Here can you find the

Previous Terms & Conditions

agreement-02-stroke-rounded 1
Terms & Conditions

03.04.2024-27.10.2024

Terms & Conditions
01 align center
Data Processing Agreement (DPA)

01.04.2024-27.10.2024

Data Processing Agreement (DPA)

Terms & Conditions

03.04.2024-27.10.2024

Terms & Conditions
This agreement is valid from April 3, 2024

  1. Definitions
    In these terms, the  that are capitalized are as defined in Appendix 1.

  2. Agreement and Contract Structure
    1. These General Terms and Conditions, together with the Customer Agreement and associated annexes constitute the Agreement between the Customer and Netto.
    2. To the extent that there is a conflict between these General Terms and Conditions and other contractual documents, these General Terms and Conditions shall apply.

  3. Additional Terms and Conditions
    Some of the Services may be subject to additional terms and conditions. These terms may also include third-party terms relating to Third-Party Software.

  4. Market Place
    Netto may, from time to time, offer Third-party Add-ons in the Netto system under "Integrations" or through other channels. To the extent the Customer subscribes to such Third-party Add-ons, the Customer shall separately agree to all necessary Terms with the provider of such Third-party Add-ons in addition to the terms applicable for the Service. Netto is not responsible for any support related to such Third-party Add-ons and has no liability for claims arising from the customer's use or misuse of Third-party Add-ons or breach of applicable Terms for Third-party Add-ons.

  5. Ordering of Services
    1. The services that are included in the delivery to the Customer are collectively described in the Customer Agreement or the individual Order Confirmation.
    2. Netto can change terms and prices if this is necessary in accordance with the law, regulation or decision of a public authority that takes place after the time of entering into this agreement.
    3. Netto has the right to directly have a dialog with the end-users and end-customers of the customers regarding the Netto product and purchasing additional services directly from Netto.  

  6. Registration of Users
    1. Each User shall create and use a unique user ID and password, and the Customer shall ensure that its Users:
      1. not share their login details with any other person or allow any other person to access the Service
      2. uses the Service in accordance with the Agreement.
    2. User IDs and passwords cannot be shared or used by more than one Authorized User. The customer must take reasonable measures to prevent unauthorized access to or use of the Services, and must notify Netto without undue delay of unauthorized access or use. The customer shall be responsible for unauthorized use arising from misuse of login details.

  7. Maintenance and Interruption
    1. Netto has the right to repair and maintain and upgrade, update or improve its network, infrastructure, website(s), services and the like to ensure the operation of the Netto system.
    2. Netto shall have the right to interrupt or suspend the Services if and to the extent necessary to carry out maintenance operations:
      1. for operational testing, monitoring, prevention, maintenance or adjustments to be carried out either with respect to the Netto system as a whole or part of it;
      2. where necessary, in Netto's reasonable opinion, to preserve the integrity of the Netto system or any part of it or the general quality of the Services; or
      3. to comply with orders imposed by public authorities.
    3. Netto shall, to the best of its ability, attempt to give advance notice if it is practically possible and shall use commercially reasonable efforts to minimize interruptions or disturbances in the use and operation of the Services.

  8. Duration and Extension
    Unless the Agreement is terminated earlier in accordance with the provisions in Clause 17, the agreement shall be effective from the order date and for an initial agreement period as stated in the Agreement or the order confirmation ("InitialAgreement period"). At the end of the Initial Agreement Period, the Agreement is automatically renewed for additional periods (each "Renewal period") corresponding to the Initial Agreement Period, unless the Customer expressly terminates the Agreement in writing before the end of the Initial Agreement Period (or a subsequent Renewal Period).

