- Document type
- Agreement
- Published
- Updated
- Version
- 1.0.0
- Jurisdiction
- Europe
- Audience
- B2B
This Data Processing Agreement is only a draft of what may be included in such an agreement. It is important to adapt the agreement according to specific needs and circumstances. Contact a legal advisor or data protection officer for guidance.
1. Parties and Definitions
1.1 Parties
This Data Processing Agreement (“DPA” or “Agreement”) is entered into between:
- Data Controller: The legal entity specified in the main agreement (“Client”, “the Data Controller”)
- Data Processor: NWG Digital AB, with company registration number 559386-0066, address Bleckslagargatan 16, 934 31 Kåge, Sweden (“Supplier”, “Data Processor”, “we”, “us”, “our”, “HallinMedia”)
The Data Controller and Data Processor are jointly referred to as the “Parties” and individually as a “Party”.
1.2 Definitions
In this Agreement, the following terms shall have the meanings set forth below:
- Personal Data: Any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing: Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Subject: The natural person to whom the personal data relates.
- Personal Data Breach: A security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Main Agreement: The agreement or agreements entered into by the Parties regarding services where the Data Processor processes personal data on behalf of the Data Controller.
- Data Protection Legislation: Applicable legislation regarding the processing of personal data, including but not limited to the EU General Data Protection Regulation (GDPR) and national supplementary provisions.
2. Background and Purpose
2.1 Background
The Parties have entered into one or more agreements (“Main Agreement”) according to which the Data Processor will provide certain services to the Data Controller. In order to deliver these services, the Data Processor will process personal data on behalf of the Data Controller.
2.2 Purpose of the Agreement
This Agreement aims to meet the requirements in Article 28 of the General Data Protection Regulation (GDPR) and ensure an adequate protection of personal data processed by the Data Processor on behalf of the Data Controller.
The agreement regulates:
- The Parties' rights and obligations
- The purpose and scope of the processing of personal data
- Technical and organisational security measures
- Instructions for the Processing of Personal Data
- Procedures for incident management and other obligations according to Data Protection Legislation
2.3 The Agreement's relationship to the Main Agreement
This Agreement shall form an integral part of the Main Agreement. In case of any discrepancies between the provisions of this Agreement and those of the Main Agreement regarding the processing of personal data, the provisions of this Agreement shall take precedence.
3. Scope and Purpose
3.1 Purpose of Processing
The Data Processor may only process personal data for the purpose or purposes specified in this Agreement, which are necessary in order to provide the services specified in the Main Agreement and in accordance with the documented instructions of the Data Controller.
The main purposes of the Processing may include:
- Provision of web development and web hosting services
- Design and production services
- Customer relationship management
- Marketing and communication services
- Support and maintenance of systems and applications
3.2 Categories of Personal Data
Types of Personal Data that the Data Processor may process include, but are not limited to:
- Contact details (e.g. name, address, e-mail address, phone number)
- Identification details (e.g. social security number, ID number, user name)
- Employment-related information (e.g. job title, workplace, job role)
- Technical information (e.g. IP address, geographical area, browser history)
- Behavioural data and preferences (e.g. purchasing habits, interests)
- User generated content (e.g. messages, image, text material)
3.3 Categories of Data Subjects
The groups of Data Subjects whose Personal Data may be processed include:
- Employees of the Data Controller
- Clients of the Data Controller
- Suppliers and cooperation partners of the Data Controller
- Users of the Data Controller’s services and websites
- Other categories of Data Subjects as specified in the Main Agreement
3.4 Processing activities
The Processing activities that the Data Processor may carry out include, but are not limited to:
- Collection
- Registration and structuring
- Storage and hosting
- Usage and analysis
- Transfer and sharing (within the scope of the Agreement)
- Deletion and destruction
4. Obligations and Rights of the Data Controller
4.1 Responsibilities of the Data Controller
The Data Controller shall be responsible for:
- Ensuring that a legal basis exists for processing personal data
- Carrying out processing in accordance with Data Protection Legislation
- Informing Data Subjects about the Processing in accordance with Data Protection Legislation
- Providing clear, documented instructions to the Data Processor
- Maintaining a register of the processing activities carried out under its responsibility
- Carrying out appropriate impact assessments as required under Data Protection Legislation
- Obtaining prior authorisation from the supervisory authority to the extent required
- Notifying the Data Processor of any changes to instructions
4.2 Right to Information and Monitoring
The Data Controller is entitled to:
- Access all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR
- Carry out audits, including inspections, of the Data Processor
- Issue further written instructions with respect to the Processing
Audits shall be carried out in a manner that minimises disruption to the Data Processor’s operations and with reasonable prior notice (minimum 30 days unless otherwise agreed).
