Data Processing Terms

User, hereinafter referred to as the „controller“

AND

Payday ehf., id. 520417-2570, domiciled at Bæjarlind 14-16, 201 Kópavogi, hereinafter referred to as the „processor“

enter into a data processing contract, in accordance with Article 28. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016:

The purpose of these contractual provisions is to specify the obligations of the processor on behalf of the controller, in connection with the processing activities covered by the contract, see further in Section 3.

The Contracting Parties shall be bound by all relevant legal provisions relating to the processing of personal data by them and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free dissemination of such information and the repeal of Directive 95/46 / EC (General Data Protection Regulation), implemented 25 May 2018.

In most cases, the personal information covered by this processing is considered general.

The processor may process, on behalf of the controller, the personal information that is necessary for him to provide the services that Payday offers.

The nature of the processing activities in question is accountancy, payroll processing and the submission of public charges.

The Processor may process the following types of personal information provided by the controller:

• Name, identification number, address, email address and bank account of the controller;

• In addition, if the controller chooses to use Payday's payroll services, he also provides information on salaries, pension fund membership, union membership, personal allowance and the employment rate of the controller staff;

• Name, identification number, address, e-mail address of the controller customer if that customer is an individual.

The processor may work with the following categories of registered persons:

• Controller;

• Controller's customer;

• Controller's employee.

Processor has signed processing agreements with subcontractors who may process personal information on our behalf

The processor shall:

Only process personal information in accordance with the purpose of the processing, cf. this agreement;

Only process personal information in accordance with the instructions of the controller attached to this agreement. In cases where the processor considers that the instructions of the controller do not comply with the general privacy regulation or other relevant legal provisions relating to the processing of personal data, it must immediately notify the controller. The processor shall also notify the controller if the processor is required by law to transfer personal information to third countries or international organizations, unless prohibited by law;

Ensure the confidentiality of the processing of personal data covered by this Agreement; and;

Ensure that those employees who have access to personal information in connection with the execution of the contract have signed a confidentiality statement or are bound by confidentiality under the law and that they receive appropriate training in the protection of personal data;

Ensure that devices and tools, products, applications and services are designed with built-in and default privacy in mind;

Use of subcontractors
The processor may negotiate with another party ("subcontractor") to carry out certain processing operations. Before the intended changes take effect, both when adding subcontractors and when modifications are made to the subcontractors already used, or in the case of additions or changes to the existing arrangements for processing operations, the processor shall inform the controller in writing of the changes. It shall specify in particular what processing operations the subcontractor intends to undertake, the name and contact details of the subcontractor together with the date of the contract. Appendix 1 contains a list of existing subcontractors.

The rights of the data subjects.
The responsible party is responsible for providing the recorded information (information) about the processing activities before or as soon as the processing begins, in accordance with the provisions of the General Data Protection Regulation on information that must be provided to the registered person, cf. May 13 and 14.

Granting of rights to the registered person
To the extent possible, the processor must assist the controller with the duty of responding to the records of registered persons for their rights, such as access rights, the right to correct and delete information, and to oppose or restrict the processing, the right to transfer and the right. to avoid having to undergo automated decision making, including using personal profiles. When the data subject submits a request to exercise his rights with the processor, the processor shall forward such request without delay to the controller.

Security breach notification
The processor shall notify the controller of any security breach no later than 24 hours after the breach has occurred. The notification shall include any documents or documents necessary for the controller to report the breach to the appropriate regulatory body (Data Protection).

Information transmitted to the data subject must be clear and simple and state at least:

• the nature of the breach, including, where appropriate, the categories and roughly estimated number of persons affected by the violation and the categories and the amount of records concerned;

• name and contact details of a privacy officer or other contact where further information can be obtained

• what are the likely consequences of the security breach

• what actions have been taken or suggested to be taken to respond to the violation, including, where appropriate, actions to reduce the impact of the violation on individuals

• what actions individuals can take to minimize their damage, such as changing their passwords

Assistance to the controller in complying with the terms of the General Privacy Regulation
The processor shall assist the controller in conducting an assessment of the impact on privacy. The processor shall assist the controller in complying with the provisions of the pre-consultation regulation with the supervisory authority (Data Protection).

Safety measures
The processor shall implement the following security measures:

• implementation of technical and organizational measures designed to ensure lasting confidentiality, uptime, operational security and load-tolerance of processing systems and services

• control of individuals' access to our work site and security

• controlling access of employees and others to systems that contain personal information

• to ensure that our service providers with access to user personal information have taken appropriate safeguards to ensure the security of personal information

• encryption of user personal information

What will happen to personal information at the end of processing
Upon termination of service under this Agreement, the Processor agrees to:

• According to the Regulation on Electronic Accounts and Accounting Law, data for this purpose must be kept for seven years from the date of their publication until the time after which the data is deleted.

• The processor stores personal information for 30 days after the closure of access, cf. Article 3 in Payday's Privacy Policy and will delete them at that time if it does not conflict with the Electronic Accounting and Accounting Act.

When submitting information, all copies of personally identifiable information found in the processor systems must also be deleted.

Data Protection Officer
Björn Hr. Björnsson is Payday's privacy officer and oversees compliance with current laws and regulations on privacy in Payday's operations. Inquiries, comments and suggestions regarding personal information and privacy can be sent to the email address [email protected] or by sending a mail to:

Data Protection Officer
Bæjarlind 14-16
201 Kópavogi
Ísland

List of processing activities
The processor shall keep a record of all processing activities carried out on behalf of the controller.

It shall include the following:

• the name and contact information of the processor, one or more, and any controller responsible for the processor;

• categories of processing performed on behalf of each controller.

Documentation for proof of compliance
The processor shall provide the controller with all necessary documentation to demonstrate compliance and to enable the controller or auditor to carry out audits, including inspections, and to assist with such audits.

Provide the processor with the data mentioned in section 2;

Record in writing all instructions regarding the processing directed to the processor;

Ensure, before and during processing, that it is operating in accordance with the requirements made to it under the General Privacy Regulation; and;

Oversee the processing, including conducting audits and inspections at the processor.

This Agreement comes into force when the controller agrees to Payday's Terms of Service upon registration the service and is valid while the controller uses the Payday Services in some way.