Sensa’s data processing agreement terms

These data processing agreement terms („Terms“) apply to the processing of personal data by Sensa ehf., kt. 480202-2520, Lyngháls 4, 110 Reykjavík, https://sensa.is („Sensa“), which is necessary in connection with any kind of service that Sensa may perform on behalf of the client.
The Terms constitute a data processing agreement between Sensa, as processor, and the client, as data controller, in the sense of Act No. 90/2018 on Data Protection and the Processing of Personal Data (the „Data Protection Act“), which implemented Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 („GDPR“).
In these Terms, Sensa is also referred to as the „Processor“ and the client as the „Controller“, and the parties collectively as the „Parties“.
1. Binding force of the Terms
In connection with Sensa’s services, Sensa may need to process personal data on behalf of the client.
A reference to these Terms in a service agreement, made between the contracting parties, shall constitute acceptance of the Terms and the same applies if the client starts using one or more of Sensa’s services where it is necessary for Sensa to process personal data on behalf of the client.
If the parties have entered into a special processing contract prior to the entry into force of these Terms, that agreement shall remain in force unless otherwise agreed.
2. Description of processing
In the description of Sensa’s specific processing of personal data, which is considered a part of these Terms, a specification is provided of what personal data Sensa processes on behalf of the client (the „personal data“), categories of data subjects (the „data subjects“), information on the use of sub-processors and the purpose of the processing. The part of the description of specific processing that specifies the services that the client purchases from Sensa at any given time applies to the contractual relationship between Sensa and the client.
It should be noted that the third parties from whom Sensa is reselling services or licences, as the case may be, may also act as processors in the sense of the Data Protection Act vis-à-vis the client as a controller, without Sensa acting as an intermediary. This may apply, for example, in cases where the customer is granted permission to use third-party software that also hosts the customer’s personal data. The Controller shall be responsible for ensuring that a data processing agreement is concluded with such third parties.
3. Processor’s obligations
a. Processing based on instructions from the Controller
The Processor shall only process personal data to the extent necessary to provide the Controller with the defined services and to comply with written instructions from the Controller.
The Processor shall inform the Controller if it considers that the Controller’s instructions are in conflict with data protection legislation.
b. Confidentiality and training of staff
The Processor shall ensure the confidentiality of the personal data that it receives, processes and/or has access to or obtains knowledge of from the Controller, as well as other information that the Processor may become aware of in the course of its work as a service provider for the Controller. The duty of confidentiality applies regardless of whether the information concerns employees, customers, clients or other individuals on behalf of the Controller.
The Processor shall ensure that all employees who are involved in providing services to the Controller and who are permitted to have access to and/or handle information from the Controller have signed a declaration of confidentiality with the Processor prior to being granted access. The aforementioned duty of confidentiality remains even if the employee resigns from their position with the Processor.
The Processor shall ensure that its employees have received adequate training and education on the obligations incumbent on the Processor in relation to the processing of personal data.
c. Access to information
The Processor shall not disclose or otherwise make the Controller’s personal data available to third parties, whether in writing or orally, without the unambiguous consent of the Controller, unless mandatory law stipulates otherwise.
d. Security of personal information
The Processor undertakes to implement appropriate and adequate technical and organisational security measures to ensure adequate security of the personal data and to protect it against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access. The measures shall take into account the latest technology, the cost of implementation, the scope, context and purpose of the processing, and the risk.
In order to ensure appropriate technical measures, the Processor shall, as appropriate:
- be able to ensure the ongoing confidentiality, continuity, availability and load capacity of processing systems and services,
- be able to restore the timely availability and access to personal data in the event of a material or technical incident;
- adopt a process for regularly testing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing, and
- use pseudonymization and information encryption, where applicable.
When assessing adequate security, particular consideration shall be given to the risk entailed by the processing, in particular with regard to the accidental or unlawful deletion of personal data transmitted, stored or otherwise processed, or their loss, alteration, disclosure or access to them without their consent.
