Data processing agreement

Version 20230511

(“Agreement”)

The Parties have entered into the Agreement, henceforth referred to as the “Main Agreement”, under which the Processor shall provide certain services to the Controller. The Main Agreement is an integral part of this Data Processing Agreement. All provisions in this Agreement shall be given the same definitions as in the Main Agreement. 

1. Between

  1. The Parties as defined in the main agreement.

2. Preamble

  1. Controller and Processor have concluded the reference Main Agreement for the provision of certain services (the reference agreement, further specified by individual agreements concluded as well as contracts, orders, and/or on-demand orders, hereinafter “Main Agreement”).
  2. Processor processes personal data on behalf of the Controller to fulfill the Main Agreement. Controller determines the purpose and means of data processing. The Controller itself can be a processor and its principal is then the main controller. In that case, Controller’s principal determines the purpose and means of data processing. 

3. Subject matter of this agreement

  1. This Agreement governs the collection, processing, and use of personal data (together “Processing” and “Process”) by Processor.
  2. The services to be provided (“Services”) are described in the Main Agreement for the purpose of documentation and effective privacy monitoring.
  3. According to this Agreement, Controller or, if applicable, Controller’s principal, shall remain responsible for processing as controller. Processor shall be the processor.

4. Type and purpose of the processing

  1. The type and purpose of the intended processing is set forth in Appendix 1 (Instructions for the processing of data) of this Agreement.

5. Technical and organizational measures

  1. For the purpose of processing, the Processor shall implement technical and organizational measures (“TOMs”) for the protection of Controller data which comply with the legally applicable requirements. The TOMs implemented within the scope of the Agreement ensure the confidentiality, integrity, availability and resilience of the systems and Services in the long run, in connection with the processing of Controller data.
  2. Processor is type II certified within the SOC 2 framework issued by outside auditors. The certification is based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy. The parties agree that SOC 2 certification and compliance with these “trust service principles” shall constitute the TOMs of this Agreement.
  3. Controller has the right to review Processor’s latest SOC 2 certification documents upon request.
  4. Controller has the right to suspend the Main Agreement for the period during which the level of protection is not sufficient as defined above. During the suspension of the Main Agreement, Processor does not have the right to demand the agreed payment or reimbursement for damages and expenses.

6. Rectification, restriction, and erasure of Controller data; data portability

  1. Processor is obligated to rectify, restrict, or erase Controller data only after being instructed to do so by the Controller.
  2. Processor shall store Controller Data in a structured, commonly used and machine-readable format.

7. Processor’s obligations 

  1. Processor may Process Controller data only within the scope of this Agreement, for the agreed-upon purpose, with the agreed-upon means and according to Controller’s instruction, unless Processor is obligated to different processing according to applicable national or EU law. Processor shall inform the Controller of such an obligation before starting the activities according to this Agreement. (i) Processing Controller Data for other purposes, (ii) duplicating Controller data, except for backups if they are an integral part of the services or are necessary to ensure proper Processing, or (iii) transfer of Controller data to third parties except and to the extent as expressly stipulated by this Agreement or approved in advance in writing by the Controller, is prohibited. This restriction also applies if the Controller data is anonymized or pseudonymized.
  2. Processor shall process and store Controller data separately from its own personal data and that of other principals and shall sufficiently protect Controller data from being accessed by third parties.
  3. Processor shall at Controller’s request verify and ensure that it and its Sub-processors comply with the provisions in this Agreement. Processor shall document its assessment in writing and shall make the corresponding documents available to Controller within six (6) weeks of Controller’s request.
  4. Processor shall fulfill its own documentation obligations according to data protection laws and keep that documentation up to date. Controller has the right to access and inspect that documentation. Upon request, Processor shall help Controller to create the Controller’s own required documentation in accordance with data protection laws (e.g., records of processing activities). Processor shall provide Controller upon request with the necessary information for such documentation.

