Data Processing Agreement
This data processing agreement is meant to ensure that the data controller (the customer) and the data processor (Jobbkort AS, org. number 915 376 215 MVA) understand the requirements and responsibilities related to the processing of personal data.
The data processing agreement is part of and regulates all processing of personal data in relation to the terms and conditions.
1. Definitions
Personal data: Any information related to an identified or identifiable individual.
Processing: Any action undertaken in relation to personal data, including but not limited to collecting, registering, organising, structuring, storing, adjusting, changing, retrieving, using, making available, disclosing, transferring, spreading, collating, limiting or deleting personal data.
The registered: An individual whose personal data is processed for the purpose of providing HSE cards, such as the owner of a company, employee, contact person etc.
Data controller: The Customer. The person or company determining the use of data processing and the means used.
Data processor: Jobbkort.no. The company using the personal data on behalf of the Customer.
Reason for processing: It is only lawful to process personal data when there is a reason for doing so. According to the General Data Protection Regulation article 6 this includes processing data in order to comply with laws and regulations, fulfill an agreement the registered entity is bound by or fulfill a request put forth by the Customer or a third party. The Customer is responsible for ensuring that there is justification for the processing of personal data.
2. Background
Jobbkort processes personal data on behalf of the Customer (data controller) as listed above.
This data processing agreement is meant to regulate rights and responsibilities in accordance with the Personal Data Act of 14. April 2000, no. 31 and Personal Data Regulation of 15. December 2000, no. 1265. In addition, this data processing agreement complies with the European Parliament and Council Regulation 2016/679, of 27. April 2016, which regulates the protection of individuals during data processing, the exchange of data, as well as the repeal of Directive 95/46/EF (referred to as “personvernlovgivningen”).
Jobbkort will process personal data as defined in this agreement, as well as in any additional manner agreed in writing between Jobbkort and the Customer.
The terms and definitions of this agreement should be interpreted in the same way as in the Personal Data Act and the Personal Data Regulation.
3. Intent, processing method and personal information used
Jobbkort is a data processor and provides consulting services that help Customers order or renew their HSE cards. This requires the company and contact person to provide personal data. Jobbkort’s processing of this personal information is done to complete the order as described in the terms and conditions. The Customer accepts these terms and condition when placing their order.
The personal information registered by the Customer and processed by the Service Provider can be found here:
HSE cards for building and construction sites.
HSE cards for cleaning services.
Personal information that must be provided includes contact name, postal address, email address, personal ID number/D-number, ID and photo.
4. Consumer Rights and Responsibilities
The Customer is responsible for ensuring that the personal data is processed in accordance with the Personal Data Act and the Personal Data Regulation (ref. article 24).
The Customer has the right and the responsibility to determine the intent of the processing, and the tools used for processing (ref. article 4 nr. 7).
Through this data processing agreement, and the terms and conditions, the Customer provides the Service Provider with written instructions for the processing of this data (ref. article 28 nr. 3 letter a).
The Customer has the right to terminate the agreement if Jobbkort fails to comply with laws and regulations, article 28, no. 1.
5. Processor Responsibilities
Jobbkort ensures that both technical and organisational measures are taken to ensure the safe processing of personal data, and to safeguard the rights of the registered individual, in accordance with GDPR, article 32.
Jobbkort will only process personal data based on written instructions from the Customer. Jobbkort will at all times be able to document these instructions. Jobbkort will not process personal data provided by the Customer in any way that is not necessary for the completion of the order placed by the Customer.
When inquiries are submitted to Jobbkort by the Customer, Jobbkort will respond to the inquiry, using the information available. This applies to enquiries from the registered individual regarding their rights, as well as enquiries related to the Consumer or Provider’s responsibilities when processing personal data.
Jobbkort will also make use of the available information when reviewing privacy measures or discussing processing with the Customer as laid out in the Personal Data Regulation article 32 to 36.
Jobbkort will keep a record of all processing activity performed on behalf of the Customer, including, but not limited to, the information that is required by the General Data Protection Regulation. The Customer can at any point request access to this record.
Jobbkort is required to disclose information that is necessary to determine that activity is in compliance with the terms laid out in article 3 of this agreement. Jobbkort is also required to enable and contribute to inspections performed by the Customer. This includes giving access to security documentation. The Customers is responsible for all interaction with government regulators.
Jobbkort, its employees and third party providers are bound by a confidentiality agreement regarding documentation and personal information accessed in accordance with this data processing agreement. The confidentiality agreement applies even after termination of the agreement.
Jobbkort will not disclose information or documentation for processing by a third party provider on behalf of the customer, without the Customer’s explicit consent.
If Jobbkort believes that a customer is in any way violating the Personal Data Act or the Personal Data Regulation or any other act or regulation, Jobbkort will immediately inform the customer of this potential violation.
6. Security measures
The Data Processor must be able to demonstrate the measures taken to comply with the security measures of the Personal Data Act and Personal Data Regulation. The documentation must be made available to the Customer upon request.
If security or privacy breaches are discovered, Jobbkort is required to inform the Customer immediately.
The Customer is responsible for notifying The Norwegian Data Protection Authority (Datatilsynet) in the event of a breach.
7. Transferring data abroad
Personal data can only be transferred to countries outside the EU/EEA with the written consent of the Customer. Jobbkort cannot transfer personal data or allow individuals from outside the EU/EEA access, without informing the customer prior to the transfer being completed or access being given, and only after receiving explicit written consent from the Customer.
The consent and the instructions must apply in the country the data will be transferred to or accessed in. Transfer to countries outside the EU/EEA presupposes, even with consent and instructions being given, that the transfer complies with the safety and privacy measures of the Personal Data Act and Personal Data Regulation.
8. Duration of the agreement
The data processing outlined in this data processing agreement remains valid even when the terms and conditions are fulfilled, or in case of any breach of laws and regulations.
In the event of a breach in the agreement between Service Provider and Customer, or any act or regulation, the Customer can terminate further processing of personal data with immediate effect.
When terminating the agreement the Customer must explicitly inform Jobbkort that data should be disclosed, transferred or deleted prior to the termination. In case of a transfer, personal data will be stored with the Customer, who assumes full responsibility.
In the event of the terms and conditions being terminated, Jobbkort is required to delete all registered personal data and any data backups upon written instructions from the Customer, unless the data has to be retained for legal purposes. The Customer is responsible for requesting the removal of personal data and a confirmation of this removal.
In the event of termination, the main agreement applies as a general agreement for the use of the services.
9. Governing law and jurisdiction
Conflicts related to these terms, as well as conflicts arising from situations described in these terms, is regulated by the general courts, and will be resolved in the appropriate District Court based on the registered address of the Service Provider.
10. Privacy Policy
Jobbkort AS is required to process personal data in a secure manner and in accordance with the Norwegian Data Protection Authority and GDPR.
11. Communication
The Customer and Jobbkort agree that communication and disclosure of information in accordance with this agreement will occur via email.
Please note that the Data Processing Agreement in Norwegian is the only legally binding agreement, in case of differences of interpretation between the two.