.
d. Where authentication mechanisms are based on passwords, Processor requires the password to be at least eight characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.
e. The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network
Log files are activated for each system/application used for the processing of personal data. They include details about login, logout, modification, and deletion.
a. Server/Database security
b. Workstation security:
a. Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols.
b. Traffic to and from the IT system is monitored and controlled through Firewalls and logs.
a. Backup and data restore procedures are defined, documented, and linked to roles and responsibilities.
b. Backups are given an appropriate level of physical and environmental protection consistent with the standards applied to the originating data.
c. Execution of backups is monitored to ensure completeness.
During the development lifecycle to the best of our knowledge we use best practice, state of the art and well-acknowledged secure development practices or standards.
a. Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CD’s, DVDs, etc.) physical destruction will be performed.
b. Shredding of paper and portable media used to store personal data is carried out.
The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures (e.g. Intrusion detection system) or organizational measures shall be set in place to protect security areas and their access points against entry by unauthorized persons.
For Adonis Support and Consultancy (all Customers)
The support and consultancy sub-processors will never get transferred data but may have access to data through the hosted systems or access to customer systems.