1. BACKGROUND AND PURPOSE OF THE PROCESSING
2. THE CONTROLLER’S RIGHTS AND THE PROCESSOR’S DUTIES
3. USE OF SUBCONTRACTOR/SUB-PROCESSOR
4. SECURITY OF PROCESSING AND NOTIFICATION OF BREACH
5. TRANSFER TO THIRD COUNTRIES
6. TERM. INSTRUCTION TO STOP THE PROCESSING. EFFECT ON TERMINATION
7. OTHER DUTIES AND RIGHTS
The following Data Processing Agreement is entered into between the Customer, as specified in the Order Confirmation (hereinafter the “Controller”) and Keystone Academic Solutions AS, a Norwegian limited liability company incorporated under the laws of Norway, registered in the Norwegian Register of Business Enterprises with organization number 891 201 222, address Rolfsbuktveien 4D, 1364 Fornebu, Norway (hereafter “Keystone” or the “Processor”).
This Data Processing Agreement governs the processing of personal data by Keystone on behalf of the Controller as part of the Services (as defined in the Order Confirmation’s Terms and Conditions) and forms part of the agreement for providing services entered into between Keystone and the Controller (hereinafter the “Main Agreement”).
The Processor shall process the personal data on behalf of the Controller for the purposes described above.
The nature and purpose of the processing of personal data, the duration of the processing of personal data, the subject matter of the processing of personal data, the types of personal data to be processed, the categories of data subjects to whom the personal data relates, and other obligations and rights of the Controller are included in the Appendix to this Data Processing Agreement.
This Data Processing Agreement shall provide for the processing of personal data in accordance with the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation/GDPR) and the Norwegian Personal Data Act with regulations which implements the General Data Protection Regulation (collectively “the Personal Data Regulation”).
The Processor shall process the personal data only in the way described in the Data Processing Agreement, as agreed in writing with the Controller, or as instructed by the Controller.
Terms and definitions used in the Data Processing Agreement shall be construed in the same way as in the Personal Data Regulation.
The Processor confirms that it will implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject, including compliance with the requirements in Article 32 of the General Data Protection Regulation. Other duties are set forth under Section 4 below.
The Processor shall only process the personal data under the instructions given by the Controller. The Processor shall be able to document such instructions if requested. The Processor shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Controller.
The Processor shall, considering the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the General Data Protection Regulation. In addition, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation taking into account the nature of processing and the information available to the Processor. If there are approved codes of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42, which the Processor has undertaken to comply with, the Processor shall comply with such code of conduct or certification mechanism at any time during the term of this Data Processing Agreement.
The Processor shall maintain a record of processing activities (log) which the Processor performs for the Controller. The record shall contain at a minimum the information required under Article 30 no. 2 of the General Data Protection Regulation.
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this Section 2 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, which is reasonable and necessary under the legal obligations. The Controller is however solely responsible for the contact and communication with the supervisory authorities, such as Datatilsynet in Norway.
The Processor has a duty of confidentiality regarding the personal data and other information the Processor receives as part of the Data Processing Agreement and the processing of personal data and shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality shall survive any termination of the Data Processing Agreement.
The Processor shall not transfer or give access to the personal data or information which the Processor processes or handles on behalf of the Controller to a third party without the explicit instruction from the Controller. Any requests regarding the personal data or the processing from third parties or the data subject shall be forwarded to the Controller without undue delay if not otherwise agreed in this Data Processing Agreement or by instruction by the Controller.
If the Processor is of the opinion that an instruction by the Controller infringes the Personal Data Regulation, the Processor shall immediately inform the Controller.
The Processor shall not engage another supplier for the processing of the personal data (sub-processor) without prior specific or general written authorisation of the Controller, and the sub-processor has confirmed that it undertakes to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject.
Any approved sub-processors are included in the Appendix to this Data Processing Agreement.
The Controller has given the Processor a general written authorisation for the use of sub-processors for processing personal data under the Data Processing Agreement. In case of any intended changes concerning the addition or replacement of sub-processors, the Processor shall inform the Controller and thereby give the Controller the opportunity to object to such changes.
Any sub-processor shall be imposed the same obligations as the Processor set forth in the Data Processing Agreement in a written, binding agreement where in particular the sub-processor is providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Personal Data Regulation. Where that sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.
The Processor shall comply with the requirements to security given in the Personal Data Regulation. The Processor shall provide documentation of technical and organisational measures implemented to ensure the security of the personal data upon the request of the Controller.
In case of personal data breach, the Processor shall without undue delay notify the Controller. Such notification shall at least:
1. Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
2. Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
3. Describe the likely consequences of the personal data breach; and
4. Describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If not all information above may be given in the first notice, the information shall be provided as soon as possible.
The Controller is responsible for notifying the supervisory authorities, such as Datatilsynet in Norway, and the Processor is not to contact or notify the supervisory authorities without the explicit instruction by the Controller.
Personal data shall only be transferred to third countries, i.e. countries outside the EU/EEA which ensure an adequate level of protection, upon explicit agreement or instructions by the Controller if no legal basis for transfer exists. The Processor shall not transfer or give access to the personal data to persons in third countries without the explicit approval of the Controller. The consent or instruction given by the Controller must cover the country to which the personal data shall be transferred or from which it shall be accessed. For transfer of personal data to, or access from, third countries it is required that the appropriate safeguards, including with regard to the rights of data subjects, are complied with.
This Data Processing Agreement shall be effective and stay in force as long as the Processor (and its permitted sub-processors) processes personal data on behalf of the Controller in the context of the Main Agreement.
Upon breach of this Data Processing Agreement, of instructions given by the Controller or on the Personal Data Regulation, the Controller may instruct the Processor to stop the processing of the personal data with immediate effect.
Upon termination of this Data Processing Agreement, regardless of the reason, the Processor (and its permitted sub-processors) shall delete or return any or all personal data to the Controller, subject to the Controller’s instructions, in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of such data, and delete all copies of those personal data.
The Controller shall receive a written confirmation from the Processor that all personal data has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, print out or any other representation of such data on any medium.
Other duties and rights between the parties may be subject to the Main Agreement or other agreements between the Controller and the Processor, inclusive any limitation of liability.
If the Main Agreement is transferred, this Agreement shall be transferred accordingly.
The nature and purpose of the processing of personal data
Providing services under the Main Agreement for the Controller.
The duration of the processing of personal data
The personal data shall be processed as long as the services are provided under the Main Agreement.
Subject matter of the processing of personal data
The subject matter of the processing is to process personal data as part of providing services to the Controller.
The types of personal data to be processed
Students’ contact information collected via one of Keystone’s websites and other information provided by the Controller into the Processor’s system.
The categories of data subjects to whom the personal data relates
Students, potential students and other persons interested in the Controller’s study offerings.
The obligations and rights of the Controller
The obligations and rights of the Controller are set out in the Agreement and this Appendix.
All sub-processors used by Keystone Academic Solutions AS are required to process data in accordance with the GDPR. A list of sub-processors and the country of processing is outlined below.
Sendgrid.com: Sends emails on our behalf.
SendinBlue.com: Sends emails on our behalf.
Google Analytics: Analyzes web traffic and usage of websites.
Google Ad Manager: Advertising service for showing banner ads.
Google Tag Manager: Helps us add Google Ad Manager tags.
FullContact.com: Search engine for e-mail addresses to find basic info about a person.
Zapier.com: Transfers user requests to schools’ CRM systems. Only when requested by school.
logRocket.com and Hotjar.com: Registers how forms are filled in order to improve user experience.