DATA PROCESSING AGREEMENT
Version Date: January 13th, 2021
THIS DATA PROCESSING AGREEMENT (“DPA”) is made on the Effective Date.
(1) The legal entity identified as customer in the electronic order form or similar when signing up to the NUITEQ Stage Cloud Service (the “Controller”), and
(2) Natural User Interface Technologies AB, with company registration number 556731-1344, a corporation duly formed under Swedish law, with registered address Laboratorgränd 11 1tr, 931 77 Skellefteå, Sweden (the “Processor”);
(1) – (2) together the Parties and individually a Party.
BACKGROUND AND PURPOSE
(B) The Parties understand and acknowledge that the Parties’ compliance with this DPA is a prerequisite for any cooperation between the Parties.
(C) The Processor acts as a Data Processor and the Controller acts as a Data Controller, the concepts of which are further defined in the Applicable Privacy Laws.
(D) The Parties acknowledge and understand that when the GDPR has been interpreted by competent courts of justice, including the European Court of Justice, or if binding instructions are given by any Supervisory Authority, this DPA might need to be updated, if so mutually agreed between the Parties. If any Party deems it necessary to update this DPA due to a change in law or its interpretation, then the Parties shall negotiate in good faith to comply with such change.
IT IS AGREED as follows:
1.1. Any terms not defined in this DPA or the Agreement shall be given the meaning allocated to them in Applicable Privacy Laws from time to time, and such terms shall be interpreted in accordance with the then prevailing interpretation of the term’s meaning in jurisprudence concerning Applicable Privacy Laws.
1.2. The following defined terms shall be used to the extent these do not conflict with the terms in the Applicable Privacy Laws:
“Agreement” shall mean the agreement between the Parties for the provision of services as defined in Recital A;
“Applicable Privacy Laws” shall mean the Swedish Personal Data Act (1998:204, as amended) or any other applicable data protection legislation as amended from time to time (including but not limited to the EU Data Protection Directive (95/46/EC) and the General Data Protection Regulation, “GDPR” (2016/679/EU)) and the instructions and binding orders of the data protection authorities;
“Claim” shall mean any action, claim, assertion, demand or proceeding;
“Controller Security Requirements” shall mean the security policies of the Controller in relation to whom the Services might be provided, as communicated to and agreed upon in writing by the Processor;
“Effective Date” shall mean the date when this Agreement is entered into between the Parties;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
[term missing] shall mean all systems used to access, store or otherwise Process Personal Data, including temporary files;
[term missing] shall mean any Claim, loss, damage, cost, charge, fine, fees, levies, award, expense or other liability of any nature (whether foreseeable or contingent or not) and including any direct, indirect or consequential losses;
“Minimum Security Requirements” shall mean the security measures specified in the security description of the Service (https://docs.nuiteq.com/nuiteq-stage/0/security/) as may be updated or reissued from time to time by the Controller in accordance with the terms of this Agreement, as well as any Controller Security Requirements;
“Personal Data” shall mean any information relating to an identified or identifiable natural person as defined by the Applicable Privacy Laws, including the categories of data listed in the Processing Appendix together with any additional such personal data to which the Processor has access from time to time in performing the Services;
“Process”, “Processing” or “Processed” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data as defined in the Applicable Privacy Laws;
“Services” shall mean the services provided by the Processor in relation to the Processing of Personal Data as described in a Processing Appendix from time to time;
“Standard Contractual Clauses” shall mean the model contract clauses set out in the European Commission’s Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to data processors established in third countries under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as may be amended or replaced by the European Commission from time to time;
“Sub-Processors” shall mean sub-processors, whether legal or natural persons, engaged to perform some or all data processing tasks contemplated by the Agreement;
“Supervisory Authority” shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction of the Controller.
2. RIGHTS AND RESPONSIBILITIES OF THE DATA CONTROLLER
2.1. The Data Controller shall
(a) Process the Personal Data in compliance with the Applicable Privacy Laws and good data processing practice;
(b) be entitled to give documented instructions to the Data Processor on the processing of Personal Data, which instructions shall be binding on the Data Processor;
(c) at all times retain control and authority over the Personal Data; and
(d) at all times retain title and all Intellectual Property Rights and other rights, howsoever arising, to Personal Data.
2.2. Any and all costs incurred by the Data Processor caused by instructions by the Data Controller not covered by the Agreement shall be reimbursed by the Data Controller.
3. RESPONSIBILITIES OF THE DATA PROCESSOR
3.1. General principles applying to the processing of Personal Data
3.1.1. The Data Processor must not use the Personal Data for any other purposes than those specified in the Agreement and this DPA.