  9. Change in the Service
    1. Netto may at any time change the Service by removing, adding, changing functions or to carry out repairs, updates and upgrades in the Service, provided that such changes do not significantly change the core functions or functionality of the Services or change the security of the Service. Such changes may also involve changing suppliers. To the extent that such suppliers function as sub-processors, such changes shall be handled in accordance with the change of sub-processors as stated in the Data Processor Agreement.
    2. If a change requires implementation by the Customer, Netto is not responsible if a Service cannot be used as a result of the Customer not implementing the necessary changes.
    3. If Netto releases a Netto Update necessary for continued use of the Service, Netto will grant access to such Netto Updates at the time such Netto Updates are made generally available to other customers of Netto. This provision does not entail any obligation for Netto to make Netto Updates available to the Customer that involve additional or new functionality (that is, functionality that is not part of the Service). Such Netto Updates that provide new or additional functionality can be made available in accordance with an agreement with the Customer in accordance with any applicable fees and additional terms (when applicable).
    4. The Customer may order new services at any time during the Initial Agreement Period or the Renewal Period (“Additional Services") by signing an Agreement or an order confirmation that sets out the specific additional services, as well as the remuneration associated with Additional Services.
    5. The customer can increase the number of Licenses at any time without a new Agreement or an order confirmation. Any new License will automatically be invoiced from the date of creation according to the same price structure as the existing agreement for the remaining part of the Initial Agreement Period (or a Renewal Period).
    6. Any reduction in the number of Licenses during the Initial Agreement Period (or a Renewal Period) will only take effect after the Initial Agreement Period (or after a Renewal Period if a reduction of Licenses takes place during a Renewal Period).

  10. Customer Obligations
    1. The customer must act in accordance with the General Terms and Conditions.
    2. The services are only provided for the customers' internal use and may not be resold, relicensed, rented out or transferred to a third party or in any other way used for anything other than the intended purpose without Netto's written consent.
    3. If the Customer is exposed to errors, attacks or technical problems, the Customer must notify Netto without undue delay, so that Netto can take measures to rectify the situation and avoid derivative problems for Netto and other customers. Netto is not responsible for problems or errors with the Service related to this.
    4. If an event as stated above in Section 10.3 causes problems which, in Netto's opinion, may lead to operational technical problems for Netto, or for other Nettos customers, Netto may limit or disconnect the Service to remedy or prevent such problems.
    5. The customer is responsible for complying with all applicable laws and regulations that apply to the business when using the Services (including for its Users), including marketing legislation and the legal basis for processing personal data.

  11. Acceptable use Guidelines
    1. The Customer (and its Users) must not:
      1. circumvent or disable technological features or security measures built into the Services;
      2. breach or violate Netto's or a third party's Intellectual Property Rights,
      3. transmit illegal content;
      4. carry out spamming or other unsolicited advertising,
      5. engage in fraudulent activity to the detriment of third parties,
      6. use the Service in such a way that it is likely to interfere with the provision of services to others.
    2. The customer is responsible for all activities that occur in the customer's user account. The customer must not hand over the login information that gives access to the Services to any third party.

  12. Payment and Invoicing
    1. The customer shall pay the remuneration stipulated in the Agreement or the order confirmation within 30 days from the invoice date. Delivery of the Service and remuneration shall take effect from the date of order unless otherwise agreed. Netto submits invoices either via an electronic invoice in an approved standard format or by e-mail. The customer may also choose to pay by credit card.
    2. In the event of late payment, late payment interest accrues in accordance with the Act on interest for late payment, etc. Any accrued late interest can be added to the next invoice for the Service to the Customer. In the event of non-payment beyond 30 days, Netto may close access to the Services and/or limit the customer's access to the Service. The customer cannot make any claims against Netto as a result of this.
    3. The customer cannot set off amounts due under the Agreement against other claims the customer may have.
    4. All fees and amounts to be paid in accordance with the Agreement are calculated on the basis of the data registered or logged by Netto. If the Customer disputes this data or an invoice (or parts of an invoice), the Customer must immediately notify Netto before the due date. If the Customer does not notify Netto before the invoice's due date, the Customer shall be deemed to have accepted the invoice.
    5. Netto's prices can change at the turn of the year, at least corresponding to the increase in Statistics Norway's consumer price index (the main index). Netto's prices can also change to the extent that taxes and fees or prices for third-party suppliers that are part of the service change. In such a case, Netto must notify the Customer of this.

