Data Processing Agreement
This DATA PROCESSING AGREEMENT (the "Agreement") is entered into by and between:
- Idefendo Media Protection AB, a limited liability company incorporated under the laws of Sweden with corporate registration number 559077-6026 ("Idefendo"), or for the sake of this template, the ("Data Processor"); and
The customer specified in the relevant Service Agreement (defined below) (the "Customer").
Each of Data Processor and the Customer is referred to as a "Party" and together as the "Parties".
- Data Processor has developed a file management service integrated with a blockchain technology called Digital Witnesses™ which the Data Processor offers to its customers on a software-as-a-service (the "Service").
- Customer has entered into an agreement (the "Service Agreement") with Data Processor under which the Customer is granted the rights to use the Service, which Service forms the subject matter of the processing of Personal Data under this Agreement.
- The Data Processor’s Service is rendering the Customer the data controller, whilst Data Processor qualifies as data processor under the applicable data protection laws. In light of the above, Data Processor and Customer have agreed on the following terms to govern the Data Processor’s processing of Personal Data under the Service Agreement.
"Applicable Laws" shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.
"Data Protection Laws" shall mean the applicable national laws concerning data protection and, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016/679) and their national implementations and related national legislation.
"EEA" shall mean the European Economic Area.
"Personal Data" shall mean all information that is directly or indirectly referable to a natural living person such as name, email address, IP-address, location data etc.
"Personal Data Breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Data Processor may under this Agreement process Personal Data on behalf of the Customer according to the instructions of the Customer. The Personal Data is and shall remain the property of the Customer, and the Customer takes full responsibility for the Personal Data, including that such data does not infringe any third-party rights or in any other way violate Applicable Laws.
This Agreement is intended to constitute and shall be interpreted as a written data processing agreement between the Customer and Data Processor pursuant to applicable Data Protection Laws.
Data Processor shall process the Personal Data relating to the categories of data subjects and shall consist of the processing operations as set out in Schedule 1.
Data Processor shall process the Personal Data for the purpose of providing the Service to the Customer.
- TERM OF PROCESSING
- This Agreement shall enter into force upon conclusion of the relevant Service Agreement, shall remain effective until the Service Agreement is terminated or expires, subject to Section 4.2 below.
- Upon the termination or expiry of the Service Agreement, without entering into a new data processor agreement replacing this Agreement, the provisions of this Agreement, shall continue to apply as long as and to the extent Personal Data is processed by Data Processor pursuant to the instructions of the Customer.
DATA PROCESSOR’S OBLIGATIONS
- Data Processor may process Personal Data only for purposes necessary for the due performance of the Service Agreement and only in accordance with the Data Protection Laws applicable to Data Processor and in accordance with the written instructions from the Customer as further detailed in Schedule 2. Data Processor may not disclose any Personal Data to a third party without the prior written approval from the Customer or if required by law.
- If Data Processor does not have sufficient instructions to enable Data Processor to deliver the Services or otherwise fulfil its obligations, Data Processor shall without delay inform the Customer hereof and specify the need for further instructions and await further written instructions from the Customer prior to continuing the relevant processing of the Personal Data.
- Data Processor shall implement and maintain appropriate and adequate technical and organisational measures as set forth in Schedule 2 to ensure the security for the processed data. The measures shall as a minimum protect the processed data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by the Data Processor. The measures shall take into account the particular risks associated with the processing of the Personal Data and the sensitivity of the Personal Data which is processed.
- Data Processor undertakes to oblige all persons, including but not limited to its employees, who access the processed Personal Data in the course of the processing operations carried out by Data Processor to comply with confidentiality obligations and access restrictions with regards to the processing of Personal Data. Data Processor shall ensure that only such employees have access to Personal Data who have received training and/or instruction in the care and handling of Personal Data.
- Taking into account the nature of the processing, Data Processor shall, at Customer’s cost upon Customer’s request in accordance with Customer’s written instructions, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject's rights under applicable Data Protection Laws.
