Unless the context explicitly requires otherwise, the following capitalized terms in this Data Processing Agreement will have the following meanings:

Capitalized terms not defined above will have the same meaning as defined in the Terms of 3Service, unless the context explicitly requires otherwise.

Justikal shall provide Services to the Customer in accordance with the Terms of Services. In providing the Services, Justikal shall process the Customer Data on behalf of the Customer. Customer Data may include Personal Data. Therefore, the Customer shall be:

Data controller with respect to the Customer Data; or

Data processor, where the Customer processes personal data on behalf of a third party.

For the purposes of this Data Processing Agreement and Terms of service, Justikal is a data processor. Justikal will process and protect Customer Data in accordance with the terms of this Data Processing Agreement.

This Data Processing Agreement shall apply only to the processing of the Customer Data, where Justikal processes such data on behalf of the Customer and under its documented instructions while providing the Services.

In cases where Justikal processes the Customer Data as a data controller, this Data Processing Agreement shall not apply. Instead, Privacy Policy and other Justikal documents shall apply.

Justikal shall process the Customer Data in order to provide Services.

Justikal shall process such types of Personal Data that the Customer uploads or submits when using the Services. This may include, but is not limited to, name, surname, date of birth, personal code, phone number, email address, address, workplace data. Please note that this is a non-exhaustive list and may vary in every case, including, but not limited to, depending on the nature and contents of the Customer Data provided by the Customer (or third party where the Customer acts as a data processor) to Justikal when using the Services. This is especially due to the fact that there could be a variety of types of judicial cases managed via the Services, and the Customer Data could likewise contain all types of Personal Data, including special categories of Personal Data, such as Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health, criminal records, etc.

The categories of data subjects whose Personal Data Justikal processes while providing the Services may include, but are not limited to, claimants, defendants, prosecutors, attorneys, public officials, witnesses, as well as any other third parties whose Personal Data may be present in the documents uploaded by the Customer as part of Customer Data.

Justikal shall process the Customer Data from the moment the Customer uploads or submits them when using the Services until the removal thereof by the Customer but no longer than specified in Article 13.2 of this Data Processing Agreement.

Justikal shall ensure for the Customer Data to be processed in the European Economic Area. However, should any Personal Data within the Customer Data become necessary to be transferred outside of the European Economic Area (e.g., if Justikal engages a Sub-Processor located outside of EEA), Justikal will make sure that such transfers take place in full compliance with the GDPR, following appropriate legal safeguards to protect the Personal Data concerned. Thus, Personal Data transfers outside of EEA may take place either (i) on the basis of an adequacy decision held by the respective third country or international organisation, or (ii) where other appropriate safeguards are in place between Justikal and Personal Data recipient, e.g., standard contractual clauses adopted by the European Commission.

Justikal shall use the Customer Data only for the provision of the Services and implementation of its rights under the Terms of Service. Justikal shall not, under any circumstances, transfer or otherwise disclose Personal Data or other information relating to the processing of Personal Data to third parties without the prior instructions of the Customer, with the exception of the categories of recipients of Personal Data indicated in Article 4.3 of this Data Processing Agreement, and of the persons to whom the right to receive the Personal Data from Justikal has been granted by law.

Justikal shall ensure that the access to the Customer Data would be granted only to those employees or suppliers of Justikal which require such data for performing work functions or providing services to Justikal.

Justikal shall ensure that the employees or suppliers of Justikal processing Customer Data would comply with this Data Processing Agreement and would undertake to observe the confidentiality clause or would be subject to relevant confidentiality obligation establish under the laws. This also applies with regard to Sub-Processors that Justikal may engage as further detailed in Chapter 9 of this Data Processing Agreement.

If in complying with the requirements of the laws Justikal is obliged to disclose the Customer Data to third parties (e.g. law enforcement authorities), Justikal shall immediately notify the Customer about the requirements to disclose the Customer Data, unless otherwise required by the laws.

Such confidentiality obligations shall remain in force indefinitely and following the expiry of this Data Processing Agreement.

Justikal shall process the Customer Data only according to documented instructions of the Customer.The Customer shall ensure that appropriate legal basis for processing of Customer Data by Justikal exists. Justikal shall also comply with the obligations imposed on data processors by the GDPR, the Icelandic Act on Data Protection, or other legislation.

The Parties agree to regard this Data Processing Agreement, Terms of Service and Service settings, which may be set by the Customer when using Services, as documented Customer instructions. The Parties may agree on execution of additional Customer instructions and the price thereof.

Additional Customer instructions outside the scope of the documented instructions (if any) require prior written agreement between Justikal and the Customer, including agreement on any additional fees payable by Customer to Justikal for carrying out such instructions, including, but not limited to:

assistance with the data controller’s obligation to respond to data subject requests;

implementation of any additional technical and organisational measures not set forth by this Data Processing Agreement;

assistance with the data controller’s obligation to carry out a data protection impact assessment and/or prior consultation with the supervisory authority.

