Data Processing Agreement
This data processing agreement (“Data Processing Agreement”) has been entered into today between:
- A. The Customer in the Agreement (data controller), (“the Customer”) and
- B. Next One Technology AB (data processor), business register no. 556944-2501 (“the Supplier”)
- This Data Processing Agreement constitutes an integral part of the Agreement (as defined below) between the Supplier and the Customer. Upon execution of the Agreement, the Supplier will Process (as defined below) Personal Data (as defined below) on behalf of the Customer as the Customer’s data processor. The Customer is the data controller for the Processing of Personal Data.
- If someone else, together with the Customer, is the data controller for the Personal Data in question, the Customer shall inform the Supplier of the matter.
- The purpose of this Data Processing Agreement is for the Customer and Supplier to fulfil the requirements applicable at any time concerning Data Processing Agreements and obligations in accordance with Data Protection Regulations (as defined below) and to ensure the adequate protection of the personal integrity and fundamental rights of individuals in connection with the transfer of Personal Data from the Customer to the Supplier within the framework of the services supplied by the Supplier to the Customer under the Agreement.
Definitions
- The following terms shall have the following meaning when they are written with an initial capital letter.
- “Agreement” refers to the agreement(s) entered into between the Customer and Supplier regarding the Supplier’s products and services and within the framework for which the Supplier processes personal data on behalf of the Customer.
- “Processing” refers to the legal definition of “Processing” according to Data Protection Regulations at any time. At the time of entering into the Agreement, Processing includes any measures or series of measures taken in respect of Personal Data, regardless of whether such measures are performed automatically or not, e.g. collection, registration, organisation, storage, processing or alteration, recovery, collection, use, sharing or other disclosure of data, compilation or coordinated blocking, deletion or destruction.
- “Data Protection Regulations” refers to the laws or regulations applicable at any time concerning the Processing of Personal Data, which includes but is not limited to the European Parliament and Council Regulation (EU) 2016/679 (“General Data Protection Regulation”), which replaces the Swedish Personal Data Act (1998:204), as well as the Supervisory Authority’s binding decisions and regulations and any future local adaptations and regulations relating to data protection.
- “Customer” refers to the party specified in the introduction above. Nevertheless, to the extent that the Customer enters into this Data Processing Agreement on behalf of other service recipients pursuant to the Agreement, the definition of “Customer” shall accordingly also refer to such service recipients, unless otherwise specified in this Data Processing Agreement or the Agreement.
- “Supplier” refers to the party specified in the introduction above.
- “Personal Data” refers to the personal data that the Supplier Processes on behalf of the Customer under this Data Processing Agreement. At the time of entering into the Agreement, “Personal Data” is defined as any information that can be directly or indirectly attributed to a physical living person, but the term shall be considered to have the meaning set out in the legal definition applicable at any time in Data Protection Regulations.
- “Data Subject” refers to the physical person to which the Personal Data relates.
- “Supervisory Authority” refers to the relevant supervisory authority authorised to supervise the processing of Personal Data under Data Protection Regulations, i.e. the Swedish Data Protection Authority.
- “Sub-processor” refers to anyone who Processes Personal Data as a subcontractor to the Supplier.
- Any other definitions with an initial capital letter used in this Data Processing Agreement shall, unless otherwise specified, have the meaning and importance set out primarily in Data Protection Regulations or otherwise in the Agreement, unless the circumstances clearly suggest a different interpretation.
Responsibilities and instruction
- The Personal Data Processed by the Supplier on behalf of the Customer and the Customer’s instructions concerning the Processing can be found in Appendix A (Instructions on the Processing of Personal Data).
- The Customer shall be the data controller for all Personal Data that the Supplier Processes on behalf of the Customer under the Agreement. The Supplier shall adhere to the requirements applicable at any time set down in Data Protection Regulations and also any applicable recommendations from the Supervisory Authority that the Customer has instructed the Supplier to adhere to. The Customer shall also inform the Supplier of any third-party measures, including measures on the part of the Supervisory Authority and Data Subjects, relating to the Processing.