- Data Processor, taking into account the nature of processing and the information available to the processor, undertakes to assist the Customer, at Customer’s cost upon Customer’s reasonable request substantiating the necessity, in ensuring compliance with applicable Data Protection Laws with regards to the security of processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.
- Data Processor shall immediately inform the Customer if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.
- The Data Processor shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.
- In the event Data Processor is required to disclose information, including but not limited to the processed Personal Data or information relating to the processing, according to Applicable Laws or the decisions of public authorities or courts, Data Processor shall be obligated to inform the Customer thereof immediately, insofar permitted by Applicable Laws, and request confidentiality in conjunction with the disclosure of requested information.
INFORMATION AND AUDIT
- Data Processor is obliged to, upon Customer’s reasonable request and at Customer’s cost, make available to the Customer all information necessary and strictly limited to the purpose of demonstrating compliance with the obligations of the data processor under applicable Data Protection Laws.
- Customer may, pursuant to the relevant provision of the Service Agreement but in any case notwithstanding what is set out in the Service Agreement once per calendar year at the cost of the Customer, carry out or mandate a third party auditor, who is not a direct competitor to Data Processor and acting under confidentiality undertaking, to carry out an audit strictly limited to verifying Data Processor’s compliance with the obligations of data processors under applicable Data Protection Laws. The audit shall be carried out during Data Processor’s normal working hours without disturbance to the normal operations of Data Processor.
- Customer hereby gives general written authorisation for the Data Processor to engage subprocessors for carrying out specific processing activities on behalf of the Customer. When engaging subprocessors, Data Processor undertakes to ensure that the contract entered into between Data Processor and any subprocessor shall impose, as a minimum, the same data protection obligations as set out in this Agreement.
- Data Processor shall notify the Customer of any intended changes concerning the addition or replacement of subprocessors, to which the Customer may object. If the Customer has made no such objection within ten (10) days from the date of receipt of the notification, the Customer is assumed to have made no objection.
- Data Processor may transfer (including allowing access to) Personal Data outside the EEA, including to its subprocessors. The parties shall jointly take all reasonably required measures necessary for ensuring that such transfer is in accordance with Applicable Laws, which may include entering into model clauses for data transfer outside of the European Economic Area (EEA). Customer hereby gives Processor a clear mandate to enter Standard Contractual Clauses 2010/87/EU with non-EEA based subprocessors in the name and on behalf of the Customer.
- If and to the extent another legal entity than the Customer is the controller, independently or jointly, for all or part of the Personal Data processed by Data Processor on behalf of the Customer under this Agreement, the Customer warrants that it has necessary authority and mandate to enter into this Agreement on behalf of such legal entity.
- The Customer warrants that the processing of Personal Data is carried out in accordance with Applicable Laws, including obtaining necessary licenses, permits or approvals for the processing and notifying the processing to competent authorities or data protection officials and informing the data subjects of the processing.
LIMITATION OF LIABILITY
- Unless expressly provided, each Party shall only be liable for direct losses caused by negligence and the total aggregate liability of each Party shall be limited to the maximum liability cap agreed under Service Agreement.
- Each Party shall not be liable for any loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages.
- Notwithstanding what is set out in this Agreement, Data Processor shall be exempt from any and all liability under this Agreement, if such liability is incurred due to instruction of the Customer that infringing the applicable Data Protection Laws.
The above limitations shall not apply
- in the event of any loss which is caused by any Party’s gross negligence, intentional breach;
- to the breach of the confidentiality undertaking set out in this Agreement;
- to the indemnification obligations set out in section 11.
The Customer shall hold Data Processor harmless and indemnify for third party claims, damages as well as administrative penalties or fines issued by courts or authorities if and to the extent Data Processor is held liable by a competent court, authority or any other dispute resolution body for processing of personal that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Data Processor’s failure to perform its obligations under this Agreement.
Data Processor is entitled to remuneration on the basis of the provisions of this Agreement and shall, unless otherwise explicitly set out in this Agreement, charge the Customer under this Agreement in accordance with the Service Agreement.
