Unloc Privacy Policy and Data Processing

Valid from: March 17, 2024

‍

1. INTRODUCTION

This agreement sets out the main principles for processing of personal data under and constitutes an integral part of the existing agreement for services between the parties (the "Agreement").

References to the term "Processing Agreement" means this agreement document and the following appendices attached hereto:

Appendix A - Overview of Services, Processing, Personal Data and Data Subjects
Appendix B - Approved sub-processors
Appendix C - Overview of technical and organisational measures

‍

2. PURPOSE OF THE PROCESSING AGREEMENT

The purpose of the Processing Agreement is to regulate rights and obligations pursuant to applicable Data Protection Legislation relating to Processor's processing of Personal Data (as data processor) on behalf of the Controller.

“Data Protection Legislation” shall mean the EU General Data Protection Regulation 2016/679 (GDPR) and national provisions, as amended or replaced.
“Personal Data” means any information relating to an identified or identifiable natural person (the “Data Subject”).

The Processing Agreement shall ensure that Personal Data is processed in accordance with Data Protection Legislation and is not used unlawfully or comes into possession of unauthorized parties.

‍

3. SCOPE OF PROCESSING

3.1 General
The Controller determines the purposes and means of the processing of Personal Data. Processor and its sub-processors may only process such data on documented instructions from the Controller.

3.2 Purpose and scope
The agreement covers Processor’s processing of Personal Data in connection with the provision of “Services” as described in Appendix 1.

3.3 Categories of data
As specified in Appendix 1: categories of Personal Data and Data Subjects.

‍

4. OBLIGATIONS OF THE CONTROLLER

The Controller warrants that Personal Data is processed for legitimate and objective purposes and that Processor is not processing more data than necessary.
The Controller is responsible for ensuring a valid legal basis for processing and that the data subjects have been informed accordingly.

‍

5. CONFIDENTIALITY

Processor and its sub-processors are bound by a duty of confidentiality regarding all processing of Personal Data. This obligation also applies after termination of the agreement.

‍

6. TECHNICAL AND ORGANISATIONAL MEASURES

Processor shall implement appropriate technical and organisational measures as required by law to ensure an appropriate level of security.
All data transmissions shall occur with encryption or similar means of protection.
Detailed measures are provided in Appendix 3.

‍

7. ACCESS TO PERSONAL DATA AND FULFILMENT OF DATA SUBJECTS’ RIGHTS

The Controller may request access to processed data. Processor shall assist the Controller in responding to Data Subject requests such as access, rectification, erasure, restriction, objection, and portability.
The Processor may charge NOK 125 per request (0.25 hours at NOK 500/hour).

‍

8. OTHER ASSISTANCE TO THE CONTROLLER

Processor shall assist with inquiries from supervisory authorities and impact assessments as required by law.

‍

9. NOTIFICATION OF PERSONAL DATA BREACH

Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach, including details of scope, consequences, and measures taken.

‍

10. TRANSFER

Transfer of Personal Data outside the EU/EEA requires prior approval from the Controller and must rely on EU standard contractual clauses or another legal basis.

‍

11. USE OF SUB-PROCESSORS

Processor may engage sub-processors with the Controller’s general authorisation, provided they meet equivalent data protection requirements.
Approved sub-processors are listed in Appendix 2.

‍

12. AUDITS

Controller and supervisory authorities may conduct audits once a year upon 14 days’ notice. The Controller bears all costs unless non-compliance is discovered.

‍

13. TERM AND TERMINATION

This agreement is valid as long as Processor processes data on behalf of the Controller. The Controller may terminate immediately in case of breach.

‍

14. EFFECTS OF TERMINATION

Upon termination, Processor shall delete or return all Personal Data and confirm deletion in writing.

‍

15. NOTICES AND AMENDMENTS

All notices shall be in writing via email. Any amendments must be agreed in writing and signed by both parties.

‍

16. GOVERNING LAW AND LEGAL VENUE

The governing law and venue shall follow the main service agreement.

‍

APPENDIX A – OVERVIEW OF SERVICES, PROCESSING, PERSONAL DATA AND DATA SUBJECTS

1. Services
Development and provision of software for creating and managing digital keys.

2. Processing
Processing includes all activities necessary to deliver the Services.

3. Personal Data
Personal data processed includes:
a) Name, phone number, and contact details, lock locations, and usage statistics (retained until deletion request).
b) Key usage events (deleted after 60 days).

4. Data Subjects