  13. Confidentiality and Notices
    1. Each party receiving Confidential Information ("Recipient") from the other ("DisclosingParty") shall keep this information confidential and shall not disclose such information to third parties without the Issuing Party's written consent. The Recipient shall take reasonable measures for the secure storage of confidential information.
    2. Regardless of Section 13.1, the Recipient may disclose the Disclosing Party's Confidential Information to its board members, and to employees who need access to such Confidential Information for the delivery or receipt of the Services.
    3. The duty of confidentiality laid down in this Clause 13 does not apply:
      1. confidential Information becomes publicly known information (unless this happens as a result of a breach of this Clause 13);
      2. if the Recipient can prove that the information was received from a third party who had the right to pass on such information
      3. where the information was developed by, or for, the Recipient independently of information received in accordance with this Agreement.
      4. if under a duty to hand over the Disclosing Party's Confidential Information by a public authority or in connection with legal proceedings. If a Party is obliged to such a handover, it must inform the Disclosing Party about the handover.
    4. Regardless of other provisions in this section 13, Netto has the right to:
      1. disclose or permit disclosure of the existence of this Agreement to any third party;
      2. disclose that the Customer is its client to a third party.

  14. Customer Data and Protection of Personal Information
    1. Data the Customer brings into the Netto System is owned by the Customer. Netto has the right to process data on behalf of the customer as long as the customer relationship lasts. Netto reserves the right to use data aggregated and anonymised to improve the services, also after the end of the agreement.
    2. If, when performing the service, Netto is to process personal data, this will be done in accordance with national rules and the EU's data protection regulation.

  15. Intellectual Property Rights and Updates
    1. The customer accepts that all Intellectual Property Rights in and to the Netto system (and the platforms included in the Netto System), the Services and any Netto Update (whether these exist now or in the future) belong to or are exclusively licensed to Netto or a Netto Group company. The customer does not have the right to copy or make any changes, corrections or adaptation of the elements covered by any of the foregoing. With the exception of such use as is necessary to make use of the service, this Agreement does not give the Customer any rights to Netto's Intellectual Property Rights.
    2. Regardless of what follows from points 13 and 15.1, Netto is granted a right to use the Customer's logos, names and trademarks in the marketing of its services and as a reference in connection with offers to other customers.
    3. Nothing in this agreement shall imply or be understood as a transfer or assignment of Intellectual Property Rights between the Parties.
    4. Customer is responsible for all necessary third-party clearances required, as well as costs incurred when using the Services (including but not limited to content distributed through use of the Service, such as music, images, etc.).

  16. Limitation of Liability
    1. Netto's overall liability for damages under the Agreement, in or out of contract and regardless of liability, is limited to 25% of the annual Fixed Monthly Remuneration.
    2. Neither Party is liable to the other Party for indirect losses, or consequential damages arising as a result of or in connection with this Agreement (including lost profits, loss of goodwill or reputation, loss of business or business opportunities, loss of expected savings or loss or destruction of data or information).

  17. Termination
    1. This agreement can be terminated immediately by written notice if the other Party
      1. is in material breach of the Agreement and such breach is not remedied within thirty (30) days of notification of this (if such breach can be remedied)
      2. is appointed a guardian, trustee or other form of administrator who takes over all or part of its business or assets;
      3. opens debt negotiation or bankruptcy or is in an insolvency-like situation.
    2. Netto may, by written notice, terminate this Agreement if a license or permit that is necessary for Netto's delivery of the Services ceases.
    3. Termination of the Agreement has no effect on the Parties' rights in default, which are available or have arisen before the time of termination.

  18. Effects of Termination
    1. Upon termination of this Agreement (regardless of the reason):
      1. the Customer must pay all outstanding unpaid invoices and interest (if applicable);
      2. Netto can issue invoices for Services that have been delivered but not yet invoiced and that must be paid immediately upon receipt of the invoice (including any remaining parts of the Fixed Monthly Remuneration for the remaining part of the Initial Agreement Period or Renewal Period), unless it is a case of termination from The customer's side due to significant default by Netto;
      3. Netto shall, in the event of the Customer's termination as a result of material default by Netto, repay any amounts prepaid by the Customer that apply to the period following such termination after deduction of any outstanding invoices;
      4. each Party shall, at the request of the other Party, destroy or return all copies of Confidential Information belonging to the other Party which are in its possession or control on the date of termination of the Agreement; and
      5. each Party shall cease to use the Intellectual Property Rights belonging to the other Party and any Intellectual Property Rights belonging to a third party granted pursuant to this Agreement, and any license granted pursuant to this Agreement shall terminate immediately.

  19. Force Majeure
    1. Neither Party shall be liable for failure to perform any of its obligations under this Agreement to the extent caused by a Force Majeure Event, provided that it shall take all reasonable steps to overcome and limit the consequences of the Force Majeure Event .
    2. If a Force Majeure Event results in non-delivery of the Services (or a substantial part thereof) for more than ninety (90) calendar days, one of the Parties may terminate this Agreement by giving seven (7) calendar days' notice.

