Data Processing Agreement
This Data Processing Agreement is an attachment to and forms part of the Customer Agreement between Customer (“Controller”) and Gobi Stories AS, org. no. 915 752 381 (“Processor”).
Background, Purpose and Definitions
The parties to this Data Processing Agreement have entered into a customer agreement granting access to Gobi’s production and distribution tools (“the Agreement”). This Data Processing Agreement is to govern the Processor’s rights and obligations, with regard to all Processing of Personal Data on behalf of the Controller under the Agreement in order to ensure that all Processing of Personal Data is conducted in compliance with applicable data protection legislation.
Processor will Process Personal Data for the following purposes:
- For the tasks necessary in order to fulfill the obligations set forth in the Agreement with Controller, more specifically to be able to make Processor’s products and services available to Controller’s clients and to create, administrate and distribute pictures and videos in the story format on behalf of Controller.
Processor will have access to the following Personal Data from the Controller:
- Customer data: Images and videos uploaded, first name, surname and e-mail addresses.
- General use of our products: Analytical data such as usage and preference information, device information, crash data, log information, on which web pages stories are distributed and data you provide us when using our Service like text added to videos and forms.
- Sales and billing: Price, goods purchased, billing information, emails received from customer and contact information including phone number.
Processing activities may include:
- Collection, structuring, storage, adaptation or alteration, retrieval, use, alignment or combination of personal data and hosting, all for the purpose of fulfilling the obligations set forth in the Agreement with Controller.
The Controller has the power of attorney to enter into Data Processing Agreements for Personal Data on behalf of its subsidiaries.
For the purposes of this Data Processing Agreement, Customer will be considered the controller (“Controller”) who determines the purposes and means of the processing in accordance with applicable data protection legislation, and Supplier will be considered the processor (“Processor”), meaning the legal entity Processing Personal Data on behalf of the Controller.
This Data Processing Agreement applies for all in-scope Processing of Personal Data by the Processor on behalf of the Controller.
When fulfilment of the Agreement will involve Processing of Personal Data (as defined below) it will be subject to statutory provisions and obligations under relevant data protection legislation. When the Controller is a legal entity established in the European Economic Area (the “EEA”) relevant data protection legislation will include the EU Regulation 2016/679 (the “Regulation” or “GDPR”) as amended from time to time and all relevant national legislation including national implementations of the Regulation.
The Data Processing Agreement is intended to fulfill the requirements set down in the Regulation. The parties agree to amend this Data Processing Agreement to the extent necessary due to any mandatory new requirements according to the Norwegian implementation of the Regulation.
“Personal Data” shall mean any information relating to an identified or identifiable natural person, as further defined in Article 4(1) of the Regulation.
“Processing of Personal Data” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, transfer, storage, alteration or disclosure, as further defined in Article 4(2) of the Regulation.
“Data Subjects” means the natural persons whose personal data are processed. In this context “Controller’s customers” will be used to refer to the Data Subjects.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Third Countries” shall mean countries outside of the EU/EEA not recognized as countries providing adequate protection of Personal Data.
The Processor’s Undertakings
During the term of this Data Processing Agreement the Processor shall comply with all relevant provisions with relevance for the protection of Personal Data set out in this Data Processing Agreement and in applicable data protection legislation. The Processor shall provide the Controller with assistance to ensure and document that the Controller complies with its requirements under the applicable data protection legislation.
The Processor shall comply with the instructions and routines issued by the Controller in relation to the Processing of Personal Data under the Agreement, unless such instructions violate any provision in the Regulation and/or national applicable data protection legislation.
Restrictions on Use
The Processor shall only Process Personal Data on the instructions from the Controller and strictly in accordance with such instructions. The Processor shall not under any circumstances Process Personal Data beyond what is necessary to fulfill its obligations towards the Controller under the Agreement without prior written agreement with the Controller or subject to written instructions from the Controller.
The Processor shall by means of planned, systematic, organisational and technical measures ensure appropriate information security with regard to confidentiality, integrity and accessibility in connection with the Processing of Personal Data in accordance with the information security provisions in applicable data protection legislation. A detailed description of the information security requirements shall be set out in Annex 2 to this Data Processing Agreement.
