Data Processing and GDPR Agreement
1. Terms and Definitions
- Terms below shall have the following meanings:
- "Agreement" means the Software license agreement signed between PREPPIO and the Client.
- "Company" refers to Preppio AS (PREPPIO), a company organized under the law of Norway.
- "PREPPIO Products" means the Software and other products of PREPPIO.
- "Client Data" means data submitted, stored, sent, or received via the Software by Clients or End Users.
- "Client Personal Data" means personal data contained within the Client Data.
- "Data Incident" means a breach of PREPPIO security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data on systems managed by or otherwise controlled by PREPPIO. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Client Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- "Data Processing Addendum" (DPA) means this Addendum, an inseparable part of the Software license agreement signed between PREPPIO and the Client.
- "European Data Protection Legislation" means GDPR and any other applicable EU legislation.
- "GDPR" means Regulation (EU) 2016/679 on data protection and privacy.
- "License" means the Software license granted to the Client by PREPPIO pursuant to the Agreement.
- "Party" means either PREPPIO or the Client.
- "Parties" means both PREPPIO and the Client.
- "Term" means the term set forth in the Agreement.
- "SaaS Model" means a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted by PREPPIO. The Software is accessed by Clients via a web browser.
- "Services" means the services provided by PREPPIO as described in the Agreement and the Terms of Use for the PREPPIO Services.
- "Software" means the computer software (Preppio SaaS) developed by PREPPIO and presented on the website www.preppio.com.
- "Standard Contractual Clauses" means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
- "Subprocessors" means third parties authorized under this Data Processing Addendum to have logical access to and process Client Data in order to provide parts of the Services and related technical support.
- "Third Parties" means any other persons, organizations, and authorities, besides PREPPIO and the Client.
- All terms, which have not been explicitly defined above, such as “personal data,” “data subject,” “processing,” “controller,” “processor,” “supervisory authority,” etc., have the meanings given in the GDPR.
2. Scope of Addendum
- Software License Agreement:
- PREPPIO provides a SaaS web-based application whose functionality helps customers with their digital workflows for processes such as employee onboarding, offboarding, transitions, and learning.
- The Parties have signed an Agreement for the use of PREPPIO Software by the Client for the Client’s own internal business purposes.
- Under the Software license agreement, PREPPIO agreed to provide the Client with the Services as specified in the Agreement and the Terms of Use.
- In rendering the Services, PREPPIO may from time to time be provided with, or have access to, information of the Client which may qualify as personal data within the meaning of the GDPR and other applicable European data protection laws and provisions.
- GDPR:
- This Data Processing Addendum reflects the Parties’ agreement with respect to the terms governing the processing and security of Client Data under the Agreement according to the requirements of GDPR and any other European Data Protection Legislation.
- The Parties acknowledge and agree that the European Data Protection Legislation, including the GDPR, will apply to the processing of Client Personal Data if the Client Personal Data is personal data relating to data subjects who are in the EU/EEA and the processing relates to the offering of goods or services to them in the EU/EEA or the monitoring of their behavior in the EU/EEA, as well as when the processing is carried out in the context of the activities of an establishment of Client in the territory of the EU/EEA.
- The Parties agree that the sets of data processing and transfers covered by this DPA qualify as commissioned data processing as per Art. 28 of the GDPR with PREPPIO qualifying as a processor within the meaning of the GDPR and that they would like to use this DPA as the required contractual processing agreement.
- In order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Client to PREPPIO of the personal data, the Parties have entered into this DPA.
- The Parties agree that PREPPIO shall have the right to ask for changes to any part of this DPA to the extent required to satisfy any interpretations, guidance, or orders issued by competent Union or Member State authorities, national implementation provisions, or other legal developments concerning the GDPR requirements for the commissioning of data processors in general or other requirements for the commissioning of data processors. The Parties will agree on the necessary changes in a good faith effort, taking into account their obligation to carry out this contractual relationship in compliance with applicable data protection law.
3. Processor and Controller
- Roles:
- PREPPIO is a processor of Client Personal Data.
- Client is a controller of Client Personal Data.
- Each Party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Client Personal Data.
- Legitimacy:
- Client warrants to PREPPIO that Client’s instructions and actions with respect to that Client Personal Data are legitimate and permitted under the applicable European Data Protection Legislation.
- Client is responsible that the processing activities relating to the personal data, as specified in this DPA, are lawful, fair, and transparent in relation to the data subjects concerned.
4. Scope of Processing
- Instructions:
- By entering into this Data Processing Addendum, the Client instructs PREPPIO to process Client Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Client’s use of the Services and related technical support; (c) as documented in the applicable Agreement, including the applicable Terms of Use and this Data Processing Addendum; and (d) as further documented in any other written instructions given by Client and acknowledged by PREPPIO as constituting instructions for purposes of this Data Processing Addendum.
