Data Processing Agreement

XXX and Compilator AB
Malmö XX XX 2018

1 PARTIES

2 BACKGROUND AND PURPOSE

2.1 The Parties have reached an agreement regarding the provision of services by the Processor to the Controller (‘the Main Agreement’), dated XXXX-XX-XX. This DPA shall form a part of the Main Agreement.

2.2 This DPA sets out the rights and obligations of the Controller in its capacity as Controller and of the Processor when the Processor processes personal data on behalf of the Controller (the ‘Processing’).

2.3 The purpose of this DPA is to ensure that the Processing of personal data is conducted in accordance with the Data Protection Laws, instructions given by the Controller and what is otherwise agreed between the Parties.

2.4 In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail.

2.5 This DPA replaces any previous DPAs entered into between the Parties.

3 DEFINITIONS

3.1 Expressions used in this DPA shall be construed in accordance with the meaning given to them in applicable data protection laws.

3.2 Expressions used in this DPA that are not defined herein, shall be defined in accordance with the Main Agreement.

4 APPENDICES TO THE DPA

4.1 Instructions for Processing of Personal Data – Annex 1

4.2 Sub-Processors authorised in advance – Annex 2

5 PROCESSING OF PERSONAL DATA

5.1 The Processor is responsible for conducting all Processing in compliance with applicable data protection laws and other applicable laws, rules, regulations, recommendations, guidelines or good practices. The Processor undertakes to only process personal data in accordance with and/or for the purposes necessary for the fulfilment of the obligations set out in the Main Agreement, this DPA or documented instructions given by the Controller, unless otherwise follows from applicable data protection laws. The Controller’s original instructions to the Processor regarding the subject and duration of the Processing, the nature and purpose of the Processing, the type of personal data and the categories of data subjects are stated in this DPA and Annex 1.

5.2 The Controller confirms that the obligations set out in this DPA, including Annex 1, with regard to the Processor form the complete instructions to be followed by the Processor. The Controller is obliged not to let the Processor, without a written instruction, carry out Processing of any other categories of personal data, or Process personal data of other categories of data subjects, than those listed in Annex 1.

5.3 Upon receipt of written instructions from the Controller regarding the Processing, such as those set out in Annex 1, the Processor shall without undue delay take appropriate measures to ensure that the Processing is adapted accordingly. The Processor is not liable for any ambiguities in the instructions, nor is it obliged to take any measures other than those explicitly requested by the Controller. The Processor shall be entitled to specific remuneration for Processing measures which were not explicitly specified by the Controller at the time of entering into the Main Agreement and this DPA.

5.4 All modifications to the Controller’s instructions shall, in order to be valid, be documented in writing. In the event that the Controller gives the Processor new instructions regarding the Processing which deviate from those resulting from the services under the Main Agreement, and the new instructions are more demanding for the Processor and go further than prescribed in applicable Data Protection Laws or the Supervisory Authority’s advice or communications, the Processor shall consider but shall not be obliged to accept those instructions. If such new instructions have the effect that the scope of the services provided by the Processor under the Main Agreement is substantially modified, the issue shall primarily be dealt with under the Main Agreement.

5.5 The Processor shall immediately notify the Controller if it considers an instruction to be in breach of applicable data protection laws.

5.6 The Processor undertakes to maintain a record of the Processing carried out on account of the Controller in accordance with Article 30(2) of the EU General Data Protection Regulation.

5.7 The Processor shall, to a reasonable extent, assist the Controller by taking appropriate technical and organisational measures necessary for the Controller to meet its obligation to respond to any request from data subjects regarding access, rectification, restriction or erasure of personal data.

5.8 The Processor shall be entitled to reasonable compensation for the measures taken in relation to the obligations in paragraph 5.7.

6 DISCLOSURE OF PERSONAL DATA

7 SUB-PROCESSORS AND THIRD COUNTRY TRANSFERS

7.1 The Controller approves that the Processor may engage sub-processors within and outside the EU/EEA and transfer personal data outside the EU/EEA. The Processor shall ensure that the sub-processors are bound by written agreements which impose on them obligations regarding the Processing corresponding to the obligations set out in this DPA. Annex 2 to this DPA contains a list of sub-processors whom the Processor is authorised to engage as of the date of entering into force of this DPA.