In deciding which technical and organisational measures should be implemented, the Processor shall take into account:
- The state of the art
- The costs of implementation
- The nature and scope of the processing
- The context and purpose of the processing
- Risks of varying likelihood and severity for the rights and freedoms of natural persons
The Processor shall consider:
- Implementing pseudonymisation and encryption of Personal Data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights.
The Processor shall assist the Controller in ensuring compliance with applicable law, including:
- Implementing technical and organisational measures as stated above
- Complying with the duty of notification to supervisory authorities and data subjects in case of a personal data breach
- Carrying out privacy impact assessments
- Carrying out prior consultations with supervisory authorities when a privacy impact assessment renders it necessary
Assistance as set out above shall be carried out to the extent necessary, taking into account the Controller’s needs, the nature of the processing and the information available to the Processor.
Discrepancies and Data Breach Notifications
Any use of the information systems and the Personal Data that contravenes established routines, instructions from the Controller or applicable data protection legislation, as well as any security breaches, shall be treated as a discrepancy.
The Processor shall have in place routines and systematic processes to follow up discrepancies which shall include re-establishing the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.
The Processor shall provide a written report to the Controller regarding discrepancies. The report shall include information on which measures are taken by the Processor to re-establish the normal state of affairs, eliminate the cause of the discrepancy and prevent its recurrence.
The Processor shall immediately notify the Controller if a discrepancy results in accidental, unlawful or unauthorized access to, use or disclosure of Personal Data, or if the data has otherwise been compromised. The Processor shall provide the Controller with all information necessary to enable the Controller to comply with applicable data protection legislation and to answer any inquiries from the data protection authorities. It is for the Controller to notify the applicable Data Protection Authority of discrepancies in accordance with applicable law.
The Processor shall keep confidential all Personal Data and other confidential information. The Processor shall further ensure that each member of the staff of the Processor, whether employed or for hire, having access to or being involved with the Processing of Personal Data under the Agreement (i) undertakes a duty of confidentiality and (ii) is informed of and complies with the obligations of this Data Processing Agreement. The duty of confidentiality shall also apply after termination of this Data Processing Agreement.
The Processor agrees that its organisation, data processing facilities, relevant security measures, use of sub-contractors and any other aspect at any time relevant to the purpose of this Agreement and the relevant Data protection legislation may be subject to audits and inspections by the Controller or a third party on behalf of the Controller. The purpose of such audits shall be for the Controller to verify that the Processor complies with requirements of the Agreement, this Data Processing Agreement and applicable legislation. Such audits shall not be made more than once annually, unless the Controller has reason to believe that there are discrepancies as set out in Section 2.4 above.
The Controller has the right to demand regular security audits, performed by an independent third party. The third party will produce a report, which will be delivered to the Controller upon request.
Each Party will cover its own costs in connection with the inspection and / or audit. However, if a material breach is discovered in connection with the inspection or audit, the Data Processor shall cover the reasonable costs in connection with such audit.
Transfer of Personal Data to Third Countries
The Processor shall comply with any instructions from the Controller with regard to fulfilment of any legal requirements related to lawful transfer of Personal Data and shall not transfer Personal Data to Third Countries without express written consent from the Controller. The same applies to access to Personal Data from a Third Country.
In the above cases the Processor shall collaborate with the Controller in conjunction with the execution of data transfer agreements based on the EU Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries in accordance with the Decision C-311/18 (Schrems II), binding corporate rules, or any replacement or alternative clauses approved by the European Commission. If the circumstances in a Third Country change so that the personal data security there is no longer considered satisfactory, or the basis for the transfer for any other reason lapses, the Controller can revoke the approval for third country transfer with the effect that the Data Processor must immediately cease the transfer.
Pursuant to Article 28 of the Regulation, use of the SCCs must be complemented by a supplementary data processing agreement ensuring that all criteria in Article 28 are met.