  20. Notices
    Any notice or other communication given to a Party under or in connection with this Agreement must be in writing. Written in this context also means e-mail.

  21. Transfer
    The customer may not assign, sublicense or otherwise transfer any of its rights under the Agreement without Netto's written consent (including in the event of a merger or demerger). Such consent shall not be withheld without good reason. Netto can assign, sublicense, transfer or otherwise dispose of its rights or obligations under the agreement.

  22. Choice of Law
    This agreement is subject to Norwegian law and with Oslo District Court as the agreed venue.



Appendix 1 - Definitions

Term Definition
"Additional Services" the meaning set out in Clause 9.4.
"Netto Company" any company or other business entity that controls, is controlled by or is under common control with Netto at any time, where "control" means direct or indirect ownership of: (i) 50% or more of the voting securities or voting interests in such company such company or other entity; or (ii) 50% or more of the right to the profits or earnings of a business entity other than a company; or (iii) in the case of a partnership, any other similar interest in the general partner.
"Agreement" the customer agreement/contract between the Parties, as documented in this document, including Annexes, and any document expressly referred to in this document, with any amendments, but expressly excluding any document or offer prior to the date of this Agreement, unless expressly mentioned in this Agreement. All other terms and conditions in an order confirmation and/or an order form or other document that are not expressly referred to in the General Terms and Conditions will have no effect.
"Confidential Information" means non-public confidential or proprietary information of the disclosing party that is (i) clearly marked as confidential at the time of disclosure or (ii) a reasonable person would understand, based on the circumstances of the disclosure and the nature of the information, that the information should be treated as confidential.
"Customer Data" means the content of messages, shared files, correspondence, configuration data or other communications that are transmitted or stored while you use the Netto service, as well as information about the Customer's Users.
"Customer's Equipment" any devices, technology, software (other than software licensed and provided by Netto to the Customer) or additional facilities that the Customer or its End Users use from time to time to make and/or receive communications with End Users.
"Customer" means the party described as a customer in an Agreement or an order confirmation.
"Data Protection Legislation" means the laws and regulations applicable at any time relating to the use or processing of personal data, including: (i) GDPR; (ii) laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR); and (iii) laws and regulations that implement or are made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC), Directive on Privacy in Electronic Communications (EC Directive) 2003); in each case, as updated, amended or replaced from time to time.
"Effective Date" the date as on the Agreement or an order confirmation, which defines when this Agreement comes into force.
"End User" a person who uses the Netto service from time to time to communicate with the Customer.
"Guidelines for Acceptable Use" as stated in Clause 13.
"Compensation" the consideration that the customer pays to Netto in relation to the Services as stated in the prices in an Agreement or an order confirmation (which may be changed in accordance with Clause 13.7).
“Force Majeure Event” an act or event that prevents or affects Netto's performance of its obligations hereunder as a result of acts, events, omissions or circumstances beyond Netto's reasonable control, including (but without limiting their general nature) pandemic situations, regardless of whether this is defined as an emergency for public health or not, including but not limited to viral infections such as COVID -19, disaster, cyber terrorism and cybercrime (including hacking, malicious software (malware) and other deliberate disruption of computer networks), actual or threatened terrorist attack, failure to deliver from a utility or a labor dispute affecting a third-party supplier that cannot reasonably be replaced, provided that Netto has taken all steps (if any) that could reasonably be expected to have been taken to prevent the occurrence of such an act or event or the fulfillment of its obligations is prevented or adversely affected and provided that Netto cannot make the obligations as a force majeure event: (i) Netto's willful acts or omissions, or failure to comply with all reasonable precautions; or (ii) failure of hardware, software, telecommunications or other system components (including, in the case of Netto, the Netto System) unless and to the extent that such failure occurs as a result of one or more events described above (or any similar, the equivalents or analogous event).
"Fixed Monthly Fee" means the fixed monthly fee per License to be paid by the Customer for having been granted the right to use the Service (regardless of the Customer's actual use of such Services).
"Initial Agreement Period" means the first period of the Service specified in the Agreement or an order confirmation.
"Intellectual Property Rights" all industrial and intellectual property rights, including patents, utility models, rights to inventions, applications for patents, copyright (including source code) and related rights, moral rights, database rights, author rights, rights of publication, semiconductor rights, company names, trade names, trademarks , service marks or other proprietary designations, registered designs, rights in designs, trade secrets, rights to confidential information and know-how, contractual rights, license rights and/or other intellectual or proprietary rights recognized by any jurisdiction, (whether registered or unregistered and including any renewals and extensions of these) whether they exist now or arise later and the right to apply for registrations of any of the foregoing.
"Maintenance Window" a period during which the Netto system undergoes maintenance.
"Module" means the individual parts of the Service as specified in the Agreement or an order confirmation.
"Part" the parties to the agreement each independently referred to as a "Party", and collectively referred to as the "Parties".
"Netto Update" any updates, upgrades, new versions, improvements, modifications, enhancements, inventions or developments created by Netto in relation to the Netto System for use with the Netto System and/or in the provision of the Services.
"Netto System" the system or software owned and/or operated by Netto.
"Netto" The Netto entity described in the Agreement or an order confirmation.
"Renewal Period" has the meaning set out in Section 8.
"Service(s)" the services offered by Netto in accordance with this Agreement as stated in an Agreement or an order confirmation.
"Agreement Period" from the Effective Date until the agreement expires or is terminated as described in Sections 8 and 17.
"Third Party Software" means the third-party software specified as such in any Agreement or order confirmation and all modifications, enhancements, and/or new versions of the same.
"Third Party Additions" products and services offered by third parties on Netto's website but not part of the Services.
"Terms for Third-Party Add-ons" means all terms and conditions, including license terms, governing the provision or use of Third-party Add-ons.
"User" someone who uses the service.
"VAT" means value added tax.
"Workday" means weekdays (Monday to Friday) excluding public holidays.
Back to the top

