Timely Data Processing Agreement
Timely AS, a limited liability company registered in Norway (reg. no. 915 517 203) (the "Provider", "Data Processor") and the subscriber (the "Subscriber", "Data Controller"), each a "Party", jointly the "Parties", have entered into an agreement ("Master Service Agreement") regarding the delivery of Timely and Dewo ("Services"). This Data Processing Agreement forms part of the Master Service Agreement.

WHEREAS

(A) The Subscriber acts as a Data Controller.

(B) The Data Processor will provide certain Services to the Data Controller pursuant to the Master Service Agreement. In the context of the provision of such Services, the Data Processor will process personal data on behalf of the Data Controller in accordance with this Agreement.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 "Agreement" means this Data Processing Agreement and all Appendices;

1.1.2 "Subscriber Personal Data" means any Personal Data Processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Master Service Agreement;

1.1.3 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.4 "EEA" means the European Economic Area;

1.1.5 "EU Data Protection Laws" means EU General Data Protection Regulation 2016/679 ("GDPR"), as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time;

1.1.6 "Sub-processor" means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller in connection with the Agreement.

1.2 The terms "Commission", "Controller", "Data Subject", "Data Protection Officer", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Subscriber Personal Data
2.1 The Data Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Subscriber Personal Data;

2.1.2 not Process Subscriber Personal Data other than on the Subscriber's documented instructions; and

2.1.3 immediately inform the Data Controller if, in the Data Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

2.2 Appendix A contains details about the processing of Subscriber Personal Data, including the purpose and nature of the Processing, type of Personal Data, categories of Data Subject and duration of the Processing.

2.3 The Provider may anonymise and aggregate data for the purpose of providing, improving and publicising the Provider's products and services, including the Service, or other legitimate business purposes. The Provider acts as controller for processing of personal data for the Provider's business purposes, and will process such personal data in accordance with its applicable privacy policy which is available [here].

3. The Obligations, Rights and Responsibilities of the Data Controller
3.1 The Data Controller is responsible for ensuring that the processing of personal data takes place in compliance with the Data Protection Laws (see Article 24 GDPR). For the avoidance of doubt, this includes being responsible for ensuring that the Data Controller has a lawful basis for the processing of Personal Data under the Data Protection Laws when using the Services and making available Personal Data to the Data Processor in accordance with the Master Service Agreement.

3.2 The Data Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data. The initial instructions by the Data Controller are that the Data Processor shall process personal data on behalf of the Data Controller as described in this Agreement, in particular section 2 above and Appendix A.

3.3 In the event that the Data Processor violates this Agreement or the Data Protection Laws, the Data Controller may require the Data Processor to stop further processing of the Subscriber Personal Data with immediate effect.

4. Security & Confidentiality
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall in relation to the Subscriber Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, the Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

4.3 The Data Processor's current technical and organizational security measures are further described at https://timely.com/security-at-timely. The Data Processor may update or modify its technical and organizational measures from time to time, provided such updates and modifications do not result in the degradation of the overall security of the services.

4.4 The Data Processor shall assist the Data Controller in ensuring compliance with the obligations set out in Article 32 GDPR, taking into account the nature of the Processing and the information available to the Data Processor.

4.5 The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Subscriber Personal Data, ensuring in each case that access is limited to those individuals who need to know / access the relevant Subscriber Personal Data, as necessary for the purposes of the Master Service Agreement, and to comply with the EU Data Protection Laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Sub-processing
5.1 The Data Processor has the Data Controller's general authorisation for the engagement of Sub-processors. The Data Processor shall inform the Data Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least 1 month in advance, thereby giving the Data Controller the opportunity to object to such changes prior to the engagement of the concerned Sub-processor(s). The Data Processor may transfer Personal Data to intra-group entities, to the extent necessary for performing its obligations under the Master Service Agreement. The list of Sub-processors and intra-group entities already authorised by the Data Controller can be found in Appendix B.

5.2 The Data Processor shall be responsible for requiring that the Sub-processor at least complies with the obligations to which the Data Processor is subject pursuant to this Agreement and the GDPR.

6. Data Subject Rights
6.1 Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligations under the Data Protection Laws, as reasonably understood by the Data Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 The Data Processor shall:

6.2.1 promptly notify the Data Controller if it receives a request from a Data Subject under any Data Protection Laws in respect of Subscriber Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of the Data Controller or as required by applicable Data Protection Laws to which the Data Processor is subject, in which case the Data Processor shall, to the extent permitted by applicable Data Protection Laws, respond to the request.

7. Personal Data Breach
7.1 The Data Processor shall notify the Data Controller without undue delay upon the Data Processor becoming aware of a Personal Data Breach affecting Subscriber Personal Data, providing the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 The Data Processor shall cooperate with the Data Controller and take such reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7.3 The notification of the Personal Data Breach must contain the following information, as a minimum:

7.3.1 A description of the nature of the Personal Data Breach including, if possible, the categories and approximate number of Data Subjects affected by the Personal Data Breach and the categories and approximate number of Personal Data records concerned, along with any information that might help to identify them;

7.3.2 The name and contact details of the Data Protection Officer or other point of contact from whom additional information may be obtained;

7.3.3 A description of the probable consequences of the Breach;

7.3.4 A description of the measures already taken or to be taken to remedy the Breach and, if applicable, measures to mitigate the negative consequences of said Breach.