5. Obligations of the Data Processor
5.1 General Obligations
The Data Processor undertakes to:
- Only process personal data according to the documented instructions of the Data Controller
- Ensure that persons authorised to process the personal data have undertaken to observe confidentiality
- Take all technical and organisational measures required by Article 32 of the GDPR
- Observe the conditions laid down in Articles 28(2) and 28(4) of the GDPR when engaging another processor (sub-processor)
- Assist the Data Controller, by suitable technical and organisational measures, to fulfil its obligation to respond to requests from Data Subjects exercising their rights
- Assist the Data Controller to ensure compliance with the obligations set out in Articles 32-36 of the GDPR
- At the Data Controller’s option, delete or return all personal data when the service provision has ended
- Provide the Data Controller with access to all information required to demonstrate compliance with the obligations set out in Article 28 of the GDPR
- Notify the Data Controller immediately if it considers that any instruction from the Data Controller breaches Data Protection Legislation
5.2 Security Measures
The Data Processor shall take suitable technical and organisational measures to ensure a security level that is appropriate in relation to the risk, including:
- Pseudonymisation and encryption of personal data where appropriate
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of the security measures
Specific security measures include, but are not limited to:
- Strict access control and authorisation management
- Encryption of data in transit using TLS
- Regular backups
- Continuous monitoring and logging
- Security updates and vulnerability management
- Staff training
- Documented processes for security management
- Physical security of server locations and equipment
5.3 Register of Processing
The Data Processor shall maintain a register of all categories of processing carried out on behalf of the Data Controller, which shall include:
- Contact details for the Data Processor and the Data Controller
- The categories of processing carried out on behalf of the Data Controller
- If applicable, transfers of personal data to a third country or an international organisation
- A general description of the technical and organisational security measures
5.4 Reporting of Personal Data Breaches
In the event of a Personal Data Breach, the Data Processor shall:
- Inform the Data Controller without undue delay and, where feasible, not later than 24 hours after becoming aware of the breach
- Provide the Data Controller with sufficient information to enable it to comply with the notification obligation to the supervisory authority
- Document the breach, its impact and measures taken
- Assist the Data Controller in communicating breaches to Data Subjects as required
The information provided shall, at a minimum:
- Describe the nature of the Personal Data Breach
- Describe likely consequences
- Describe measures taken or proposed to be taken
- Provide contact details for a data protection officer or other contact point
5.5 Assistance to the Data Controller
The Data Processor shall assist the Data Controller with:
- Complying with any obligation to respond to requests from Data Subjects
- Conducting impact assessments regarding data protection where relevant
- Prior consultation with the supervisory authority
- Implementing suitable technical and organisational measures
- Providing information needed to demonstrate compliance with Article 28 of the GDPR
6. Sub-processors
6.1 Authorisation
The Data Controller hereby gives a general written authorisation to the Data Processor to engage sub-processors for Processing of Personal Data in connection with this Agreement.
6.2 Information on Sub-processors
The Data Processor shall keep an updated list of engaged sub-processors available to the Data Controller. The list shall include:
- The name and contact details of the sub-processor
- The Processing activities carried out by the sub-processor
- The location of processing (country/region)
The current list of sub-processors shall be provided upon request.
6.3 Information on Amendments
The Data Processor shall notify the Data Controller of any planned amendments regarding additions or replacements of sub-processors at least 30 days in advance, thereby providing the Data Controller an opportunity to object to such amendments.
6.4 Objection to sub-processors
If the Data Controller has justified objections to engaging a particular sub-processor, the Data Controller shall inform the Data Processor in writing within 14 days of being informed. If the Data Processor nevertheless intends to engage the sub-processor despite the Data Controller’s objection, the Data Controller shall be entitled to terminate the Main Agreement with 30 days’ notice.
6.5 Obligations of the Sub-processor
When the Data Processor engages a sub-processor, this shall be done under a written agreement imposing on the sub-processor the same obligations regarding data protection as those set out in this Agreement. The Data Processor remains fully responsible towards the Data Controller for the performance of the sub-processor’s obligations.
7. Transfers to Third Countries
7.1 General Requirements
The Data Processor may only transfer personal data to a third country if:
- The Data Controller has given explicit written consent to such transfer
- The transfer is carried out in compliance with the provisions of the Data Protection Legislation on transfers to third countries
7.2 Suitable Safeguards
When transferring personal data to third countries, the Data Processor shall ensure that one of the following safeguards is in place:
- An adequacy decision by the European Commission in respect of the country in question
- Standard contractual clauses adopted by the European Commission
- Approved certification mechanisms together with binding commitments
- Approved codes of conduct together with binding commitments
- Binding Corporate Rules approved under the GDPR
7.3 Information on Transfers
The Data Processor shall, upon request, inform the Data Controller in which countries outside the EU/EEA personal data may be processed and which safeguards have been implemented for each such transfer.
