DPA
1. Introduction
1.1 - This Data Processing Agreement (the “DPA”) is entered into on the date of signing between the parties of the Service Agreement to which this DPA is an appendix (the “Agreement”).
1.2 - Defined words used in the Agreement shall be given the same meaning when used in this DPA, unless the context in which they are used clearly indicates otherwise. The contact details of the Supplier for the purposes of this DPA are set forth in the Platform, and the contact details for the Company for the purposes of this DPA are those provided by the Company when creating its Account or, where applicable, as set forth in the Main Agreement.
1.3 - Pursuant to the undertakings which follow from the Agreement, the Supplier may process personal data as well as other information on behalf of the Company. As a consequence, the Parties are entering into this DPA to govern the conditions for the Supplier’s Processing of, and access to, Personal Data belonging to the Company.
1.4 - The DPA comprises this document and the appended Instruction, Appendix I. In the event of any contradictions between this document and the Instruction, this document shall take precedence, unless otherwise specifically stipulated or clearly indicated by the circumstances.
1.5 - The DPA shall apply to all agreements executed between the Parties in which the Supplier is the Processor on behalf of the Company, and the DPA shall remain in force for as long as the Supplier Processes Personal Data on the Company’s behalf.
2. Definitions
Unless the circumstances clearly indicate otherwise, definitions or terms used in this document shall be defined as set forth below. Any term which is used in the GDPR (as defined below) and which is not stated below shall have the meaning which follows from Article 4 of the GDPR.
Other Regulation means national laws which, from time to time, apply to Processing of Personal Data (excluding the GDPR)
Processing means an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation)
Instruction means the instructions which the Company gives to the Supplier within the scope of this DPA
Personal Data means any information relating to an identified or identifiable natural person, whereby an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
Controller means a natural or legal person, public authority, institution, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union law or Member State law
Processor means a natural or legal person, public authority, institution, or other body which processes Personal Data on behalf of the Controller
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed
Data Subject means the living natural person whose Personal Data is Processed
3. Generally regarding the Processing of Personal Data
3.1 - The Company is the Controller of the Personal Data which is Processed within the scope of the Agreement, and the Supplier is regarded as the Processor on behalf of the Company.
3.2 - The Supplier has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing of Personal Data meets the requirements of the GDPR and any Other Regulation, and ensures protection of the rights of the Data Subject.
3.3 - Taking into consideration the nature of the Processing, the Supplier shall assist the Company by taking suitable technical and organisational measures, to the extent possible, to enable the Company to perform its obligation to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the GDPR.
3.4 - If the Supplier believes that the Instruction or other instruction or notification from the Company would conflict with the GDPR or any Other Regulation, the Supplier shall be entitled to notify the Company and defer the Processing in question.
4. Purpose and type of Personal Data etc.
The Instruction shall, inter alia, state the subject of the Processing, the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects.
5. The Supplier’s personnel etc.
5.1 - The Supplier, its employees, and other persons who perform work under the Supplier’s supervision and who gain access to Personal Data belonging to the Company may only process such Personal Data on the Company’s instruction, unless such person is obligated to do so pursuant to Union law or Swedish national law.
5.2 - The Supplier shall ensure that its employees and all other persons for whom the Supplier is liable and who are authorised to process Personal Data covered by this DPA have undertaken to maintain confidentiality (unless such person is subject to an appropriate statutory confidentiality obligation).
6. Security
6.1 - The Supplier shall take all safeguards required under Article 32 of the GDPR.
6.2 - Taking into consideration the type of Processing and the information which the Supplier has, the Supplier shall assist the Company in ensuring that the obligations regarding security can be satisfied in a manner which follows from Article 32 of the GDPR.
6.3 - In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data which is transferred, stored, or otherwise processed.
7. Personal Data breach
Taking into consideration the type of Processing and the information available to the Supplier, the Supplier shall assist the Company in ensuring that the obligations arising due to any Personal Data Breach can be fulfilled in a manner as required in Articles 33-34 of the GDPR.
8. Impact assessment and prior consultation
Taking into consideration the nature of the Processing and the information which is available to the Supplier, the Supplier shall assist the Company in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the GDPR.
9. The Instruction
9.1 - The Supplier may only process the Personal Data which is covered under this DPA on the Instruction (including in respect of transfers of Personal Data to a third country or an international organisation, provided such Processing is not required pursuant to EU law or the national law of a Member State to which the Supplier is subject and, in such case, the Supplier shall inform the Company of the legal requirement before the data is Processed, unless such information is prohibited with reference to an important public interest under relevant national law).
