This Personal Data Processing Agreement (“DPA”) is an inseparable part of the Terms of Service available at https://snapshop.no/terms-of-service/ concerning SnapShop’s photo-sharing and communication solution for enterprise Customers (“Terms”).
The purpose of this DPA is to agree on the privacy and data protection of the Personal Data of the Controller in the services of the Provider. This DPA constitutes a written Terms in accordance with the EU General Data Protection Regulation (679/2016) (“Regulation”) concerning the processing of personal data.
If the terms concerning the Processing of Personal Data of the DPA and the Terms are in conflict, the parties shall primarily apply the terms of this DPA.
In accordance with the EU General Data Protection Regulation, the terms below are defined as follows:
“Controller” shall mean the Customer or the Customer’s client, who shall define the purposes and methods of Personal Data Processing.
“Processor” shall mean the Provider, who shall Process Personal Data on behalf of the Controller based on the Terms.
“Processing” or “Processing Activities” shall mean any operation or set of operations which is performed on Personal Data or sets of Personal Data using automated means or manually, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal Data” shall mean any information relating to an identified or identifiable natural person, hereafter “Data Subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
3. Data Protection and Processing Personal Data
3.1 Obligations of the Provider and the Customer
The Provider shall process the Personal Data of the Controller on behalf of, and commissioned by the Customer, on the grounds of the Terms. The Customer or the Customer’s client shall be the Controller and the Provider shall be the Processor of the Personal Data Processed in the service. The parties undertake to abide by the legislation, decrees and authority orders and guidelines concerning Processing of Personal Data in force from time to time both in Norway and the EU.
The Controller is entitled and obligated to define the purpose and methods of the Processing of Personal Data. The subject, character and purpose of Processing is defined in more detail in the Terms. The types of Personal Data and sets of data subjects Processed in the services have been defined in Section 9 of this DPA.
The Provider is entitled to Process the Personal Data and other data of the Controller only on the grounds of the Terms, this DPA and according to the written guidelines of the Customer and only to the extent and in the manner necessary in order to provide services. The Provider shall notify the Customer if any conflict with the data protection legislation of the EU or Norway is detected in the guidelines and in such a case, the Provider may immediately decline and stop the application of the guidelines of the Customer.
The Provider shall maintain the service description or other record of the Processing Activities of the service in cases where it is required to do so by the EU General Data Protection Regulation. The Provider is entitled to collect anonymous and statistical data of the use of the services pursuant to the Terms that does not specify the Customer nor data subjects, and to use it for analyzing and developing its services.
3.2 Deletion or Returning of Data
After the expiry of the Terms, the Provider shall return or delete, according to the guidelines of the Customer, all the personal data of the Controller and delete all duplicates, unless applicable legislation requires the retention of the Personal Data.
The Provider may use subcontractors for Processing the Controller’s Personal Data. The Provider is responsible for its subcontractor’s actions as for its own and shall draft a written agreement with the subcontractors concerning the Processing of Personal Data. If requested, the Provider shall inform the Customer beforehand of subcontractors the Provider intends to use in processing the personal data within the service. The Customer is entitled to oppose the use of a new subcontractor on reasonable grounds. If the Parties are unable to reach agreement concerning the use of a new subcontractor, the Customer is entitled to terminate the Service with thirty (30) days’ notice, in so far as the change of subcontractor materially affects the Processing of Personal Data.
3.4 Provider’s Obligation to Provide Assistance
The Provider shall immediately forward all requests to inspect, rectify, erase or object to the Processing of Personal Data or other requests received from the Data Subjects, to the Customer. If requested by the Customer, the Provider shall support the Customer in fulfilling the requests of the Data Subjects.
The Provider is obligated, taking into account the nature of the Processing of Personal Data and the data available, to assist the Customer in ensuring that the Customer complies with its legal obligations. These obligations may include requirements related to data security, notifying of data breaches, data protection impact assessments as well as obligations regarding prior consultations. The Provider is obligated to assist the Customer only to the extent that applicable legislation obligates the Processor of Personal Data. Unless otherwise agreed, the Provider is entitled to invoice the expenses incurred from action pursuant to this section 3.4 according to the Provider’s valid price list.
The Provider shall forward all inquiries made by data protection authorities directly to the Customer and shall await further guidance from the Customer. Unless otherwise agreed, the Provider is not authorized to represent the Customer or act on behalf of the Customer in relation to the authorities supervising the Customer.
4. Processing Taking Place Outside EU/EEA
The Provider and its subcontractors may process personal data outside the EU/EEA.
In case the transfer of data outside the EU/EEA from the Provider to the sub-processor is permitted according to subsection 3.3, the Provider ensures that the transfer is only to: (a) countries for which the Commission has decided that they have an adequate level of data protection or (b) parties, which have committed to the Privacy Shield or use standard contractual clauses or other appropriate safety measures as they are described in article 46 of the General Data Protection Regulation. When the above-mentioned prerequisites are met and presuming that the Provider keeps the Controller aware of transfers of personal data outside the EU/EEA, the Controller gives its consent to the transfers and authorizes the Provider to agree on the use of privacy clauses on behalf of the Controller and to represent the Controller regarding those conditions of the standard contractual clauses that refer to the rights and liabilities of the Controller.
The Customer or an auditor authorized by the Customer (however, not a competitor of the Provider) is entitled to audit the activities pursuant to the DPA. The Parties shall agree on the time of the auditing and other details ahead of time and at latest 14 days before the inspection. The auditing shall be carried out in a way that does not impede the obligations of the Provider or its subcontractors in regard to third parties.
The representatives of the Customer and the auditor must sign conventional non-disclosure commitments.
