Personal Data Processor Agreement
1.1 The Provider wishes to utilize the MetaProvide service Adminly in accordance with the Terms and Conditions and other agreements between MetaProvide and the Provider (the “Main Agreement”).
1.2 Pursuant to the undertakings which follow from the Main Agreement, MetaProvide may process personal data as well as other information on behalf of the Provider.
1.3 As a consequence thereof, the Parties are entering into this Agreement to govern the conditions for MetaProvide’s Processing of, and access to, Personal Data belonging to the Provider. The Agreement shall apply to all agreements executed between the Parties in which MetaProvide is the Processor on behalf of the Provider, and the Agreement shall remain in force for as long as MetaProvide Processes Personal Data on the Provider’s behalf.
2. DEFINITIONS
Unless the circumstances clearly indicate otherwise, definitions or terms used in this document shall have the meanings set forth below, and any term which is used in the General Data Protection Regulation and which is not stated below shall have the meaning given in Article 4 of the General Data Protection Regulation.
“Other Regulation”
means national laws which, from time to time, apply to Processing of Personal Data (excluding the General Data Protection Regulation);
“Processing”
means an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
“General Data Protection Regulation”
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation);
“Instruction”
means the instructions which the Provider gives to MetaProvide within the scope of this Agreement;
“Personal Data”
means any information relating to an identified or identifiable natural person, whereupon an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
“Controller”
means a natural or legal person, public authority, institution, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union law or Member State law;
“Processor”
means a natural or legal person, public authority, institution, or other body which processes Personal Data on behalf of the Controller;
“Personal Data Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed; and
“Data Subject”
means the living natural person whose Personal Data is Processed.
3.1 The Agreement comprises this document and the appended Instruction.
3.2 In the event of any contradictions between this document and the Instruction, this document shall take precedence, unless otherwise specifically stipulated or clearly indicated by the circumstances.
4. GENERALLY REGARDING THE PROCESSING OF PERSONAL DATA
4.1 The Provider is the Controller of the Personal Data which is Processed within the scope of the Main Agreement.
4.2 MetaProvide is regarded as the Processor on behalf of the Provider.
4.3 MetaProvide has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing of Personal Data meets the requirements of the General Data Protection Regulation and any Other Regulation, and ensures protection of the rights of the Data Subject.
4.4 MetaProvide may only process the Personal Data which is covered under this Agreement on the documented Instruction from the Provider. The Provider shall be entitled to update the Instruction from time to time.
4.5 If MetaProvide believes that the Instruction or other instruction or notification from the Provider would conflict with the General Data Protection Regulation or any Other Regulation, MetaProvide shall be entitled to notify the Provider and defer the Processing in question.
4.6 Taking into consideration the nature of the Processing, MetaProvide shall assist the Provider by taking suitable technical and organisational measures, to the extent possible, to enable the Provider to perform its obligation to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the General Data Protection Regulation.
5. PURPOSE AND TYPE OF PERSONAL DATA, ETC.
The Instruction shall, inter alia, state the subject of the Processing, the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects.
6. METAPROVIDE’S PERSONNEL, ETC.
6.1 MetaProvide, its employees and consultants, and other persons who perform work under MetaProvide’s supervision and who gain access to Personal Data belonging to the Provider may only process such Personal Data on the Provider’s instruction, unless such person is obligated to do so pursuant to Union law or Swedish national law.
6.2 MetaProvide shall ensure that its employees, consultants and all other persons for whom MetaProvide is liable and who are authorised to process Personal Data covered by this Agreement have undertaken to maintain confidentiality (unless such person is subject to an appropriate statutory confidentiality obligation).
7.1 MetaProvide shall take all safeguards required under Article 32 of the General Data Protection Regulation.
7.2 Taking into consideration the type of Processing and the information which MetaProvide has, MetaProvide shall assist the Provider in ensuring that the obligations regarding security can be satisfied in a manner which follows from Article 32 of the General Data Protection Regulation.
7.3 In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data which is transferred, stored, or otherwise processed.
8. PERSONAL DATA BREACH
Taking into consideration the type of Processing and the information available to MetaProvide, MetaProvide shall assist the Provider in ensuring that the obligations arising due to any Personal Data Breach can be fulfilled in a manner as required in Articles 33-34 of the General Data Protection Regulation.
9. IMPACT ASSESSMENT AND PRIOR CONSULTATION
Taking into consideration the nature of the Processing and the information which is available to MetaProvide, MetaProvide shall reasonably assist the Provider in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the General Data Protection Regulation.
10.1 MetaProvide is entitled to retain subprocessors to perform the work under the Agreement.
10.2 MetaProvide shall inform the Provider of any plans to retain a new subprocessor or to replace an existing subprocessor, in order to allow the Provider to make objections to any such change (however, any objection must be based on an objectively acceptable reason).
10.3 MetaProvide shall ensure that any subprocessor enters into a written personal data processor agreement before the subprocessor begins work related to the Provider. In such agreements, MetaProvide shall ensure that the subprocessor shall provide sufficient warranties in respect of taking suitable technical and organisational measures so that the Processing meets the requirements of the General Data Protection Regulation.