Justikal shall immediately inform the Customer if Justikal believes that the Customer’s instructions are in conflict with the GDPR, the Icelandic Act on Data Protection or other applicable legislation governing the protection of personal data. This clause does not in any way impose Justikal with the duty to monitor Customer Data and/or to take any additional steps and/or to acquire additional information to evaluate the lawfulness of the Customer’s instructions.

In processing the Customer Data, Justikal shall implement appropriate technical and organizational measures to protect the Customer Data. Justikal shall select technical and organizational measures taking into consideration the level of development of technical possibilities, costs of implementation and the nature, scope, context and purpose of data processing, as well as risks of various probability and seriousness with respect to rights and freedoms of natural persons associated with data processing.

Technical and organizational measures implemented by Justikal include, but are not limited to, the following:

Justikal has appointed a data protection officer (dpo@justikal.com) who acts without being bound by instructions;

All employees processing Personal Data are obligated when taking up their duties to maintain confidentiality. The obligation continues after their employment ends;

Executives and project managers assume responsibility for ensuring that their employees receive regular qualification training in personal data and privacy protection;

Access rights to Personal Data are controlled in a central system and are granted by a functional responsible person based on the minimum principle. The responsible person is obliged to keep this information up to date;

The Customer itself is also able to control access rights to Customer Data per each User. After the case is accepted by the court, the latter gains control over the case documentation. Limited access option is also available for the Customer to use;

Limited access option is enabled allowing the Customer to submit Customer Data, e.g., certain sensitive evidence, for only the court to see, without access to other parties;

Static application security testing (SAST) and dynamic application security testing (DAST) are performed regularly.

The Sub-Processors responsible for collecting and storing personal identifiable information, shall implement appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing, including but not limited to the use of AES 256 (Advanced Encryption Standard) encryption for the user personal codes.

The Parties agree that Justikal has implemented appropriate technical and organisational measures (indicated in Article 6.2) for processing of Customer Data under this Data Processing Agreement and Justikal shall not be obliged to take into consideration any unreasonable Customer instructions regarding additional technical and organizational measures.

To verify whether Justikal properly processes the Customer Data, the Customer shall have the right to conduct inspections of such processing under the procedure provided for in Article 8.

Justikal shall inspect, at least once per calendar year, at its own initiative and expense, whether applicable technical and organization measures are in line with the nature, scope, context and purposes of data processing, as well as risks associated with data processing with respect to the rights and freedoms of natural persons. Justikal shall engage an independent inspector for the inspection with the instructions to prepare inspection report (hereinafter – Report).

At the request of the Customer and according to an additional agreement by the Parties regarding the protection of confidential information, Justikal shall submit a Report to the Customer. Upon performance of this obligation by Justikal, it shall be considered that the Customer has exercised its right provided for in Item 8.1 of this Data Processing Agreement and GDPR Article 28(3)(h).

In accordance with the applicable legislation, Justikal may be required to provide information related to this Data Processing Agreement to competent regulatory or government institutions, but only upon a lawful and legitimate request.

If the Customer wishes to additionally and/or by means other than specified in Article 8 inspect how Justikal processes personal data and/or performs its obligations under this Data Processing Agreement, such inspection may be conducted upon consent of Justikal and the agreement of the Parties on the scope, method, time and price of the inspection. In any case, if the Parties agree on such additional inspection, it will have to comply with the following requirements: (i) the inspection must be related only to the processing of the Customer Data; (ii) the Customer must inform Justikal about the wish to conduct additional inspection within a reasonable time period which must be at least 4 weeks; (iii) additional inspection must be conducted in a way it would not interfere with daily activities of Justikal; (iv) additional inspection must be conducted at the expense of the Customer; (v) additional inspection must be conducted by an independent person whose candidacy must be approved in advance by Justikal and such person must undertake to protect confidential information of Justikal.

Justikal shall have the right to receive remuneration for assistance in conducting additional inspection. The size of such remuneration will be determined by Justikal taking into consideration costs incurred by Justikal with respect to additional inspection. Justikal shall provide information to the Customer about the size of remuneration before the inspection.

In the event the Customer is not satisfied with the information provided in the Report and/or the Parties fail to agree on additional inspection as provided for in Items 8.5–8.6 of this Data Processing Agreement, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Justikal will not be obliged to compensate damages to the Customer.

The Customer hereby gives general advance consent to Justikal to engage Sub-Processors which will process Customer Data on behalf of Justikal according to the scope and purposes specified in this Data Processing Agreement. Justikal shall engage only those Sub-Processors which will ensure the following:

implementation of appropriate technical and organizational measures;

data processing in compliance with GDPR as well as Icelandic Act on Data Protection requirements; and

protection of the rights of the data subject.

