Data Processing Agreement
The following agreement (“Data processing agreement”) applies to the customer’s (“Customer”, “you”, hereinafter ‘the Controller’) use of all websites offered by Sell-o AB reg.nr. 556852-2832 (“Sello”, hereinafter ‘the Processor’) and forms a legally binding agreement between Sello and Customer. By using Sello’s websites (“the Services”) you acknowledge that you have read and understood this Data processing agreement and you agree to be bound by the terms and conditions set out herein.
Hereinafter collectively referred to as ‘Parties’ and individually ‘Party’,
- the Controller has access to the personal data of various clients (hereinafter: ‘Data Subjects’);
- the Controller has determined the purpose of and the means for the processing of personal data in accordance with the terms and conditions referred to herein;
- the Processor has undertaken to comply with this data processing agreement (hereinafter: ‘the Data Processing Agreement’) and to comply with the security obligations and all other aspects of the relevant data protection and privacy laws to which the Parties are subject, in particular (but not limited to) the Swedish Personal Data Protection Act (1998:204) valid until 24 May 2018 (hereinafter: ‘PuL’) and the further Swedish law, as modified under the Regulation and Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (and repealing Directive 95/46/EC) (General Data Protection Regulation);
The Parties hereby agree as follows,
For the purposes of this Data Processing Agreement and unless otherwise expressly defined hereinafter, all capitalized terms will have the meanings given to them as follows:
“Regulation” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC
The Agreement shall mean the general agreement between the Parties that regulates the Parties’ rights and obligations.
“Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
“Data Subject” means an identified or identifiable natural person, as it can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Supervisory Authority” means the Swedish Data Protection Authority;
“Personal Data” means any information relating to an identified or identifiable natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Processor” means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller;
“Subprocessor” means any sub-contractors hired by the processor to process personal data on its behalf;
“Third Country” means a state outside EU/EEA;
“Model Clauses” means the model clauses for the transfer of Personal Data to Data Processors established in third countries as approved by the European Commission from time to time (at present the model clauses set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, and in the future the eventual amendments under the Regulation in force).
- PROCESSING OBJECTIVES
- The Processor undertakes to process personal data on behalf of the Controller in accordance with the written instructions stipulated in this Data Processing Agreement. The processing will be executed exclusively within the framework of the Agreement.
- The Processor shall refrain from using and/or disclosing the personal data for any purpose other than as specified in the Agreement.
- The Processor will not use and/or disclose the personal data for its own purposes.
- All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data Subjects.
- The Processor shall not process personal data for any other purposes than as instructed by the Data Controller unless required by law and/or government decision. The Personal data that will be stored includes: email address, IP-address, phone number, mobile number, first and second names, address including postal address, nicknames, order data, registration number of organisation, identification numbers and/or personal numbers, account details.
- The Processor will not process any sensitive personal data and the Controller must not include any sensitive personal data for processing under this Agreement.
- PROCESSOR’S OBLIGATIONS
- The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data.
- The Processor shall furnish the Controller, on request, with details regarding the measures it has adopted to comply with its obligations under this Data Processing Agreement.
- The Processor’s obligations arising under the terms of this Data Processing Agreement shall also apply to any other party processing personal data under the Processor’s instructions.
- TRANSFER OF PERSONAL DATA OUTSIDE EU
- The Processor may process and/or transfer personal data to countries outside the European Union provided that such country guarantees an adequate level of protection and that it satisfies all applicable laws and regulations.
- The Processor shall enter the Standard Model Clauses with the subprocessor, ensuring that an adequate level of protection is maintained in compliance with the European and Swedish Data Protection provisions on third country transfers.
- Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.
- ALLOCATION OF RESPONSIBILITY
- The Processor shall only be responsible for processing the personal data under this Data Processing Agreement, in accordance with the Controller’s instructions and under the responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and/or for other purposes.
- Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Agreement.
- DELETION OF PERSONAL DATA
- Following the expiration of the Agreement, the processor will endeavour to delete or return all transferred personal data, and copies of such data without undue delay. The Controller is entitled to choose whether the personal data shall be returned to him or to be deleted.
- The Processor shall, in any event, ensure that confidentiality will continue to apply to the personal data which he is unable to delete.
- ENGAGING OF SUBPROCESSOR
- The Processor is authorised within the framework of the Agreement to engage subprocessors. The Processor shall inform the Controller about any subprocessors and in the event the Controller reasonably objects to such subprocessor, the Controller shall be entitled to terminate the Data Processing Agreement with the Processor.
- The Processor shall, in any event, ensure that such subprocessor will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.
- HANDLING REQUESTS FROM THIRD PARTIES AND DATA SUBJECTS
- All third party requests regarding personal data and/or information about the processing activities under the Agreement shall be redirected to the Controller by e-mail in due time, whether the request is made by a data subject, the Data Protection Authority or any other third party, unless such requests cannot legally be redirected to the Controller.
- If the request is approved, the Processor further undertakes to assist the Controller in making available the personal data and/or information to the third party.
- DUTY TO REPORT
- In the event of a data incident such as a security leak and/or the leaking of data, the Processor shall, to the best of its ability, notify the Controller thereof within 72 hours, after which the Controller shall determine whether or not to inform the Data subjects and/or the Supervisory Authority.
- If required by law and/or Regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof, with the exception of claims arising from: (1) a negligent act or omission of the Processor and/or its personnel; and/or (2) any breach of this Data Processing Agreement performed by the Processor.
- The Processor will endeavour to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.
- The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
- The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.
- NON DISCLOSURE AND CONFIDENTIALITY
- All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this Data Processing Agreement is subject to a duty of confidentiality.
- This duty of confidentiality will not apply in the event that the Controller has expressly authorised the provision of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this Data Processing Agreement, or if there is a legal obligation to make the information available to a third party.
- In order to confirm compliance with this Data Processing Agreement, an independent audit may be carried out by an independent third party, who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
- The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
- The costs of the audit will be borne by the Controller.
- DURATION AND TERMINATION
- This Data Processing Agreement is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration that the Processor processes Personal Data for the Controller.
- The Data Processing Agreement may not be terminated in the interim.
- This Data Processing Agreement may only be amended by the Parties subject to mutual consent.
- The Processor shall have the right to change the terms of this Data Processing Agreement in order to comply with laws and regulations on data protection.
- APPLICABLE LAW
- The Data Processing Agreement and the implementation thereof will be governed by Swedish law.
- Any dispute arising between the Parties in connection with and/or arising from this Data Processing Agreement will be referred to the Swedish courts.
- In the case of any inconsistency between documents and the appendices in this Data Processing Agreement, the following order of priority will apply:
- the Data Processing Agreement;
- the Agreement;
- additional conditions, where applicable.
- Logs and measurements taken by the Processor shall be deemed to be authentic unless the Controller supplies convincing proof to the contrary.