<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=463105&amp;fmt=gif">

Data Processor Agreement

This personal data processor agreement sets forth the terms and conditions between a customer and Barium AB 



This personal data processor agreement (“Processor Agreement”) sets forth the terms and conditions between a customer under the Agreement (“Controller”) and Barium AB (“Processor”), each individually referred to as “Party” and jointly as the “Parties”, regarding processing of Personal Data by the Processor on behalf of the Controller.


The Parties shall each appoint a contact person with responsibility for the parties’ cooperation with respect to data protection. Any change in contact person or contact details must be notified in writing to the other party.


Personal data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of personal data

Any operation or set of operations which is performed on personal data or onsets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.



Also referred to as subcontractor.  A natural or legal person, public authority, agency or other body, retained by Processor to perform the processing of personal data belonging to Controller.

Data subject

A natural person whose personal data is the subject of processing in any form.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, processed personal data.

Supervisory authority

An independent public authority. In Sweden, it is the Swedish Data Protection Authority.

Third party

A natural or legal person, public authority, agency or body other than the data subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data.

Third country

A state not included in the European Union or which is not a member of the European Economic Area

EU legislation

Means (i) upon entry into force of this Agreement, Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and all amendments and supplements thereto; and (ii) when it becomes applicable, Regulation (EU) 2016/679 of the European Council and the Parliament of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter also referred to as ”GDPR”).


Applicable data protection legislation

Means such privacy and personal data legislation, and any and all other legislation (including ordinances and regulations) that are applicable to the processing of personal data that takes place pursuant to the Agreement (such as the Personal Data Act (1998:204) and EU legislation, which may be changed over time.


Terms in this Processor Agreement that are used without capital letters, such as “controller”, “processor”, “personal data”, “processing”, “data subject”, etc. shall be deemed to have the meaning stated in EU legislation.


The Agreement covers services that Processor shall provide to Controller (Barium Live, Consulting Services, etc). The Agreement with any appendices, together with this Processor Agreement, governs Processor’s responsibilities and what Processor shall perform on behalf of Controller. This Processor Agreement constitutes an integral part of the Agreement.



  1. The purpose of this Processor Agreement is to satisfy the requirements of Applicable data protection legislation for an agreement between a Controller and a Processor. The processing must take place in accordance with the requirements set forth in Applicable data protection legislation and in accordance with other requirements and instructions agreed upon in the Agreement, including this Processor Agreement.
  2.  An agreement has been signed between Controller and Processor regarding Barium’s services, inter alia in the form of access to Barium Live.
  3. Amendments or supplements to this Processor Agreement must be set forth in writing and executed by both Parties in order to be valid.


  1. With the aim of protecting the privacy of registered individuals and ensuring that processing of personal data is handled correctly with adequate safeguards, Controller shall provide Processor with basic information concerning the personal data that Controller wishes Processor to process. Such information is included in Appendix A.


  1. Processor undertakes only to process personal data in accordance with the Agreement and Applicable data protection legislation.
  2. In the absence of instructions that Processor deems necessary to perform its obligations, Processor shall notify Controller thereof without delay and await instructions.
  3. Processor undertakes not to process personal data for its own purposes.
  4. Processor shall immediately inform the controller if the Processor considers that an instruction violates applicable data protection legislation.