3.1.2. The Data Processor shall:
(a) Process Personal Data with all due care and skill, diligence and prudence, in a workmanlike manner, in accordance with good data processing practices and high professional standards and in compliance with applicable laws and regulations;
(b) Process the Personal Data only on documented instructions from the Data Controller, unless required to do so in accordance with applicable laws and regulations to which the Data Processor is subject. In such case, the Data Processor shall immediately inform the Data Controller of such requirement under applicable laws and regulations before Processing the Personal Data, unless the applicable laws and regulations prohibit such notification;
(c) assist the Data Controller by appropriate technical and organisational measures in Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
(d) assist the Data Controller in ensuring compliance with its legal obligations pursuant to Article 32-36 GDPR taking into account the nature of the Processing and the information available to the Data Processor;
(e) make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller;
With regard to point (e) of the first subparagraph, the Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions; and
(f) Process Personal Data only during the term of this DPA.
3.1.3. This DPA shall not prevent Data Processor from disclosing Personal Data as required by law, regulation or by competent regulatory authority (in which case Data Processor shall, unless prohibited by law, inform Data Controller in advance).
3.1.4. The Data Processor does not own any Personal Data. The Data Controller shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use of all Personal Data, and the Data Processor shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any Personal Data except as stated in the Agreement and in all other applicable legislation.
3.2. Instructions from the Data Controller
3.2.1. To ensure that the Data Controller’s instructions in respect of any Personal Data can be carried out as required under this DPA, the Data Processor shall have in place appropriate processes and any associated technical measures that will ensure that the Data Controller’s instructions can be complied with, including the following:
(a) requests by individual Data Subjects to the Data Controller, or any exercise of privacy rights, in respect of their Personal Data from time to time can be implemented;
(b) provision of appropriate interfaces or support for other Processes of the Data Controller in ensuring information is provided to Data Subjects as required by Applicable Privacy Laws;
(c) updating, amending or correcting the Personal Data of any individual upon request of the Data Controller from time to time;
(d) cancelling or blocking access to any Personal Data upon receipt of instructions from the Data Controller; and
(e) the flagging of Personal Data files or accounts to enable the Data Controller to apply particular rules to individual Data Subjects' Personal Data, such as the suppression of marketing activity.
3.3. Privacy Impact Assessments
3.3.1. Where requested to do so by the Data Controller, the Data Processor shall make available to the Data Controller all information necessary to demonstrate the Data Controller’s compliance with the Applicable Privacy Laws and shall assist the Data Controller in carrying out a privacy impact assessment of the Services and work with the Data Controller to implement agreed mitigation actions to address privacy risks so identified.
3.4. Data security
3.4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) pseudonymize or encrypt the Personal Data where so required;
(b) ensure at all times the confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
(c) restore the availability and access to Personal Data in a timely manner in the event of a Disaster; and
(d) regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.4.2. The Data Processor shall ensure that any person acting under the authority of the Data Processor who has access to Personal Data shall not Process them except on instructions from the Data Controller, unless he or she is required to do so by Applicable Privacy Laws.
3.4.3. The Data Processor shall document the activities taken to ensure its compliance with its obligations under this Section 3.4, and shall ensure such activities have been completed before starting to Process the Personal Data, and upon request present the documentation to the Data Controller for review.
3.5. Business Continuity and Disaster Recovery
3.5.1. Disaster shall in this DPA mean an unexpected interruption or disruption of the operations of the Controller attributable to a major critical error or defect in the Services or unavailability of or disruption in the Services (whether caused by a natural or a man-made phenomenon or occurrence and whether affecting the Data Controller or the Data Processor or both) that requires the implementation of the Disaster Recovery Plan and which is acknowledged to be a Disaster by the Parties pursuant to the Disaster Recovery Plan, including, but not limited to, (a) any substantial physical damage to or destruction of tangible property; (b) any pandemic; (c) computer virus or other malware; (d) interruption or other disruption of telecommunications; (e) denial-of-service attacks; and (f) loss or other disruption of electricity or other utilities.
3.6.1. The Data Processor shall maintain a record in an electronic form (“Record”), of all Personal Data Processing carried out under this DPA and the Agreement on behalf of the Data Controller, containing at least:
(a) the name and contact details of the Data Processor, and the data protection officer;
(b) the categories of Processing carried out on behalf of the Data Controller;
(c) information on any transfers of Personal Data outside of the EU/EEA made in accordance with Section 5 and the documentation of appropriate safeguards implemented;
(d) a description of the technical and organisational security measures taken in accordance with Section 3.4.1;
(e) a list of subcontractors used for Personal Data Processing; and
(f) a report of any own audits performed by the Data Processor or a third party, which shall include at least information on execution of this DPA and requests of the relevant Supervisory Authority and the Data Subjects and on the measures taken on the basis of those requests.
