DATA PROCESSING AGREEMENT
Updated March 30th, 2021
1.1 This data processing agreement (“DPA”) is an appendix to the Main Document and is an integrated part of the Service Agreement entered into between the Customer and the Service Provider. Each of Service Provider and Customer is hereinafter referred to as “Party” and jointly as the “Parties”.
1.2 Within the scope of the Service Agreement the Service Provider (the “Processor”) will carry out processing of personal data for which the Customer is the data controller (the “Controller”) under the Data Protection Laws (the “Processing”).
1.3 The purpose of this DPA is to ensure that the Processing is carried out in accordance with the Data Protection Laws, the Controller’s instructions and what has otherwise been agreed between the Parties.
2. DEFINITIONS AND APPLICABLE LAWS
2.1 The Processing shall be carried out in accordance with the Data Protection Laws.
2.2 The “Data Protection Laws” means all laws and regulations that apply to or govern the processing of personal data, including, but not limited to, the EU General Data Protection Regulation ((EU) 2016/679) and any national data protection laws and regulations implementing the EU Electronic Communications Privacy Directive (2002/58/EC), as well as any amendments to or replacements of such laws and regulations.
2.3 Terms used in this DPA shall have the same meaning as in the Data Protection Laws, unless otherwise stated in this DPA. Any other capitalized terms used in this DPA shall, unless otherwise stated, have the meaning set out in the Terms of Service, Appendix 1 to the Service Agreement.
3. OBLIGATIONS OF THE CONTROLLER
3.1 In relation to the data subjects, the Controller is responsible for the Processing’s compliance with the Data Protection Laws.
3.2 The Controller warrants that the Processing is carried out in accordance with the purpose for which the personal data have been collected.
3.3 It is the Controller’s responsibility to ensure that the Processor is, at any time, duly informed of the Controller’s instructions, as well as of any other written instructions provided by the Controller regarding the Processing. If the Controller provides additional instructions which deviate from the instructions that follow from the services provided under the Service Agreement, and such additional instructions require that the Processor take more measures or more action than what is provided for under the Data Protection Laws or the Swedish Data Protection Authority’s (Sw. Datainspektionen) recommendations, the Processor shall consider, but is not obliged to accept, such instructions. If such additional instructions would imply that the scope of the services under the Service Agreement is materially changed, the matter must be handled under the Service Agreement.
3.4 All instructions provided by the Controller must be in writing.
4. OBLIGATIONS OF THE PROCESSOR
4.1 The Processing is described in detail in Appendix A. The Processor undertakes to only process personal data necessary for the performance of its obligations under the Service Agreement, this DPA or according to specific and documented instructions provided by the Controller in Appendix A, which have been approved by the Processor. The Processor may also process personal data in connection with the provision of additional services that may be ordered by the Controller from time to time.
4.2 Upon receipt of written instructions from the Controller regarding the Processing, such as those provided for in Appendix A or additional written instructions, the Processor must, within a reasonable period of time, take appropriate measures to ensure that the Processing is carried out in accordance with the instructions. The Processor shall be entitled to request additional remuneration for any measures relating to the Processing which have not expressly been specified by the Controller at the time of conclusion of the Service Agreement and this DPA.
4.3 The Processor undertakes to ensure that any natural person acting under the authority of the Processor, and who has access to personal data, is informed of the content of this DPA and processes the personal data only in accordance with this DPA and the Controller’s documented instructions.
4.4 The Processor is, to a reasonable extent, required to assist the Controller with appropriate technical and organisational measures for the fulfilment of the Controller’s obligation to respond to requests from data subjects regarding access to, and rectification or erasure of, personal data.
4.5 The Processor must, without undue delay, notify the Controller after becoming aware of a personal data breach. The Processor shall assist the Controller to a reasonable extent by providing information necessary for the fulfilment of the Controller’s obligation to notify the competent supervisory authority of a personal data breach and, when applicable, the Controller’s obligation to communicate the personal data breach to the affected data subjects.
4.6 The Processor is, to a reasonable extent, required to assist the Controller in connection with any data protection impact assessments and prior consultations carried out by the Controller, as well as to assist in any investigations carried out by the competent supervisory authority regarding a personal data breach.
4.7 The Processor is entitled to reasonable compensation for any measures taken in relation to the obligations set out in sections 4.4 to 4.6.
