DATA PROCESSING AGREEMENT
1. BACKGROUND AND PURPOSE
1.1 This Data Processing Agreement with its appendixes (”DPA”) constitutes an integral part of the general terms and conditions as well as any written changes (“Terms”) which have been agreed upon between the parties and regulates the processing of personal data by the processor, GDPR Hero AB (559088-5116) (”GDPR Hero”), on the behalf of the controller (“Customer”) for the cloud service GDPR Hero (“Service”), referred to individually as Party and collectively as the Parties.
1.2 The purpose of this Agreement is for GDPR Hero to provide adequate guarantees that appropriate technical and organizational measures have been taken so that the processing of personal data fulfils the requirements set out in the GDPR and ensures that the rights of the data subject are protected. Nothing within this Agreement shall be interpreted as constituting a right or an obligation for either party to process personal data in a way which is not in conformity with the GDPR.
2. DEFINITIONS AND INTERPRETATION
2.1 In this Agreement the definitions, as seen below, with initial capital letters have the following meaning:
”Data Protection Legislation” means the GDPR, the Swedish law that supplements the GDPR (”lag (2018:218) om kompletterande bestämmelser till EU:s dataskyddsförordning”) and other laws, in force at the relevant time, concerning the protection of the rights and freedoms of data subjects when their personal data are processed under this Agreement.
”GDPR” Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
”Customer” A legal or natural person who has signed the General Terms and who, under this Agreement, is the controller.
”Sub-processor” A processor engaged by GDPR Hero.
2.2 Definitions defined within the GDPR have the same meaning under this Agreement.
3. CUSTOMER’S OBLIGATIONS
3.1 The Customer instructs GDPR Hero to process personal data as follows:
(a) to provide the Service;
(b) to comply with the documented instructions of the Customer, in accordance with Appendix 1; and
(c) to comply with other written instructions, which GDPR Hero agrees upon as documented instructions under this Agreement, including changes to technical and organizational measures.
4. GDPR HERO’S OBLIGATIONS
4.1 GDPR Hero may only process personal data in accordance with section 3 (Customer’s obligations) above, unless any of the following is applicable:
(a) other processing is required under EU law or the national legislation of a Member State to which GDPR Hero is subject (in such a situation GDPR Hero will inform the Customer of the legal obligation before the data are processed, unless such information is prohibited by law on grounds of an important public interest); or
(b) the instructions are in breach of GDPR or any other applicable Data Protection Legislation.
4.2 At the request of the Customer, GDPR Hero shall assist in ensuring that the obligations under Articles 32 to 36 of the GDPR are fulfilled and in replying to requests regarding the exercise of the data subject’s rights under Chapter III of the GDPR, taking into account the nature of the processing and the information at GDPR Hero’s disposal.
4.3 If GDPR Hero finds the instructions of the Customer to be unclear, missing or not in compliance with Data Protection Legislation, and GDPR Hero considers new or supplementary instructions necessary in order to fulfil its obligations under this Agreement, GDPR Hero will inform the Customer without delay, temporarily cease its processing to the extent possible, and await new instructions.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, GDPR Hero will implement reasonable technical and organizational measures to ensure a level of security appropriate to the risk, including, where suitable:
(a) pseudonymization and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the Service;
(c) the ability to restore the availability of and access to personal data within a reasonable time in the event of a physical or technical incident; and
(d) a procedure to regularly test, examine and evaluate the efficiency of the technical and organizational measures which shall ensure the security of the processing of data.
When assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed.
5.2 GDPR Hero, and any person acting under the supervision of GDPR Hero who has access to personal data, may only process such data on the instructions of the Customer, unless required to do so by EU law or the national legislation of a Member State.
5.3 GDPR Hero shall ensure that people authorized to process personal data are subject to a confidentiality agreement or a suitable legal confidentiality requirement.
5.4 Any subsequent or altered requirements from the Customer concerning the technical or organizational security measures, raised after signing this Agreement, shall be treated as changed instructions as stated in paragraph 3.1 (c) above.
6.1 GDPR Hero shall make available to the Customer all information necessary to demonstrate compliance with the obligations established in this Agreement, and shall allow for and contribute to audits, including inspections, conducted by the Customer or by another accountant authorized by the Customer.
6.2 The parties agree that any audit shall be conducted by a third party that is not a competitor of GDPR Hero. This third party shall be an authorized accountant, a certified information security accountant, an attorney, or a person with equivalent expertise and experience.
6.3 In order to avoid any misunderstandings, the Customer will be solely responsible for all costs regarding third parties within the scope of the audit.
6.4 The Customer shall ensure that any natural persons carrying out an audit are subject to a confidentiality agreement or a suitable legal confidentiality requirement.
7. PERSONAL DATA BREACH
7.1 GDPR Hero shall inform the Customer, without undue delay, when becoming aware of a personal data breach.
7.2 GDPR Hero’s report of a personal data breach shall:
(a) describe the nature of the personal data breach, including if possible, the categories and the approximate number of data subjects concerned as well as the categories and the approximate number of items of personal data concerned;
(b) transmit the name of contact points where more information can be found;
(c) describe the likely consequences of the personal data breach; and
(d) describe the measures taken by or suggested by GDPR Hero in order to remedy the personal data breach, including when appropriate, measures to mitigate its potential negative effects.