8. Location of Processing

  1. Other than what is established in this Agreement, including its appendices, the Processor is not allowed to process Controller data in a third country outside of the EU/EES or a country decided by the Commission to have an adequate level of protection without the explicit written consent of The Controller. Such processing is however allowed if the processing is required by applicable legislation, and in any such case the Processor shall inform The Controller before the processing is executed.
  2. If the Processor hires a Sub-processor that will process Controller data outside of the EU/EES or a country decided by the Commission to have an adequate level of protection, and there are no binding corporate rules in place approved by the competent supervisory authority in accordance with Article 47 GDPR, the Processor and Sub-processor shall enter into an agreement based on Standard Contractual Clauses (“SCCs”) assuring that the processing is covered by additional safety measures complying with data protection regulations (e.g. technical, contractual, and organizational measures). Upon request, the Processor shall provide the Controller with a copy of such an agreement.
  3. In addition to what is stated above in this section 8, the Processor shall, before it transfers any data to a third country, perform and document a risk assessment according to the European Data Protection Board’s Recommendations 01/2020 and 02/2020. The risk assessment shall be made available to the Controller upon its written request.

9. Confidentiality obligation and data protection officer

  1. Processor shall bind all persons authorized to process Controller data to confidentiality unless they are already subject to an appropriate statutory obligation of confidentiality. The duty of confidentiality shall continue after termination or expiration of the Agreement. Processor shall document this obligation and shall provide Controller with appropriate verification within six (6) weeks of Controller’s request or within the scope of its audits according to Clause 12 of this Agreement. Processor shall inform all persons authorized to Process Controller data of their obligations according to this Agreement.

  2. Processor shall – to the extent required by law – appoint a data protection officer, who can carry out his or her activities according to legal provisions. Processor shall provide Controller upon request with the data protection officer’s contact information for the purpose of direct communication.

10. Inquiries from data subjects and authorities

  1. Processor shall immediately inform Controller of inquiries from data subjects and authorities as well as of any audit activities, measures, or investigations of an authority and shall forward such inquiries to Controller if and to the extent they concern Controller data. Processor is not authorized to answer inquiries about this Agreement from data subjects, authorities or other third parties without explicit instruction from Controller. Processor is obligated to support Controller comprehensively in providing information to authorities or other third parties and in fulfilling the rights of the data subjects in connection with the processing of Controller data.
  2. If Processor is legally obligated to answer the inquiry of a competent authority itself or to comply immediately with an order itself, then Processor shall inform Controller of this without delay and in advance in order to enable Controller to prevent access to Controller data.

11. Engagement of Sub-processors

  1. Processor has the right to engage other processors (“Sub-processors”) for carrying out specific processing activities according to this Agreement only with Controller’s prior written consent. Employing Sub-processors to carry out substantial processing operations shall not be permitted unless this is explicitly an integral part of the Main Agreement. Controller already agrees to the Sub-processors listed in Appendix 2 (Authorized Sub-processors) of this Agreement. Controller may not unreasonably refuse the use of Sub-processors if the requirements in Clause 5 of the Agreement are fulfilled.
  2. Processor shall make sure the agreement with Sub-processors complies with the stipulations in this Agreement, applies the same data protection obligations to Sub-processor as set out in this Agreement and ensures the protection of Controller data in the same manner as this Agreement. Clause 8 of this Agreement (Location of Processing) shall apply correspondingly. Upon conclusion of the agreement with Sub-processor, Processor shall upon request provide Controller with a copy of the legally signed sub-contract agreement. 
  3. Controller can demand at any time that a Sub-processor is replaced for cause or that Processor itself carries out the Processing. A cause includes, without limitation, a violation of Clause 5 of this Agreement. If there is a cause and Processor cannot replace the Sub-processor or carry out the work itself, then according to Clause 5, Controller has the right to terminate the Agreement for cause.

