Data Processing Agreement
2024
Noova Energi Systems AS will process personal data on behalf of our customers when providing the customer with energy as well as technology solutions. In these instances, where Noova Energi Systems AS will act as the data processor and the customer will act as the data controller, the parties must enter into a data processing agreement pursuant to the General Data Protection Regulation ("GDPR") article 28 in addition to a Software as a Service agreement or similar agreement.
Noova Energi Systems AS has prepared the following data processing agreement for our existing and potential customers. In order to conclude the data processing agreement with Noova Energi Systems AS, please follow this link "Need a signed copy", and a request will be sent to Noova Energi Systems AS. If you have any questions, please contact us at post@noova.no
1 BACKGROUND AND PURPOSE
1.1 In the context of providing the Data Controller with energy as well as technology solutions (the "Services"), the Data Controller and Noova Energi Systems AS have entered into a [Software as a Service] agreement on the delivery of the Services. In this regard, the Data Processor shall only process personal data on behalf of the Data Controller as described in this Data Processing Agreement (the "Agreement") or as agreed in writing between the Parties. This Agreement further sets out the rights and obligations of the Data Controller and the Data Processor when processing personal data on behalf of the Data Controller.
1.2 This Agreement has been designed to ensure the Parties' compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or "GDPR"), and the Norwegian Personal Data Act (hereafter the "prevailing data protection legislation"). In case of conflict between the terms of this Agreement and the prevailing data protection legislation or any other relevant legislation, this Agreement has no precedence.
1.3 Two appendices are attached to this Agreement, and they are an integral part of the Agreement.
1.4 Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subjects and duration of the processing.
1.5 Appendix B contains the Data Controller's conditions for the Data Processor's use of sub processors and a list of sub processors authorized by the Data Controller.
1.6 In the event of a contradiction between this Agreement and the provisions of related agreements between the Parties existing at the time when this Agreement is agreed or entered into thereafter, this Agreement shall prevail. This Agreement shall take priority over any similar provisions contained in other agreements between the Parties.
1.7 This Agreement shall not exempt the Data Processor from obligations to which the Data Processor is subject pursuant to GDPR or other legislation.
2 THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
2.1 The Data Controller is responsible for ensuring that the processing of personal data takes place in compliance with the prevailing data protection legislation and this Agreement, cf. GDPR article 24.
2.2 The Data Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
2.3 Among other things, the Data Controller is responsible for ensuring that there is a legal basis for the delegated processing of the personal data.
3 THE RIGHTS AND OBLIGATIONS OF THE DATA PROCESSOR
3.1 Instructions: The Data Processor is subject to the Data Controller's authority regarding the processing of personal data and shall only process personal data based on documented instructions from the Data Controller. If the processing is required under European Union law or Norwegian law, the Data Processor shall notify the Data Controller about the aforementioned legal requirements before the processing, unless Union or Norwegian law prohibits such notification for the sake of important social interests. Subsequent instructions may also be given by the Data Controller throughout the duration of the processing of personal data. These instructions shall always be documented. If the Data Processor is of the opinion that an instruction from the Data Controller is in breach of the prevailing data protection legislation or any other legislation, the Data Processor shall immediately notify the Data Controller about this.
3.2 Confidentiality: The Data Processor has a duty of confidentiality regarding the documentation and the personal data which it will have access to in accordance with the Agreement. This provision also applies after termination of the Agreement. The Data Processor is responsible for ensuring that the necessary agreements or obligations for confidential processing of such information are established with anyone who has access to that information. The Data Processor shall, whenever required by the Data Controller, be able to demonstrate the above-mentioned confidentiality.
3.3 Security measures: The Data Processor confirms that it will take appropriate technical and organizational measures to ensure that all processing under this Agreement meets the requirements of the prevailing data protection legislation and ensures the protection of the data subject's rights, including compliance with all the requirements of GDPR article 32.
3.4 Assistance according to GDPR articles 32-36: The Data Processor is obliged to provide the Data Controller with access to its data security documentation, and to assist the Data Controller with fulfilling its own responsibility in accordance with the prevailing data protection legislation. This is especially true for assistance with audits and inspections, as well as notification of personal data breach and impact assessment. The Data Controller is directly responsible towards the relevant supervisory authorities.
3.5 Assistance with inquiries: The Data Processor shall assist the Data Controller in safeguarding the rights of the data subjects. This applies, but is not limited to, providing information on how the personal data is processed, handling inquiries which include, among others, access to the personal data and fulfilment of the data subjects' right to rectification or deletion of the personal data. For all and any inquiries that the Data Processor may receive directly, the Data Processor shall transmit those inquiries to the Data Controller as soon as possible. The Data Controller is responsible for providing the data subjects with answers within 1 month.
3.6 Other type of assistance: In addition to the Data Processor's obligation to assist the Data Controller pursuant to sections 3.4 and 3.5, the Data Processor shall furthermore assist the Data Controller in ensuring compliance with other obligations as mentioned in this Agreement or in the prevailing data protection legislation, as well as to ensure that personal data is accurate and up to date, by informing the Data Controller without delay if the Data Processor becomes aware that the personal data it is processing is inaccurate or has become outdated.
