Data Processing

DATA PROCESSING AGREEMENT – TERMS OF NOONA LABS EHF.

These terms apply to the processing of Noona Labs ehf., company no. 450310-0690, Skipholt 11-13, 105 Reykjavík (hereinafter also referred to as "the Company" or "Processor"), of personal data on behalf of its customer (hereinafter also referred to as "Controller") in connection with the services provided by the Company.

The services in question consist of the use of the scheduling and service system Noona HQ and/or the online booking system Noona. These terms apply to the service that the customer purchases from the Company at any given time.

In connection with the processing that takes place in relation to the use of Noona HQ and Noona, as applicable, the customer acts as a so-called data controller within the meaning of the Personal Data Protection Legislation and the Company as a so-called data processor.

The purpose of these terms is to specify the Processor’s obligations in connection with the services carried out on behalf of the Controller and to ensure that personal data is processed in accordance with applicable legislation.

The term “Personal Data Protection Legislation” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), the Icelandic Data Protection Act No. 90/2018 on Data Protection and the Processing of Personal Data and, as applicable, other legislation of the European Union where the Controller is established. 

1. Processing of Personal Data 

The Processor’s services consist of granting the Controller a license to use Noona HQ and/or Noona (hereinafter also referred to as the "Systems"), technical assistance in connection with the use of the Systems, hosting of the data entered into the Systems and the services of sending the Controller’s customers a reminder about booked services (hereinafter collectively referred to as the "Service").

In order to be able to provide the Controller with the Service, the Company needs to process personal data.

In relation to Noona HQ, the Processor processes the following personal data, as applicable, on behalf of the Controller: 

• Users of the System (e.g. employees of the Controller)

• contact information, i.e. name, phone number and email address

• information on appointments for each user of the System and, as applicable, information on users’ days off work

• activity logs for the System’s users 

• information related to technical assistance requests

• Customers of the Controller (including customers of the users of the System) 

• the information that the Controller enters into the System, e.g.: 

• contact information, i.e. including name, ID number, telephone number and e-mail address

• transaction history, i.e. list of appointments 

• comments and notes written by the Controller into the System, including in terms of customer service

• information related to attendances and cancelations of customers 

• photos and attachments 

In relation to Noona, the Processor processes the following personal data, as applicable, on behalf of the Controller: 

• Customers of the Controller (including customers of the users of the System); 

• contact information, i.e. including name, ID number, telephone number and e-mail address

• business history, i.e. list of all appointments and, as applicable, the type of service provided 

In connection with both of the Systems, the Processor undertakes to send messages to customers on behalf of the Controller, e.g. via emails, text messages and notifications in the app. In connection with such services, personal data is processed, that is name, e-mail address, telephone number and messages’ content. 

The Processor also undertakes to provide the Controller’s customers with information on their booking history via the Noona app, in the event the customers have downloaded the app. Through the app, the Controller’s customers can list the Controller as his „favourite“ and make appointments with the Controller through the app. 

2. The Processor‘s Obligations

1. The Controller‘s Instructions 

The Processor is only permitted to process personal data in accordance with the instructions from the Controller and in accordance with the purpose of the processing described in these terms. If the Processor concludes that the Controller’s instructions violate the Personal Data Protection Legislation, the Processor shall notify the Controller thereof.

Notwithstanding the above, the Processor shall have the right to obtain the data subjects’ consent, including from the Controller’s customers, to process the personal data that the Processor processes on behalf of the Controller. That includes i.e. data about the business history of the customers. In connection with such processing the Processor acts as an independent controller and such processing activities shall be independent and irrelevant to the processing activities undertaken under these terms. 

On the basis of these terms, the Processor shall be permitted to process the data collected through the use of the Systems in a non-personally identifiable manner, including for the purpose of developing and improving the quality of the Service.

The Processor shall not be allowed to transfer the personal data processed by the Processor on behalf of the Controller outside the European Economic Area without the Controller’s consent.  

2. Confidentially of Employees   

The Processor shall ensure that all employees who have access to the Controller’s personal data have undertaken a confidentiality obligation. 

