Data Processing Agreement

1. Definitions of Terms

Data Processor: A Data Processor is a natural or legal person, public authority, institution, or any other entity that processes Personal Data on behalf of the Data Controller.

Data Controller: A Data Controller is a natural or legal person, public authority, institution, or any other body or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; when the purposes and means of the processing are determined by European Union legislation or the national law of Member States of the European Union, the controller or the specific criteria for the controller's nomination may be provided for by European Union legislation or the national law of Member States of the European Union.

Personal Data: Personal Data refers to any information and assessments that can be linked to a person as an individual. Typical Personal Data includes name, address, phone number, email, and social security number. A photo is considered Personal Data if individuals can be recognized, and audio recordings can be Personal Data even if no names are mentioned in the recording. Biometrics such as fingerprints, iris patterns, and head shape (for facial recognition) consist of unique biological characteristics that can be used to identify an individual and are also considered Personal Data. 

Source: The Norwegian Data Protection Authority.

2. Purpose of the Agreement

This Agreement, pursuant to Article 28 paragraph 3 of the GDPR (Regulation (EU) 2016/679), defines the rights and obligations regarding the processing of Personal Data to ensure it is not misused or accessed by unauthorized persons. It governs the Data Processor's handling on behalf of the Data Controller, encompassing the collection, registration, compilation, storage, disclosure, and any combination of these activities.

3. Purpose and Means of Data Processing

The purpose of this agreement is to regulate the processing and storage of Personal Data that Checkin stores on behalf of the Data Controller (Checkin's customer). Checkin is a registration system where Personal Data is collected in connection with sign-ups and ticket sales.

  • Checkin shall process the Personal Data collected from participants who register/sign up either directly from checkin.no or via the Data Controller's own websites integrated with Checkin. For all customers, Checkin will process name, phone number, email, and the event the person will participate in. Checkin will also process other Personal Data requested by the Data Controller on a case-by-case basis. In some cases, this may involve processing health information like allergies and disabilities.
  • Checkin processes Personal Data by storing collected information on external servers as specified in Appendix 1, sending tickets to the registrants, processing payments, and registering attendance or access to the event the registrant is signed up for.
  • Checkin may not process Personal Data stored on behalf of the Data Controller for any purpose other than those described above.
  • Further use of collected data, for example for marketing purposes, is subject to any consents obtained from participants by the Data Controller at registration. The Data Controller is responsible for obtaining such consents, although Checkin will facilitate acquiring such consents.

4. Rights and Obligations of the Data Controller

By entering into this Agreement, the Data Controller accepts the following rights and obligations:

  • The Data Controller is responsible for ensuring that Personal Data is processed in accordance with the General Data Protection Regulation and the Norwegian Personal Data Protection Act (cf. Article 24).
  • The Data Controller has both the right and the obligation to decide the purposes and means that can be used in processing (cf. Article 4 paragraph 7).
  • The Data Controller is responsible for deciding what Personal Data is collected through Checkin and ensuring they are permitted to collect this data.
  • The Data Controller is responsible for how Personal Data is used further, including communication, marketing, and any exports to other systems. Obtaining consents is the Data Controller's responsibility, while Checkin is responsible for facilitating technically the collection of such consents.
  • The Data Controller can issue documented instructions to the Data Processor on how Personal Data should be processed (cf. Article 28 paragraph 3 letter a). The instructions shall be part of the agreement or attached as an appendix to the agreement. It is up to the Data Controller to decide whether additional instructions should be given.
  • The Data Controller has the right to terminate the agreement if the Data Processor no longer meets the legal requirements according to Article 28 paragraph 1.

5. Obligations of the Data Processor

By entering into this Agreement, the Data Processor accepts the following rights and obligations:

Obligation to Process Personal Data According to Written Instructions from the Data Controller

  • The Data Processor shall only process Personal Data in accordance with this Agreement or in accordance with documented instructions from the Data Controller. This limitation does not apply if Norwegian law requires a specific processing of Personal Data by the Data Processor. In such cases, the Data Processor must inform the Data Controller prior to initiating such processing, unless such notification is specifically prohibited by law.
  • The Data Processor must inform the Data Controller without delay if the Data Processor believes that an instruction violates GDPR, other regulations concerning the protection of Personal Data, or national legislation (cf. Article 28 paragraph 3, last clause).

Obligations for Authorized Personnel to treat Personal Data Confidentially

  • The Data Processor shall ensure that access to Personal Data on behalf of the Data Controller is limited to personnel with a need to know / business need. Such access shall be revoked when such access to Personal Data is no longer necessary.
  • The Data Processor shall ensure that such authorized personnel as mentioned above are under obligation to handle Personal Data confidentially or are bound by a legal obligation of confidentiality.
  • Upon request from the Data Controller, the Data Processor must be able to demonstrate that the authorized personnel are subject to confidentiality obligations—such as through documentation (cf. Article 28 paragraph 3, points b) and h)).
  • The confidentiality obligation remains in effect following the completion of the Data Processing assignment.
  • Checkin has established protocols for its employees, requiring confidentiality agreements to be signed upon hiring, and system access is revoked when an employee leaves the company. A list of employees with system access can be provided upon request from the customer.

