Last revision date: 30.09.2020
The intention of this Information Management Agreement (“IMA”) is twofold:
to ensure management and processing of Customer Data that Provider gets access to from Customer in compliance with Customer’s standards and instructions, and to ensure that Customer Data is not unlawfully used or comes into the hands of a third party; and
to the extent Personal Data is processed by the Provider on behalf of the Customer under the Subscription Agreement, this IMA includes a data processing agreement in compliance with the requirements of Data Protection Laws.
In case of any conflicting terms between the Subscription Agreement and this IMA related to Customer Data, the terms of this IMA shall prevail.
In this IMA, words, expressions and definitions shall have the same meanings as are respectively assigned to them in the Subscription Agreement, unless a specific definition is ascribed to it in this IMA.
Agreed Locations means Provider’s datacentres listed in Appendix 1.
Subscription Agreement means the agreement executed by the parties on 31 August 2020, to which this IMA is included as an integrated part.
Customer Data means any data, qualitative or quantitative, that Provider gets access to from Customer or an appointee as a result of the Subscription Agreement, whether or not arising out of the performance of the Services, including Personal Data and data from operations or testing by Customer or at a Customer controlled site.
Data Protection Laws means the EU General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the Norwegian Personal Data Act of 14 April 2000, No. 31, the Norwegian Personal Data Regulations and other laws on the protection of individuals with regard to the processing of personal data and on the free movement of such data or implementing Council Directive 2002/58/EC concerning the processing of personal data, the protection of privacy in the electronic communications sector, and all other laws relating to the processing of personal data and privacy in any other relevant jurisdiction.
Personal Data means any information relating to an identified or identifiable natural person as defined in relevant Data Protection Laws.
Purpose means performance of the Services.
Services shall mean the Services provided under the Subscription Agreement.
As part of the Purpose, Provider will process Customer Data on behalf of the Customer.
The Customer retains ownership of the Customer Data. The Provider shall only process Customer Data on behalf of, and as instructed by, the Customer, solely for the Purpose. The Provider shall only process Customer Data necessary for the Purpose. Unless otherwise agreed, Provider may not share Customer Data with third parties.
To the extent machine learning models or algorithms are trained on Customer Data, the same restrictions shall apply to Provider’s use of the resulting trained machine learning models or algorithms.
During the term of the Subscription Agreement, the Customer may stipulate reasonable routines and issue instructions to the Provider for processing of Customer Data, in addition to those stipulated in the Subscription Agreement and this IMA. The Provider will comply with any such reasonable instructions without undue delay.
Customer’s audit right
Customer is entitled to audit Provider’s compliance with the terms of this IMA.
The Provider shall make available to the Customer any information necessary to demonstrate compliance with the obligations laid down in this IMA, allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
The Provider is obliged to give the Customer access to written technical and organisational security measures and to assist the Customer in fulfilling its responsibilities pursuant to Data Protection Laws.
If Customer Data is processed in Provider’s IT systems, the Provider shall implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to the risk and in accordance with current international information security standards and best practices. The measures must protect the Customer Data against accidental loss, destruction or alteration, unauthorized disclosure or access, and unlawful destruction. Provider shall, in establishing such security measures, take into account the confidentiality, integrity and availability of the Customer Data.
Provider shall ensure that persons authorised to process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Provider shall take steps to ensure that any natural person who has access to Customer Data shall act under the authority of the Provider and shall not process Customer Data except as instructed by the Customer, unless required to do so under EU/EEA member state law. The Provider shall immediately inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
Provider may only perform processing and storing of Customer Data at the Agreed Locations. Any change of location shall be subject to Customer’s prior written approval.
The Provider shall assist the Customer in ensuring compliance with Data Protection Laws related to security of processing, data protection impact assessment and prior consultation with local authorities, as and when appropriate, taking into account the nature of processing and the information available to the Provider.
Identity and access management
Access to Customer Data or IT systems shall be subject to Customer’s instructions. Provider shall ensure that access is limited and relevant to the Services which are performed by the Provider. Provider shall only use corporate electronic identities and shall report identities which will no longer be used.
Use of remote access to Customer Data or IT systems shall be subject to Customer’s prior specific or general written authorisation. Provider shall ensure that IT equipment used for remote access is protected by a firewall, runs on supported versions of software, is regularly updated with security patches and has antivirus solutions with updated antivirus definitions. Provider must ensure that remote access is performed only from locations allowed by Customer’s prior specification.
Use of subcontractors shall be subject to Customer’s prior specific or general written authorisation. In the case of general authorisation, the Provider shall inform the Customer of any intended changes concerning the addition or replacement of subcontractors. The Customer shall have the right to object to such changes.
The same obligations as set out in this IMA between the Customer and the Provider shall be imposed on the subcontractor by way of contract. The contract must in particular provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing carried out by the subcontractor will meet the requirements of applicable Data Protection Laws.
Where the subcontractor fails to fulfil its obligations, the Provider shall remain fully liable to the Customer for the performance of the subcontractor's obligations.
