– hereinafter referred to as “Data Controller” –
84codes AB, reg.no. 556898-0782, and its wholly-owned affiliates
– hereinafter referred to as “Data Processor” –
This Data Processing Agreement (the “DPA”) is an enclosure to the Terms of Service (hereinafter referred to as Terms), agreed between the Data Controller and the Data Processor in connection with registration for the Service and regulates in detail the measures for processing personal related data under commission.
Unless otherwise defined in the Terms, all capitalized terms used in this DPA shall have the meaning given to them below:
Additional Instructions: means any instructions from Data Controller to the Data Processor which have not been fixed in this DPA upon its execution.
Applicable Data Protection Law: means EU Data Protection Directive 95/46/EC, or other EU legislation that may be declared from time to time, any national or internationally binding data protection laws or regulations applicable at any time during the term of this DPA on, as the case may be, the Data Controller or the Data Processor. “Applicable Data protection laws” includes any binding guidance, opinions or decisions of regulatory bodies, courts or other bodies, as applicable, as well as the forthcoming European Union General Data Protection Regulation (hereinafter referred to as “GDPR”) when it enters into force on the 25th May 2018 and the national laws adopted pursuant to the GDPR.
Terms: The Terms of Service for the Service Offering.
Data Controller: means the entity which determines the purposes and means of the Processing of Personal Data.
Data Processor: means the entity which Processes Personal Data on behalf of the Data Controller.
Data Subject: means an identified or identifiable individual, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data, an online ID or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data: means any information relating to an identified or identifiable individual, to the extent that such information is protected as personal data under Applicable Data Protection Law.
Personal Data Breach: means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the unauthorized or accidental destruction loss, alteration, unauthorized disclosure of or access to Personal Data.
Process or Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Service or Service Offering: means the Service provided by 84codes AB that is the base of the Terms and this DPA.
Subprocessor: means a third party subprocessor engaged by the Data Processor which, as part of the subprocessor’s role of delivering the services, will Process Personal Data on behalf of the Data Controller.
Supervisory Authority: means an independent public authority which is established pursuant to GDPR Article 51 for example in Sweden “Integritetsskyddsmyndigheten”.
Third Country: means a country or region outside the European Union (“EU”) or the European Economic Area (“EEA”).
This DPA applies to the Data Processor’s Processing of Personal Data on behalf of the Data Controller. The Data Processor shall Process Personal Data as necessary to perform the Service pursuant to the Terms and as further instructed by the Data Controller in its use of the Service. This DPA regulates the measures to protect Personal Data according to Art. 28 of the GDPR.
The Personal Data Processed by the Data Processor under this DPA and details of the Processing is described in Appendix 1 (“Data Processing Instructions”) attached to this DPA.
Additional Instructions or terms (if any) outside the scope of this DPA requires prior written agreement between Data Processor and the Data Controller. An agreement on any additional fees payable by Data Controller to the Data Processor for carrying out further instructions and/or terms must also be established.
The Data Controller shall be responsible within the framework of this DPA for complying with the legal provisions of the Applicable Data Protection Law, particular in relation to the allocation of Processing with respect to the Data Processor, and for the Processing itself.
The Data Controller has the right to give instructions to the Data Processor in the following subjects:
The instructions shall be written and at first be fixed in this
DPA and in
The Data Controller shall assure that its instructions and usage of the Service comply with the Applicable Data Protection Law and that the Data Controller’s instructions will not cause the Data Processor to be in breach of the Applicable Data Protection Law.
Notification(s) of information concerning the Processing or Personal Data Breach (if any), will be delivered to the Data Controller’s registered team notification email address Data Protection Officer (DPO) email address (if any). It is the Data Controller’s sole responsibility to ensure that it maintains accurate contact information on the service management console and secure transmission at all times.
The Data Controller has the right to perform controls of the technical and organizational measures taken by the Data Processor according to section 9 and as further described in Appendix 3 before starting the Processing and to check them afterward in regular intervals. These controls could also be performed by an independent auditor on behalf of the Data Controller.