  1. Processor undertakes to comply with Applicable data protection legislation when processing personal data.
  2. Processor undertakes to take relevant safeguards required for protecting personal data during processing in accordance with Article 32 of GDPR.
  3. Processor  undertakes to maintain a generally accepted certification mechanism to prove compliance with the requirements of Article 32 (1) GDPR.
  4. Processor may not transfer personal data to a third country other than following written consent from Controller or in accordance with established standard contract clauses or to any party covered by Privacy Shield.
  5. Processor shall (depending on what Controller chooses) delete or return all processed personal data to Controller or offer Controller the possibility to export personal data after provision of processing services has been concluded.
  6. Processor shall provide Controller with access to all information required to demonstrate that the requirements of Applied data protection legislation have been performed and to facilitate and contribute to audits, including inspections performed by Controller or by any other auditor authorised by Controller within the scope of the Agreement. In the absence of special cause, such an inspection shall be performed not more than one (1) time per year  
  7. Processor undertakes to restrict processing of personal data to include only those individuals within its own organisation who require such in order to deliver an agreed delivery level in accordance with the Agreement. 
  8. Processor may not disclose personal data or other information regarding the processing of personal data to any Third party other than following prior written consent from Controller, with the exception of occasions when such disclosure may be required by law.
  9. In the event a public authority or other third party requests information from Processor concerning the processing of personal data, Processor shall forward such request without delay to Controller. Where necessary, Processor shall assist Controller in producing information requested by a Third party.
  10. Processor is not entitled to represent Controller or act on its behalf vis-à-vis any Third party except as stated under the item ‘Subprocessor’.
  11. Processor shall notify Controller without delay upon discovery or suspicion of a personal data breach which adversely affects the protection of the personal data.


Processor undertakes to ensure that persons authorised to process personal data have undertaken to comply with confidentiality or are subject to an appropriate statutory duty of confidentiality.


  1. With the aim of protecting Controller’s personal data, Processor undertakes to take and maintain technical and organisational protection measures that are included in the standard offering of agreed services under the Agreement.
  2. Processor certifies that Processor’s operations are conducted in a manner which ensures compliance with currently Applied data protection legislation. The Processor undertakes to comply with decisions by public authorities concerning security measures for the handling of personal data.
  3. Personal data which, pursuant to GDPR, is defined as Sensitive personal data may not be sent by email from Barium Live. No party is able to guarantee satisfactory protection for sensitive personal data when it leaves Barium Live via email.
  4. For the purpose of protecting personal data, Controller undertakes to use applicable embedded and provided security functions in Barium Live. Examples of such functions include deletion routines, confidential form fields and rights structures as regards user accounts in Barium Live. Furthermore, Controller undertakes to comply with advice and recommendations from Processor which are communicated in connection with development of new security functions in Barium Live.
  5. In order to ensure that Processor take sufficient security measures, Controller shall be entitled to necessary and reasonable insight into Processor’s operations, systems and personal data processing.
    1. Processor undertakes, upon request by Controller, to provide Controller with the information that Controller requires to exercise its supervision.
    2. Processor shall be entitled to debit Controller for costs associated with such exercise of supervision.



New Subprocessors for existing processing

Controller hereby issues a general written approval for Processor to retain another Subprocessor for such processing as performed by current Subprocessors upon entry into the Agreement. Processor shall notify Controller of its intentions to replace a Subprocessor. Upon entry into this Agreement, Processor has executed agreements for the processing of personal data with Subprocessors listed in Appendix B.

Subprocessors for new processing

Processor may not, without Controller’s written consent, retain a Subprocessor for other processing of personal data on behalf of Controller that is not covered by the first paragraph. Such consent shall not be withheld in the absence of objective circumstances as regards the requirements included in this Agreement. In the event Controller does not grant consent to the retention of Subprocessors, Processor shall be entitled, however not obliged, to terminate the Agreement, with the sole consequence being that prepaid subscription fees for the remainder of the contract term shall be refunded. 

In those cases where Processor retains a Subprocessor to perform specific processing on behalf of Controller, such Subprocessor shall, through agreement or other legal act, assume the same obligations with respect to data protection as established in the Processor Agreement between Controller and Processor.



  1. Processor undertakes (in situations in which Controller does not personally have the possibility to engage in processing), at the request and on instructions from Controller, without delay (however within thirty (30) days) to delete or rectify inaccuracies in registered personal data.
  2. Requests and instructions regarding deletion of personal data must be conveyed in writing to Processor.
  3. After Controller has made a written request for deletion of personal data, Processor may only process the personal data as a stage in the deletion process and for backup copying for an additional 30 days.
  4. Upon termination of the Agreement, data (including personal data) for which Controller is responsible shall be deleted. However, all data shall be saved for a further 30 days in backup copies before it may be deemed fully deleted.
  5. Prior to the expiry of the Agreement, Controller shall be entitled to request to receive the personal data in an agreed digitally portable format. Processor undertakes, in the event of readback of backups, to once again delete data that was previously deleted in the service.


