Data Processing Agreement

This Data Processing Agreement sets forth the terms and conditions regarding the processing of personal data by Tilkynna and/or Tilkynna's sub-processors. Tilkynna is authorized to process personal data concerning legal entities, in connection with services provided to legal entities under this agreement, and may thus be considered a processor within the meaning of the European Parliament and Council Regulation of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

A legal entity, established in Iceland, hereinafter referred to as "controller" that has applied for Tilkynna's services through the website Tilkynna.is

AND

Slidesome ehf, established in Iceland, hereinafter referred to as "processor",

enter into the following Data Processing Agreement, in accordance with Article 28 of the European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016:

I. Purpose of the Agreement

The purpose of these contractual provisions is to specify the obligations that the processor performs on behalf of the controller, in connection with the processing activities covered by the agreement, as detailed in section IV on Processor's Obligations Towards the Controller.

The contracting parties shall be bound by all applicable legal provisions concerning the processing of personal data and particularly by the European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), which came into effect on 25 May 2018.

II. Description of the Processing Agreed for the Processor to Perform

The processor is authorized to process, on behalf of the controller, the personal data necessary to provide the following service:

The nature of the processing activity in question is to receive notifications and forward them to the legal entity.

The processor is authorized to process the following types of personal data provided by the controller:

  • Contact details such as name, national ID number, address, and email of the controller
  • Notification areas reserved for the controller
  • Subscription plan chosen by the controller

The processor is authorized to process the following types of personal data on behalf of the controller:

  • Name, national ID number, phone number, and/or email of notifiers and/or other information that the controller requests on notification areas.

The processor is authorized to process the following categories of data subjects:

  • The controller
  • Employees and other users of the controller
  • Customers of the controller, if applicable
  • Users invited to a notification on behalf of the controller

To enable the processor to provide the requested service, the controller shall provide the processor with the following information:

  • Name, national ID number, address, and email of the controller
  • Notification areas used by the controller
  • Subscription plan chosen by the controller

III. Duration of the Agreement

This agreement takes effect when the controller accepts Tilkynna's terms during registration for the service and remains in effect as long as the controller uses Tilkynna's services in any way.

IV. Processor's Obligations Towards the Controller

The processor shall:

  1. only process personal data in accordance with the purpose of the processing, as stipulated in this agreement

  2. only process personal data according to the controller's written instructions, which accompany this agreement. If the processor believes that the controller's instructions are not in compliance with the General Data Protection Regulation or other applicable legal provisions regarding the processing of personal data, the processor must notify the controller of this without delay. The processor must also notify the controller if the processor is legally required to transfer personal data to third countries or international organizations, unless the law prohibits such disclosure.

  3. ensure confidentiality regarding the processing of the personal data covered by this agreement, and

  4. ensure that employees who have access to personal data in connection with the execution of the agreement have signed a confidentiality agreement or are bound by confidentiality under the law and that they receive appropriate training in data protection.

  5. ensure that devices, tools, products, programs, and services are designed with built-in and default data protection.

  6. Use of sub-processors:

    • The processor is authorized to enter into agreements with other parties ("sub-processors") to perform specific processing operations. Before any intended changes take effect, both when adding a sub-processor and when making changes to existing sub-processors or when there are additions or changes to the current arrangement of processing operations, the processor shall inform the controller in writing of the changes. The notice shall specifically state which processing operations the sub-processor intends to undertake, the name and contact information of the sub-processor, along with the date of the agreement. The controller has 30 days from the date they receive information about the change in the use of a sub-processor to object to it. The use of a sub-processor is only permitted if the controller has not objected within the time limit.
  7. Right of data subjects to information.

    • The controller is responsible for providing data subjects with information (education) about the processing activity before or at the start of the processing, in accordance with the General Data Protection Regulation regarding information that must be provided to data subjects, cf. Articles 13 and 14.
  8. Granting rights to data subjects

    To the extent possible, the processor shall assist the controller in fulfilling its obligation to respond to requests from data subjects regarding their rights, such as the right of access, the right to rectification and erasure of information, and the right to object to processing or restrict it, the right to data portability, and the right not to be subject to automated decision-making, including profiling. When a data subject makes a request to exercise their rights with the processor, the processor shall forward such a request without delay to the controller.