8. Confidentiality
8.1 Commitment to Confidentiality
The Data Processor undertakes:
- To treat all information regarding the Personal Data and its Processing as confidential
- To ensure that persons authorised to process the Personal Data have undertaken to observe confidentiality or are subject to a statutory obligation of confidentiality
- Not to disclose Personal Data, or information regarding the Processing of Personal Data, to any third party without the prior written consent of the Data Controller, unless such disclosure is required by law
8.2 Compliance by Employees
The Data Processor is responsible for ensuring that its employees, consultants and others acting on behalf of the Data Processor, who have access to personal data:
- Are informed of the confidential nature of the Personal Data
- Are trained in the protection of personal data
- Are aware of the obligations of the Data Processor according to this Agreement
- Act in compliance with the confidentiality provisions of their respective employment or consulting agreements
8.3 Duration of Confidentiality
The confidentiality commitment shall apply during the term of this Agreement and thereafter indefinitely.
9. Duration of Agreement and Termination
9.1 Duration of Agreement
This Agreement shall apply from the day of signing and throughout the time that the Data Processor processes personal data on behalf of the Data Controller according to the Main Agreement.
9.2 Measures after the Expiration of the Agreement
Upon the expiration of the Agreement, the Data Processor shall, at the Data Controller’s choice:
- Delete all personal data processed on behalf of the Data Controller or
- Return all personal data to the Data Controller and delete existing copies
unless retention of the personal data is required by Union law or by the national law of a Member State.
9.3 Confirmation upon Deletion
If the Data Controller chooses to have personal data deleted, the Data Processor shall confirm in writing that deletion has occurred within 30 days of the deletion.
10. Amendments and Additions
10.1 Written Amendments
Changes and additions to this Agreement shall be made in writing and signed by both Parties in order to be valid.
10.2 Changes in Legislation
In the event that a change in Data Protection Legislation or in the supervisory authority’s interpretation thereof necessitates a change in this Agreement, the Parties shall in good faith cooperate in order to update the Agreement. The Data Processor shall in such case be entitled to reasonable compensation for any necessary adaptations of the services.
11. Liability and Limitation of Liability
11.1 Damages to Data Subjects
In the event that a Data Subject has suffered damage as a result of a breach of Data Protection Legislation, and both the Data Controller and the Data Processor have been involved in the Processing, the allocation of liability between the Parties shall follow Article 82 of the GDPR.
11.2 Fines and Other Penalties
If the supervisory authority decides on administrative fines, penalties or other sanctions for any of the Parties, the Party which caused the violation by not fulfilling its obligations under this Agreement shall be liable for such sanctions. If both Parties have contributed to the violation, liability shall be distributed in proportion to each Party’s responsibility for the violation.
11.3 Limitation of Liability
The Data Processor's total liability under this Agreement is limited to the amount stated in the limitation of liability provision of the Main Agreement, and in no case exceeds an amount corresponding to the fees paid during the preceding 12 months.
This limitation of liability does not apply in the case of intent or gross negligence or for liability which cannot be limited according to mandatory law.
12. Notices
12.1 Contact Points
Notices under this Agreement shall be sent in writing to the contact persons listed below or subsequently notified in writing to the other Party.
For Data Processor:
Name: NWG Digital AB
E-mail: [email protected]
Address: NWG Digital AB, Bleckslagargatan 16, 934 31 Kåge, Sweden
For Data Controller:
Name: [NAME]
E-mail: [E-MAIL]
Address: [ADDRESS]
12.2 Data Protection Officers (where appointed)
For Data Processor:
Name: NWG Digital AB
E-mail: [email protected]
Address: NWG Digital AB, Bleckslagargatan 16, 934 31 Kåge, Sweden
For Data Controller:
Name: [NAME]
E-mail: [E-MAIL]
Address: [ADDRESS]
13. Applicable Law and Dispute Resolution
13.1 Applicable Law
This Agreement shall be construed and governed in accordance with Swedish law, without regard to its conflict of laws rules.
13.2 Dispute Resolution
Disputes arising in connection with this Agreement shall be finally settled in accordance with the dispute resolution provisions of the Main Agreement. If the Main Agreement contains no such provisions, disputes shall be settled by the Swedish general courts.
14. Execution of Agreement
This Agreement shall be executed in two (2) identical copies, of which each of the Parties has taken one.
15. Signatures
The Parties hereby affirm that they have the authority to enter this Agreement and that they intend to comply with its provisions in accordance with the above.
Data Processor:
Place and date: [PLACE AND DATE]
Signature: [SIGNATURE]
Name in print: [NAME IN PRINT]
Data Controller:
Place and date: [PLACE AND DATE]
Signature: [SIGNATURE]
Name in print: [NAME IN PRINT]