Data Processing Agreement

This Data Processing Agreement including its appendices (the “DPA”) is entered into between:

(1) Customer, hereinafter (“Controller”); and 

(2) All Ears AB, reg. no. 559075-2100, c/o iOffice, Vasagatan 10, 111 20 Stockholm, hereinafter (“Processor”). Each of Controller and Processor is referred to as a “Party” and jointly as the “Parties”.

  1. Background

    1.1 The Parties have entered into an agreement regarding a web-based media monitoring service (the “Agreement”), where Controller has contracted Processor in order to use the Service which forms the subject matter of the processing of personal data under the Agreement.

    1.2 In light of the above, the Parties have agreed on the following terms in this DPA regarding the processing of personal data under the Agreement.

    1.3 Terms such as “personal data”, “processing” and “data subject” and other expressions not defined in this DPA shall have the same meaning as set out in the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR"), as may be amended, updated, replaced or superseded from time to time, if not expressly stated otherwise.

    1.4 This DPA shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof. In case of conflict between the Agreement and the DPA, this DPA shall take precedence.

  2. Processor’s obligations

    2.1 Processor shall to the extent any personal data is processed by Processor on behalf of Controller under the Agreement:

    (i) only process personal data in accordance with Controller’s documented instructions, unless required to do otherwise under applicable European Union or Member State law. Processor shall in such case inform Controller of such legal obligation unless prohibited by law. Processor shall immediately inform Controller if the Controller’s documented instructions, in the Processor’s opinion, are infringing applicable laws, rules and regulations. Such information shall not be considered as legal advice provided by Processor;

    (ii) ensure that the employees, sub-contractors or other persons that are authorized to process personal data are subject to an obligation of confidentiality or subject to an appropriate statutory duty of confidentiality. Processor is only allowed to disclose personal data to third parties if Controller has given its written consent or if it is required by applicable law;

    (iii) implement appropriate technical and organizational measures required pursuant to Article 32 of the GDPR; 

    (iv) is deemed to have a general authorization from the Controller to engage other processors (“Sub-processors”) for the processing of personal data on behalf of the Controller. Where Processor engages a Sub-processor under this clause, Processor undertakes to ensure that the contract entered into between Processor and any Sub-processor shall impose, as a minimum, data protection obligations not less stringent than those set out in this DPA. Processor shall notify Controller of any intended changes concerning the addition or replacement of Sub-processors, to which the Controller may object. If Controller has made no such objection within ten (10) days from the date of receipt of the notification, Controller is assumed to have made no objection; 

    (v) have the right to cure an objection from Controller as described in (iv) above, at Processor’s sole discretion. If the Processor considers that no corrective option is reasonably available the Processor shall have a right to terminate the Agreement without liability;

    (vi) is deemed to have a general authorization to transfer Personal Data to third countries outside the EU/EEA. When personal data is transferred to a country that does not ensure an adequate level of data protection, the Processor ensures that the transfer is subject to adequate safeguards as stated in Chapter V of the GDPR. Processor is hereby given a clear mandate, on behalf of the Controller, to enter into: 2010/87/EU: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) or decisions and clauses that may replace or amend these;

    (vii) taking into account the nature of the processing and the information available for the Processor, at Controller’s cost, assist the Controller in its obligation to respond to requests from data subjects pursuant to chapter III in the GDPR by implementing appropriate technical and organizational measures, insofar as this is possible;

    (viii) taking into account the nature of processing and the information available to the Processor, at Controller’s cost, assist the Controller to fulfil its obligations pursuant to Articles 32 to 36 in the GDPR;

    (ix) on termination or expiration of the Agreement or on instruction from Controller, upon written request and at Controller’s choice, return or delete all personal data processed under the Agreement at Controller’s cost, unless Processor is required to retain the personal data by applicable laws, rules and regulations. Controller must make such written request fourteen (14) days from the Agreement’s termination or expiration; and

    (x) upon Controller’s request and at the cost of Controller, make available all information necessary to demonstrate Processor's compliance with the obligations laid down in Article 28 in the GDPR and in this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller and accepted by Processor. Processor shall not unreasonably withhold its acceptance. The audit shall be carried out a maximum of once (1) per calendar year, and a written notice shall be sent to the Processor with a notice period of at least sixty (60) days before the audit commences. The audit shall be conducted during Processor’s normal working hours without disturbance to the normal operations of Processor.

  3. Limitation of Liability and Indemnification

    3.1 In case compensation for damages in connection with processing, as established by a court ruling or settlement, is to be paid to the data subject due to a breach of the DPA, the Controller's instructions and/or applicable data protection legislation, Article 82 in the GDPR shall apply.

    3.2 Administrative fines according to Article 83 of the GDPR or Chapter 6 Section 2 of the Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218) (Sw: lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) shall be borne by the Party to which such a fee has been imposed.

  4. Governing Law And Disputes

    4.1 This DPA shall be governed in accordance with the substantive laws of Sweden, with the exclusion of its conflict of laws rules.

    4.2 Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be Swedish. 

    4.3 The Parties agree that all arbitral proceedings arising from this arbitration clause as well as all information, documents and other material contained in such arbitration proceedings shall be confidential and used only for the purpose of arbitration.

__________________________

Schedule 1 – Controller’s instructions 

The following are instructions from the Controller to the Processor for the processing of personal data covered by this DPA.

Processing Activities

The Processor will take the processing measures necessary to be able to provide the services under the Agreement, including but not limited to: collection, storage and reading.

Categories of personal data

The Processor will process the following categories of personal data: name, e-mail address and telephone number.

Categories of data subjects

The Processor will process the following categories of data subjects: The Customer's users of the Services under the Agreement.

Retention period

The Processor will process the personal data until: The Agreement is terminated or the Controller requests in writing that the Processor delete or return all personal data processed under the DPA, unless the Processor is obliged to retain the personal data in accordance with applicable laws, rules and regulations.