The Data Controller shall inform the Data Processor without delay when it notices any mistakes or irregularities while performing controls according to section 2.5. The Data Processor shall without delay correct such errors or irregularities and notify the Data Controller when corrections have been made.
If claims are placed on one of the contracting parties by a Data Subject in connection with any claim as per Art. 82 of the GDPR, the contracting party concerned shall notify the other party without delay. The contracting parties shall support one another in defending the claim.
The Data Processor ensures that, during the term of this DPA, it has implemented and further undertakes to comply with appropriate technical and organizational measures in such a manner that its Processing of Personal Data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the Data Subject.
The Data Processor undertakes to only Process the Personal Data pursuant to the Data Controller's documented instructions and within the framework of the Service Offering, unless in exceptional cases as per Applicable Data Protection Law. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are set forth in this DPA and in Appendix 1 (“Data Processing Instructions”).
The Data Processor shall inform the Data Controller without undue delay if it would discover that an instruction of the Data Controller would violate the Applicable Data Protection Law. The Data Processor shall be authorized to interrupt the performance of this instruction until it is confirmed or changed by the responsible person of the Data Controller.
For the Processing of Personal Data, the Data Processor shall ensure to apply all measures which are defined in this DPA.
The Data Processor shall produce and update a list of all categories of activities which it carries out on behalf of the Data Controller including the compulsory specifications according to Art. 30 para. 2 of the GDPR as set out in Appendix 1.
The Data Processor shall not use the data for other purposes than specified by the Data Controller and shall not keep them any longer than the Data Controller has determined. Copies or duplicates may not be generated without knowledge of the Data Controller.
The Data Processor shall not view, access, edit, or use the Personal Data without specified permission, or when required to maintain the Service, or as necessary to comply with the law or binding order of the Supervisory Authority.
Processing by telecommuting is allowed for engineers of the Data Processor. The Data Processor ensures that the Processing by telecommuting complies with required data protection measures, meaning that the data is protected against unauthorized access. This means e.g., safe and encrypted end-to-end communication, no print-out possibility of Data Controller’s data in the home office, no access possibility to IT-Systems for an unauthorized person in the home office.
Data for testing purposes will be kept closed until the Data Controller instructs the Data Processor to destroy, erase or block it in accordance with the data protection law or to return it to the Data Controller. The erasure or destruction shall be confirmed to the Data Controller with a date in writing.
The Data Processor shall appoint the contact partner for the Data Controller for data protection questions arising within the framework of the Terms and this DPA. The Data Controller shall be notified on beforehand (or at least 2 weeks before) of any changes of the contact partner.
The Data Processor is obliged to ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality in writing before taking up the activity. Furthermore, the Data Processor shall ensure that its associates are sufficiently informed on the regulations of the GDPR as well as on further relevant data protection requirements and are familiar with the instructions of the Data Controller. The Data Processor shall supervise the compliance of the data protection regulations.
The Data Controller shall be obliged to respect the confidentiality of all business secrets and data protection measures of the Data Processor which may be disclosed within the framework of the contractual relationship.
The confidentiality and integrity obligation shall continue to apply also after termination of the contractual relationship.
The Data Processor shall without undue delay forward any request to the Data Controller from a Data Subject, Supervisory Authority or any other third party, who is requesting receipt of information regarding Personal Data that the Data Processor is Processing under this DPA. The Data Processor, or anyone working under the Data Processor’s supervision, shall not disclose Personal Data, or information about the Processing of Personal Data, without the Data Controller’s expressed instruction or as provided in this DPA, unless required by Applicable Data Protection Law. In the event that the Data Processor is obliged to disclose Personal Data according to Applicable Data Protection Law, the Data Processor shall take all measure to request confidentiality in connection with the requested information and immediately inform the Data Controller accordingly, unless the Data Processor is prevented from doing so under Applicable Data Protection Law.
Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by taking appropriate technical and organisational measures insofar as this is possible, in observing its legal obligations in relation to the rights of Data Subjects under Applicable Data Protection Law. This includes, but shall not be limited to, the Data Controller’s obligation to respond to requests concerning the right of Data Subjects to receive information and, upon request by Data Subjects, rectify, block or erase Personal Data.
