Personal Data Processing Agreement

1         Background

1.1       GPTW (hereinafter the "Supplier") and the customer specified on the Service Agreement (hereinafter the "Customer") have entered into an Agreement according to which the Supplier shall provide certain services specified in the Agreement ("the Services") to the Customer. This data processing agreement ("Personal Data Processing Agreement") is included as an appendix to the Agreement. The Supplier and the Customer are referred to individually as the "Party" and collectively as the "Parties".

1.2       Within the framework of the Agreement, the Supplier, in its capacity as a personal data processor, may process personal data for which the Customer is the personal data controller, as detailed in Appendix 1.

1.3       According to the Data Protection Legislation, a written agreement must be in place between a personal data controller and a personal data processor. The Parties have therefore entered into the following Personal Data Processing Agreement.

1.4       In the event of a conflict between a provision in this Personal Data Processor Agreement and a provision in the Agreement, the provisions in the Personal Data Processor Agreement shall take precedence.

2         Terms and definitions

In this Personal Data Processor Agreement, the following definitions shall have the meaning set forth below:

2.1       "Data Protection Legislation" refers to the EU Data Protection Regulation 2016/67 ("GDPR") and laws and regulations that have been decided in accordance with the GDPR and that are directly applicable to the processing of personal data covered by this Personal Data Processor Agreement;

2.2       "Personal Data Processing Agreement" means this Personal Data Processing Agreement together with all related annexes;

2.3       Expressions used in this Personal Data Processor Agreement, such as processing, personal data controller, personal data, personal data processor, personal data incident, data subject, etc., shall have the same meaning as in the Data Protection Legislation.

3         Customer's general obligations

3.1       The customer is responsible for taking the necessary measures so that the processing of personal data covered by this Personal Data Processor Agreement meets the requirements of the Data Protection Legislation, including but not limited to informing and obtaining the necessary consents from the data subjects.

3.2       The Customer is responsible for ensuring that Appendix 1 is correct and complete and that the Supplier's processing of personal data in accordance with Appendix 1 meets the requirements of the Data Protection Legislation.

4         Supplier's general obligations

4.1       The supplier undertakes to only process personal data in accordance with the provisions of this Personal Data Processor Agreement and to the extent necessary to fulfil its obligations under the Agreement.

4.2       In the event that the Customer submits new instructions that go beyond what follows from this Personal Data Processing Agreement or the Agreement, the Supplier shall be entitled to reasonable compensation for costs and work performed to comply with such instructions.

4.3       Notwithstanding what is stated in point 4.1 above, the Supplier has the right to process personal data to the extent necessary to fulfil its obligations under Union law or the national law of a Member State. In that case the Supplier shall inform the Customer of the legal requirement before the personal data is processed, unless that law prohibits the Supplier from providing such information.

4.4       The Supplier must inform the Customer if the Supplier cannot fulfil its obligations under this Personal Data Processor Agreement. In the event that the Supplier considers that it lacks instructions that it deems necessary to process personal data in accordance with this Personal Data Processor Agreement or considers that an instruction is in conflict with Data Protection Legislation, the Supplier shall inform the Customer thereof and await further instructions from the Customer.

5         Assistance to the Customer

5.1       The supplier must, to the extent possible and taking into account the nature of the processing, upon request, assist the Customer through appropriate technical and organizational measures that are necessary for the Customer to be able to fulfil its obligation to respond to requests from data subjects regarding their rights according to Chapter III in GDPR.

5.2       The Supplier shall, upon request, assist the Customer in ensuring that the obligations according to articles 32–36 of the GDPR are fulfilled, taking into account the type of processing and the information available to the Supplier.

5.3       The Supplier must notify the Customer of a personal data incident without undue delay after the Supplier becomes aware of it. The Supplier must assist the Customer with the information that the Customer needs to fulfil its obligations regarding notification of the personal data incident to the competent supervisory authority and, where applicable, information to the data subjects about the personal data incident. If and to the extent that it is not possible for the Supplier to provide all of this information at the same time, the information may be provided in instalments without undue further delay.

5.4       The supplier shall, to a reasonable extent, upon request, assist the Customer in carrying out impact assessments regarding data protection and prior consultation and participate in the investigation of personal data incidents that have occurred with competent supervisory authorities.

5.5       The Supplier is entitled to reasonable compensation for costs and work performed for such help and assistance as the Customer requests in accordance with this clause 5.

6         Technical and organizational security measures

6.1       The Supplier must take appropriate technical and organizational measures to protect personal data, taking into account the risks that the processing entails, in particular the risk of accidental or unlawful destruction, loss or alteration of, or unauthorized disclosure of or unauthorized access to, the personal data that is transferred, stored or otherwise processed. The security measures to be taken by the Supplier appear in Appendix 1 and the Customer confirms that these measures are sufficient to achieve the level of security that follows from the Data Protection Legislation. If the Customer requests a change to the security measures shown in Appendix 1, the Supplier has the right to receive compensation for reasonable additional costs to make such a change.

