DATA PROCESSING AGREEMENT

In connection with the use of Future Driver digital damage reports, time registration, digital workshop booking and other services from Delta Media AS.

Between

Delta Media AS
Organization number
916747330
Bergensveien 47
C0963 OSLO
(hereinafter "Data Processor")

and

Customer of Delta Media AS(hereinafter “Processing controller”)

Conclusion of the agreement

Purpose of the agreement

The data processing agreement must ensure that personal data is processed in accordance with requirements from, among other things, EU directive 95/46/EC of 24 October 1995 implemented in Norway by Act of 14 April 2000 no. 31 on the processing of personal data (the Personal Data Act) with associated regulations, as well as the requirements of the European Parliament and Council Regulation decided on 27 April 2016 (GDPR), and Norwegian law with associated regulations that are introduced as a result of the Personal Data Protection Regulation and replace the Personal Data Act. The Data Processor must process the personal data in the manner described in the Data Processor Agreement, as well as in another way if this has been agreed in writing between the Data Processor and the Controller. Terms and definitions used in the Data Processing Agreement shall be understood in the same way as in the Personal Data Act. The parties agree that if laws or guidelines from the supervisory authorities change significantly, the terms of this data processing agreement must be revised so that they reflect, as far as possible, the parties' original principles when implementing this data processing agreement. This data processor agreement replaces previously concluded agreements regarding the processing of personal data.

Scope of data processing

The purpose of the processing of personal data is to fulfill the agreement on the purchase of services entered into between the Controller and the Data Processor, including the collection, registration, compilation, storage, disclosure of personal data or combinations thereof. The main category of data subjects are employees of the Data Controller, or the Data Controller himself if purchases are made on a private basis. The processing will be limited to the processing that is necessary to deliver and further develop the service electronic damage registration, check-in and check-out reports and time registration with naturally associated functions (system). The data processor collects and uses personal data on behalf of the Data Controller in connection with the use of vehicles and other means of transport. This includes, among other things, the following information: Name, address, telephone, e-mail, registration number, current and historical position of vehicles on which the service is used, basis for reporting regarding fleet management and streamlining operations. The data processor stores and processes information about the vehicle's and trailer's historical movements and reported data with the aim of ensuring good and efficient operational planning in real time as well as ensuring efficient operation of the Data Controller's organisation. The system that the Data Processor delivers is made available to the Data Controller via a password-protected internet-based access. It is the Data Processor who administers the system, and who, on behalf of the Controller, controls who has access to the system from the Controller's side. The data processor regulates the degree of access based on settings made by the data controller.

Data processor's duties

The data processor confirms that it will implement suitable technical and organizational measures that ensure that all processing under this Data Processor Agreement meets the requirements of the Personal Data Act and the protection of the data subject's rights, including meeting all the requirements according to Article 32 of the Personal Data Protection Regulation. The Data Controller shall at all times have full legal authority over the personal data . The Controller's instructions for how personal data are to be processed are considered to have been given through the provisions of this agreement and applicable rules. Delta Media AS must ensure the necessary system security, and ensure that no one gains unauthorized access to the system. Data is stored in accordance with the regulations in force at all times on secure servers in a professional server park. Disclosure of information from the system is regulated by Delta Media's customer terms and conditions. With the exception of users of vehicles/trailers and data controllers themselves, Delta Media AS will not hand over data to anyone other than the police, against a valid court order. Employees of Delta Media AS have a general duty of confidentiality and are bound by a confidentiality agreement. Only employees who work with system operation and customer-oriented activities such as customer support have access to be able to see personal data. The data processor must ensure that only authorized persons have access to the information, and that the data processor revokes access if the authorization expires or for other reasons no longer applies to the person. The data processor must only authorize persons who, for necessary reasons, must have access to the personal data. Information in the system is not used for purposes other than fulfilling the agreement made with the Data Controller, as well as as a basis for invoicing. The data processor has a duty of confidentiality regarding documentation and personal data to which the person concerned has access in accordance with this agreement. This provision also applies after the termination of the agreement. The data processor assists the data controller (using suitable technical and organizational measures) to fulfill the obligation to respond to requests from data subjects regarding the exercise of their rights. The duty applies as far as possible, and the nature of the treatment must be taken into account.