3.7 Access/Disclosure: The Data Processor shall not disclose personal data or information that it processes on behalf of the Data Controller to a third party without explicit instructions or permission from the Controller.
3.8 Compensation for assistance: the Data Processor shall be compensated for such assistance to the Data Controller as set out in sections 3.5 - 3.7 and section 4, and all other assistance provided in accordance with the prevailing data protection legislation and this Agreement. The right to compensation does however not apply if the assistance is necessary due to a data breach or processing of personal data in breach of prevailing law or this Agreement, which is deemed caused by acts by the Data Processor or any party under the Data Processor's responsibility and liability. The compensation shall be calculated according to elapsed time and the Data Processor's usual terms and hourly rates, or if this is not applicable, as agreed upon between the Parties.
4 SECURITY AND BREACH
4.1 The Data Processor shall comply with the requirements for security measures according to the prevailing data protection legislation. The Data Processor shall at least be able to document routines and security measures that meet these requirements, including, as appropriate, measures to prevent accidental or illegal destruction or loss of data, unauthorized access to or dissemination of data, as well as any other use of personal data that does not comply with this Agreement, and measures to restore access to the personal data in any event.
4.2 The Data Processor undertakes to notify the Data Controller without undue delay and at the latest within 24 hours if the Data Processor has information about, or reason to believe, that the personal data is used in an unauthorised manner or otherwise handled in violation of the data protection legislation and/or the terms of this Agreement. This is especially true for any breach of personal data security that the Data Processor becomes aware of, including unauthorized access, dissemination, alteration, damage/destruction, but also for any circumstance that may cause a change in the risk assessment, and which has or may have an impact on data security.
4.3 In the event of a personal data breach by the Data Processor, the Data Processor shall notify the Data Controller within 24 hours of the Data Processor becoming aware of the breach. Notification of breach shall contain, as a minimum, the requirements of GDPR Article 33 (3), including:
- description of the nature of the personal data breach, including, where possible, the categories of and approximate number of data subjects affected, and the categories of and approximate number of personal data records concerned,
- the name and contact information of the data protection officer or other contact point where more information can be obtained,
- description of the likely consequences of the personal data breach,
- description of the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.4 The Data Controller is responsible for sending a notification to the supervisory authority at the latest 72 hours after the breach has been detected, and the Data Processor shall not send such notification or contact the supervisory authority without the instructions of the Data Controller. If all information cannot be provided in the first notification, the information should be given successively as soon as it is available. In accordance with section 3.4 above and in the event of a data security or privacy breach by the Data Controller, the Data Processor shall assist the Data Controller in obtaining the necessary information as described in GDPR Article 33 (3), cf. section 4.3 above.
4.5 Any breach or suspicion of a breach to the personal data security at the Data Processor shall be recorded, hereafter logged and stored at the Data Processor.
4.6 The Data Processor shall, without undue delay, correct or implement measures to prevent personal data breach and nonconformities. Nonconformities or breach which the Data Processor or its sub processors are responsible for shall be corrected or prevented at no charge to the Data Controller and must be documented.
4.7 The security level of the processing shall take into account the nature of the personal data and the risk for personal data breach for the data subjects. For this reason, the Data Processor must conduct risk assessments to ensure satisfactory data security.
5 TRANSFER OF PERSONAL DATA OUTSIDE EU/EEA
5.1 Any transfer of personal data to third countries or international organizations by the Data Processor shall only occur on the basis of documented instructions from the Data Controller and shall always take place in compliance with GDPR Chapter V.
5.2 In case transfers to third countries or international organisations, which the Data Processor has not been instructed to perform by the Data Controller, are required under EU or Norwegian law, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
5.3 Without documented instructions from the Data Controller, the Data Processor therefore cannot within the framework of this Agreement:
- transfer personal data to a Data Controller or a Data Processor in a third country or in an international organization
- transfer the processing of personal data to a sub processor in a third country
- have the personal data processed by the Data Processor in a third country
5.4 The sections in this Agreement are not to be confused with the standard contractual clauses as mentioned in GDPR article 46 (2), and this Agreement does not by itself ensure compliance with obligations related to international transfers in accordance with Chapter V of the GDPR.
5.5 At the time of this Agreement, the Data Processor does transfer personal data outside the EU/EEA.
6 SUBPROCESSORS
6.1 The Data Processor's use of sub processors is subject to authorization by the Data Controller, who can disapprove them. A list of approved sub processors is attached to this Agreement, cf. Appendix B.
6.2 The Data Processor shall meet the requirements specified in GDPR article 28(2) and (4) in order to engage a sub processor.
6.3 The Data Processor has the Data Controller's general authorisation for the engagement of sub processors as mentioned in Appendix B. The Data Processor shall specifically inform in writing the Data Controller of any intended changes of that list through the addition or replacement of sub processors prior to the engagement of the concerned sub processor(s). If the Data Controller does not object to the changes in writing within two weeks from receipt of such notice, the Data Controller shall be deemed to have accepted the changes.
