DATA PROCESSING AGREEMENT
Last updated: 05.12.2022
About the agreement
The agreement is entered into between Businesses (hereinafter referred to as "Controller") that offer Services from Assisted self-help to service recipients (hereinafter referred to as "End Users"), and Assistert Selvhjelp AS (hereinafter referred to as "Data Processor").
The agreement regulates the Data Processor's use of personal data about End Users on behalf of the Controller, including collection, registration, compilation, storage, disclosure or combinations of these, in connection with the use of services provided by the Data Processor.
The agreement regulates rights and obligations between the Controller and Data Processor according to the Personal Data Act (LOV-2018-06-15-38) and the EU's privacy regulation (2016/679/EC of 27 April 2016, General Data Protection Regulation, hereinafter referred to as the privacy regulation). The agreement must ensure that personal information about the registered persons is not used unlawfully or comes into unauthorized hands.
In the event of a conflict between the data processing agreement's regulation and the framework resulting from the Personal Protection Ordinance or other relevant legislation, the agreement's regulation takes precedence.
This agreement applies to all processing of Personal Data that the Data Processor undertakes on the basis of Assisted Self-Help for internet-assisted treatment/self-help aimed at mental health (hereinafter referred to as the "service/assignment agreement"). In the event of a conflict between this agreement and the service/assignment agreement, this data processing agreement shall apply.
Services included in this agreement are the services included in the service/assignment agreement and which involve the processing of personal data.
This data processor agreement regulates the processing of personal data carried out on behalf of the Data Controller to ensure that all processing of Personal Data in connection with the "service/assignment agreement" takes place in accordance with current legislation on the processing of personal data.
"Personal information" shall mean information that can be linked to an individual, as defined in the personal data legislation currently in force.
"Treatment" of Personal data shall mean any use of personal data, such as e.g. collection, registration, compilation, storage and disclosure or a combination of such uses, as defined in the legislation in force at any given time.
This agreement will also apply to further processing of personal data based on any written agreements between the parties that are entered into during the period of operation of this agreement and which imply that the Data Processor processes personal data on behalf of the Controller (hereinafter referred to as "subsequent written agreements between the parties").
Personal data shall only be used for the purposes that follow from this agreement, the service/assignment agreement and subsequent written agreements between the parties to the extent that it is strictly necessary to implement and meet the requirements in the agreements.
Theme of the treatment
Most End Users access the Services from Assistertselvhjelp.no. In a limited pilot project, End Users are given access via Helsenorge.no. Project participants are predefined, and neither the End User nor Professionals can choose the access method. Most of the framework conditions are the same, but the different conditions are described in sections A and B below.
A Access from Assistertselvhjelp.no
The parties to this Data Processing Agreement have concluded the "service/assignment agreement":
The Data Processor shall Process Personal Data that End Users register in the service with an anonymised access code assigned by the Controller:
The data processor must store data and make it available to End Users by logging in with the anonymised access code. It is only to the extent that third parties are made aware of additional information that identifies the End User who uses an anonymized access code that this is Personal Information (cf. "pseudonymisation").
The data controller will have access to a report function where, assuming consent from the End User when logging into the Service, they can see registrations and progress in the anonymised access code. The data processor does not get access to Personal Data as long as only an anonymized access code is used.
Purpose of processing, categories of information and who is registered
This information is set out in attachment 1.
The framework for data processors' processing of personal data
The data processor must only process the personal data based on documented instructions from the data controller, unless it is required according to legal rules to which the data processor is subject; in that case, the data processor must notify the data controller of the aforementioned legal requirements before the processing, unless this law prohibits such notification due to important public interests. The data processor must at all times be able to document the Controller's instructions. The data processor must notify the Data Controller of instructions and routines that involve a breach of the current legislation on the processing of personal data. The data processor will use the contact details provided for the Data Controller, and must use a form of communication that is appropriate based on the degree of urgency.
The data processor does not have independent control over the personal data, and cannot process this for its own purposes.
The data controller has, unless otherwise agreed or follows from the law, the right to access and inspect personal data that is processed by the data processor. The end user registers in the service with an anonymised access code, and only the Data Controller will have access to additional information that makes it possible to find out who registers information in the access codes.