The Data Processor shall assist the Data Controller in fulfilling potential duties under Applicable Data Protection Law to enable data portability regarding Personal Data which the Data Processor is Processing under this DPA.
The Data Processor shall inform the Data Controller any inquiries from Supervisory Authority concerning Processing of Personal Data under the DPA. The Data Processor is not entitled to represent the Data Controller or act on the Data Controller’s behalf in relation to Supervisory Authority.
The Data Processor may only subcontract Processing to third parties based on the Data Controller’s prior written consent. The Data Processor may use Subprocessors to fulfill its contractual obligations under this DPA or to provide specific services on its behalf, such as providing support services. The Subprocessors assigned by the Data Processor are listed in Appendix 3 to this DPA. For the Subprocessors referred to in Appendix 3, authorization is granted by the Data Controller upon execution of this DPA.
When engaging a Subprocessor, the Data Processor shall ensure the compliance with Art 28.2 and 28.4 of the GDPR. In particular, the Data Processor is responsible for ensuring that such Subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures, in such a manner that the Processing meets the requirements of Applicable Data Protection Law. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessor at least thirty (30) days before planned use of a new Subprocessor, thereby giving the Data Controller the opportunity to object to the change. The Data Controller shall notify the Data Processor of such objection within ten (10) days of receiving the notice of the change.
The Data Processor shall ensure by contract that the provisions fixed between the Data Controller and the Data Processor shall apply accordingly to the Subprocessor(s). Thus, the Data Processor shall enter into a written agreement with its Subprocessor(s). To the extent that the Subprocessor(s) is performing the same Processing services that are being provided by the Data Processor under this DPA, the Data Processor will impose on the Subprocessor(s) the same contractual obligations that the Data Processor has under this DPA.
The Data Processor shall on annual basis (or when necessary) verify the Subprocessor’s compliance with the DPA. The Data Processor shall document the results of these controls.
Subcontracting in the meaning of these provisions does not include any additional services ordered by the Data Processor from third parties to assist in the performance of the DPA, such as telecommunications services, maintenance or user support, cleaning, auditing or the disposal of data media. To ensure the protection and security of the Data Controller’s data, the Data Processor must conclude adequate and conformable to law agreements, and undertake monitoring activities, when any additional services are taken from third parties.
Within the area of its responsibilities, the Data Processor shall organize the internal organization in a way to meet the special requirements of data protection. The Data Processor will take technical and organizational measures to adequately protect the data of the Data Controller by meeting the requirements of Art. 32 of the GDPR.
The technical and organizational measures shall ensure the confidentiality, integrity, availability, and resilience of the systems and services related to the processing on a long-term basis. Measures must also be taken to restore the availability of Personal Data and access to them immediately after a physical or technical incident, as well as to use a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the safety of the Processing. The measures to be taken include the pseudonymization and encryption of Personal Data, to the extent it is necessary to ensure an appropriate level of security.
The technical and organizational measures taken by the Data Processor as per enclosed Appendix 2, are verified by the Data Controller by agreeing to this DPA, and are confirmed as being binding.
The Data Processor shall support the Data Controller in accordance with Art. 28 para. 3 e) of the GDPR as far as possible using appropriate technical and organizational protective measures to enable the latter to fulfill its existing obligations towards the Data Subject, as per section III of the GDPR. This may include for example the information and access provided to the Data Subject, the rectification or erasure and forgetting of data, the restriction of processing and the right to data portability or to object.
The Data Processor shall assist, in compliance with Art. 28 para. 3 f) of the GDPR to establish a data protection impact assessment (DPIA) according to Art. 35 of the GDPR and, where applicable, in the prior consultation of the Supervisory Authorities according to Art. 36 of the GDPR.
The Data Processor shall authorize the Data Controller to inspect the Data Processor’s compliance with Applicable Data Protection Law as well as its compliance with the Data Controller’s instructions by the latter or by third parties, especially by requesting information and inspecting the storage of Personal Data and the Processing systems or by inspections of the Data Processor’s premises. The Data Processor shall assure to support such inspections, if necessary.
