Appendix 1 - Data Processing Agreement (Databehandleravtale)

This Data Processing Agreement (“DPA”) governs the rights and obligations of the processing of Personal Data performed by Wolters Kluwer Norway AS, org.nr. 858 698 642 (“Wolters Kluwer”), on behalf of Customer (“Customer”). Each of Wolters Kluwer and Customer is referred to as a “Party” and together as the “Parties”.

     

1. Scope of DPA 

  1. Customer has entered into an Agreement with Wolters Kluwer regarding provision of Service(s).  
  2. This DPA applies when Wolters Kluwer processes Personal Data on behalf of Customer.
  3. Wolters Kluwer provides Services which can be used by Customer for processing of Customer’s Personal Data or for processing of Personal Data on behalf of Customer’s client. For the processing of Personal Data performed for Customer where Customer is Controller, Wolters Kluwer is Processor. For the processing of Personal Data performed for Customer where Customer is Processor of its client(s), Wolters Kluwer is a sub-processor of Customer. For the avoidance of doubt, any obligation for Controller according to this DPA shall be within the responsibility of Customer and any obligation for Processor according to this DPA shall be within the responsibility of Wolters Kluwer. In the latter case, Customer is responsible towards Wolters Kluwer for any obligation, including but not limited to adequate information to and approvals from Customer’s relevant client(s).

2. Definitions 

1. In this DPA the terms and expressions shall have the meanings assigned to them below. Other capitalized words and expressions in this DPA have the respective meanings ascribed to them elsewhere in this Agreement.

“Affiliate” means, with respect to any entity, any other entity that controls, is controlled by or under the control of such first entity.

“EU Data Protection Laws” means applicable data protection and privacy legislation in force from time to time, including GDPR applicable to Customer and to Wolters Kluwer and as amended, replaced or superseded from time to time, including the laws for implementing, replacing or supplementing GDPR.

“EU Laws” means European Union or Member State law, including EU Data Protection Laws. 

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. 

“Personal Data” means any Personal Data of a Data Subject that is processed by Wolters Kluwer on behalf of Controller to perform the Services under the Agreement.

“Standard Contractual Clauses” means the latest version of the standard contractual clauses for the transfer of Personal Data to processors established in third countries under GDPR. 

“Sub-processor” means any party (including Wolters Kluwer’s Affiliates and any other third parties) appointed by Wolters Kluwer to process Personal Data to perform the Services.  

The terms “Controller”, “Data Subject”, “Personal Data breach”, “Processor” and “Supervisory authority” shall have the meanings ascribed to them in the GDPR, and their cognate terms shall be construed accordingly.

3. Instructions 

  1. Customer is, in its capacity as Controller of Personal Data, responsible for Personal Data being processed under this DPA in accordance with EU Data Protection Laws and other applicable law. Controller is responsible for ensuring that Wolters Kluwer does not process any categories of Personal Data other than those specified in Appendix A - Specification of the Processing of Personal Data and to the extent specified therein. 
  2. Wolters Kluwer, and each person authorized to perform work on its behalf, undertakes to only process Personal Data in accordance with Controller’s documented instructions, unless Wolters Kluwer is obligated to process the Personal Data pursuant to EU Data Protection Laws. In such event, Wolters Kluwer shall inform Controller about this obligation before the processing begins, to the extent that this is permissible under applicable rules. Each Party shall ensure that the other Party is entitled to process contact details and any other Personal Data of its employees if, and to the extent that this is necessary, to facilitate the performance of the Service. 
  3. Wolters Kluwer shall be entitled to process Personal Data for the purposes of developing and improving the Service, provided that this is expressly indicated by Appendix A - Specification of the Processing of Personal Data.
  4. This DPA, including Appendix A - Specification of the Processing of Personal Data, constitutes Controller’s complete instructions for the processing of Personal Data under this DPA, with the exception of any written instructions that Controller is obliged to provide during the term of the Agreement in order to comply with EU Data Protection Laws. Controller is responsible for ensuring that Controller’s complete instructions are set out in this DPA and that Controller’s complete instructions are provided to Wolters Kluwer during the term of the Agreement. All other amendments to the instructions shall be agreed separately by the Parties. Wolters Kluwer shall be entitled to reasonable compensation from Controller for abiding by the amended written instructions.
  5. If Customer is not sole Controller of the Personal Data processed, Customer is, to the extent required under EU Laws, obligated to provide Wolters Kluwer with the name and contact details of relevant Controller(s).

