Data Processing Addendum

1. Introduction

1.1 This Data Processing Addendum (“DPA”) supplements the Cloud Service Master Agreement (“CSMA”) between Configura Sverige AB (“CSAB”) and the customer identified in the CSMA (“Customer”) and forms an integral part of the CSMA.

1.2 This DPA applies to the extent Customer Content contains personal data and such personal data is processed by CSAB on behalf of Customer. In this context, CSAB will act as processor to Customer, who act as controller of personal data included in Customer Content.

1.3 Description of the data processing covered by this DPA:

Subject matter and nature of processing: Compute, storage and such other Services as described in the CSMA with respect to personal data included in Customer Content.

Categories of data subjects: Data subjects may include employees, customers, business contact persons and other data subjects whose personal data is included in Customer Content by Customer.

Categories of personal data: Personal data may include name, contact details and other personal data included in Customer Content.

Purpose of the processing: Provision of the Services to Customer.

Duration of the processing: During the term of the CSMA.

 

2. Definitions

2.1 The terms used in this DPA shall have the same meaning as used in the CSMA, unless this DPA assigns a different meaning.

2.2 The term “Data Protection Laws” shall mean the EU General Data Protection Regulation (EU 2016/679) (“GDPR”) and laws, rules and regulations issued pursuant to or under the GDPR and which are directly applicable to the processing of personal data within the scope of this DPA.

2.3 Expressions used in this DPA, e.g. ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, ‘processing’, ‘personal data breach’ etc., shall be construed in accordance with the meaning given to them in the Data Protection Laws.

 

3. General Obligations of Customer

3.1 Customer is responsible for ensuring that the processing of personal data takes place in accordance with the Data Protection Laws.

3.2 Customer confirms that this DPA constitute all Customer’s documented instructions regarding CSAB’s processing of personal data on behalf of Customer.

 

4. General Obligations of CSAB

4.1 CSAB may process personal data for purposes necessary for the performance of its obligations under the CSMA and in accordance with Customer’s documented instructions set out in this DPA, unless otherwise provided by the Data Protection Laws.

4.2 If CSAB considers that it has insufficient instructions for the processing of personal data according to this DPA or considers that an instruction infringes the Data Protection Laws, CSAB shall notify Customer and await further instructions. If Customer provides additional instructions in addition to what is expressly stated in this DPA, CSAB is entitled to compensation for costs and additional work performed in order to comply with such instructions.

4.3 CSAB shall ensure that persons authorized to process personal data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and will process personal data in accordance with the instructions from Customer set out in this DPA, unless otherwise provided by the Data Protection Laws.

 

5. Assistance

5.1 CSAB shall, upon written request, taking into account the nature of the processing assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.

5.2 CSAB shall, upon written request, assist Customer in ensuring compliance with Customer’s obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to CSAB.

5.3 CSAB shall be entitled to compensation for any assistance which CSAB provides to Customer in accordance with this Section 5.

 

6. Sub-processors and international data transfers

6.1 Customer provides general authorization to CSAB’s use of sub-processors to provide processing activities on personal data on behalf of Customer. CSAB will provide information on sub-processors that are currently engaged by CSAB on CSAB’s website. CSAB shall ensure that sub-processors are bound by written agreements that require them to comply with corresponding obligations to those contained in this DPA. Where a sub-processor fails to fulfil its data protection obligations, CSAB shall remain liable to Customer for the performance of the sub-processor’s obligations.

6.2 CSAB will inform Customer of any intended changes concerning the addition or replacement of sub-processors on CSAB’s website, thereby giving Customer the opportunity to object to such changes. In case Customer objects to such changes, Customer shall either terminate the CSMA, subject to the notice of termination period which is set forth in the CSMA, or cease using the Service for which CSAB has engaged the sub-processor.

6.3 If personal data will be transferred to a sub-processor located in a country outside the EU/EEA, CSAB will ensure that such transfer will be permitted under the Data Protection Laws e.g. by ensuring that EU Standard Contractual Clauses will be part of the agreement entered into with the sub-processor.

 

7. Security

The Parties shall implement appropriate technical and organisational measures to protect personal data taking into account the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. For CSAB, this means that CSAB shall maintain the technical and organizational measures set out in the description of the Services. In the event Customer requests a change of the security measures maintained by CSAB, CSAB shall be entitled to compensation for costs and additional work performed in order to comply with such request.

 

8. Audits

8.1 CSAB shall upon written request and at Customer’s expense provide Customer with all information necessary to demonstrate compliance with CSAB’s obligations under this DPA.

8.2 Upon thirty (30) day written notice and at Customer’s expense, Customer or any third-party auditor mandated by Customer shall have the right to audit the processing of personal data under this DPA. Any on-site inspection will be conditional upon compliance with CSAB’s work rules, security requirements and confidentiality standards and must not interrupt CSAB’s day-to-day business activities.

 

9. Liability

Each Party shall be liable for any administrative fines imposed on it by supervisory authorities that are intended to punish that Party for its violations of the Data Protection Laws. Otherwise, CSAB’s liability shall be limited in accordance with the terms of the CSMA.

 

10. Term

This DPA will continue in force until the termination of the CSMA.

 

11. Effects of Termination

Upon written request by Customer made within 30 days after the effective date of termination of the CSMA, CSAB shall make available functionality for retrieval of personal data to Customer in accordance with the Data Export Policy. In the absence of any such request, CSAB shall without undue delay delete all such personal data, unless CSAB is required to store the personal data under applicable law.

 

12. Miscellaneous

The provisions set forth in the CSMA regarding governing law and dispute resolution shall apply to this DPA.