Haldor’s Data Processing Agreement
Document version: 20210426.1
Haldor AB, Thulegatan 1, 852 32 Sundsvall, Sweden
Reg. No.: 5590237516
Contact: Andreas Skoglund, firstname.lastname@example.org
(Hereinafter rerred to as the “Data Processor” or “Service Provider”)
and Customer (where ”Customer” means the legal entity which has entered into a contract with us and is defined as “customer” in the Service Agreement).
(Customer is hereinafter also referred to as “Data Controller”).
The Data Processor and the Data Controller being hereinafter referred to collectively as “Parties” and individually as “Party”.
1. Personal Data Processing Agreement
1.1 Purpose of this Data Processing Agreement
The Parties have entered into an agreement (“Service Agreement”) under which the Service Provider will provide pedagogical tools for Office 365 ( “Service”; as defined in the Terms of Service under the Service Agreement). The Service involves that the Service Provider processes personal data on behalf of the Customer.
The purpose of this Data Processing Agreement (”Data Processing Agreement”) is to regulate the rights and obligations of the Parties with regards to the processing of personal data under the Service Agreement in order to ensure that the personal data is processed in accordance with applicable data protection laws, including the provisions in the EU General Data Protection Regulation (”GDPR”) and any subsequent legislation replacing or supplementing the GDPR.. Except as may be otherwise required under applicable data protection laws, Customer, on behalf of any other controller (e.g., where applicable, companies within its company group or other controllers designated by Customer; if agreed with Service Provider in the Service Agreement), shall serve as a single point of contact for Service Provider in all matters under this Data Processing Agreement and shall be responsible for the internal coordination, review and submission of instructions or requests to Service Provider as well as the onward distribution of any information, notifications and reports provided by Service Provider hereunder.
Unless stipulated otherwise, the provisions of the Data Processing Agreement shall take precedence over the provisions of the Service Agreement with respect to the subject matter hereof.
This Data Processing Agreement is valid for as long as the personal data is processed. The Data Processing Agreement shall be governed by Swedish law.
1.2 The purpose and scope of the personal data processing
The nature and purpose of the processing, the type of personal data and the categories of data subjects covered under this Data Processing Agreement are specified below in Appendix 1.
1.3 Obligations of the Data Controller
Customer is the data controller for all personal data which Customer shares with Service Provider for processing under the Service Agreement and this Data Processing Agreement. In its capacity as data controller, Customer confirms (for its own part and, as applicable, on behalf of each other controller) that: a) without prejudice to Service Provider’s responsibilities as data processor hereunder, Customer is solely responsible for any personal data provided or made accessible to Service Provider under this Data Processing Agreement and the means by which it has been acquired and collected as well as the accuracy, quality, legality and integrity thereof; b) Customer is entitled to provide access to personal data to Service Provider for the purposes hereof and, consequently, that it has and will maintain a lawful basis for Service Provider´s performance of the Service under the terms of the Service Agreement and hereunder; c) all instructions from Customer for the processing of personal data hereunder shall comply with applicable data protection laws, shall be reasonable and documented in writing, and shall relate to and be consistent with the Service agreed to be provided by Service Provider, and Customer accepts that Service Provider disclaims any obligation or liability with regard to any instructions or requests being in violation of any of the aforesaid.
1.4 Obligations of the Data Processor
1.4.1 Security and information security
Service Provider shall take the technical and organisational measures for the protection of the personal data that are appropriate with regard to the sensitivity of the personal data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. The personal data shall be protected from any type of unauthorized processing such as change, destruction or unauthorised access and dissemination. Service Provider, accordingly, undertakes to take all measures stipulated in Article 32 of the GDPR. Technical and organisational measures implemented by Service Provider are described in Appendix 2 to this Data Processing Agreement. Service Provider shall be prepared to comply with a competent authority’s decision on measures to be taken in accordance with applicable data protection laws’ security requirements.
Service Provider shall ensure that all of its personnel who has access to personal data under this Data Processing Agreement only processes such data to the extent necessary to carry out the respective work duty. Service Provider shall further see to it that any of its personnel handling personal data hereunder has been provided appropriate training with respect to data privacy, confidentiality and information security requirements.
Data Processor must process personal data only on behalf of and for the benefit of Data Controller and only for the purposes stated in clause 1,2, above. Data Processor must follow the instructions given by the Data Controller per Appendix 1 to this Data Processing Agreement.
Data Processor shall ensure each of its personnel who has access to the personal data covered by this Data Processing Agreement to comply with the terms and conditions of this Data Processing Agreement including specifically only processing the personal data in accordance with the instructions given by Data Controller. Service Provider is responsible for ensuring that sub-processors that it engages only process personal data in accordance with the Data Processing Agreement and applicable data protection laws.