- The Supplier and/or the person(s) carrying out the work on behalf of the Supplier shall only Process Personal Data in accordance with the Customer’s instructions and not for any purposes for which the Supplier has not been commissioned. In addition to the instructions set down in Appendix A, this Data Processing Agreement and the Agreement shall constitute the Customer’s instructions to the Supplier in respect of Processing. The Customer shall immediately notify the Supplier of any changes that may affect the Supplier’s obligations under the Data Processing Agreement. The Supplier shall notify the Customer if the Supplier believes that the instruction violates Data Protection Regulations.
- Processing may also take place if such Processing is required pursuant to EU law or pursuant to a member state’s national law that is applicable to the Supplier or Sub-processor. If Processing is required pursuant to EU law or pursuant to a member state’s national law that is applicable to the Supplier or Sub-processor, the Supplier or Sub-processor shall notify the Customer of the legal requirement prior to Processing taking place, unless such notification is prohibited on the grounds of an important public interest under the law in question.
- During the term of the Data Processing Agreement and thereafter, the Supplier shall have the right to store and process data derived from the Customer in aggregated or anonymised form, i.e. data that does not contain Personal Data.
Security, etc.
- The Supplier shall take the technical and organisational measures necessary under the Data Protection Regulations to ensure an appropriate security level in relation to the risk and to protect the Personal Data that is Processed against accidental or unlawful destruction, loss or alteration, unauthorised disclosure or unauthorised access to the Personal Data that is Processed.
- The Supplier shall take the measures required to fulfil Article 32 of the General Data Protection Regulation.
- The Supplier shall assist the Customer in ensuring that the obligations under Articles 32-36 in the General Data Protection Regulation have been met, taking into account the type of Processing and the information available to the Supplier.
Disclosure of Personal Data and information
- In the event that the Supplier receives a request from the Data Subject, Supervisory Authority or another third party for access to information that the Supplier Processes on behalf of the Customer, the Supplier shall forward the request to the Customer without undue delay. The Supplier shall not disclose Personal Data or information about the Processing of Personal Data without explicit instruction to do so from the Customer, unless such an obligation arises pursuant to the applicable Data Protection Regulations.
Requests from Data Subjects
- Through technical and organisational measures that are appropriate in relation to the nature of the Processing, the Supplier shall assist the Customer to the extent possible so that the Customer can fulfil its obligation to respond to requests from Data Subjects when a Data Subject exercises its rights pursuant to the Data Protection Regulations, which may include the right to obtain information (extracts from registrations) and correcting, blocking or deleting of Personal Data at the request of the Data Subject.
- From and including the Contract Date, the Supplier shall ensure that the Customer can fulfil any obligations to enable data portability for Personal Data Processed by the Supplier on behalf of the Customer.
Contact with the Supervisory Authority
- The Supplier shall inform the Customer of any contact from the Supervisory Authority in relation to the Processing of Personal Data. The Supplier shall not be entitled to represent the Customer or to act on behalf of the Customer in dealings with the Supervisory Authority.
- Personal Data may be Processed by a Sub-processor subject to the Supplier, on behalf of the Customer, entering into a written agreement or other legal agreement under EU law under which the Sub-processor is subject to the corresponding data protection requirements that the Supplier is subject to under this Data Processing Agreement. The Customer shall be entitled to object to such changes on objective grounds relating to the security of the Processing. If the Customer, on objective grounds, objects to the change, the Supplier shall be entitled to additional compensation from the Customer for the costs incurred by the Supplier as a result of the Sub-processor in question not being used.
- The Supplier shall have a particular responsibility for ensuring that Articles 28.2 and 28.4 of the General Data Protection Regulation are taken into account when using Sub-processors and to ensure that such Sub-processors provide adequate guarantees that they will take the appropriate technical and organisational measures in such a way that the Processing fulfils the requirements set down in the General Data Protection Regulation.
- If a Sub-processor fails to fulfil its data protection duties, the Supplier shall be liable for the performance of the Sub-processor’s duties in relation to the Customer.
