DATA PROCESSING AGREEMENT
The Parties to the Agreement
1.1 Data Controller:
The Customer who has entered into the Service Agreement. The person who has entered into the Service Agreement on behalf of the Customer is considered the contact person.
1.2 Data Processor:
Installer.com AS,
Address: Sverdrups gate 27, 4007 Stavanger, Norway,
Organization number: 928 748 774
Contact person: Kristoffer Gjerde,
Title: Product Manager,
Phone: +47 938 37 580,
Email: kristoffer.gjerde@installer.com
The Data Controller and the Data Processor are referred to individually as a “Party” and collectively as the “Parties”.
2. Background and Purpose of the Agreement
The Data Processor has undertaken to provide the services described in the General Terms (“Service Agreement”). The performance of this work involves the Data Processor processing Personal Data on behalf of the Data Controller.
As the customer, the Data Controller determines the purpose of the processing of the Personal Data and the means to be used.
This Data Processing Agreement (“DPA”) sets out the framework for the Data Processor’s processing of Personal Data on behalf of the Data Controller.
The purpose of this DPA is to:
regulate the rights and obligations of the Parties with respect to the processing of Personal Data,
ensure that the requirements of data protection legislation and GDPR are complied with in the execution of the Service Agreement, and
ensure that Personal Data is not processed unlawfully, is not accessed by unauthorized persons, and is not processed for purposes other than those set forth in this DPA.
In the event of any conflict between the provisions of this DPA and other agreements between the Parties, including the Service Agreement, the provisions of this DPA shall prevail.
3. Definitions
For the purposes of this DPA, the following definitions shall apply:
“Data Processing Agreement” (DPA) means the provisions set out in this document and its annexes.
“Personal Data” means all types of data or information considered personal data under data protection legislation and GDPR. This includes, but is not limited to, the data specified in Annex 1.
“Processing” (of Personal Data) means any use of Personal Data, such as collection, storage, organization, alteration or adaptation, disclosure, and/or transfer.
“GDPR” means EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (as implemented in Norwegian law).
“Data Protection Legislation” means the Act on the Processing of Personal Data of 15 June 2018 No. 38 with accompanying regulations implementing the GDPR, as well as any other relevant legislation regulating the Parties’ processing of Personal Data.
“Law” means any other applicable legislation to which the Parties are subject.
“Sub-processor” means any third-party data processor engaged by the Data Processor to process Personal Data.
“Data Subjects” means any identified or identifiable natural person to whom the Personal Data relates.
4. General
The Parties shall process Personal Data in accordance with Data Protection Legislation, the GDPR, and this Data Processing Agreement.
The Data Processor shall only collect, register, compile, store, and otherwise process Personal Data to the extent necessary to fulfill the Service Agreement and this DPA.
The Data Controller must ensure that there is a lawful basis for the processing of the Personal Data.
5. Authority of the Data Controller
The Data Processor shall only process Personal Data in accordance with documented instructions from the Data Controller.
The Data Processor may also process Personal Data if required to do so under applicable Law to which the Data Processor is subject. In such cases, the Data Processor shall notify the Data Controller of the legal obligation prior to processing, unless such notification is prohibited by the relevant Law on grounds of public interest.
The Data Controller’s instructions to the Data Processor are set forth in this DPA and its annexes.
Annex 1 to this DPA describes which categories of Personal Data the Data Processor may process and the purpose of such processing. The Data Processor shall not process Personal Data for any purposes other than those described therein.
The Data Controller may issue additional instructions to the Data Processor for as long as the Data Processor processes Personal Data on its behalf. Such additional instructions shall be provided to the Data Processor in writing and must be documented.
The Parties shall immediately notify each other if one Party believes that the instructions or requirements of the other Party are in conflict with Data Protection Legislation or the GDPR.
6. Data Processor’s Duty to Assist the Data Controller
Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to GDPR Articles 32–36.
This includes the Data Processor’s duty to assist in connection with data protection impact assessments and prior consultations.
7. Security of Personal Data
The Data Processor shall comply with the information security requirements set out in Data Protection Legislation and the GDPR, and shall implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32.
The technical and organizational measures to be implemented are described in Annex 2.
The Data Processor shall also assist the Data Controller in ensuring compliance with the Data Controller’s obligations regarding adequate information security under GDPR Article 32.
8. Use of Sub-processors
If the Data Processor engages a Sub-processor to perform specific processing activities on behalf of the Data Controller, the Sub-processor shall be subject to the same obligations as set out in this DPA, through a contract or other legal instrument.
The Data Processor shall ensure that any Sub-processor is aware of and complies with the Data Processor’s contractual and legal obligations.
The Data Processor shall remain fully responsible to the Data Controller for the performance of the Sub-processor’s obligations.
The Sub-processors used by the Data Processor in connection with the Service Agreement are listed in Annex 3. The Data Controller accepts that the Data Processor may use these Sub-processors.
The Data Controller also accepts that the Data Processor may use other Sub-processors not listed in Annex 3. If the Data Processor wishes to engage new Sub-processors, the Data Processor shall notify the Data Controller in advance, providing the name and contact details of the Sub-processor. The Data Controller has the right to object to the use of a new Sub-processor. If the Data Controller objects, it shall notify the Data Processor without undue delay.
9. Transfer of Personal Data Abroad
The Data Processor may transfer the Personal Data it processes on behalf of the Data Controller to the countries where the Data Processor and its Sub-processors operate and store such data. These countries are listed in Annex 3. The Data Controller acknowledges and accepts such transfers insofar as they are necessary for the agreed services to be delivered.
