DATA PROCESSING TERMS

1. SUBJECT MATTER

1.1

These terms on the Processing of Personal Data (“Terms”) apply to all processing of personal data by Defend Iceland ehf., company number 520623-1910, Kalkofnsvegi 2, 101 Reykjavik (“Processor” or “Defend Iceland”) where Defend Iceland acts as a data processor when providing customer (“Controller”) service.

1.2

All reference to the “Data Protection Act” shall in these Terms mean the Act on Data Protection and the Processing of Personal Data No. 90/2018 and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016, on the protection of natural persons regarding the processing of personal data on the free movement of such data, which entered into force on 25 May 2018 (“GDPR”).

1.3

The terms “controller”, “personal data”, “data subject”, “processing”, “processor” and “personal data breach” shall have the meaning ascribed to them in the Data Protection Act.

1.4

Defend Iceland ́s services do not entail any processing (access, transfer, or storage) by Defend Iceland of personal data in customer ́s possession. In the context of such services, these Terms apply to the extent any incidental processing of such data takes place while performing the Services and/or if any processing has been specifically agreed between the parties.

1.5

Any references to these Terms in a service agreement entered into between the parties, or in an offer made by Defend Iceland which is accepted by the Controller, as applicable, shall include acceptance of the Terms.

2. PARTIES` OBLIGATIONS

2.1

The Controller is fully responsible for fulfilling its legal obligation under the Data Protection Act, including providing adequate information to data subjects and making sure that all processing is lawful. The Controller shall also ensure that it is authorized to entrust the Processor with the processing of personal data and the Controller is solely responsible for the processing instructions provided to the Processor.

2.2

The Processor shall only process personal data to the extent necessary to provide the Controller the specified Services and in accordance with the Controller`s written instructions. The Processor shall not process the personal data for any other purpose or in a way that does not comply with these Terms or the Data Protection Act. The Processor must promptly notify the Controller if, in its opinion, the Controller`s instructions do not comply with the Data Protection Act and in such events the Processor is not obliged to follow the Controller`s instructions.

2.3

The Processor shall maintain the confidentiality of all personal data and it shall not disclose personal data to third parties unless in accordance with these Terms, where such authorization is provided for in an agreement between the parties, the Controller provides special permission for dissemination of information, or the Processor is legally obliged to do so.

2.4

The Processor will ensure that its employees:

1. are informed of the confidential nature of the personal data processed and that they are contractually bound by an obligation of confidentiality,
2. are aware of their confidentiality obligations imposed by legislation, including the Act on Financial Undertakings, as applicable,
3. have undertaken training on the Data Protection Act relating to the processing of personal data;
4. are aware of the Processor`s obligations under the Data Protection Act and these Terms.

3. SECURITY OF PERSONAL DATA

3.1

The Processor shall implement appropriate technical and organizational measures, appropriate to the risk, to ensure level of security and to minimize the risk of unlawful or unauthorized processing of personal data. The measures shall seek to, as appropriate:

1. ensure ongoing confidentiality, contiguity, and availability of personal data,
2. ensure a process for testing and evaluating the effectiveness of measures safeguarding the processing, and
3. ensure that adequate security measures are taken, having regards to the nature of the personal data processed, e.g. in terms of access control, the use of pseudo-identity and encryption.

3.2

In the event a Controller deems it necessary to implement extra security measures, in addition to the measures the Processor has implemented in relation to specific services, the parties shall enter into specific agreement in relation to such additional service.

4. PERSONAL DATA BREACH

4.1

The Processor shall, without undue delay, notify the Controller after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed (“Personal Data Breach”).

4.2

The Processor`s notification shall include all information referred to in Article 33(3) of the GDPR.

4.3

The parties agree that the Controller is solely responsible for and has the sole right to determine:

1. whether to provide notice of the Personal Data Breach to any data subjects, supervisory authorities, or others; and
2. how such notices shall be sent.

5. SUBPROCESSORS

5.1

If the Processor appoints a third-party subcontractor to provide the services, or parts of it, and that requires the subcontractor`s processing of personal data, the subcontractor shall be considered as Sub Processor in the meaning of the Data Protection Act.

