Personal data service agreement
Last updated: 2023-01-24
This personal data processor agreement has been entered into between the "Supplier" Vyer Technologies AB, corporate no. 559089-5891, Sergels torg 12, 111 57 Stockholm, (Person data processor) and the "Customer" (Personal data controller) in connection with the Customer's acceptance of the terms of the Supplier's Subscription Agreement upon the electronic signing of the Order Form regarding the "Views" service. The agreement means, among other things, that the Supplier, as a personal data processor, will process personal data on behalf of the Customer (Personal Data).
Definitions
Terms that are not capitalized, e.g. "treatment", "registered", "personal data incident" etc. shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC ("GDPR") .Other concepts with a capital letter that are not defined in the personal data processor agreement have the same meaning as in the Subscription Agreement.
The treatment
GDPR
The parties undertake to fulfill their obligations under the GDPR and laws implementing or supplementing the GDPR (“Applicable Data Protection Legislation”).
Appropriate
The Supplier may only process Personal Data for the purposes stated in Appendix A and/or according to the Customer's written instructions. The Supplier must immediately inform the Customer if the Supplier considers that the Customer's instructions are contrary to Applicable Data Protection Legislation.
Security and privacy
Requirements for authorized persons
The supplier must implement and maintain all measures required under Article 32 GDPR. The supplier must ensure that all persons authorized to process Personal Data have undertaken to observe confidentiality, or are subject to an appropriate statutory duty of confidentiality.
Personal data incidents
Procedure
The Supplier must notify the Customer without undue delay (if possible, never later than 36 hours) if the Supplier discovers any personal data incident affecting Personal Data. The notification must contain the information required for the Customer to be able to fulfill its obligations according to Article 33–34 GDPR.
Impact assessments and prior consultation
Counseling
The supplier shall assist the Customer with impact assessments regarding data protection and prior consultation with the supervisory authority in accordance with Article 35–36 GDPR, if the Customer requests it.
Communication
Reference
If a registered person, supervisory authority or other third party contacts the Supplier regarding Personal Data, the Supplier must immediately refer the request to the Customer.
Data subject's rights
Rights
If possible and taking into account the nature of the processing, the Supplier shall, through appropriate technical and organizational measures, assist the Customer in fulfilling its obligation to respond to the request for the exercise of the data subject's rights under the GDPR.
Assistants
Prior permission
The supplier hereby receives a general prior permission to engage subcontractors for the processing of Personal Data ("Subcontractors"). The Supplier shall enter into written assistance agreements with all its Sub-Assistants, with at least the same level of obligations as the Supplier has under this assistance agreement.
Information obligation
The Supplier shall inform the Customer of any plans to hire new or replace Sub-Assistants, so that the Customer has the opportunity to object to such changes. Such objection must be notified to the Supplier within thirty (30) days of the Supplier informing the Customer of its plans, after which the Customer shall be deemed to have accepted the Subcontractor in question.
Exception
In the event that the Customer's objection to the employment of a Sub-Assistant, in the Supplier's opinion, opposes the efficient provision of the Supplier's services, the Supplier may withdraw from the Subscription Agreement without any responsibility or obligation to pay a penalty due to such withdrawal with a notice period of thirty (30) days.
Responsibility
The Supplier is responsible for its Sub-Agents as if the processing had been carried out by the Supplier itself. A list of sub-processors, which are considered approved when the personal data processor agreement is entered into, appears in Appendix A.
Transfer outside the EU/EEA
Protective measures
The Supplier may only transfer Personal Data outside the EU/EEA if the Supplier ensures that the transfer is covered by appropriate protective measures, or is otherwise permitted under Applicable Data Protection Legislation.
Allowed transfer mechanism
If the transfer mechanism used to ensure that the transfer is permitted under Applicable Data Protection Legislation would be declared invalid or illegal by the EU Court of Justice, the European Commission or another competent EU institution or national court or authority, the Supplier shall ensure that all processing of Personal Data outside the EU/ EES takes place on the basis of another permitted transfer mechanism according to Applicable Data Protection Legislation.