The data controller and end users will have access to the information registered with the data processor. If the Controller nevertheless wishes to view and access information registered with the Data Processor, the request must only be based on the anonymised access code of the relevant End User.
The end user can influence the treatment
End users can use the Service after the data controller has ended the offer, and must actively decide whether they want to change the access code they have been given by the Data Controller, and/or withdraw their consent to share their data provided that this has been given. End users can also delete their own data at any time. This is described for End Users in The privacy statement.
If the End User only withdraws consent to share their registrations with the Controller, without changing the access code, this will result in the Controller losing access to the End User's registrations in the service. If the End User also chooses to change the access code, this will mean that the original additional information with the Data Controller will no longer be able to be used to identify the person. This has the consequence that the information no longer constitutes personal data, and consequently that the processing of personal data will cease.
B Access from Helsenorge.no
The controller must comply with the obligations arising from the Personal Data Act, the Personal Data Protection Ordinance and other special legislation, as well as this agreement.
The controller confirms that the controller:
- has sufficient legal basis for Processing Personal Data
- has the right to let the Data Processor process the Personal Information
- is responsible for the accuracy, integrity, content, reliability and legality of the Personal Information
- fulfills the applicable legal requirements regarding any notification and license to relevant supervisory authorities
- has informed the person to whom the Personal Information applies in accordance with applicable legislation
The controller must:
- respond to inquiries from those registered about the Processing of Personal Data in accordance with this Data Processor Agreement,
- assess the necessity of specific measures as stated in this Data Processor Agreement, sections 2.3.2 and 2.3.4, and order such measures from the Data Processor.
The controller has a duty to report deviations to relevant supervisory authorities and possibly to the data subjects without undue delay in accordance with current legislation.
Data processor's duties
The data processor undertakes to process personal data only in accordance with the relevant law and regulations, this agreement, the service/assignment agreement, the Data Controller's documented instructions and other applicable agreements between the parties. The data processor shall not, by any action or omission, put the data controller in such a situation that the data controller violates any provision of the applicable law and regulations.
Data processor must:
- have ongoing control over all categories of processing activities carried out on behalf of the data controller.
- give the data controller access to and insight into personal data processed by the Data Processor (cf. "Framework for data processors' processing of personal data").
- keep and maintain an overview of all information and processing or, if relevant, a protocol of its own processing activities in accordance with Article 30 of the Personal Data Protection Regulation.
- take all reasonable measures to ensure that the Personal Information is correct and up-to-date at all times.
- establish routines for deleting information when it is no longer necessary based on the purpose of the Processing and delete information in accordance with established routines and guidelines.
- have routines for and the technical ability to limit the Processing of the data subject's personal data if the data subject so wishes in accordance with the applicable legislation.
- ensure that all persons who are given access to Personal Data processed on behalf of the Data Controller are familiar with this agreement and applicable agreements between the parties, and are subject to the provisions of these agreements.
- ensure that requirements for built-in privacy and privacy as a standard setting are met in the data processor's solutions if this is relevant. This includes building in functionality to fulfill privacy principles as well as functionality to ensure the data subject's rights.
- provide the data controller with the necessary assistance so that the data controller can fulfill its obligations towards the data subjects.
- cooperate with and assist the Data Controller in fulfilling the data subject's rights related to access to information, including responding to requests from the data subject with a view to exercising their rights set out in Chapter III of the Personal Data Protection Ordinance.
- immediately notify the Data Controller if the Data Processor believes that an instruction is in breach of the Personal Data Protection Ordinance or other provisions on the protection of personal data.
- assist the Data Controller to ensure compliance with the obligations in Articles 35-36 of the Personal Data Protection Ordinance, which deal with the assessment of personal data protection consequences and preliminary discussions with the Norwegian Data Protection Authority. When assessing privacy consequences, the Data Processor is obliged to assess security measures that can contribute to reducing the risk the processing entails for the data subjects.
The data processor's assistance in connection with the above shall be provided free of charge.
Deviations and notification of deviations
Any use of the information systems and Personal Data contrary to established routines, instructions from the Controller or applicable legislation on the Processing of Personal Data, as well as security breaches, shall be treated as deviations.
