Data protection

1 Introduction

1.1 This Appendix is integral part of the agreement (“Agreement”) under which the customer (the “Customer”) uses the Zervicepoint SaaS service (“Service”) provided by FoF Zervicepoint Sweden AB (or transferee of the Zervicepoint business, if applicable, the “Supplier”). The Supplier and Customer hereinafter referred to as the “Parties”.

1.2 This Data Protection Appendix (“Appendix”) defines the rights and obligations of the Parties related to processing of Customer´s or its customer´s personal data (as defined in the Data Protection Provisions, “Personal Data”) under the Service. In this Appendix, “Data Protection Provisions” shall mean the General Data Protection Regulation (EU 2016/679) and other applicable European Union or national data protection laws.

2 Appointment and compliance with Data Protection Provisions

2.1 The Customer appoints the Supplier to process Customer´s or its customer´s Personal Data. With respect to Personal Data, the Customer is the “data controller” and the Supplier is the “data processor”, as defined in the Data Protection Provisions.

2.2 The Supplier undertakes to comply with the obligations imposed to data processors in the Data Protection Provisions as well as instructions and orders regarding the Data Protection Provisions given by the competent authorities. In addition, the Supplier undertakes to comply with the instructions and orders regarding processing of Personal Data given by the Customer, unless these are in conflict with the Data Protection Provisions or instructions and orders given by the competent authorities.

2.3 The Customer acknowledges and accepts that the Supplier may use its group companies in delivering Service and such group companies may also process Personal Data as described in this Appendix. The Supplier ensures that its group companies comply with this Appendix and the Supplier is also liable for acts and omissions of its group companies under this Appendix. For the avoidance of doubt, Supplier´s group companies are not deemed subcontractors within the meaning of this Appendix.

2.4 The Customer undertakes to comply with the obligations imposed to data controllers in the Data Protection Provisions as well as instructions and orders regarding the Data Protection Provisions given by the competent authorities.

3 Rights and obligations related to processing of Personal Data

3.1 The Supplier shall:

(I) process the Personal Data only according to the Agreement and for the purpose of providing the Service during the term of the Agreement, unless otherwise required by compelling legislation or order from a competent authority;

(II) ensure that Personal Data is processed only by such personnel that have committed to duty of confidentiality in respect of Personal Data;

(III) implement appropriate technical and organizational measures, for which it is responsible for, to protect the Personal Data against any access, disclosure, destruction or alteration in violation of this Appendix;

(IV) ensure that Personal Data is processed only by such subcontractors approved by the Customer in writing and that the subcontractors have undertaken to comply with the terms and conditions of this Appendix with respect to Personal Data;

(V) assist the Customer in fulfilling its obligations as data controller and assist the Customer in replying the request from competent authorities regarding Data Protection Provisions;

(VI) at the expiry or termination of the Agreement destroy (or at the request of the Customer, return) Personal Data from all medias of the Supplier or its subcontractors, unless otherwise required by compelling legislation or order from a competent authority; and

(VII) deliver to the Customer all necessary information enabling the Customer to demonstrate that the Supplier is processing Personal Data in compliance with the Data Protection Provisions.

Unless the Parties otherwise agree in writing, the obligations described in this Section 4.1 above have the meaning described in Article 28 of the General Data Protection Regulation (EU 2016/679). The Supplier may charge for execution of the above mentioned and other requests of the Customer.

3.2 The Supplier shall not without a prior written consent of the Customer:

(I) physically nor electronically transfer any Personal Data outside the European Union or the European Economic Area; nor

(II) allow access or process Personal Data within the European Union or the European Economic Area from outside of the European Union or the European Economic Area.

In the event Personal Data is transferred, accessed or processed to or from outside the European Union or European Economic Area as described above, the Parties shall agree on the terms and conditions applicable to the procedure in accordance with the Data Protection Provisions.

3.3 The Supplier shall notify the Customer without undue delay in writing:

(I) it becoming aware of any access or disclosure of Personal Data or their destruction or alteration in violation of this Appendix;

(II) it receiving from any person, whose personal data forms part of the Personal Data, or competent authority a request or demand regarding the exercise of rights pursuant to Data Protection Provisions, or complaint or demand regarding violation of the Data Protection Provisions and/or damages regarding the same;

(III) any communication or requests from any competent authorities regarding Personal Data, unless such competent authority expressly prohibits notifying the Customer about the same.

3.4 In the events described in Section 3.3 above, the Supplier shall take such steps as the Customer or competent authority may reasonably require, within the timescales reasonably required by such entities and provide such further information as any of those entities may reasonably require.

3.5 Both Parties shall notify the other Party without undue delay in writing after becoming aware of any actual or suspected breach of this Appendix, together with such additional information that can be reasonable required to enable the other Party assess the matter.

4 Limitation of liability

4.1 The limitations of liability set out in the Agreement shall apply also to this Appendix. The Parties agree that the general principle of division of responsibilities between the Parties relating to administrative fines imposed by any relevant supervisory authority or claims by data subjects under this Appendix or Data Protection Provisions is based on the principle that the respective Party needs to fulfil its own obligations under the respective Data Protection Provisions. Therefore, any administrative fines imposed or damages ordered should be paid by the Party that has failed in its performance of its legal obligations under the Data Protection Provisions, as decided by the relevant supervisory authority or competent court authorized to impose such fines or damages.

5 Term of the Appendix and settlement of disputes

5.1 This Appendix shall be in effect for as long as the Agreement is in force. All provisions of this Appendix which by nature are intended to survive the termination of the Agreement shall remain in full force and effect regardless of the termination of the Agreement.

5.2 Provisions regarding the governing law and settlement of disputes included in the Agreement shall apply to this Appendix.