Online Partner

Appendix 1

Personal data assistant agreement

2019-03-28

This Personal Data Assistant Agreement (hereinafter referred to as “the Agreement”) is entered into between Online Partner AB (hereinafter referred to as “Online Partner” or the “Personal Data Assistant”, i.e. the processor within the meaning of the Data Protection Regulation) and the Customer (hereinafter referred to as “the Customer” or the “Personal Data Controller”, i.e. the controller within the meaning of the Data Protection Regulation), hereinafter collectively referred to as “the Parties”.

  1. Background

1.1 The Parties have previously, or in connection with this Agreement, entered into one or more agreements regarding services that Online Partner performs from time to time (hereinafter referred to as the “Service Agreement”), to which Online Partner’s General Terms and Conditions for services and software apply.

1.2 Within the commitments that follow from the Service Agreement, Online Partner may process personal data and other information on behalf of the Customer.

1.3 For this reason, the Parties enter into this Agreement to regulate the conditions for Online Partner’s processing of personal data in the performance of the services regulated in the Service Agreement (hereinafter referred to as the “Services”). This Agreement applies to all agreements signed between the Parties under which Online Partner acts as Personal Data Assistant to the Customer, and it applies for as long as Online Partner processes personal data on behalf of the Customer.

  2. Definitions

2.1 The definitions set out in Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “Data Protection Regulation”) shall apply to this Agreement.

2.2 In other respects, the terms listed below shall have the following meanings:

“Data protection legislation” refers to the Data Protection Regulation together with associated European and national implementing regulations, as well as instructions and binding decisions from the EU data protection authorities.

“Sub-Assistant” refers to a personal data assistant (subcontractor) engaged by the Personal Data Assistant that processes personal data on behalf of the Personal Data Controller.

  3. Scope of the Agreement

3.1 The Personal Data Assistant provides the Services agreed with the Personal Data Controller from time to time. The Personal Data Assistant’s principal place of business is in Sweden.

3.2 The Services include the storage and transfer of user data and content provided by the users of the Services. This information may directly or indirectly identify a natural person.

3.3 The Personal Data Assistant shall only process personal data provided by the Personal Data Controller, and only in order to perform the commitments that follow from the Service Agreement.

3.4 Personal data processed by the Personal Data Assistant on behalf of the Personal Data Controller shall be deleted permanently and automatically when the Service Agreement expires, unless continued storage of the personal data is required by Union or national law.

3.5 The Parties agree that the processing, the categories of personal data concerned, the data subjects and the purpose of the processing may at any time, by agreement, be clarified in terms of specification and/or extended in terms of scope. Such changes shall be documented in writing as soon as possible after they become known and are valid only in writing. The terms of this Agreement shall apply to such amendments unless the Parties agree otherwise.

  4. Responsibilities and obligations of the Personal Data Assistant

4.1 The Personal Data Controller shall have full authority over the personal data.

4.2 The Personal Data Assistant undertakes to:

  (a) only process personal data in accordance with the Personal Data Controller’s documented instructions (“Instructions”), including with regard to transfers of personal data to a third country or an international organization, for the purposes set out in the Service Agreement and in accordance with this Agreement and applicable law;
  (b) implement the security measures specified in this Agreement;
  (c) not claim any rights to the personal data;
  (d) not use the personal data for any purpose other than the performance of the obligations arising from this Agreement or the Service Agreement, or for troubleshooting in the Personal Data Assistant’s systems; and
  (e) not process personal data for its own purposes without the prior written consent of the Personal Data Controller.

4.3 If the Personal Data Assistant considers that an Instruction from the Personal Data Controller conflicts with the Data Protection Regulation or other data protection legislation, the Personal Data Assistant may suspend execution of the Instruction until its legality has been confirmed by a competent person appointed by the Personal Data Controller, or until the Instruction has been revised.

4.4 The Personal Data Assistant shall assist the Personal Data Controller through appropriate technical and organizational measures, taking into account the nature of the processing and the information available to the Personal Data Assistant, so that the Personal Data Controller can fulfil its obligation to respond to requests from data subjects exercising their rights under the Data Protection Regulation.

4.5 The Personal Data Assistant shall assist the Personal Data Controller in ensuring that the obligations under Articles 32 to 36 of the Data Protection Regulation are fulfilled, taking into account the nature of the processing and the information available to the Personal Data Assistant.

  5. Reporting obligations of the Personal Data Assistant

5.1 The Personal Data Assistant shall immediately notify the Personal Data Controller if it becomes aware that unauthorized access to personal data and/or unintentional or intentional disclosure of personal data to a third party has taken place.