Use of subcontractors

The data processor must only use subcontractors for the processing of personal data (subprocessor) who have confirmed that they have implemented suitable technical and organizational measures that ensure that all processing under this Data Processor Agreement meets the requirements of the Personal Data Act and the protection of the data subject's rights. The data controller gives general permission for the use of sub-data processors given these conditions. The sub-data processor must be made aware of the Data Processor's obligations under this Data Processor Agreement and the regulations governing the processing of the Controller's personal data, and must be subject to the same obligations with regard to the protection of personal data as stipulated in the Data Processor Agreement in a binding agreement where the sub-data processor must be given sufficient guarantees that it will technical and organizational measures are implemented to ensure that the processing meets legal requirements. If the sub-processor does not fulfill its obligations with regard to the protection of personal data and the requirements of the Data Processor Agreement, the Data Processor shall have full responsibility towards the Controller for the sub-processor fulfilling its obligations.

Anonymised data with subcontractors

All subcontractors have entered into data processing agreements with us and operate in accordance with the rules of the GDPR and otherwise. When we pay other companies to contribute to our value chain - for example for processing GPS data - the basic principle is that we ensure that data cannot be linked to companies, vehicles or people. This is called anonymization. Thus, it will not be possible for even our closest suppliers to connect registered GPS data to customers in the event that they experience a breach in their systems. At the same time, we are a cloud service and are dependent on letting our web solution itself be operated in a so-called hosting environment. Here we have chosen Amazon Web Services, which is the world's leading supplier in the area and which has a comprehensive data processing agreement in place for customers. We entered into this long before the GDPR came into force and it forms a central part of the framework for privacy in Delta Media AS. You can find more information about AWS and their GDPR policy here: https://aws.amazon.com/compliance/gdpr-center/

Safety and deviation

The data processor must fulfill the requirements for security measures set out in the Personal Data Act with regulations. The data processor must be able to document routines and other measures to fulfill these requirements. The documentation is available at the Data Controller's request.
In the event of a security or privacy breach, the Data Processor must notify the Data Controller without undue delay. Notification of infringement must contain at least:
1. Description of the nature of the breach of personal data security, including, when possible, the categories of and approximate number of data subjects affected, and the categories of and approximate number of personal data records affected
2. The name and contact details of the privacy advisor or another contact point where more information can be obtained
3. Description of the likely consequences of the breach of personal data security
4. Description of the measures that the Controller has taken or proposes to take to deal with the breach of personal data security, including, if relevant, measures to reduce any harmful effects as a result of the breach.

The Data Controller is responsible for sending a notification of specific breaches relating to specific persons to the supervisory authority, and the Data Processor shall not send such a notification without the Data Controller having given instructions to this effect. Data processors can still report breaches to the supervisory authority on a general basis - without identification of affected persons.

Security audits

The data processor must regularly and after significant changes or deviations, carry out security audits of systems and other things that are relevant to the processing of personal data in accordance with this agreement. If necessary, the data controller can carry out audits himself or by using an auditor. This will then be notified to the data processor well in advance of the audit. The security audit must verify that the technical, physical and organizational security measures that have been decided to be established are actually complied with and function as intended, as well as identify possible improvements.

Special measures in connection with logging in

As part of the GDPR work, we have focused on carrying out a so-called DPIA - Data Protection Impact Assessment for data about the movements of our customers' vehicles and trailers. In our analysis, we have found that the consequences of breaches of data security linked to travel data are large enough that we must continue to maintain extraordinary measures on this front. In some conceivable cases, this will lead to customers being able to experience some frustration related to our requirements for identification if they contact e.g. from a previously unknown phone number or similar. Furthermore, the web solution, which already has strict password protection, is set up with two-factor identification for those who want it. This is precisely to take into account the range of what kind of consequences there may be if data goes astray in each individual case. We already have a built-in privacy function in the solution and support for different types of access for different users in the company. This helps our customers exercise control over the data internally.

Agreement duration

The agreement applies as long as the data processor processes personal data on behalf of the controller. In the event of a breach of this agreement or the Personal Data Act, the Controller may order the Data Processor to stop the further processing of the information with immediate effect Termination of this agreement follows the terms for termination of the agreement that governs the customer relationship between Delta Media AS and the Data Controller.

Upon termination

Upon termination of the agreement, the data controllers themselves must retrieve the necessary data for documentation prior to termination. This data is then stored with data controllers, who themselves assume total responsibility for data security. The data processor shall, at the Data Controller's choice, delete or return all personal data to the Data Controller after the services related to the processing have been delivered, and delete existing copies, unless there is a legal requirement that the personal data must continue to be stored. This also applies to any backup copies.

Choice of law and venue

Any disputes between the parties must be resolved through negotiations. The agreement is governed by Norwegian law and the parties accept the Oslo District Court as the venue for all disputes under this agreement. This also applies after termination of the agreement.

Effective date: January 15, 2022