7         Right to information, review and inspections

7.1       The Supplier shall, upon request, (i) provide the Customer with access to all information required to demonstrate that the Supplier's obligations under this Personal Data Processing Agreement have been fulfilled and (ii) enable and contribute to reviews, including inspections, in accordance with this clause 7. All costs incurred in connection with reviews and/or inspections according to this clause 7 shall be borne by the Customer.

7.2       The Customer has the right, with at least fourteen (14) days' notice, either itself or through a third party authorized by it who is not a competitor of the Supplier (the "Auditor"), to carry out audits and inspections at the Supplier to check that the Supplier fulfils its obligations according to this Personal Data Processor Agreement.

7.3       In order to avoid misunderstandings, a review and/or inspection in accordance with this clause 7 shall only refer to such information as is necessary for the Customer to be able to fulfil its control obligation according to the Data Protection Legislation and shall not under any circumstances include other information relating to the Supplier's business that is not of direct relevance to the Supplier's processing of personal data on behalf of the Customer.

7.4       In the event that the Customer hires an Auditor, the Customer must ensure that the Auditor signs a non-disclosure agreement regarding all information that the Auditor receives within the scope of the review and/or inspection, which is no less restrictive than the confidentiality obligation stated in clause 10.3 below. The Customer is liable to the Supplier for any breach by the Auditor of such a confidentiality obligation.

8         Hiring of subprocessors

8.1       The Supplier has the right to engage subcontractors to process personal data covered by this Personal Data Processor Agreement ("Subprocessors").

8.2       In the event that the Supplier engages a Subprocessor, the Supplier must enter into a written personal data processing agreement with such Subprocessor imposing on the Subprocessor obligations corresponding to, and no less restrictive than, those that follow from this Personal Data Processing Agreement.

8.3       The Supplier must inform the Customer of any plans to engage new Subprocessors or replace a Subprocessor, so that the Customer has the opportunity to object to such changes. If such an objection occurs, the Customer understands and accepts that the Supplier's ability to deliver the Services may be limited or made impossible. In such a case, the Supplier has the right to receive compensation for the costs and work that thereby arise for the Supplier.

8.4       When signing this Personal Data Processor Agreement, the Customer is informed about and accepts all the Subprocessors that appear in Appendix 2.

8.5       The Supplier is responsible towards the Customer for the Subprocessors' processing of personal data as for its own.

9         Transfer to and processing of personal data in countries outside the EU/EEA

9.1       The Supplier may not transfer personal data to a country outside the EU/EEA without the Customer's prior approval. By signing this Personal Data Processor Agreement, the Customer consents to the transfers of personal data to the United States that the Supplier carries out within the framework of the provision of the Services, in accordance with what appears in Appendix 2.

9.2       In the event that personal data will be transferred to or processed in a country outside the EU/EEA, the Supplier must first investigate whether the recipient country is covered by an adequacy decision issued by the European Commission. In the absence of such a decision, the Supplier must ensure that the transfer is covered by standard data protection clauses or that the transfer is otherwise permitted according to the Data Protection Legislation.

9.3       For the avoidance of doubt, personal data may not be transferred to or processed in a country outside the EU/EEA if none of the conditions in point 9.2 above exist.

10    Confidentiality

10.1    The Supplier must ensure that the persons who work under the Supplier's management and who are authorized to process personal data according to this Personal Data Processing Agreement observe confidentiality in accordance with this clause 10 or are subject to statutory confidentiality obligations.

10.2    Without prejudice to the application of any confidentiality obligations in the Agreement, the Supplier shall keep all personal data processed on behalf of the Customer strictly confidential. However, the confidentiality commitment shall not apply to information that:

(i)    is publicly known or comes to public knowledge otherwise than through a breach of this Personal Data Processor Agreement;

(ii)   the Supplier had in its possession before the Supplier obtained the information from the Customer in connection with this Personal Data Processor Agreement;

(iii)  the Supplier receives from third parties outside of this contractual relationship; or

(iv)   the Party is legally obliged to provide due to mandatory legislation, court decisions or decisions of other authorities. In such a case, however, it is the Supplier's responsibility to immediately notify the Customer in writing of this and to request that the requested personal data be treated as confidential upon disclosure.

10.3    The Customer undertakes to keep all information that the Customer receives regarding the Supplier's security measures, routines or IT systems, or that is otherwise of a confidential nature, strictly confidential and not to disclose confidential information originating from the Supplier or its Subprocessors to any third party. The Customer is only entitled to disclose such information as the Customer is legally obliged to provide due to mandatory legislation or is obliged to disclose according to the Agreement, including this Personal Data Processing Agreement.