Processor undertakes (in circumstances in which Controller itself has no possibility to carry out the processing), through a written request from Controller, to provide personal data in (at the time of the request) an agreed format. Processor shall be entitled to compensation for such measures and services as are beyond the scope of the Agreement.


In the event any data subject brings a claim against Controller for compensation for damage or loss incurred or if a Supervisory Authority has issued a conditional fine or other administrative sanctions as a consequence of Processor having processed personal data in violation of the Agreement or Applicable data protection legislation, Processor shall compensate Controller for loss incurred. Any obligation to pay compensation is limited in the manner stated in the Agreement.


This agreement may not be assigned without the prior consent of the other Party.

14. TERM

This Processor Agreement shall be valid commencing the date of entry into the Agreement until such time as Processor’s processing of personal data ceases.


The agreement shall be governed by Swedish law. Disputes relating to the Processor Agreement shall be conclusively determined in the manner stated in the Agreement.

Appendix A



Through the Agreement, Controller has been granted the right to use Barium Live with appurtenant services.

Processor is afforded access to the information that Controller has registered in the system.



Processor will process data in connection with Controller’s use of Barium Live and other provided services including data processing for support and maintenance of services provided.



 The various types of personal data that Controller may choose to compile and process in Barium Live are primarily:



·     Personal data about employees.

·     Personal data about suppliers, subcontractors,               co-workers, consultants, etc.

·     Personal data about citizens.

·     Contact details (CRM) to customers, partners.

·     Contact details for marketing purposes.












·     Name

·     Address

·     Profile image

·     Next of kin

·     Salary

·     Account number

·     Telephone number

·     Insurance number

·     Registration number

·     CV/personal letters

·     Data concerning rehabilitation

·     Size, work clothes

·     Email address

·     Purchasing history

·     Geographic data

·     Invoice data



In addition, Controller has a possibility to upload other personal data (including personal data which, according to GDPR, is defined as Sensitive personal data) in connection with the use of Barium Live. Controller hereby grants Processor the right to process such personal data. 

Appendix B


Company and reg. no

Geographic location


Mechanism for supervision upon transfer of data to countries outside EU/EEA.




Sveavägen 145, floor 5

113 64 Stockholm

Hosting of operational environment for agreed services in which Controller can choose to process personal data.

No supervision mechanism necessary since all data stored in Sweden.


Mailgun Technologies, Inc.

535 Mission St.

San Francisco, CA 94105 USA

Queue management (temporary storage) of outgoing email from the service. Note that it is Controller which personally chooses which data is to be sent from the service.

EU-U.S. Privacy Shield Framework


The Rocket Science Group, LLC

675 Ponce de Leon Ave NE

Suite 5000

Atlanta, GA 30308 USA

Processor uses MailChimp in order to inform certain types of users regarding changes in the service. The type of processing involves temporary storage and forwarding of email addresses to Controller’s administrators and test users in agreed service

EU-U.S. Privacy Shield Framework


Freshworks, Inc.

1250 Bayhill Drive, Suite 315

San Bruno, California 94066 USA

Freshwork provides cloud services

(Freshdesk)  which Controller uses to store and manage received support matters. Note that it is Controller which personally chooses which data is attached to posted support matters.  

EU-U.S. Privacy Shield Framework


Atlassian PTY Ltd

Atlassian Inc. (San Francisco, Harrison Street Location)

1098 Harrison Street

San Francisco, California 94103 USA

Atlassian provides cloud service (Jira Software) which Processor uses to store and manage technical support matters. Note that it is Controller which personally chooses which data is attached to posted support matters

EU-U.S. Privacy Shield Framework


    Read about our solutions

    Discover our solutions