Customer is responsible for the instructions for processing of personal data given to Service Provider hereunder. Service Provider shall only process Customer’s personal data in accordance with this Data Processing Agreement and the instructions given by Customer from time to time. If Service Provider deems that instructions are contrary to the requirements of applicable data protection laws, then Service Provider shall notify Customer thereof without delay. Service Provider shall for the avoidance of doubt not be obliged to perform a certain measure if, according to Service Provider´s reasonable assessment, this would result in a breach of data protection laws. Service Provider shall for the avoidance of doubt however not be obliged to perform own investigations or surveys in order to establish whether there is a breach or not, or whether instructions comply with data protection laws or not. Service Provider reserves the right to charge Customer on a time and material basis for any work caused relating to this clause and/or for any other work or measures (including measures or work requested by Customer) not expressly covered by Service Provider´s obligations set out herein.
1.4.3 Use of sub-processors
Service Provider may engage sub-processors for the processing of personal data under the Service Agreement subject to this clause 1.4.3. Customer acknowledges that appointment of new sub-processors may from time to time be required in order to perform the Service. Service Provider is responsible for ensuring that all processing of personal data performed by a sub-processor is governed by a written agreement with the sub-processor that corresponds to the requirements of this Data Processing Agreement and data protection laws. Subject to the above, Customer (also on behalf of other controllers, if applicable) hereby gives its general written consent and mandate (also for the purpose of the Standard Contractual Clauses, if applicable) to Service Provider to use sub-processors, and for the sub-processors to use sub-processors, in respect of: i) Service Provider´s affiliates, ii) other sub-processors used in Service Provider´s regular business and service delivery; and iii) otherwise any sub-processor of which Service Provider has provided thirty (30) days’ prior written notice to Customer. Service Provider will maintain a list of its permitted sub-processors; such list to be made available without undue delay upon Customer’s request and shall without undue delay notify (such notification may be given in-service or posted on-line) Customer of any change of sub-processors to the extent relating to processing of personal data under this Data Processing Agreement. Customer shall have the right to object to the use of a sub-processor under this clause 1.4.3 by written notice to Service Provider, such objection only to be made in good faith and based on justifiable grounds, and without undue delay from the time when Customer was notified of the use of such sub-processor. The Parties will discuss possible activities to mitigate such objection from Customer in good faith. Customer acknowledges that its objection to the use of a sub-processor may adversely affect Service Provider´s ability to provide the Service. Furthermore, unless otherwise agreed, Service Provider is under no obligation to refund any payments made in advance for the Service under the Service Agreement. Service Provider is responsible for the sub-processor’s processing of personal data under the Service Agreement and is fully responsible for sub-processors who do not fulfil their obligations according to the Data Processing Agreement. The sub-processors used on the date of entering into of the Service Agreement and this Data Processing Agreement are listed in Appendix 1.
1.4.4 Requirements with regards to localization and transfer of personal data to third countries
Processing activities (including storage) shall take place on the location(s) set out in Appendix 1. Personal data shall not be transferred outside such location, including to other countries/states, without the prior written consent of Customer. It is acknowledged that Service Provider, either itself or using sub-processors, as part of the Service, may need to perform certain services from locations in countries and territories outside the EEA. In case of such performance, then Customer (for its own part and, where applicable, on behalf of other controllers referenced herein being established in the EEA) will give its specific written consent, mandate, authorization and instruction to Servce Provider for the purposes of conducting transfers outside EEA when providing the Service under the Service Agreement from locations outside the EEA, as set forth below. Service Provider or its sub-processors may process personal data outside the EU/EEA only if:
a) The recipient has been deemed by the EU Commission to guarantee an adequate level of protection of the personal data, or;
b) Service Provider or its sub-processor has provided appropriate safeguards pursuant to article 46 of the GDPR, or;
c) The transfer and rights and freedoms of the data subjects are protected through approved Binding Corporate Rules pursuant to Article 47 of the GDPR, or;
d) The transfer and rights and freedoms of the data subjects are protected through the Commission’s Standard Contractual Clauses (as may be amended, updated and/or replaced by competent EU authority from time to time), together with; as the case may be, as appropriate;
e) Appropriate measures having been adopted in conformity with applicable EU recommendations or guidelines (including those issued by EDPB).
1.4.5 Obligation of Confidentiality
The Data Processor must ensure that any person who will process personal data under this Data Processing Agreement is either covered by a statutory obligation of confidentiality or have undertaken the same in a binding agreement. Confidentiality shall apply with regards to all information processed by the Data Processor under this Data Processing Agreement and the information shall remain confidential also after this Data Processing Agreement has terminated. Access to personal data may only be granted to such person who needs it in order to carry out its duties.