The data processor must have routines and systematic processes for following up on deviations, which must include re-establishing the normal state, eliminating the cause of the deviation, and preventing repetition.
The Data Processor must immediately and without undue delay notify the Controller of any breach of this Agreement or accidental, illegal or unauthorized access, use or disclosure of Personal Data, or that Personal Data may have been compromised or breach of the integrity of the Personal Data. The Data Processor shall provide the Data Controller with all information necessary to enable the Data Controller to comply with the current legislation on the Processing of Personal Data and to enable the Data Controller to respond to inquiries from data supervisory authorities. Unless otherwise agreed in writing, the data processor will use contact details provided by the Data Controller, and use a form of communication that is appropriate in relation to the degree of urgency. It is the Data Controller's responsibility to report deviations to the Norwegian Data Protection Authority in accordance with current legislation.
The data processor has a duty of confidentiality regarding personal data and other confidential information, including, but not limited to, business secrets. The Data Processor must ensure that everyone who performs work for the Data Processor, whether employees or contractors, who has access to or is involved in the Processing of Personal Data according to the Agreement (i) is subject to a duty of confidentiality and (ii) is informed of and complies with the obligations under this Data Processor Agreement. The confidentiality obligation also applies after termination of the Agreement.
The Data Processor will carry out the necessary security audits for systems and the like that are relevant to the Processing of Personal Data covered by this Data Processor Agreement. The controller must have access to reports documenting security audits.
The Data Processor makes available to the Data Controller all information necessary to demonstrate that the obligations laid down in the Personal Data Protection Regulation have been met, as well as enables and contributes to audits, including inspections, which are carried out by the Data Controller or another auditor authorized by the Data Controller. The data controller agrees that the data processor can calculate a special remuneration for carrying out the audit.
The data controller can show such a report to supervisory authorities and others who have a right to know the content.
Technical, organizational and security measures
The Data Processor is obliged to take and implement all necessary and adequately planned and systematic technical, organizational and security measures so that there is satisfactory information security at all times when processing Personal Data.
The data processor must:
- establish and comply with the necessary technical and organizational measures with regard to continued confidentiality, integrity, availability and robustness when processing Personal Data to ensure satisfactory information security in accordance with Article 32 of the Personal Data Protection Regulation.
- have routines for authorization and management which ensure that only those of the Data Processor's employees who have a real need for access to systems and the information in order to carry out tasks necessary for the implementation of the service/assignment agreement are given such access. The level of access must be in accordance with real needs linked to carrying out the assignment. The data processor must withdraw access if the authorization expires or for other reasons no longer applies to the person.
- uncover, register, report and close non-conformities related to information security, including logging and documenting any attempt at unauthorized access and other breaches of personal data security in the computer systems. Such documentation must be kept by the Data Processor.
- in the event of suspicion or detection of deviations, immediately notify the Data Controller. The notice states the discrepancy with an explanation of the cause, time frame and time the discrepancy was discovered, the categories of and approximate number of registered persons who are affected, the categories of and approximate number of registrations of personal data that are affected, the name and contact details of the data protection representative or another contact point where more information can be obtained, assumed consequences of the deviation and which immediate measures have been initiated or are considered to be initiated to deal with the deviation.
- immediately notify the Data Controller in the event of unauthorized disclosure of personal data.
- record all authorized and unauthorized access to information. All postings made must be registered so that they can be traced to the individual user (i.e. employees of the data processor, subcontractors and data controller). The logs must be kept until it is no longer assumed that there is a use for them or in accordance with what the service/assignment agreement specifies.
- assist the Controller in ensuring compliance with the obligations in the Personal Protection Regulation articles 32–34.
- notify the Data Controller of all circumstances that lead to a change in the risk picture.
Use of subcontractors
The controller allows the Data Processor to use subcontractors to fulfill the obligations under the Data Processor Agreement.
The controller gives the Data Processor general permission to use and change sub-processors for the Processing of Personal Data in accordance with the Agreement. In the event that the Data Processor has plans to use other sub-processors or replace sub-processors, the Data Processor must inform the Data Controller in writing (including electronically) of the plans and thus give the Data Controller the opportunity to oppose such changes.