If, and in so far as, it is not possible to provide all the information at the same time, the information may be provided in phases without undue delay.
7.3 GDPR Hero shall document all personal data breaches, including the circumstances around the personal data breach, its effects and the corrective measures taken. The documentation shall make it possible for the Customer to verify the compliance with this section 7.
8.1 The Customer hereby approves that the sub-processors engaged by GDPR Hero, listed in Appendix 2, may process personal data on behalf of the Customer. At the request of the Customer, GDPR Hero will provide a copy of the data (sub-)processing agreement signed with the Sub-processor.
8.2 GDPR Hero is hereby given a general prior written authorization to engage additional sub-processors within the EU/EES for the processing of personal data. The criterion for this general prior written authorization is that the Sub-processor shall perform part of the basic function of the Service, concerning its operation, development or server hosting, and shall meet requirements at least equivalent to those of this Agreement.
8.3 GDPR Hero shall, in a timely manner, inform the Customer, of the intention to replace or hire a new sub-processor. The information shall include the name of the Sub-processor and details of the location and the nature of the processing that the sub-processor will conduct on behalf of the Customer. Any objections to such changes shall be raised within thirty (30) days of the Customer receiving the information.
8.4 Personal Data shall not be processed in a third country, unless the Controller has approved of this, in writing and in advance.
8.5 GDPR Hero may cease to hire Sub-processors without prior approval of the Customer.
8.6 When GDPR Hero hires a Sub-processor for a specific processing on behalf of the Customer, the Sub-processor shall, in accordance with a Sub-processor Agreement, be subject to the same obligations regarding data protection, as established within this Agreement, and give enough guarantees for suitable technical and organizational measures, making the processing fulfill the requirements set out in this Agreement. If the Sub-processor does not fulfill the requirements in regard to data protection, GDPR Hero is to be held fully liable towards the Customer for the execution of the Sub-processor’s obligations.
9. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY
9.1 GDPR Hero may only transfer personal data to a third country with the prior approval of the Customer.
10.1 GDPR Hero is entitled to compensation for supplementary services as follows:
(a) instructions as stated in paragraph 3.1 (c) above;
(b) requests for assistance as stated in paragraph 4.2 above;
(c) time necessarily spent to prepare for and support an audit by the Customer as stated in section 6; and
(d) requests for a copy of the data processing agreement with a Sub-processor as stated in paragraph 8.1.
11.1 Where compensation for damage in connection with the processing of personal data is, by final judgment or settlement, to be paid to a data subject due to a breach of a provision of this Agreement and/or an applicable provision of the Data Protection Legislation, Article 82 GDPR shall apply. Administrative fines under Article 83 GDPR, or under chapter 6 section lag (2018:218) om kompletterande bestämmelser till EU:s dataskyddsförordning (the Swedish law that supplements the GDPR), shall be borne by the party to this Agreement on whom such a fine is imposed.
11.2 If either party becomes aware of a circumstance that could lead to damage to the other party, the party shall immediately inform the other party of the situation and actively work with the other party to prevent and minimize such damage.
11.3 Notwithstanding what is stipulated in the Terms, this section 11 takes precedence over any other provisions on the allocation of claims between the parties with regard to the processing of personal data.
12. APPLICABLE LAW AND DISPUTE RESOLUTION
12.1 The applicable law and dispute resolution established within the Terms are applicable to this Agreement.
13.1 Upon termination of this Agreement, GDPR Hero will store the Customer’s data, including personal data, for sixty (60) days after the last day of validity of the Agreement; thereafter GDPR Hero has the right to erase all the personal data. GDPR Hero shall erase all stored personal data without delay if the Customer so requests. At the request of the Customer, GDPR Hero can also transfer the personal data to the Customer under the terms for Supplementary Services.
13.2 Provisions regarding confidentiality as established within this Agreement, are applicable also after the termination of the Agreement.
Appendix 1: Instruction for the processing of personal data
The purpose, subject-matter and nature of processing
The purpose is mainly to provide the Service to the Customer, to enable the Customer to document organizational security, administrate and document extractions from registers as well as incident reports. Also, it is possible to further process personal data in To-do-lists and free text boxes as well as document contact persons for the Sub-processors, Controllers and Data Protection Officers.
Categories of personal data
The categories of personal data include, but are not limited to, names, telephone numbers, email addresses, job positions and workplace. This covers contact information for the Customer’s representative as well as any other personal data which the Customer chooses to register within the Service.
The Customer undertakes to not input special categories of personal data and personal data relating to convictions and offenses.
Categories of data subjects
The Customer’s representative and any other categories of data subjects that the Customer chooses to register within the Service.
The personal data shall be deleted by GDPR Hero after the termination of the contract and according to clause 13.1.
Appendix 2: Table of Sub-processors
Sub-processor | Purpose of processing | Are the personal data transferred outside of EU/EES?
OMMH Scandinavia AB | To develop and maintain the functionality of GDPR Hero, OMMH Scandinavia is a supplier of system development. |
Qnova | In order to maintain our cloud service, we use Qnova as a supplier for server storage. | No, processing takes place within Sweden.