1.4.6 Incident Reporting
The Data Processor must promptly notify the Data Controller of any security incidents where such incidents have resulted in or are likely to result in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the personal data covered by this Data Processing Agreement.
Upon request from the Data Controller, the Data Processor must promptly provide the Data Controller with all requested information about the incident such as the facts relating to the incident, its effects and the remedial action taken and cooperate with the Data Controller in communicating about the incident with the supervisory authority where necessary.
1.4.7 Assistance with fulfilling obligations towards the data subjects and authorities
Service Provider shall notify Customer without delay if Service Provider receives a request from a data subject regarding his or her rights, such as information, correction or deletion of the data subject’s personal data. Service Provider shall not respond to such a request without Customer’s written consent, except for the purpose of notifying the data subject that the request has been received and forwarded to Customer. Service Provider shall render Customer reasonable assistance in managing data subjects’ inquiries and rights, unless Service Provider is prevented from doing so by law or by official decision. Service Provider shall further notify Customer without delay if a government authority contacts Service Provider regarding personal data processed hereunder (unless prevented under law to provide such a notification). At Customer’s request, Service Provider shall, to a reasonable extent, assist Customer with official communication and shall otherwise provide information so that Customer is able to respond to the official communication within reasonable time. Service Provider has no right to respond on Customer’s behalf or act in Customer’s name. Service Provider reserves the right to charge on a time and material basis for work performed assisting Customer to fulfil its obligations in relation to data subjects and authorities.
1.4.8 Return or removal of personal data
Without undue delay after the of expiration or termination of the Service Agreement, Service Provider shall delete, or, where requested by Customer in writing, return all personal data processed under this Data Processing Agreement.
1.5.1 Service Provider is only liable for claims and damages from a data subject or a third party and administrative penalties from an authority targeting Customer or otherwise, where Service Provider or a sub-processor has failed to fulfil its obligations according to the Data Processing Agreement and relevant data protection laws. Customer shall indemnify Service Provider with respect to any claims and damages from a data subject or a third party and administrative penalties from an authority not caused by Service Provider.
1.5.2 WITHOUT PREJUDICE TO ANY EXPRESS RIGHT OR REMEDY AVAILABLE TO DATA SUBJECTS PROVIDED UNDER APPLICABLE DATA PROTECTION LAWS, ANY LIABILITY FOR SERVICE PROVIDER ARISING OUT OF OR IN CONNECTION WITH THIS DATA PROCESSING AGREEMENT (WHETHER IN CONTRACT, TORT OR OTHERWISE) IS, AS BETWEEN THE PARTIES, LIMITED TO DIRECT DAMAGES (EXCLUDING ANY INDIRECT, CONSE¬QUENTIAL, SPECIAL OR INCIDENTAL COST, LOSS OR DAMAGE OF ANY KIND) AND SUBJECT TO THE APPLICABLE PROVISIONS ON LIMITATION OF LIABILITY OF THE SERVICE AGREEMENT. CUSTOMER´S AND ANY OTHER CONTROLLER’S CLAIMS IN THE AGGREGATE, AND THE TOTAL AND AGGREGATE LIABILITY SHALL, IN ANY EVENT, FOR ANY CALENDAR YEAR BE CAPPED AT AN AMOUNT CORRESPONDING WITH FIFTY (50) PERCENT OF THE TOTAL FEES PAID BY CUSTOMER UNDER THE SERVICE AGREEMENT FOR THE APPLICABLE SERVICE DURING TWELVE (12) MONTHS PRECEDING THE DATE OF THE OCCCURANCE OF THE CLAIM FORMING BASIS FOR LIABILITY. FOR CLARITY, ANY CLAIM, OR MULTIPLE INTERLINKED CLAIMS, SHALL BE SUBJECT TO THE LIABILITY CAP APPLICABLE AT THE DATE ON WHICH THE EVENT OR CIRCUMSTANCE FORMING THE BASIS FOR THE CLAIM(S) FIRST OCCURRED.
1.6 The right to renegotiate
Both Parties have the right to request the renegotiation of this Data Processing Agreement including instructions and other Appendices, in the event of:– modification of the applicable legislation or interpretation thereof in a way that affects the processing of personal data covered by this Data Processing Agreement.