7.2 If personal data is transferred, or access is made possible from a place outside the EU/EEA, the Processor shall ensure that there is a legal basis for the transfer in accordance with applicable data protection laws, such as the European Commission’s Model Clauses. The Controller authorises the Processor to, on behalf of the Controller, enter into the European Commission’s Model Clauses with sub-processors.

7.3 If the Processor intends to engage a new or replace an existing sub-processor to process personal data subject to this DPA, the Processor shall inform the Controller in advance and provide the Controller with the opportunity to put forward objections. Such objections shall be provided in writing without undue delay and within 30 days from the Controller receiving the information. The Processor shall provide the Controller with all information which can reasonably be requested in order for the Controller to assess the sub-processor’s capability of ensuring the fulfilment of the Controller’s obligations as set out in this DPA and in applicable data protection laws. The Controller is entitled to cancel the Main Agreement without any additional costs if, in the Controller’s reasonable opinion, these obligations will not be fulfilled through the suggested sub-processor and the Processor, despite the Controller’s objection, wants to engage that sub-processor.

8 DATA SECURITY AND CONFIDENTIALITY

8.1 The Processor is obliged to fulfil its obligations regarding data security as set out in the applicable data protection laws and shall, at all times, implement appropriate technical and organisational measures in accordance with Article 32 of the EU General Data Protection Regulation to protect the personal data that is processed. The measures include, when appropriate,

a)    pseudonymisation and encryption of personal data;

b)    the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c)   the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d)   a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

8.2 In assessing the appropriate level of security, due account shall be taken of the risks presented by the Processing, in particular from unintentional or unlawful destruction, loss or alteration, unauthorised disclosure of or access to the personal data transmitted, stored or otherwise processed.

8.3 The Processor undertakes to, as appropriate, assist the Controller when conducting a data protection impact assessment and prior consultations, and to contribute to investigations of personal data breaches that have occurred with the responsible Supervisory Authority.

8.4 The Processor undertakes not to disclose to any third party any data from the Controller which the Processor received from the Controller in its capacity as Processor, or such information as the Processor processes in its capacity as Processor for the Controller. The Processor is obliged to ensure that only those employees who must have direct access to personal data in order to fulfil the Processor’s obligations under this DPA receive access to such data. The Processor shall ensure that such employees are subject to an appropriate confidentiality obligation. Confidentiality obligations shall however not operate in relation to information which

i.   is common knowledge or will become common knowledge in other ways than through a breach of this DPA;

ii.  the Processor can demonstrate was in the Processor’s possession before it was transmitted by the Controller under this DPA;

iii. the Processor lawfully, and without limitations with regard to the right to transfer such data, obtains from a third party outside of this contractual relationship; or

iv.  a Party is legally required to provide due to imperative law, court order or other Authority’s decision.

8.5 The confidentiality obligation in this section shall remain in effect after this DPA has expired.

9 NOTIFICATION IN THE EVENT OF A PERSONAL DATA BREACH

9.1 The Processor shall without undue delay, and no later than within 24 hours, notify the Controller after becoming aware of a personal data breach, unless the Processor can show that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification shall include a description of the nature of the personal data breach, the categories of data subjects, the number of data subjects concerned, the kind of personal data concerned, the number of personal data records concerned, contact details of a contact point where more information can be obtained, the likely consequences of the personal data breach, as well as what measures the Processor has taken and what measures the Processor proposes to be taken. The Processor shall document any personal data breaches and shall keep the documentation available for the Controller and the Supervisory Authority.

9.2 The Processor shall, to a reasonable extent, assist the Controller with the information needed for the Controller to fulfil its obligations regarding the notification of the personal data breach to the Supervisory Authority and, when applicable, the information to the data subjects regarding the personal data breach.

