Personal Data Processing Agreement
Document version: 2.0 2019-01-23
Haldor AB, Thulegatan 1, 852 34 Sundsvall, Sweden
Contact: Daniel Wahlgren, email@example.com
(Hereinafter rerred to as the “Data Processor” or “Service Provider”)
and the customer
(Hereinafter referred to as the “Data Controller” or “Customer”).
The Data Processor and the Data Controller being hereinafter referred to collectively as “Parties” and individually as “Party”.
1. Personal Data Processing Agreement
1.1 Purpose of this Data Processing Agreement
The Parties have entered into an agreement (the “Service Agreement”) under which the Service Provider will provide pedagogical tools for Office 365 (the “Service”). The Service involves the Service Provider processes personal data on behalf of the Customer. The Service Agreement remains in effect until terminated by either Party.
The purpose of this Data Processing Agreement is to regulate the rights and obligations of the Parties with regards to the processing of personal data under the Service Agreement in order to ensure that the personal data is processed in accordance with the provisions in the EU General Data Protection Regulation (GDPR) and any subsequent legislation replacing or supplementing the above.
1.2 The purpose and scope of the personal data processing
The purpose of the processing of personal data is to:
– fulfil our contractual and legal obligations.
– provide access to and manage our services.
– generate aggregated statistical information and carry out analyses in order to improve our services, goods, and offers, including long-term analyses in order to understand trends over time.
– ensure the security of our services, and discover or prevent various types of unlawful use, or use which otherwise contravenes the terms and conditions.
Categories of data subjects covered by the processing of personal data under the Service Agreement are: Teachers, Students, Guardians, School administrators, System Administrators, Support Personnel.
Categories of personal data covered by the processing of personal data under the Service Agreement are:
– E-mail address
– First name
– Last name
– User identification number
– User generated data
– Data stored in Customer’s Azure Active Directory tenant shared through integration with the Service
1.3 Obligations of the Data Controller
The Data Controller shall notify the Data Processor without undue delay of any and all circumstances that may arise which may involve the need to change the way in which the Data Processor processes personal data under this Data Processing Agreement.
1.4 Obligations of the Data Processor
1.4.1 Security Measures
The Data Processor shall implement appropriate technical and organisational measures to ensure that personal data is processed in accordance with the requirements in the applicable data protection laws, the conditions in the Service Agreement and in this Data Processing Agreement. All security measures must be at least equal to the level which the competent supervisory authority typically requires for equivalent processing activities. The measures must be documented and submitted to the Data Controller upon request without undue delay.
The Data Processor must process personal data only on behalf of and for the benefit of the Data Controller, only for the purposes stated in item 2 above. The Data Processor must follow the instructions given by the Data Controller per Appendix 2 to this Data Processing Agreement.
The Data Processor shall ensure each of its personnel who has access to the personal data covered by this Data Processing Agreement to comply with the terms and conditions of this Data Processing Agreement including specifically only processing the personal data in accordance with the instructions given by the Data Controller.
If the Data Processor is of the opinion that the instructions given by the Data Controller are in conflict with the applicable data protection legislation, the Data Processor must immediately inform the Data Controller of the same using the contact information in the preamble of this Data Processing Agreement. The Data Processor does not have the right to terminate the Service Agreement for this reason.
1.4.3 Transfer of personal data and use of sub-contractors
When using a subcontractor who processes personal data (a “subprocessor”), the Data Processor, as the Data Controllers representative, shall obtain written agreement with the subprocessor, according to which the subprocessor, as data processor, undertakes towards the Customer to comply with the same provisions as the Data Processor. Where personal data will be transferred to a country outside of the EU/EEA, the Data Processor shall ensure that the subprocessor signs the EU’s standard agreement clauses for transferring personal data to a third country. The Data Processor shall be entitled to sign the agreement as a representative of the Data Controller. Prior to using a subprocessor for the processing of personal data, the Data Processor shall notify the Data Controller of the subprocessors it intends to use and which country personal data will be processed in. On the Data Controller’s request, the Data Processor shall send the Data Controller a copy of any agreements signed by the Data Processor
1.4.4 Requirements with regards to localisation and transfer of personal data to third countries
The Data Processor undertakes to ensure that the personal data is stored and processed in European Union (EU). In certain circumstances the Data Processor, or a subprocessor, needs to transfer your information outside of the European Economic Area to ensure availability of the service. The Data Processor undertakes to ensure appropriate safeguards are in place, including, for example, that the subprocessor signs the EU’s standard agreement clauses for transferring personal data to a third country.
1.4.5 Obligation of Confidentiality
The Data Processor must ensure that any person who will process personal data under this Data Processing Agreement is either covered by a statutory obligation of confidentiality or have undertaken the same in a binding agreement. Confidentiality shall apply with regards to all information processed by the Data Processor under this Data Processing Agreement and the information shall remain confidential also after this Data Processing Agreement has terminated. Access to personal data may only be granted to such person who needs it in order to carry out its duties.
1.4.6 Incident Reporting
The Data Processor must promptly notify the Data Controller of any security incidents where such incidents have resulted in or are likely to result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the personal data covered by this Data Processing Agreement.