5. TRANSFERS OF PERSONAL DATA
Transfers outside of the EU/EEA
5.1 The Processor may not transfer personal data outside of the EU/EEA without the Controller’s prior written consent.
5.2 If the Data Protection Laws allow for transfers outside of the EU/EEA where a separate agreement has been concluded (or certain relevant actions have been taken) for the purpose of maintaining a sufficient level of security, and the Processor presents proof that such an agreement has been concluded (or such relevant actions have been taken) in accordance with the Data Protection Laws, the Controller may not deny that such a transfer is carried out.
Transfers to third parties
5.3 The Processor may not transfer personal data to third parties without the Controller’s prior written consent, unless such a transfer is required by applicable law or under any court judgments or official orders. Notwithstanding the above, the Processor is always entitled to transfer personal data to Sub-Processors in accordance with section 6 below.
5.4 If any court and/or public authority requests that the Processor disclose personal data or that the Processor take other action relating to the Processing, the Processor is entitled to reasonable compensation for any such measures taken. The Processor is also entitled to reasonable compensation in relation to any required disclosure of personal data to third parties and for any measures taken in connection with such disclosure.
6. ENGAGEMENT OF SUB-PROCESSORS
6.1 By signing this DPA, the Controller approves and acknowledges that the Processor may engage subcontractors for the purpose of carrying out the Processing (“Sub-Processors”). Any transfer of personal data to the Sub-Processors is made at the Processor’s risk and does not alter the allocation of responsibility between the Processor and the Controller.
6.2 The Processor undertakes to inform the Controller in writing prior to engaging a Sub-Processor. The Parties agree that the Controller, by signing this DPA, is deemed to have been informed of the Processor’s intended engagement of the Sub-Processors listed in Appendix B.
6.3 When engaging a Sub-Processor for the purpose of carrying out the Processing, the Processor undertakes to enter into an agreement with the Sub-Processor regarding the processing activities, pursuant to which the Sub-Processor shall be bound by the same obligations as those that bind the Processor under this DPA.
7. TECHNICAL AND ORGANISATIONAL MEASURES
7.1 The Processor is required to implement appropriate technical and organisational measures in accordance with the Data Protection Laws in order to ensure a level of security appropriate to the risk, including risks relating to unauthorised access, destruction and alteration of personal data. The Processor shall determine how such measures are to be implemented in order to reach an appropriate level of security.
7.2 If the Controller considers it to be probable that new security measures are required or that existing security measures must be altered in order to achieve compliance with the legal requirements regarding an appropriate level of security, or in order to achieve compliance with any court judgments or official orders, the Parties shall discuss in good faith the implementation of such new measures or alterations of existing measures. Any implementation of extended or additional security measures requires that the Parties have agreed on such implementation in writing. The Processor is entitled to reasonable compensation for any extended or additional security measures taken.
8. CONFIDENTIALITY
8.1 The Processor undertakes not to disclose to any third party such information which the Processor, in its capacity as data processor, has received from the Controller or any other such information which the Processor processes in its capacity as data processor under this DPA. The Processor undertakes to ensure that all persons acting under its authority have undertaken to observe confidentiality in accordance with this section 8. However, this confidentiality obligation shall not apply to:
- information which is generally known or becomes generally known other than as a result of a breach of this DPA;
- information which was in the Processor’s possession prior to being provided to the Processor under this DPA;
- information which the Processor receives from any third party outside the scope of this DPA; or
- information which the Processor is obliged to disclose under law or any court judgment.
9. AUDIT
9.1 Subject to thirty (30) days’ written notice and at the Controller’s expense, the Controller or any third party auditor mandated by the Controller (the “Auditor”) shall have the right to audit the Processing, including conducting inspections, for the purpose of verifying compliance with this DPA.
9.2 When designating the Auditor, the Controller must consider any competition aspects with respect to any business relationship between the Processor and the contemplated Auditor. With respect to such competition aspects, the Auditor must be approved by the Processor; however, the Processor’s approval may not be unreasonably withheld.
9.3 The Processor undertakes to make available to the Controller or the Auditor all information necessary to demonstrate compliance with the Processor’s obligations under this DPA, as well as to allow for, and assist in, the audits carried out by the Controller or the Auditor. Audits and inspections shall be carried out on business days between 9 a.m. and 5 p.m.
