Personal data processor agreement
Between you ("Personal Data Controller" and customer of PAAM) and PAAM Systems AB, org. nr 556842-0672, Idrottsvägen 33, 702 32 Örebro ("Personal Data Processor").
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), hereinafter called the Regulation, requires a written Personal Data Processor Agreement when one party is to process Personal Data on behalf of another party. This Personal Data Processor Agreement is an addendum to the existing Agreement between the parties, or to an Order placed according to the conditions stipulated in the Quote, Service Level Agreement and/or Hosting Service.
1. Definitions
1.1. "Personal Data" refers to any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier. Examples of identifiers are a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
1.2. "Registered" means the natural person to whom the Personal Data relates (the data subject).
1.3. "Process" or "Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4. "Regulation" refers to the GDPR (General Data Protection Regulation).
1.5. "Processor" refers to the Personal Data Processor (the provider of the service).
1.6. "Controller" refers to the Personal Data Controller (the customer).
1.7. "Instruction" refers to the documented instructions on data processing provided by the Controller to the Processor.
1.8. Otherwise, terms in this agreement shall be interpreted in accordance with the Regulation.
2. Processing of personal data
2.1. The Processor will, in delivering the Main Services to the Controller, process certain categories and types of Personal Data on behalf of the Controller. These are general Personal Data such as names and contact information (e-mail address, phone number and postal address) regarding the Controller's personnel and its customers.
2.2. The Processor shall only Process Personal Data on assignment under an agreement with the Controller, and only to the extent the Main Services require it. The Processing is primarily carried out by the Controller, except where the Controller uses the Hosting Service, in which case the Processing also includes the Processor's storage of Personal Data.
2.3. The Processor shall maintain a record of processing activities in accordance with the Regulation, article 30.
3. Instructions
3.1. The Processor may only Process Personal Data in accordance with the documented Instruction from the Controller, unless the Processor is required by law to act without such instruction. The Instruction at the time of entering into this Personal Data Processor Agreement is that the Processor may only Process the Personal Data for the purpose of delivering the Main Services as described in the Main Service Level Agreement. Subject to these terms, the Controller may issue additional written instructions consistent with this Agreement. The Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.
4. The Personal Data Processor’s obligations
4.1. The Processor undertakes to comply with the Regulation and to keep itself informed of the Regulation and related legislation relevant to the agreed Processing.
4.2. The Processor may only Process Personal Data in accordance with this Agreement or with the Instructions provided by the Controller. If the Processor lacks instructions that it assesses are necessary to carry out the assigned task, or if the instructions violate the Regulation, the Processor shall promptly inform the Controller and await further instructions. New instructions shall be documented.
4.3. The Processor shall only Process Personal Data on equipment physically located within the EEA, including any cloud services used. The Processor reserves the right to move the data when deemed necessary for security reasons or to ensure the service level, but only after consulting the Controller.
4.4. Where a Registered, an authority or any other third party requests information from the Processor, the Processor shall refer the request to the Controller and shall not disclose such information. The Processor shall promptly inform the Controller of any contact that may be of importance for the Processing of Personal Data. The Processor is not entitled to represent the Controller or act on the Controller's behalf towards any third party without an explicit instruction.
4.5. Where the Processor's assistance is necessary and relevant, the Processor shall assist the Controller in preparing data protection impact assessments in accordance with the Regulation, article 35, along with any prior consultation in accordance with the Regulation, article 36.
4.6. If the Controller receives a request from a Registered for the exercise of the Registered's rights under the Applicable Law, and a correct and legitimate reply to such a request necessitates the Processor's assistance, the Processor shall assist the Controller by providing the necessary information and documentation. The Processor shall be given reasonable time to assist the Controller with such requests in accordance with the Applicable Law.
4.7. Upon detection of a personal data breach, the Processor shall inform the Controller without undue delay and shall otherwise assist the Controller so that the Controller can fulfil its obligations regarding personal data breaches.
4.8. To the extent relevant to the nature, scope, context and purpose of the Processing, the Processor shall carry out an impact assessment to determine whether the processing is likely to result in a high risk to the rights of the Registered. The impact assessment shall be based on article 35 of the Regulation. The Processor shall consult the supervisory authority if the assessment shows that the processing would lead to a high risk for the Registered.
