Data Processing Agreement


1.1 As part of the parties' agreement governing delivery of Vipps Mobilepay business solutions (the "Merchant Agreement"), Vipps MobilePay AS (the "Processor") will process personal data on behalf of the Merchant (the "Controller").
1.2 The "Data Processing Agreement" regulates the processing of personal data performed under the Merchant Agreement, where the Merchant acts as "Controller" and Vipps Mobilepay acts as "Processor". It supersedes any prior agreements between the parties concerning the processing of personal data for the processes stated in section 1.3 and the Appendix(s).
1.3 The products to which this Data Processing Agreement applies:
• Customer Club ("Display of benefits on the Vipps Mobilepay App")



2.1 "Applicable Data Protection Law": The rules and regulations on the processing of personal data applicable at any given time, including local implementing legislation such as the Danish, Finnish or Norwegian Data Protection Act (with reference to the GDPR).
2.2 "GDPR": The EU General Data Protection Regulation 2016/679.
2.3 Other words or terms shall have the meaning as defined in the Applicable Data Protection Law. 



3.1 This Data Processing Agreement governs the processing of personal data on behalf of the Controller under the Merchant Agreement. 
3.2 The nature and purpose of the processing of personal data is to carry out the services under the Merchant Agreement.
3.3 The data subjects are the common customers of the Controller and Processor.
3.4 The categories of personal data processed under the Merchant Agreement, and further details, are described in the Appendix(s). An Appendix applies if the Merchant requests the product stated in that Appendix.



4.1 The Controller shall comply with the Applicable Data Protection Law. Inter alia, the Controller shall:
a) ensure that there is a basis for processing,
b) fulfil the rights of the data subjects (Chapter 3 of the GDPR),
c) when necessary, notify the relevant supervisory authority and the data subjects of any personal data breach (Articles 33 and 34 of the GDPR).



5.1 The Processor shall:
a) only process personal data in accordance with the agreed purpose(s),
b) only process personal data in accordance with the Controller's documented instructions, provided that any additional costs incurred by the Processor as a result of the instructions are covered,
c) upon request, assist, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests from the data subjects pursuant to Chapter 3 of the GDPR, and
d) ensure a secure process and assist the Controller in ensuring compliance with Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Processor.
5.2 Assistance as mentioned above will be provided at the hourly rates agreed between the parties or, if no such rates are agreed, at the Processor's hourly rates applicable at the time.



6.1 The Processor shall undertake appropriate technical and organisational data security measures for the purpose of achieving a level of security appropriate to the risk. However, the Processor does not guarantee that security breaches or other violations of personal data security cannot occur.
6.2 The Processor shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
6.2.1 Pseudonymisation and encryption of personal data;
6.2.2 the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
6.2.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6.3 The Processor may at any time modify its security measures, provided that the modifications do not impair data protection.
6.4 The Processor shall ensure that only relevant personnel have access to the personal data, and that such personnel are subject to a contractual or statutory obligation of confidentiality.



7.1 The Processor has general authorisation to engage other processors (sub-processors) to perform tasks under this Data Processing Agreement. This must be done by way of an agreement that imposes on the sub-processor obligations corresponding to those under this Data Processing Agreement and that provides sufficient guarantees that the applicable data protection law is complied with. The Processor remains fully liable to the Controller for the performance of the sub-processors' obligations, as if performed by the Processor itself.
7.2 Sub-processors at the time of entering into this Data Processing Agreement are listed in the Appendix. Upon request, the Controller may receive an overview of the sub-processors. The Controller may also require that the data processing agreements with the sub-processors be submitted (however, business information and other sensitive material may be concealed).
7.3 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby enabling the Controller to oppose such changes. If the Controller has not opposed such a change within 30 days, it is deemed accepted. If the Controller opposes the change within the deadline, and the Processor cannot reasonably proceed with the processing without implementing the change, the Controller is entitled to terminate the Merchant Agreement, including this Data Processing Agreement, with 30 days' notice.



8.1 The Processor may engage a processor (sub-processor) located in a third country, pursuant to section 7 of this agreement. In that case, the Controller accepts any subsequent international transfer(s) of personal data to such processor(s). The Processor shall notify the Controller of any plans to transfer personal data to a third country. If the Controller has not opposed such a transfer within 30 days of the notice, the transfer is deemed accepted.
8.2 If the Processor engages a sub-processor located in a third country, all necessary measures will be taken to ensure that appropriate safeguards are provided in line with Article 44 of the GDPR. The Processor will be liable for the performance of sub-processors in line with section 7.1 of this agreement.



9.1 In the event of a personal data breach, the Processor shall notify the Controller in writing. The notification shall contain information enabling the Controller to fulfil its obligations under Articles 33 and 34 of the GDPR.
9.2 The Controller must be notified without undue delay after the Processor becomes aware of the breach. If it is not possible for the Processor to provide all relevant information at that time, the information may be provided in stages without undue delay.



10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Data Processing Agreement and the Applicable Data Protection Law.
10.2 Upon request, the Controller shall be provided with any audit reports on data protection prepared by third parties on behalf of the Processor. The Controller shall be entitled to submit such audit reports to its external auditors and to supervisory authorities.
10.3 Upon request, the Controller, via an auditor or similar third party subject to confidentiality, is entitled to audit the Processor. The Controller shall notify the Processor at least 14 days in advance. Audits cannot be performed more than once every 12 months, unless required by the Applicable Data Protection Law. An audit shall be performed during regular business hours and without causing unnecessary interruptions to the Processor's operations.
10.4 The Processor's assistance during audits at the Controller's request shall be provided at the hourly rates agreed between the parties or, if no such rates are agreed, at the Processor's hourly rates applicable at the time, unless the audit uncovers significant discrepancies.
10.5 If an audit reveals deviations from the obligations set out in this Data Processing Agreement or the Applicable Data Protection Law, the Processor shall remedy such deviations in due course.
10.6 The Processor shall notify the Controller if a supervisory authority requires access to or information on the processing of personal data under this Data Processing Agreement, unless this is prohibited by law or statutory order.



11.1 The limitation of liability in the Merchant Agreement shall apply correspondingly under this Data Processing Agreement.



12.1 This Data Processing Agreement will remain in force as long as the Processor processes personal data on behalf of the Controller for the products stated in the Appendix(s), in line with the Merchant Agreement.
12.2 Upon expiry of the Data Processing Agreement, the Processor shall, at the choice of the Controller, either return all personal data and copies thereof to the Controller or delete all personal data and confirm to the Controller that this has been done, unless the Processor is prevented by law from doing so. In such case, the Processor shall ensure secure storage of the personal data but shall no longer actively process such data.
12.3 The Processor's assistance in returning or deleting data upon the Controller's request shall be provided at the hourly rates agreed between the parties or, if no such rates are agreed, at the Processor's hourly rates applicable at the time.
12.4 Termination of this Data Processing Agreement shall not prevent the Processor from continuing to process anonymised information for analytical, statistical and other purposes.


Appendix 1 - Customer Club

Appendix 2 - Marketing Consents