10 RIGHT TO AUDITS

10.1 The Controller shall, in its capacity as data controller, have the right to take appropriate measures to verify the Processor’s capability to fulfil its obligations pursuant to this DPA and that the Processor actually has taken the measures necessary to ensure that they are fulfilled.

10.2 The Processor undertakes to provide to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to such audits, including onsite inspections, conducted by the Controller or another auditor mandated by the Controller (the ‘Auditor’), under the condition that the persons conducting the audit conclude appropriate confidentiality agreements. The audits shall be notified at least 30 days in advance and the Controller shall bear the costs.

10.3 When designating the Auditor, the Controller shall take into account competition aspects relevant to the business relationship between the Processor and the proposed Auditor. In this respect, the Auditor needs to be approved by the Processor. Such approval may however not be unreasonably denied.

10.4 The Processor undertakes to make available, for the Controller or the Auditor, all the documentation necessary to demonstrate that the Processor has fulfilled its obligations set out in this DPA and shall also assist the Controller or the Auditor in the conducting of audits and inspections. Audits and inspections may be performed during business hours, on weekdays between 9.00 and 16.00.

10.5 The Processor may limit the Auditor’s access to facilities where the Processing is carried out. When such onsite inspections are conducted, the Auditor shall follow reasonable labour rules, safety requirements and other regulations applicable in the workplace, and may not disturb the Processor’s daily activities. The Auditor shall not have access to such confidential data relating to other customers of the Processor or other personal data than those processed in accordance with the DPA.

10.6 The Processor shall allow for and contribute to inspections conducted by the Data Protection Authority (Sw. Datainspektionen) or any other competent supervisory authority.

11 TERM
The provisions in this DPA shall remain in force for as long as the Processor processes personal data for which the Controller is the controller. Provisions regarding termination are set out in the Main Agreement.

12 EFFECTS OF TERMINATION

12.1 Upon termination of this DPA the Processor shall, depending on what the Controller chooses, delete or return all personal data processed under this DPA within thirty (30) days after the termination of the Main Agreement, unless such measures breach applicable national law or EU law. This request shall be made in writing and be provided to the Processor at the latest in connection with the termination or expiration of the Main Agreement.

12.2 If requested by the Controller, the Processor shall confirm in writing what measures have been taken regarding the personal data after the termination of the Processing in accordance with the paragraph above.

13 REMUNERATION
In addition to what is expressly stated in this DPA, the Processor shall be entitled to reasonable remuneration for complying with the Controller’s written instructions, if it is evident that the requested measures are not covered by the Processor’s obligations pursuant to the Agreements or if the measures do not correspond to requirements set out in the EU General Data Protection Regulation with regard to processors. In case the Processor is entitled to remuneration for work performed, the price list included in the Agreements shall apply. If no such price list is included, the remuneration shall be given according to the Processor’s price list applicable at the time.

14 LIMITATION OF LIABILITY

14.1 The limitations of liability set out in the Main Agreement shall be applicable with regard to the liability of the Processor under this DPA. [Paragraphs 14.2-14.6 contain alternative provisions, to be used in relation to Volvo. In this case, delete para. 14.1.]

14.2 The Processor shall hold the Controller harmless from any damages in the event that the Controller suffers damages according to applicable data protection laws, if the Processing from which the damage arises is attributable to the Processor’s Processing in breach of this DPA or of lawful instructions given by the Controller. This obligation is not covered by the limitation of liability in the paragraph below.

14.3 The Processor shall not be liable to indemnify any indirect damage such as loss of profit under this DPA.

14.4 Claims relating to this section shall be made to the Processor within 6 months from the date the claim was made to the Controller. After this time limit, the Controller loses its right to make any claims against the Processor.

14.5 A Party’s liability for damages under this DPA is subject to the limitation of liability set out in the Main Agreement.

15 GOVERNING LAW AND DISPUTES

15.1 This DPA shall be governed by Swedish law.

15.2 Disputes due to this DPA shall be settled in accordance with the dispute resolution clause of the Main Agreement.

This DPA has been executed in two original copies, of which the Parties have taken one each.

