Data processing agreement

Find out how we handle personal data in accordance with the applicable data protection legislation.

PUBA

INTRODUCTION

1.1 This DPA applies between the Parties in respect of the Personal Data processed by AM Hultdin System AB on behalf of the Customer.

DEFINITIONS

2.1 In this DPA, the terms defined in the Agreement shall have the meanings ascribed to them in the Agreement (unless otherwise expressly stated). In this DPA, the terms set forth below shall have the following meanings.

Process: A measure or combination of measures in respect of Personal Data or sets of Personal Data, whether carried out automatically or not, such as the collection, registration, organisation, structuring, storage, adaptation or modification, production, reading, use, disclosure by transfer, dissemination or provision in some other manner, adjustment or compilation, limitation, deletion or destruction.
Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
Instruction: The Customer’s instruction for processing Personal Data (see appendix 1.1 of this DPA).
Area: The countries included in the European Economic Area (EEA) as well as Switzerland, i.e. all EU countries; Iceland, Liechtenstein and Norway; and Switzerland.
Personal Data: All information pertaining to an identified or identifiable natural person, whereupon an identifiable natural person is a person who may be directly or indirectly identified particularly by reference to an identifier such as a name, an identification number, localisation data or online identifier or one or more factors specific to that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.
DPA: This data processing agreement and amendments and supplements thereto in accordance with the provisions of the Agreement.
Data Subject: A natural person to whom Personal Data pertains.
Sub-processor: The party retained by AM Hultdin System AB to Process, as personal data sub-processor of AM Hultdin System AB, Personal Data on behalf of AM Hultdin System AB.

BACKGROUND

3.1 The Data Protection Regulation requires a written personal data assistant agreement when a party will Process Personal Data on behalf of another party.                                        

3.2 Since the Agreement may entail that AM Hultdin System AB Processes Personal Data on behalf of the Customer, the Parties have entered into this DPA in order to govern the scope and details of such Processing.          

PERSONAL DATA PROCESSING

4.1 In conjunction with the Processing of Personal Data pursuant to the Agreement, AM Hultdin System AB shall ensure that such Processing occurs in accordance with the Data Protection Regulation and other applicable laws or regulations governing the Processing of Personal Data and shall accept amendments and supplements to the Agreement necessary in order to fulfil the requirements of the Data Protection Regulation or other applicable law in respect of the Processing of Personal Data.

4.2 AM Hultdin System AB and the person or persons working under the guidance of AM Hultdin System AB may only Process Personal Data in accordance with the Instructions appended to this DPA or other instructions provided by the Customer from time to time. The content of the Agreement and the Instructions set out the subject of Processing of Personal Data, the duration, nature and purpose of the Processing, the type of Personal Data and the category of Data Subjects.

4.3 AM Hultdin System AB may not release Personal Data or other information regarding the Processing of Personal Data without express instruction from the Customer. However, the aforementioned shall not apply where AM Hultdin System AB is obliged to do so according to law or pursuant to an order issued by a governmental authority or competent court of law.

4.4 Unless otherwise expressly stated in the Agreement, AM Hultdin System AB shall not be entitled to take measures in respect of Personal Data which AM Hultdin System AB obtains from the Customer (i) for purposes other than to fulfil its obligations pursuant to the Agreement or (ii) in some manner other than in accordance with Instructions from the Customer.

4.5 Taking into account the nature of the Processing, AM Hultdin System AB shall, to the extent possible, assist the Customer by means of suitable technical and organisational measures such that the Customer can fulfil its obligations to respond upon request to exercise the Data Subject’s rights in accordance with Chapter III of the Data Protection Regulation.

4.6 The Customer shall be responsible for ensuring that the Processing of Personal Data takes place in accordance with the Data Protection Regulation. The Customer shall ensure that AM Hultdin System AB receives the necessary and complete Instructions in respect of the manner in which the company shall perform its engagement. In the event AM Hultdin System AB lacks the Instructions deemed necessary by AM Hultdin System AB in order to perform the engagement on behalf of the Customer, AM Hultdin System AB shall notify the Customer thereof without delay. The Customer shall provide Instructions without delay. In addition, AM Hultdin System AB shall notify the Customer without delay in the event an Instruction contravenes the Data Protection Regulation or other applicable law in respect of the Processing of Personal Data.

