DATA PROCESSING AGREEMENT
1. Background
The Supplier and the Customer have entered into an agreement that includes Takeback service(s) listed in the General Terms of Sales (the “Agreement”) purchased by the Customer (the “Services”). Under the Agreement and in accordance with this DPA (as defined below), Supplier will from time to time and on behalf of the Customer process personal data for which the Customer is controller.
2. Definitions
“Applicable Data Protection Legislation” means, unless otherwise agreed in writing between the Parties; (i) the General Data Protection Regulation, (ii) the national data protection legislation in Sweden; Denmark, Norway and/or Finland, as applicable for the Services; and (iii) the Data Protection Authority regulations and decisions applicable to the processing of personal data under this DPA in Sweden, Denmark, Norway and/or Finland, as applicable.
“Customer Equipment” means computers and other equipment owned, rented or leased by the Customer or the Customer’s operations provider.
“Supplier” means relevant Dustin company within Dustin group, as listed in Appendix A, and where relevant each person/entity authorized to perform work on behalf of a company listed in Appendix A.
“Supplier Equipment” means computers and other equipment owned, rented or leased by the Supplier or the Supplier’s operations provider.
“DPA” means this data processing agreement and attached appendices, as well as all changes to the aforementioned resulting from provisions of the Agreement.
“Security Measures” means the appropriate technical and organizational measures necessary to comply with Applicable Data Protection Legislation, listed in Appendix A or otherwise necessary to protect the personal data being processed from data breaches.
“Third Country” means a country outside EU/EES.
3. Processing of personal data
3.1 Instructions
The Customer is responsible for the processing of personal data being carried out in compliance with the Applicable Data Protection Legislation in its capacity as controller. The Customer must ensure that the Supplier does not process other categories of personal data on behalf of the Customer than the categories of personal data listed in Appendix A for the relevant Services and in the scope stated therein.
The Supplier shall only process personal data in accordance with documented instructions of the Customer, unless the Supplier is otherwise obligated to process personal data under Swedish, Danish, Norwegian, Finnish and/or EU law, as applicable. In such cases, the Supplier will, to the extent allowed under applicable law, inform the Customer of such legal obligations before the processing is commenced.
Either Party must ensure that the other Party has the right to process contact information and other types of personal data of the other Party’s employees if and to the extent such processing is necessary to provide the Services.
The Supplier may not process personal data for its own purposes or other purposes except as set out in the DPA and the Agreement. The Supplier is entitled to process personal data for the purposes of providing, maintaining and providing support for the Services.
This DPA and the Customer’s use of the Service are the Customer’s complete and final instructions to the Supplier with regard to processing of personal data, with the exception of any written instructions the Customer is obliged to provide Supplier in order to comply with Applicable Data Protection Legislation. Any other changes must be agreed separately in writing between the Parties, including but not limited to changes relating to Appendix A. If the Supplier accepts the adjusted instructions, the Supplier is entitled to reasonable compensation for adapting to such instructions.
3.2 Security Measures
The Supplier shall take appropriate technical and organizational security measures, which include the measures set out in Appendix A in addition to the Supplier’s applicable internal IT safety regulation applies to the delivery of the Services, and the Supplier may adjust such regulations during the term of the Agreement.
In taking the above-mentioned technical and organizational security measures, the Supplier has taken into account the state of the art, the implementation costs of the security measures, the nature, scope, and context of the processing, the purposes and the intended use of its Services as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects that it may expect in view of the intended use of the Services.
The Customer is responsible for ensuring that the Security Measures fulfils the Customer’s obligations related to adequate safety for the personal data being processed under Applicable Data Protection Legislation.
4. Reporting of data breaches
If the Supplier becomes aware of a data breach, the Supplier must inform the Customer without undue delay and in accordance with Applicable Data Protection Legislation.