The Data Processor shall provide the Data Controller with the necessary details and documents upon request, and in particular to provide evidence of the implementation of technical and organizational measures. If there is some information requested by the Data Controller that the Data Processor declines to provide, the Data Controller is entitled to terminate this DPA and the Terms.
The Data Processor shall immediately notify the Data Controller if the safety measures taken by the Data Processor differ from the requirements agreed upon, or if serious disturbances occur in the operating procedure, or in case of violations of Applicable Data Protection Law or the provisions made in this DPA by the Data Processor or the persons employed by it, as well as in the case of suspicion of data breaches as per section 11 below or irregularities in the processing of Personal Data.
The Data Processor may only undertake transfer of Personal Data to a Third Country with prior written consent of the Data Controller. If the Data Controller consents to such transfer, the Data Processor and/or Subprocessor who is Processing Personal Data in a Third Country shall ensure that such transfer and Processing is in compliance with Applicable Data Protection Law and specifically Art. 44 to 50 of the GDPR.
The Data Processor provides the option for the Data Controller to use the Service in a Third Country, including countries that may not provide an adequate level of protection for Personal Data according to Applicable Data Protection Law. In this respect, the Data Controller is solely responsible for which data center and region(s) it chooses for the Service (i.e. where the Personal Data will be Processed). Once the Data Controller has made its choice, the Data Processor will not transfer the Personal Data from the Data Controller’s selected data center and region(s), unless upon written instruction from the Data Controller or except as described in section 5.1 of this DPA.
If the Data Controller selects a data center or region(s) in a Third Country, such selection is regarded as consent of transfer to Third Country as per section 10.1. The Data Controller shall in this case ensure that the transfer of Personal Data based on such selection is in compliance with Applicable Data Protection Law and specifically Art. 44 to 50 of the GDPR. The Data Controller shall without undue delay notify the Data Processor of such selection and the Data Processor shall support the Data Controller in ensuring compliance.
For the strict and necessary purposes of enabling the contractual relationship with you, your Personal Data may be communicated to third party judicial subjects of foreign countries whether within or outside the European Union always with respect to the rules contained in art. 44 to 50 of the GDPR.
In case of a Personal Data Breach involving Personal Data Processed on behalf of the Data Controller, the Data Processor shall take into account the nature of Processing and the information available to the Data Processor to support the Data Controller in ensuring compliance with the Data Controllers obligations pursuant to article 33 in the GDPR.
If the Data Processor becomes aware of a Personal Data Breach, the Data Processor shall without undue delay notify the Data Controller of the Personal Data Breach. The notification shall at least:
The liability of each party arising out of or related to this DPA (whether in contract, tort or any other theory of liability) shall be subject to the exclusions and limitations of liability set out in the Terms. The Data Controller agrees that any regulatory penalties incurred by the Data Processor in relation to the Personal Data that arise as a result of, or in connection with, Data Controller’s failure to comply with its obligations under this DPA and the Applicable Data Protection Law shall count towards and reduce the Data Processor’s liability under the Terms as if it were liability to the Data Controller under the Terms.
Subject to section 12.1, the Data Controller shall indemnify and hold the Data Processor harmless for any direct claims, including any claim from Data Subjects, against the Data Processor due to Processing of Personal Data which violates the Applicable Data Protection Law, if such violation is due to unclear, inadequate or inadmissible instructions from the Data Controller, inadequate information from the Data Controller regarding the categories of Personal Data being Processed (e.g. if sensitive Personal Data is Processed without the Data Controller having informed the Data Processor about this) or otherwise due to circumstance on the Data Controller’s side.
This DPA shall continue in force until the termination of the Service (the “Termination Date”).
Upon termination of this DPA, the Data Processor shall return to the Data Controller, or permanently erase, or completely block for access, all business-related information, documentation, and data provided by the Data Controller, including Personal Data created in connection with this DPA, unless there is an obligation for the storage of Personal Data according to EU laws or the rights of member states (see Art. 28 para. 3 lit. g GDPR). The Data Processor shall confirm at the latest 30 days after the request of the Data Controller the return, destruction, erasure, and blocking of all information and records. The same applies to Subprocessors.