9.2 - The Company shall be entitled to update the Instruction from time to time. The Supplier shall be entitled to compensation for additional costs incurred if the Company modifies the Instruction.
10. Sub-processors
10.1 - The Supplier has the Company’s general authorisation for the engagement of sub-processors. The Supplier shall inform the Company in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Company the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s) (however, any objection must be based on an objectively acceptable reason). Longer time periods of prior notice for specific sub-processing services can be provided in Appendix II. The list of sub-processors already authorised by the data controller can be found in Appendix II.
10.2 - Where the Supplier engages a sub-processor for carrying out specific processing activities on behalf of the Company, the Supplier shall ensure that any such sub-processor enters into a written personal data processor agreement before the sub-processor begins work related to the Company. Any such personal data processor agreement must contain the undertakings and obligations which follow from the DPA. In any such a personal data processor agreement, the sub-processor shall provide sufficient warranties in respect of taking suitable technical and organisational measures so that the Processing meets the requirements of the GDPR.
10.3 - In the event the sub-processor fails to fulfil its obligations, the Supplier shall be liable to the Company for the performance of the sub-processor’s obligations.
10.4 - The Supplier is aware that it must comply with the provisions regarding retention of sub-processors.
11. Transfer to a third country
The Supplier may move, store, transfer, or otherwise process Personal Data belonging to the Company outside of the EU/EEA, provided such transfer meets the requirements and undertakings which follow from the GDPR.
12. Right to transparency
The Supplier shall grant the Company access to all information which is required and necessary to enable the Company to verify compliance with the obligations which follow from Article 28 of the GDPR and to enable and assist in audits, including inspections, which are conducted by the Company or by an examiner authorised by the Company. The Supplier shall, at all times, be entitled to reasonable notice in the event the Company wishes to exercise its right to conduct an audit or inspection and the Company shall compensate the Supplier for its costs incurred in connection with any such audit or inspection.
13. Compensation
The Supplier shall receive compensation for verified additional costs for measures which it takes in respect of Processing of Personal Data in accordance with the DPA or as a consequence of the DPA otherwise.
14. Liability
In the event the Parties have reached an agreement regarding limitation of liability in another agreement, such limitation of liability shall also apply to this DPA. In the event the Parties have not reached an agreement regarding such a limitation of liability, a Party’s liability under this DPA or as a result of the Processing which is covered under the DPA shall be limited to one hundred thousand kronor (SEK 100,000). Notwithstanding anything to the contrary contained herein, the following shall apply. If the Supplier’s wrongful processing of Personal Data is a result of the Company’s wrongful acts or instructions, the Company shall compensate the Supplier for any eventual administrative fees or damages which the Supplier shall pay as a consequence of such acts/instructions (whereupon any limitation of liability provision, for the avoidance of doubt, shall not apply).
15. Termination of the DPA
15.1 - When the Supplier discontinues Processing Personal Data on behalf of the Company, the Supplier shall return all Personal Data to the Company in the manner instructed by the Company or, upon the Company’s written notice, destroy and erase all Personal Data which is associated with the DPA.
15.2 - Following termination of the DPA, the Supplier shall not be entitled to save any Personal Data belonging to the Company and, as soon as the Supplier has complied with the provisions of Clause 15.1 above, the Supplier’s right to process or otherwise use Personal Data belonging to the Company shall cease (provided storage of Personal Data is not required pursuant to national law or Union law, or the Supplier has legal grounds to process relevant Personal Data).
16. Confidentiality
16.1 - The Parties hereby undertake, during the term of the DPA and thereafter, not to disclose to any third party information regarding the DPA, nor any other information which the Parties have learned as a result of the DPA, whether written or oral and irrespective of form (“Confidential Information”). The Parties agree and acknowledge that the Confidential Information may be used solely for the fulfilment of the obligations under the DPA and not for any other purpose. The receiving Party further agrees to use, and cause its directors, officers, employees, sub-contractors or other intermediaries to use, the same degree of care (but not less than reasonable care) to avoid disclosure or use of Confidential Information as it uses with respect to its own confidential and/or proprietary information.
16.2 - This confidentiality undertaking does not apply to information which
i) at the date of its disclosure is in the public domain or at any time thereafter comes into the public domain (other than by breach of this DPA); or
ii) the receiving Party can evidence was in its possession or was independently developed at the time of disclosure and was not obtained, directly or indirectly, by or as a result of breach of a confidentiality obligation.