5.2 The Personal Data Assistant shall immediately notify the Personal Data Controller of any material breach of applicable data protection legislation related to this Agreement of which it becomes aware.

5.3 If the Personal Data Assistant considers that an Instruction from the Personal Data Controller conflicts with data protection legislation, it shall immediately report this to the Personal Data Controller.

  6. Responsibilities of the Personal Data Controller

6.1 The Personal Data Controller shall provide the Personal Data Assistant with instructions for the processing of personal data. The instructions must be in writing (either physical or electronic).

6.2 The Instructions shall state the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects.

6.3 The Personal Data Controller has sole responsibility for informing data subjects about the processing of personal data carried out by the Personal Data Assistant and for ensuring that data subjects are aware of their rights under applicable law.

6.4 The Personal Data Controller is obliged to perform its obligations in accordance with applicable data protection legislation. Nothing in this Agreement shall be construed as transferring to the Personal Data Assistant any responsibility of the Personal Data Controller that follows from applicable data protection legislation.

  7. Transfer to third countries

7.1 In order to provide the agreed Services, the Personal Data Assistant’s servers are located in Finland and in five further countries, both within the EU and in third countries.

7.2 The Personal Data Controller is aware of and accepts that servers located in third countries are covered by co-location agreements with partners. These partners have no right to access the personal data on the servers and only limited rights of physical access to the servers. Personal data transferred between the Personal Data Assistant’s servers is encrypted in transit. The servers are managed, on site or remotely, by the Personal Data Assistant’s Sub-Assistant.

7.3 The Personal Data Controller undertakes to ensure that data subjects have been, or will be, informed that their personal data may be transferred to a country outside the EU/EEA before the Personal Data Assistant begins processing the personal data.

7.4 If a transfer of personal data to a third country or an international organization is required under Union or national law, the Personal Data Assistant may carry out such processing. In that case, the Personal Data Assistant shall inform the Personal Data Controller of the legal requirement before the data is processed, unless such information is prohibited on important grounds of public interest in accordance with data protection legislation.

  8. Audit

8.1 The Personal Data Assistant shall provide the Personal Data Controller with access to all information required to demonstrate that the obligations under Article 28 of the Data Protection Regulation have been fulfilled and, at the request of the Personal Data Controller, allow audits, including inspections, to verify that the Personal Data Assistant fulfils its obligations under this Agreement. The Personal Data Assistant shall participate in and assist the Personal Data Controller and the person performing the audit to the extent reasonably required for the audit to be carried out. The Personal Data Controller is aware that, for security reasons, there are restrictions and rules governing who may be granted access to the premises where the servers are located.

8.2 The Parties shall jointly agree on which organization is to carry out the audit.

8.3 The Personal Data Controller shall bear all costs, fees and expenses of the organization that carries out the audit.

  9. Sub-Assistants

9.1 The Personal Data Controller acknowledges and agrees that (a) companies in the same group as the Personal Data Assistant may be engaged as Sub-Assistants, and (b) the Personal Data Assistant and companies in the same group as the Personal Data Assistant may in turn enter into agreements with Sub-Assistants in order to deliver the Services. The Personal Data Assistant has entered into, or shall enter into, a written agreement with each individual Sub-Assistant. The Sub-Assistant shall be bound by the same data protection obligations as those set out in this Agreement. In such a personal data assistant agreement, the Sub-Assistant shall provide sufficient guarantees that it will implement appropriate technical and organizational measures so that the processing meets the requirements of the Data Protection Regulation.

9.2 The Personal Data Assistant shall at all times be able to provide the Personal Data Controller with a complete, correct and up-to-date list of all Sub-Assistants. The list shall include each Sub-Assistant’s contact details and the country in which it is located. If the Personal Data Assistant intends to engage a new Sub-Assistant, the Personal Data Controller shall be notified in writing before the new Sub-Assistant is authorized to process personal data in the performance of the Services.

9.3 The Personal Data Controller may object to the use of a new Sub-Assistant by notifying the Personal Data Assistant in writing within ten (10) working days of receipt of the Personal Data Assistant’s notification. If the Personal Data Controller objects to a new Sub-Assistant, the Personal Data Assistant shall use reasonable efforts to make available to the Personal Data Controller a change in the Services, or recommend a commercially reasonable change in the Personal Data Controller’s use of the Services, so that the new Sub-Assistant does not process personal data, without undue burden on the Personal Data Controller. If the Personal Data Assistant is unable to implement such a change within a reasonable time, not exceeding thirty (30) days, the Personal Data Controller may terminate the Service Agreement by written notice with respect to those Services that cannot be provided without the new Sub-Assistant.

9.4 In order to object to a new Sub-Assistant as described above, the Personal Data Controller must have a justified reason. A justified reason means circumstances on the part of the new Sub-Assistant that significantly affect, or are likely to affect, the protection of the data subjects’ privacy, such as the new Sub-Assistant not meeting the requirements of the Data Protection Regulation.

9.5 If a Sub-Assistant fails to fulfil the obligations regarding the processing of personal data set out in this Agreement, the Personal Data Assistant shall remain fully liable to the Personal Data Controller for the Sub-Assistant’s failure to fulfil those obligations.

  10. Security and confidentiality

10.1 The Personal Data Assistant has provided sufficient guarantees to implement appropriate technical and organizational measures in such a way that the processing of personal data meets the requirements of data protection legislation and ensures that the data subject’s rights are protected.

10.2 The Personal Data Assistant has implemented and will maintain measures to maintain the security of the Services as described in Appendix A.

10.3 The Parties agree that the security measures set out in Appendix A to this Agreement constitute appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular protection of the personal data transferred, stored or otherwise processed against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure of, or unauthorized access to, such data. This assessment takes into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons.

10.4 The Personal Data Assistant undertakes not to disclose or otherwise make available to third parties any information about personal data covered by this Agreement. This confidentiality obligation continues to apply after this Agreement has otherwise expired.

10.5 If the Personal Data Assistant is obliged to disclose personal data to a third party or an authority in order to fulfil a legal requirement or to comply with an order or decision of a competent authority, the Personal Data Assistant shall, unless prohibited by law, notify the Personal Data Controller in writing of the legal requirement and the nature of the disclosure without undue delay after becoming aware of the obligation. Unless prohibited by law, the Personal Data Assistant shall await further Instructions from the Personal Data Controller regarding the disclosure.

10.6 The Personal Data Assistant shall ensure that all persons authorized to process the personal data have entered into a specific confidentiality agreement or have been informed that they are subject to a specific duty of confidentiality under an agreement or applicable law.

10.7 The Personal Data Assistant shall take all security measures required by Article 32 of the Data Protection Regulation.

11. Other

11.1 The provisions of the Online Partner’s general terms and conditions regarding contract period and termination, liability, applicable law and competent court, apply to this Agreement.

11.2 Additions and amendments to this Agreement must be in writing to be effective. Subject to any such amendments, this Agreement remains in force. In the event of a conflict between this Agreement and the Service Agreement, this Agreement takes precedence.

Appendix A: Technical and organizational measures

Online Partner will implement at least the following measures, or equivalent measures, during the term of the Agreement:

Control of access to the premises

The Personal Data Assistant will implement appropriate measures to prevent unauthorized persons from gaining access to equipment that processes personal data, by introducing or maintaining the following:

  • Access control and authorizations for employees and third parties
  • Protection of, and restrictions on, entrances and exits (restricted keys and/or access cards)
  • Protection of the relevant premises (alarms and/or security guards)

Control of access to personal data and user control

The Personal Data Assistant shall ensure that all employees and/or other persons with access to personal data have such access only to the extent necessary to provide the Services under the Service Agreement, by means of:

  • Strong authentication for all staff, with two-factor authentication (2FA) for login
  • User authorization requirements and strict access control
  • Confidentiality obligations
  • Individually assigned access privileges
  • Controlled destruction and movement of information on data storage media
  • Logging of events and activities, including follow-up of attempts by unauthorized persons to enter premises or gain access to data
  • Procedures for issuing and safeguarding identification codes (credentials)
  • Automatic logout of user accounts that have been inactive for a significant period
  • Assurance that customers have access only to their own information

Data transfer

The Personal Data Assistant will protect personal data that is transferred and/or processed in accordance with the Service Agreement and the Instructions, by means of:

  • Guidelines governing the creation of backup copies
  • Documentation of the programs used for data transfer and retrieval
  • Instructions for certificate handling
  • Encryption of external transfers over the internet
  • Deletion of information before data storage media are replaced
  • Encryption of traffic between the user and the service using TLS (commonly referred to as SSL) with a server certificate
  • No transfer of personal data to third parties without the written consent of the Personal Data Controller, unless required by law

Organizational control

The Personal Data Assistant will maintain its internal organization in a manner that meets the requirements of data protection legislation, by means of:

  • Binding internal guidelines and/or instructions for employees and/or consultants regarding security and the processing of personal data
  • An internal contingency plan for the protection and restoration of personal data
  • Restriction of access to personal data to the level necessary
  • No copying of customer information to external devices (USB memory sticks, CDs, etc.) without the necessary security measures, such as encryption or password protection