Data Processing Agreement (DPA)

01.04.2024-27.10.2024

Data Processing Agreement (DPA)

Between Netto AS (“Processor”) and Customer (“Controller”)
This agreement is valid from April 1, 2024

 

1. Purpose and definitions

The purpose of this Data Processing Agreement is to regulate the Processor’s processing of personal data on behalf of the Controller whilst providing the Netto System (“the Service”).

This Data Processing Agreement governs the Processor’s rights and obligations, in order to ensure that all Processing of Personal Data is conducted in compliance with applicable data protection legislation. Processing of Personal Data (as defined below) is subject to requirements and obligations pursuant to applicable law. When the Controller is a legal entity established in the European Economic Area (the "EEA") relevant data protection legislation will include local data protection legislation and the present EU- Regulation 2016/679 dated April 27th 2016. The parties agree to amend this Data Processing Agreement to the extent necessary due to any mandatory new requirements following from the EU Regulation 2016/679 and the revised Electronic Communications Regulation (“ePrivacy”) pursuant to its local implementation.

Personal Data” shall mean any information relating to an identified or identifiable natural person, as further defined in applicable law and EU- Regulation 2016/679.

Processing” of Personal Data shall mean any use, operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, transfer, storage, alteration, disclosure as further defined in applicable law and EU- Regulation 2016/679.

Third Countries” shall mean countries outside of the EU/EEA area which are not recognized as countries providing adequate protection of Personal Data.

2. Controller’s responsibilities

In order to access the Service, the Controller must provide certain data to the Processor, as name and email address of the users. In addition, the users of the Service must allow the Processor to store and retrieve session information through the use of “cookies” which are necessary to enable the login/logout procedures used in the Service and to ensure that unauthorized persons do not gain access to the Services.

The Controller acknowledges and accepts that any Personal Data that the Controller uploads onto the Service, such as uploaded Personal Data pertaining to the Controller’s own customers, may be transferred to a third party (sub processor) based in the European Economic Area (EEA) which will provide for hosting of the Service, including the provisioning of all hardware, infrastructure, data storage and communication lines. The obligations of the third party in regard to Personal Data are set forth in a separate data processing agreement between Processor and the third party within the framework of this Data Processing Agreement. All data in the Service are stored on servers located in Europe.

The Controller confirms that the Controller:

  • has sufficient legal basis for Processing of Personal Data,
  • has the right to use the Processor for Processing of the Personal Data,
  • has the responsibility for the correctness, integrity, content, reliability and legality of the Personal Data,
  • complies with applicable law on notification to and authorizations from relevant authorities, and
  • has informed the Data Subject in accordance with applicable law.