4.9. Following expiration or termination of the Agreement, the Processor will delete or return to the Controller all Personal Data in its possession, except to the extent the Processor is required by Applicable Law to retain some or all of the Personal Data (in which case the Processor will archive the data and implement reasonable measures to prevent any further Processing of it). The terms of this Agreement will continue to apply to such Personal Data.
5. Sub-Processors
5.1. The Processor is given general authorisation to engage third parties to Process the Personal Data ("Sub-Processors") without obtaining any further written, specific authorisation from the Controller, provided that the Processor notifies the Controller in writing of the intended Sub-Processor before any agreement is concluded with, or any Processing of Personal Data is performed by, the Sub-Processor. If the Controller objects to the Sub-Processor, the Controller shall give written notice thereof within fifteen (15) days of receiving the notification from the Processor.
5.2. In the event the Controller objects to a new Sub-Processor and the Processor cannot accommodate the Controller’s objection, the Controller may terminate the Services by providing written notice to the Processor.
5.3. The Processor shall conclude a written agreement with any Sub-Processor. Such agreement shall impose, at a minimum, the same data protection obligations as those applicable to the Processor, including the obligations under this Personal Data Processor Agreement.
5.4. At the time of entering into this Personal Data Processor Agreement, the Processor uses the Sub-Processor Digital Ocean (only for the Hosting Service). If the Processor engages a new Sub-Processor, that Sub-Processor shall be added here.
6. Security measures
6.1. The Processor shall take appropriate technical and organisational measures to protect Personal Data against unauthorised access, destruction and alteration in accordance with the requirements of the Regulation, with regard to article 32. This is done by measures such as: (i) restricting access to systems and servers through both physical and digital perimeter controls; (ii) encrypting traffic, storage, devices and servers wherever possible; (iii) using multi-factor authentication for all systems, servers and devices wherever possible.
7. Confidentiality
7.1. The Processor undertakes not to disclose to any third party any information regarding the Processing of Personal Data covered by this Agreement or any other instructions received from the Controller. The confidentiality obligation continues to apply after this Agreement has expired.
7.2. The Processor shall treat all Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise Processed in conflict with the Instruction unless the Controller has agreed in writing.
7.3. The Processor undertakes to ensure that individuals authorised to Process Personal Data are bound by the same level of confidentiality as applies to the Personal Data Processed under this Agreement or under applicable law.
8. The Personal Data Controller commitments
8.1. The Controller shall ensure that the Processing is carried out in accordance with the Regulation. The Controller is responsible, inter alia, for informing the Registered of the Processing and, where necessary, for obtaining consent.
8.2. The Controller shall inform the Processor without delay of any changes in the Processing of Personal Data that may affect the Processor.
9. Remuneration and costs
9.1. The Controller shall remunerate the Processor for any time and material used to adapt and change the processing activities in order to comply with changes to the Controller's Instruction, including implementation costs and any additional costs required to deliver the Main Services as a result of the change in the Instruction.
9.2. The Processor is exempted from liability for non-performance of the Main Agreement if performance of the obligations under the Main Agreement would conflict with a changed Instruction, or if contractual delivery in accordance with the changed Instruction is impossible. This may for instance be the case: (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Controller explicitly requires that the changes to the Instruction apply before they can be implemented; and (iii) during the period until the Main Agreement has been amended to reflect the new Instruction and the commercial terms thereof.
10. Liability towards third parties
10.1. If a Registered or other third party directs a claim against the Controller due to the Processing of Personal Data by the Processor, the Processor shall hold the Controller harmless from the claim, provided that the claim is due to the Processor's violation of this Agreement or the Processor's failure to follow notified Instructions.
11. Agreement rewording
11.1. If required by changes in applicable law or regulatory requirements, this Agreement shall be revised without undue delay so that it complies with the legislation that caused the rewording.
12. Agreement period
12.1. This Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller. This is governed by the Agreement describing the type of service to which the Processing refers.