Customer may request that Provider audit a subcontractor or provide confirmation that such an audit has occurred, to ensure compliance with the requirements of this IMA, on a time and material basis.
Relevant data and processing activities
The Provider shall process Personal Data in accordance with applicable Data Protection Laws and this IMA. In doing so, the Provider must take into account the nature and purpose of the processing, as set out below:
Purpose of processing:
Provision of resource management services (tracking information)
Nature of processing:
Register people resource
Connect (identify) people to department and location
Compare, validate, update, record, collect relevant information on employee / department / location
To the extent that Provider processes Personal Data on behalf of the Customer, Customer will act as data controller, and appoints Provider as data processor according to Data Protection Laws. Personal Data may consequently be processed under the Subscription Agreement and include categories of data and data subjects such as, but not limited to:
Registration of name, email, telephone number and time of registration of the Customer's visitors.
Please note that Personal Data will be deleted after 14 days.
If Personal Data is processed, appropriate security measures shall include inter alia:
pseudonymisation and encryption of Personal Data when appropriate;
ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Processing of Personal Data outside the EEA/EU approved area shall be subject to Customer’s prior written approval unless such transfer is required under applicable EU/EEA member state law. The Provider shall inform the Customer of such legal obligation before transferring, unless prohibited by law.
In order to ensure that transfer of Personal Data to a third country complies with Data Protection Laws, Customer and Provider shall, to the extent applicable, ensure that an appropriate legal ground for transfer is in place, such as the EU Model Clauses agreement or equivalent legal instrument. The Provider shall upon request assist Customer in filing for any required governmental approval on a time and material basis.
Data subject's rights
The Provider shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from data subjects.
In case of a data breach affecting the Customer Data, in addition to the notification requirements mentioned under Article 9 below, where Personal Data is affected by the data breach, the Provider shall also include, to the extent possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned.
Records of processing activities
The Provider shall maintain a record of all categories of processing activities carried out on behalf of the Customer, containing:
(a) the name and contact details of the Provider or Providers and of the Customer on behalf of which the Provider is acting, and, where applicable, of the Customer's or the Provider's representative, and the data protection officer;
(b) the categories of processing carried out on behalf of the Customer;
(c) where applicable, transfers of Personal Data to a third country, including the identification of that third country and the documentation of suitable safeguards as and when required;
(d) where possible, a general description of the technical and organisational security measures applied.
The records shall be in writing, including in electronic form.
Retention period and deletion
The Customer Data shall not be kept or handled by the Provider for longer than necessary for the Purpose. Unless otherwise agreed, Customer Data shall be deleted immediately following the termination or expiry of the Subscription Agreement, subject to any requirement from Customer to perform a mass export of Customer Data.
At the choice of the Customer, and within the deadline specified by Customer, the Provider shall, upon termination of the Subscription Agreement or parts thereof, either delete the Customer Data, including backup copies thereof, or return the Customer Data to the Customer or a third party nominated by the Customer. Overwriting of back-up systems within due time is regarded as sufficient deletion. Such deletion or requested mass transfer shall be conducted at no additional cost for the Customer.
Provider shall, upon request by Customer and without undue delay, provide documentation in writing that Customer Data will not be further processed and that permanent deletion has taken place. Deletion shall include Customer Data held in any form of storage and backups.
Should applicable EU/EEA member state law prevent Provider and/or any subcontractor from deleting certain Customer Data, Provider shall specify to Customer in writing which parts of the Customer Data will be retained, for how long, in what form and any other information relevant with regard to such retention. Provider guarantees the confidentiality of any Customer Data retained and will not actively process Customer Data retained for such purpose.
This IMA will remain effective for the duration of the Subscription Agreement.
Termination of this IMA will not affect accrued rights, indemnities, existing commitments or any contractual provision intended to survive termination.
Indemnification and limitation of liability
Provider agrees to indemnify, defend and hold harmless the Customer against any liability, loss, claim and expense, including reasonable attorney's fees, related to or arising out of the Provider's, its affiliates', subcontractors' or employees' breach of this IMA or Data Protection Laws.
The aggregate liability of Provider for any one incident or for any one claim under this IMA, whether in contract, negligence or other tortious action will under no circumstances exceed the total fees payable by Customer during a 12-month subscription period. The limitation of liability set out in this Article 12 does not apply in cases of gross negligence or wilful misconduct.
Appendix 1 – Agreed locations
Data will be stored and processed in Europe.
Database (persistent storage): Azure West Europe
• Primary service: West Europe
• Secondary service (backup service if primary service is unresponsive): North Europe
See the physical locations here: https://azure.microsoft.com/en-us/global-infrastructure/geographies/#overview
Appendix 2 – Subcontractors
For the execution of the Service, the following subcontractor performs work on behalf of the Provider. The subcontractor is tasked with the technical responsibility for the Service:
Kongsberg Digital AS (Org nr 916 981 880).