DATA PROCESSING AGREEMENT
This attachment contains the Data Processing Agreement and is an integral part of the Agreement on Accounting Assignments.
The performance of the assignment entails that the Accounting Firm processes personal data on the Customer’s behalf. The Accounting Firm thus acts as Data Processor for the Customer as Data Controller.
The object of the present Data Processing Agreement is to regulate the Accounting Firm’s processing of personal data on the Customer’s behalf and thus ensure that the data are processed in accordance with the Norwegian Act relating to the Processing of Personal Data (LOV-2018-06-15-38), including the EU’s General Data Protection Regulation (EU/2016/679), and subsequent legislation which replaces or supplements these statutes (‘the Personal Data Protection Legislation’).
The definitions provided in Article 4 of the General Data Protection Regulation apply correspondingly to terms used in the present Data Processing Agreement.
2. PURPOSE AND TYPE OF DATA PROCESSING
The purpose of the Accounting Firm’s processing of personal data is to perform the accounting assignment in accordance with the Contract, including Accounting Norway’s standard delivery terms for accounting assignments (‘the Standard Terms’).
Annex 1 to this document describes the specific purposes of the data processing and the categories of personal data and Data Subjects covered.
The Data Processing Agreement does not apply to processing of personal data performed for the Accounting Firm’s own purposes. This also comprises processing necessary to meet the Accounting Firm’s statutory obligations. For such data processing, the Accounting Firm is itself the Data Controller.
3. THE ACCOUNTING FIRM’S OBLIGATIONS
3.1 Prohibition on disposal and duty of notification
The Accounting Firm may only process personal data in accordance with documented instructions from the Customer, including those in the Contract and in Annex 1 to the present Data Processing Agreement.
If the Accounting Firm finds that an instruction from the Customer (see the first paragraph) is contrary to the Personal Data Protection Legislation, the Customer must be notified thereof.
The Accounting Firm must notify the Customer without undue delay if the Accounting Firm will not be able to meet its obligations under the present Data Processing Agreement.
3.2 Disclosure and duty of confidentiality
The Accounting Firm must not disclose personal data to third parties unless the Customer has consented to such disclosure in writing in advance or there is a statutory duty for the Accounting Firm to disclose personal data. Disclosure of data to other data processors must be in accordance with the terms and conditions of Clause 4 of the present Data Processing Agreement.
The provision on a duty of confidentiality in Clause 1.6 of the Standard Terms also applies to personal data processed under the Agreement.
3.3 Security of processing and communication of personal data breaches
The Accounting Firm must take all measures necessary to establish a suitable security level for the data processing in accordance with the requirements for security of processing in Article 32 of the General Data Protection Regulation. The measures must be documented.
The Accounting Firm must notify the Customer without undue delay about any personal data breach which has resulted in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed under the present Data Processing Agreement. The notification must contain the information required in accordance with Article 33 (3) of the General Data Protection Regulation.
The Accounting Firm must immediately implement measures aimed at preventing or limiting the consequences of the personal data breach.
3.4 Duty to provide assistance
The Accounting Firm must provide the Customer with assistance to meet the requirements for security of processing in Articles 32 to 36 of the General Data Protection Regulation.
The Accounting Firm must also assist the Customer in meeting the Customer’s obligation to answer inquiries from Data Subjects who wish to exercise their rights under the General Data Protection Regulation. The Accounting Firm must not answer such inquiries itself, but must forward the inquiry to the Customer without undue delay or refer the Data Subject to contact the Customer directly.
3.5 Access to data and security audits
On request, the Accounting Firm must grant the Customer access to all data and documentation necessary to show that the data are processed in accordance with the present Data Processing Agreement and the Customer’s instructions.
If the Customer ascertains any personal data breaches or other deviations, the Accounting Firm must implement corrective measures without undue delay.
4. TERMS FOR USE OF OTHER DATA PROCESSORS
The Customer consents to the Accounting Firm transferring personal data processed under the Contract to other Data Processors (Sub-processors) stated in Annex 2 to this document.
Before new Data Processors are engaged in the processing, the Customer must be given written notice no later than two weeks before the personal data are transferred to the new Data Processor. The notice must contain information about where the processing will take place; see Clause 5 of the present Data Processing Agreement.
