Data Processing Agreement
1. Background and purpose
1.1. The parties have entered into an agreement for the provision of services ("Service Agreement"). As part of the Service Agreement, the Personal Data Processor will process personal data on behalf of the Personal Data Controller, either alone or by engaging another personal data processor.
1.2. The purpose of this Agreement is to ensure that personal data is processed in accordance with the Personal Data Controller's instructions and applicable laws and regulations.
1.3. In the event of contradiction between the wording of the provisions of this Agreement and the Service Agreement, the provisions of this Agreement shall prevail unless the parties have expressly stated otherwise.
2. Definitions
2.1. "Agreement" means this Data Processing Agreement and its appendices.
2.2. "Processing" means any operation or set of operations relating to personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.3. "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as data subject), whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data or online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.4. "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2.5. "Filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
2.6. "Data subject" means an identified or identifiable natural person.
2.7. "Sensitive data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
2.8. "System administrator" means the person with the Personal Data Controller who carries out the registration of a natural or legal person with the Personal Data Processor in connection with the signing of the Service Agreement and the start-up of the services.
2.9. The terms defined above and the other concepts and terms used in this Agreement shall have the meaning that the corresponding concepts and terms have under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("General Data Protection Regulation").
3. Obligations of the Personal Data Processor
3.1. Processing of personal data
3.1.1. The Personal Data Processor shall process, on behalf of the Personal Data Controller, personal data of the nature, in the ways, for the purposes, for the duration, of the types of personal data and with regard to the data subject categories specified in this Agreement.
3.1.2. The Personal Data Processor may only process personal data in accordance with documented instructions from the Personal Data Controller, unless an obligation to process follows from applicable data protection legislation. Where such an obligation exists for the Personal Data Processor, the Personal Data Processor shall, before processing the personal data, inform the Personal Data Controller of this legal requirement, unless such information is prohibited on important grounds of public interest under such data protection legislation.
3.1.3. The Personal Data Controller confirms that the Personal Data Processor's obligations under this Data Processing Agreement, including Appendix 4, constitute the complete instructions to be followed by the Personal Data Processor. Any changes to the Personal Data Controller's instructions shall be documented in writing and signed by both Parties. The Personal Data Controller is obliged not to allow, without such written agreement, the Personal Data Processor to process other categories of personal data, or to process personal data about data subject categories other than the ones specified in Appendix 4.
3.1.4. If the Personal Data Processor considers that an instruction from the Personal Data Controller is in breach of the General Data Protection Regulation or any other applicable data protection legislation, the Personal Data Processor shall immediately inform the Personal Data Controller thereof.
3.1.5. If the Personal Data Processor lacks instructions that it deems necessary to carry out the processing of personal data, the Personal Data Processor shall inform the Personal Data Controller thereof immediately and shall await the instructions that the Personal Data Controller deems necessary, which the Personal Data Controller shall notify to the Personal Data Processor.
3.1.6. The Personal Data Controller confirms that a System Administrator has the right to provide, on behalf of the Personal Data Controller, the Personal Data Processor with such instructions regarding the processing of personal data by the Personal Data Processor as are necessary for the System Administrator and the Personal Data Processor to fulfil their respective obligations towards the Personal Data Controller.
3.1.7. If the Personal Data Controller, pursuant to an agreement with a third party on the said party's provision to the Personal Data Controller of services to be integrated with the Services, activates and approves such integration, the parties hereby confirm that the Personal Data Processor is obliged, and entitled, to disclose to such third party and receive from it the personal data necessary for the Personal Data Processor to disclose and receive, respectively, in order for such third party and the Personal Data Processor to be able to fulfil their respective obligations to the Personal Data Controller.
3.2. Confidentiality and data protection
3.2.1. The Personal Data Processor shall take appropriate technical and organisational measures to ensure that the processing of personal data complies with the requirements of the General Data Protection Regulation and the Agreement, as well as otherwise ensure that the rights of data subjects are protected.
3.2.2. The Personal Data Processor has engaged the personal data processors which the Personal Data Controller hereby approves, and shall comply with the security measures set out in the Appendix. The Personal Data Processor may alter these security measures without the prior consent of the Personal Data Controller, provided that the alteration is not in conflict with the General Data Protection Regulation. The Personal Data Processor shall ensure that persons authorised to process personal data have undertaken to observe confidentiality or are subject to a statutory obligation of confidentiality, and that they only process personal data in accordance with documented instructions from the Personal Data Controller, unless the persons in question are obliged to do so under the applicable data protection legislation.
3.3. Engaging subprocessors
3.3.1. The Personal Data Controller hereby authorises the Personal Data Processor to engage another personal data processor for the processing of personal data on behalf of the Personal Data Controller. The Personal Data Processor shall inform the Personal Data Controller of any plans to engage new personal data processors or replace personal data processors, so that the Personal Data Controller has the opportunity to object to such change. Such objection shall be made in writing without undue delay after the Personal Data Controller has received the information.