5. Sub-processors and transfers to third countries
The Supplier is entitled to subcontract processing of personal data to subprocessors within and outside of the EU/EEA. The Customer hereby approves that processing of personal data may be carried out by the sub-processors, if any, listed in Appendix A in the countries stated therein. The Supplier must ensure that sub-processors are bound by written agreements that provide at least the same level of data protection as the obligations under this DPA. If any subprocessor fails to fulfil the obligations in accordance with above, the Supplier is responsible for the non-performance of such sub-processors’ obligations.
The Supplier will inform the Customer of any intentions to replace or hire a new sub-processor. The information will include an indication of the name of the sub-processor and the geographic location of the processing of personal data. The Customer has the right to submit a written objection to the replacement or hiring of such new subprocessor within fourteen days from receipt of notice.
The Supplier must ensure that there is a legal basis for transfer of personal data to a Third Country. Such legal basis may be standard data protection clauses adopted by the EU Commission or other equivalent provisions.
6. Assistance with requests from data subjects
In addition to what follows from section 3.2, the Supplier must implement adequate technical and organizational measures in order to, at the written request of the Customer, be able to assist the Customer in fulfilling the rights of the data subjects as set out in the General Data Protection Regulation. The Supplier’s obligation under this provision only applies to the extent such assistance is reasonably possible and to the extent the processing of personal data requires such obligation.
In addition to the above and taking into consideration the nature of the processing and the information available to the Supplier, the Supplier must at the written request of the Customer assist so that the Customer can fulfil the obligations imposed on it related to safety for personal data, data breaches, data protection impact assessment and prior consultation in accordance with Applicable Data Protection Legislation.
The Supplier is entitled to reasonable compensation for the assistance provided under this section 6.
7. Confidentiality and disclosure of personal data
The Supplier must not disclose the Customer’s personal data under this DPA to a data subject or a third party, unless otherwise stated in the Agreement or provided by law, a judicial decision or an official decision. If the Supplier discloses such information due to legal requirements, a judicial decision or an official decision the Supplier will inform the Customer of the disclosure unless prohibited by the law, judicial decision or official decision in question.
The Supplier must without undue delay inform the Customer if the data subject requests information related to the processing of personal data under this DPA and refer the data subject to the Customer. The Supplier will assist the Customer in responding to such requests in accordance with section 6 above.
The Supplier and its representatives are obligated under Applicable Data Protection Legislation to co-operate with competent supervisory authorities. The Supplier will inform the Customer of such request without unreasonable delay if the request specifically concerns the processing of personal data under this DPA. The Supplier will not represent the Customer or act on behalf of the Customer in such requests from a supervisory authority. The Supplier is entitled to reasonable compensation for its work with inquiries related to the Customer subject to the enquiry not resulting from Supplier’s breach of its obligations under this DPA.
8. Compensation
In addition to what is stated in this DPA, the Supplier is entitled to reasonable compensation for complying with the Customer's written instructions unless the requested action is specifically stated in the Agreement. If the Supplier is entitled to compensation for work performed, the Supplier’s current price list will apply unless otherwise stated in the Agreement.
9. Liability
9.1 General
If the Supplier is liable to pay damages to data subjects in accordance with Applicable Data Protection Legislation, and the Customer has participated in the processing of personal data that forms the basis of the data subjects’ claims, the Customer must reimburse the Supplier for the part of the damages that the Supplier is obligated to pay to data subjects that is attributable to the Customer’s non-performance of its obligations or the Customer’s instructions to the Supplier. In addition, the Customer must reimburse Supplier for its reasonable costs relating to the Supplier’s defense against claims from data subjects (including what Supplier has been ordered to pay to data subjects).