Controller grants Processor the right to sign SCCs with sub-processors, so that sub-processors may process data on Processor’s behalf for the purpose of fulfilling the obligations set forth in the Agreement with Controller, when Controller has approved the transfer and the applicable sub-processor.
Use of Sub-Processors
The Processor may engage third-party service providers to store, move, transfer or otherwise process Personal Data belonging to the Controller (“Sub-Processors”). By executing this Data Processing Agreement, the Controller acknowledges and accepts the Processor’s use of Sub-Processors as set out in Annex 1 to this Data Processing Agreement.
Processor shall, by written agreement with any Sub-Processor, ensure that any Processing of Personal Data by Sub-Processors is subject to the same obligations and limitations as those imposed on the Processor pursuant to this Data Processing Agreement.
Processor may move, store, transfer, or otherwise process Personal Data belonging to the Controller outside of the EU/EEA, provided such transfer meets the requirements and undertakings which follow from the General Data Protection Regulation, with the execution of data transfer agreements based on the EU Standard Contractual Clauses for the transfer of Personal Data to sub-processors established in Third Countries in accordance with the Decision C-311/18 (Schrems II), or any replacement or alternative clauses approved by the European Commission.
Processor may engage a new Sub-Processor (“New Processor”) to Process Personal Data on Controller’s behalf. Controller may object to the Processing of Customer’s Personal Data by the New Processor, for reasonable and explained grounds, within 30 business days following Processor’s written notice to Controller of the intended engagement with the New Processor. If Controller timely sends Processor a written objection notice, the parties will make a good-faith effort to resolve Controller’s objection. In the absence of a resolution both Parties may terminate the agreement with 7 days’ notice. Notification of termination must be given within 21 days after the Controller opposed the change.
Obligations of the Controller
The Controller confirms that Controller:
- Has sufficient legal basis for Processing of Personal Data
- Has responsibility for the correctness, integrity, content, reliability and legality of the Personal Data
- Complies with applicable law on notification to and authorizations from relevant authorities
- Has informed the Data subject in accordance with applicable law
- Will not submit, store, or send any sensitive data or special categories of personal data (collectively, “Sensitive Data”) to Processor. Controller acknowledges that Processor does not request or require Sensitive Data as part of providing the Service to Controller and that Processor does not wish to receive or store Sensitive Data.
The Controller shall implement sufficient technical and organizational measures to ensure and demonstrate compliance with the Regulation.
In case of a Personal Data Breach the Controller shall without undue delay, and where feasible not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority in accordance with GDPR Article 55 and, if necessary, the data subjects without undue delay in accordance with applicable law.
The notification shall at least fulfill the requirements of GDPR Article 33(3)(a) to (d).
The Controller shall keep confidential all Personal Data and other confidential information that the Controller has access to from the Processor by this Data Processing Agreement.
Liability, Breach, Notification
The Processor is liable for any action, proceeding, liability, loss, damage, cost, claim, fine, expense and/or demand (“claim”) incurred by the Controller and which arise from the Processor’s breach of obligations under this Data Processing Agreement. The Processor is in the same way responsible and liable for all acts and omissions by the Processor’s Sub-Processors.
The Processor shall at any rate not be liable for indirect, special or consequential damages.
The Processor’s aggregated total liability under this Agreement, including any attachments and appendices thereto shall be limited to a maximum amount equal to 75 % of Processor’s turnover acquired under the Agreement during the last 12 months.
The Processor shall notify the Controller without undue delay if it is or is likely to become unable to comply with any of its obligations under this Data Processing Agreement.
Upon any such aforementioned notice the Controller shall be entitled, at its sole discretion, to either suspend the right of the Processor to Process Personal Data pursuant to this Data Processing Agreement until the Processor is able to demonstrate satisfactory compliance, or to terminate this Data Processing Agreement upon ten (10) working days’ written notice.
Term and Termination of the Data Processing Agreement, Changes
This Data Processing Agreement shall be effective from the date it is signed by both parties and until the Agreement expires or until the Processor’s obligations in relation to the performance of services in accordance with the Agreement are otherwise terminated, except for those provisions in the Agreement and Data Processing Agreement that continue to apply after such termination.
