Data Processor Agreement

PERSONAL DATA PROCESSOR AGREEMENT 
(last updated 2020-08-25)
Download as pdf (eng)  Download as pdf (swe) 

Note: This Data Processor Agreement constitutes an integral part of the Subscription Agreement.

1. PARTIES

This personal data processor agreement (“Processor Agreement”) sets forth the terms and conditions between a customer under the Agreement (“Controller”) and Barium AB (“Processor”), each individually referred to as “Party” and jointly as the “Parties”, regarding processing of Personal Data by the Processor on behalf of the Controller.

2. CONTACT PERSONS

The Parties shall each appoint a contact person with responsibility for the parties’ cooperation with respect to data protection. Any change in contact person or contact details must be notified in writing to the other party.

3. DEFINITIONS

4. PURPOSE AND CONTENT

1. The purpose of this Processor Agreement is to satisfy the requirements of Applicable data
   protection legislation for an agreement between a Controller and a Processor. The processing
   must take place in accordance with the requirements set forth in Applicable data protection
   legislation and in accordance with other requirements and instructions agreed upon in the
   Agreement, including this Processor Agreement.
2. An agreement has been signed between Controller and Processor regarding Barium’s services,
   inter alia in the form of access to Barium Live.
3. Amendments or supplements to this Processor Agreement must be set forth in writing and
   executed by both Parties in order to be valid.

5. PROCESSING OF PERSONAL DATA

1. With the aim of protecting the privacy of registered individuals and ensuring that processing of
   personal data is handled correctly with adequate safeguards, Controller shall provide Processor
   with basic information concerning the personal data that Controller wishes Processor to
   process. Such information is included in Appendix A.

6. INSTRUCTIONS

1. Processor undertakes only to process personal data in accordance with the Agreement and
   Applicable data protection legislation.
2. In the absence of instructions that Processor deems necessary to perform its obligations,
   Processor shall notify Controller thereof without delay and await instructions.
3. Processor undertakes not to process personal data for its own purposes.
4. Processor shall immediately inform the controller if the Processor considers that an instruction
   violates applicable data protection legislation.

7. THE PROCESSOR’S GENERAL UNDERTAKINGS

1. Processor undertakes to comply with Applicable data protection legislation when processing
   personal data.
2. Processor undertakes to take relevant safeguards required for protecting personal data during
   processing in accordance with Article 32 of GDPR.
3. Processor undertakes to maintain a generally accepted certification mechanism to prove
   compliance with the requirements of Article 32 (1) GDPR.
4. Processor may not transfer personal data to a third country other than following written
   consent from Controller or in accordance with established standard contract clauses or in
   accordance with a mechanism that the European Commission considers to guarantee an
   adequate level of protection.
5. Processor shall (depending on what Controller chooses) delete or return all processed personal
   data to Controller or offer Controller the possibility to export personal data after provision of
   processing services has been concluded.
6. Processor shall provide Controller with access to all information required to demonstrate that
   the requirements of Applied data protection legislation have been performed and to facilitate
   and contribute to audits, including inspections performed by Controller or by any other auditor
   authorised by Controller within the scope of the Agreement. In the absence of special cause,
   such an inspection shall be performed not more than one (1) time per year.
7. Processor undertakes to restrict processing of personal data to include only those individuals
   within its own organisation who require such in order to deliver an agreed delivery level in
   accordance with the Agreement.
8. Processor may not disclose personal data or other information regarding the processing of
   personal data to any Third party other than following prior written consent from Controller, with
   the exception of occasions when such disclosure may be required by law.
9. In the event a public authority or other third party requests information from Processor
   concerning the processing of personal data, Processor shall forward such request without delay
   to Controller. Where necessary, Processor shall assist Controller in producing information
   requested by a Third party.
10. Processor is not entitled to represent Controller or act on its behalf vis-à-vis any Third party
    except as stated under the item ‘Subprocessor’.
11. Processor shall notify Controller without delay upon discovery or suspicion of a personal data
    breach which adversely affects the protection of the personal data.
12. Processor undertakes to ensure that persons authorised to process personal data have
    undertaken to comply with confidentiality or are subject to an appropriate statutory duty of
    confidentiality.

