Data Processor Agreement (DPA) - TimeCenter

Version: 2018-05-25

This agreement is an attachment to TimeCenter Terms of Use - Service providers and represents Data Processor Agreement ("The Agreement") between TimeCenter AB with Swedish organization number 556897-7747 ("Data Processor") and the Service provider ("Data Controller") (individually referred to as "Party" and together "Parties") and regulates the processing of End Users personal data.

1 Background

1.1 The parties have reached an agreement on online scheduling ("Service agreement"). According to the Service Agreement, the Data Processor will provide a web-based meeting booking platform ("The Service"). According to the Service Agreement, the Data Processor will process personal data for the Data Controller.

1.2 According to applicable data protection legislation, see section 2.5 below, processing of personal data by a Data Processor for a Data Controller shall be regulated by an agreement. As a result, the parties have entered into the Agreement.

1.3 The purpose of the Agreement is to ensure that the Data Processor's processing of personal data for the Data Controller is in accordance with applicable data protection legislation, authority decisions and Data Controller instructions.

1.4 The agreement forms an annex to the Service Agreement. In case of conflicting provisions, the Agreement shall be given priority.

2 Definitions

2.1 "Personal Data" refers to any information that may be directly or indirectly attributed to an individual who is in life and is processed for the Data Controller.

2.2 "Registered" refers to the physical person to which Personal Data refers.

2.3 "Process" or "Processing" means the action or combination of personal data actions, whether performed automated or not, such as collection, registration, organization, structuring, storage, processing or modification, production, reading, use, delivery by transfer, dissemination or provision by other means, adjustment or assembly, restriction, erasure or destruction.

2.4 "Sub-contractor" means any natural or legal person, authority or other organ employed by the Data Processor for the Data Controller.

2.5 "Current data protection legislation" refers to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, incorporated in Swedish law by the Personal Data Act (1998:204) and the Personal Data Regulation (1998:1191) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Ordinance) with its implementing regulations and any other applicable legislation (including terms and regulations) applicable to the processing of personal data, as this may change over time.

2.6 Concepts and expressions relating to personal data and personal data processing and which begins with lowercase, such as "data controller", "data processor", "personal data incident" etc. shall be given the meaning in the current Data protection legislation.

3 Responsibility and instruction

3.1 The Data Processor undertakes to process only Personal Data on behalf of the Data Controller in accordance with the Service Agreement, the Agreement and in accordance with the documented instructions of the Data Controller at all times.

3.2 Data Controllers' instructions to the Data Controller regarding the type and purpose of the processing, duration, type of personal data and categories of registrants is shown by Attachment 1 - Instructions to the Agreement.

3.3 In the processing of Personal data, the Data Processor shall comply with Applicable data protection legislation and the competent authority's statements and recommendations. The parties agree that the Agreement shall be adjusted if required by applicable Data Protection Act.

3.4 The Data Processor shall notify the Data Controller without delay if the Data Processor has insufficient or incorrect instructions regarding the Data Controller's Processing of Personal Data or if the Data Processor suspects or detects that the Data Controller's instructions violate applicable data protection legislation.

4 Security etc.

4.1 The Data Processor shall, in the Processing of Personal Data, take all appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to protect Personal Data from unauthorized or unlawful processing, accidental or illegal loss, destruction or alteration or unauthorized disclosure or access to such Personal Data. In any event, the Data Processor shall take such measures as may be seen from Attachment 2 - Safety Instructions to the Agreement.

4.2 The Data Processor shall provide, upon request, a summary of the security measures taken for the Data Controller.

4.3 The Data Processor shall without undue delay, but no later than twenty four (24) hours, notify in writing the Data Controller of a suspected or detected personal data incident that may lead to accidental or illegal destruction, loss or change or to unauthorized disclosure or unauthorized access to Personal Data.

4.4 The Data Processor shall provide the Data Controller with the following information regarding the Personal Data Incident:

4.5 The Data Processor shall assist The Data Controller in the Processing of Personal Data with the implementation of impact assessments regarding data protection, prior consultation with the competent supervisory authority, and the design of appropriate technical and organizational measures, as required under applicable data protection legislation.

5 Secrecy

5.1 The Data Processor and the persons working under the supervision of the Data Processor shall, in the processing of personal data, observe confidentiality. Staff or co-workers with the Data Processor with the authorization to process personal data shall enter into a particular confidentiality agreement or be informed that there is a confidentiality by law or agreement.

5.2 The Data Processor's confidentiality obligation also applies after the Agreement has expired.

6 Disclosure of personal data

6.1 In case a Registered, Competent Authority or other third party requests information from the Data Processor regarding Processing of Personal Data, the Data Processor shall refer to the Data Controller. The Data Processor may not disclose Personal Data or other information about the Processing of Personal Data without the instruction from the Data Controller, or whether disclosure is required by law.

6.2 The Data Processor shall promptly inform the Data Controller of any contact with the competent supervisory authority that concerns, or may be of importance to, the Data Processors' Processing of Personal Data. The Data Processor is not entitled to represent the Data Controller or act on his behalf towards the competent supervisory authority.