Proxy
By entering into this assistance agreement, the Customer authorizes the Supplier to represent the Customer when signing standard contract clauses (annex to European Commission decision 2010/87/EU of 5 February 2010 regarding the transfer of Personal Data outside the EU/EEA, or such approved clauses that replace or supplement these, in the Customer's name and on behalf of the Customer.In addition, the Customer expressly accepts that the Supplier may also represent the sub-assistant in question in relation to the standard contract clauses.
Review and control
Controls
The Supplier must give the Customer access to all information that the Customer needs to check that the Supplier fulfills its obligations under this assistance agreement. The Supplier shall also enable and contribute to reviews/inspections which the Customer, with at least ten (10)] days notice, carries out himself or with the help of a third party (but not a competitor of the Supplier).
Confidentiality Agreements
The Customer may only carry out on-site reviews/inspections at the Supplier during the Supplier's normal office hours and shall be carried out in a manner that does not interfere with the Supplier's obligations towards its customers, sub-contractors or third parties. The customer and others who will participate in reviewing/inspecting the Supplier must first sign customary confidentiality agreements with the Supplier.
Transfer and deletion
Upon termination of agreement
When the Subscription Agreement ends or when the Customer requests it, the Supplier shall, without undue delay and according to the Customer's instructions, delete all Personal Data or transfer all Personal Data to the Customer and then delete existing copies.
Exception
The Supplier may save/process Personal Data without hindrance of this assistance agreement if it is required by the Supplier in order for the Supplier to be able to fulfill its legal obligations and the Supplier first informs the Customer of the legal requirement.
Applicable Law and Dispute
Legal enforcement
Swedish law applies to this assistance agreement, with the exception of choice of law rules that involve the application of foreign law. The subscription agreement's provisions on dispute resolution also apply to this assistance agreement.
Responsibility
In case of breach of contract
The supplier must compensate the customer for its damages to the extent that the supplier's actions entailed a breach of the personal data processing agreement or applicable data protection legislation. To the extent permitted by Applicable Data Protection Legislation, the Supplier's liability shall under no circumstances exceed 100% of the compensation paid by the Customer during a calendar year. Otherwise, the same limitations of liability apply as stated in the Subscription Agreement.
Contract period
Validity
This assistance agreement applies from the day it is signed by the parties and until the day the Supplier stops processing Personal Data.
Replacement
Cost price
The Supplier has the right to invoice the Customer for its costs (cost price) to assist the Customer with impact assessments, prior consultations, individual requests for the exercise of the data subject's rights and to transfer and delete Personal Data. The Supplier is also entitled to invoice the Customer for the Supplier's costs (cost price) in connection with the Customer's possible reviews/inspections, unless these prove that the Supplier has grossly breached its obligations under this assistance agreement.
Interpretation
Interpretation privilege
This assistance agreement shall take precedence over the Subscription Agreement in all matters relating to Personal Data.
Appendix A
The object of the treatment
In connection with using the Views service, the Customer and the Customer's Users have the opportunity to save information on their Organization account, for example when marking details in the premises and reporting errors. The information may contain personal data.
Nature and purpose of the treatment
The supplier will process Personal Data for the purpose of:
-
Provide the service according to the Subscription Agreement, as well as otherwise according to the Customer's documented instructions.
-
Store information for the Customer that the customer chooses to save on their Organization account in the Views service.
Categories of registrants
The customer's employees and other persons whose information is needed for the use of the Views service.
Categories of Personal Data
-
Name
-
Phone
-
Mail
-
Position
-
Responsibility
Processing time - thinning deadlines
The Supplier will process Personal Data as long as the Subscription Agreement runs and for a limited time thereafter according to this assistance agreement, unless Personal Data is deleted by the Customer before then.
Assistants
-
Google Cloud Services, Germany, building information storage
-
Sendgrid, USA, email notifications
-
Intercom, USA (In the process of being migrated to the EU), support communicationn
-
Flagsmith, UK, Control access to special functions
-
Mixpanel, EU, usage analysis for service improvement