Data Processing Terms and Conditions
(Last updated 14 November 2024)
1. Introduction
These terms and conditions apply to the processing of personal data by Abler ehf., ID No. 660117-0670, Höfðabakka 9c, Reykjavík, Iceland (the “Processor” or “Abler”) on behalf of each Organisation with whom Abler has entered into a licence agreement (the “Licence Agreement”) for use of Abler’s system (the “Controller” or “Organisation”). These terms and conditions, together with the Licence Agreement, form the “Data Processing Agreement” between Abler and the Organisation in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).
Capitalised terms used in these terms and conditions shall have the same meaning as in Abler’s Terms of Use unless otherwise specified or defined in these terms and conditions.
2. Purpose of the Agreement
The purpose of the Data Processing Agreement is to define the conditions in which the Processor undertakes to carry out, on the Controller’s behalf, the personal data processing operations defined below.
The Parties shall comply with all applicable laws and regulations on personal data protection and the processing of personal data and, in particular, the Icelandic Data Protection Act No. 90/2018 and GDPR.
3. Description of the processing
The Processor is authorised to process, on behalf of the Controller, the personal data necessary for providing the Controller with use of the System in accordance with the Licence Agreement.
The Controller is responsible for ensuring that its use of the System complies with all applicable laws and regulations, including that it has a legitimate basis for processing the personal information.
The purpose of the processing is to enable the use of the System by the Controller.
The personal data processed is information about Users as contained in or used by the System, which information may come from Users, the Controller or from third parties to which the System connects. This information may include, but is not limited to, information about the User’s participation in the Controller’s events, contact information, payment and transaction information, family connections, communications with the Controller and/or other Users.
The categories of data subjects are Users.
4. Processor’s obligations
The Processor shall:
a. process personal data solely in accordance with the Data Processing Agreement;
b. process the personal data in accordance with the documented instructions from the Controller unless the Processor is otherwise required by law. By entering into the Licence Agreement, the Controller instructs the Processor to process personal data in connection with the User’s use of the System. Where the Processor considers that an instruction from the Controller infringes applicable laws or regulations, the Processor shall inform the Controller.
c. notify the Controller if the Processor is legally obliged to transfer Personal Data to a third country or an international organisation, unless law prohibits such notifications;
d. guarantee the confidentiality of personal data processed under the Data Processing Agreement, and ensure that the staff of the Processor who have access to personal data in connection with the carrying out of their work for the Processor are subject to an obligation of confidentiality and that they receive the appropriate personal data protection training;
e. as far as possible, assist the Controller in carrying out data protection impact assessments; and
f. take into consideration, in terms of products, systems and services, the principles of data protection by design and by default.
5. Controller’s obligations
The Controller shall supervise the processing and comply with all applicable data protection laws and regulations with respect to the personal data processed under the Data Processing Agreement.
The Controller is responsible for ensuring the accuracy of all data entered by it into the System, and for ensuring that its Users comply with applicable laws and regulations.
6. Sub-processors
The Processor may engage another processor (a “Sub-Processor”) to carry out specific processing activities, the Sub-Processor having provided sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of applicable data protection laws and regulations as well as the Data Processing Agreement, and that the rights of data subjects are ensured. The appointment of a Sub-Processor shall be pursuant to a written agreement, and the Processor shall continue to be fully responsible towards the Controller for the Sub-Processor’s fulfilment of its obligations.
The Processor’s current Sub-Processors are:
· Google Cloud EMEA Limited, Ireland
· Datadog, Inc., USA
· Amplitude Analytics, B.V., Netherlands
· Twilio Inc., USA
· Airship Group Inc., USA
· FreshWorks Inc., USA
· HubSpot, Inc., USA
· Peaberry Software Inc., USA
· Auðkenni ehf, Iceland
· Nova hf, Iceland
The Processor may change the Sub-Processors it uses at any time; however, before any new Sub-Processors commence processing personal data, the Processor shall notify the Controller with details of the new Sub-Processor and the processing activities they are set to undertake. Changes to the Sub-Processor shall be treated as an update to these terms and conditions in accordance with clause 15.
7. Data subjects’ right to information and exercise of data subjects’ rights
The Controller is responsible for informing the data subjects of the processing activities before processing begins in accordance with applicable laws and regulations.
The Processor shall, to the extent possible, assist the Controller in fulfilling its obligation to respond to data subjects’ requests regarding their rights, including their right of access, right to rectification and erasure of personal data, and to object to or restrict processing, right to data portability and the right not to be subject to automated decision-making, including profiling.
8. Notification of personal data breach
The Processor shall notify the Controller via e-mail to the Controller’s designated contact point, describing the nature of the Personal Data breach no later than 72 hours after becoming aware of the breach along with any documents or data that are necessary for the Controller to notify the applicable data protection authority and, depending on the circumstances, the affected data subjects.
The Controller is responsible for notifying the applicable data protection authority and the affected data subjects, as applicable.
9. Security measures
The Processor shall implement appropriate technical and organisational measures to ensure the security of data received from the Controller, and shall apply technical and organisational measures that ensure sufficient security considering the risk of the processing and the nature of the data to be protected, taking into account the latest technology, cost of implementation, nature, scope, context and purposes of processing as well as the impact on the rights and freedoms of data subjects.
10. Record of processing activities
The Processor shall, where applicable, maintain a written record of all processing activities carried out on the Controller’s behalf in accordance with applicable laws and regulations.
11. Proof of compliance
The Processor shall provide the Controller with all necessary documents to demonstrate compliance with all of the Processor’s obligations. The Processor shall allow the Controller or any other auditor it has authorised to carry out reasonable data protection audits, including inspections, and shall provide assistance in relation to such audits.
12. Duration of the Data Processing Agreement and deletion of personal data upon termination
The Data Processing Agreement enters into force at the same time as the Licence Agreement and shall remain in force indefinitely whilst the Licence Agreement is in force. The Data Processing Agreement may not be terminated by the Controller whilst the Licence Agreement is in force.
Upon termination of the Licence Agreement, the Controller shall inform the Processor what personal data shall be transferred to the Controller and what data should be deleted.
When the Processor has delivered all applicable personal data to the Controller, the Processor shall, at the Controller’s request, delete all personal data that was processed on behalf of the Controller. The Processor shall provide written proof of the deletion.
13. Data Protection Officer
To the extent the Processor is required by applicable laws and regulations to have a data protection officer and/or representative(s), such officer or representative(s) shall be identified in Abler’s Privacy Policy.
14. Contact persons
The Developer’s contact person for the Data Processing Agreement is the Developer’s Head of Information Security and Privacy. The Organisation’s contact person for the Data Processing Agreement is the Organisation Administrator unless the Organisation has notified the Developer of another contact person in writing.
15. Updates
Abler reserves the right to update these terms and conditions from time to time. Updates to these terms and conditions will be notified to the Organisation in accordance with the Licence Agreement.