MEASURES UPON COMPLETION OF PROCESSING
When the provisions of this Agreement cease to be effective, the Data Processor shall, upon and in accordance with Controller's request, delete all Personal Data or delete and return all Personal Data to the Customer, unless Applicable Laws require the Data Processor to store Personal Data.
- The Customer may only assign the rights or obligations under this Agreement to a third-party with the prior written consent of Data Processor.
- Data Processor may assign its obligations under this Agreement to third parties. Any such assignment of rights shall not be considered as Data Processor engaging a subprocessor.
- This Agreement shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof.
- Data Processor is entitled to amend this Agreement if it is necessary to comply with requirements of applicable data protection laws. Such amendments enter into force at the latest thirty (30) days after Data Processor has sent an amendment notice to the Customer, or such other time period which Data Processor is obliged to adhere to according to Personal Data Legislation and regulations or relevant authorities. Other alterations of and amendments to this Agreement shall be made in writing and be signed by duly authorised representatives of the Parties to be binding.
GOVERNING LAW AND DISPUTES
- This Agreement shall be governed by and construed in accordance with the laws of Sweden, with the exclusion of its conflict of law rules.
- Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled in accordance with the relevant provisions thereon set out in the Service Agreement.
SCHEDULE 1 - PROCESSING OF PERSONAL DATA
Types of Personal Data
Personal Data processed by the Data Processor on behalf of the Customer under the Service Agreement may include, but is not limited to, the following types of Personal Data:
- telephone number;
- location data;
- user id;
- device information;
- time and date stamps; and
- connection information
Categories of data subjects
The processed Personal Data concerns the following categories of data subjects:
- The Customer;
- recipients of the Customer.
The following processing operations shall be carried out for the below specified purposes by the Data Processor under this Agreement:
Processing operations: Storage and transfer of Personal Data provided by the Customer.
Purposes: Fulfilment of the Service Agreement.
Data Processor may not process the Personal Data for any other purposes under this Agreement and its schedules.
SCHEDULE 2 - INSTRUCTIONS
INSTRUCTIONS FOR PROCESSING OF THE PROCESSED DATA ON BEHALF OF THE DATA CONTROLLER
Data Processor shall process the Personal Data for the purpose of providing the Service to the Customer in accordance with the Service Agreement and comply with the instructions set forth below with respect to the processing of the Personal Data under this Agreement.
HANDLING AND PROCESSING OF THE PERSONAL DATA
The premises used by Data Processor shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. Data Processor shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.
Data Processor should possess an updated and implemented security policy which states for example the manner in which the Personal Data shall be processed, to whom Data Processor’s personnel shall turn in the event of a burglary or other incident, which personnel are authorized as regards which type of information, back-up procedures, contingency plans, etc.
Data Processor should create a safe IT-environment, which includes, but is not limited to (i) necessary safety routines for avoiding virus attacks or other threats that could be harmful to the IT-environment; (ii) an encryption system and/or other security measures with the purpose of avoiding tapping or revealing signals; (iii) necessary security routines for IT-equipment; (iv) a control system based on user authorization, which enables identification of user identity (through the usage of passwords or such) and prevents unauthorized use of or access to the processed Personal Data; (v) storage of processing history (log data), which shall be sorted out in accordance with Customer’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be sorted out in accordance with Customer’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained Personal Data that no longer is used.
DATA SUBJECTS’ REQUESTS
Data Processor shall make it possible to log and trace processing of the Personal Data, including the disclosure and transfer of the Personal Data.
Customer authorizes Data Processor to, subject to the provisions of this Agreement, directly fulfil the requests of data subjects.
Subject to the above, Data Processor undertakes to inform the Customer of any rectification, erasure, or restriction of processing of Personal Data performed by a direct request of a data subject, unless this proves impossible or involves disproportionate effort. Customer shall reasonably assist the Data Processor in fulfilling the request of the data subject. Such assistance does not entitle the Customer to any reimbursement.
Data Processor shall have routines to provide Personal Data concerning a data subject in a structured, commonly used and machine-readable format, at the Customer’s request.
Subject to the provisions of this Agreement, Data Processor shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.