Standard Contractual Clauses
This agreement with the underlying agreements (Terms of use and the privacy policy) is bindingly entered into upon acceptance of an offer from the supplier. ONwork may change the text of the agreement if necessary. In the event of any change, ONwork is obliged to notify you three months before the change takes effect. If you do not accept the change, you are free to notify ONwork and then be released from the agreement.
The agreement is deliberately designed in a simple and understandable language.
If something should still be unclear, we will be happy to hear from you info@onwork.no
What is the Standard Contractual Clauses?
The Norwegian Personal Data Act and EU Regulation 2016/679 ("GDPR") (collectively referred to as "privacy legislation") contain requirements for the regulation of the relationship between data processor and data controller, and for the security and organizational measures that must be implemented to ensure legal and secure processing of personal data. This data processor agreement has been entered into to ensure that personal data is only processed in accordance with applicable laws and regulations.
The following personal information may be processed in the Solution: Name, telephone number and e-mail for registered contacts.
The purpose of processing data, including personal data, is to be able to offer an IT platform that makes interaction and control better and easier over time.
Some important concepts in this context are:
- The registered person / persons: An identified or identifiable living natural person for whom the data controller has registered personal data in the Solution.
- Data processor: It is you as a customer who is responsible for the processing of the personal information / data registered in the Solution - and that the privacy in this connection is adequately safeguarded.
- Data controller: ONwork as a supplier processes the personal data on behalf of you as the data processor
- Standard contractual clauses: This agreement regulates the data processor's treatment of personal data on behalf of the data controller.
Duties and rights of the data controller
- There is a sufficient basis for treating the processing of personal data.
- The data controller is responsible for the accuracy, integrity, content, reliability and legality of the personal data that is processed.
- The data controller has informed the registered persons in accordance with the applicable legal requirements at any given time.
-
The data controller shall ensure that personal data is processed in accordance with privacy policy, respond to inquiries from the data subjects and ensure that sufficient technical and organizational measures are implemented to secure the personal data that is processed, cf. Article 32 of the GDPR.
- The data controller is responsible for reporting breaches of personal data security to the Norwegian Data Protection Authority and possibly to the data subjects without undue delay in accordance with current policy.
- The data controller shall not register or store personal data beyond what is necessary for the purpose of the processing.
Duties and rights of the data processor
- The data processor does not have ownership of personal data that is processed on behalf of the data controller, but shall only process these on behalf of the data controller and in accordance with the data controller's instructions as regulated in this Standard contractual clauses.
- The data processor must immediately notify the data controller if the data processor believes that an instruction from the data controller is in breach with the privacy policy.
- The data processor shall ensure adequate protection of personal data through both technical and organizational measures in accordance with GDPR Article 32. This is done, among other things, through a risk and vulnerability analysis that provides a basis for organizational routines and technical measures.
- The data processor must maintain a security level for the processing of personal data that is sufficient in relation to the risk of the processing. The data processor shall protect the personal data from destruction, alteration, unauthorized disclosure, or unauthorized access.
- The data processor confirms that all persons who are authorized to process the personal data have undertaken to treat the data confidentially.
- Upon request, the data processor shall assist the data controller with regard to work to fulfill the latter's obligations under privacy policy, for example pursuant to GDPR Chapter III and Articles 32-36. The work is invoiced according to time spent and current hourly rates.
- The data processor shall, without undue delay, notify the data controller if a breach of personal data security has been established, or is suspected.
- The data processor can generate aggregated and anonymised statistics and analyzes of usage patterns in the Solution as part of the fulfillment of the Terms of use, and to streamline the data controllers' choice alternatives and use of the Solution.
- In order to be able to follow up the customer relationship with the data controller (such as invoicing or contacting), the data processor can access and use registered personal information such as user and company name, address, e-mail and telephone number.
- The data processor may have access to registered personal information in the event of suspicion of errors in or misuse of the Solution.
Audits
The data processor shall assist the data controller by making documentation available to the extent necessary for the data controller to be able to demonstrate that the data processor's obligations under the data processor agreement and the privacy policyhave been fulfilled. All such assistance from the data processor to the data controller is made on written request and invoiced after the elapsed time.
The data controller and relevant supervisory authority have the right to carry out audits, including inspections, of personal data that is processed, technical and organizational security measures carried out. The data controller shall not be given access to information concerning the data processor's other customers and information that is subject to confidentiality obligations. The data controller shall cover costs related to audits initiated by the data controller or incurred in the audit of the data controller, unless the audit reveals non-fulfillment of obligations under the Standard contractual clauses or privacy policy.
