Data Processor Agreement
Between, you, an Organization that uses the Truegroups Services and that may upload Personal Data to the Truegroups Services (hereafter "You")
Truegroups AS (hereafter "Truegroups")
Intention of the agreement
The intention of the agreement is to regulate rights and obligations pursuant to the Norwegian Act of 22 May 2018 relating to the processing of personal data (the Personal Data Act) and the EU General Data Protection Regulation ("GDPR"). The agreement shall ensure that personal information relating to the data subjects is not used unlawfully or comes into the hands of a third party.
The agreement concerns Truegroups’s handling of personal data on behalf of You, including collection, recording, alignment, storage and disclosure or a combination of such uses.
Truegroups services are designed to provide effective communication between families and groups in their local community. If you represent an organization, you may wish to upload certain personal data to the Truegroups Services. This Agreement identifies how Truegroups will handle such personal data, and what will happen to that data should your organization wish to terminate using the Truegroups Services
Personal data that can be uploaded to the Truegroups Services
Any user can upload personal data in the form of a name and one or more email addresses to individuals that are not registered with Truegroups. Such individuals can take steps to delete their name and email addresses from the Truegroups Services if they wish to.
As an organization, you may choose to upload more detailed personal data into the Truegroups Services. The data you can upload are:
- Individuals’ membership IDs in your own membership registry
- Individuals’ first name and last name
- Individuals’ birthdates
- Individuals’ email-addresses
- Individuals’ personal ID Number
These individuals, or their parents, may choose to confirm or to change any of the data you have uploaded (with the exceptions of Membership IDs and Personal ID numbers which remain hidden to the individual users), and they may also choose to delete the data. If they choose to confirm or to change any of the data, Truegroups will consider that this data changes ownership from your organization to that individual user. If they choose to delete their own data, Truegroups will let them do so.
If your Organization terminates the use of the Truegroups services, Truegroups will delete from its databases:
- Any personal data you have uploaded where ownership has not changed to an individual user
- Any memberships in your organization as stored in the Truegroups database
If You extract any personal data from Truegroups for Your own purposes, You assume responsibility that any subsequent handling of this data is in accordance with the applicable legislation for processing of personal data, in Europe known as "GDPR".
When processing personal data on behalf of You, Truegroups shall follow the routines and instructions as set out by Truegroups at any given time.
Truegroups is obliged to give You access to their written technical and organizational security measures and to provide assistance so that You can fulfil your responsibilities pursuant to the Act and the Regulations.
Unless otherwise agreed or pursuant to statutory regulations, You are entitled to access all personal data being processed on behalf of You and the systems used for this purpose. Truegroups must observe professional secrecy in regard to the documentation and personal data to which Truegroups has access in accordance with this agreement.
Use of a subcontractor
Truegroups currently subcontracts database hosting and management services to Microsoft Ireland Operations Limited. By uploading personal data to the Truegroups Services You accept the use of this subcontractor for handling your data. If Truegroups changes subcontractor for handling your data, Truegroups will notify you, and you may choose to terminate your use of the Truegroups Services if you are in disagreement with the choice of such new subcontractor.
Truegroups shall fulfil the requirements for security measures stipulated in the GDPR. The documentation shall be available to You upon Your request.
Truegroups shall report to You all security discrepancies. You are responsible for reporting the discrepancy to your national authorities pursuant to the legislation in your jurisdiction.
The implementation of regular security audits for systems etc. covered by this agreement shall be completed by Truegroups as a minimum on a yearly basis.
Duration of the agreement
The agreement is valid for as long as Truegroups processes personal data on behalf of You.
In the event of breach of this agreement or the Personal Data Act, You can instruct Truegroups to stop further handling of the information with immediate effect by terminating use of the Truegroups Services.
You may terminate this agreement by stopping use of the Truegroups Services. You terminate use of the Truegroups Services by deleting your Organization in the Truegroups Services. Upon termination of this agreement, Truegroups is obliged to delete all personal data received on behalf of You, where You retain ownership and that is covered under this agreement.
The parties shall agree that Truegroups shall delete or destroy in a secure and definite/irreversible manner all documents, data, diskettes, CDs, etc. that contain information covered under this agreement. This also applies to any back-up copies.
Choice of law and legal venue
The agreement is subject to Norwegian jurisdiction and the parties agree on Oslo District Court as the legal venue. This also applies after termination of the agreement.
Updated: June 22nd 2018