3.7. Reporting and notification obligation
3.7.1. The Data Processor shall provide the Data Controller with the Record without undue delay but no later than in seven (7) business days from the Data Controller’s request.
3.7.2. In case the Data Subjects or the Supervisory Authority make a request concerning Personal Data, including a request for blocking, deleting or amending the Personal Data, delivering them any information or executing any other actions, the Data Processor shall, without undue delay, inform the Data Controller of all such requests prior to any response or other action concerning the Personal Data, or afterwards as soon as reasonably possible in case any law or regulation prescribes an immediate response. The Data Processor may only correct, delete, amend or block the Personal Data processed on behalf of the Data Controller when instructed to do so by the Data Controller or required by law or regulation. Such instructions shall be clear and delivered to the Data Processor without undue delay upon request.
3.7.3. The Data Processor shall notify the Data Controller of any changes in its activities that may affect the data protection and/or data security of the Data Controller’s Personal Data.
3.8. Personal Data Breach notification
3.8.1. In the event of a “Personal Data Breach”, i.e. a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, the Data Processor shall without undue delay after becoming aware of it notify the Data Controller in writing and additionally in any other reasonable and prompt manner (e.g. by phone).
3.8.2. The Personal Data Breach notification shall contain at least the following:
(a) a description of the nature of the Personal Data Breach including, the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;
(b) the name and contact details of the person responsible for the Data Processor’s data protection matters;
(c) a description of likely consequences and/or realized consequences of the Personal Data Breach; and
(d) a description of the measures taken to address the Personal Data Breach and to mitigate its possible adverse effects.
3.8.3. Where, and in so far as, it is not possible to provide the information listed in Section 3.8.2 at the same time, the information may be provided in phases without undue further delay.
3.8.4. The Data Processor shall document any Personal Data Breaches and have the record available to the Data Controller upon request.
3.8.5. The Data Processor shall take all the necessary steps to protect the Personal Data after having become aware of the Personal Data Breach. After having notified the Data Controller in accordance with Section 3.8.1 above, the Data Processor shall, in consultation with the Data Controller, take appropriate measures to secure the Personal Data and limit any possible detrimental effect on the Data Subjects. The Data Processor will cooperate with the Data Controller, and with any third parties designated by the Data Controller, to respond to the Personal Data Breach. The objective of the Personal Data Breach response will be to restore the confidentiality, integrity and availability of the Services, to establish root causes and remediation steps, to preserve evidence and to mitigate any damage caused to the Data Subjects or the Data Controller.
3.9. Deletion or Returning of Personal Data
3.9.1. The Data Processor shall delete Personal Data from the Service(s) in accordance with the retention policies for the Service(s) and at such other times as may be required from time to time by the Data Controller.
3.9.2. Upon termination or expiry of any of the relevant Services, in respect of such Services any remaining Personal Data shall, at the Data Controller's option, be destroyed or returned to the Data Controller, along with any medium or document containing Personal Data.
3.9.3. Upon termination or expiry of the Agreement, any remaining Personal Data shall, at the Data Controller's option, be destroyed or returned to the Data Controller, along with any medium or document containing Personal Data.
4. STORAGE OF PERSONAL DATA
4.1. The Data Processor shall inform the Data Controller in writing about the locations where Personal Data is stored, accessed or otherwise processed on behalf of the Data Controller and the identities of the subcontractors of the Data Processor, if any, taking part in such Processing.
5. TRANSFERS OF PERSONAL DATA
5.1. The Data Processor shall not transfer any Personal Data to any third party or country outside the European Union or the European Economic Area except for transfers in accordance with the Data Controller’s prior written instructions and the express terms of this DPA and the Agreement. Where the Data Controller requires or consents to a transfer of Personal Data outside the borders of European Union and European Economic Area and as required by the Applicable Privacy Laws or as requested by the Data Controller, the Data Processor shall enter into the Standard Contractual Clauses for the transfer of Personal Data to third countries.
6. USE OF SUB-PROCESSORS
6.1. The Data Processor is using the Sub-Processors listed in the documentation here https://docs.nuiteq.com/nuiteq-stage/0/0/nuiteq-stage/.