The Processor shall maintain active internal control to ensure compliance with the company’s security measures, including through the execution of audits. For example, the Processor shall ensure that only those employees of the Processor who necessarily need access to personal data, including information systems that contain the Controller’s personal data, for their work with the Processor, have such access.
The Processor shall ensure that the company complies with the rules of the Data Protection Authority no. 299/2001 on the security of personal data and that its operations are certified on the basis of the ISO 27001 standard on information security.
In cases where the Controller deems it necessary to provide the Processor with further instructions on special security measures, the parties shall agree on this separately.
e. Transfers outside the European Economic Area
The Processor shall not be permitted to transfer Personal Data outside the European Economic Area („EEA“) except on the basis of the Controller’s instructions thereon or in cases where the Controller has consented to the use of sub-processors established outside the EEA.
f. Assistance in fulfilling obligations
The Processor shall assist the Controller in carrying out a data protection impact assessment if the Controller requests such assistance, in consultation with the Controller, as well as assist the Controller in ensuring that the obligations pursuant to Articles 32-36 of the GDPR are otherwise fulfilled.
The Processor shall assist the Controller, taking into account the nature of the processing and to the extent possible, in fulfilling its obligation to respond to requests from data subjects on the basis of the rights guaranteed to them by the Data Protection Act.
Should the Processor receive a request from a natural person related to the data subject’s rights according to the Data Protection Act, the Processor shall instruct the data subject to contact the Controller. Thus, the Processor shall not respond to requests from the data subjects without the consent of the Controller.
The Processor may charge a reasonable fee for assistance provided under this clause, in accordance with the Processor’s tariff at any given time.
g. Security breaches and reporting obligation
If the Processor becomes aware of a security breach in the processing of personal data on behalf of the Controller, it shall notify the Controller thereof without undue delay.
In such notification, the Processor shall, to the best of its ability and based on the information available at the time of notification, describe the nature of the security breach, including the categories and estimated number of data subjects affected by the breach, and the categories and estimated number of records of personal data concerned. The Processor shall also describe the likely consequences of the breach and the measures it has taken or intends to take as a result of the security breach. The notification to the Controller shall be accompanied by any documents and data necessary for the Controller to be able to report the security breach to the Data Protection Authority, should it deem this necessary, to the extent that such documents and data are available to the Processor.
4. Obligations of the Controller
The Controller shall ensure that it fulfils the legal obligations incumbent on it according to the Data Protection Act, including providing data subjects with adequate information and ensuring that authorisation forms the basis for the processing. The Controller shall also ensure that it has the authority to outsource processing to the Processor, and the Controller shall be responsible for the instructions it gives to the Processor.
5. Access to personal information
a. Controller
The Processor shall ensure that the Controller is able to monitor the Processor’s compliance with the provisions of these Terms and that it complies with its obligations under the Data Protection Act, e.g. by providing the Controller with adequate information and/or data when requested.
The Processor shall also give the Controller, or the third party appointed by the Controller on its behalf, the opportunity to carry out audits of the Processor’s processing of the personal data and provide appropriate assistance with such audits. The purpose of such audits is to ascertain that the Processor complies with its obligations under these Terms and obligations based on the Data Protection Act. Auditors shall be bound by confidentiality on the basis of a contract if the law does not stipulate the confidentiality obligations of the auditor.
Furthermore, the Controller’s compliance officer, the Controller’s external and internal auditor, the data protection officer and/or the Controller’s security manager shall be guaranteed access to all personal data of the Controller that the Processor processes on the basis of this agreement, where applicable and for the purpose of reviewing the performance of tasks carried out for the Controller.