9.4 The Processor may give the Auditor limited access to the Processor’s facilities where the Processor carries out the Processing. When conducting onsite inspections, the Auditor must comply with the Processor’s reasonable work rules, security requirements and standards and must not interrupt the Processor’s day-to-day business activities. The Auditor will not be given access to any of the Processor’s other clients’ confidential information or to other personal data which is not processed within the scope of this DPA.
10. INDEMNIFICATION AND LIABILITY
10.1 A Party undertakes to indemnify and hold the other Party harmless should the latter Party be liable to pay damages to a data subject, provided that the processing of such a data subject’s personal data has been carried out by the former Party in breach of the Data Protection Laws or this DPA.
10.2 A Party furthermore undertakes, in all other respects, to indemnify and hold the other Party harmless against and in respect of the latter Party’s liability to pay damages due to the former Party’s processing of personal data in breach of the Data Protection Laws or this DPA.
10.3 A Party shall not be liable for loss of profit or any other indirect or consequential damage under this DPA. For the avoidance of doubt, damages referred to in section 10 shall be considered direct damages.
11. TERM AND TERMINATION
11.1 This DPA enters into force upon the date of execution by both Parties and remains in force for as long as the Processor processes personal data on behalf of the Controller. Provisions regarding termination are set out in the Service Agreement.
11.2 Unless the Controller explicitly instructs the Processor to return the personal data processed, the Processor shall, upon termination of this DPA, delete all the personal data processed by the Processor on behalf of the Controller and delete existing copies, unless EU or any EU member state law requires storage of the personal data. Any request for the return of the personal data must be in writing and provided to the Processor at the latest in connection with the termination or expiration of the Service Agreement.
11.3 If the Service Agreement is terminated or expires and a new agreement which entails the processing of personal data is concluded between the Parties, without a new data processing agreement being concluded, this DPA will remain in force in relation to any processing of personal data carried out in relation to the services provided under the new agreement.
12. GOVERNING LAW AND DISPUTES
12.1 Any dispute, controversy or claim arising out of or in connection with this DPA shall be settled in accordance with the dispute resolution clause of the Terms of Service attached to the Service Agreement as Appendix 1.
APPENDIX A: Instructions regarding the Processing
The Processor shall, in addition to complying with the provisions in the Agreement, carry out the Processing in accordance with the instructions below.
The Processing may only be performed in order to provide the services under the Main Agreement, i.e. for the purpose of offering software-as-a-service for self-service business automation. The personal data may not be processed or used for the Processor’s own or any other purposes.
Types of processing
The Processor may use any types of processing which are necessary in order to provide the services covered by the Main Agreement, including registration, organization, storage and erasure of personal data.
Types of personal data
The Processor may only process the following types of personal data: names, titles, customer numbers, personal identity numbers, addresses and telephone numbers. The Processor may also process other types of personal data if necessary to provide the services covered by the Main Agreement.
Categories of data subjects
The personal data processed by the Processor may only concern the users of Zervicepoint (i.e. employees, consultants, customers or partners of the Controller).
Duration of the Processing
The personal data must be erased by the Processor at the time of termination of the Agreement, as set forth in the Agreement. Furthermore, personal data shall be erased from time to time, in accordance with the Controller’s written instructions.
Location of the Processing
The Processing will be performed within the EU/EEA using equipment that the Processor is in direct or indirect (through approved subcontractors) control over.
The Processing may also be performed outside of the EU/EEA if a separate agreement has been concluded (or certain relevant actions have been taken) for the purpose of maintaining a sufficient level of security, and the Processor presents proof that such an agreement has been concluded (or such relevant actions have been taken) in accordance with the Data Protection Laws.
APPENDIX B: Sub-Processors approved by the Controller
The Controller accepts and acknowledges that the Processor engages the following Sub-Processors in accordance with section 6 of this DPA. This also applies to any companies which, at any given time, belong to the Processor’s group of companies, provided that such a group company is established within the EU/EEA.
Sub-processor or Service | Type of processing
Microsoft Azure and Office 365 | Cloud infrastructure for our apps and services
 | SMTP provider for our apps and services
 | Incident management system, intranet and site status page
 | Customer and partner information (CRM)
 | Customer and partner agreements