12. Controller’s audit rights and Processor’s duties to cooperate

  1. Controller shall be entitled, before the commencement of the Processing and, in its sole discretion regularly thereafter, to audit and inspect Processor’s compliance with the terms and conditions of this Agreement. Controller has the right to carry out the audit itself or to assign the audit to third parties bound to confidentiality obligations. Processor may reject the assignment to specific third parties for cause. Controller shall endeavor not to interfere with Processor’s normal business operations.
  2. Processor shall grant Controller access for audit purposes to Processor’s facilities during regular business hours. Controller shall notify Processor in writing of an on-site audit, if possible, two (2) weeks in advance. If Controller has reasonable suspicion that Processor is violating an applicable data privacy law or this Agreement in a substantial manner, then Controller has the right to an on-site audit at any time without prior notice. If during an audit Controller finds any violations or irregularities, it shall grant Processor an appropriate period to remedy those violations or irregularities completely. Processor shall at its own cost take all necessary measures to remedy all violations or irregularities found.
  3. Processor shall support Controller during the audits and grant Controller access to all documents, papers, and file records necessary for the audit as well as to allow Controller to inspect its systems to the extent they are used in connection with Processing of Controller data according to this Agreement.
  4. Processor may offer and provide substantive documentation to Controller to demonstrate and prove compliance with the provisions in this Agreement. Controller’s right to carry out on-site audits remains unaffected; Controller shall decide in its sole discretion as to whether an on-site audit is necessary after submission of the documentation.

13. Authority to issue instructions

  1. Processing of Controller data shall take place only within the scope of the provisions in this Agreement and according to Controller’s individual instructions. Processor shall only be bound to comply with Controller’s instructions as listed in Appendix 1.
  2. Within the scope of this Agreement, Processor is not obliged to accept new instructions from Controller if they deviate from the instructions as listed in Appendix 1. If new instructions cannot be accepted by Processor, both parties shall have the option to mutually terminate the Main Agreement and this Agreement. Any changes to the subject matter of the processing and the purpose of processing shall be subject to a mutual agreement in writing.
  3. Processor shall immediately notify Controller if Processor reasonably believes that any of the Controller’s instructions violate statutory provisions. Upon prior notification within reasonable time, Processor may suspend implementation and/or compliance with the relevant instruction until its legitimacy is confirmed by the Controller in writing or until it is modified by the Controller accordingly.

14. Processor’s reportable incidents

  1. Processor shall inform Controller without undue delay but no later than 24 hours after having become aware of an incident or regarding a violation of security that, irrespective of being unintentional or unlawful, leads to destruction, loss, alteration, or unauthorized disclosure of or unauthorized access to Controller data that was transferred, stored, or processed otherwise (“Incident”). Verbal notices shall immediately be confirmed in writing or via email. The written notice shall contain, in particular, a description of the nature of the Incident, including, when possible, the categories and approximate number of data subjects concerned, the categories and the approximate number of Controller Data and datasets concerned, and a description of the likely consequences of the Incident.
  2. In the event of an Incident, Processor, in consultation with Controller, shall immediately take the necessary steps to secure Controller data and to reduce possible detrimental consequences for data subjects. Processor shall inform Controller regularly of developments and new findings and shall make available to Controller without undue delay comprehensive documentation about the Incident and its investigation, including, to the extent that it is appropriate and technically possible, a root cause analysis as well as information about the corrective measures taken.
  3. If, in the event of an Incident, Controller or its principal is required to comply with statutory notification obligations to authorities and data subjects, Processor shall immediately support Controller to create the notification by providing documents and other appropriate proof, and by answering all of Controller’s inquiries without undue delay. 

15. Liability and indemnity

  1. The liability limitations agreed upon in the Main Agreement do not apply to liability from and in connection with this Agreement or the processing of Controller data by Processor regardless of the legal basis of the liability claim.
  2. Each Party shall be liable for any damages caused by that Party’s processing of data in breach of applicable data protection regulation or this Agreement resulting in the other Party having to compensate a third party, including data subjects, for damages.
  3. Any administrative fines issued by the competent supervising authority shall be paid by the Party in breach of their obligations under applicable data protection regulation or this Agreement. 

