Data Processing Agreement (DPA)

Updated: 28.07.2025

1. Introduction

This Data Processing Agreement (“DPA”) is entered into between Manymore.com AS (“Manymore,” acting as Processor) and the user of the service (“Controller”). It governs the processing of personal data by Manymore on behalf of the Controller in compliance with EU Regulation 2016/679 (GDPR) and applicable national data protection laws.

This DPA applies for the period during which Manymore processes personal data on behalf of the Controller. Processing is limited to the provision of background check services as defined in the main service agreement. In the event of a conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to data protection matters.

Relation to other agreements

This DPA forms part of Manymore’s broader legal framework, which also includes the Terms of Use, Privacy Policy, and Service Level Agreement (SLA). Together, these documents govern service use, data handling practices, and service commitments. For legal inquiries, contact legal@manymore.com.

2. Definitions

  • Privacy Legislation: GDPR (EU Regulation 2016/679) and applicable national privacy laws.
  • Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”).
  • Processing: Any operation performed on personal data, such as collection, recording, storage, alteration, retrieval, or deletion.
  • Controller: The entity determining the purpose and means of processing personal data.
  • Processor: The entity processing personal data on behalf of the Controller.
  • Sub-processor: Any third party engaged by the Processor to process personal data.
  • Third Country: Countries outside the EU/EEA.
  • Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • Audit: An inspection or review of Processor’s compliance with this DPA, conducted by Controller or a mandated auditor.

For privacy terms not defined in this DPA, the definitions in Article 4 of GDPR apply.

3. Rights and obligations of the Controller

The Controller:

  • Determines the purpose and means of processing personal data.
  • Ensures that personal data is collected and processed in compliance with Privacy Legislation.
  • Provides documented processing instructions to the Processor and informs Processor of any changes or inaccuracies.
  • Ensures a legal basis for processing personal data.

4. Scope of processing

4.1 Purpose and instructions

The Processor shall process personal data only on documented instructions from the Controller (Article 28(3)(a) GDPR) and for the purpose of delivering the agreed services. The Processor shall not use personal data for its own purposes or for purposes not explicitly agreed upon.

The processing includes, among other things, the collection, recording, structuring, verification, aggregation, storage, making available, and deletion of personal data in connection with the provision of background check services.

If the Processor considers an instruction to be in breach of GDPR, it must notify the Controller without delay and suspend the instruction until clarified.

4.2 Data subjects and data categories

Data subjects may include:

  • Customers and users of the Service.
  • Employees, contractors, and representatives of the Controller.
  • Other individuals who are directly relevant to the purpose of the background check and whose data is processed based on documented instructions from the Controller.

Categories of personal data may include:

  • Name, contact details, and identification data (including national identification numbers where relevant).
  • Employment, educational and professional data.
  • Documentation uploaded by the candidate through the service (such as certificates and background check documents).
  • IP addresses, device identifiers, and usage logs.
  • Other data categories required for the service.

4.3 Purpose and duration

Processing shall be carried out solely for the purpose of providing background check services as described in the main service agreement and shall continue for the duration of the contractual relationship.

4.4 Termination and data return/deletion

Upon termination of the service agreement, Processor shall, at Controller’s choice, return or securely delete all personal data (including backups) without undue delay.

  • Deletion of backups shall occur within 90 days unless earlier deletion is feasible.
  • Confirmation of deletion or return shall be provided upon request. Retention beyond this period is only permitted where required by law.

5. Confidentiality

The Processor and all sub-processors must comply with strict confidentiality obligations. Access to personal data shall be restricted to authorized personnel with a need to know. The confidentiality obligation continues after termination of this DPA.

6. Security measures

The Processor shall implement and maintain appropriate technical and organizational measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk and update these measures when necessary. This includes:

  • Physical access control: restricted entry to premises, keycard access, visitor logs.
  • System access control: password policies, multi-factor authentication, access approvals.
  • Access management: role-based access rights, automatic logging of user activity.
  • Transmission control: end-to-end encryption of personal data in transit.
  • Storage control: encryption of personal data at rest and separation of data by purpose.
  • Monitoring and review: security logging, periodic audits, virus/malware protection.
  • Backup and recovery: regular encrypted backups, remote storage, disaster recovery testing.
  • Staff training: mandatory privacy and security training for all employees.

The Processor shall provide documentation of these measures (e.g., security reports or certifications) upon reasonable request by the Controller.

7. Data breach notification

The Processor shall notify the Controller without undue delay and, where feasible, within 24 hours after becoming aware of a personal data breach, to enable the Controller to meet obligations under Article 33 GDPR.

The notification shall include:

  • Nature of the breach and affected data categories;
  • Number of affected data subjects;
  • Likely consequences;
  • Measures taken or proposed to address the breach.

The Processor shall also notify the Controller without delay of any security incidents involving sub-processors that could impact the Controller’s personal data.

8. Data subject rights

The Processor shall assist the Controller in fulfilling obligations related to data subject rights under GDPR, including:

  • Access requests (Article 15);
  • Correction of inaccurate data (Article 16);
  • Erasure (“right to be forgotten”) (Article 17);
  • Restriction of processing (Article 18);
  • Data portability requests (Article 20).

The Processor shall not respond directly to requests from data subjects without instruction from the Controller, unless legally required to do so. If the Processor receives such a request directly, it must forward it to the Controller.

9. Use of sub-processors

The Processor has the Controller’s general authorization to engage sub-processors. The Processor shall:

  • Maintain an up-to-date list of sub-processors including name, location (country/region), and type of service provided, and make it available to the Controller upon request.
  • Notify the Controller in advance of any intended changes to sub-processors.
  • Allow the Controller to object to new sub-processors within 30 days of notice.
  • Ensure sub-processors are bound by the same or equivalent obligations as set out in this DPA through written agreements.
  • Notify the Controller of any material security incidents involving sub-processors that may affect the Controller’s data.

10. International data transfers

If personal data is transferred outside the EEA, the Processor shall ensure:

  • The recipient country has an adequacy decision (Article 45), or
  • Standard Contractual Clauses (SCCs) are implemented, with supplementary measures where required.

The Processor shall conduct and document Transfer Impact Assessments (TIA) and ensure encryption and other safeguards are applied for all transfers, including transfers involving sub-processors.

11. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable notice.

Audit scope and frequency shall be proportionate to the risk and not unreasonably interfere with Processor operations.

12. Governing law & disputes

This DPA is governed by Norwegian law. Any disputes shall be handled by Oslo District Court.

13. Change management

Where changes in applicable data protection legislation or binding instructions from supervisory authorities require updates to this DPA, the Processor may implement such changes by written notice to the Controller. Such changes shall take effect upon notice.

Any other material changes to this DPA require the Controller’s prior written approval before taking effect.

If the Controller does not accept proposed changes, the parties shall attempt in good faith to reach a solution. If no solution is reached, the agreement may be terminated in accordance with the main service agreement.

14. Contact us

For inquiries related to this DPA, contact legal@manymore.com.