- Further Instructions:
- Any further processing instructions given by the Client to PREPPIO that go beyond the instructions contained in this DPA or the Agreement shall be considered within the subject matter of the Services Agreement and this DPA, and PREPPIO's acts of processing shall be considered lawful and compliant with the GDPR and other applicable legislation.
- It shall be the Client's responsibility to guarantee the lawfulness of any personal data processing that the Client has instructed PREPPIO to perform.
- Notifications:
- The Client acknowledges that the Services provided by PREPPIO to the Client include, among the others described above, the provision by PREPPIO to the Client and to all End Users using the Software on behalf of the Client of notifications on the scope of Services and their update, upgrade, amendment, new releases, development, and/or termination via newsletters, emails, and other applicable electronic and non-electronic means of communication.
- PREPPIO will comply with the instructions described above (Client’s Instructions) (including with regard to data transfers) unless EU law requires other processing of Client Personal Data by PREPPIO, in which case PREPPIO will inform Client (unless that law prohibits PREPPIO from doing so on important grounds of public interest).
- Upon providing such notification, PREPPIO is not obliged to follow the Client’s instruction.
- For clarity, PREPPIO will not process Client Personal Data for Advertising purposes or serve Advertising in the Services.
- Notifications from PREPPIO to the Client and all End Users on the scope of Services and their update, upgrade, amendment, new releases, developments, and/or termination via newsletters, emails, and other applicable electronic and non-electronic means of communication shall not be considered advertising, marketing, or any other activity not included in the Services.
- Such notifications shall be considered part of the Services provided by PREPPIO to Client.
- If at any time the Client or any End User would like to unsubscribe from receiving future emails, he or she must follow the instructions on how to unsubscribe at the bottom of PREPPIO emails.
5. Subject Matter
- PREPPIO’s provision of the Services and related technical support to Client.
6. Data Subjects
- Categories: The personal data processed concern the following categories of data subjects:
- Staff of the Client – End Users;
- Other subjects, whose personal data is entered by the End Users.
- Nature and Purpose:
- PREPPIO will process Client Personal Data submitted, stored, sent, or received by Client, its Affiliates or End Users via the Software for the purposes of providing the Services and related technical support to Client in accordance with the Data Processing Addendum.
- Duration:
- The applicable Term plus the period from expiry of such Term until deletion of all Client Data by PREPPIO in accordance with the Data Processing Addendum, unless the GDPR requires otherwise.
- Categories of Data:
- Personal data submitted, stored, sent, or received by Client or End Users via the Services may include the following categories of data:
- Name and User name – necessary for identification of the Data Subject.
- Email address – necessary for authenticating End Users before allowing their access to the Software and Client Data, including Client Personal Data, as well as for providing technical support.
- Phone number – necessary for providing technical support and communicating conditions relating to what the Service provides.
- Employee information – necessary for providing the Services according to the onboarding of new hires and their interaction with other stakeholders within their organization.
- Other data, uploaded by Client and End Users – entering and upload of any other personal data is at the full discretion of the Client.
- PREPPIO shall not use any other personal data entered by Client or End Users except for the categories of data described above.
- PREPPIO has no obligation to monitor personal data entered or uploaded by Client or End Users, or to categorize or process it in any other way.
- It is the Client's responsibility to ensure and guarantee that the personal data processing activities performed by Client and End Users with the Software comply with the requirements of the GDPR.
- Method of Collection:
- Each User of the Software personally provides the personal data entered or uploaded in the Software.
- Client and End Users shall enter third-party personal data only with due authorization or GDPR-compliant consent from such party. Client and End Users are liable for entering another person's personal data without first acquiring their due authorization or GDPR-compliant consent. PREPPIO does not control the content entered by Client and End Users. PREPPIO has no contact with any third parties whose personal data the Client or End Users may enter into the Software. In the event of a third-party claim or sanctions by a competent authority in respect of the entry of third-party personal data into the Software in violation of the GDPR by Client or End Users, Client shall compensate PREPPIO for all sustained damages, including any compensation, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.
- Data Subjects:
- Personal data submitted, stored, sent, or received via the Services may concern the following categories of data subjects: End Users including Client’s employees and contractors; the personnel of Client’s Clients, suppliers, and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
- Client shall grant access to End Users only after acquainting them with the information provided to Client in this DPA, the rights of End Users under the GDPR, and the methods of exercising those rights. Client acknowledges that such provision of information is required by the GDPR and is necessary for the implementation of the GDPR principles of data protection. Client shall also grant access only to End Users who have accepted the terms and conditions of data protection included in this DPA. In the event of a data subject claim or sanctions by a competent authority in respect of the entry or processing of personal data in the Software in violation of the GDPR by Client or End Users, Client shall compensate PREPPIO for all sustained damages, including any compensation, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.