4. Security measures 

  1. Wolters Kluwer shall implement the organizational and technical security measures required pursuant to EU Data Protection Laws. If applicable for the Service, the measures shall be in accordance with the relevant Security Measures Description (“SMD”) (constituting Appendix 3 – Security Measures Description).  
  2. Controller is responsible for ensuring that the security measures agreed in accordance with section 4.1 comply with Processor’s data security obligations pursuant to the EU Data Protection Laws as regards the Personal Data processed.
  3. If Wolters Kluwer discovers that the security measures agreed in accordance with section 4.1 wholly or in part conflict with EU Data Protection Laws, Wolters Kluwer shall notify Controller in writing within a reasonable time. If Controller fails to provide new instructions to Wolters Kluwer within a reasonable time despite being asked to do so, Wolters Kluwer is entitled to implement any reasonable and necessary security measures required by EU Data Protection Laws at the cost of Controller.

5. Sub-processors and transfers to third countries 

  1. Controller hereby authorizes the appointment and use of Sub-processors within and outside the EU/EEA for the processing of Personal Data under this DPA. Controller approves the Sub-processors set out on the Wolters Kluwer website or otherwise presented to Controller.  
  2. Wolters Kluwer shall ensure that Sub-processors are bound by written agreements that impose the same obligations when processing Personal Data as those obligations laid down in this DPA. If a Sub-processor fails to fulfil its obligations under such agreement, Wolters Kluwer shall remain fully liable to Controller for the performance of the Sub-processor's obligations as for its own performance. 
  3. In case Wolters Kluwer intends to engage new or additional Sub-processors, the Controller hereby provides general written authorization for Wolters Kluwer to do so, provided that Wolters Kluwer shall inform Controller of any intended changes concerning the addition or replacement of any Sub-processor. Such notification can be provided via the Wolters Kluwer website or via email. Wolters Kluwer shall state the Sub-processor’s name and details of the location of the processing and, at Controller’s written request, information about the processing activity to be undertaken by the Sub-processor on behalf of Wolters Kluwer. Controller shall be entitled to object to such changes in writing within 30 days of Wolters Kluwer’s notice. If Wolters Kluwer still intends to engage a new Sub-processor despite Controller’s objection, Controller shall be entitled to terminate the Service affected within 30 days of Wolters Kluwer’s notice of the change. Notice of termination shall be given in writing, and the notice period shall be at least 30 days but no more than 60 days. Wolters Kluwer shall then reimburse Controller for any charges paid for the period after the expiry of the notice period. If Controller has a justifiable reason for its objection, Wolters Kluwer may not, for the Service affected, engage the new Sub-processor for the processing of Controller’s Personal Data during Controller’s notice period. If Controller does not have a justifiable reason for its objection, Controller’s notice shall be regarded as a premature notice of termination without cause, whereby Controller shall not be entitled to any reimbursement for any charges paid. A ‘justifiable reason’ shall mean circumstances on the part of the Sub-supplier that significantly negatively affect, or are likely to affect, the protection of the Data Subject’s Personal Data, e.g. where the new Sub-processor does not satisfy the requirements on Processors in EU Data Protection Laws.
  4. Controller entitles Wolters Kluwer to enter into the Standard Contractual Clauses for transfer of Personal Data to a third country or any provisions succeeding these, on Controller’s behalf. To clarify, if Customer is not Controller for such transfer it is within the responsibility of Customer to enter into relevant agreements for such transfer.  

6. Obligation to assist Controller

  1. To the extent legally permitted and when relevant, Wolters Kluwer will promptly notify Controller if Wolters Kluwer receives any complaint, inquiry or request including requests made by Data Subjects to exercise their rights pursuant to EU Data Protection Laws related to Personal Data. Taking into account the nature of the processing, Wolters Kluwer shall assist Controller at Controller’s cost and request, by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Controller’s obligation to respond to requests for exercising such Data Subjects’ rights. 
  2. Wolters Kluwer shall notify Controller without undue delay once Wolters Kluwer becomes aware of a Personal Data breach affecting Personal Data.  
  3. Unless otherwise agreed in writing, Wolters Kluwer shall be entitled to reasonable compensation from Controller for Wolters Kluwer’s assistance to Controller in accordance with section 6. 

7. Disclosure of Personal Data

  1. Wolters Kluwer shall not disclose or otherwise reveal any Personal Data covered by the DPA to a Data Subject or third party, unless otherwise stated in the Agreement or required by law or a court or official authority’s decision. In the event that Wolters Kluwer must disclose such Personal Data due to law or a court or official authority’s decision, Wolters Kluwer shall notify Controller of the disclosure, unless this is prohibited by applicable law or a court or official authority’s decision. 
  2. Wolters Kluwer shall notify Controller without undue delay about any enquiries from a Data Subject or Supervisory authority that refer specifically to the processing of Personal Data under this DPA and also refer such Data Subject or the Supervisory authority to Controller. Wolters Kluwer shall be entitled to reasonable compensation from Controller for any requested cooperation that refers specifically to the processing of Personal Data processed under this DPA that is not a consequence of Wolters Kluwer being in breach of its obligations under the DPA regarding the processing of Personal Data. 