The Processor shall be permitted to charge a fee for assistance provided on the basis of this provision in accordance with the Processor’s tariff at any given time.
b. Public regulators
The Processor must ensure that the personal data it processes on behalf of the Controller is accessible to public supervisory authorities for possible audits and/or monitoring activities of such entities. If a public supervisory body requests access to the Controller’s personal data on the basis of an unambiguous legal authority or a court decision, the Processor must notify the Controller thereof as soon as possible, preferably before access is granted, unless the Processor is not permitted to do so.
c. Other service providers
In cases where the Processor is reselling services and/or licences from a third party to the Controller, the third party may reserve the right to inspect the Processor’s systems for the purpose of ensuring that the Processor fulfils its obligations towards the relevant third party. In connection with such an inspection, the party in question may gain access to the Controller’s personal data (e.g. the name of the customer and users as well as IP addresses). The information is not processed for any other purpose than stated above, and the Processor shall ensure that the party in question undertakes the same confidentiality obligations as the Processor according to these Terms.
6. Submission or deletion of personal data
Unless otherwise required by law, a decision of a judge or other competent authority on the basis of law, the Processor shall hand over or delete the personal data, including any copies thereof, if written instructions to that effect are received from the Controller, but no later than upon termination of this processing agreement, cf. clause 8. The above applies to information in any form, whether it is on paper, in electronic form or any medium related to the Processor’s services to the Controller. The Processor must confirm the submission of data or secure disposal in writing to the Controller’s contact person upon request. Secure disposal may include, for example, services provided by a certified data destruction provider (e.g. AAA-certified).
7. Using sub-processors
The Processor is not permitted to entrust sub-processors with the execution, in whole or in part, of the processing that the Processor carries out for the Controller on the basis of these Terms without the permission of the Controller.
Where a sub-processor is specified in Sensa’s service description, such appointment shall be deemed approved by the Controller. If it is necessary to add a new sub-processor in connection with individual services, or to replace a sub-processor, the Processor shall notify the Controller of this and give the Controller at least 14 days to object. If no objection is received within this time, the Controller shall be deemed to have approved the use of the sub-processor in question. If the Controller objects to the Processor’s use of sub-processors and the Processor cannot take other measures, the Controller shall be permitted to terminate the service in question.
If the Controller approves the use of a sub-processor, the Processor shall ensure that the same obligations rest on the sub-processor as rest on the Processor according to these Terms, and in such cases the Processor shall be responsible towards the Controller for all processing by the sub-processor.
8. Term and termination
The Terms shall apply in the contractual relationship between the parties as long as the Processor processes personal data on behalf of the Controller.
The Controller shall be authorised to terminate the contractual relationship between the parties on the basis of these Terms without notice, by notifying the Processor thereof, in the event of special circumstances that lead to an official supervisory body or the Controller requesting that the processing carried out by the Processor on behalf of the Controller be terminated immediately, such as in the event of a significant security breach for which the Processor is responsible, or where the Processor violates these Terms repeatedly or significantly.
9. Notifications
Notifications to the Controller on the basis of these Terms shall be sent to the Controller’s registered contact person in accordance with the service agreement between the parties, or to the party of which the Controller has specifically notified the Processor.
The Controller shall be responsible for notifying the Processor of any changes to its contact persons.
10. Responsibility
The liability of the contracting parties shall be governed by the general principles of liability under applicable law and the provisions of the Data Protection Act.
If the parties have agreed on a special compensation ceiling in their service agreement, such a provision shall also apply to the parties’ liability on the basis of these Terms, unless otherwise specifically stated in the service agreement.
11. Other provisions
These Terms shall take precedence over the service agreement between the parties with regard to the processing of personal data, unless otherwise specifically stated in these Terms. In other respects, however, the provisions of the Service Agreement shall remain unchanged as well as Sensa’s general terms and conditions.
In the event of a dispute arising out of these Terms which cannot be resolved successfully between the parties, the case shall be brought before the District Court of Reykjavík.
The Processor reserves the right to change these Terms in accordance with changes in data protection legislation or due to changes in how personal data is processed. The Processor shall inform the Controller of any changes to the Terms. If changes are made to the Terms that affect the rights and obligations of the Controller, such changes shall not take effect until a certain period of time has elapsed, during which the Controller shall be given the opportunity to object to the changes. If the Controller objects to the changes and the Processor cannot take measures to comply with such objections, the Controller shall have the right to terminate the relevant service.
These terms and conditions were established in February 2024.