The Controller shall:

  • reply to requests from the Data Subjects regarding the Processing of Personal Data pursuant to this Data Processing Agreement,
  • assess the necessity for specific measures as set forth in this Data Processing Agreement Art. 3.3.2 and 3.3.4, and order such measures from the Processor, and
  • the Controller shall implement sufficient technical and organizational measures to ensure and demonstrate compliance with the EU Regulation 2016/679 from the time it enters into force.

The Controller has a duty to notify any personal data breaches to the relevant authorities and, if necessary, the Data Subjects without undue delay in accordance with applicable law.

3. Processor’s responsibilities

3.1 Compliance

The Processor shall comply with all provisions for the protection of Personal Data set out in this Data Processing Agreement and in applicable data protection legislation with relevance for Processing of Personal Data. The Processor shall provide the Controller with assistance to ensure and document that the Controller complies with its requirements under the applicable data protection legislation.

The Processor shall comply with the instructions and routines issued by the Controller in relation to the Processing of Personal Data.

3.2 Restrictions on use

The Processor shall only Process Personal Data on, and in accordance with, the instructions from the Controller. The Processor shall not Process Personal Data without prior written agreement with the Controller or without written instructions from the Controller beyond what is necessary to fulfill its obligations towards the Controller under the Agreement.

3.3 Information Security

3.3.1 Duty to ensure information security

The Processor shall by means of planned, systematic, organizational and technical measures ensure appropriate information security with regard to confidentiality, integrity and accessibility in connection with the Processing of Personal Data in accordance with the information security provisions in applicable data protection legislation.

The measures and documentation regarding internal control shall be made available to the Controller upon request.

3.3.2 Assessment of measures

In deciding which technical and organizational measures should be implemented, the Processor shall, in consultation with the Controller, take into account:

  • the state of the art,
  • the costs of implementation,
  • the nature and scope of the processing,
  • the context and purpose of the processing, and
  • the severity of risks the Processing of Personal Data has for the rights and freedoms of the data subject.

The Processor shall, in consultation with the Controller, consider:

  • implementing pseudonymisation and encryption of Personal Data,
  • the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services on an ongoing basis,
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
  • a process for, on an ongoing basis, testing, assessing and evaluating regularly the effectiveness of technical and organizational measures for ensuring the security of the Processing.

3.3.3 Requests from the data subjects

Considering the nature of the Processing, the Processors shall implement appropriate technical and organizational measures to support the Controller's obligation to respond to requests regarding exercising the rights of the data subject.

3.3.4 Assistance to the Controller

The Processor shall assist the Controller in ensuring compliance with applicable law, including assisting the Controller with:

  • implementing technical and organizational measures as stated above,
  • complying with duty of notification to supervisory authorities and data subjects in case of a personal data breach,
  • conduct data privacy impact assessments,
  • conduct prior consultations with supervisory authorities when a privacy impact assessment makes it it necessary, and
  • notice to the Controller if the Processor is of the opinion that an instruction from the Controller is non-compliant with applicable data protection regulations.

Assistance as set out above, shall be carried out to the extent necessary, taking into account the Controller’s need, the nature of the processing and the information available to the Processor.

3.3.5 Compensation

Assistance from the Processor as set down in this Data Processing Agreement, as well as assistance in relation to specific routines and instructions imposed by the Controller, shall be compensated by the Controller in accordance with the Processor’s regular terms and prices.

3.4 Discrepancies and data breach notifications

Any use of the information systems and the Personal Data not compliant with established routines, instructions from the Controller or applicable data protection legislation, as well as any security breaches, shall be treated as a discrepancy.

The Processor shall have in place routines and systematic processes to follow up discrepancies, which shall include re-establishing of the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.

The Processor shall immediately notify the Controller of any breach of this Data Processing Agreement or of accidental, unlawful or unauthorized access to, use or disclosure of Personal Data, or that the Personal Data may have been compromised or a breach of the integrity of the Personal Data. The Processor shall provide the Controller with all information necessary to enable the Controller to comply with applicable data protection legislation and enabling the Controller to answer any inquiries from the applicable data protection authorities. It is the Controller`s responsibility to notify the applicable Data Protection Authority of discrepancies in accordance with applicable law.