6.4 In case of change of sub processors, Appendix B shall be updated by the Data Processor and notice of such update shall be sent to the Data Controller's contact person.
6.5 The Data Processor shall ensure that all sub processors are bound by the same requirements for data security and processing in general as set out in this Agreement. The Data Processor shall therefore ensure that its sub processors only process personal data in accordance with the terms of this Agreement and not to a greater extent than is necessary to fulfil the service which the sub processors provide. The Data Controller is entitled to access the Data Processor's sub processing agreements, as well as the relevant sub processors' documentation for the processing, such as security documentation. To the extent necessary to protect business secret or other confidential information, including personal data, the Data Processor may redact the text of the agreement prior to sharing the copy.
6.6 The Data Processor is fully responsible towards the Data Controller for all and any of the sub processors' violations to this Agreement's requirements, as well as to other applicable data protection legislation. The Data Controller can order the Data Processor to stop the immediate use of the sub processors who have acted in breach of their contractual obligations and/or applicable data protection legislation.
6.7 Upon termination of this Agreement, the Data Processor shall ensure that the sub processors fulfil, in the same manner as the Data Processor, the obligation to delete or properly destroy all personal data, including backups, as set forth in section 7.1 of the Agreement.
6.8 The Data Processor shall agree a third-party beneficiary clause with the sub processor whereby - in the event the Data Processor has factually disappeared, ceased to exist in law or has become insolvent - the Data Controller shall have the right to terminate the sub processor contract and to instruct the sub processor to erase or return the personal data.
7 ERASURE AND RETURN OF DATA
7.1 On termination of the provision of personal data processing services, the Data Processor shall, unless otherwise agreed on in a written agreement, at the choice of the Data Controller, delete all personal data processed on behalf of the Data Controller and certify to the Data Controller that it has done so, or return all the personal data to the Data Controller and delete existing copies unless EU or Norwegian law requires storage of the personal data, or unless otherwise specifically agreed between the Parties.
7.2 For the FLX service, termination of users will result in the actual user being set to inactive. After XX (default 30) days as inactive, the user and related historical data will be permanently deleted from the system. Further, for the FLX service, personal booking information will be automatically anonymized after XX (default 30) days. Anonymized means the link to the actual person is removed, but aggregated data is kept for statistical purposes.
8 LIABILITY
8.1 Each of the Parties is liable for damages and shall compensate the other Party for any documented material or non-material damage suffered by the other Party as a result of a breach of the prevailing data protection legislation or this Agreement.
8.2 Each of the Parties is liable for damages and shall compensate the data subjects for any material or non-material damage suffered by the data subjects as a result of a breach of the prevailing data protection legislation in accordance with GDPR Article 82 (1).
9 TERM AND TERMINATION
9.1 The terms of this Agreement apply as long as the Data Processor processes, including also has access to, personal data on behalf of the Data Controller.
9.2 Both parties shall be entitled to require that the Agreement be renegotiated if changes to the law or inexpediency of the Agreement should give rise to such renegotiation.
9.3 If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the Data Controller pursuant to section 7.1, the Agreement may be terminated by written notice by either party.
10 GOVERNING LAW AND JURISDICTION
10.1 The Agreement is governed by Norwegian law and disputes between the Parties shall be settled at the Sør-Rogaland District Court. This also applies after termination of the Agreement.
APPENDIX A - DESCRIPTION OF THE PROCESSING
A.1 The purpose of the Data Processor's processing of personal data on behalf of the Data Controller is:
The Data Processor will process personal data on behalf of the Data Controller in order to provide the Data Controller with energy supply and technology solutions.
Noova provides the following services that are subject to Data Processing:
A.2 The Data Processor's processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
Because of the Data Controller's use of the Services, amongst other things through using the Data Processor's technology platforms the Data Processor may process personal data through:
A.3 The processing includes the following types of personal data about data subjects:
The Data Processor will normally process the following personal data on behalf of the Data Controller in connection with the Services:
A.4 Processing includes the following categories of data subject:
The Data Controller's customers/employees/tenants/suppliers/partners/guests in buildings where the Data Controller uses the Services.
A.5 The processing has the following duration:
Personal data shall not be stored for longer than needed for the purposes mentioned in this Appendix A. The Data Processor will process personal data on behalf of the Data Controller for as long as the Data Controller uses the Data Processor's Services and for as long as this Agreement exists unless longer retention is required by prevailing law. The Data Processor will only delete personal data involved in the Services at regular intervals and/or prior to any termination of this Agreement upon further and specific instructions by the Data Controller.
APPENDIX B - AUTHORISED SUBPROCESSORS
As of the date of this Agreement, the Data Controller authorizes the engagement of sub processors; the list can be sent to you if you click the button "Need a signed copy". For risk mitigation reasons, sub processors are not listed here on our website.