Justikal shall ensure that a written agreement has been concluded with Sub-Processors engaged under which Sub-Processors shall undertake to comply with responsibilities of the data processor established in this Data Processing Agreement at least to the extent applicable to Justikal. Justikal shall be liable against the Customer for the performance of obligations of Sub-Processors engaged.

Up-to-date list of engaged Sub-Processors will be published by Justikal on the Website. Justikal shall notify the Customer about its plans to replace or engage a new Sub-Processor by making such information available on the Website no later than 14 days prior to the planned event.

If the Customer continues using the Services following the replacement or involvement of a new Sub-Processor and notification of the Customer under the procedure provided for in Clause 9.3 of this Data Processing Agreement, it shall be considered that the Customer agreed to such actions of Justikal. If the Customer disagrees with such replacement or involvement of the Sub-Processor, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Justikal will not be obliged to compensate damages to the Customer.

If the Customer withdraws its general consent to engage Sub-Processor, Justikal shall have the right to unilaterally, under out-of-court procedure, terminate the Terms of Service, and such termination shall be considered to have been made for important reasons and the Customer shall be deemed not to have suffered any damage due to such termination.

The Customer, at its own discretion and responsibility, shall determine the categories of the data subjects whose Personal Data and the types of Personal Data to be provided to Justikal and shall provide to Justikal only Personal Data necessary for proper provision of the Services by Justikal. The Customer shall assume all related risks, including risks in cases where Justikal receives more Personal Data than is necessary.

The Customer represents and warrants that it has obtained and shall retain during the entire validity period of the Terms of Service all necessary permissions and authorisations required for the provision of the Customer Data to Justikal and engage Justikal for the processing of Personal Data under the Terms of Service and this Data Processing Agreement.

Justikalshall notify the Customer, without undue delay, but no later than within 36 hours after becoming aware about the Data Breach, and taking into consideration the nature of provided Services and the processing of personal data and available information, shall provide the following information to the Customer:

the nature of the Data Breach, including, where possible, the categories of the data subjects and approximate number thereof;

possible consequences of the Data Breach;

measures implemented by Justikalor proposed to be taken to address the Data Breach, including, where appropriate, measures for mitigating possible negative consequences of the Data Breach;

full name and contact information of data protection officer or any other contact person that could provide further information. Justikalmay provide this information to the Customer by making it available on the Website.

Justikalshall document all Data Breaches, including facts pertaining to the Data Breach, its impact and corrective actions taken. In cases provided for in legislation, Justikalshall provide such documents to supervisory authority.

The Customer shall be responsible for the compliance with legislation regulating the delivery of notifications or information to the data subjects about the Data Breach.

The Customer, as the data controller, is liable to data subjects for damages that the data subjects may incur as a result of an illegal or incorrect processing of Personal Data in the course of the execution of this Data Processing Agreement.

Taking into consideration the nature, scope, context and purposes of data processing, Justikal liability under this Data Processing Agreement shall be limited to and in any case may not exceed the amount the Customer has paid to Justikal in 12 months.

Limitation of liability shall not apply if Justikal breaches this Data Processing Agreement due to gross negligence or intentional misconduct.

This Data Processing Agreement shall come into force upon the entry into force of the Terms of Service and shall be valid for as long as the latter remains in force.

Upon termination or expiry of the Data Processing Agreement, Justikal shall destroy the Customer Data no later than within 30 days, unless there are grounds to process or manage the Customer Data other than those arising out of this Data Processing Agreement.

This Data Processing Agreement shall be subject to the law of Iceland.

Each dispute, disagreement or claim arising out of or related to this Data Processing Agreement, its violation, termination and validity shall be settled by negotiating. If the Parties are unable to reach an agreement within 30 days from the occurrence of the dispute, disagreement or claim, such dispute, disagreement or claim shall be settled in the court of Iceland.

All notifications of the Customer to Justikal related to this agreement shall be sent via e-mail support@justikal.com and shall be deemed to be received when Justikal confirms the receipt thereof by replying to the Customer’s e-mail.

Justikal notifications to the Customer related to this Data Processing Agreement shall be published by Justikal on the Website. Justikal shall notify the Customer about any changes to this Data Processing Agreement by making such information available on the Website. 

The amendments to this Data Processing Agreement shall come into force following publication thereof on the Website. Justikal shall announce about intended amendment of the Data Processing Agreement at least 30 days prior to the planned amendment. If the Customer continues using the Services following the publication of amendments to the Data Processing Agreement, it shall be deemed that the Customer agrees with the amendments to the Data Processing Agreement. If the Customer disagrees with the amendments, the Customer will not be able to use Services and shall have the right to terminate the Terms of Service.