If the Customer is liable to pay damages to data subjects in accordance with Applicable Data Protection Legislation, and the Supplier has participated in the processing of personal data that forms the basis of the data subjects’ claims, the Supplier must reimburse the Customer for the part of the damages that the Customer is obligated to pay and which is attributable to the Supplier’s nonperformance of its obligations under Applicable Data Protection Legislation or this DPA. In addition, the Supplier must reimburse the Customer for its reasonable costs relating to the Customer’s defense against claims from data subjects (including what the Customer has been ordered to pay to data subjects). The Supplier’s total liability under this DPA is limited to 150 percent of the service fee for the first twelve months of the Services, unless the Supplier has caused the damage by intent or gross negligence.
A Party’s liability for damages other than expressly stated herein is governed by the Agreement.
9.2 Notification, right of information etc.
A Party that is subject to claims from data subjects must within reasonable time (i) inform the other Party in writing of any claims made that may result in claims against the other Party pursuant to this section 9; and (ii) allow the other Party insight to the documents in such proceedings, both from the Party and from the data subject, and allow the other Party to submit comments to such documents.
Claims for reimbursement of the other Party under this section 9 is subject to following the rules above and may be raised no later than six months after the Party has been obliged to pay damages to data subjects.
10. Audits
The Supplier will provide the Customer access to any information which may reasonably be needed to prove that the obligations imposed upon processors under Applicable Data Protection Legislation has been fulfilled. This includes providing reasonable assistance in audits and inspections, carried out by the Customer or an auditor appointed by the Customer. Inspections may only be done if an audit cannot be completed by the Supplier’s disclosure of information. Supplier must be informed about an inspection in good time prior to the intended date of inspection with specification of the scope and purpose of the inspection. The Supplier is entitled to reasonable compensation for the costs associated with the implementation of such audit or inspection.
Prior to an audit or inspection, the Customer or the auditor appointed by the Customer must meet the necessary confidentiality obligations and comply with the Supplier’s security regulations at the place of inspection. The inspection must not hinder the Supplier’s business or risk the protection of other customers' information. Information gathered as part of the audit must be deleted after completed audit or when it is no longer necessary for the purpose of the audit.
11. Term and termination
This DPA is valid as long as the Supplier processes personal data on behalf of the Customer and terminates automatically in connection with the Agreement when the Supplier no longer provides any Services to the Customer; however, a Party’s liability under this DPA applies also after the termination of this Agreement.
Upon termination of this DPA, the Supplier must delete or return the Customer’s personal data to the Customer or to a third Party at the instruction of the Customer, including data being processed on Supplier Equipment but excluding data being processed on Customer Equipment. The personal data stored electronically may be provided electronically after the Customer's instructions, if reasonable. The Customer’s request of deletion or return must be submitted within sixty days of the termination of this DPA. After expiration of the period above, and unless otherwise required under Swedish, Danish, Norwegian, Finnish and/or EU law, as applicable, the Supplier may delete existing copies of the personal data. After the return of the personal data, or if the return of personal data has not been requested by the Customer after the expiration of the above period, the Supplier will delete the Customer’s personal data within reasonable time, but no later than six months after the termination of this DPA.
After the termination of this DPA, the Supplier may not process personal data for any other purpose than to delete the personal data or to protect the personal data from data breaches, unless otherwise proved under Swedish, Danish, Norwegian, Finnish and/or EU law, as applicable. The Supplier has the right to reasonable compensation for the work performed under this section 11.