The controller must object in writing (including electronically) to a change of sub-data processor no later than 14 days after electronic notification of a possible change of sub-data processor. The data controller can only object to the use of the sub-data processor if it is factually justified. If the data processor does not accept the data controller's objections, the data controller can terminate the Agreement with a three-month period calculated from written (including electronic) notice of termination.
Data processor must:
- ensure that the subcontractors assume corresponding obligations as Data Processors under this agreement and applicable legislation.
- maintain an up-to-date list of the identity and location of subcontractors as specified in The privacy statement.
- at the Data Controller's request, submit documentation from the subcontractor that substantiates that it is a serious and reliable supplier, which can satisfy the requirements for protection in the GDPR.
- notify the Data Controller of any plans to use other subcontractors or replace subcontractors. Such changes must be notified in good time so that the Data Controller is given the opportunity to oppose the change.
- ensure that the Data Controller and the supervisory authorities have the same right to access and control the Processing of Personal Data at a subcontractor as the Data Controller has vis-à-vis the Data Processor according to this data processor agreement.
- upon termination of the data processor agreement, ensure that subcontractors fulfill the obligation to delete or properly destroy all personal data and all possible copies and backup copies of the information that appears in this agreement in the same way as the Data Processor, insofar as it does not conflict with other legal provisions.
The Data Processor is at all times fully responsible to the Data Controller for all work carried out by subcontractors and for the subcontractors' compliance with the provisions of this agreement.
Access to personal data for third parties requires a specific agreement beyond this agreement between the parties for anyone other than the Data Processor's subcontractors.
Transfer of personal data abroad
The main rule is that none of the personal data processed under this agreement shall be taken out of Norway as a result of using our services, and the personal data is stored on servers within the EU. The data processor has the following exceptions that involve transfer abroad:
Permanent developers who reside outside the EU are used. The developers, in the same way as other personnel at the data processor, do not have access to additional information that makes it possible to identify End Users. They design solutions for the websites, so that Assistert Selvhjelp's services are simple, clear and work satisfactorily, including complying with the requirements for privacy. When designing and testing the solution, developers will need access to de-identified information about End Users or Private Persons (pseudonymisation). In order to safeguard security and maintain operations, they may also need to remove encryption of IP addresses temporarily. The IP addresses are not connected to other data that is recorded. Neither Assistert Selvhjelp nor our developers have access to directly identifiable personal data in this connection at any time.
The developers must have access to this information in order to safeguard information security, maintain operations and create a solution that satisfies the requirements of the Personal Data Act. This is authorized in the GDPR itself, in that it gives the Data Processor the opportunity to "implement suitable technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with" the Personal Data Act, cf. GDPR article 6 no. 1 letter c (legal obligation) and see GDPR article 24 no. 1 and 32.
When transferring personal data to countries outside the EU/EEA (third countries), the Data Processor uses approved transfer bases.
The data processor confirms that no other subcontractors specified in The privacy statement transfer personal data covered by this agreement abroad.
The Data Processor's employees and others who act on the Data Processor's behalf in connection with the Processing of personal data in accordance with this agreement, service/assignment agreement and subsequent written agreements between the parties (hereinafter referred to as "persons authorized to process the personal data"), are subject to a duty of confidentiality according to this agreement and applicable regulations.
The data processor must ensure that everyone who processes personal data under the data processor agreement is aware of the duty of confidentiality.
Employees and others who act on behalf of the Data Processor in connection with the Processing of Personal Data must have signed a non-disclosure agreement. The provision applies similarly to subcontractors.
The parties also have a duty of confidentiality regarding confidential information relating to each other's business, which is communicated in connection with the assignment.
The parties are obliged to take the necessary precautions to ensure that material or information is not made known to others in violation of this point.
The confidentiality obligation also applies after the termination of the agreement.
Implementation of inspection, verification and audit
The data controller must give the Data Processor notice in a reasonable amount of time if access and control are required, usually at least 30 days' notice. For requests for access to documents, at least 14 days' notice should be given. The Data Controller must help ensure that access and control can be coordinated between several Data Processors who receive services from the Data Processor. Inspection and control can be carried out by the Data Controller or a third party appointed by the Data Controller. The data processor can demand that documented additional costs incurred in such revisions be covered.
