Last updated: Mar 30, 2025
The entity (e.g., company, organization) that has entered into the Service Agreement ("Customer"). The person who has entered into the Service Agreement on behalf of the Customer is considered the contact person.
COBRIEF AS, Address: Møllergata 6 0179 OSLO Norway, Organization number: 931645544
Contact person: Jonas Klafstad, Title: CEO, E-mail: jonas@cobrief.no
The Data Controller and Data Processor are individually referred to as "Party" and collectively as "Parties".
The Data Processor has committed to delivering the services described in the end-user agreement (https://www.cobrief.no/juridisk/sluttbrukeravtale) ("Service Agreement"). The execution of this work involves the Data Processor Processing Personal Data on behalf of the Data Controller.
As the customer, the Data Controller determines the purpose of the Processing of Personal Data and the means to be used.
This data processing agreement ("Data Processing Agreement") sets out the framework for the Data Processor's Processing of Personal Data on behalf of the Data Controller.
The purpose of this Data Processing Agreement is to:
In the event of a conflict between the provisions of this Data Processing Agreement and other agreements between the Parties, including the Service Agreement, the provisions of the Data Processing Agreement shall prevail.
The following definitions apply to this Data Processing Agreement:
"Data Processing Agreement" means the provisions set out in this data processing agreement with appendices.
"Personal Data" means any type of data or information that is considered personal data under the Norwegian Personal Data Act and GDPR. This includes, but is not limited to, the information set out in Appendix 1.
"Processing" (of Personal Data) means any use of Personal Data, such as collection, storage, organization, alteration or adaptation, disclosure, and/or transfer.
"GDPR" means EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as implemented in Norwegian law).
"Personal Data Legislation" means the Norwegian law on the processing of personal data of 15 June 2018 No. 38 with supplementary regulations implementing GDPR and all other relevant legislation regulating the parties' processing of Personal Data.
"Law" means any other applicable legislation to which the Parties are subject.
"Sub-processor" means other data processors used by the Data Processor to process the Personal Data.
"Data Subjects" means any identified or identifiable person to whom the Personal Data relates.
"System" means the Cobrief AS software-as-a-service product described in the Service Agreement, generally a platform for managing procurement processes (currently accessible at app.cobrief.no).
"Customer" means the company purchasing services from Cobrief under the Service Agreement, and is the same Party as the Data Controller.
The Parties shall Process Personal Data in accordance with the Personal Data Legislation, GDPR, and this Data Processing Agreement.
The Data Processor shall only collect, record, compile, store, and otherwise Process Personal Data to the extent necessary to fulfill the Service Agreement and the Data Processing Agreement.
The Data Controller must ensure that there is a legal basis for the Processing of Personal Data.
The Data Processor shall only Process Personal Data according to documented instructions from the Data Controller.
The Data Processor may also Process Personal Data if required by Law to which the Data Processor is subject. In such a case, the Data Processor shall notify the Data Controller of the legal obligation prior to the Processing, unless the relevant Law prohibits such information from being provided for reasons of public interest.
The Data Controller's instructions to the Data Processor are set out in this Data Processing Agreement with appendices.
Appendix 1 to the Data Processing Agreement describes the categories of Personal Data the Data Processor may Process and the purpose of the Processing. The Data Processor shall not Process Personal Data for purposes other than those stated herein.
The Parties shall immediately notify each other if one Party believes that instructions or requirements from the other Party are contrary to the Personal Data Legislation or GDPR.
Taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations under GDPR Articles 32 – 36.
The Data Processor shall comply with the information security requirements of the Personal Data Legislation and GDPR, including implementing appropriate technical and organizational security measures to achieve a level of security appropriate to the risk, in accordance with GDPR Article 32.
The technical and organizational measures to be implemented are described in Appendix 2.
The Data Processor shall also assist the Data Controller in ensuring compliance with the Data Controller's obligations regarding sufficient information security in accordance with GDPR Article 32.
If the Data Processor engages a Sub-processor to perform specific processing activities on behalf of the Data Controller, the relevant Sub-processor shall be subject to the same obligations for the protection of personal data as set out in this Data Processing Agreement through an agreement or other legal document.
The Data Processor shall be fully liable to the Data Controller for the Sub-processor's compliance with its obligations for the protection of personal data.
The Sub-processors used by the Data Processor in connection with the Service Agreement ("List") are available to the Data Controller at https://www.cobrief.no/juridisk/datautveksling. The Data Controller accepts that the Data Processor uses these Sub-processors.
The Data Controller accepts that the Data Processor uses Sub-processors other than those described in the current List. The Data Processor will provide the Data Controller a mechanism to subscribe to notifications about new Sub-processors and the Data Controller, if it wishes, will subscribe to such notifications where available. If the Data Controller does not subscribe to such notifications, the Data Controller waives any right it may have to receive prior notice of changes in Sub-processors. At least twenty (20) days before the Data Processor grants a third party other than existing Sub-processors access to perform specific processing activities on Personal Data, the Data Processor will add such third party to the List and notify subscribers, including the Data Controller, via the aforementioned notifications. The Data Controller may object to such an agreement by informing the Data Processor in writing and based on objective grounds related to data protection. The Data Controller acknowledges that certain Sub-processors are necessary to provide the Service, and that objection to the use of a Sub-processor may prevent the Data Processor from providing the Service to the Data Controller.