If reasonable grounds exist to suspect non-compliance of this Data Processing Agreement or appliable data protection laws on Service Provider´s part, or if otherwise required under applicable data protection laws, Service Provider shall, upon Customer’s request make all necessary information available to demonstrate compliance hereof and allow for audits, including inspections, to be performed by Customer or its representative. Customer shall endeavor to perform such audit without causing significant interruptions to the Service Provider’s regular operations (e.g. to perform any such measures under reasonable time, place and manner conditions, during regular business hours) and subject to Service Provider´s security policies. Customer will primarily rely on applicable existing audit reports or other available verification, if any, to confirm Service Provider´s compliance and avoid unnecessary repetitive audits; unless required by applicable data protection laws, audits will not be made more than once in any twelve-month period. The audit shall not grant Customer access to trade secrets or proprietary information unless required to comply with applicable data protection laws (and Service Provider shall in particular not be obliged, with regard to any information request or audit, to provide access to any pricing or other commercial information. Customer shall, within a reasonable period of time (at least thirty (30) days), notify Service Provider before such an audit unless otherwise required by a government authority. Customer and any persons conducting an audit, must enter into adequate confidentiality undertakings prior to such audit and be conducted so as not to jeopardise the security of information belonging to other customers. In the event that Customer uses a representative/third party auditor, then Service Provider may oppose to such appointment if such representative/auditor is a competitor of Service Provider or Service Provider has other justifiable grounds for objection. Notwithstanding the foregoing, Customer accepts that any requirements that Customer (itself or on behalf of any controller referenced herein) may have with regard to the purposes of processing personal data hereunder, or any requests made by Customer for information, assistance or activities to be performed by Service Provider, that extend beyond Service Provider’s ordinary routines or policies, or what is otherwise commercially reasonable, may be subject to conditions and to additional charges. Service Provider shall endeavor to procure that Customer is similarly entitled to conduct audits with respect to sub-processors.
APPENDIX 1 – DATA SUBJECTS, PROCESSED DATA, PURPOSE
The processing of personal data under the Data Processing Agreement applies to the following categories of data subjects:
- School administrators,
- System administrators,
- Support personnel,
- School management,
- Other users who access the Service.
- Users appearing in Customer Content.
- Data subjects (other than Users) appearing in Customer Content.
CATEGORIES OF PROCESSED DATA
Categories of processed data are set out below:
- Name, personal identification number, mobile telephone number, email address
- User identification number
- User generated data
- Names, pictures, images, photos, voices/audio of data subjects appearing in Customer Content.
- Plans and assignments
- Assessment, verdicts and comments
- Reasonable adjustments and comments
- Messages and information
- Student documentation such as individual development plans (IDPs), forward planning, notes and files
IT management details
- Logs and security information
- User roles and permissions
- Data stored in Customer’s Azure Active Directory tenant shared through integration with the Service.
PURPOSE, NATURE, OBJECTIVE AND DURATION OF THE PROCESSING
Customer is the party that decides on the purpose of the processing of personal data under the Service Agreement. The purpose of the processing of personal data by Service Provider is:
a) Providing and utilising the agreed Service such as the provision of subscription and other ancillary services which may be agreed in accordance with the Service Agreement;
b) Implementing, managing and monitoring any underlying infrastructure required to provide Service under the Service Agreement and to fulfil the stipulated technical and organisational requirements for the protection of personal data;
c) Communicating with Customer and Customer’s personnel and Users;
d) Implement Customer’s instructions in accordance with clause 1.2, above; and
e) Handling service problems, incidents or security breaches.
The duration of the processing is limited to the duration of the Service Agreement.
TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY
Haldor is a Swedish company operating a global infrastructure and process data in Sweden and the EU. In case data is transferred to a third country under this Data Processing Agreement, this will be effected in compliance with this Data Processing Agreement and applicable data protection laws and regulations for safeguarding transfers of personal data outside of the EU/EEA.
LIST OF SUB-PROCESSORS
A list of sub-processors utilised at the time of entering into of the Service Agreement is set out below:
APPENDIX 2 – SECURITY MEASURES
Technical and organisational measures
Haldor has implemented technical and organisational measures for the protection of personal data, appropriate with regard to the sensitivity of the personal data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. Measures have been implemented in order to protect the personal data from unauthorized processing such as change, destruction or unauthorised access and dissemination. Service Provider, accordingly, has implemented measures stipulated in Article 32 of the GDPR.
The technical and organisational measures implemented by Haldor are summarized below:
All users log in with their Azure AD / Microsoft 365 accounts. All access to Haldor applications are logged in the customer tenants. Users rights and permissions are controlled by roles in the system.
All data is stored in Azure EU Datacenters. All data is encrypted with state-of-the-art encryption at rest, at the time of writing encryption is done with 256-bit AES Encryption.
All data is encrypted at transit with 256-bit AES encryption.
Access to data and system functionality are based on authority levels and job functions, granted on a need-to-know and least privilege basis. Requests related to access rights follow established processes and are documented.
Change management procedures and tracking mechanisms are designed to test, approve and monitor changes to services and information assets.
Reviews of our policies and measures are carried out regularly and, where necessary, improved.
Employees will complete security and privacy education annually. Regular internal security audits are conducted to verify the security practices.