Malmö 2018-                           PLACE 2018-
COMPILATOR AB                              XXX:

_____________________                            _______________________

Anders Paulcén                                                Name
[Title]                                                               [Title]
Annex 1 – Instructions for Processing of personal data
________________________________________________

1. Data Protection Officer

The Controller’s point of contact with regard to personal data breaches, routines and modifications of this instruction is the XXXXX Data Protection Officer or representative. This person also has the mandate to request record extracts:

Name
Email
Phone

The Processor’s point of contact with regard to personal data breaches, routines and modifications of this instruction is the Supplier’s Data Protection Officer:

Anders Paulcén
DPO@compilator.com
040-6728888

2. Purpose

The purpose of the Processor’s Processing of personal data on behalf of the Controller is to

  • Fulfil its obligations pursuant to the Main Agreement and this DPA.
  • Assist the Controller in investigating suspicions regarding breaches of employment contracts or other contracts, data safety requirements or similar obligations.
  • Make available, upon written instruction from the Controller, personal data to other Processors engaged by the Controller, such as application maintenance suppliers.

3. Categories of personal data and data subjects

The categories of personal data Processed on behalf of the Controller are:

Data subjects     | Contact details | Financial data | Hours worked/logbook | Personal identity number | Wage / employment | Sensitive personal data
Vehicle owners    | X               | X              |                      |                          |                   |
Drivers           | X               | X              |                      |                          |                   |
Customers         | X               | X              |                      |                          |                   |
XXXX employees    | X               |                |                      |                          |                   |


4. Processing

The Processor is allowed to carry out the following Processing:

Processing: Storage
  Description: As set out in the provisions regarding back-up, traceability and access in the Main Agreement
  Limitation: Does not cover reading

Processing: Moving and/or duplicating
  Description: In accordance with specific instruction or order made by the Controller
  Limitation: Does not cover reading

Processing: Erasure
  Description: In accordance with specific instruction or rules regarding erasure
  Limitation: Does not cover reading or other types of downloading. Does not include erasure requested by the data subject directly

Processing: Extract / print-outs
  Description: In accordance with the Controller’s written order
  Limitation: Does not include extracts/print-outs requested by the data subject directly

Processing: Rectification
  Description: Upon and in accordance with the Controller’s written demand
  Limitation: Does not cover demands for rectification by the data subject directly

Processing: Administration of accounts (creation, modification, deletion)
  Description: Administration of accounts and user rights
  Limitation: Only upon demand by a competent orderer

Processing: Record keeping
  Description: According to the provisions regarding safety, access and access rights in the Main Agreement
  Limitation: Does include reading of records and analysis in case of suspicion of crime or safety breach

Other Processing, such as reading, saving etc., may only be carried out upon written demand by the Controller.

Annex 2 – Sub-Processors authorised in advance
________________________________________

The Controller has authorised the following sub-processors of the Processor:

Sub-processor:

Nordic TeleCom Oy (Callback integration)
Juvan Teollisuuskatu 18
FI – 02920 Espoo
Finland

Phone: +358 44 7474 125

Link Mobility (call-ins and reminders via text messages)
Götgatan 78
118 30 Stockholm
Sweden
info@linkmobility.com

+46 770 870 800

Mandrill mail (call-ins and reminders via e-mail)
Scott Culpepper
General Counsel
The Rocket Science Group LLC
Georgia
675 Ponce De Leon Ave NE, Suite 5000
Atlanta, Georgia 30308
United States of America

legal@mailchimp.com
Phone: (404) 806-5843

https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active

HubSpot, Inc. (CRM and newsletter)
HubSpot Headquarters (Cambridge, MA)
25 First St., 2nd floor
Cambridge, Massachusetts 02141
United States of America

https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active

The Rocket Science Group LLC (Mailchimp integration for send outs)
Georgia
675 Ponce De Leon Ave NE, Suite 5000
Atlanta, Georgia 30308
United States of America

https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active

Zendesk, Inc (Helpdesk matters)
1019 Market Street, 6th Floor
San Francisco, California 94103
United States of America

https://www.privacyshield.gov/participant?id=a2zt0000000TOjeAAG&status=Active