7. Cookies
- To the extent permitted under applicable European Data Protection Legislation, the Parties agree that PREPPIO may use cookies on the Website to collect information about the preferences and interests of visitors and to analyze data about the people browsing the Website.
- Information collected through cookies on any Website, and the processing of that information, shall be used by PREPPIO to improve the quality of the services offered.
- Disabling Website cookies may affect some features of the Website, which may then not work properly or as intended.
8. Additional Services
- If PREPPIO at its option makes any Additional Services available to Client in accordance with the Terms of Use, and if Client opts to install or use those Additional Services, the Services may allow those Additional Services to access Client Personal Data as required for the operation of the Additional Services. For clarity, this Data Processing Addendum shall apply to the processing of personal data in connection with the provision of any Additional Services installed or used by Client, including personal data transmitted out of the EU.
- Even if the Client has not initially objected to the transfer of data out of the EU, the Client may at any time inform PREPPIO in writing that Client no longer wants personal data to be transferred to third parties in connection with an Additional Services integration, and PREPPIO shall not transfer such data after the date on which PREPPIO receives that communication from the Client. However, if the Client initially accepted such transfer and has not later informed PREPPIO in writing of any objection, the Client shall be considered to have instructed PREPPIO to provide the Additional Service and execute data transfers until the date of the objection. If the Client objects to such transfer, the Client and End Users shall no longer be able to use those Additional Services.
9. Data Deletion
- Manual Deletion: Client may manually delete data within the PREPPIO solution through the user interface provided. Instructions for manual data deletion can be found in the PREPPIO user documentation.
- Automated Deletion: PREPPIO provides automated data deletion features to enable Client to manage deletion schedules for specified data. Automated deletion settings can be configured through the administrative tools provided by PREPPIO.
- Data Recovery: Client is responsible for implementing appropriate data backup procedures. PREPPIO shall not be liable for any loss of data resulting from the actions of Client, including manual or automated deletions.
- Compliance with Laws: Client agrees to use the data deletion features in compliance with the Agreement and all applicable data protection laws and regulations.
10. Data Security
- Measures: PREPPIO will implement and maintain technical and organizational measures to protect Client Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include ensuring ongoing confidentiality, integrity, availability, and resilience of PREPPIO’s systems and services, and regular testing of effectiveness. Detailed descriptions of these measures will be provided to the Client upon request.
- Compliance: PREPPIO will ensure compliance with these measures by its employees, contractors, and Subprocessors.
11. Data Incidents
- Notification: If PREPPIO becomes aware of a Data Incident, it will notify the Client immediately and no later than 24 hours after becoming aware of the incident. PREPPIO will take reasonable steps to minimize harm and secure Client Data.
- Incident Report: Notifications will include a detailed incident report describing the nature of the Data Incident, the categories and approximate number of data subjects and data records concerned, the likely consequences of the incident, and the measures taken or proposed to be taken to address the incident.
- Mitigation Plan: PREPPIO will work with the Client to develop and implement a plan to mitigate and resolve the incident.
12. Client’s Security Responsibilities
- Use of Services: Client is responsible for its use of the Services and the compliance of its activities with GDPR, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Client Data, securing account credentials, and backing up Client Data.
- Review: Client is responsible for reviewing PREPPIO's technical and organizational measures and evaluating whether the Services meet Client's needs.
13. Data Subject Rights
- Access and Rectification: PREPPIO will enable Client to access, rectify, and restrict processing of Client Data and to export Client Data.
- Inquiries: PREPPIO will deal promptly with all inquiries from the Client relating to its processing of Client Personal Data.
14. Transfers of Data Out of the EU/EEA
- Storage and Processing: PREPPIO and its subprocessors only store and process Client Data in the EU.
15. Subprocessors
- Authorization: Client authorizes the engagement of third-party Subprocessors, provided that PREPPIO obtains written consent from the Client before engaging any new Subprocessors. Information about current Subprocessors and the specific services they provide is detailed in Appendix 1 and will be updated from time to time.
- Approval: PREPPIO will seek and obtain the Client’s approval before engaging any new Subprocessors.
16. Liability
- Liability: PREPPIO shall indemnify and hold harmless the Client against all claims, actions, third-party claims, damages, fines, and expenses incurred by the Client due to PREPPIO’s breach of its obligations under this agreement. The liability cap will be negotiated to ensure adequate coverage for potential risks.
17. Effect of Addendum
- Conflict or Inconsistency: To the extent of any conflict between this DPA and the Agreement, the terms of this DPA will govern.
- Effective Date: This DPA will take effect on the Effective Date and remain in effect until the deletion of all Client Data by PREPPIO.
18. Applicable Law
- Governing Law: This DPA shall be governed by the law of Norway. The place of jurisdiction for all disputes regarding this DPA shall be Oslo, Norway, except as otherwise stipulated by applicable data protection law.