Data processor agreement

in accordance with GDPR article 28

By and between


Data Controller


Culture Exploit AS

Data Processor

Culture Exploit AS, Gaustadalléen 21, 0349 Oslo, Norway, 918 415 823, hereafter called “CE”, and CE’s affiliates recognise the importance of securing and protecting any data collected from people through our platform, and its related products, services and any other functionality found at (collectively the “Platform”).

1. Subject-matter and duration of the processing

This agreement applies to the processing of personal data by Culture Exploit AS as processor (hereinafter referred to as the Processor) on behalf of Client (hereinafter referred to as the Controller) in relation to the service agreement between the two parties dated xx.xx.xxxx.

The purpose of this data processor agreement (the Agreement) is to ensure compliance with the requirements of the GDPR and to regulate the processing of personal data by the Processor on behalf of the Controller, including collection, recording, alignment, storage and disclosure or a combination thereof.

The Processor may process personal data on behalf of the Controller for as long as the service agreement between the parties is valid. In the event of a breach of this Agreement or the GDPR, the Controller may instruct the Processor to stop further processing of the personal data with immediate effect.

2. The nature and purpose of the processing

The Controller has entered into a service agreement with the Processor dated xx.xx.xxxx, which covers Cultural assessment in Culture Exploit.

The service agreement entails processing of personal data by the Processor on behalf of the Controller. The purpose of the processing of personal data covered by this agreement is development of the employees in the organization.

3. The type of personal data and categories of data subjects

Upon performing the services as agreed to in the Service contract, the Processor may process personal data of name and e-mail addresses.

The following types of personal data may be processed under this Agreement:


  • Name
  • Contact details (e-mail)
  • Born (year)
  • Seniority (started to work for client year)


4. Obligations and rights of the controller

The Processor may not process personal data in any other way than regulated by this agreement. The Processor shall only process personal data on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Processor is obliged to give the Controller access to the written technical and organizational security measures and to provide assistance so that the Controller may fulfil his responsibilities pursuant to the GDPR.

Unless otherwise agreed or pursuant to statutory regulations, the Controller is entitled to access all personal data being processed by the Processor on behalf of the Controller and the systems used for this purpose. The Processor shall provide the necessary assistance for this.

The Processor must observe professional confidentiality concerning the documentation and personal data to which he has access in accordance with this agreement. This provision also applies after the agreement has been terminated.

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights as per the GDPR. Any requests for access, deletion and/or rectification received by the Processor shall, without undue delay, be forwarded to the Controller.

Personal data shall not be stored longer than is necessary to carry out the purpose of the processing. Each employee has the possibility to delete all personal information whenever they want.

In the case of a personal data breach, the Processor shall without undue delay and, where feasible, no later than 24 hours after having become aware of it, notify the personal data breach to the Controller. The Controller is responsible for reporting the breach to the relevant national Data Inspectorate.

5. Use of a subcontractor

Delete the non-relevant section:

*The Controller grants the Processor a general authorisation to engage another processor upon the condition that the Processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Anyone who performs assignments on behalf of the Processor that include further processing of the relevant personal data which is covered by this agreement shall be familiar with the Processor’s contractual and legal obligations and fulfil the requirements thereto.

6. Security of processing

The Processor shall fulfil the requirements for security of processing as stipulated in article 32 of the GDPR. The documentation shall be available upon request by the Controller.

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:


  • The pseudonymisation and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Processor shall provide physical security to prevent unauthorized access to areas where personal information is stored. The Processor shall furthermore ensure that necessary access controls to all personal data and relevant IT-systems are established. Access must be based on the employees’ need for access, taking into account the relevant work tasks. The use of IT-systems covered by this agreement shall be logged. 

Electronically stored information that contains personal information shall be protected with passwords and other similar technical security measures to ensure that electronically stored information is neither available to unauthorized personnel nor that there is any risk of undesirable alteration / deletion of data. The security must meet generally recognized methods, or better.

7. Security audits

The Processor shall undertake security audits for systems, etc. covered by this agreement every year. The Controller shall, upon request, receive documentation of these security audits.

The audit may include a review of routines and policies, random checks, more extensive site inspections and other suitable control measures. The Controller has right of access to the documentation held by the Processor that is relevant to this Agreement. The Processor is therefore obliged, after being given reasonable prior notice, to make this documentation available to the Controller.

In instances where the Controller wishes to carry out an onsite inspection or spot checks, the Processor shall be notified in writing, providing reasonable notice prior to onsite inspection. 

8. Duration of the agreement

The agreement is valid for as long as the processor processes personal data on behalf of the controller. In the event of a breach of this agreement or the Personal Data Act, the controller may instruct the processor to stop further handling of the information with immediate effect.

9. Termination

Upon termination of this agreement, the Processor is obliged to delete all personal data received on behalf of the controller and covered under this agreement within one business day. This also applies to any back-up copies. The processor shall document in writing that deletion has taken place in accordance with the agreement.

10. Notifications

Notifications under this agreement shall be submitted in writing to:


Processor: Culture Exploit by CEO


11. Choice of law and legal venue

The agreement is subject to Norwegian jurisdiction and the parties agree upon Oslo district court as the legal venue. This also applies after termination of the agreement.


This agreement has been drawn up in 2 – two copies, of which the parties retain one copy each.

Oslo, Month xxth – 20xx

Controller                                            Processor

                                               Xxxx Xxxx per prokura


                                               Culture Exploit AS

Culture Exploit AS Gaustadalléen 21, Startup Lab - 0349 Oslo - Norway