Data Processing Agreement
Data Processing agreement
This Data Processing Agreement (“DPA”) is entered into between:
- Sonetel AB (publ), org.nr. 556486-5847 (”Supplier”); and
- The company or entity you are representing, (the “Customer”)
hereinafter jointly referred to as “Parties” or individually a “Party”.
1.1 This DPA constitutes an integral part of the Master Services Agreement (the “Agreement“) between the Supplier and the Customer.
1.2 Upon entering of the Agreement, the Supplier will process Personal Data on behalf of the Customer, as a Processor. The Customer is the Controller for the processing of the Personal data.
1.3 If the Customer is joint Controller with another party for the relevant Personal Data, the Customer shall inform the Supplier accordingly.
1.4 The purpose of this Agreement is to ensure that Processing is carried out in accordance with the applicable requirements for data processing and obligations under Data Protection Rules and to ensure adequate protection of personal integrity and fundamental rights of individuals during the transfer of Personal Data from the Customer to the Supplier within the framework of the Services that the Supplier performs under the Agreement.
|”Processing”||means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
|”Personal data”||means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;|
|”Data Protection Rules”||means the from time to time applicable laws and regulations in respect of Processing of Personal Data, including but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), Supervisory Authority’s binding decisions, regulations and recommendations and supplementary local adaptions and regulations in respect of data protection.|
|”Controller”||means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;|
|”Processor”||means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;|
|”Sub processor”||means the natural or legal person who processes personal data as a sub processor on behalf of the Supplier;|
|”Data subject”||means the natural person to whom the Personal data relates to.|
|”Supervisory Authority”||means an independent public authority which is established by a Member State pursuant to Article 51. The Supervisory Authority in Sweden is the Swedish Data Protection Authority.|
2.1 Unless otherwise stated, any other term or concept used in capitalized letters in this DPA (except in some cases as part of a heading) shall have the meaning and conception that is established in the Data Protection Rules and otherwise in the Agreement, unless the circumstances obviously require another interpretation.
3.Responsibilities and instructions
3.1 The Customer is Controller for all the Personal Data that the Supplier Processes on behalf of the Customer under the Agreement. The Customer is therefore responsible for complying with Data Protection Rules. The Customer undertakes to inform the Supplier of the Data Protection Rules that are relevant to carry out the Processing under this Agreement. In addition to the requirements that apply directly to a Processor in accordance with Data Protection Rules, the Supplier shall be obliged to comply with other applicable requirements according to Data Protection Rules and recommendations from the Supervisory Authority which the Supplier has been informed of by the Customer. The Customer shall also continuously inform the Supplier of third parties, including the Supervisory Authority’s and the Data Subject’s, actions as a result of the Processing.
3.2 The Supplier and any person acting under the authority of the Supplier, who has access to Personal Data, shall not Process those data for any other purposes than in accordance with the Customers written instructions or according to Data Protection Rules. The instructions that apply to this DPA are set out in Appendix 1. In addition to the instructions set out in Appendix 1, this DPA and the Agreement constitute Customer’s instructions to the Supplier regarding the Processing of Personal Data. The Customer shall immediately inform the Supplier of any changes that affect the Supplier’s obligations under this DPA.
3.3 Personal Data under this DPA may also be Processed if such Processing is required by Union law or under the national law of a Member State to which the Supplier or the Sub processor is subject. If such Processing is required, the Supplier or Sub processor shall inform the Customer of the legal requirement before the Processing, unless such information is prohibited according to a public interest under this law.
3.4 The Supplier has the right to store and Process data derived from the Customer in aggregated or anonymized format, containing no Personal Data, under this DPA.
4.1 The Supplier shall implement technical and organizational measures, as required by the Data Protection Rules, in order to ensure a level of security that is appropriate with regards to the risk and to protect Personal Data being Processed from accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of, or access to, the Personal Data being Processed.
4.2 The Supplier shall assist the Customer in ensuring that the obligations under Articles 32-36 of the GDPR are fulfilled, taking into consideration the type of Processing and the information available to the Supplier.
4.3 The Supplier shall notify the Customer without undue delay after becoming aware of a personal data breach.
5. Disclosure of Personal Data and Information
5.1 In the event that the Supplier receives a request from the Data Subject, Supervisory Authority or other third party to obtain information regarding Personal Data which the Supplier Processes on behalf of the Customer, the Supplier shall without delay forward the request to the Customer. The Supplier and any person acting under the authority of the Supplier, may not disclose Personal Data or other information about the Processing of Personal Data without explicit instructions from the Customer unless such disclosure is required according to applicable Data Protection Rules.