6.2. The Data Processor shall not add additional Sub-Processors unless and until:
(a) The Data Processor has updated the webpage linked in Section 6.1 and notified the Data Controller by email;
(b) the Data Processor has provided to the Data Controller details (including categories) of the Processing to be carried out by the Sub-Processor in relation to the Services; and such other information as may be requested by the Data Controller in order for the Data Controller to comply with Applicable Privacy Law or for the Data Controller to notify the relevant Supervisory Authority;
(c) the Data Processor has made reasonable efforts to impose legally binding terms no less onerous than those contained in this Agreement on such Sub-Processor;
(d) the Data Controller has not objected to the subcontracting or outsourcing within ten (10) working days from receiving the Data Processor's written notification set forth in Section 6.2(a) together with the information set forth in Section 6.2(b); and
(e) the Data Processor has entered into Standard Contractual Clauses with the Sub-Processor, where the scope of sub-contracting involves the Data Controller's Personal Data to be Processed or stored by any means in third countries.
6.3. The Data Processor shall inform the Data Controller of any intended changes concerning addition or replacement of other Sub-Processors. The Data Processor is obliged to regularly ensure that the used Sub-Processors are properly experienced and qualified and ensure that the Sub-Processors comply with the confidentiality, data security and other obligations specified in this DPA.
6.4. The Data Processor is obliged to regularly monitor the performance of its Sub-Processors and it remains fully liable for the work of its Sub-Processors. Any omission, wilful misconduct or gross negligence by the Sub-Processors shall be deemed an omission, wilful misconduct or gross negligence by the Data Processor. Upon request, the Data Processor shall provide the Data Controller with information on the substance of the contract related to the implementation of the data protection and security obligations within the subcontract relationship.
7.1. The Data Processor shall, and shall procure that any Sub-Processor shall, permit the Data Controller and its customers (including the Controller's and customers' respective sub-contractors, auditors or other agents) (each an “Auditing Party”) to access its premises, computer and other information systems, records, documents and agreements as reasonably required by the Auditing Party to check that the Data Processor and/or its Sub-Processors are complying with their obligations under this DPA (or any subsequent sub-processing contract) or any Applicable Privacy Laws. Any review in accordance with this Section 7.1 shall not require the review of any third party data, and requires that the reviewing entity enter into such confidentiality obligations with the Data Processor or with the relevant Sub-Processor as may be reasonably necessary to respect the confidentiality of the Data Processor's or Sub-Processor's business interests and of third party data and information of which the reviewing entity may become aware in the course of undertaking the review. The Auditing Party shall bear its own costs in relation to such audit, unless the audit reveals any non-compliance with the Data Processor's or Sub-Processor's obligations under any Applicable Privacy Laws, this DPA or any subsequent sub-processing contract, in which case the costs of the audit shall be borne by the Data Processor.
7.2. The Data Processor shall, and shall procure that any Sub-Processor shall, permit at its own cost the Supervisory Authority to conduct a data protection audit with regard to the Processing carried out by the Data Processor or Sub-Processor in accordance with the Applicable Privacy Laws.
8. WARRANTIES AND INDEMNIFICATION
8.1. The Data Processor warrants that it shall Process Personal Data in accordance with the terms and conditions of this DPA, GDPR, the Applicable Privacy Laws and any other applicable and written instructions, rules or policies issued by the Data Controller relating to Processing of Personal Data under this DPA by the Data Processor, save for what has been expressly agreed upon under Section 8.4 below.
8.2. Claims by Data Subjects. In the event a Data Subject addresses a claim against the Data Controller due to the Data Processor’s own breach of the said warranty, (i) the Data Processor shall at its own cost give the Data Controller all available information and assistance required to respond to such claim; and (ii) the Data Processor shall indemnify and hold the Data Controller harmless against all damages that are awarded in a trial or potential settlement, amounts agreed to be paid to a Data Subject, as well as all costs, including without limitation attorney’s fees, incurred by the Data Controller, provided that (a) the Data Processor has sole control over the trial, arbitration proceedings and/or the negotiations for settlement, (b) the Data Processor is promptly, without delay, informed by the Data Controller of any claim, and (c) the Data Controller, at its own cost, provides the Data Processor with any and all required information as requested. Any such liability of the Data Processor under this Section 8.2 shall be subject to the limitation of liability provisions in the Agreement.