The Customer must be able to object to the personal data being transferred to new Data Processors. In such case, the Parties will loyally seek to agree on a solution that is acceptable to both Parties. If the Parties fail to reach such an agreement, the Contract may be terminated by both Parties in accordance with Clause 12 of the Standard Terms.
The Accounting Firm must enter into a written agreement with its Data Processors which imposes on the Data Processors the same obligations that the Accounting Firm has itself pursuant to the present Data Processing Agreement. The Accounting Firm is fully liable to the Customer for the Data Processor’s data processing.
5. TERMS FOR TRANSFER OUTSIDE THE EU/EEA AREA
Personal data can only be transferred to countries outside the EU/EEA area if the Customer has granted advance consent to this.
The Customer consents to data being transferred outside the EU/EEA area in connection with the personal data being transferred to existing Data Processors on the terms and conditions stipulated in Annex 2 to this document.
Under this provision, a failure to object to the data processing being transferred to a Data Processor which processes personal data outside the EU/EEA area will also be regarded as consent; see Clause 4 of the present Data Processing Agreement.
6. ERASURE AND RETURN OF PERSONAL DATA
On termination of the Agreement, the Accounting Firm is obliged to return, erase or anonymise all personal data in accordance with the Customer’s further instructions at the time of termination. The Parties must loyally agree on the practical implementation of this obligation in a way which meets both Parties’ need to comply with statutory requirements and secure day-to-day operations.
However, the obligation to erase data does not apply to personal data which form part of the Accounting Firm’s own assignment documentation; see Clause 2, third paragraph, of the present Data Processing Agreement.
7. TERM OF THE DATA PROCESSING AGREEMENT AND AMENDMENTS
The Data Processing Agreement will remain in force for as long as the Accounting Firm processes personal data on the Customer’s behalf. The duty of confidentiality shall apply for an indefinite period.
The Data Processing Agreement may be amended as required and by agreement between the Parties in accordance with Clause 7 of the Standard Terms.
8. NOTIFICATIONS AND OTHER COMMUNICATION
Notifications and other communication under this Data Processing Agreement must be given in accordance with Clause 1.4 of the Standard Terms.
9. GOVERNING LAW AND VENUE
The parties’ rights and obligations under the present Agreement shall, in their entirety, be governed by Norwegian law. The Accounting Firm’s court of domicile has been agreed as the proper venue for disputes between the parties.
1. The website does not automatically collect any information, except for information contained in cookie files.
2. Cookies are IT data, in particular text files, which are stored on the Website User’s end device and are intended for use with the Website’s pages. Cookies usually contain the name of the website from which they originate, their storage time on the end device and a unique number.
3. The operator placing the cookies on the Website User’s end device and accessing them is the operator of the Novum Website.
4. Cookies are used for:
– adjusting the content of the Website pages to the User’s preferences and optimizing the use of websites; in particular, these files make it possible to recognize the device of the Website User and properly display the website, tailored to the User’s individual needs;
– creating statistics that help to understand how Website Users use websites, which allows improving their structure and content;
– maintaining the Website User’s session (after logging in), thanks to which the User does not have to re-enter his login and password on every subpage of the Website;
5. The Website uses two basic types of cookies: “session” and “persistent” cookies. Session cookies are temporary files that are stored on the User’s end device until logging out, leaving the website or turning off the software (web browser). Persistent cookies are stored in the User’s device for the time specified in the cookie file parameters or until they are deleted by the User.
6. The Website uses the following types of cookies:
– “necessary” cookies, enabling the use of services available on the Website, e.g. authentication cookies used for services that require authentication on the Website;
– cookies used to ensure security, e.g. used to detect fraud in the field of authentication on the Website;
– “performance” cookies, enabling the collection of information on the use of Website pages;
– “functional” cookies, allowing “remembering” the settings selected by the User and personalizing the User’s interface, e.g. in terms of the language or region of the User’s origin, size of the font, appearance of the website, etc.;
7. In many cases, software used for browsing websites (web browser) allows cookies to be stored in the User’s device by default. Website Users can change their cookie settings at any time. In particular, these settings can be changed to block the automatic handling of cookies in the web browser’s settings or to inform the User each time cookies are placed on the Website User’s device. Detailed information about the possibilities and ways of handling cookies is available in the software (web browser) settings.
9. Cookies placed on the Website User’s end device may also be used by advertisers and partners cooperating with the Website operator.
10. More information about cookies is available in the “Help” section in the browser’s menu.