  9. Notification of a security breach

    The processor shall notify the controller by phone, email, or other means of any security breach no later than 24 hours after becoming aware of the breach. The notification shall include any documents or information necessary for the controller to notify the relevant supervisory authority (Data Protection Authority).

    Information sent to data subjects shall be clear and simple and describe at least:

    • the nature of the security breach, including, where applicable, the categories and approximate number of individuals affected by the breach, and the categories and quantity of data (records) involved,
    • the name and contact information of the data protection officer or other contact point where more information can be obtained,
    • the likely consequences of the security breach,
    • the measures taken or proposed to address the breach, including, where applicable, measures to mitigate the potential adverse effects on individuals,
    • the actions individuals can take to minimize their damage, e.g., changing passwords.
  10. Assistance to the controller in meeting the requirements of the General Data Protection Regulation

    The processor shall:

    • assist the controller in conducting a data protection impact assessment.
    • assist the controller in meeting the requirements of the regulation concerning prior consultation with the supervisory authority (Data Protection Authority).
  11. Security of personal data

  • The processor shall implement appropriate technical and organizational measures to ensure the security of the personal data processed on behalf of the controller. These measures shall take into account the latest technology, the cost of implementation, the nature, scope, context, and purposes of the processing, and the risk.

  • The processor shall implement the following security measures:

    • use pseudonymization and encryption of data
    • ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
    • be able to restore timely access to personal data in the event of a physical or technical incident
    • implement a process for regularly testing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing.
    • prevent personal data from being accidentally or unlawfully destroyed, lost, or altered
    • maintain and adhere to ISO 27001 certification for the software system hosting environment, including maintaining a documented security policy, regularly updating risk assessments, and implementing appropriate security measures
    • control access by employees and others to systems that contain personal data
  • If the controller decides to conduct a risk assessment in connection with specific processing, the processor shall assist the controller in such an assessment in accordance with data protection laws.

  • The processor shall always inform the controller where the personal data is hosted. It is strictly prohibited to transfer personal data outside the European Economic Area unless based on the controller's written instructions.

  12. Internal control

    • The processor shall maintain internal control over the processing of personal data to ensure compliance with applicable laws and regulations and the security measures that have been decided.
    • Internal control shall be maintained regularly. The frequency and scope of the control shall be determined based on the risk associated with the processing, the nature of the data being processed, the technology used to ensure the security of the data, and the cost of conducting the control. However, the control shall be conducted at least annually.
    • The processor shall prepare a report on the implementation of the internal control. The report shall describe the outcome of each aspect of the control. The reports must be securely stored. The controller has the right to receive a copy of such a report upon request.

  13. Disposal of personal data at the end of processing

    When the service ends under this agreement, the processor agrees to return all personally identifiable information to the controller and delete it.

    • delete all personally identifiable information, or
    • return all personally identifiable information to the controller, or
    • transfer all personally identifiable information to another processor, designated by the controller.

    When returning information, all copies of personally identifiable information that may be found in the processor's systems must also be deleted. Once the information has been deleted, the processor shall demonstrate this in writing.

  14. Data Protection Officer

    The processor shall provide the controller with the name and contact information of its Data Protection Officer, if one has been designated, cf. Article 37 of the regulation.

  15. Record of processing activities

    The processor shall keep a record of all processing activities carried out on behalf of the controller. The record shall include:

    • the name and contact information of the processor, one or more, and each controller on whose behalf the processor is acting, and, where applicable, the representative of the controller or processor and the Data Protection Officer,
    • the categories of processing carried out on behalf of each controller,

  16. Documentation for demonstrating compliance

    The processor shall provide the controller with all necessary documentation to demonstrate compliance and to enable the controller or an auditor to conduct audits, including inspections, and assist with such audits.

V. Controller's Obligations Towards the Processor

The controller shall:

  • provide the processor with the data mentioned in section II.
  • record in writing all instructions regarding the processing directed to the processor.
  • ensure, before and during the processing, that they operate in compliance with the requirements imposed on them under the General Data Protection Regulation, and
  • oversee the processing, including by conducting audits and inspections of the processor.

Appendix 1 - Sub-processors

Tilkynna uses Amazon Web Services (AWS) in Ireland, Burlington Rd, Dublin 4, to host services and data.

Tilkynna's use of AWS services began on 1 January 2021.

You can contact AWS here: https://aws.amazon.com/contact-us/

The AWS Data Processing Agreement can be accessed here: AWS Data Processing Agreement