Data Processing Agreement
- Indivd AB, org. nr 559169-7072, Bankgatan 8, 852 31, Sundsvall (“Indivd” or “Data Processor”); and
- Customer, whose name, company registration number and address are stated in the Order Form (“Customer” or “Data Controller”);
Indivd and the Customer are each referred to as a “Party” and jointly the “Parties”.
A) Indivd and the Customer have entered into a customer agreement (the “Customer Agreement”).
B) When performing the contractual obligations in the Customer Agreement, it is anticipated that Indivd may Process Personal Data on behalf of the Customer. The Processing of such Personal Data by Indivd is conducted on behalf of the Customer for which Indivd is the Data Processor. This Data Processing Agreement regulates the terms and conditions for how Indivd will Process Personal Data on behalf of the Customer.
C) If any provision of the Customer Agreement conflicts with the terms of this Data Processing Agreement, the terms of this Data Processing Agreement shall take precedence to the extent its terms provide greater protection for Personal Data.
In this Data Processing Agreement the following terms have the following meanings:
“Agreement Date” means as stated in the Order Form;
“Processing”, “Data Controller”, “Personal Data”, “Data Processor”, “Personal Data Breach”, and “Data Subject” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”);
“Data Processing Agreement” means this Data Processing Agreement and all appendices attached hereto;
“Applicable Laws” means laws and regulations under EU law and relevant Member State laws that from time to time apply to the Data Processor and the Data Controller (including Applicable Data Protection Laws);
“Applicable Data Protection Laws” means from time to time applicable legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data that apply to Indivd and the Supplier, including data protection laws and regulations implementing the Data Protection Directive 95/46/EC and as of 25 May 2018 the GDPR; and
“Third Country” means a country which is not a member of the European Union (EU) or the European Economic Area (EEA).
When the context requires it, the singular shall include the plural, and vice versa, and the gender of each pronoun shall include all genders.
2. GENERAL OBLIGATIONS FOR THE CUSTOMER
2.1. The Customer shall in its role as the Data Controller ensure the compliance with the Applicable Data Protection Laws.
2.2 The Customer shall in accordance with Section 30 (1) in the GDPR provide the Data Processor records of processing activities that are required in order for the Data Processor to be able to comply with its obligation to maintain a record of processing activities in accordance with Section 30 (2) in the GDPR.
2.3 The Customer shall appoint a data protection officer and/or a representative if required by the Applicable Data Protection Laws and, where necessary, provide the Data Processor with the contact details to such person.
2.4 By entering into this Data Processing Agreement, the Customer confirms that the technical and organizational measures stated in Appendix 2 are considered adequate and sufficient in order to protect the Personal Data covered by this Data Processing Agreement and that the Data Processor gives sufficient guarantees in accordance with Section 28 (1) in the GDPR.
3.1 The Data Controller instructs the Data Processor to process Personal Data only on behalf of the Data Controller and in accordance with the instructions by the Data Controller, as set out in this Data Processing Agreement and the Customer Agreement. The Data Controller ensures that the instructions comply with the Applicable Data Protection Laws.
3.2 If the Data Controller leaves instructions that go beyond what is stated in this Data Processing Agreement and the Customer Agreement, the following shall apply. In the event the implementation of actions required by the instructions entail costs for the Data Processor, the Data Processor shall inform the Data Controller thereof and provide an explanation of why the actions entail costs. The Data Processor shall be required to implement the measures only on condition that the Data Controller confirms that the Data Processor shall bear the costs of the actions. The instructions must be submitted in writing, unless there are special reasons justifying that the instructions may be given orally, in which case the Data Processor shall document and confirm the instructions in writing without undue delay.
3.3 The Data Processor shall notify the Data Controller if the Data Processor considers that an instruction regarding the Processing of Personal Data given by the Data Controller would be in breach of Applicable Laws (“Challenged Instruction”). The Data Processor will not in such case be obliged to follow the Challenged Instruction unless the Data Controller maintains it and takes the responsibility for the Challenged Instruction. In such case, the Data Processor shall take the measures required by the Data Controller provided that the measures do not concern (i) implementation of technical and organizational measures; (ii) Data Subjects’ rights; or (iii) appointing Sub-Processors. In case of disagreement, the Data Processor is entitled to seek guidance from the relevant supervisory authority. If such authority considers that the proposed measures are lawful, the Data Processor shall take them, in which case Section 3.2 applies with regard to the costs for the measures. The Data Processor’s obligation to notify the Data Controller according to the first sentence in this Section shall not apply to the extent the Data Processor is prevented from doing so in accordance with Applicable Laws.