Amendments and additions to this DPA and all its constituent elements (including any assurances granted by the Data Processor) shall be made in the form of a written agreement, which may also be in electronic form, with a specific indication that it is an amendment or addition to this DPA. This shall also apply to the waiver of the requirements of this format.
If any provision of this DPA should be, or become, party invalid or unenforceable, it shall not invalidate the whole agreement. Any provision of this DPA that is held invalid or unenforceable only in part or degree shall be rewritten by mutual agreement to closely reflect the invalid or unenforceable provision while being valid and enforceable.
What follows from the Terms shall also apply to the Data Processor’s Processing of Personal Data and the commitments according to this DPA. For avoidance of doubt; where there are conflicting provisions in the Terms and the DPA, the provisions in the DPA shall take precedence regarding all Processing of Personal Data and nothing in the Terms shall be considered to limit or change the commitments according to this DPA to the extent this would mean the Data Controller does not comply with the Applicable Data Protection Law.
Swedish law applies in all aspects to the Data Processor’s Processing of Personal Data under this DPA.
Any dispute arising out of or in connection with the DPA shall be settled in accordance with the dispute resolution provision in the Terms.
The following instructions apply to the Processing of the Personal Data under this DPA. In addition to what is stated in this DPA the Data Processor shall comply with the instructions below:
Processing operations and purposes
Please specify all processing activities to be conducted by the Data Processor
The Processing shall include the following operations and purposes:
Categories of Data
Please specify the categories of Personal Data that will be Processed by the Data Processor
The Personal Data Processed might include the following Categories of Data:
Categories of Data Subjects
Please specify the categories of Data Subjects whose Personal Data will be Processed by the Data Processor
The Personal Data Processed might include the following Categories of Data Subjects:
Please specify the period for which the Personal Data Processed by the Data Processor is retained and when it shall be removed.
The Personal Data shall be erased at the request of the Data Controller pursuant to the Data Controller’s instructions.
The following TOMS are agreed between the Data Controller and the Data Processor and specified in the present individual case, see specimen list.
No unauthorized access to Processing systems is provided. Data is stored in highly secure data centers. All data centers that run the Service are secured and monitored 24/7. Physical access to the data center facilities is strictly limited to selected cloud staff.
No unauthorized system usage. SSH keys are required when identifying trusted computers along with usernames and passwords. 2-step authentication is enabled on every cloud platform that is providing it (platforms as AWS and Heroku). Individual authentication credentials are not shared. SSH keys are frequently rotated. All end-points (computers, laptops, mobile phones) are using encrypted storage, secure passwords, and auto-locking mechanisms.
No unauthorized reading, copying, changing or removing within the system.
Personal Data is Processed in dedicated systems. Data are not shared with other services, applications or corporate entities. Within individual systems and databases, data is segregated with logical access control. Personal Data will not be used for different purposes other than what it has been collected for without explicit customer approval.
No unauthorized reading, copying, changing or removing during electronic transmission or transport. Data in transit can be encrypted and encrypted storages can be used, which can be specified by the Data Controller while setting up the service.
Determination of whether and by whom Personal Data was entered, changed or removed by the Data Controller is not logged by the Data Processor.
Protection against accidental damage or destruction or loss via escalation ways and emergency plans.
No Processing under commission according to Art. 28 of the GDPR without corresponding instructions from the Data Controller via explicit contract design, formalized order management, stringent selection of the service provider, obligation to convince in advance, follow-up inspections.
Systems and services are designed in a way that intermittent high stresses or high constant loads of processing can be ensured.
Use of personnel, customer, and supplier IDs instead of names.
Data encryption can be enforced by the Data Controller when using the Service.
The Data Controller has the option to set up redundancy for Personal Data Processed via the Service.
Company name, direction and nomination of possible Data Protection Officer/contract partner for data protection questions
Content of assignment (Scope of the commission by the Processor)
Place of Processing
Transmission of/access to Personal Data of the Data Controller (category of data and Data Subjects)
|1||Amazon Web Services||Data Center||Dependent on the Data Controller||Storage of data|