The safe handling of your personal data is of high priority here at NordicScreen. That is why we practice a high safety standard in everything from the technical design of our solutions to our choice of subcontractors and training of our employees. We do this to assure you as a customer that we will handle your data in a proper and safe way, with great respect for your privacy. On this site, you will find an example of the NordicScreen DPA, along with the option of requesting your own signed DPA.
At NordicScreen we offer a standard DPA to all customers.
Reach out to us if you want your own signed copy of our DPA.
An updated list of the NordicScreen subcontractors, which we use in connection with the services we provide, is available on our NordicScreen Subcontractor site.
NordicScreen provides a standard DPA to all our customers related to the services we provide. The DPA is available in the following languages:
– English (Primary)
Request your own by reaching out to our Support at [email protected]
All updates about legal information, changes in subcontractors, and general terms are sent through your Legal Newsletter. Subscribe to the newsletter and be sure to get an email when there are updates.
In the following, you can read an example of our DPA. If you wish to request your own DPA, please contact our support team.
2. THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
3. THE DATA PROCESSOR ACTS ACCORDING TO INSTRUCTIONS
5. SECURITY OF PROCESSING
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6. USE OF SUB-PROCESSORS
7. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
8. ASSISTANCE TO THE DATA CONTROLLER
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
9. NOTIFICATION OF PERSONAL DATA BREACH
10. ERASURE AND RETURN OF DATA
11. AUDIT AND INSPECTION
12. THE PARTIES’ AGREEMENT ON OTHER TERMS
13. COMMENCEMENT AND TERMINATION
14. DATA CONTROLLER AND DATA PROCESSOR CONTACTS/CONTACT POINTS
The purpose of the data processor’s processing of personal data
The purpose of the data processor’s processing of personal information is to ensure the data controller’s access to the product(s) selected, see selected licenses, and to provide the data controller with support for the use of the solution.
Processing on behalf of the data controller shall mainly pertain to:
Storage of personal data used for the data controller to access the system(s); storage of personal information that the data controller uploads to the systems, including information about meetings, events, etc. as well as storage of personal data in connection with the data processor providing the data controller with support for the system.
Categories of data subject
Employees of the data controller who are granted access to the products by the data controller.
Persons who appear from the information uploaded to the system by the data controller, e.g. the data controller’s customers.
A.1. The processing includes the following types of personal data about data subjects:
☒ Non-sensitive categories of personal data
Name, password, telephone number, mobile number, e-mail address, IP address, position, language, type of user in accordance with the data controller’s choice.
In addition, any personal data that the customer chooses to upload in connection with the use of the systems are processed, including information about meetings, events and information from the customer’s calendar system when using Q-Cal.
Special categories of personal data (tick the boxes)
☐ Racial or ethnic origin
☐ Political opinions
☐ Religious beliefs
☐ Philosophical beliefs
☐ Trade union membership
☐ Health data
☐ Sex life or sexual orientation
☐ Genetic or biometric data for the purpose of identification
☐ Criminal convictions and offenses
A.2. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
The processing takes place until the end of the month in which the customer relationship ends + 30 calendar days.
In connection with support for the system, the written documentation regarding the support case is stored for 2 years, in order to ensure traceability and documentation.
APPENDIX B AUTHORISED SUB-PROCESSORS
B.1. Approved sub-processors
On commencement of the Clauses, the data controller authorises the engagement of the sub-processors that appeared on NordicScreen’s website at the time.
An updated list of sub-processors used can be found at any time on NordicScreen’s website.
The data controller shall on the commencement of the Clauses authorise the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or have another sub-processor perform the described processing.
APPENDIX C – INSTRUCTION PERTAINING TO THE USE OF PERSONAL DATA
C.1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following:
The data controller creates an account in which the data controller’s administrator can create users who have permission to access the customer’s account. NordicScreen only accesses the information that the customer uploads to a system if the customer requests support and such access is necessary to provide such support, or if special operational conditions make it necessary, e.g. when handling threats.
C.2. Security of processing
The level of security shall take into account:
As only personal data of a non-sensitive nature are processed (Article 6), and at the same time, it has been assessed that the impact on the rights and freedoms of the data subject is low, it has been assessed that it is sufficient to establish a low level of security.
Subsequently, the data processor is entitled and obliged to make decisions about which technical and organizational security measures must be implemented to establish the necessary (and agreed) level of security.
However, in any case and as a minimum, the data processor must implement the following measures:
All communication on public networks must be encrypted.
Where possible, access to the system is done with a 2-factor login and may only be done using a personal username and password.
Any access and access attempts must be logged.
All servers must be backed up.
Through internal policies and internal supervision, NordicScreen ensures that all employees are aware of the security requirements that must be followed in order to achieve adequate processing security, including requirements that
· Personal data in print may not be brought along in connection with working from home
· Personal data may not be accessed in non-secure areas, including in public spaces
NordicScreen also ensures that employees can only access the system if they are authorized to do so and that the systems are accessed solely as part of the performance of the work.
NordicScreen follows internal policies and procedures for the secure storage of the information. The security level is continuously evaluated and audited internally at least once every year.
NordicScreen has locked rooms where key cards and code locks are required to gain access.
C.3. Assistance to the data controller
The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:
At the data controller’s specific request and considering the nature of the processing, the data processor assists the data controller in fulfilling the data controller’s obligations regarding the exercise of the data subjects’ rights as set out in the personal data legislation.
Requests made by data subjects to exercise their rights must be passed on without undue delay to the data controller.
At the specific request of the data controller, considering the nature of the processing and considering what information is available to the data processor, the data processor assists the data controller in complying with its obligations, see Articles 32-36 of the General Data Protection Regulation:
· Processing safety
· Personal data breaches, including notification to data subjects
· Impact analysis
· Prior enquiries with supervisory authorities
C.4. Storage period/erasure procedures
Personal data is stored until the end of the month in which the license agreement expires + 30 days. After that, the information will be deleted.
Information included in any support cases is stored for 2 years after the support case is closed. After this, the information is deleted.
C.5. Processing location
Processing of the personal data under the Clauses cannot be performed at other locations than the following without the data controller’s prior written authorisation:
8920 Randers NV
Reference is made to the locations that appear from the list of sub-processors attached as Appendix B.
C.6. Instruction on the transfer of personal data to third countries
The data processor may transfer personal data to third countries in connection with the use of the approved sub-processors.
Transfer to third countries may potentially take place using sub-processors based in a third country, but where the personal data is stored in the EU.
Transfer to third countries will take place directly using individual sub-processors.
C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
Once a year, the data processor prepares a report to the data controller, documenting that the agreed level of security has been maintained and that these provisions have been complied with. The report will be published on https://nordicscreen.com/.
If the data controller should wish to receive an auditor’s statement or to carry out a physical inspection of the data processor, this is to be done at the data controller’s expense.