Assistance in responding to requests concerning data subjects' rights

  • The Data Processor assists the Data Controller (using appropriate technical and organizational measures) in fulfilling the obligation to respond to requests from data subjects exercising their rights. The obligation applies as far as reasonably possible, taking into account the nature of the data processing.
  • Deletion, anonymization, and pseudonymization can be performed by the Data Controller themselves, either through the CRM module in the Checkin system's "My Page" or directly from the event section in "My Page."
  • End users can view their stored information via "My Page" and can also request deletion, anonymization, or pseudonymization there. Such requests are sent to the Data Controller by email. The Data Controller is responsible for carrying out the process using the CRM module in the Checkin system or directly from the relevant event.
  • Checkin highlights that, due to the requirements of the Accounting Act, transaction data, including payments made via card, VIPPS, invoice, or future payment methods, must be retained and cannot be deleted. These records may contain Personal Data, but their use by Checkin and/or the customer is strictly limited to purposes authorized under the Accounting Act.

Assistance to the Data Controller

  • The Data Processor is obligated to assist the Data Controller in fulfilling obligations outlined in Articles 32-36 of the General Data Protection Regulation (GDPR) that are relevant to this contractual relationship.
  • The Data Processor must immediately, within 48 hours, notify the Data Controller if a breach of Personal Data security has occurred or is occurring (cf. Article 33, paragraph 2 of the GDPR). If the breach poses a risk to the rights and freedoms of data subjects, the notification to the Data Controller must include the information necessary for the Data Controller to provide a detailed description of the breach to the supervisory authority (cf. Article 33, paragraph 3 of the GDPR).
  • Incident reports shall be made by the Data Processor notifying the Data Controller of the breach. The Data Controller is responsible for assessing whether a notification to the Data Protection Authority is required and for submitting such notifications if necessary.

Making Information Available to the Data Controller 

  • The Data Processor is obligated to make all data stored on behalf of the Data Controller available.

6. Transfer to Third Countries

Personal Data may only be transferred to a country outside the EEA (third country) or to an international organization if the Data Controller has approved such transfer in writing.

Regardless of the above, the Data Processor may at their own risk transfer Personal Data to third countries if required by applicable law in the EEA. In such cases, the Data Processor shall notify the Data Controller to the extent permitted by law.

7. Use of Sub-contractors

Upon acceptance of this Agreement, the Data Processor has the Data Controller’s general approval to engage other processors. However, the Data Processor must notify the Data Controller of any plans to replace or engage new processors. Such notification must be provided at least 6 weeks prior to the change taking effect. The Data Controller has the right to object to these changes and must communicate their objection to the Data Processor no later than 1 week after receiving the notification.

The subcontractors used by the Data Processor at the time of entering into this Agreement, and approved by the Data Controller, are listed in Appendix 1.

In instances where the Data Controller requests the Data Processor to integrate or otherwise transmit data to third-party systems, the Data Controller is responsible for ensuring that Data Processing agreements are in place between the third party and the Data Controller. Furthermore, it is the responsibility of the Data Controller to inform users about such integrations/transmissions during registration/ordering.

Checkin will alert the Data Controller of the need for establishing separate data processing agreements for integrations with third parties, as far as Checkin is aware that such integrations occur. Automated notifications will be provided regarding this requirement, for instance, when a connection is made to one of the standardized third-party solutions Checkin integrates with. Checkin holds no responsibility for the actual establishment of such agreements with third parties.

8. Security

The Data Processor must comply with the security measures required by the EU's General Data Protection Regulation (GDPR). The Data Processor is responsible for documenting procedures and other relevant measures necessary to meet these requirements. This documentation must be made available upon the Data Controller's request.

Technical and organizational measures shall, at a minimum, include but are not limited to measures to:

  1. pseudonymize and encrypt Personal Data where relevant;
  2. ensure the capability for ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  4. maintain a process for regular testing, assessing, and evaluating the effectiveness of technical and organizational security measures for processing;
  5. prevent data systems that process personal information from being accessed or used by unauthorized individuals, including preventing unauthorized access to read, copy, modify, or delete Personal Data.

The Data Processor is obligated to implement the aforementioned measures and, if necessary, update the measures to ensure that the technical and organizational measures are continuously in compliance with Data Protection regulations, including those outlined in GDPR Articles 28 and 32.

9. Security Audits

The Data Controller may arrange with the Data Processor to conduct security audits for systems covered by this Agreement. Any costs associated with such audits will be borne by the Data Controller.

10. Duration of the Agreement

This Agreement shall remain in effect for as long as the Data Processor processes Personal Data on behalf of the Data Controller. In the event of a breach of this Agreement or relevant data protection legislation, the Data Controller reserves the right to require the Data Processor to immediately stop any further processing of the data.

This Agreement may be terminated by either party with a mutual notice period of one month. 

11. Upon Termination

Upon termination of this Agreement, the Data Processor is obligated to return all Personal Data received on behalf of the Data Controller that is covered by this Agreement.

Upon termination of the agreement between the Data Processor and the Data Controller, the Data Processor will delete all Personal Data stored with Checkin. A copy of the database can be provided to the Data Controller upon request in a suitable format.

The Data Processor shall provide written documentation confirming that the deletion has been completed in accordance with this Agreement, within 10 days following the termination of this Agreement.

12. Notifications

Notifications pursuant to this Agreement shall be sent in writing to:

  • Data Processor: support@checkin.no
  • Data Controller: The email address currently registered in the customer information with Checkin.

13. Governing Law and Jurisdiction

This Agreement is governed by Norwegian law, and the parties agree that Kristiansand District Court shall have jurisdiction. This provision remains applicable even after the termination of the agreement.

Appendix 1 

External Servers 

Checkin stores all data on external servers hosted by Amazon Web Services (AWS) in Ireland. AWS functions as a sub-processor, and its processing of Personal Data is governed by the following legal document: AWS GDPR Data Processing Addendum.

Integrations

Checkin does not disclose or transfer data to any third parties, except when integrations with other systems have been agreed upon with the Data Controller, or when it has otherwise been agreed that data will be exported from Checkin.