7.4 The notification will be sent to the Data Controller's Data Protection Officer if applicable, alternatively to any contact person appointed by the Data Controller.

8. Data Protection Impact Assessment and Prior Consultation
The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Subscriber Personal Data by, and taking into account the nature of the Processing and information available to, the Data Processor.

9. Deletion or return of Subscriber Personal Data
9.1 Upon termination of this Agreement and/or the Master Service Agreement, the Data Processor shall, unless the Parties agree otherwise, terminate the Processing of Subscriber Personal Data, and, at the Data Controller's discretion and on its request, without delay:

9.1.2 delete or return all Subscriber Personal Data processed in respect of this Agreement to the Data Controller. The Subscriber Personal Data will be returned in a readable, usable format that meets the security standards for Processing described in this Agreement;

And to:

9.1.3 delete existing copies of the Subscriber Personal Data processed in the context of this Agreement unless European Union law or the law of the Member State concerned requires said Subscriber Personal Data to be retained, in which case the Data Processor shall inform the Data Controller promptly of its statutory obligation.

9.1.4 The Data Processor undertakes to ensure that any Sub-processors and any person authorised by it to process Subscriber Personal Data in the context of this Agreement are informed of and apply the rules relating to restitution described in this section 9.

10. Audit rights
10.1 Subject to this section 11, the Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of the Subscriber Personal Data by the Data Processor.

10.2 Any audit will be carried out during the working days and times of the entities being audited and may be carried out at any site where Subscriber Personal Data are processed in the context of the Master Service Agreement.

10.3 The Data Processor undertakes to cooperate actively with the auditor by making all resources and information necessary for it to carry out its duties available to it.

10.4 A copy of the audit report written by the auditor will be given to each Party and examined jointly by the Parties, who undertake to meet for this purpose.

10.5 Should the audit reveal the existence of failures to fulfil their obligations by the entities audited, the Data Controller may ask the entities concerned to implement corrective measures at their own expense, without delay.

10.6 The audit ordered by the Data Controller will be at its own expense, except in the event of a failure by the Data Processor to fulfil its obligations under this document or the EU Data Protection Laws being revealed in the audit report. In this case, the costs of the audit will be payable exclusively by the Data Processor.

10.7 The Data Processor undertakes to inform any Sub-processors and any person authorised by it to process Subscriber Personal Data in the context of the Master Service Agreement about the rules applicable to the audit, and to audit the aforementioned entities based on the same scope as the audit ordered by the Data Controller, if the Data Controller so requests. The Data Processor will then send the reports for the audits it has undertaken to the Data Controller.

11. Transfer of Personal Data to third countries or international organisations
11.1 The Data Processor may not transfer or authorise the transfer of Subscriber Personal Data to third countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Data Controller. The Data Processor is hereby authorised to transfer personal data to the intra-group entities and Sub-processors listed in Appendix B.

Any transfer of Subscriber Personal Data to third countries or international organisations by the Data Processor shall always take place in compliance with Chapter V GDPR. The Data Processor may rely on EU Standard Contractual Clauses as legal grounds for transfers to third countries, in addition to further required measures.

11.2 In case a transfer to third countries or international organisations, which the Data Processor has not been authorised to perform by the Data Controller, is required under EU or Member State law to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.

12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law;

(b) the relevant information is already in the public domain.

This confidentiality obligation continues to apply after the termination and/or expiration of this Agreement.

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in any Order Form under the Master Service Agreement or at such other address as notified from time to time by the Parties.

12.3 Liability. The Parties' liability for damage suffered by a data subject or other natural persons which is due to a violation of the Data Protection Laws shall follow the provisions of Article 82 of the GDPR. The Parties are individually liable for administrative fines imposed pursuant to Article 83 of the GDPR. As between the Parties (inter partes), the Data Processor's liability under this Agreement shall correspond to the regulation on limitation of liability as set out in the Master Service Agreement.

The Data Processor shall not be liable:

(a) for any indirect or consequential damage, loss of profits, loss of turnover, lost business opportunities or reputational damage suffered by the Data Controller;

(b) for any damage suffered by the data subjects or other natural persons due to identity theft, data theft or cybercrime, if the technical and organisational measures provided for in section 4 of this Agreement have been implemented;

(c) for non-performance or delay in performance caused by any event beyond the reasonable control of the Data Processor.

13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of Norway.

13.2 Any dispute arising in connection with this Agreement which the Parties are not able to resolve amicably will be submitted to the exclusive jurisdiction of the courts of Norway.

Information about personal data processed by the data processor:

List of intra-group entities: