Note: This Data Processor Agreement constitutes an integral part of the Subscription Agreement.
This personal data processor agreement (“Processor Agreement”) sets forth the terms and conditions between a customer under the Agreement (“Controller”) and Barium AB (“Processor”), each individually referred to as “Party” and jointly as the “Parties”, regarding processing of Personal Data by the Processor on behalf of the Controller.
The Parties shall each appoint a contact person with responsibility for the parties’ cooperation with respect to data protection. Any change in contact person or contact details must be notified in writing to the other party.
Personal data | Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
Processing of personal data | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Controller | A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. |
Subprocessor | Also referred to as subcontractor. A natural or legal person, public authority, agency or other body, retained by Processor to perform the processing of personal data belonging to Controller. |
Data subject | A natural person whose personal data is the subject of processing in any form. |
Personal data breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, processed personal data. |
Supervisory authority | An independent public authority. In Sweden, it is the Swedish Data Protection Authority. |
Third party | A natural or legal person, public authority, agency or body other than the data subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data. |
Third country | A state not included in the European Union or which is not a member of the European Economic Area. |
EU legislation | Means (i) upon entry into force of this Agreement, Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and all amendments and supplements thereto; and (ii) when it becomes applicable, Regulation (EU) 2016/679 of the European Council and the Parliament of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter also referred to as “GDPR”). |
Applicable data protection legislation | Means such privacy and personal data legislation, and any and all other legislation (including ordinances and regulations) that are applicable to the processing of personal data that takes place pursuant to the Agreement (such as the Personal Data Act (1998:204) and EU legislation), which may be changed over time. Terms in this Processor Agreement that are used without capital letters, such as “controller”, “processor”, “personal data”, “processing”, “data subject”, etc. shall be deemed to have the meaning stated in EU legislation. |
Agreement | The Agreement covers services that Processor shall provide to Controller (Barium Live, Consulting Services, etc). The Agreement with any appendices, together with this Processor Agreement, governs Processor’s responsibilities and what Processor shall perform on behalf of Controller. This Processor Agreement constitutes an integral part of the Agreement. |
New Subprocessors for existing processing
Controller hereby issues a general written approval for Processor to retain another Subprocessor for
such processing as performed by current Subprocessors upon entry into the Agreement. Processor shall
notify Controller of its intentions to replace a Subprocessor. Upon entry into this Agreement, Processor
has executed agreements for the processing of personal data with Subprocessors listed in Appendix B.
Subprocessors for new processing
Processor may not, without Controller’s written consent, retain a Subprocessor for other processing of
personal data on behalf of Controller that is not covered by the first paragraph. Such consent shall not
be withheld in the absence of objective circumstances as regards the requirements included in this
Agreement. In the event Controller does not grant consent to the retention of Subprocessors, Processor
shall be entitled, however not obliged, to terminate the Agreement, with the sole consequence being
that prepaid subscription fees for the remainder of the contract term shall be refunded.
In those cases where Processor retains a Subprocessor to perform specific processing on behalf of
Controller, such Subprocessor shall, through agreement or other legal act, assume the same obligations
with respect to data protection as established in the Processor Agreement between Controller and
Processor.
Processor undertakes (in circumstances in which Controller itself has no possibility to carry out the
processing), through a written request from Controller, to provide personal data in (at the time of the
request) an agreed format. Processor shall be entitled to compensation for such measures and services
as are beyond the scope of the Agreement.
In the event any data subject brings a claim against Controller for compensation for damage or loss
incurred or if a Supervisory Authority has issued a conditional fine or other administrative sanctions as a
consequence of Processor having processed personal data in violation of the Agreement or Applicable
data protection legislation, Processor shall compensate Controller for loss incurred. Any obligation to
pay compensation is limited in the manner stated in the Agreement.
This agreement may not be assigned without the prior consent of the other Party.
This Processor Agreement shall be valid commencing the date of entry into the Agreement until such
time as Processor’s processing of personal data ceases.
The agreement shall be governed by Swedish law. Disputes relating to the Processor Agreement shall be
conclusively determined in the manner stated in the Agreement.
PURPOSE OF THE PROCESSING
Through the Agreement, Controller has been granted the right to use Barium Live with appurtenant
services.
Processor is afforded access to the information that Controller has registered in the system.
TYPE OF PROCESSING
Processor will process data in connection with Controller’s use of Barium Live and other provided
services including data processing for support and maintenance of services provided.
CATEGORIES AND TYPES OF PERSONAL DATA
The various types of personal data that Controller may choose to compile and process in Barium Live
are primarily:
CATEGORIES | TYPES |
|
|
In addition, Controller has a possibility to upload other personal data (including personal data which,
according to GDPR, is defined as Sensitive personal data) in connection with the use of Barium Live.
Controller hereby grants Processor the right to process such personal data.
Subprocessors
COMPANY | GEOGRAPHIC LOCATION | DATA PROCESSING |
Iver Sverige AB, 556575-3042 (formerly DGC IB) | Iver Sveavägen 145 113 46 Stockholm Sweden | Hosting of operating environment for agreed service in which the Controller can choose to process personal data. |
Atlassian | Atlassian Network Services, Inc. 350 Bush St. Floor 13 San Francisco, CA 94104 USA | Atlassian provides cloud service (Jira Software) which Processor uses to store and manage technical support tickets. Note, it is Controller which personally chooses which data is attached to the submitted support ticket. |
Freshwork | Freshworks, Inc. | Freshwork provides cloud services Note, it is the Controller who chooses which data is to |
MailGun | Mailgun Technologies, Inc. 548 Market St. #43099 San Francisco, CA 94101 USA | Queue management (temporary storage) of outgoing email from the service. Note, it is the Controller that chooses which data (if any) to send out of the service via E-mail. |
MailChimp | The Rocket Science Group, LLC 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA | Processor uses MailChimp in order to inform certain types of users (e.g. administrators and super users) regarding changes in the service (e.g. release notes and disturbances in the service). The type of processing involves temporary storage of messages and forwarding of email addresses to Controller’s Note, the recipient can unsubscribe from this type of mailing if desired. |