Right to access
- The Supplier shall, within a reasonable period of time after receiving the Customer’s request, provide the Customer with access to all information required to demonstrate that the obligations arising from Article 28 of the General Data Protection Regulation have been fulfilled, as well as enabling and contributing to audits, including inspections, performed by the Customer or another independent auditor authorised by the Customer and that can reasonably be accepted by the Supplier.
Transfer of Personal Data outside of the EU/EEA
- The transfer of Personal Data by the Supplier or Sub-processors to any location outside of the EEA may be performed, provided that the applicable requirements concerning such transfers under the Data Protection Regulations are met.
- The Supplier shall have a duty to ensure that the persons authorised to Process Personal Data have undertaken to observe the confidentiality of such Processing or are subject to an appropriate statutory non-disclosure agreement. This duty shall not apply to information that the Supplier is required to disclose to authorities or required to disclose under Data Protection Regulations or other statutory requirements (including decisions of an authority or court). The duty of confidentiality shall apply for the duration of the Agreement and for a period of three (3) years thereafter, unless an extended subsequent period is agreed between the Parties.
Data portability
- The Supplier shall ensure that the Customer can fulfil any obligations to enable data portability for Personal Data Processed by the Supplier on behalf of the Customer.
- The Supplier shall be entitled to reasonable compensation for all work and all costs arising from the Customer’s Processing instructions, where such instructions extend beyond the features and security level that follow from the services that the Supplier ordinarily offers to its customers or that require the Supplier to perform custom adaptations on behalf of the Customer.
- If the Supplier, the Supplier’s employees or a Sub-processor engaged by the Supplier Process Personal Data in violation of this Data Processing Agreement or the lawful instructions issued by the Customer, the Supplier shall compensate the Customer for any direct losses incurred by the Customer as a result of improper Processing subject to the applicability of any limitations of liability arising from the Agreement. Notwithstanding the limitation of liability under the Agreement, the Supplier’s liability under this Clause 14.1 shall always be limited to an amount corresponding to the fees paid by the Customer to the Supplier under the Agreement for a period of twelve (12) months before the damages occurred.
- The Customer shall indemnify the Supplier for all direct or indirect damages, which also includes claims from Data Subjects arising from the Supplier’s violation of Data Protection Regulations due to unclear, inadequate or unlawful instructions from the Customer, inadequate information from the Customer as to which data categories are Processed (e.g. whether sensitive Personal Data is processed without the Customer having informed the Supplier of the matter) or otherwise arising due to circumstances for which the Customer is responsible.
- The Supplier’s liability for claims and damages under this Clause 14 shall apply provided that i) the Customer has informed the Supplier in writing and without undue delay of any claims raised against the Customer and ii) the Customer allows the Supplier to control the defence of the claim and exclusively decide on any settlement.
Contract term and measures in the event of termination
- The Data Processing Agreement shall apply from the date on which the Agreement was entered into and for as long as the Supplier Processes Personal Data on behalf of the Customer pursuant to the Agreement or for other reasons.
- Nevertheless, the Supplier shall be entitled to terminate this Data Processing Agreement or the Agreement (including this Data Processing Agreement) with immediate effect through written notice to the Customer if (i) the Customer’s instructions on the Processing of Personal Data are inadequate or incorrect and correction does not take place within seven (7) days of the Supplier notifying the Customer of the issue; or (ii) the Customer furnishes the Supplier with categories of Personal Data other than what is covered under the applicable instructions on the Processing of Personal Data or otherwise furnishes the Supplier with Personal Data that violates the applicable instructions and the Customer fails to correct the matter within seven (7) days of being notified by the Supplier; or (iii) the Customer does not make payment in accordance with the Agreement (including this Data Processing Agreement) and the matter is not corrected within seven (7) days of notice from the Supplier; or (iv) other material breach of the Agreement (including this Data Processing Agreement) occurs on the part of the Customer and the matter is not corrected within seven (7) days of notice from the Supplier.
- Upon the expiration of the Agreement or the Data Processing Agreement (whichever occurs first), the Supplier shall, depending on the Customer’s choice as reported to the Supplier, delete all Personal Data and ensure that each Sub-processor does the same, but the Supplier shall first ensure that the Customer has the opportunity to retrieve a copy of all Personal Data. If the Customer does not instruct the Supplier as to how Personal Data should be provided, the Supplier shall delete the data no later than three (3) months after the expiration of the Agreement or Data Processing Agreement (whichever occurs first). The Supplier shall delete any existing copies, provided that storage of Personal Data is not required under EU law or national law in the member state in question.
