Personal Data Processor Agreement

3. DOCUMENTS

   3.1 The Agreement comprises this document and the appended Instruction.

   3.2 In the event of any contradictions between this document and the Instruction, this document shall take precedence, unless otherwise specifically stipulated or clearly indicated by the circumstances.

4. GENERALLY REGARDING THE PROCESSING OF PERSONAL DATA

   4.1 The Provider is the Controller of the Personal Data which is Processed within the scope of the Main Agreement.

   4.2 MetaProvide is regarded as the Processor on behalf of the Provider.

   4.3 MetaProvide has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing of Personal Data meets the requirements of the General Data Protection Regulation and any Other Regulation, and ensures protection of the rights of the Data Subject.

   4.4 MetaProvide may only process the Personal Data which is covered under this Agreement on the documented Instructions from the Provider. The Provider shall be entitled to update the Instruction from time to time.

   4.5 If MetaProvide believes that the Instruction or other instruction or notification from the Provider would conflict with the General Data Protection Regulation or any Other Regulation, MetaProvide shall be entitled to notify the Provider and defer the Processing in question.

   4.6 Taking into consideration the nature of the Processing, MetaProvide shall assist the Provider by taking suitable technical and organisational measures, to the extent possible, to enable the Provider to perform its obligation to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the General Data Protection Regulation.

5. PURPOSE AND TYPE OF PERSONAL DATA, ETC.

The Instruction shall, inter alia, state the subject of the Processing, the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects.

6. THE METAPROVIDE’S PERSONNEL, ETC.

   6.1 MetaProvide, its employees and consultants, and other persons who perform work under MetaProvide’s supervision and who gain access to Personal Data belonging to the Provider may only process such Personal Data on the Provider’s instruction, unless such person is obligated to do so pursuant to Union law or Swedish national law.

6.2 MetaProvide shall ensure that its employees, consultants and all other persons for whom MetaProvide is liable and who are authorised to process Personal Data covered by this Agreement have undertaken to maintain confidentiality (unless such person is subject to an appropriate statutory confidentiality obligation).

7. SECURITY

   7.1 MetaProvide shall take all safeguards required under Article 32 of the General Data Protection Regulation.

   7.2 Taking into consideration the type of Processing and the information which MetaProvide has, MetaProvide shall assist the Provider in ensuring that the obligations regarding security can be satisfied in a manner which follows from Article 32 of the General Data Protection Regulation.

   7.3 In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data which is transferred, stored, or otherwise processed.

8. PERSONAL DATA BREACH

Taking into consideration the type of Processing and the information available to MetaProvide, MetaProvide shall assist the Provider in ensuring that the obligations arising due to any Personal Data Breach can be fulfilled in a manner as required in Articles 33-34 of the General Data Protection Regulation.

9. IMPACT ASSESSMENT AND PRIOR CONSULTATION

Taking into consideration the nature of the Processing and the information which is available to MetaProvide, MetaProvide shall reasonably assist the Provider in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the General Data Protection Regulation.

10. SUBPROCESSORS

   10.1 MetaProvide is entitled to retain subprocessors to perform the work under the Agreement.

   10.2 MetaProvide shall inform the Provider of any plans to retain a new subprocessor or to replace an existing subprocessor, in order to allow the Provider to make objections to any such change (however, any objection must be based on an objectively acceptable reason).

   10.3 MetaProvide shall ensure that any subprocessor enters into a written personal data processor agreement before the subprocessor begins work related to the Provider. In such agreements, MetaProvide shall ensure that the subprocessor shall provide sufficient warranties in respect of taking suitable technical and organisational measures so that the Processing meets the requirements of the General Data Protection Regulation.

11. TRANSFER TO A THIRD COUNTRY

MetaProvide may move, store, transfer, or otherwise process Personal Data belonging to the Provider outside of the EU/EEA, provided such transfer meets the requirements and undertakings which follow from the General Data Protection Regulation.

12. RIGHT TO TRANSPARENCY

   12.1 MetaProvide shall grant the Provider access to all information which is required and necessary to enable the Provider to verify compliance with the obligations which follow from Article 28 of the General Data Protection Regulation and to enable and assist in audits, including inspections, which are conducted by the Provider or by an examiner authorised by the Provider. MetaProvide shall, at all times, be entitled to reasonable notice in the event the Provider wishes to exercise its right to conduct an audit or inspection and the Provider shall compensate MetaProvide for its costs incurred in connection with any such audit or inspection.

13. COMPENSATION

MetaProvide shall receive compensation for verified additional costs for measures which it takes in respect of Processing of Personal Data in accordance with the Agreement or as a consequence of the Agreement otherwise.

14. LIABILITY

   14.1 In the event the Parties have reached an agreement regarding limitation of liability in another agreement (including the Main agreement), such limitation of liability shall also apply to this Agreement. In the event the Parties have not reached an agreement regarding such a limitation of liability, MetaProvide’s liability under this Agreement or as a result of the Processing which is covered under the Agreement shall be limited to one hundred thousand kronor (SEK 100,000).

   14.2 The Parties are aware that the limitation of liability shall not apply: (i) in the event the supervisory authority or a court orders any of the Parties to pay an administrative fine; (ii) a Party has a right of subrogation against the other Party because such Party was ordered to pay an administrative fine which legitimately (or through joint and several liability) should have been imposed on the other Party; or (iii) in conjunction with a claim for damages brought by a Data Subject.

15. TERMINATION OF THE AGREEMENT

   15.1 When MetaProvide discontinues Processing Personal Data on behalf of the Provider, MetaProvide shall return all Personal Data to the Provider in the manner instructed by the Provider or, upon the Provider’s written notice, destroy and erase all Personal Data which is associated with the Agreement.

   15.2 Following termination of the Agreement, MetaProvide shall not be entitled to save any Personal Data belonging to the Provider and, as soon as MetaProvide has complied with the provisions of subsection 15.1 above, MetaProvide’s right to process or otherwise use Personal Data belonging to the Provider shall cease (provided storage of Personal Data is not required pursuant to national law or Union law, or MetaProvide has legal grounds to process relevant Personal Data).

16. ASSIGNMENT OF THE AGREEMENT

Neither Party shall be entitled to assign its rights and/or obligations under the Agreement, in whole or in part, without the prior written consent of the other Party.

17. GOVERNING LAW AND JURISDICTION

   17.1 This Agreement shall be governed by the substantive law of Sweden.

   17.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators.

   17.3 The seat of arbitration shall be Malmö, Sweden.

   17.4 The language to be used in the arbitral proceedings shall be English.

   17.5 The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not be disclosed to a third party without the prior consent by the other Party. Exceptions to the foregoing shall only apply to the extent that disclosure may be required of a Party due to mandatory law, an order of a competent court or public authority, or to protect, fulfil or pursue a legitimate legal right or obligation or to enforce or challenge an award.LIABILITY