Upon request from the Data Controller, the Data Processor must promptly provide the Data Controller with all requested information about the incident such as the facts relating to the incident, its effects and the remedial action taken and cooperate with the Data Controller in communicating about the incident with the supervisory authority where necessary.
1.4.7 Assistance with fulfilling obligations towards the data subjects
The Data Processor must assist the Data Controller in fulfilling its obligations towards data subjects and help the Data Controller facilitate the exercise of data subjects rights such as the correction and removal of data, data portability etc. in accordance with the data protection legislation. This assistance must be provided without undue delay and without any demands from the Data Processor for additional financial compensation unless agreed otherwise in writing between the Parties.
1.4.8 Removal of personal data
During the current term of the Data Processing Agreement, the Data Controller’s user indicates when personal data is to be deleted. They shall then be destroyed, overwritten or otherwise deleted by the Data Processor within 14 days.
After the termination of the Service Agreement, the Data Processor undertakes to, at the choice of the Data Controller, return and/or delete or destroy all personal data covered by the Service Agreement This must take place promptly after the completion of the data processing activities under this Data Processing Agreement without any requirement for additional financial compensation, unless the Parties agree otherwise.
1.4.9 Audits and inspections
The Data Processor must allow for and contribute to audits, including inspections conducted by the Data Controller or another auditor mandated by the Data Controller Additional rules on how the audit must be carried out are found in the instructions in Appendix 2 of this Data Processing Agreement.
The Data Controller may suspend or terminate the Service Agreement and this Data Processing Agreement at any time, with immediate effect by notice in writing and without incurring any liability for compensation for termination if the Data Controller, acting reasonably and in good faith, has reason to believe that the Data Processor is unable or has failed to comply with its obligations under this clause 1.4.
1.5.1 The Data Processor agrees to keep the Data Controller unaccountable for material or immaterial damage when the Data Controller is held accountable towards somebody according to article 82 in the General data protection regulation, if the management of the personal data, that is the cause of the claim paid, has been carried out by the Data Processor or a sub controller in violation with the General data protection regulation, this personal data agreement or instruction from the Data Controller.
1.5.2 The Data Processor also agrees to keep the Data Controller unaccountable in cases where the Data Controller is damaged due to the Data Processor management of personal data in violation with this agreement.
1.6 The right to renegotiate
Both Parties have the right to request the renegotiation of this Data Processing Agreement including instructions and other Appendices, in the event of:
– substantial changes in ownership or management of the other Party
– modification of the applicable legislation or interpretation thereof in a way that affects the processing of personal data covered by this Data Processing Agreement.
The Data Processor does not have the right to terminate the Service Agreement for the sole reason that the right to renegotiate is invoked or that renegotiations have been initiated.
1.7 Applicable Law and Jurisdiction
1.7.1 This Data Processing Agreement is governed by and interpreted in accordance with Swedish law.
1.7.2 Any disputes arising out of or in connection with this Data Processing Agreement shall be settled by Swedish courts unless otherwise agreed by the Parties.
This Data Processing Agreement shall remain in effect as long as the Data Processor is processing personal data on behalf of the Data Controller.
The Data Controller hereby provides Haldor AB, in its capacity as Personal Data Processor, the following instructions.
The Data Processor shall have documentation that proves that the Data Processor complies its obligations under this DPA and the General Data Protection Regulation.
The Data Controller may, at regular intervals, audit the technical and organisational measures taken by the Data Processor and document resulting findings. For such purpose, the Data Controller may
– obtain information from the Data Processor
– request Processor to submit to Data Controller an existing attestation or certificate by an independent professional expert, or
– upon reasonable and timely advance agreement, during regular business hours and without interrupting Processor’s business operations, conduct an on-site inspection of Processor’s business operations or have the same conducted by a qualified third party which shall not be a competitor of Processor.
Data Processor shall, upon Data Controller’s written request and within a reasonable period of time, provide Data Controller with all information necessary for such audit.
Any costs arising from external audits initiated by the Data Controller shall be borne by the Data Controller.
2.2 Information security
The Personal Data Processor is responsible for, in accordance with industry best practices, (a) stablishing controls to ensure the confidentiality of the personal data and to ensure that the personal data is not disclosed contrary to the provisions of the Data Processing Agreement or any privacy laws and, (b) develop, implement and maintain appropriate technical, physical, administrative and organisational security measures, procedures and practices designed to protect the personal data taking into account the risks that the processing of personal data may result in for the data subject’s rights and freedoms, and for the operations of the Personal Data Controller. The Personal Data Processor shall particularly ensure that the personal data is protected against any actual, suspected or anticipated threats to the security and integrity of personal data such as accidental or unlawful destruction, loss or change, unauthorised disclosure of or access to personal data and other data breaches.
2.2.2 The Personal Data Processor must ensure that all users are authenticated with their user in Office 365 / Azure Active Directory.
2.2.3 The Personal Data Processor must ensure that any person working under its supervision who has access to personal data covered by this Data Processing Agreement only processes such data to the extent necessary for this person to carry out its work duties.
2.2.4 The Personal Data Processor shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements in the Data Processing Agreement to all of its personnel who has access to personal data.
The following subcontractors are engaged by Haldor AB in carrying out the Service covered by the Service Agreement.