The Parties shall be responsible for their own expenses caused by the auditing.
6. Data Security
The Provider shall implement the appropriate technical and organizational measures to protect the Personal Data of the Controller, taking into account all the risks of Processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosures or access to Personal Data that has been transferred, saved or otherwise Processed. When organizing the security measures, the technical options and their costs shall be assessed in relation to the special risks of the Processing at hand and the sensitivity of the Personal Data Processed.
The Customer shall be obligated to ensure that the Provider is notified of all the circumstances concerning the Personal Data the Customer has delivered, such as risk assessments and the Processing of special sets of Data Subjects that affect the technical and organizational measures pursuant to this DPA. The Provider shall ensure that the personnel of the Provider or a subcontractor of the Provider shall abide by the appropriate non-disclosure commitments.
7. Data Breaches
The Provider must notify the Customer of all Personal Data Breaches without undue delay after receiving information of the breach or after a subcontractor of the Provider has received information of the breach.
If requested by the Customer, the Provider shall, without undue delay, give the Customer all relevant information concerning the data breach. In so far as the information in question is available to the Provider, the Provider shall describe at least the following to the Customer:
the occurred data breach,
if possible, the sets of data subjects and the number thereof, as well as the sets of personal data types and estimated numbers,
a description of the likely consequences caused by the data breach, and
a description of reparative measures, that the Provider has implemented or shall implement in order to prevent data breaches in the future, and if necessary, the measures to minimize the harmful effects of the data breach.
The Provider shall document and report the results of the inquiry and the implemented measures to the Customer.
The Customer shall be liable for the necessary notifications to the data protection authorities.
If any tangible or intangible damage is caused to a person due to a breach against the EU General Data Protection Regulation or the DPA, the Provider shall be liable for the damage only in so far as it has not explicitly abided by the obligations directed to Personal Data Processors in the EU General Data Protection Regulation or this DPA.
Both parties are obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damage confirmed in the final decision of a data protection authority or a court of law. In all cases the liability of the parties shall be determined pursuant to the Terms.
9. Data Processing Details
Types of Personal Data Processed by the Provider:
First name and surname
Contact information (email, telephone number, postal address)
Geo-location of the uploaded content
Start and end date of service
Direct marketing permits and bans
Sets of data subjects:
Employees of Controller
Subcontractors of Controller
Customers of Controller
Partners of Controller
10. Other Provisions
The Provider shall notify the Customer in writing of all changes that may affect its ability or chances to abide by this DPA and the written guidance of the Customer. The Parties shall agree on all additions and amendments to this DPA in writing.
This DPA shall enter into force at the moment the Customer duly accepts to be bound by the Terms. The DPA shall remain in force (i) as long as the Terms is in force or (ii) the parties have obligations concerning personal data processing activities towards one another.
Those obligations that due to their nature are meant to survive the expiry of this DPA shall remain in force after the expiry of the DPA.
SnapShop is a product developed and delivered by BeMobile AS
What personal information do we process and why?
BeMobile processes personal information that is needed in order to deliver the SnapShop solution with the agreed functionality. Personal information can be name, mobile number, position and GPS position to attach submitted photos and reports to the right seller, store, campaign, etc.
We receive personal information directly from the user when creating a user profile or by receiving lists from the user's employer. When a user profile is created, directly or indirectly from the employer, the user at the same time gives consent to our processing of personal information.
Users of the service may withdraw their consent at any time by contacting BeMobile.
Who has access to the information?
Processing of personal information about our users is an integrated part of our business. BeMobile will share information with subcontractors and partners where necessary.
BeMobile uses various IT services and IT systems in our business. In some of these, personal data is stored and handled. Our categories of service providers and partners are:
• Hosting / infrastructure / storage
• SMS gateway
• Analytical tools
• Suppliers of customer support tools
• Marketing and email providers
• Internal communication tools
Some of these systems are installed locally with us, and only our employees have access to the data. However, some systems are cloud solutions or installed at the supplier, which means that we transfer personal data to the supplier. In these cases, the supplier is responsible and handles the data on our behalf and in accordance with our instructions.
Data controller contact info
BeMobile, represented by the general manager, is responsible for the company's processing of personal information.
If you have any questions about our privacy statement or about our use of personal information, please contact us at firstname.lastname@example.org or by mail at BeMobile AS, Schweigaardsgate 34C, 0191 Oslo
As a user of SnapShop, you have the right to gain access to your personal data and use of these, which includes the following:
- To gain access to your own personal information, what we have stored about you
- Removing all the personal data we have stored on you
- That incorrect or incomplete information is corrected, deleted or supplemented
- Being able to dispute our processing of data
- To be able to withdraw the consent you have given
- The right to data portability. To the extent it is relevant, to be able to transfer data that we have collected under consent to another solution
If you have any questions regarding our processing of your personal information, please contact us via the contact details below. Requests must be answered within 30 days.
If you wish to complain about our processing of your personal data, you can address a request to the Norwegian Data Protection Authority (Datatilsynet).
Storage location and times
BeMobile stores your personal information as long as it is required for the purpose. If you are a user of SnapShop then your contact information will be retained as long as you choose to be a customer or as long as your employer wants to keep data in the solution. If a user is deleted in the system then all personal information will be anonymised.
All data on our local systems is stored within the EU (Belgium) on Google Cloud.
BeMobile is based in Norway, and it is the Norwegian Data Protection Authority (Datatilsynet) that supervises compliance with privacy law. If you have any questions about privacy and BeMobile, you can contact the Norwegian Data Protection Authority (Datatilsynet) directly. You can find more information on their website: https://www.datatilsynet.no/