Data Processing Addendum - GDPR

Data Processing Addendum - GDPR This Data Processing Addendum forms a part of the existing agreement(s) between Dualog and the Customer with regard to Dualog’s processing of personal data of customer in accordance with the requirements of Data Protection Laws (EU 2016/679).

Dualog AS including subsidiaries (hereinafter referred to as “the processor”, “Dualog”, “we”, “us” and “our”) will process personal data on behalf of the Customer (hereinafter “the controller”, “the customer”) due to the customer subscribing to one or more of the Dualog’s services (“the system” or “the services).

The processor will make related systems available to the controller, as well as maintain and update the services as the processor sees fit.

The system will be used to provide different services related to data traffic including but not limited to business email, crew email, web proxy and network control.

The personal data is being kept allowing the controller to administer services improving crew welfare as well as creating personal administration accounts.

The data processing is not time limited and will last until the customer service provider relationship is terminated according to contractual specifications.

The personal data will be added to the system by or as advised by the customer. The personal data will relate to employees or other users under the controller’s domain.

Personal data includes name, email, address and phone number. Depending on services, most frequently visited domains can also be stored.

The controller is responsible for ensuring personal data is being processed according to (EU) 2016/679 article 24.

The processor is responsible for processing personal data according to article 28.

The controller has the right to terminate the agreement if the processor no longer adheres to article 28.1.

The processor is responsible to limit access to the personal data of the controller both physically as well as logically according to article 32. Personal data is confidential and is not permitted to be shared, traded or sold with a 3rd party in any form by the processor.

The controller will allow the processor to use sub-processors. The processor is responsible to make sure these sub-processors adheres to article 28.4 which governs that sub-processors are bound by the same limitations as the processor.

Upon an audit being demanded of the controller, the processor will assist and extract the relevant information so that the controller can determine if audit is acceptable and does not breach privacy of other natural persons.

If an individual registered person requests audit of data from the controller, the processor will assist the controller providing these.If an individual registered person requests audit of data from the controller, the processor will assist the controller providing these.

The processor will alert the controller without undue delay after becoming aware of a personal data breach. If the breach requires the controller to notify the registered persons, the processor will provide the information required.

Upon ending the customer relationship, the processor will delete or anonymize the data. Certain data, like email, can be extracted and provided to the controller according to further agreement.