4. THE GENERAL OBLIGATIONS OF THE DATA PROCESSOR
4.1 The Data Processor will Process Personal Data only in accordance with the written instructions issued by the Data Controller by this Data Processing Agreement and the Customer Agreement.
4.2 Notwithstanding what is stated in Section 4.1 above, the Data Processor may Process the Personal Data to the extent it is necessary for the Data Processor in order to comply with legal requirements under Applicable Laws to which the Data Processor is subject. If so, the Data Processor shall inform the Data Controller of that legal requirement before the Processing, unless Applicable Laws prohibit the Data Processor from providing this information.
4.3 The Data Processor shall upon request by the Data Controller assist the Data Controller by providing it with the necessary information that the Data Processor has access to, in order for the Data Controller to be able to comply with its obligations to perform an impact assessment in accordance with Section 35 and to consult the supervisory authority in accordance with Section 36 in the GDPR, regarding the Processing of Personal Data that is conducted in accordance with this Data Processing Agreement. The Data Processor is entitled to compensation from the Data Controller for the costs of such measures. The Data Processor’s obligation to assist the Data Controller is limited to such information that the Data Controller otherwise has no access to.
5. SECURITY MEASURES
5.1 The obligation to implement technical and organisational measures to protect the Personal Data
5.1.1 The Data Processor shall implement appropriate technical and organisational measures in accordance with what is provided in Appendix 2 to protect and safeguard the Personal Data that is processed against Personal Data Breaches. The Data Processor shall have a right to change these measures under the condition that the changes do not result in worse protection of the Personal Data and at least reach the level of protection that follows from the Applicable Data Protection Laws. In case the Data Controller requests that the Data Processor shall take technical and organizational measures that are in addition to what is stated above in this Section 5.1.1, Section 3.2 shall not be applied to the costs for such measures.
5.2 Access to Personal Data etc.
5.2.1 The Data Processor shall ensure that access to the Personal Data is limited to those employees of the Data Processor who need access to the Personal Data in order for the Data Processor to fulfill its obligations under this Data Processing Agreement and the Customer Agreement as well as in order to perform their job duties.
5.2.2 The Data Processor shall ensure that all employees authorized to access and Process the Personal Data have committed themselves to confidentiality.
5.3 Personal Data Breach
5.3.1 In the event of a Personal Data Breach at the Data Processor, the Data Processor shall notify the Data Controller about the Personal Data Breach without undue delay after the Data Processor became aware of such Personal Data Breach. Moreover, the Data Processor shall provide such information that follows from the information obligation in Section 33 (3) in the GDPR, that the Data Processor has access to and that the Data Controller cannot access by other means.
5.3.2 The notification to the Data Controller shall include the following information:
(i) a description of the nature of the Personal Data Breach, including the categories and number of Data Subjects concerned and the categories and number of Personal Data records concerned;
(ii) the likely consequences of the Personal Data Breach; and
(iii) a description of the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.3.3 Where, and in so far as, it is not possible for the Data Processor to provide the above information in Section 5.3.2 above at the same time, the information may be provided in phases (without undue further delay).
6. ACCESS TO INFORMATION
6.1 The Data Processor shall document the measures that the Data Processor has taken in order to comply with its obligations in this Data Processing Agreement. The Data Controller shall have a right to receive a copy of the latest version of such documentation.
6.2 Upon the Data Controller’s request, the Data Processor shall show that it meets the requirements for Data Processors in Section 28 in the GDPR. The Parties agree that this may be done by providing a report prepared by a third party in accordance with applicable standards (“Report”).