4.7 In the event a Data Subject, the Swedish Authority for Privacy Protection or other authorised third party requests information from AM Hultdin System AB concerning the Processing of Personal Data, AM Hultdin System AB shall refer to the Customer.                         

4.8 AM Hultdin System AB shall inform the Customer without delay in respect of any contacts from the Swedish Authority for Privacy Protection concerning, or which may be significant to, the Processing of Personal Data. AM Hultdin System AB shall not be entitled to represent the Customer in relation to the Swedish Authority for Privacy Protection except where otherwise separately agreed upon by the Parties.

INFORMATION SECURITY

5.1 Taking into account the most recent developments, the costs of execution, the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, AM Hultdin System AB shall implement the necessary technical and organisational measures in order to ensure a suitable security level in relation to the risks including, where applicable:

(a) pseudonymisation or encryption of Personal Data;

(b) the ability to continuously ensure the confidentiality, integrity, accessibility and resistance of the processing systems and services;

(c) the ability to restore accessibility and availability of Personal Data within a reasonable period of time in conjunction with a physical or technical incident; and          

(d) a procedure for regularly testing, examining and evaluating the effectiveness of the technical and organisational measures which ensure the security of the Processing.                        

5.2 AM Hultdin System AB shall protect the Processed Personal Data from unintentional or illegal destruction, loss or alteration, unauthorised disclosure and unauthorised access.

5.3 AM Hultdin System AB shall assist the Customer in order that the Customer can fulfil its obligations in respect of data protection and impact assessments thereof. In addition, AM Hultdin System AB shall, to the extent possible, assist the Customer by means of suitable technical and organisational measures such that the Customer can fulfil its obligations to reply, on request from Data Subjects, in respect of the exercise of the Data Subjects’ rights in accordance with section 3 of the Data Protection Regulation. 

PERSONAL DATA INCIDENTS

6.1 AM Hultdin System AB shall take all necessary measures in order to assist the Customer in fulfilling its obligations in reporting personal data incidents to competent governmental authorities and, where required in accordance with the Data Protection Regulation, to the Data Subjects. In conjunction with the occurrence of a personal data incident, AM Hultdin System AB shall, without unreasonable delay after the personal data incident, notify the Customer thereof.

6.2 In any event, notices of personal data incidents shall contain: 

(a) a description of the nature of the personal data incident including, where possible, the categories of and approximate number of Data Subjects affected by the personal data incident; 

(b) the name and contact information of the personal data representative or other contact information where additional information regarding the personal data incident may be obtained; 

(c) a description of the probable impact of the personal data incident; and 

(d) a description of the measures which AM Hultdin System AB has taken or proposed to be taken to remedy the personal data incident including, where possible, measures to mitigate the potential negative effects.

6.3 Where the Customer so requests, AM Hultdin System AB shall assist the Customer in communicating the personal data incident to Data Subjects.                                          

SUB-PROCESSORS

7.1 AM Hultdin System AB shall be entitled to freely retain Sub-processors. In the event a Sub-processor is appointed, AM Hultdin System AB shall enter into a data processing agreement with the Sub-processor containing provisions comparable to those in this DPA and which otherwise comply with the Data Protection Regulation.

7.2 The Customer shall at all times be apprised of the Sub-processors who may receive the Personal Data. Consequently, AM Hultdin System AB shall inform the Customer in conjunction with the use of Sub-processors and changes of Sub-processors. A summary of who the Sub-Processors are at any given time can be accessed here.

7.3 AM Hultdin System AB shall bear liability as principal for the work of the Sub-processor which shall not entail any change in the allocation of responsibility between the Parties pursuant to this DPA. Furthermore, AM Hultdin System AB shall be obliged, in conjunction with the use of Sub-processors, to ensure that such Sub-processors comply with the provisions of this DPA including, but not limited to, the provisions regarding Information Security in section 5 above and that Processing of Personal Data by such Sub-processor otherwise takes place in accordance with the Data Protection Regulation.

TRANSFER OF PERSONAL DATA OUTSIDE THE AREA

8.1 In the absence of prior written consent from the Personal Data Controller, AM Hultdin System AB shall not be entitled to move, store or in any other manner Process Personal Data of the Customer outside the Area.