10.4    The confidentiality commitment according to this clause 10 applies even if this Personal Data Processing Agreement has ceased to apply.

11    Liability

11.1    Each Party shall be responsible for administrative penalty charges imposed on the Party which are intended to punish the Party for its violations of the Data Protection Legislation. Otherwise, the Supplier's liability shall be limited in accordance with the conditions that follow from the Agreement.

12    Contract period and termination

12.1    This Personal Data Processing Agreement comes into force when both Parties have signed it and applies between the Parties as long as the Supplier processes personal data on behalf of the Customer. Provisions on termination can be found in the Agreement.

12.2    If the Supplier's commitments under this Personal Data Processor Agreement become commercially burdensome for the Supplier, in the Supplier's judgment, the Supplier has the right to terminate the Main Agreement with immediate effect.

13    Actions upon termination of data processing agreement

13.1    Upon termination of the Agreement, the Customer shall instruct the Supplier in writing that the personal data that the Supplier has processed on behalf of the Customer within the framework of this Personal Data Processing Agreement shall (i) be returned to the Customer or (ii) be irrevocably deleted. If the Supplier does not receive such instructions within fourteen (14) days of the Main Agreement ceasing to apply, the Supplier must irrevocably delete the personal data within a reasonable time, unless otherwise required by mandatory law.

14    Assignment

14.1    Neither Party shall have the right to fully or partially assign its rights or obligations under this Personal Data Processing Agreement without the other Party's written consent.

15    Amendments and additions

15.1    Amendments and additions to this Personal Data Processing Agreement are handled in accordance with the terms and conditions set out in Appendix 1 (General terms and conditions).

16    Choice of law and dispute resolution

16.1    Swedish law shall be applied to this Personal Data Processor Agreement, without application of its choice of law rules.

16.2    Disputes arising from this Personal Data Processing Agreement shall be settled in accordance with the provisions set out in the Agreement.

Signed by:

GREAT PLACE TO WORK INSTITUTE SVERIGE AB

_________________________

Jeanette Bergvall, CEO

Annex 1 – Processing of personal data

DESCRIPTION OF THE PROCESSING OF PERSONAL DATA COVERED BY THE PERSONAL DATA PROCESSING AGREEMENT

This Appendix 1 shall be considered an integral part of the Personal Data Processing Agreement.

Categories of data subjects

The following categories of data subjects are affected by the processing of personal data covered by the Personal Data Processing Agreement:

  • Employees

Categories of personal data

The following categories of personal data are processed:

  • Email addresses;
  • IP addresses.

The Supplier may also process other personal data if it is necessary to provide the Services that appear in the Main Agreement.

Purpose of the processing

The personal data is processed for the following purposes:

  • to provide the Services according to the Main Agreement;
  • to fulfil other obligations incumbent on the Supplier according to the Main Agreement and this Personal Data Processor Agreement.

Processing of personal data

The personal data will be processed in the following way:

  • We receive a structured list of employee email addresses (and other data submitted by the Customer according to its needs) through the Customer uploading information into the software.
  • Email addresses are anonymized 5 days after the survey has been completed.
  • We also have contact persons whose information we save on the server and in our CRM system in order to be able to contact them. This is needed for our internal process for smooth communication.

Preservation of personal data

The personal data will be kept for the following time periods for the above purposes:

  • Contact list: after the end of the study year
Annex 2 – Subprocessors

SUBPROCESSORS PROCESSING PERSONAL DATA ON CUSTOMER'S ACCOUNT

This Annex 2 shall be considered an integral part of the Personal Data Processing Agreement. The Customer is informed that, and approves that, the Supplier engages the following Subprocessors in accordance with point 8.4 of the Personal Data Processing Agreement.

Subprocessor's identity

The identity of the subprocessor (including details of the full company name, organization number and address):
The Trust Lab Limited

Registration Number 591 473

VAT Number IE 3443396GH

235 Charlemont

Griffith Ave

Dublin 9

Ireland

What type of service does the subprocessor perform within the framework of the Service?

The personal data is processed by the subprocessor to, as a subcontractor for the Supplier, provide employee surveys that form part of the Services according to the Main Agreement.

At which location will the subprocessor process personal data on behalf of the Customer?

The personal data will be processed at the following place/places:

Server location:

Poznan, Poland
Subprocessor's identity

The identity of the subprocessor (including details of the full company name, organization number and address):
Great Place To Work Institute Inc

1999 Harrison St. Oakland, CA 94612

What type of service does the subprocessor perform within the framework of the Service?

The personal data is processed by the subprocessor to, as a subcontractor for the Supplier, provide employee surveys that form part of the Services according to the Main Agreement.

At which location will the subprocessor process personal data on behalf of the Customer?

The personal data will be processed at the following place/places:

For support:
USA

Server location:
The Netherlands