3. Security Measures

The Processor shall implement appropriate technical and organizational security measures to ensure adequate level of security of the personal data and to protect it against unlawful destruction, accidental loss or alteration, unauthorized access, and any other unlawful processing. The measures shall take into account the latest technology, the cost of implementation, scope, context and purpose of processing and the associated risk.

4. Data Breaches 

If a data breach occurs in relation to the Processor’s processing of personal data on behalf of the Controller, the Processor shall without undue delay notify the Controller of such a breach. In such a notification, the Processor shall, to the extent possible, describe the breach, including the nature of the breach and its consequences.

5. Data Subjects’ Rights 

The Processor shall, to the extent reasonably possible, assist the Controller in complying with requests from data subjects, concerning the processing undertaken by the Processor on the basis of these terms, related to their rights on ground of the Personal Data Protection Legislation, e.g., in relation to access and/or deletion requests.

6. Access and Audit Rights

The Processor shall provide the Controller with access to information that is necessary to demonstrate that obligations under the Personal Data Legislation have been complied with. The Processor shall also provide the Controller, or the third party designated by the Controller, with the opportunity to carry out an audit of the Processor's processing of personal data on behalf of the Controller, in accordance with the Personal Data Protection Legislation.

7. Return or Erasure of Personal Data

While the Processor processes personal data on behalf of the Controller, the latter may at any time request that the Processor erases the personal data that the Processor processes on behalf of the Controller. At the end of the service agreement, the Processor shall also return and/or erase the personal data the Processor processes on behalf of the Controller, in accordance with the Controller's instructions thereof. If the Processor receives no instructions from the Controller, the Processor shall be allowed to erase the data within one year from the end of the service agreement between the parties.

If the Processor has obtained a consent from the data subjects to process the same personal data which is processed on behalf of the Controller on the basis of these terms, the Processor shall not be obliged to erase that data. In such instances the Processor shall be considered an independent controller of such processing activities.  

3. The Controller ‘s Obligations 

The Controller warrants that the Controller has the authority to entrust the Processor with the processing of the personal data entered into the Systems, that the processing is carried out on a legitimate basis, that the data subjects have been informed about the processing and that the Controller otherwise fulfils the obligations provided for in the Personal Data Protection Legislation.

4. Use of Sub-Processors

The Processor shall be entitled to entrust sub-processors for the processing provided for in these terms, in whole or in part, provided that the Processor ensures that the sub-processor fulfils the same obligations as required by the Processor on the basis of these terms.

An appendix to these terms stipulates the sub-processors used by the Processor. If changes are made and the Processor adds a new sub-processor, the Processor shall be obliged to notify the Controller thereof and provide the Controller the opportunity to object to such appointment within 30 calendar days.

Even though the Processor uses a sub-processor, the Processor shall still be responsible for all processing that takes place on the basis of these terms on behalf of the Controller.

5. Duration

These terms shall be valid as long as the parties are in a business relationship and the Processor processes personal data on behalf of the Controller. 

6. Jurisdiction 

These terms are governed by the jurisdiction of Iceland. If a dispute arises regarding these terms, the proceedings shall be brought before the District Court of Reykjavík. 

Appendix to Terms – List of Sub-Processors

In connection with the Services related to the customer's use of the Systems, the Processor uses the following sub-processors:

Compose

The Company uses Compose to host the Company's database. Compose meets all major international security standards and it hosts databases for many international software companies. Compose is owned by IBM.

The database is hosted in Ireland, which is part of the European Economic Area.

For more information, https://www.compose.com/terms-of-service.

AWS

The Company uses Amazon Web Services (AWS) to store images and attachments that users decide to store inside the System. AWS also hosts the web System itself.

The database is hosted in Ireland, which is part of the European Economic Area.

For more information, https://aws.amazon.com/privacy/

Intercom

The Company uses Intercom to provide direct communication with the users who use the System, e.g. in connection with user assistance and to send messages. Intercom stores conversations and company names.

For more information, https://www.intercom.com/terms-and-policies#privacy

Síminn hf.

The Company sends text messages on behalf of the Controller through Siminn's web services. Síminn does process the content of the messages, only mailing lists. 

For more information, https://www.sa.is/media/2739/siminn-og-personuvernd.pdf