Data Processing Agreement
Background and Interpretation
The Vendor will, in the performance of the Agreement, process personal data on behalf of the Client, in the capacity of the Client’s processor. The Vendor will process personal data for which the Client is the controller.
This DPA forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.
Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the GDPR and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances.
In light of the above, the parties have agreed as follows.
Instructions and Responsibilities
The type of personal data and categories of data subjects processed by the Vendor under this DPA, and the subject-matter, nature, purpose and duration of this processing, are described in the instructions on processing of personal data in Annex A or in the written instructions that the Client provides from time to time. The Vendor shall not process additional categories of personal data, or personal data relating to other data subjects, than those specified in Annex A.
The Client is responsible for complying with the GDPR.
The Client shall in particular:
be the contact person for data subjects and, in particular, respond to their inquiries regarding the processing of personal data;
ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 of the GDPR and maintain a record of processing activities under its responsibility;
provide the Vendor with documented instructions for the Vendor’s processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;
immediately inform the Vendor of changes that affect the Vendor’s obligations under this DPA;
immediately inform the Vendor if a third party takes action or lodges a claim against the Client as a result of the Vendor’s processing under this DPA; and
immediately inform the Vendor if anyone else is joint controller with the Client of the relevant personal data.
When processing personal data, the Vendor shall:
only process personal data in accordance with the Client’s documented instructions, which at the time of the parties entering into this DPA are set out in Annex A;
ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
maintain an adequate level of security for the personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in section 3 below;
respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-processor;
taking into account the nature of the processing, assist the Client by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
assist the Client in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Vendor;
at the choice of the Client, delete or return all the personal data to the Client after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and
make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by the Client or another auditor agreed upon by the parties.
The Vendor shall notify the Client without undue delay, if, in the Vendor’s opinion, an instruction infringes the GDPR. In addition, the Vendor is to immediately inform the Client of any changes affecting the Vendor’s obligations pursuant to this DPA.
Security
The Vendor shall implement technical and organisational security measures in order to protect the personal data against destruction, alteration, unauthorised disclosure and unauthorised access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The Vendor may amend its technical and organisational measures.
The Vendor shall notify the Client of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that the Vendor has committed any wrongful act or omission, or that the Vendor shall become liable for the personal data breach.
If the Client during the term of this DPA requires that the Vendor takes additional security measures, the Vendor shall as far as possible meet such requirements provided that the Client pays and takes responsibility for any and all costs associated with such additional measures.
Sub-processors and Transfers to Third Countries
The Client hereby grants the Vendor a general authorisation to engage sub-processors. The sub-processors engaged at the date of this DPA are listed in Annex B. The Vendor shall enter into a data processing agreement with each sub-processor under which the same data protection obligations as set out in this DPA are imposed upon the sub-processor.
The Vendor shall inform the Client of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Client the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after the Vendor has informed the Client about the intended changes. If the Client objects to the Vendor engaging a sub-processor and the parties cannot agree, within reasonable time, on the new sub-processor’s engagement in the processing of personal data, the Vendor can terminate the Agreement.
The Vendor stores personal data in the EU/EEA.
The Vendor shall, as a main principle, not transfer personal data outside the EU/EEA, whether intentionally or unintentionally. If the Vendor and/or its sub-processors transfer personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements under the GDPR and related data protection legislation. More detailed information about potential transfers of personal data can be found in Annex B.
Compensation and Limitation of Liability
The Vendor is not entitled to any additional compensation for the processing of personal data in accordance with this DPA, instead the compensation provided pursuant to the Agreement also encompasses the measures in this DPA.
Each party shall be responsible for any damages and administrative fines imposed on it under Articles 82 and/or 83 of the GDPR.
Notwithstanding any limitation of liability in the Agreement, each party’s liability under this DPA shall be limited to direct damages. In addition, the Vendor’s liability shall be limited to an amount corresponding to the fixed monthly fees paid by the Client to the Vendor under the Agreement for a period of three (3) months before the damage occurred.
Term and Termination
This DPA becomes effective when the Agreement has been entered into.
Upon termination of the Agreement, the Vendor shall delete all the personal data and ensure that each sub-processor does the same.
This DPA remains in force as long as the Vendor processes personal data on behalf of the Client, including deletion or returning of personal data according to section 6.2 above. This DPA shall thereafter cease to apply. Sections 5, 6.2 and 9 shall continue to apply even after this DPA has been terminated.
Changes
If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions or regulations regarding the application of the GDPR during the term of this DPA, with the result that this DPA does not meet the requirements for a data processing agreement, the parties shall change this DPA to meet the requirements.
Any other changes to this DPA than those following from section 7.1 above, or changes in the Client’s documented instructions, shall be made in writing and signed by the parties’ authorised representatives in order to be binding.
Miscellaneous
In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regards to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA, notwithstanding anything to the contrary in the Agreement.
This DPA supersedes and replaces all data processing agreements between the parties potentially existing prior to this DPA.
Governing Law and Dispute Resolution
Unless otherwise agreed in the Agreement, Swedish law, without regard to its choice of law provisions, shall apply to this DPA.
Any dispute, controversy or claim arising out of, or in connection with, this DPA, or the breach, termination or invalidity thereof, shall be handled as stated in the Agreement.
ANNEX A – INSTRUCTIONS ON PROCESSING OF PERSONAL DATA
Purposes
The Vendor collects personal data related to a device when gathering information about how individuals (“Users”) interact with the Client’s advertisements and other marketing materials. The Vendor only processes personal data under the DPA in order to fulfil the Agreement. This means that the Vendor processes personal data for the following purposes: to gather information regarding Users’ interactions with the Client’s advertisements and other marketing materials, to provide a solution for analysing marketing without the use of third-party cookies, to draw conclusions regarding Users’ interaction with the Client’s advertisements and other marketing materials, and to provide insights for the Client to use in order to optimise its advertising spend.
Categories of personal data
Categories of personal data that will be processed by the Vendor and that could indirectly be used to identify an individual include: aggregated session ID, and information regarding how Users interact with the Client’s advertisements and other marketing material. This information includes, for example, what purchases are made, when purchases are made and how the Users found the Client’s website and/or marketing material.
Categories of data subjects
Users that interact with the Client’s advertisements and other marketing material.
Retention time
The Vendor will in practice not connect the indirect personal data with other information related to the Users that the Client or other third parties may have access to. The Vendor will therefore never process the information collected under this DPA in a way that enables the Vendor to identify an individual User. After the Vendor has collected the indirect personal data regarding a User, the Vendor will continue to use the information without knowing which individual it relates to.
Processing operations
The Vendor processes the personal data on behalf of the Client by: collecting information about the Users in relation to their interactions with the Client’s advertisements and other marketing materials, pseudonymising and anonymising information about the Users, analysing data that has been collected regarding Users’ interaction with the Client’s advertisements and other marketing materials, and compiling insights for the Client based on the gathered personal data. Thereafter the Vendor only uses the gathered information on an anonymised level.
Information security measures
Access control
Access is restricted to people with a user account. Only the login page is unrestricted/public.
Back-up
Daily backups of the database are performed by Amazon. The report database has hourly snapshots, also performed by Amazon. Code is backed up in Provide IT’s version control system.
Logging of access to personal data
The system does not allow users of the system to view any personal data.
Authorisation and permissions
The persons using the system are connected to one or more organisations that they can view. Admins can administer the user-organisation connections and see all organisations. Admins can also create, update or remove users. The API requires a valid API token, each token being connected to an organisation.
Encryption of data communication
All communication with the system is encrypted using TLS 1.2 or TLS 1.3.
Firewalls, separation of environments and antivirus protection
The system only allows public access on ports 80 and 443. Server access is restricted to a limited number of IP addresses. This is implemented using security groups in Amazon. Environments are completely separated, as the testing environment is hosted on a Provide IT testing server at Glesys.
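The firewall measure above (public access only on ports 80 and 443, all other server access limited to a fixed set of IP addresses, implemented with Amazon security groups) is the kind of control the audit clause of this DPA lets the Client verify rather than take on trust. The following is an added example, not the Vendor’s code: a small Python check that reads security-group rules in the layout returned by EC2 DescribeSecurityGroups and reports any ingress that departs from the stated policy. The two sample groups and the admin allowlist (198.51.100.0/24 and 203.0.113.7/32) are constructed for illustration; the Vendor’s real allowlist is not stated on this page.

```python
"""Check Amazon security-group ingress rules against the policy stated in Annex A:
public ingress only on TCP 80 and 443, every other ingress only from a fixed set
of IP addresses. Added example, not the Vendor's code. The rule layout follows
the IpPermissions structure returned by EC2 DescribeSecurityGroups; the sample
groups and the admin allowlist below are constructed for illustration."""
import ipaddress

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_TCP_PORTS = {80, 443}
# Constructed stand-in for the Vendor's "limited number of IP addresses".
ADMIN_CIDRS = [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.7/32")]


def _sources(rule):
    """Yield every source CIDR (IPv4 and IPv6) of one IpPermissions entry."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _describe(rule):
    """Human-readable protocol/port description for a violation message."""
    proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
    if proto == "-1":
        return "all traffic"
    if lo is None or hi is None:
        return f"{proto} (all ports)"
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def _is_public_web(rule):
    """True only for TCP rules whose whole port range lies within {80, 443}.
    A range such as 80-443 fails because it also opens 81..442."""
    if rule.get("IpProtocol") != "tcp":
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return all(p in PUBLIC_TCP_PORTS for p in range(lo, hi + 1))


def _is_allowlisted(cidr):
    """True if the source block lies entirely inside an admin CIDR of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in ADMIN_CIDRS)


def audit_security_group(sg):
    """Return a list of violation strings; an empty list means the group matches Annex A."""
    violations = []
    for rule in sg.get("IpPermissions", []):
        what = _describe(rule)
        for src in _sources(rule):
            if src in PUBLIC_CIDRS:
                if not _is_public_web(rule):
                    violations.append(
                        f"{sg['GroupId']}: public ingress from {src} on {what} "
                        f"is not limited to TCP 80/443")
            elif not _is_allowlisted(src):
                violations.append(
                    f"{sg['GroupId']}: ingress from {src} on {what} "
                    f"is outside the admin allowlist")
    return violations


# Constructed sample groups (not real rule sets from the Vendor's account).
COMPLIANT_SG = {
    "GroupId": "sg-web-compliant",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "203.0.113.7/32"}]},
    ],
}
DRIFTED_SG = {
    "GroupId": "sg-web-drifted",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,       # SSH open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,   # DB port from a non-admin net
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
        {"IpProtocol": "-1",                                       # all traffic, but only from an admin net
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
}

if __name__ == "__main__":
    for group in (COMPLIANT_SG, DRIFTED_SG):
        findings = audit_security_group(group)
        print(group["GroupId"], "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

The check treats a rule as "public" as soon as any of its sources is 0.0.0.0/0 or ::/0, and it refuses port ranges that merely contain 80 or 443 (a single 80-443 rule also exposes everything in between). An auditor would feed it the live output of describe-security-groups for the groups attached to the Vendor’s instances and expect an empty result for every production group.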
ANNEX B – SUB-PROCESSORS
Name | Purpose | Location of processing (Country) |
Amazon | Hosting | Germany |
The Vendor has chosen to store and host personal data within the EU/EEA. The use of Amazon as a sub-processor means that there may be a risk that pseudonymised personal data is transferred outside the EU/EEA, for example in connection with support for the hosted service. Any potential transfer is governed by the Standard Contractual Clauses (SCCs).