6.3 If further inspection measures than those stated above in Section 6.2 are required by the Applicable Data Protection Laws, the Data Controller may require an inspection at the site (“Site Inspection”). The following terms apply for Site Inspections:
(i) Site Inspections are limited to the resources and personnel at the Data Processor who are involved in the Processing of Personal Data covered by this Data Processing Agreement. This means that Site Inspections may not under any circumstances comprise other information regarding the Data Processor’s business that is irrelevant for the Data Processor’s Processing of Personal Data on behalf of the Data Controller;
(ii) Site Inspections may not be conducted more often than once a year, unless otherwise required by the Applicable Data Protection Laws or as a consequence of a substantial Personal Data Breach that has affected the Personal Data that is covered by this Data Processing Agreement;
(iii) Site Inspections shall be conducted during office hours and in a manner that affects the Data Processor’s business in the least possible way and in accordance with the Data Processor’s security policies;
(iv) the Data Controller shall bear the costs that relate to the Site Inspections and preparing reports of the findings during Site Inspections;
(v) Site Inspections shall, when possible, be conducted by a third party chosen by both Parties. The Data Controller shall ensure that such third party undertakes a confidentiality undertaking regarding all information that the third party may get access to during the inspection, and is liable to the Data Processor for any breaches of the confidentiality undertaking by the third party. All costs that relate to an inspection shall be borne by the Data Controller, including any costs that the Data Processor has for the cooperation in such inspection;
(vi) Site Inspections shall be preceded by at least thirty (30) days’ written notice. Reports and reports from Site Inspections are considered the Data Processor’s confidential information and shall not be disclosed to third parties unless required by Applicable Laws or if the Data Processor has consented thereto.
7. USE OF SUB-PROCESSORS
7.1 The Data Processor may engage outside sub-contractors, consultants or other third parties to Process Personal Data on behalf of the Data Controller (“Sub-Processors”). Moreover, the Data Controller may let the Data Processor enter into a data processing agreement on behalf of the Data Controller directly with Sub-Processors. Such data processing agreement with a Sub-Processor shall impose on the Sub-Processor corresponding and not less restrictive obligations than what follows from this Data Processing Agreement.
7.2 The Data Processor shall, in the event the Data Processor engages a Sub-Processor, without undue delay provide the Data Controller with the information stated in Appendix 1 in writing.
7.3 The Data Controller has a right to, by providing a reason within five (5) working days after the Data Processor has informed the Data Controller in writing about engaging a Sub-Processor, object to the Data Processor engaging the actual Sub-Processor. If the Data Controller has not objected within the stated time, the proposed Sub-Processor is deemed accepted. If the Data Controller objects to the Sub-Processor, the Data Processor has a right to choose one of the following alternatives: (a) refrain from engaging the Sub-Processor to process Personal Data covered by this Data Processing Agreement; (b) take measures that reasonably eliminate the reason for the Data Controller’s objection; or (c) temporarily or permanently cease to provide the part of the service/services that entails Processing of Personal Data by the actual Sub-Processor. If none of these alternatives is feasible and the Data Controller maintains its objection after [thirty (30)] days have passed after the objection was made, each Party has a right to terminate, by giving a reasonable notice period, that part of the service/services that entails Processing of Personal Data by the actual Sub-Processor.
7.4 The Data Processor shall, in addition to the information stated in Section 7.2 above, upon the Data Controller’s request provide information regarding the measures that have been taken to ensure that the Sub-Processor gives sufficient guarantees to implement technical and organisational measures in a way that complies with the requirements in Applicable Data Protection Laws.
7.5 The Data Processor is liable towards the Data Controller for the Processing of Personal Data by the Sub-Processors covered by this Data Processing Agreement in accordance with Applicable Data Protection Laws.
The terms and conditions regarding liability in the Customer Agreement shall apply to this Data Processing Agreement.
9. DATA SUBJECTS’ RIGHTS
9.1 The Data Controller shall be responsible for assessing whether a request by a Data Subject to exercise its rights under Applicable Data Protection Laws is legitimate or not, and for providing the Data Processor with instructions regarding the scope of the support stated below that is required.
9.2 The Data Processor shall without undue delay inform the Data Controller about complaints and other notices from the Data Subjects exercising their rights. However, the Data Processor shall not, unless the Data Controller has given the Data Processor sufficient instructions thereof, communicate with the Data Subject.
9.3 The Data Controller is responsible for the handling in connection with the Data Subject exercising its rights under Applicable Data Protection Legislation.