8 SECURITY MEASURES

1. With the aim of protecting Controller’s personal data, Processor undertakes to take and
   maintain technical and organisational protection measures that are included in the standard
   offering of agreed services under the Agreement.
2. Processor certifies that Processor’s operations are conducted in a manner which ensures
   compliance with currently Applied data protection legislation. The Processor undertakes to
   comply with decisions by public authorities concerning security measures for the handling of
   personal data.
3. Personal data which, pursuant to GDPR, is defined as Sensitive personal data may not be sent by
   email from Barium Live. No party is able to guarantee satisfactory protection for sensitive
   personal data when it leaves Barium Live via email.
4. For the purpose of protecting personal data, Controller undertakes to use applicable embedded
   and provided security functions in Barium Live. Examples of such functions include deletion
   routines, confidential form fields and rights structures as regards user accounts in Barium Live.
   Furthermore, Controller undertakes to comply with advice and recommendations from
   Processor which are communicated in connection with development of new security functions
   in Barium Live.
5. In order to ensure that Processor take sufficient security measures, Controller shall be entitled
   to necessary and reasonable insight into Processor’s operations, systems and personal data
   processing.
   1. Processor undertakes, upon request by Controller, to provide Controller with the
      information that Controller requires to exercise its supervision.
   2. Processor shall be entitled to debit Controller for costs associated with such exercise of
      supervision.

9. SUBPROCESSORS

New Subprocessors for existing processing
Controller hereby issues a general written approval for Processor to retain another Subprocessor for
such processing as performed by current Subprocessors upon entry into the Agreement. Processor shall
notify Controller of its intentions to replace a Subprocessor. Upon entry into this Agreement, Processor
has executed agreements for the processing of personal data with Subprocessors listed in Appendix B.

Subprocessors for new processing
Processor may not, without Controller’s written consent, retain a Subprocessor for other processing of
personal data on behalf of Controller that is not covered by the first paragraph. Such consent shall not
be withheld in the absence of objective circumstances as regards the requirements included in this
Agreement. In the event Controller does not grant consent to the retention of Subprocessors, Processor
shall be entitled, however not obliged, to terminate the Agreement, with the sole consequence being
that prepaid subscription fees for the remainder of the contract term shall be refunded.

In those cases where Processor retains a Subprocessor to perform specific processing on behalf of
Controller, such Subprocessor shall, through agreement or other legal act, assume the same obligations
with respect to data protection as established in the Processor Agreement between Controller and
Processor.

10. RECTIFICATION AND DELETION OF PERSONAL DATA

1. Processor undertakes (in situations in which Controller does not personally have the possibility to
   engage in processing), at the request and on instructions from Controller, without delay
   (however within thirty (30) days) to delete or rectify inaccuracies in registered personal data.
2. Requests and instructions regarding deletion of personal data must be conveyed in writing to
   Processor.
3. After Controller has made a written request for deletion of personal data, Processor may only
   process the personal data as a stage in the deletion process and for backup copying for an
   additional 30 days.
4. Upon termination of the Agreement, data (including personal data) for which Controller is
   responsible shall be deleted. However, all data shall be saved for a further 30 days in backup
   copies before it may be deemed fully deleted.
5. Prior to the expiry of the Agreement, Controller shall be entitled to request to receive the
   personal data in an agreed digitally portable format. Processor undertakes, in the event of
   readback of backups, to once again delete data that was previously deleted in the service

11. PORTABILITY OF PERSONAL DATA

Processor undertakes (in circumstances in which Controller itself has no possibility to carry out the
processing), through a written request from Controller, to provide personal data in (at the time of the
request) an agreed format. Processor shall be entitled to compensation for such measures and services
as are beyond the scope of the Agreement.

12. LIABILITY FOR LOSS

In the event any data subject brings a claim against Controller for compensation for damage or loss
incurred or if a Supervisory Authority has issued a conditional fine or other administrative sanctions as a
consequence of Processor having processed personal data in violation of the Agreement or Applicable
data protection legislation, Processor shall compensate Controller for loss incurred. Any obligation to
pay compensation is limited in the manner stated in the Agreement.

13. ASSIGNMENT

This agreement may not be assigned without the prior consent of the other Party.

14. TERM

This Processor Agreement shall be valid commencing the date of entry into the Agreement until such
time as Processor’s processing of personal data ceases.

15. DISPUTES AND APPLICABLE LAW

The agreement shall be governed by Swedish law. Disputes relating to the Processor Agreement shall be
conclusively determined in the manner stated in the Agreement.

Appendix A

PURPOSE OF THE PROCESSING
Through the Agreement, Controller has been granted the right to use Barium Live with appurtenant
services.
Processor is afforded access to the information that Controller has registered in the system.

TYPE OF PROCESSING
Processor will process data in connection with Controller’s use of Barium Live and other provided
services including data processing for support and maintenance of services provided.

CATEGORIES AND TYPES OF PERSONAL DATA
The various types of personal data that Controller may choose to compile and process in Barium Live
are primarily:

In addition, Controller has a possibility to upload other personal data (including personal data which,
according to GDPR, is defined as Sensitive personal data) in connection with the use of Barium Live.
Controller hereby grants Processor the right to process such personal data.

Appendix B

Subprocessors