5.2 The Supplier shall assist the Customer in complying with their obligation to respond to requests regarding a Data Subject’s right of access, rectification and erasure, by taking technical and organizational measures, which are appropriate taking into account the nature of the Processing and assist in disclosing Personal Data when required by applicable national law.
6. Contact with Supervisory Authority
6.1 The Supplier shall inform the Customer of any contacts from the Supervisory Authority concerning the Processing of Personal Data under this DPA. The Supplier is not entitled to represent the Customer or act on behalf of the Customer in relation to the Supervisory Authority if not required by Data Protection Rules.
7. Sub processors
7.1 Personal Data may be Processed by a Sub processor provided that the Supplier enters into a written agreement with the Sub processor which impose on them the corresponding obligations when Processing Personal Data as per this DPA.
7.2 The Supplier undertakes to inform the Customer of any plans to retain new Sub processors or to replace Sub processors. The Customer is entitled to object to such changes. Such objection may relate only to objective grounds linked to the fulfilment of technical and organizational security requirements when Processing Personal Data under the DPA.
7.3 The Supplier is responsible for ensuring that the requirements for the use of Sub processors under Data Protection Rules are taken into account and to ensure that such Sub processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a way that the Processing meets the requirements of Data Protection Rules.
7.4 The Supplier shall provide the Customer with a correct and up-to-date list of the Sub processors assigned for the Processing of Personal Data under this DPA, along with Contact Information and the geographic location for the Processing. This list is available for the Customer at https://sonetel.com/en/help/help-topics/terms-conditions/sub-processors/ . The Supplier undertakes to notify the Customer at any update of the list of Sub processors and ensure that it is always correct.
7.5 If a Sub processor fails to fulfill the obligations under the Agreement, this DPA and/or according to Data Protection Rules, the Supplier shall be responsible for performing the Sub processor’s obligations in relation to the Customer.
8.1 The Supplier shall provide the Customer with all information required to comply with the obligations according to this DPA and Data Protection Rules within reasonable time after such request has been made by the Customer to the Supplier.
8.2 The Supplier shall enable and contribute to audits, including inspections carried out by the Customer or by another independent auditor (at Costumers expense) selected by the Customer, and which the Supplier may reasonably accept. The auditor is required to sign sufficient confidentiality agreements provided by the Supplier prior to audits. The Customer has the right to perform one audit per year without cost. If the Customer would like to carry out additional audits the Customer must compensate the Supplier for all costs associated with the audit/audits.
8.3 The Supplier shall regarding the obligations stated in section 8 of this DPA, immediately inform the Customer if the Supplier considers an instruction to be in violation of Data Protection Rules.
9. Transfers of Personal Data outside the EU/EEA
9.1 In the event that the Supplier and/or the Sub processor transfer Personal Data to a location outside of the EU/EEA, the Supplier and/or the Sub processors shall ensure that such transfer complies with applicable Data Protection Rules.
10.1 The supplier shall, where applicable, comply with national legislation applicable to classified or confidential information. The Supplier undertakes to ensure that personnel authorized to process Personal Data under this DPA have undertaken to observe confidentiality for the Processing or are subject to applicable statutory duty of confidentiality.
10.2 Section 10.1 above does not apply to information requested by the Supervisory Authority in accordance with Data Protection Rules or other statutory obligation.
10.3 The confidentiality obligation also applies after the Agreement and/or the DPA has ceased to apply.
11. Data portability
11.1 The Supplier shall ensure that the Customer is able to fulfill any obligation regarding Data Portability relating to Personal Data which the Supplier Processes on behalf of the Customer.
12.1 In the event that the obligations imposed on the Supplier in accordance with Sections 5, 8, 9 and 11 results in extensive work for the Supplier, the Supplier shall be entitled to reasonable compensation from the Customer.
12.2 In the event that the Customer submits a legitimate objection to a new Sub processor pursuant to Section 7 and the Supplier does not agree to replace the Sub processor, the Supplier shall be entitled to additional compensation from the Customer for the costs incurred by the Supplier due to the fact that the Sub processor cannot be used.