8. Audit

  1. Wolters Kluwer shall make available to Controller all information necessary to demonstrate compliance with the EU Data Protection Laws’ requirements on Processors and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. In the event that Controller wishes to conduct an inspection, Controller shall provide Wolters Kluwer with reasonable prior notice and shall at the same time specify the content and scope of the inspection. Wolters Kluwer may charge Controller for any reasonable costs incurred in conjunction with the audit. 
  2. Wolters Kluwer shall immediately inform Controller if Wolters Kluwer considers that information, including inspections, in accordance with section 8.1, is not required or infringes EU Data Protection Laws. An inspection may only be conducted if an audit cannot according to EU Data Protection Laws be met by Wolters Kluwer providing information. 
  3. A precondition for an audit under section 8.1 is that Controller, or an auditor mandated by Controller, has entered into necessary confidentiality undertakings and complies with Wolters Kluwer’s security regulations at the location where the inspection is to be performed, including that the inspection will be performed without any risk of it hindering Wolters Kluwer’s business or the protection of other customers’ information. Information collected as part of the inspection shall be erased after the audit has been completed or when it is no longer needed for the purpose of the audit.

9. Confidentiality  

  1. Wolters Kluwer’s processing of the Personal Data under the DPA is covered by the confidentiality provisions included in the Agreement.
  2. Wolters Kluwer is obligated to ensure that only such personnel that directly require access to the Personal Data in order to fulfil Wolters Kluwer’s obligations in accordance with this DPA have access to the Personal Data. Wolters Kluwer shall ensure that such personnel are bound by adequate confidentiality undertakings.

10. Remuneration for work performed 

  1. In addition to what is otherwise stated in this DPA, Wolters Kluwer shall be entitled to reasonable remuneration for complying with Controller’s written instructions, provided that the action requested is not included in the Service or otherwise specified as included in the Agreement. If Wolters Kluwer is entitled to remuneration for work performed, the Wolters Kluwer Price List applicable at the time shall apply.

11. Term of DPA and measures upon termination 

  1. This DPA is valid for as long as Wolters Kluwer is processing Personal Data on behalf of Customer.  

________________ 

 

Appendix A - Specification of the Processing of Personal Data 

 

1. Brief description of the Service and the purposes of the processing 

Wolters Kluwer will process the Personal Data to the extent necessary to provide the Service pursuant to the Agreement and as specified in the applicable Service description and as further instructed by Customer in its use of the Service. 

2. Categories of Personal Data

- Contact information such as names, email addresses, telephone numbers and physical addresses 

- Identification numbers such as social security numbers and IP-addresses 

- Financial information insofar necessary to perform compliance processes such as closing of books, tax declaration and audit, payroll and internal bookkeeping

- Information on social and/or societal status insofar necessary to perform compliance processes such as closing of books, tax declaration and audit 

3. Categories of Data Subjects

- Employees of Controller 

- Clients of Controller 

- Other categories of Data Subjects provided access to the Services by Controller

4. Processing activities

Storage, administration, erasure and error correction of Personal Data and such other processing activities that are required to process the Personal Data in accordance with Controller’s instructions and to ensure that Controller can use the compliance processes supported by the Service, such as closing of books, tax declaration and audit services.  

5. Location of Personal Data processing

The processing will mainly be located in Norway, but Personal Data may also be processed by Sub-processors outside of Norway as specified below:

| Name | Location of processing | Description of the processing |
| --- | --- | --- |
| IT Forum A/S | EEA | Hosting services |
| Penneo ApS | EEA | Provision of Penneo |
| Bluewhale ApS | EEA | Provision of Bluewhale |
| Multisoft AB | EEA | Software development |
| Wolters Kluwer (group) | EEA, UK, India, US | Software development, Support services, Business supporting services |
| Salesforce | EEA, US | Support services |
| Microsoft | EEA | Hosting services, Support services |
| Amazon Web services | EEA | Backup services |
| Telenor | EEA | Support services |
| MildMedia | EEA | Support services |
| Puzzel | EEA | Support services |
| TeamViewer | EEA | Support services |
| Sendgrid | EEA, US | Email services |
| ECIT | EEA | Provision of Capego Smartflow and Capego SmartSign |


6. Use for the purposes of improving the Services 

Name, email address and Service details of Controller’s employees may be used for the purpose of improving Wolters Kluwer’s provision of the Services. 

Updated as of September 2022.