Changes to the Data Processing Agreement
- In the event that the Data Processing Agreement, due to changes to the Data Protection Regulations or guidelines, or decisions or regulations issued by the Supervisory Authority, no longer meets the requirements applicable to data processing agreements, the Parties shall discuss any necessary changes to this Data Processing Agreement in good time in order to meet any such new or additional requirements. Such changes shall enter into force in accordance with the Parties’ written agreement thereto or otherwise no later than within such a period of time as specified in the Data Protection Regulations or guidelines, or decisions or regulations issued by the Supervisory Authority. The Supplier shall be entitled to reasonable compensation for any work, costs and expenses incurred as a result of such changes.
- Other changes and additions to this Data Processing Agreement shall be established in writing and duly signed by the Parties in order to be binding.
- Otherwise, what is set down in the Agreement shall also apply to the Supplier’s Processing of Personal Data and the duties arising under this Data Processing Agreement. In the event of discrepancies between the provisions set down in the Agreement and this Data Processing Agreement, the provisions in the Data Processing Agreement shall take precedence in relation to all Processing of Personal Data and nothing in the Agreement shall be considered to limit or change the duties specified in this Data Processing Agreement to the extent that this would result in either party being unable to comply with the requirements set down in Data Protection Regulations.
- In all cases, Swedish law shall apply to the Supplier’s Processing of Personal Data under this Data Processing Agreement.
- Any disputes that arise from this Data Processing Agreement shall be resolved in accordance with the dispute resolution provisions in the Agreement.
Appendix A) Instructions on the Processing of Personal Data
The following instructions shall apply to the Processing of Personal Data for which the Customer is the data controller. In addition to what has already been set down in this Data Processing Agreement, the Supplier shall adhere to the following instructions:
Processing of Personal Data
| Item | Details |
|---|---|
| Purpose (please specify all purposes for which Personal Data will be Processed by the Supplier) | Storage and processing of personal data for the purpose of using the tool in the company’s project management: planning; time reporting and reporting of work performed; certification; documentation of events throughout the entire project life cycle. |
| Categories of Personal Data (please specify the categories of Personal Data that will be processed by the Supplier) | Name, nickname, initials, photographs, address, telephone number, e-mail address, date of birth, personal identification number, employee number, login details, next of kin and their contact details. |
| Categories of Data Subjects (please specify all categories of Data Subjects whose data will be processed by the Supplier) | Skilled workers, officials, subcontractors, customers, prospective customers and other partners. |
| Retention period (please specify the retention period after which the Personal Data Processed by the Supplier will be deleted) | In accordance with the instructions provided by the Customer or upon request. |
| Practical Processing (please specify how Processing will take place) | Recording, storage, back-up management. In connection with training and support work, performing registrations in the system for the purpose of exemplifying and/or troubleshooting. |
| Transfer between systems | The transfer of all necessary data between the System and adjacent systems such as finance, payroll, procurement, supplier invoice scanning systems, etc. |
| IT security measures | Physical access to data and systems: Next One Technology AB hires a subcontractor for the server environment and operations; the Supplier guarantees that it takes the necessary measures to ensure that unauthorised persons cannot access premises and systems where Personal Data is processed. System security: Next One Technology AB performs all necessary updates, continuously and as required, to underlying systems and uses applications that Process Personal Data in accordance with Supplier recommendations and the following generally accepted practices for this type of system. Application security: System users have access to Personal Data only through individual logins using encrypted communication. Data availability: Access to Personal Data is assigned to authorised personnel to the extent that measures are necessary to maintain the purchased service and to perform measures ordered by the data controller; authorised personnel connect to the system through methods that ensure an adequate level of data security and traceability; authorised personnel are continuously reviewed. Use of subcontractors: Subcontractors are used only after checking suitability with regard to security awareness; subcontractors are engaged only under contracts that ensure an adequate level of data protection. |