Duration and termination
This data processor agreement applies from the conclusion of the Service Agreement and applies until the agreement and all applicable agreements between the parties, which imply that the Data Processor shall Process Personal Data on behalf of the data controller, have ceased.
In the event of a breach of this agreement or the Personal Data Act, the Controller may order the Data Processor to stop the further Processing of the information with immediate effect.
The agreement can be terminated in writing by both parties with a mutual deadline of 6 months.
Upon termination of the data processor agreement, the Data Processor must delete information that the data processor has received and processed on behalf of the controller. This happens by changing the code that gives access to the information, so that the information can no longer be linked to a natural person by the Controller or another person.
After all the information has been transferred to the Controller and confirmed receipt by the latter, the Data Processor must irreversibly delete or properly destroy all the information and all possible copies and backup copies of the information in its systems, unless mandatory legal rules require that the personal information continue to be stored.
If shared infrastructure is used where direct deletion is not technically possible, the Data Processor must ensure that data is made inaccessible until this data has been overwritten by the system.
The data processor's assistance in connection with the above shall be provided free of charge. All routines and safeguarding of information must be in place until all data is deleted or destroyed.
The data processor must give the Data Controller written confirmation that the information has been transferred and deleted as stated above.
Transfer of rights and obligations
The data controller may fully or partially transfer its rights and obligations under the agreement to another business, which is then entitled to similar conditions. The data processor may demand that any additional costs associated with the transfer be covered.
The Data Processor can transfer its rights and obligations under the agreement with the written consent of the Data Controller. Such consent cannot be refused without a valid reason. The right to remuneration under the agreement can be freely transferred, but the transfer does not exempt the Data Processor from taking care of duties and responsibilities under this agreement.
If one of the parties does not fulfill its obligations under this agreement and this is not due to circumstances for which the other party is responsible or bears the risk, the aggrieved party can plead breach of contract. This must be notified to the other party in writing without undue delay.
In the event of default, the aggrieved party may withhold his compensation, but not obviously more than what seems necessary to remedy the effects of the default, and only until the relationship is brought into accordance with the agreement.
If there is a significant breach, the other party - after giving written notice and a reasonable period of time to put things in order - can terminate all or part of the agreement with immediate effect and demand compensation for any losses this has caused. Total compensation per calendar year is limited to an amount that corresponds to the Agreement's total annual remuneration excl. value added tax.
Compensation for indirect losses cannot be claimed. Indirect losses include, but are not limited to, lost profits of any kind and lost savings.
Messages and contact
Notifications, notices or other communication between the Data Controller and the Data Processor must be given in writing, or confirmed in writing to the email addresses that the parties have provided when entering into the agreement.
APPENDIX 1 – PURPOSE AND CATEGORIES
The purpose and duration of processing of personal data, which personal data is processed, categories of the registered and the nature of the processing are described below.
The purpose is for the data to form the basis for the processing protocols that both the data controller and data processor are bound to create and keep track of.
Purpose of the processing:
Other (please specify):
The purpose is to give Professionals at the controller insight into the End User's registrations, and thus be able to provide effective follow-up of End Users who use the Service. In practice, it will be that Professionals during the period the End User uses the service under active follow-up can:
- follow the progress and use of the person being guided in advance of agreements
- adjust workload between follow-up hours as best as possible
- have a better basis for assessing utility and effect
The personal data that is processed relates to the following categories of data subjects associated with the data controller:
Other (please specify):
Categories of personal data:
- Contact information – name, telephone number, e-mail, residential address, social security number/birth number, etc.
- Special categories of personal data. See below.
- Work-related information – position/role, organisation, company, telephone number, e-mail, workplace, work history, etc.
- Monitoring/surveillance data – logs from access control (physical and logical), etc.
- Payment information – financial transactions, recipients, account number, amount, date, time, place of purchase, etc.
- Payment card information – credit card number, expiry date, CCV number, other cardholder information, etc.