9.4 The Data Processor shall upon request assist the Data Controller with the following appropriate technical and organizational measures in connection with the Data Subject exercising its rights under Chapter III in the GDPR:
(i) In connection with a request for information, the Data Processor shall provide the Data Controller with such information that is covered by Sections 13 and 14 in the GDPR to the extent such information is available to the Data Processor and the Data Controller does not have access to such information.
(ii) In connection with a request for the right of access, the Data Processor shall provide the Data Controller with such information that is covered by Section 15 in the GDPR to the extent such information is available to the Data Processor and the Data Controller does not have access to such information.
(iii) In connection with a request for rectification (Section 16 in the GDPR), erasure (Section 17 in the GDPR), restriction of processing (Section 18 in the GDPR), and data portability (Section 20 in the GDPR), the Data Processor shall, to the extent the Data Controller cannot take the measures requested by the Data Subject(s), either enable the Data Controller to take such measures, or, if not possible, assist the Data Controller in taking such measures.
(iv) The Data Processor shall, on instructions from the Data Controller, notify the Sub-Processors that Process Personal Data covered by the request by the Data Subject to rectify, erase or restrict the processing (Section 19 in the GDPR) that such request has been made. The Data Controller undertakes to inform other recipients.
(v) In relation to the Data Subject’s right to object to processing in Sections 21-22 in the GDPR, the Data Controller shall assess whether the objection is legitimate and how it is to be handled. In the event the Data Controller wishes to be assisted by the Data Processor, the Data Controller shall issue further instructions, whereby the routines described in Section 3.2 shall apply to the Data Processor’s right to compensation for costs.
9.5 In the event the Data Controller requests that the Data Processor shall take technical and organisational measures in addition to what is stated in Section 5.1.1 for the purpose of handling the Data Subject’s rights under this Section 9, the Section 3.2 shall apply to the costs for such measures.
9.6 Notwithstanding what is stated above in Section 9.5, the Data Processor is entitled to compensation for reasonable expenses due to the Data Subject exercising its rights as set out above.
10. RETURN OF PERSONAL DATA
10.1 Upon termination of the Customer Agreement, the Data Processor shall return (and/or upon the Data Controller’s written request in a secure and irreversible way delete or anonymise) all Personal Data which belongs to the Data Controller that the Data Processor and/or any Sub-Processors have in their possession or control. This applies unless the Data Processor is required under Applicable Laws to continue to store the Personal Data. Unless the Data Controller has within thirty (30) days after the termination of the Customer Agreement instructed the Data Processor that the Data Controller wishes that the Data Processor returns or in a secure way deletes the Personal Data, the Data Processor shall, provided that the Data Processor is not required to store Personal Data under Applicable Laws, without undue delay ensure that the Personal Data is deleted in a secure way.
11. TRANSFER AND PROCESSING OF PERSONAL DATA IN A THIRD COUNTRY
11.1 The Data Processor may transfer Personal Data belonging to the Data Controller to a Third Country, provided that:
11.1.1 the Third Country provides an adequate level of protection for Personal Data in accordance with an adequacy decision issued by the EU Commission that covers the Processing of Personal Data;
11.1.2 the Data Processor ensures that there are appropriate safeguards in place in accordance with Applicable Data Protection Laws, e.g. standard data protection clauses adopted by the EU Commission under Applicable Data Protection Laws, covering the transfer and Processing of Personal Data; or
11.1.3 another exception exists under Applicable Data Protection Laws that covers the Processing of Personal Data.
11.2 For the avoidance of doubt, Personal Data may not be transferred to or Processed in Third Countries unless any of the conditions above in Section 11.1 applies.
12. TERM AND TERMINATION
This Data Processing Agreement will enter into force on the Agreement Date and is valid during the term of the Customer Agreement or the longer period of time that the Data Processor or any Sub-Processor engaged by the Data Processor Processes Personal Data on behalf of the Data Controller.
Neither the rights nor the obligations of either Party under this Data Processing Agreement may be assigned in whole or in part without the prior written consent of the other Party.
Additions and amendments to this Data Processing Agreement shall be in writing and duly signed by both Parties to be valid. Each Party may request amendments to this Data Processing Agreement that are justified by changes in Applicable Data Protection Laws.