APPENDIX A. TO DATA PROCESSING AGREEMENT
Specification over processing of personal data in connection with Takeback Services
INSTRUCTIONS | ||
|---|---|---|
1.1 Short description of the Service and the purpose of the processing activity | State all purposes for which personal data will be processed by the Supplier: Supplier will process personal data as necessary to perform the Services pursuant to the Agreement and as further specified in the Service Description, and as further instructed by Customer in its use of the Service. | |
1.2 Categories of personal data | List the types of personal data that will be processed by the Supplier: The Supplier will process (delete) personal data stored on the Customer’s IT equipment, in accordance with the Service Description. The information on any storage media provided by the Customer is dependable on the use of the equipment by the users, and hence not known by Supplier and may be any kind of personal data. List the types of special categories of personal data that will be processed by the Supplier (if any): Personal data stored on Customer’s devices, provided to Supplier within the Service, is dependent on the users’ usage of such devices. Due to this, special categories of personal data may be processed (deleted). | |
1.3 Categories of data subjects | List the categories of data subjects that the Supplier will process personal data on and the scope of processing: The content of any storage media provided by the Customer is dependable on the use of the equipment by the users, and hence it is not known by Supplier which data subjects the personal data may relate to. | |
1.4 Processing activities (storage, administration etc.) | List the processing activities that will be performed by the Supplier: Deleting of storage media on equipment provided by the Customer either by securely overwriting the media or secure destruction of the media/equipment. | |
1.5 Place for processing | List all countries in which personal data may be stored and/or processed by the Supplier: Personal data will be processed by the Supplier in Sweden. |
SECURITY MEASURES | ||
|---|---|---|
State all organizational and technical security measures that will be implemented by the Supplier | ||
2.1 Physical access control | Measures to prevent physical access of unauthorized persons to IT systems that handle personal Data: Access to buildings is restricted using personal access cards with personal pin code and access is only granted to authorized personnel during certain hours of the day. This applies to both office and production environments. Access to production area is restricted even further to only include authorized personnel operating to provide the Service. The buildings are protected by security level 2 alarm, connected to a thirdparty security company. The security company does daily inspection of the premises. Activation of alarm is automated and set to a specific time point in the evening. | |
2.2 System access control | Measures that prevent unauthorized persons from using IT systems and processes: Access rights are implemented on a need-to-know basis, ensuring that personnel only have access to information they need to be able to fulfill their tasks within the responsibility of their roles. Access controls are reviewed regularly within a predefined time frequency to ensure that access rights remain up-to-date and relevant. | |
2.3 Data access control | Measures to ensure that persons authorized to use the IT system have access only to the personal data pursuant to their access rights: Due to the nature of the Service, Supplier will not access the data, no processing will be performed by Supplier except deletion. | |
2.4 Transmission access control | Measures to ensure that personal data cannot be read, copied, altered or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of personal data is to be done via data transmission systems: Due to the nature of the Service, Supplier will not transmit personal data electronically. Devices are transported in locked safe boxes with different pin codes for each safe box. The production team scans the applicable box numbers and link the applicable safe boxes to the specific order. The safe boxes are locked when shipped out empty and Customer is responsible for locking safe boxes prior to shipment back to Supplier. Safe boxes are opened when arriving to Supplier and photos are taken to document the content of the boxes. Lock codes are changed with a preset time frequency to prevent unauthorized access to safe boxes. | |
2.5 Data Entry access control | Measures to ensure that it can be subsequently reviewed and determined if and from whom personal data was entered, altered or deleted in the IT system: Access to systems is logged and monitored, to create a trail for audits and revisions in security and processes for accountability. | |
2.6 Availability control | Measures to ensure that personal data are protected against accidental destruction or loss: Due to the nature of the Service, the intention will always be to delete data stored on devices provided by Customer to Supplier. | |
2.7 Separation control | Measures to ensure that personal data collected for different purposes can be processed separately: Not applicable, Supplier will not process personal data on behalf of Customer for any other purposes than deletion. | |
2.8 Secure Erasure Process controls | The process for return, erasure and onward supply has been built to ensure secure handling of the items returned at all times. The key security measures are as follows:
| |
2.9 Retention rules | Measures to ensure that personal data is adequately erased or destroyed when use of the personal data is no longer reasonable or necessary: During term of agreement: Due to the nature of the Service, Supplier will always delete or destroy the personal data as part of delivering the Service, within two 2 months from the date the products were handed over to Dustin. After expiry of the term of the agreement: Supplier will not process the personal data for any other purpose than deletion. Deletion or return of personal data after expiry of the term of the agreement will therefore not apply for the Service. |