16.3 - Neither shall this confidentiality undertaking apply to the extent that any Party is required to make a disclosure of information by law or pursuant to any order of court or other competent authority or tribunal or by any applicable stock exchange regulations or the regulations of any other recognised market place. In the event that any Party would be required to make any such disclosure, each Party undertakes to give the other Party immediate notice prior to any such disclosure. Each Party also agrees and undertakes to use its best efforts to ensure that any information disclosed under this section, to the extent possible, shall be treated confidentially by anyone receiving such information.
17. Assignment of the DPA
Neither Party shall be entitled to assign its rights and/or obligations under the DPA, in whole or in part, without the prior written consent of the other Party.
18. Governing law and jurisdiction
18.1 - This DPA shall be governed by the substantive law of Sweden.
18.2 - Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless the Parties agree that it shall be Swedish.
18.3 - The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not be disclosed to a third party without the prior consent of the other Party. Exceptions to the foregoing shall only apply to the extent that disclosure may be required of a Party due to mandatory law, an order of a competent court or public authority, or to protect, fulfil or pursue a legitimate legal right or obligation or to enforce or challenge an award.
APPENDIX I TO DPA - INSTRUCTION
The following document is the Instruction.
Definitions used in this Instruction shall have the same meaning as in the DPA, unless the circumstances clearly indicate otherwise.
1. Contact Information
The contact details as set out or referred to in the Agreement shall apply also for the purposes of the DPA.
2. Processing of Personal Data
2.1 - Categories of Personal Data
Contact information such as full name, address, email address, phone number, work title, profile pictures and place of work
Registration data such as contact information (as described above) and other information provided in connection with the creation of an Account
User data such as communication data generated in connection with the use of the Service, the terms for a certain User’s right to use the Service (as decided by the Company), and information about the usage of the Service
Payment data such as information about invoicing address, payment card details etc.
Data contained in Assets (i.e., any digital assets, such as video, audio, pictures and similar, which are uploaded by the Company in the Service)
Other data which the Company (or anyone acting on behalf of the Company) chooses to upload in the Service or otherwise communicate with the Supplier, such as requests, preferences etc.
2.2 - Special categories of Personal Data
Assets may include special categories of Personal Data to the extent the Company (or anyone acting on behalf of the Company) uploads such content.
2.3 - Categories of Data Subjects
Persons who are included in Assets, such as persons seen and/or heard in movie clips
The Company’s employees
Representatives of the Company’s subcontractors and clients
2.4 - Purpose and categories of the Processing
The Supplier will Process the Personal Data for the general purpose of providing the Service to the Company in accordance with the Agreement, including in accordance with the Company’s instructions. Any instructions which are explicitly or indirectly provided through the Company’s use of the Service (such as any settings made in the Service) shall, for the avoidance of doubt, be regarded as instructions provided by the Company for the purposes of the DPA. In further detail, Personal Data will be Processed for the following purposes:
For the provision of the Service, including, inter alia, to enable the provision of an Account, adjust the user interface, offer relevant functions, provide relevant content
For communication about and within the Service, such as providing information about updates within the Service and providing relevant offers/subscription plans
To enable payment of the Service
3 - Security measures
3.1 - Technical and organisational security measures
Taking into consideration the type of Processing and the information which the Supplier has, the Supplier takes, for instance, the following technical and organisational security measures:
Encryption
Organizing information in four different security classes according to ISO 27001/20000
Login with two-step verification and single sign-on (SSO)
Great focus on security-related work and staff training
Information classification
Continuously monitoring the access to information
Subcontractors are chosen with great care
Entering into confidentiality agreements
3.2 - Storage minimisation
Normally, Personal Data shall be deleted within one year after the termination of a service agreement. This applies unless Processing is required due to a legal obligation (for example, to fulfil the obligation to keep accounts) or to safeguard someone’s rights and/or interests in the event of a legal claim, in which case Processing may take place during a longer period. When Personal Data is no longer required for such purposes, it shall be deleted.
APPENDIX II TO DPA - APPROVED SUB-PROCESSORS
This appendix specifies the sub-processors approved by the Company. Such sub-processors will Process the Personal Data of which the Company is the Controller.
Amazon
Cloud Storage
Cognitive Services
Media Processing
Streaming Services
Analytics
Email
Two-Factor Authentication
Microsoft
Cloud Storage
Cognitive Services
Media Processing
Single Sign-On (SSO)
Streaming Services
Stripe
Online Payments
Functional Software Inc, dba Sentry
Error Tracking and Debugging
Twilio
Email
Two-Factor Authentication
Ably
Real-Time Publish & Subscribe Messaging
Customer.io
Email
Retool
Statistics