8.3. Fines issued by the Supervisory Authority. The Parties agree that the general principle for the division of liability between the Parties relating to fines imposed by any relevant Supervisory Authority is that each Party has to fulfil its own obligations under the GDPR and the Applicable Privacy Laws, and that any fines imposed by a Supervisory Authority should ultimately be paid by the Party which has failed in the performance of its legal obligations under the GDPR or the Applicable Privacy Laws. In the event of a claim or procedure that could result in fines, both Parties shall jointly handle the procedure, with good faith cooperation, until it can be established which of the Parties is liable for the breach of the GDPR or the Applicable Privacy Laws, after which that Party shall take over the proceedings. The non-faulting Party shall provide information and support in good faith to the Party handling the procedure. For the avoidance of doubt, the Data Processor’s liability shall be restricted to breaches where either the Data Processor is in sole control, or has disregarded the Data Controller’s clear and written instructions.
8.4. In accordance with the principle set out in Section 8.3 above, the Data Controller and the Data Processor are liable for their respective compliance with their own obligations as set forth in the GDPR or the Applicable Privacy Laws. The Data Processor shall review the requirements and instructions issued by the Data Controller regarding data processing activities performed by the Data Processor under this DPA on its behalf, and notify the Data Controller beforehand in writing if it is obvious that the implementation of such requirements or instructions would likely constitute a violation of the GDPR or the Applicable Privacy Laws applicable to the Data Processor. The Data Processor shall, to a reasonable extent, advise the Data Controller in its written notice on how such requirements and instructions should be amended in order to avoid such potential violation of the GDPR or the Applicable Privacy Laws by the Data Processor due to following such requirements or instructions. If the Data Controller in its written response continues to require that the Data Processor implement such requirements and instructions despite the associated risks, then the Data Controller shall at its own cost indemnify and hold the Data Processor harmless against any fines imposed by any Supervisory Authority.
9.1. Notices regarding any dispute, claim or controversy arising out of or relating to this DPA and its appendices, or the breach, termination or validity thereof shall be deemed sufficient if made in writing and delivered by registered mail, by courier, by email, or by fax to the recipient at the address officially registered or at other address that the receiving Party has supplied in writing. Each Party is entitled to change their contact persons by informing in writing the other Party thereof.
10. TERM AND TERMINATION
10.1. This DPA shall become effective when acknowledged by the Controller, and the Agreement is binding between the Parties, and shall continue to be in effect until terminated pursuant to section 10.2 or 10.3 below.
10.2. This DPA shall automatically terminate upon any termination or expiration of the Agreement.
10.3. In case the Data Processor materially breaches this DPA and fails to remedy the breach, if such breach is remediable, within thirty (30) days from the Data Controller’s notification of the breach to the Data Processor, or within thirty (30) days from the date when the Data Processor should have noticed the breach, the Data Controller shall have the right to terminate with immediate effect any and all Services and other agreements which the breach affects or relates to. In case one of the Data Processor’s subcontractors materially breaches this DPA and fails to remedy the breach, if such breach is remediable, within thirty (30) days from the Data Controller’s notification of the breach to the Data Processor, or within thirty (30) days from the date when the Data Processor should have noticed the breach, the Data Controller shall have the right to terminate with immediate effect any and all Services and other agreements which the breach affects or relates to, unless the Data Processor replaces the subcontractor within such thirty (30) day period.
10.4. Termination or expiration of this DPA shall not discharge the Data Processor from its confidentiality or other obligations pursuant to the Agreement, and notably the Data Processor agrees, even after the termination or expiry of this DPA, to perform any and all of its legal obligations as the Data Processor and to assist the Data Controller in the performance of its legal obligations pursuant to the Applicable Privacy Laws.
11.1. Section and other headings in this DPA are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this DPA. Schedules to this DPA shall be deemed to be an integral part of this DPA to the same extent as if they had been set forth verbatim herein.
11.2. This DPA is personal to the Data Processor and the Data Processor shall not under any circumstances assign, novate or otherwise transfer any of its rights or obligations under this DPA without the Data Controller’s prior express written consent.
11.3. This DPA, including the Appendices attached hereto and any subsequent properly executed Processing Appendices agreed between the Parties, constitutes the entire agreement between the Parties pertaining to the subject matter hereof and supersedes all prior agreements, understandings, negotiations and discussions of the Parties. For the avoidance of doubt, the terms and conditions of the Agreement are not incorporated in this DPA.
11.4. The provisions of this DPA shall inure to the benefit of and shall be binding upon the Parties and their respective successors and assignees.
12. APPLICABLE LAW AND DISPUTE RESOLUTION
12.1. This DPA, including the arbitration clause, and any dispute, claim or controversy arising out of or relating to this DPA, or the breach, termination or validity thereof, are governed by the laws of the country where the Controller is established without regard to its principles and rules on conflict of laws.
12.2. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce. The arbitral tribunal shall be composed of three arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English.