Data Processing Terms

The following Data Processing Terms shall apply to the processing of personal data by Airthings ASA (“Processor”) and the customer of Airthings (“Controller”) for the processing of personal data where the customer is regarded as the Data Controller and Airthings is regarded as the Data Processor, unless and to the extent Airthings and the customer explicitly agree otherwise in writing.

The Data Processing Terms shall apply to all processing of Personal Data, as defined below, carried out by Data Processor for the Data Controller on the basis of any agreement entered into by the aforesaid with regard to providing products and services by Airthings (the “Agreement”), and outline the general conditions for the processing of Personal Data which the Data Processor carries out on behalf of the Data Controller. The Agreement shall apply in addition to these Data Processing Terms.

The nature and purpose of the processing of personal data, the duration of the processing of personal data, the subject matter of the processing of personal data, the types of personal data to be processed, the categories of data subjects to whom the personal data relates and other obligations and rights of the Controller are included at the end of these Data Processing Terms.

These Data Processing Terms shall provide for the processing of personal data in accordance with the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The Processor shall process the personal data only in the way described in the Agreement, as agreed in writing with the Controller, or as instructed by the Controller. Terms and definitions used in these Data Processing Terms shall be construed in the same way as in the General Data Protection Regulation.

1. THE CONTROLLER’S RIGHTS AND THE PROCESSOR’S DUTIES

The Processor confirms that it will implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject, including compliance with the requirements in Article 32 of the General Data Protection Regulation. The Processor shall only process the personal data under the instructions given by the Controller. The Processor shall be able to document such instructions if requested. The Processor shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Controller.

The Processor shall, considering the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the General Data Protection Regulation. In addition, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation taking into account the nature of processing and the information available to the Processor. If there is an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42, which the Processor has undertaken to comply with, the Processor shall comply with such code of conduct or certification mechanism at any time during the term of these Data Processing Terms.

The Processor shall maintain a record of processing activities (log) which the Processor performs for the Controller. The record shall contain at a minimum the information required under Article 30 no. 2 of the General Data Protection Regulation.

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this Section 2 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, which is reasonable and necessary under the legal obligations. The Controller is however solely responsible for the contact and communication with the supervisory authorities, such as Datatilsynet in Norway.

The Processor has a duty of confidentiality regarding the personal data and other information the Processor receives as part of the Agreement and the processing of personal data and shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality shall survive any termination of the Agreement.

The Processor shall not transfer or give access to the personal data or information which the Processor processes or handles on behalf of the Controller to a third party without the explicit instruction from the Controller. Any requests regarding the personal data or the processing from third parties or the data subject shall be forwarded to the Controller without undue delay if not otherwise agreed in these Data Processing Terms or by instruction by the Controller.

If the Processor is of the opinion that an instruction by the Controller infringes the Personal Data Regulation, the Processor shall immediately inform the Controller.

2. USE OF SUBCONTRACTOR/SUB-PROCESSOR

The Controller has given the Processor a general written authorisation for the use of sub-processors for processing personal data under the Agreement. In case of any intended changes concerning the addition or replacement of sub-processors, the Processor shall inform the Controller, thereby giving the Controller the opportunity to object to such changes.

The Processor shall engage only suppliers for the processing of the personal data (sub-processor) which have confirmed that they undertake to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject.

Any sub-processor shall be subject to the same obligations as the Processor, as set forth in the Agreement, under a written, binding agreement in which, in particular, the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Personal Data Regulation. Where that sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

3. SECURITY OF PROCESSING AND NOTIFICATION OF BREACH

The Processor shall comply with the security requirements given in the Personal Data Regulation. The Processor shall provide documentation of technical and organisational measures implemented to ensure the security of the personal data upon the request of the Controller.

In case of a personal data breach, the Processor shall without undue delay notify the Controller. Such notification shall at least:

  1. describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If not all information above may be given in the first notice, the information shall be provided as soon as possible.

The Controller is responsible for notifying the supervisory authorities, such as Datatilsynet in Norway, and the Processor is not to contact or notify the supervisory authorities without the explicit instruction by the Controller.

4. TRANSFER TO THIRD COUNTRIES

Personal data shall only be transferred to third countries, i.e. countries outside EU/EEA which ensure an adequate level of protection, upon explicit agreement or instructions by the Controller if no legal basis for transfer exists. The Processor shall not transfer or give access to the personal data to persons in third countries under the EC Model Clauses or the US-EC Privacy Shield. The Controller grants the Processor authority to enter into EC Model Clauses on behalf of the Controller. For transfer to or access from third countries for personal data it is required that the appropriate safeguards, including with regard to the rights of data subjects, are complied with.

5. TERM. INSTRUCTION TO STOP THE PROCESSING. EFFECT ON TERMINATION

These Data Processing Terms shall be effective and stay in force as long as the Processor (and its permitted sub-processors) processes personal data on behalf of the Controller in the context of the Agreement.

Upon breach of these Data Processing Terms, of instructions given by the Controller or of the Personal Data Regulation, the Controller may instruct the Processor to stop the processing of the personal data with immediate effect.

Upon termination of these Data Processing Terms, regardless of the reason, the Processor (and its permitted sub-processors) shall delete or return any or all personal data to the Controller, subject to the Controller’s instructions, in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of such data and delete all copies of those personal data.

The Controller shall receive a written confirmation from the Processor that all personal data has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, print out or any other representation of such data on any medium.

6. OTHER DUTIES AND RIGHTS

Other duties and rights between the parties may be subject to the Agreement or other agreements between the Controller and the Processor, including any limitation of liability.
If the Agreement is transferred, these Data Processing Terms shall be transferred accordingly.

A. THE NATURE AND PURPOSE OF THE PROCESSING OF PERSONAL DATA

The processing purpose is based on the legitimate commercial interest in delivering and improving your user experience. Data regarding location, time and sensor data is processed based on the legitimate commercial interest in providing service to you around displaying and giving insights about air quality.

B. THE DURATION OF THE PROCESSING OF PERSONAL DATA

The personal data shall be processed as long as the services are provided under the Agreement.

C. THE TYPES OF PERSONAL DATA TO BE PROCESSED

The personal data to be processed are contact information for users, logging of user activity, sensor information, such as air quality and sensor data on location (via user or app), time, sensor data, device identification, device name and details about air quality where the device is located.

D. THE CATEGORIES OF DATA SUBJECTS TO WHOM THE PERSONAL DATA RELATES

The personal data processed concerns the following categories of data subjects/End-Users (means the individuals whose personal data is being processed under the Agreement).

E. THE OBLIGATIONS AND RIGHTS OF THE CONTROLLER

The obligations and rights of the Controller are set out in the Agreement and these Data Protection Terms.

F. SUB-PROCESSORS

The following sub-processors are preapproved:

  • Amazon. Data about you is processed by Amazon to provide customer support, handling of user account and handling the name, location and sensor data of devices.
  • Intercom. Data about you is processed by Intercom to provide customer support.
  • Cosignor. Data about you is processed by Cosignor to ship packages to the customer’s address.
  • Ecombix. Data is processed by Ecombix to process customers’ orders in the web shop.
  • Slack. Data about you is processed by Slack to gather web application feedback.
  • Hubspot. Data is processed by Hubspot to provide customers and others with our newsletter.
  • Post Affiliate Pro. Data is processed by Quality unit to process orders in our web shop.

___________________________
Airthings Data Processing Terms, September 2018