5.2

The Processor may only authorize a Sub-Processor to process personal data if the Processor has entered into a written agreement with the Sub-Processor that contains terms substantially the same as those set out in these Terms in relation to the security of personal data.

5.3

Where the Sub-Processor fails to fulfill its obligations under such a written agreement, the Processor remains fully liable to the Controller.

5.4

If the Processor appoints a new Sub-Processor, it shall inform the Controller thereof and provide the Controller 14 days to object to such an appointment.

6. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

6.1

The Processor must not transfer personal data outside the European Economic Area (“EEA”) without the Controller ́s consent.

7. DATA SUBJECT REQUESTS

7.1

The Processor shall assist the Controller, to the extent reasonable taking into consideration the nature of the processing, in responding to data subject requests. All work carried out by the Processor in relation to such assistance shall be subject to the parties` Software Agreement and/or the Processor`s price list at any given time.

7.2

The responsibility for responding to requests from data subjects shall always remain with the Controller.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

8.1

Upon prior written request of the Controller, the Processor shall assist the Controller to carry out data protection impact assessment (DPIA) and in conducting prior consultation with the Icelandic Data Protection Authority. Such assistance shall however always take into account the nature of processing and the information available to the Processor.

8.2

All assistance with DPIA or prior consultation shall be subject to service fees in accordance with the Processor`s price list at any given time.

9. COMPLIANCE AND AUDIT

9.1

The Processor shall make all information available to the Controller that are necessary to demonstrate compliance with these Terms, and to the extent possible taking into consideration the nature of the service, allow for and contribute to audits by the Controller, or an auditor mandated by the Controller, for the purpose of verifying the Processor`s compliance with these Terms. The audits shall only relate to the services carried out by the Processor on behalf of the Controller and the scope of the audits shall take into account the Processor`s obligations, such as in relation to security. Auditors and scope of audits are thus subject to the Processor`s consent.

9.2

The Processor shall furthermore, in accordance with legal obligations thereof, ensure regulators` access to the personal data processed by the Processor on behalf of Controllers which are classified as regulated entities.

9.3

All assistance in relation to audits shall be subject to service fees in accordance with the Processor`s price list at any given time.

10. DURATION, DATA RETURN AND DELETION

10.1

These Terms shall remain in full force and effect as long as

1. The parties` Software Agreement remains in effect, or
2. The Processor provides the Controller with one or more services.

10.2

Upon termination of service, the Processor shall, at the choice of the Controller, delete or return all personal and client data to the Controller and delete existing copies. If the return of data calls for substantive work on behalf of the Processor, such work shall be subject to service fee in accordance with the Processor`s price list at any given time.

10.3

The Processor shall ensure data on security weaknesses and proofs thereof will not cause damage for the Customer, e.g. security and data breaches.

11. NOTIFICATIONS TO THE CONTROLLER

11.1

Notifications to the Controller based on these Terms shall be sent to the Controller`s registered contact person. The Controller is responsible for providing the Processor with contact details of such a person. If contact persons are listed in the parties` Software Agreement, a notification shall be sent to that contact person, unless parties have agreed otherwise.

11.2

The Controller is responsible for providing the Processor with updated contact details.

11.3

The Processor can also publish all notifications, subject to these Terms, on its websites, on the condition that the Controller`s contact persons shall be informed of such notifications and have the opportunity to register for such notifications.

12. MISCELLANEOUS

12.1

The parties` Software Agreement and Defend Iceland`s General Terms shall, in addition to these Terms, apply to the Processor`s processing of personal data on behalf of the Controller, including provisions regarding limitation of liability. In the event of any inconsistency between the provisions of these Terms and the provisions of Defend Iceland`s General Terms or the parties` Software Agreement, the provisions of these Terms shall prevail.

12.2

These Terms are governed by the laws of Iceland. Any disputes arising from or in connection with these Terms shall be brought exclusively before the District Court of Reykjavík.

12.3

The Processor reserves the right to amend these Terms in accordance with changes in relevant law or regulations or due to changes in how personal data is processed. The Processor shall inform the Controller of any changes made to these Terms. If changes, made to these Terms, materially affect the rights and obligations of the Controller, such changes shall not take effect until after a predetermined time, and if the Controller does not accept such changes after a notification is sent to the Controller, the Controller shall have the right to terminate the appropriate service.