8.2 In the event the Customer has provided the Customer’s consent for the transfer of Personal Data to countries outside the Area, AM Hultdin System AB undertakes to ensure the legal basis for such transfer by means of, for example, entering into on behalf of the Customer such standard clauses with the Sub-processor as have been produced by the European Commission for the transfer of Personal Data to third countries.

8.3 The Customer shall be entitled at any time to revoke such consent as provided in accordance with this section 8. Following revocation of consent, AM Hultdin System AB shall immediately cease transferring Personal Data and, upon request, confirm in writing that such has ceased.

CONFIDENTIALITY

9.1 AM Hultdin System AB undertakes not to disclose or in any other manner reveal information regarding the Processing of Personal Data covered by this DPA to any third party with the exception of Sub-processors appointed in accordance with the provisions of this DPA.

9.2 AM Hultdin System AB hereby undertakes to ensure that only those persons who work under AM Hultdin System AB’s management who require access to the Personal Data for the performance of AM Hultdin System AB’s obligations pursuant to this DPA shall be granted access to the Personal Data. AM Hultdin System AB shall ensure that such persons are bound by confidentiality to the same extent (at a minimum) as AM Hultdin System AB pursuant to this DPA.

9.3 In the event a Sub-processor is appointed, AM Hultdin System AB shall ensure that the Sub-processor is bound by confidentiality to the same extent (at a minimum) as AM Hultdin System AB pursuant to this DPA.

9.4 AM Hultdin System AB shall not be entitled to use such information regarding the Processing of Personal Data for purposes other than as expressly set forth in this DPA.

9.5 Section 12 (Confidentiality) of the General Provisions shall also apply in respect of information covered by this confidentiality undertaking.

LIMITATION OF LIABILITY

10.1 AM Hultdin System AB shall, in relation to the Customer, be liable for direct losses subject to the limitations following from section 10 (Limitation of Liability) in the General Provisions which arise as a consequence of the Processing of Personal Data in the event AM Hultdin System AB has not performed its obligations in accordance with the Data Protection Regulation specifically applicable to AM Hultdin System AB or has acted beyond, or in contravention of, this DPA or otherwise in contravention of Instructions.               

10.2 AM Hultdin System AB shall not be liable in accordance with the above in the event the company can demonstrate that it is not responsible in any respect for the event causing the loss.

10.3 The Customer undertakes to compensate AM Hultdin System AB for any compensation, damages or suchlike which AM Hultdin System AB – by settlement, judgment or comparable – is ordered to pay provided that the claim is based on the Customer’s inadequate or erroneous Instructions to AM Hultdin System AB and that AM Hultdin System AB has fulfilled its obligations under section 4.6 of this DPA.

10.4 In the event (i) a supervisory authority or court of law imposes an administrative fee on, or (ii) a Data Subject brings a claim in damages against, either Party, such Party shall have a right of subrogation relative to the other Party in the event the Party has paid an administrative fee or damages which were to be duly (or by virtue of joint and several liability) imposed on the other Party. Such right of subrogation shall not be subject to the limitation of liability set forth in section 10.1 above.

INSPECTION

11.1 The Customer or a third party acting on the Customer’s behalf shall be entitled, at its own cost, to examine whether AM Hultdin System AB has complied with this DPA. AM Hultdin System AB shall provide the Customer with the assistance necessary for such examination. In the event the Customer is of the opinion that AM Hultdin System AB has been deficient in any respect regarding the Processing of Personal Data, AM Hultdin System AB shall immediately comply with any Instructions provided by the Customer in order for AM Hultdin System AB to fulfil its undertakings pursuant to this DPA.

COMPENSATION

12.1 No separate compensation shall be payable for AM Hultdin System AB’s Processing of Personal Data pursuant to this Agreement.

TERM OF AGREEMENT

13.1 This DPA shall apply during the term of the Agreement.

MEASURES UPON TERMINATION

14.1 After the Processing on behalf of the Customer has ceased, AM Hultdin System AB shall return or delete the Personal Data in accordance with the Customer’s instructions thereon provided that storage of the Personal Data is not required by any law applicable to AM Hultdin System AB. In the event the Personal Data is to be returned, such shall occur without unreasonable delay and in a general and readable digital format.