Upon termination of this Data Processing Agreement the Processor (and its permitted sub-processors) shall immediately cease to Process the Personal Data as from a date stipulated by the Controller. The Processor shall in such an event subsequently delete and at the choice of the customer also return all Personal Data and other data or copies of data provided to, or further Processed by the Processor for the purposes of the Agreement. The data shall be returned in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of the data.
As an alternative to returning the Personal Data (or other data), the Controller may, in its sole discretion, instruct the Processor in writing, that all or parts of the Personal Data (or other data) shall be deleted by the Processor, save to the extent that the Processor is prevented by mandatory law from deleting the Personal Data.
The Processor has no right to keep a copy of any data provided by the Controller in relation to the Agreement or this Data Processing Agreement in any format, and all physical and logical access to such data shall be deleted.
The Processor shall provide to the Controller a written declaration whereby the Processor warrants that all data mentioned above has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, print out or any other representation of the data on any medium.
The obligations pursuant to sections 2.5 and 3 shall continue to apply after termination. Further, the provisions of the Data Processing Agreement shall apply in full to any Personal Data retained by the Processor in violation of this section 4.
The parties shall amend this Data Processing Agreement upon relevant changes in applicable law.
Dispute and jurisdiction
This Data Processing Agreement shall be governed by and construed in accordance with the laws of Norway, save for mandatory provisions in applicable data protection legislation. The venue shall be Oslo District Court, if no other mandatory jurisdiction applies in applicable data protection legislation.
ANNEX 1: Overview of Personal Data Processed and sub-contractors
*Gobi and all Sub-Processors listed above have signed DPAs and EU standard contractual clauses, approved by the EU Commission, to ensure that any transfer of Personal Data (both inside and outside the EU/EEA) meets the requirements and undertakings which follow from the General Data Protection Regulation.
ANNEX 2 – Security measures in place for the Personal Data
- We enter into data processing agreements with all Sub-Processors.
- We ensure that Personal Information is Processed solely in accordance with the Client’s instructions (control of instructions).
Personnel and Access Control:
- Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Information. Authorized personnel have signed confidential agreements, are trained about security obligations, and will only have access to data needed to provide and improve our service.
Logical Access Control:
- Your data is logically separated from other data. Our database is protected from unauthorized access using passwords. Images and videos, and related data, are stored without encryption.
- We ensure that persons entitled to use a Personal Information Processing system, gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use, and after storage, Personal Information cannot be read, copied, modified or deleted without authorization (data access control).
- We ensure that Personal Information is protected against accidental destruction or loss (availability control) by performing backups either ourselves or through some of our sub-processors, such as Google Cloud and Cloudinary.
- We consider most of the data we process on behalf of the Controller to be intended for public sharing. Once distributed and publicly shared, anyone could store the data without consent using screen capture or similar techniques. However, Gobi still takes data privacy seriously and we use best practices to protect the data we process.
Measures and assurances regarding government surveillance in third countries (including the U.S):
- When processing data in third countries we will limit the data transferred and the duration of the processing to what’s needed to deliver our services.
- Our sub-processors use encryption for data both in transit and at rest for data stored and processed in third countries to prevent potential surveillance access to personal data.
- Our sub-processors’ data in third countries is logically separated. A potential national security order of the type described in Paragraphs 150-202 of the judgment in the EU Court of Justice Case C-311/18 to any of our sub-processors about any of their data controllers will not include data from Gobi unless specifically included in that order.
- Our sub-processors in third countries have policies to inform us if they receive requests for disclosure of the customer Personal Data by law enforcement authorities (including under the U.S. Foreign Intelligence Surveillance Act (“FISA”) §702), unless they deem in good faith that such information sharing is prohibited under applicable law.
- Gobi will notify Customer if Gobi can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
- We will continue to carry out privacy and security assessments to verify that we comply with the requirements of the Agreement, this Data Processing Agreement and applicable legislation. If necessary, we will update our measures and safeguards and remove sub-processors if they fail to meet any new EU requirements for remaining compliant with GDPR.
This version of the Data Processing Agreement was created 12.07.2023