15. APPLICABLE LAW
This Data Processing Agreement shall be governed by Swedish law, without the application of the choice of law rules, to the extent Applicable Data Protection Laws do not stipulate another law.
Disputes arising out of this Data Processing Agreement shall be settled in Sweden to the extent Applicable Data Protection Laws do not stipulate another law.
* * * * * *
This Data Processing Agreement has been made in two (2) identical copies, of which each Party has received one.
IN WITNESS WHEREOF, the Parties have executed this Agreement on the date first written above:
On behalf of the data controller
On behalf of the data processor
Name: Fredrik Hammargården
Title: Data Protection Officer
Categories of Data Subjects
Visitors in environments.
Categories of Personal Data
Personal data from people counters.
Purpose(s) of the Processing
To gather personal data for anonymization and then analyze anonymized and aggregated data at group level in order to understand customers’ behaviors and optimize the store space.
Personal data is processed, anonymized, to be able to calculate statistics.
Location, and, where applicable, safeguard for third country transfer
Personal data is processed in Europe.
Retention of Personal Data
The personal data is deleted instantly after processing the personal data.
Contact details of the contact person at the Data Processor:
Fredrik Hammargården, firstname.lastname@example.org
Categories of Data Subjects
Customers’ personal data.
Categories of Personal Data
Personal data from people counters.
Legal Ground and Purpose(s) of the Processing
Personal data may, dependent on the chosen Services, need to be sent to the cloud provider for anonymization.
Location, and, where applicable, safeguard for third country transfer
The personal data will be processed in Europe.
Retention of Personal Data
The personal data is deleted instantly after processing the personal data. The sub-processor will retain the Personal Data according to instructions in order for the sub-processor to fulfill its obligations according to Applicable Laws. The sub-processor will never use, sell, access, share, or send the personal data to a third party.
Technical and organisational measures
The following measures shall be implemented to address the anonymization of the personal data:
- use Indivd People Counter to anonymize personal data,
- personal data is never stored and,
- personal data is deleted instantly after processing.
The following measures shall be implemented to address the encryption of the personal data:
- use secure code signing, symmetric encryption and asymmetric encryption, and
- provide security guidelines to the data processor to ensure they manage encryption of local network, people counter hardware, and transfer of personal data.
Confidentiality Of The Processing Systems And Of The Services
The following measures shall be implemented to address the confidentiality of the processing systems and of the Services:
- provide security guidelines to the data processor to ensure they manage confidentiality of local network, people counter hardware, and transfer of personal data,
- use access control mechanisms to prevent persons from gaining access to data processing systems with which personal data are processed or used without authorization,
- administer and monitor credentials with privileged access management (PAM),
- Data Breach Response Policy,
- ensure that data collected for different purposes can be processed separately.
Integrity Of The Processing Systems And Of The Services
The following measures shall be implemented to address the integrity of the processing systems and of the Services:
- provide security guidelines to the data processor to ensure they manage the integrity of the local network, people counter hardware, and transfer of personal data,
- protection by technical and organizational means regarding authorizations, protocols/logs including analyzing protocols, audits, automatic exclusion protocols, etc,
- Data Classification Policy,
- ensure that measures and activities are logged in a secure manner.
Availability Of The Processing Systems And Of The Services
The following measures shall be implemented to address the availability of the processing systems and of the Services:
- ensure that personal data are protected from accidental destruction or loss.
Resiliency Of The Processing Systems And Of The Services
The following measures shall be implemented to address the resiliency of the processing systems and of the Services:
- ensure that systems and services are designed in a way that they can handle punctual or constant high load of processing operations.
Ability to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident
The following measures shall be implemented to address the ability to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident:
- backup concept,
- cloud services.
Process For Regularly Testing, Assessing And Evaluating The Effectiveness Of Technical And Organizational Measures
The following measures shall be implemented to address the regular testing, assessing and evaluating of the effectiveness of technical and organizational measures:
- Information Security Policy,
- Anonymization Policy,
- ensure that development follows secure software development practices,
- use ISO/IEC 27001-27002 and ISO/IEC 27005 as frameworks for development,
- review by the data protection officer,
- external reviews, audits, certifications.