12.3 The Supplier shall be entitled to reasonable compensation for all work and all costs that arise due to the Customer’s Instructions for Processing if these exceeds the features and level of security based on the services that the Supplier normally provides to its customers, e.g. in the case that the Supplier’s system / services or other that requires the Supplier to make special adjustments on behalf of the Customer.
13.1 The Supplier, any person acting under the authority of the Supplier or a Sub processor, Processes Personal Data in violation of this DPA or the Instructions for Data Processing provided by the Customer, the Supplier shall, in consideration of the limitation of liability arising from the Agreement, compensate the Customer for the direct damage suffered by the Customer due to the wrongful Processing. Regardless of the limitation of liability in this Agreement, the Supplier’s liability under paragraph 13.1 shall always be limited to an amount equivalent to the fees paid by the Customer to the Supplier under the Agreement for a period of twelve (12) months before the damage occurred. In the event that the Agreement has not been valid during a full contract year, such amount shall be calculated on the costs that the Customer is expected to pay during a contract year under the Agreement.
13.2 During the term of this DPA and thereafter, the Customer shall indemnify and hold the Supplier harmless from any direct damage, including claims from Data Subjects and third parties, which the Supplier has suffered due to unclear, inadequate or unlawful instructions from the Customer, or otherwise, depending on the circumstances deriving from the Customer.
13.3 The Supplier’s obligation to pay damages, laid down in section 13.1 above, only applies, provided that i) the Customer without undue delay informs the Supplier in writing of any claims against the Customer; and ii) the Customer allows the Supplier to control the defense of the claim and make independent decisions regarding settlement.
14. Term and Termination
14.1 This DPA enters into force when duly signed by both Parties either separately as an amendment to the Agreement or as a part of the Agreement and remains in force as long as the Supplier Processes Personal Data on behalf of the Customer.
14.2 Upon termination of the Agreement or this DPA (depending on which occurs first), the Supplier shall in accordance with the Customer’s instructions delete or return all Personal Data to the Customer and make sure that all Sub processors do the same.
14.3 If the Customer has not requested that the Personal Data should be returned, the Supplier shall delete the data within 90 days after the termination of the DPA or the Agreement (whichever occurs first). The supplier shall delete any existing copies unless the storage of Personal Data is required by Union law or the national law of the Member State.
15. Changes and additions
15.1 If the Data Protection Rules are changed during the term of this DPA, or if the Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Rules that result in this DPA no longer meeting the requirements for a DPA, shall the Parties make the necessary changes to this DPA, in order to meet such new or additional requirements.Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of change to the other Party or otherwise no later than prescribed by the Data Protection Rules, guidelines, decisions or regulations of the Supervisory Authority.
15.2 Other changes and additions to this DPA, in order to be binding, must be made in writing and duly signed by both Parties.
16.1 This DPA supersedes and replaces all prior DPAs between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless if otherwise stated in the Agreement.
16.2 This DPA shall be governed by the same law and subject to the same forum as the Agreement.
16.3 In addition, the terms of the Agreement shall also apply to the Supplier’s Processing of Personal Data and the obligations under this DPA. However, in the event of contradictions between the provisions of the Agreement and this DPA, the provisions of the DPA will supersede regarding all Processing of Personal Data. The provisions of the Agreement may not restrict or modify any of the obligations of this DPA.
16.4 This DPA shall be governed by the same law and be subject to the same forum as stated in the Agreement.
Appendix 1 – Data Processing Instructions
In these data processing instructions, all capitalised words shall have the same meaning as defined in the DPA, unless otherwise is expressly stated.
Please specify all purposes for which the Personal Data will be Processed by the Supplier as the Customer’s data processor
|The Supplier processes personal data for the purpose of fulfilling the service under the Agreement. Personal data may also be processed for IT-support and related services. Further, the Supplier processes data for fraud detection and other preventive actions.|
|Categories of data
Please specify the Personal Data that will be Processed by the Supplier as data processor
|The Supplier processes the following categories of personal data:
The Supplier does not Process sensitive personal data, the Customer is responsible for ensuring that sensitive personal data is not transferred to the Supplier’s services unless the Supplier has provided the Customer with written consent in advance to such Processing.
|Categories of data subjects
Please specify the categories of data subjects whose Personal Data will be Processed by the Supplier as data processor
|The supplier processes the following categories of Data Subjects:
Please specify the retention time of Personal Data stored by the Supplier
|The personal data must be deleted at the Customer’s request and according to the Customer’s instructions.
The Supplier has a retention period of 90 days after the termination of the Agreement or DPA.