11. TRANSFER TO A THIRD COUNTRY
MetaProvide may move, store, transfer, or otherwise process Personal Data belonging to the Provider outside of the EU/EEA, provided such transfer meets the requirements and undertakings which follow from the General Data Protection Regulation.
12. RIGHT TO TRANSPARENCY
12.1 MetaProvide shall grant the Provider access to all information which is required and necessary to enable the Provider to verify compliance with the obligations which follow from Article 28 of the General Data Protection Regulation and to enable and assist in audits, including inspections, which are conducted by the Provider or by an examiner authorised by the Provider. MetaProvide shall, at all times, be entitled to reasonable notice in the event the Provider wishes to exercise its right to conduct an audit or inspection and the Provider shall compensate MetaProvide for its costs incurred in connection with any such audit or inspection.
MetaProvide shall receive compensation for verified additional costs for measures which it takes in respect of Processing of Personal Data in accordance with the Agreement or as a consequence of the Agreement otherwise.
14. LIABILITY
14.1 In the event the Parties have reached an agreement regarding limitation of liability in another agreement (including the Main Agreement), such limitation of liability shall also apply to this Agreement. In the event the Parties have not reached an agreement regarding such a limitation of liability, MetaProvide’s liability under this Agreement or as a result of the Processing which is covered under the Agreement shall be limited to one hundred thousand kronor (SEK 100,000).
14.2 The Parties are aware that the limitation of liability shall not apply: (i) in the event the supervisory authority or a court orders either of the Parties to pay an administrative fine; (ii) where a Party has a right of subrogation against the other Party because such Party was ordered to pay an administrative fine which legitimately (or through joint and several liability) should have been imposed on the other Party; or (iii) in conjunction with a claim for damages brought by a Data Subject.
15. TERMINATION OF THE AGREEMENT
15.1 When MetaProvide discontinues Processing Personal Data on behalf of the Provider, MetaProvide shall return all Personal Data to the Provider in the manner instructed by the Provider or, upon the Provider’s written notice, destroy and erase all Personal Data which is associated with the Agreement.
15.2 Following termination of the Agreement, MetaProvide shall not be entitled to save any Personal Data belonging to the Provider and, as soon as MetaProvide has complied with the provisions of subsection 15.1 above, MetaProvide’s right to process or otherwise use Personal Data belonging to the Provider shall cease (provided storage of Personal Data is not required pursuant to national law or Union law, or MetaProvide has legal grounds to process relevant Personal Data).
16. ASSIGNMENT OF THE AGREEMENT
Neither Party shall be entitled to assign its rights and/or obligations under the Agreement, in whole or in part, without the prior written consent of the other Party.
17. GOVERNING LAW AND JURISDICTION
17.1 This Agreement shall be governed by the substantive law of Sweden.
17.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators.
17.3 The seat of arbitration shall be Malmö, Sweden.
17.4 The language to be used in the arbitral proceedings shall be English.
17.5 The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not be disclosed to a third party without the prior consent of the other Party. Exceptions to the foregoing shall only apply to the extent that disclosure may be required of a Party due to mandatory law, an order of a competent court or public authority, or to protect, fulfil or pursue a legitimate legal right or obligation or to enforce or challenge an award.
The following document is the Instruction.
Definitions used in this Instruction shall have the same meaning as in the Agreement, unless the circumstances clearly indicate otherwise.
1. CONTACT INFORMATION OF THE PROCESSOR
Processor: MetaProvide Holding Ekonomisk Förening, reg. no. 769639-8416
Address: Hänninge 504, 243 91 Höör, Sweden
E-mail address: firstname.lastname@example.org
2. PROCESSING OF PERSONAL DATA
2.1 Categories of Personal Data
MetaProvide shall Process the following categories of Personal Data:
– Information regarding the customers of the Provider, such as name, interests, contact information, photos, payment information.
2.2 Special categories of Personal Data
MetaProvide shall process the following special categories of Personal Data:
– Health data of customers of the Provider.
2.3 Categories of Processing
The following categories of Processing shall take place:
– Transmission of electronic communication.
2.4 Categories of Data Subjects
The following categories of Data Subjects are included:
– Customers of Provider.
2.5 Purpose of each Processing activity
The purpose of each Processing activity is as follows:
– To facilitate the service from MetaProvide to the Provider.
3. SECURITY MEASURES
3.1 Technical and organisational security measures
MetaProvide shall take the following technical and organisational security measures:
– All traffic between servers, and between servers and clients, is encrypted. All web-based traffic is carried over HTTPS using modern versions of TLS only.
– Backups are taken on a regular basis and encrypted using AES before being transmitted to a backup server.
– All systems are kept up-to-date in a timely manner.
– Administrative access to services and servers is heavily restricted and follows up-to-date security practices.
– All emails are, at a minimum, transmitted using opportunistic TLS.
3.2 Storage minimisation
Personal Data will be deleted as follows:
– The Personal Data will be retained for as long as the Main Agreement is valid and for a maximum period of two years thereafter.