Security and Legal - DPA
References in the data processing agreement (the “DPA”) to “Ignite”, hereinafter the “Processor”, shall mean Ignite Procurement AS.
References in the DPA to “Customer”, hereinafter the “Controller”, shall mean the entity or person stated as the Customer in the Purchase Agreement.
References in the DPA to “Service” or “Services” shall mean the spend management solution as described in the Terms and the Purchase Agreement.
Note that Ignite updates these terms from time to time. The last update was January 1st, 2021.
This DPA sets out the rights and obligations of the Processor’s processing of personal data on behalf of the Controller pursuant to the Purchase Agreement. This DPA is supplemental to, and forms an integral part of, the Purchase Agreement and is effective upon its incorporation into the Purchase Agreement, which may be specified in the Purchase Agreement, an Order or an executed Purchase Agreement Addendum.
This DPA shall ensure that the processing complies with the requirements set out in the Norwegian data protection legislation, including but not limited to the General Data Protection Regulation (“GDPR”). In the event of a conflict between the provisions in this DPA and the Purchase Agreement, the provisions of this DPA shall prevail.
The Processor processes data on behalf of the Controller in connection with providing the Service to the Customer.
The Processor will process the following types of personal data on behalf of the Controller:
The personal data is connected to the following categories of data subjects:
The Processor shall only process personal data for the following purposes:
The processing involves purchase data, supplier data, contract data, and any other data provided or inserted into the Service by the Controller. The Controller is responsible for ensuring that personal data can be processed by the Processor including the accuracy, integrity, content, reliability, and legality of the personal data.
The Processor shall:
a. Only process personal data in accordance with the purpose of the processing set out in Section 2 and the documented instructions of the Controller. The Processor shall notify the Controller immediately if any of the instructions are inadequate or in violation of the GDPR or Norwegian data protection legislation. The Processor shall also notify the Controller if the Processor is required by mandatory law to process personal data contrary to the Controller’s instructions, unless providing such notification is prohibited by law or applicable legal decision;
b. Only transfer personal data to jurisdictions outside the European Economic Area in accordance with the Controller’s instructions or approval;
c. Notify the Controller if personal data are to be transferred outside the EEA, unless providing such notification is prohibited by law or applicable legal decision, and ensure that the personal data are adequately protected by EU model clauses or other basis for transfer pursuant to the GDPR;
d. Ensure that employees and sub-processors or other third parties authorised to process personal data on behalf of the Controller in accordance with Section 6 are subject to obligations of confidentiality, which shall survive the term of this DPA;
e. Implement appropriate technical and organisational measures required pursuant to Article 32 of the GDPR, including measures to ensure that data is available to the Controller, to prevent the loss or destruction of data, and prevent unauthorized access to data;
f. Keep an updated list of all sub-processors and ensure that any sub-processors processing personal data on behalf of the Processor have entered into a binding DPA with the Processor pursuant to Article 28 (2) and (4) of the GDPR;
g. At the request of the Controller make all information necessary to document that the Controller and the Processor fulfil Article 28 of the GDPR available. The Processor shall enable the Controller to perform audits and inspections, either by the Controller or by a third party designated by the Controller;
h. Keep a record (log) of the processing activities carried out on behalf of the Controller, which shall at least contain the information required pursuant to Article 30 of the GDPR. The Controller can request a copy of such record at any time;
j. Immediately notify the Controller if the Processor receives a request from an authority to disclose personal data processed under this DPA. The Processor is not obliged to notify if the law prohibits such notification. Unless required by law, the Processor shall not comply with such a request without prior written approval from the Controller;
k. Assist the Controller in responding to requests from the data subjects pursuant to Chapter III of the GDPR (including the right to information, access, correction and erasure); and
l. Assist the Controller in fulfilling their duties pursuant to Article 32-36 of the GDPR.
The scope of the Processor’s duty to provide assistance to the Controller under j) and k) shall take the nature of the processing and the information available to the Processor into account.
The Controller is responsible for ensuring that the processing of personal data complies with the requirements set out in Norwegian data protection legislation and the GDPR, hereunder ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.
The Controller has the right and obligation to determine the purpose and means of processing.
The Controller shall provide the Processor with documented instructions on how the personal data should be processed.
In the event of a personal data breach, the Processor shall notify the Controller without undue delay. The notification shall at least describe:
If the Processor is unable to provide all the information above in the first notice, the information shall be provided without undue delay and no later than 72 hours after the occurrence of the personal data breach. The Controller shall ensure that an incident report is sent to the relevant Data Protection Authority in accordance with Article 33 of the GDPR.
The Processor may use the following sub-processor(s):
In addition, to the sub-processors named above, the Controller hereby grants a general authorisation for the Processor to use sub-processors. The Processor shall inform the Controller before replacing existing sub-processors or adding new sub-processors, and the Controller shall have the right to object to such changes. The Controller may not reject a new sub-processor without a legitimate reason.
A well-founded suspicion that the level of data protection could be degraded as a result of the change of sub-processor, shall be regarded as a legitimate reason.
If the sub-processor does not fulfil its data protection obligations, the Processor shall remain fully liable to the Controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Article 79 and 82.
Each party shall cover their own costs related to audits. In the event an audit reveals a material deviation from the obligations of this DPA, all costs including the Controller’s and external auditors’ reasonable costs shall be covered by the Processor.
Each party is responsible for covering administrative fines and other sanctions imposed as a result of breaches of the data protection legislation. If a party has been held liable for damages under Article 82 of the GDPR for a matter for which the other party is responsible, the party responsible shall cover the damages.
This DPA shall remain in force for as long as the Processor processes personal data on behalf of the Controller pursuant to the Purchase Agreement.
In the event of a breach of this DPA or data protection legislation, the Controller may instruct the Processor to stop further processing of the data with immediate effect.
This DPA may be terminated in accordance with the Purchase Agreement between the parties. If the Purchase Agreement between the parties is terminated, this DPA shall automatically be terminated.
The Controller may terminate this DPA for cause if the Processor does not fulfil its obligations according to this DPA or the GDPR.
Upon termination of this DPA, the Processor is obligated to return all personal data received on behalf of the Controller.
The Controller may require that the Processor deletes or destroys all personal data processed under this DPA. The Controller may ask the Processor to confirm in writing that the deletion is completed. The deletion shall be carried out no later than 60 days after the DPA is terminated.
Should the Controller not request return or deletion in accordance with the previous paragraph, the Processor shall nevertheless delete personal data received on behalf of the Controller no later than 60 days after the termination of this DPA, unless the Processor has another legal basis for storing the data, such as having a legal obligation to do so.
Backup copies that contain personal data will be deleted in accordance with the Processor’s routines for deletion of backups. If the Controller requires the backup copies to be deleted outside the regular routines, the Processor will do this as a paid service, with remuneration based on the Processor’s hourly rates.
The law and legal venue are pursuant to the Purchase Agreement.