16. Duration, term, and termination

  1. This Agreement shall be in effect as of the signing of the Main Agreement. The term shall be the same as that of the Main Agreement. However, the provisions in this Agreement shall apply after the term of this Agreement and of the Main Agreement as long as Processor has possession of the data that is covered by this Agreement and as long as there are further obligations resulting from the provisions of this Agreement that go beyond the term of the Main Agreement.
  2. Termination of the Main Agreement shall also lead to termination of this Agreement, with the exception stated in Clause 16.1.
  3. Controller has the right to terminate the Agreement for cause if:
    a) Processor violates this Agreement or statutory provisions and does not rectify the violation within thirty (30) days of receiving a written request from Controller; or
    b) Processor violates provisions stipulated in Clauses 7 to 14 in this Agreement in a substantial manner.
  4. Statutory rights to terminate for cause shall remain unaffected.

17. Rights regarding Controller data and Processor’s obligations after termination of this Agreement

  1. All of Controller data storage devices and Controller data shall remain the property of Controller. Furthermore, Controller shall retain all rights to know-how, copyrights, other usage rights and other intellectual property rights to Controller data or other information entrusted to Processor within the scope of this Agreement.
  2. Upon termination or expiration of this Agreement or at any time upon Controller’s request, Processor shall return to Controller all Controller data obtained from Controller or obtained otherwise in connection with provision of the services under this Agreement as well as data media, documents, processing or usage results prepared, and databases that are related to this Agreement, or delete them upon Controller’s instruction in a technically secure and irreversible manner unless and to the extent of an obligation under applicable national or EU law to archive such Controller data. The record of deleting and/or destroying the data shall be presented to Controller upon request. Processor shall bear the costs incurred in connection with the obligations under this Clause.
  3. Documentation that serves the purpose of verifying Processing according to the Main Agreement and applicable law shall be archived by Processor after termination or expiration of the Agreement according to the relevant statutory period of retention. To discharge itself, Processor may transfer that documentation in its entirety to Controller upon termination or expiration of the Agreement.

18. Measures by third parties

  1. If Controller’s property, including all Controller data, is endangered by third-party measures, including but not limited to search and seizure, an attachment order, confiscation during bankruptcy, insolvency, or settlement proceedings, Processor shall inform Controller immediately.
  2. Processor shall also inform the above-mentioned third parties that Controller has the sole rights of disposal and rights to ownership of the Processed Controller data, and of those statutory provisions that restrict the handling of this data.

19. Place of jurisdiction and applicable law

  1. This Agreement is governed by Swedish law.
  2. Regarding legal disputes that arise from this Agreement, the exclusive place of jurisdiction shall be Sweden. 
  3. Any dispute arising out of this Agreement shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (“SCC”). The Simplified Arbitration Rules shall apply unless, taking into account the severity of the case, the value of the subject matter of the dispute and other circumstances, the SCC determines that the Arbitration Rules shall apply. The seat of the arbitration shall be Stockholm.

20. Severability clause and form

  1. If and to the extent that a provision of this Agreement is unlawful, void, unenforceable or incompatible with the opinions of competent national or European authorities, that provision shall not affect the validity of the remaining provisions of the Agreement. The Parties agree that such an invalid provision shall be replaced by a valid one that corresponds most with the Parties’ original purpose regarding this Agreement.
  2. Amendments or supplements to this Agreement must be made in writing. The same applies to amending or cancelling the written form requirement.
  3. In the event of inconsistencies between this Agreement and the Main Agreement or another agreement, the provisions of this Agreement shall take precedence.

Appendix 1 – Instructions for the processing of data

Appendix 2 – List of approved Sub-processors