This Data Processing Agreement (“DPA”) is an addendum to the legal Agreement entered into by and between O1 Development Group AB (”Buzz”) and the Customer for the Customer’s use of the Services.
For the purposes of the DPA the following definitions apply;
“Customer Personal Data” means all Personal Data that Buzz processes on behalf of the Customer. For purposes of this Agreement, Customer Personal Data does not include personal information of employees or other representatives of Customer with whom Buzz has a direct business relationship.
“Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, the “GDPR”) (ii) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union), and (iii) the Norwegian legislation implementing the GDPR.
“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
“New Sub-Processor” means any Sub-Processors engaged by Buzz after the effective date of the Agreement.
“SCC” means the European Commission’s standard contractual clauses for data transfers between EU and non-EU countries.
“SCC” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
“Sub-Processor” means any third party authorized by Buzz or its Affiliates to Process any Customer Personal Data.
“Data Subject“, “Controller“, “Personal Data“, “Personal Data Breach” “Processor” “Supervisory Authority” shall have the meaning provided to such term pursuant to Data Protection Law.
All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
The parties acknowledge and agree that with regards to the processing of Customer Personal Data, Customer is the controller and Buzz is a processor acting on behalf of Customer as further described in Annex A (Details of Data Processing).
Buzz shall process Customer Personal Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”).
The Customer shall (i) comply with its obligations under applicable laws, including Data Protection Laws, in respect of its processing of Customer Personal Data and any processing instructions issued to Buzz; (ii) provide all notices and contain all constants and rights necessary under Data Protection Laws for Buzz to process Customer Personal Data for the purposes described in the Agreement and this DPA does not relieve the Customer’s obligations under Data Protection Law.
Customers will not provide (or cause to be provided) any Sensitive Data to Buzz for processing under the Agreement, and Buzz will have no liability for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.