3.5 Confidentiality

The Processor shall keep confidential all Personal Data and other confidential information. The Processor shall ensure that each member of the staff of the Processor, whether employed or hired employee, having access to or being involved with the Processing of Personal Data under the Agreement (i) undertakes a duty of confidentiality and (ii) is informed of and complies with the obligations of this Data Processing Agreement. The duty of confidentiality shall also apply after termination of the Agreement or this Data Processing Agreement.

3.6 Security audits

The Processor shall on a regular basis carry out security audits for systems and similarly relevant for the Processing of Personal Data covered by this Data Processing Agreement. Reports documenting the security audits shall be available to the Controller.

The Controller has the right to demand security audits performed by an independent third party of the Processors choice. The third party will provide a report to be delivered to the Controller upon request. The Controller accepts that the Processor may claim compensation for the performance of the audit.

3.7 Use of sub-contractors (sub-processors)

The Processor is entitled to use sub-contractors and the Controller accepts the use of sub-contractors. A list of pre-approved sub-processors is available in the Netto Trust Center. The Processor shall, by written agreement with any sub-contractor ensure that any Processing of Personal Data carried out by sub-contractors shall be subject to the same obligations and limitations as those imposed on the Processor according to this Data Processing Agreement.

If the Processor plans to change sub-contractors or plans to use a new sub-contractor, Processor shall notify the Controller in writing 4 months prior to any Processing by the new sub-contractor, and the Controller may within 1 month of the notice object to the change of sub-contractors. Should the Controller object to the change, Controller may terminate the Agreement upon 3 months' notice. To the extent Controller does not terminate the Agreement, the change of sub-contractor shall be regarded as accepted.

3.8 Transfer of Personal Data to Third Countries

If the Processor uses sub-contractors outside the EU/EEA area for Processing of Personal Data, such Processing must be in accordance with the EU Standard Contractual Clauses for transfer to third countries, or another specifically stated lawful basis for the transfer of personal data to a third country. For the avoidance of doubt, the same applies if the data is stored in the EU/EEA but may be accessed from locations outside the EU/EEA.

Should the Controller approve such transfer of Personal Data, the Processor is obligated to cooperate with the Controller in order to ensure compliant transfers. If the basis for the transfer is the EU Standard contractual clauses (“SCC”) for processors, the controller hereby authorizes the Data Processor to enter into Such SCCs with the sub-processor on behalf of the Controller.

4. Liability, breach

In the event of breach of this Data Protection Agreement, or a breach of obligations according to applicable law on Processing of Personal Data, the relevant provisions regarding breach in the Agreement shall apply.

 

Claims from one party due to the other party’s non-compliance with the Data Processing Agreement shall be subject to the same limitations as in the Agreement. In assessing whether the limitation in the Agreement is reached, claims under this Data Processing Agreement and the Agreement shall be viewed in conjunction, and the limitation in the Agreement shall be viewed as a total limitation.

The Processor shall notify the Controller without undue delay if it will or has reason to believe it will be unable to comply with any of its obligations under this Data Protection Agreement.

5. Term and termination of the Data Processing Agreement, changes

This Data Processing Agreement shall be effective from the date the Agreement is signed by both parties and until the Processor's obligations in relation to the performance of services in accordance with the Agreement is terminated, except for those provisions in the Agreement and Data Processing Agreement that continue to apply after such termination.

Upon termination of this Data Processing Agreement will the Personal Data be deleted. The Processor (and its sub-contractors) shall immediately stop the Processing of Personal Data from the date stipulated by the Controller.

The Processor has no right to keep a copy of any data provided by the Controller in relation to the Agreement or this Data Protection Agreement in any format, and all physical and logical access to such Personal Data or other data shall be deleted.

The obligations pursuant to sections 3.5 and 4 shall continue to apply after termination. Further, the provisions of the Data Processing Agreement shall apply in full to any Personal Data retained by the Processor in violation of this section 5.

The parties shall amend this Data Protection Agreement upon relevant changes in applicable law.

6. Dispute and jurisdiction

This Data Processing Agreement is subject to Norwegian law and with Oslo District Court as the agreed venue.

7. List of pre-approved sub-Contractors (sub-Processors)

According to clause 3.7 in this agreement, Netto will maintain a list of pre-approved sub-Processors. This list is available in the Netto Trust Center.

 
Back to the top

Got any questions?

Contact us