The Data Controller consents to the processing of Personal Data outside Norway. However, the Data Processor shall not transfer Personal Data to countries outside the EU/EEA area or to an international organization without the prior written consent of the Data Controller, unless the European Commission has determined that the country or organization ensures an adequate level of protection.
If the Data Controller consents to such transfers, the Data Processor must ensure that the transfer complies with the provisions of GDPR Chapter V.
The Data Processor also undertakes to assess the level of protection in the third country or countries to which Personal Data is to be transferred, and to implement supplementary measures — technical, organizational, or contractual — to ensure a level of protection essentially equivalent to that within the EU/EEA.
10. Handling of Data Subject Rights
The Data Controller shall serve as the contact point for Data Subjects and provide the necessary information regarding the processing.
The Data Controller is responsible for handling Data Subject requests for access, rectification, erasure, restriction, data portability, etc., and for ensuring that such requests are met.
Taking into account the nature of the processing and using appropriate technical and organizational measures, the Data Processor shall assist the Data Controller in fulfilling its obligations to respond to requests made by Data Subjects in exercising their rights under GDPR Chapter III.
If the Data Processor receives a request from a Data Subject, it shall promptly notify the Data Controller.
11. Incident Handling and Notification
Any use of information systems contrary to the Data Processor’s established routines, the Data Controller’s instructions, Data Protection Legislation, or GDPR, as well as any other security breach, shall be treated as a security incident.
The Parties shall establish and maintain routines and systematic measures for handling incidents, including measures to restore normal operations, eliminate the cause of the incident, and prevent recurrence.
The Parties shall, as soon as they become aware of an incident, without undue delay and no later than 36 hours, inform each other of any security breaches and immediately implement all necessary and appropriate measures to restore normal operations.
The Data Controller is responsible for reporting incidents to the Data Protection Authority and to the Data Subjects in accordance with GDPR Articles 33 and 34. The Data Processor shall, if necessary, assist the Data Controller in ensuring compliance with GDPR Articles 33 and 34.
12. Audit and Inspection
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations under Data Protection Legislation, the GDPR, and this DPA.
The Data Processor shall enable and contribute to audits, including inspections, conducted by the Data Controller or by another auditor authorized by the Data Controller, to verify compliance with the GDPR, Data Protection Legislation, and this DPA.
The Data Controller is entitled to conduct such audits at its own expense, no more than once per year, with four weeks’ prior written notice.
13. Confidentiality
The Data Processor is subject to a duty of confidentiality regarding any Personal Data and documentation accessed under this DPA. The duty of confidentiality continues to apply after the termination of the DPA.
The Data Processor shall not disclose or provide access to Personal Data to anyone other than its own employees, Sub-processors, or employees of the Data Controller, unless agreed in writing with the Data Controller, or required by law, regulation, or order of a public authority.
The Data Processor shall ensure that persons authorized to process Personal Data are bound by a confidentiality agreement or are subject to a statutory duty of confidentiality.
14. Duration of the Agreement
This Agreement remains in effect for as long as the Data Processor processes Personal Data on behalf of the Data Controller.
15. Termination
Upon termination of this DPA, the Data Processor shall return all Personal Data covered by the Agreement in a format suitable for further processing by the Data Controller or by a third party designated by the Data Controller.
Alternatively, the Data Controller may require that the Personal Data be deleted and/or destroyed in accordance with written instructions.
The Parties shall agree on the specific method for transfer, deletion, and/or destruction.
The Data Processor shall provide written confirmation that deletion and/or destruction has been carried out in accordance with the Agreement within a reasonable period after termination.
An exception applies where Data Protection Legislation, the GDPR, or other Law requires that the Personal Data be retained.
16. Governing Law and Jurisdiction
This Agreement is governed by Norwegian law. The Parties agree that Oslo District Court shall have exclusive jurisdiction.
Annexes to the Agreement
Annex 1: Description of Personal Data and Purpose of Processing
Types of Personal Data:
Name, contact information (such as e-mail address, phone number, physical address),
User-generated data (notes, statuses, and interaction logs),
Technical data (cookies, logs, and backup data).
Categories of Data Subjects:
Customers and potential customers: Private individuals and companies with which the Data Controller has, or is considering establishing, a relationship.
Employees and partners: Persons directly or indirectly engaged in sales, support, or service delivery.
Third parties: Suppliers and other partners involved in service delivery or administration.
Purpose of Processing:
Administration and handling of customer information to deliver services, including managing inquiries and follow-up.
Analyzing and improving service quality, customer experience, and internal processes.
Facilitating cooperation between the Data Controller and relevant parties, such as suppliers and customers.
Ensuring compliance with requirements for security, storage, and availability of information under applicable laws and regulations.
Annex 2: Technical and Organizational Security Measures
Key elements and measures:
Encryption and pseudonymization: Personal Data shall be encrypted both at rest and in transit. Pseudonymization shall be applied where appropriate.
Access control: Role-based access ensuring that only authorized individuals can access the data.
Logging and auditing: All access, modifications, and transfers of data shall be logged and reviewed regularly.
Secure storage: Data is stored in secure data centers with regular backups and strict access limitations.
Transfers: Data transfers shall be conducted via secure protocols such as HTTPS or SFTP.
Training and contingency: Employees shall receive security training, and contingency plans must be in place for handling security breaches.
Annex 3: List of Sub-processors
Microsoft Azure – Cloud services for storage and data processing
Databricks – Platform for data analytics
Twilio – Communication services for SMS, voice, and messaging
Mapbox – Mapping services and geographic information systems
Installer enables the industry leaders working with installers