If the Data Controller reasonably objects to an engagement in accordance with Section 8, and the Data Processor cannot offer a commercially satisfactory alternative within a reasonable time, the Data Controller may discontinue the use of the Service by giving written notice to the Data Processor. The discontinuation shall not relieve the Data Controller of any fees owed to the Data Processor under the Service Agreement.
If the Data Controller does not object to the use of the new Sub-processor in accordance with Section 8 within twenty (20) days of notification from the Data Processor, the relevant third party will be considered a Sub-processor in connection with this Data Processing Agreement.
The Data Processor shall not transfer Personal Data to countries outside the EU/EEA area or to an international organization without the prior written consent of the Data Controller, unless the European Commission has determined that the country or international organization ensures an adequate level of protection.
If the Data Controller accepts such a transfer of Personal Data to a country outside the EU/EEA area or to an international organization, the Data Processor shall ensure that the transfer takes place in accordance with the rules in GDPR Chapter V, including assessing the level of protection in the third country or third countries to which personal data is to be transferred, and to ensure that supplementary measures of a technical, organizational or contractual nature are implemented to ensure a level of protection essentially equivalent to that in the EU/EEA.
The Data Controller shall be the point of contact for Data Subjects and provide necessary information about the Processing.
The Data Controller is responsible for handling Data Subjects' requests for access, rectification, erasure, restriction, data portability, etc., and for ensuring that such requests are met.
The Data Processor shall, taking into account the nature of the Processing and to the extent possible by means of appropriate technical and organizational measures, assist the Data Controller in fulfilling the Data Controller's obligation to respond to requests that Data Subjects submit with a view to exercising their rights set out in GDPR Chapter III.
If the Data Processor receives a request from the Data Subject, the Data Processor shall notify the Data Controller as soon as possible.
Any use of information systems in violation of the Data Processor's established procedures, the Data Controller's instructions, the Personal Data Legislation, or GDPR, as well as any other security breach, shall be handled as an incident.
The Parties shall establish and maintain procedures and systematic measures for following up on incidents, including measures for restoring normal conditions, removing the cause of the incident, and preventing recurrence.
The Parties shall, as soon as they become aware of an incident, without undue delay and no later than within 36 hours, inform each other of any security breaches and immediately implement all necessary and appropriate measures to restore normal conditions.
The Data Controller is responsible for sending a breach notification to the Data Protection Authority and Data Subjects in accordance with GDPR Articles 33 and 34. The Data Processor shall, if necessary, assist the Data Controller in ensuring that GDPR Articles 33 and 34 are complied with.
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor's obligations under the Personal Data Legislation, GDPR, and this Data Processing Agreement.
The Data Processor shall enable and contribute to audits, including inspections, conducted by the Data Controller or another inspector authorized by the Data Controller, of the Data Processor's compliance with GDPR, the Personal Data Legislation, and this Data Processing Agreement. The Data Controller has the right to conduct such audits at its own expense, up to once a year with four weeks' prior notice.
The Data Processor has a duty of confidentiality regarding the Personal Data and the documentation that the Data Processor gains access to through the Data Processing Agreement. The duty of confidentiality also applies after the termination of the Data Processing Agreement.
The Data Processor shall not disclose or provide access to the Personal Data to anyone other than its own employees, Sub-processors, or employees of the Data Controller, unless this has been agreed in writing with the Data Controller or follows from law, regulation, or decision of a public authority.
The Data Processor shall ensure that persons authorized to Process the Personal Data have committed themselves to treating the information confidentially in the form of a confidentiality agreement or are subject to an appropriate statutory duty of confidentiality.
The Agreement applies as long as the Data Processor processes Personal Data on behalf of the Data Controller.
When the Data Processing Agreement terminates, the Data Processor shall return all Personal Data covered by the Data Processing Agreement in a format suitable for further Processing by the Data Controller or a third party designated by the Data Controller.
The Data Controller may alternatively require that the Personal Data be deleted and/or destroyed in accordance with the Data Controller's written instructions.
The Parties shall agree on how the transfer, or deletion and/or destruction, shall specifically take place.
The Data Processor shall document in writing that deletion and/or destruction has been carried out in accordance with the agreement within a reasonable time after the Data Processing Agreement terminates.
Exceptions apply if the Personal Data Legislation, GDPR, or Law requires that the Personal Data be stored further.
The Agreement is governed by Norwegian law. The Parties agree on Oslo District Court as the legal venue.
Type of personal data:
Category of data subjects:
Purpose of processing:
To deliver the System Cobrief as described in the Service Agreement, a Software as a Service (SaaS) product intended for streamlining a supplier's work in public and private procurement processes, including relevant services such as customer support and newsletter with product information. The Data Controller will use the system to find, evaluate, write and gather feedback on bids submitted to private and public purchasers.
To protect your personal data, Cobrief has implemented the following security measures:
Data Protection
Organizational Security
Sub-processors
Data Portability and Deletion
You can request to have your data exported or deleted at any time.
We are committed to protecting your personal data and take security seriously. We are constantly working to improve our security measures to ensure that your data is safe with us.