- Other, please specify below:
The information that is stored concerns the registrations made in the Service after logging in with the unique code. Examples of information that is stored:
- Standardized answers/answer categories related to questions and tasks about behaviour, emotions, thoughts and experience of various situations
- What content has been reviewed
- Overview of scores on mapping tools, for example mapping symptoms of anxiety and depression
- Automatic information about date/time of login, and time spent
- Clickstream data, type of operating system and browser and other user information which is part of the service analysis
- Evaluation and feedback related to use of the Services
Privacy legislation does not apply to anonymised information. The information is anonymous if it is not possible, with the aids that can reasonably be thought to have been used, to identify individuals in the data set. It is only to the extent that third parties have access to additional information that makes it possible to identify a person, that this is personal information. To achieve this, the anonymised access code must be actively and intentionally linked to other personal data held by the Controller in connection with the provision of an access code.
Special categories of personal data (sensitive):
- Racial or ethnic origin
- Religious or philosophical beliefs
- Genetic data for the purpose of uniquely identifying a natural person
- Biometric data for the purpose of uniquely identifying a natural person
- Information about a natural person's sexual relations or orientation
- Information on criminal convictions
- Information about legal offences
Special security needs.
Checking any of the following questions will mean that an agreement on increased security must be entered into. The processing of sensitive personal data will result in special needs for security in at least one of the areas below. This must be reflected in the main agreement.
- Special need for confidentiality
- Particular need for integrity
- Special need for accessibility
- Particular need for privacy-promoting technologies (e.g. built-in privacy)
Processing activities (What should the data processor do with the personal data?):
- Adaptation or change
- Deletion or destruction
- Other, please specify below:
APPENDIX 2 – DETAILED INFORMATION SECURITY REQUIREMENTS
The data processor has an independent duty to implement suitable security measures according to Article 32.
Duty to ensure information security
The data processor must, by means of planned, systematic, organizational and technical measures, ensure sufficient information security with regard to confidentiality, integrity and availability in connection with the Processing of Personal Data in accordance with the provisions on information security in the current legislation on the Processing of Personal Data.
End User Access
The service is built so that it initially does not contain personally sensitive information. This means, among other things, that the service does not contain questions that can identify a person and that the person using the service will be anonymised:
A system for anonymisation and pseudonymisation with unique codes is used to log use and/or give users access to the system. No data that can directly identify the End User is stored in the database, this also applies to IP addresses. The only thing that links a person to an individually tailored service is a code consisting of numbers and letters that the Data Controller creates on behalf of the End User. The data processor cannot find out who has used the programs based on the registered information.
Assessment of measures
In assessing which technical and organizational measures are to be implemented, the Data Processor, in consultation with the Data Controller, shall take into account:
- best practices,
- the cost of implementation,
- the nature and scope of the processing,
- the context and purpose of the processing,
- seriousness of the risk the processing of personal data entails for the data subject's rights.
The data processor shall, in consultation with the Data Controller, assess:
- Implementation of pseudonymisation and encryption of Personal Data
- The ability to ensure ongoing confidentiality, integrity, availability and robustness of systems for processing and services
- The ability to restore availability and access to personal data in a timely manner in the event of physical or technical incidents
- A process for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures for the security of the Processing
Inquiries from the registered
Taking into account the nature of the Processing, the Data Processor must implement technical and organizational measures to assist the Data Controller in responding to inquiries regarding the exercise of data subjects' rights.
Assistance to the Data Controller
The data processor must provide assistance so that the Data Controller can take care of his own responsibilities according to law and regulations, including assisting the Data Controller to:
- Implement technical and organizational measures as mentioned above,
- comply with the obligation to notify supervisory authorities and registered persons as a result of deviations,
- carry out assessments of privacy consequences ("data privacy impact assessments"),
- carry out prior discussions with supervisory authorities when an assessment of privacy consequences makes this necessary
- notify the Data Controller if the Data Processor believes that an instruction from the Data Controller is contrary to the applicable privacy regulations.
Assistance as mentioned above shall be carried out to the extent necessary based on the Data Controller's needs, the nature of the processing and the information available to the Data Processor.
Assistance from the Data Processor as stipulated in this Data Processor Agreement, as well as assistance in connection with special routines and instructions imposed by the Data Controller, shall be compensated by the Data Processor in accordance with the Data Processor's usual conditions and hourly rates.