6.3 The Data Processor shall, without undue delay, assist the Data Controller, in relation to a Request from Registered, for the extradition, rectification, erasure, blocking or transfer of Personal Data, including providing all relevant information and documentation, as far as required under Current data protection legislation. The Data Processor shall not take any action with the result that the Data Controller is considered to act in violation of Current data protection legislation.

7 Sub-contractors

7.1 The Data Processor is entitled to use a Sub-contractor for the fulfillment of the Data Processors' obligations under the Agreement, provided that:

A copy of the sub assistant agreement shall be sent to the Data Controller at the request of the Data Controller.

If the Data Controller uses his/her right to object to the Data Processor's hiring of a new sub-contractor, the Data Processor has the right to terminate the Service Agreement with one (1) month notice without the right of the Data Controller to request compensation for any damage that has arisen in connection with an early termination.

7.2 The Data Processor shall ensure that the Data Controller has knowledge of which Sub-contractor that is Processing Personal Data by providing, at the request of the Data Controller complete, accurate and up-to-date information about all Sub-contractors, where the following information is specified for each Sub-contractor:

7.3 If the Sub-contractor does not fulfill its obligations regarding the Processing of Personal Data under the Sub-contractor Agreement, the Data Processor shall remain fully liable to the Data Controller for the Sub-contractors compliance with the Sub-contractors obligations under the Agreement and Current Data Protection Legislation.

8 Third Country Transfer

8.1 The Data Processor may, by itself or through Sub-contractors, process Personal Data in a third country. If the Data Processor will process Personal Data in a third country, the Data Processor shall:

8.2 If Processing of Personal Data in a Third Country requires that special agreements based on standardized data protection provisions be entered into, the Data Processor has the right to sign the Special Agreement as representative of Data Controller. The Data Controller is entitled to deny approval if the special agreement if it does not meet the requirement for appropriate safety measures under Current Data Protection Legislation.

8.3 The Data Controller is entitled to withdraw a third-party transfer approval at any time under this paragraph. In that case, the Data Processor shall immediately terminate the Processing of Personal Data in third countries and in writing, confirm this to the Data Controller.

9 Insight and follow-up

9.1 The Data Controller is entitled to access facilities, information and records to themselves or third parties in order to verify that the Data Processor, as well as any Sub-contractors, fulfill the obligations described in the Agreement. The Data Controller undertakes to enable and assist the Data Controller as long as it is necessary for the Data Controller to easily be able to verify this.

9.2 The Data Processor shall allow inspections that the competent regulatory authority under applicable Data Protection Legislation may require for the proper processing of personal data. The Data Processor shall comply with the decision of the competent supervisory authority regarding measures to comply with Current Data Protection Legislation.

9.3 The right of transparency pursuant to this paragraph 9 may also be after the Processing of Personal Data has been terminated, if the purpose is to ensure that the Data Processor fulfills its obligations as described in the Agreement.

10 Discontinuation of Processing

10.1 The Data Processor shall, upon termination of the Service Agreement or the Agreement (whichever occurs first) submit Personal Data to the Data Controller within ninety (90) days. After the Data Processor has handed Personal Data to the Data Controller, the Data Processor shall delete Personal Data in such a way that it can not be restored, unless the storage of Personal Data is required by law.

10.2 The Data Processor shall document the actions taken to comply with the obligations set out in this Section 10 and shall provide a copy of such documentation at the request of the Data Controller.

11 Compensation

11.1 The Data Processor has not, in addition to the Service Agreement, the right to special compensation to fulfill obligations under the Agreement or Current Data Protection Legislation.

12 Liability for damage

12.1 Parties responsibility and right to compensation for damages from Registered are regulated in accordance with Article 82 of the General Data Protection Ordinance. Each Party also has the right to receive fair and proportionate compensation for its costs in order to defend itself against the requirements of the Registered. The total liability of the Personal Data Commissioner under the Assistant Agreement pursuant to this Clause 12.1 is limited to an amount corresponding to the annual fee that the Data Controller has paid or will pay under the Service Agreement.

12.2 A party shall make claims for damages to the counterparty for damages under this item 12 no later than six (6) months from the date of the party being liable to the Registered.

12.3 Parties liability for other types of injuries other than those expressly regulated in this section 12 is regulated exclusively in the Service Agreement.

13 Changes to the agreement

13.1 Changes to and additions to the Agreement shall be signed by the Data Controller in order to be binding.

14 Agreement period

14.1 The agreement is coming into force upon electronic approval and will then be applied. The Data Controller is entitled to terminate the Agreement with a notice period of one (1) month. Termination must be in writing.

15 Applicable law and dispute

15.1 For the interpretation and application of the Agreement, Swedish law applies.

15.2 Disputes arising from the Agreement shall be settled as agreed in the Service Agreement.


Attachment 1 - Instructions to the Agreement

The subject of the processing

The subject of the processing is Personal Data as the Data Processor Processes on behalf of the Data Controller in connection with the performance of the Service Agreement.