Confidentiality
The data processor, its subcontractors and others who, on behalf of the data processor, have access to the personal data, are subject to a duty of confidentiality and shall comply with the duty of confidentiality in connection with the processing of personal data in accordance with privacy policy. The data processor is responsible for ensuring that subcontractors and others who act on behalf of the data processor are subject to such a duty of confidentiality.
The data controller is subject to a duty of confidentiality with regard to documentation and information related to the data processor's and its subcontractors' implementation of technical and organizational security measures, and information that the data processor otherwise wishes to keep confidential. However, the data controller may always share such information with relevant supervisory authorities, if this is necessary to comply with the data controller's obligations under the privacy policy or other statutory obligations.
The duty of confidentiality also applies after the termination of the Standard contractual clauses
General
Transfer out of the EU / EEA
Transfer of personal data to countries outside the EU / EEA can only take place after approval by the data controller as described in the section "Use of subcontractors" below, and using the EU's standard terms, or based on other legal grounds for such transfer in accordance with applicable law.
By entering into this Standard contractual clauses, the data controller authorizes the data processor to enter into the EU standard terms on behalf of the data controller, or to secure another legal basis for the transfer of personal data out of the EU / EEA to a subcontractor approved in accordance with the procedure in "Use of subcontractors "below.
Upon request, the data processor shall provide the controller with a copy of such EU standard terms or a description of other legal basis for the transfer, and provide reasonable assistance and documentation for use in the controller's risk assessment of subcontractors or transfers of personal data out of the EU / EEA.
Agreement duration
The Standard contractual clauses is an appendix to the Terms of use and lasts as long as the data processor treats personal data on behalf of the data controller.
Upon termination of the Standard contractual clauses, the data processor shall, at the choice of the data controller, delete or return all personal information and delete existing copies. Such deletion / return must be completed within 90 days after the termination of the Standard contractual clauses. The data controller will have the opportunity to retrieve previously registered data for 90 days after the Termination of the Terms of use. The data controller will be invoiced based on time elapsed for work operations that are not included in the automated solution.
Deletion of and access to personal information
The data controller is responsible for determining the retention period for the personal data, so that personal data is not stored longer than is necessary for the purpose for which they were collected.
The data controller can choose to delete all or part of the information in the Solution. When deleting information, all associated data, including personal information, will also be deleted.
Access to and change of personal information
Retrieval of information on request stored in the Solution that is not included in the automated solution, but which requires separate work operations by the data processor will be invoiced to the data controller.
In cases where there is no functionality for changing personal information in the Solution, a written inquiry can be sent to the data processor. Modification of personal data will only be carried out if it is not in conflict with current legislation. The data processor will invoice the data controller for the time spent on work in connection with changes to personal data.
In the event of changes, old values will be available as backup for up to 3 months. This time period is set to prevent inconsistencies in registered personal data in the event of unforeseen events.
Supplier
Name: ONwork AS
Org.nr.: 824948232
Adress: Nordre gate 8, 7011 TRONDHEIM
Contact person: Anne Hegle Jespersen
E-mail: anne@onwork.no
Use of subcontractors
The data controller approves that the data processor may engage subcontractors to assist in providing the service and process personal data under the Terms of use, provided the data processor complies with the procedure for engaging new / replacing subcontractors as described below, and the data processor ensures that the data processor's obligations and Standard contractual the privacy legislation is imposed on subcontractors through a written agreement.
The data processor shall have a list with an overview of the identity of all subcontractors and places where subcontractors process personal data on behalf of the data controller.
The data processor shall update the list to reflect any addition or replacement of subcontractors and notify the data controller no later than two months before the subcontractor is to begin processing personal data. Any objection to such changes must be submitted to the data processor within two weeks of receiving such notification.
The data processor shall be fully responsible to the data controller for the subcontractors fulfilling their obligations.
Source AS
IT supplier who performs the technical development of ONwork. Source AS is subject to a data processor agreement. We try to keep their access to data to a minimum, but they need access to correct errors and improve the solution.
Norway
TomorrowNext AS
Some of our technical project managers are engaged through the company TomorrowNext AS, and are subject to a Standard contractual clauses
Norway
Microsoft Inc.
ONwork is operated on Microsoft's servers within the EU / EEA