Type of processing

Processing of Personal Data is performed partly and fully automated and includes the following processing measures:

This description of the processing is supplemented by the Service Agreement.

Purpose of processing

The Data Processor Processes Personal Data for the purpose of providing and delivering the Service to the Data Controller and fulfilling its obligations under the Service Agreement.

Types of personal data

The Data Controller determines which Personal Data to Be Processed by making adjustments to the Service. Processing of Personal Data usually refers to contact information and address.

Categories of registered

Processing of Personal Data includes customers and potential customers of the Data Controller.

Physical location where treatment is performed

Upon the Agreement's signing, Processing of Personal Data is taking in Sweden and the locations that are shown in the table in the Sub-contractors section below. The site where Processing of Personal Data is performed can be changed over time and to the extent permitted by the Agreement.

Duration of processing

Processing of Personal Data is ongoing as long as it is necessary for the Data Processors under the Service Agreement.

Instructions for processing

The Data Processor has the possibility of correcting personal data without further permission from the Data Controller, upon request from a Registered.

Sub-contractors

Name Contact details Type of processing Geographical location
Amazon AWS Ireland Limited aws.amazon.com/contact-us Send email to registered EU/EES
Cellsynt AB www.cellsynt.com/sv/kontakt Send email to registered EU/EES
Rackspace Germany GmbH www.rackspace.com/information/contactus Store data EU/EES

Attachment 2 - Safety Instructions to the Agreement

Physical safety

IT equipment must be protected against power outage and other interference caused by technical supply systems. Space where personal data is stored or otherwise processed (eg server rooms, server halls and offices) shall be protected by appropriate access controls to ensure that only authorized personnel can get access. Employee and visitor identity must be ensured. IT systems and storage media should be protected from damage and theft.

Access Protection

Computer equipment and portable storage media not under surveillance should be locked in order to protect against unauthorized use, impact and theft. Otherwise, personal data must be encrypted.

Computers and mobile devices

Employee computers should be locked automatically in case of inactivity and require strong password for unlocking. The number of open communication ports in the computers should be minimized and firewalls, antimalware software and security updates should be installed and updated regularly. Hard drives of laptops should always be encrypted with a strong key.

Processing of Personal Data on mobile devices shall be limited in accordance with documented procedures. Storage memories of mobile devices should always be protected by encryption. Mobile devices should be protected with a sufficiently strong password and can be automatically deleted if incorrect passwords are entered too many times. Ability to delete personal data from mobile devices via remote access should be provided. Employees shall not be permitted to process Personal Data on Private Computers or Private Mobile Devices.

Authentication

System login should be via personal user ID with password. The password should be strong. It should not be allowed to transfer or share credentials with other people.

Authentication Control

Employees' access to Personal Data shall be regulated by a technical system of access control. Employees should be given the least access when processing Personal Data. Only employees who need access to Personal Data for their work shall be given access. There must be documented procedures for assignment and removal of permissions.

Access Control

Access to user account with access to Personal Data shall be possible to checked with logs. Completed checks must be documented and reported to the Data Controller on request.

Servers

Access to administrative tools and interfaces on servers should be limited. Employees with administrative rights should use strong passwords. It should not be allowed to transfer or share credentials with other people. There should be documented procedures that ensure that important updates for operating systems and applications are installed immediately.

Network security

Networks should be protected against external attacks and loss of information. Wireless networks should be protected with encryption. Inbound and outbound network traffic should be filtered through, for example, firewalls.

Protection against malicious code

There should be documented routines for protecting systems against viruses, trojans and other forms of digital crime.

Backups

Personal data should be routinely transferred to backups. The backups must be kept separate and well protected so that Personal Data can be recovered after a malfunction. There must be documented procedures for backup, reading of backups and backup tests.

Data communication

Connection for external data communication shall be protected with such technical function that ensures that the connection is authorized. Personal data transmitted through computer communications outside premises controlled by the Personal Data Barrier (eg, the Internet) shall be protected by encryption.

Erasure

There should be documented procedures that ensure that Personal Data can be deleted when they are not long enough for the purpose and that they are not possible to recreate.

Repair and service

When repair and service of computer equipment is performed by a person other than the Data Processor, contracts that regulates security and confidentiality shall be met with the service company. During service visits, the service must be under the supervision of the Data Processor. If this is not possible, storage media containing Personal Data will be removed or encrypted.

Service via remote data communication may only be done after the secure electronic identification of the person who performs the service. Service personnel shall be given access to the system only at the time of service. If there is a separate communication for service, it must be closed when service is not in progress.

Personal data incident

There must be documented procedures for promptly notifying the Data Controller in the event of suspected or identified personal data incidents. The Data Processor shall have the ability to restore availability and access to Personal Data in a reasonable time in case of a physical or technical incident.

Separation

The personal data must be separated logically from other personal data.

Pseudonymisation

Personal data should as far as possible be pseudonymized in the development environment.

Staff training

Employees should be trained regularly in data protection (at least once a year). Newly employed employees should be trained in data protection before accessing Personal Data. Completed programs must be documented and reported to the Data Controller on request.