3.3.2. If the Personal Data Processor engages another personal data processor for the processing of personal data on behalf of the Personal Data Controller, the Personal Data Processor shall contractually impose on the other personal data processor the same data protection obligations as the ones applicable to the Personal Data Processor under this Agreement and shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing complies with the requirements of the General Data Protection Regulation.
3.4. Information to the Personal Data Controller
3.4.1. Considering the nature of the processing, the Personal Data Processor shall assist the Personal Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Personal Data Controller can fulfil its obligation to respond to requests for exercising the data subject's rights in accordance with the General Data Protection Regulation.
3.4.2. Taking into account the type of processing and the information that the Personal Data Processor has available, the Personal Data Processor shall assist the Personal Data Controller with the necessary information to allow the Personal Data Controller to fulfil its obligations to carry out impact assessment and prior consultation with the supervisory authority regarding the processing of personal data under this Agreement.
3.4.3. The Personal Data Processor shall grant the Personal Data Controller access to all information necessary to demonstrate compliance with the obligations set out in this Agreement and shall allow for and contribute to audits, including inspections carried out by the Personal Data Controller or by its designated third party.
3.5. Personal data incident
3.5.1. If a personal data incident occurs, the Personal Data Processor shall notify the Personal Data Controller without delay after the incident has come to the attention of the Personal Data Processor.
3.5.2. Immediately after a personal data incident has occurred, the Personal Data Processor shall investigate the extent, nature and likely consequences of the incident, shall take appropriate remedial action to prevent or limit the adverse effects of the incident and, upon request, consult with the Personal Data Controller to determine whether it is obliged to report the incident to the relevant supervisory authority. Immediately after the completion of the investigation, the Personal Data Processor shall provide the following information regarding the personal data incident:
a) description of the nature of the personal data incident, including, if possible, categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data items concerned;
b) the likely consequences of the personal data incident; and
c) the action that the Personal Data Processor has taken or intends to take to remedy the personal data incident and to limit its possible adverse effects.
3.5.3. The Personal Data Processor shall, upon request, provide the Personal Data Controller with comprehensive documentation of all personal data incidents, including the circumstances of the personal data incident, its impact and the remedial action taken.
3.6. Return of personal data
Upon termination of the Agreement, the Personal Data Processor shall, in accordance with the Personal Data Controller's instruction, return all personal data to the Personal Data Controller or alternatively erase all personal data. If such instructions have not been provided within 30 days after the termination of the Agreement at the latest, the Personal Data Processor is entitled to erase all personal data, unless its storage is required by applicable data protection legislation.
3.7. Filing system
3.7.1. The Personal Data Processor shall keep a filing system in electronic form of all processing of personal data performed on behalf of the Personal Data Controller. The filing system shall contain the following information:
a) the name and contact details of the Personal Data Processor or Personal Data Processors and of each Personal Data Controller on whose behalf the Personal Data Processor acts, and, where applicable, of the Personal Data Controller's or Personal Data Processor's representative and data protection officer;
b) the purpose of the processing;
c) the data subject categories and the personal data categories, as well as the estimated deadlines for the erasure of the different categories of data;
d) where applicable, transfers to a third country or an international organisation, stating such third country or international organisation, and, in case of transfers referred to in the second section of Article 49 of the General Data Protection Regulation, documentation of appropriate protective measures;
e) a general description of the technical and organisational security measures referred to in Article 1 of the General Data Protection Regulation.
3.7.2. At the request of a competent supervisory authority, the Personal Data Processor and the personal data processor it has engaged shall make the filing system available to the said authority.
3.7.3. If a data subject requests a filing system extract regarding the processing of their personal data, the Personal Data Processor shall, at the request of the Personal Data Controller, provide filing system extracts regarding such processing.
4. Requests for information
4.1. In the event that the data subject or another third party, supervisory authority, court or any other authority requests information from the Personal Data Processor relating to the processing of personal data or the content of such data, the Personal Data Processor shall refer to the Personal Data Controller, subject to the obligations of the Personal Data Processor under this Agreement or applicable data protection legislation.
4.2. The Personal Data Processor shall immediately inform the Personal Data Controller of the request for information or other contacts referred to in subsection 1 above, which concerns or may be relevant to the processing of the personal data.
5. Review, inspection and audit
5.1. In order for the Personal Data Controller to verify that the processing of personal data complies with the requirements of this Agreement and the General Data Protection Regulation, the Personal Data Processor shall also allow for and contribute to audits, including inspections, carried out by the Personal Data Controller or by auditors or other personnel authorised by the Personal Data Controller.
5.2. The Personal Data Processor shall allow the Personal Data Controller, alone or through the use of others, to conduct audits regarding the Personal Data Processor's processing of personal data on behalf of the Personal Data Controller. Audits shall, among other things, be possible to conduct regarding the administration of permissions, security procedures, logs, log follow-up and traceability of the processing of personal data that the Personal Data Processor shall maintain in accordance with this Agreement and the General Data Protection Regulation. The Personal Data Processor shall provide the Personal Data Controller with the access and assistance necessary to conduct such audits.
5.3. The Personal Data Processor shall grant the Personal Data Controller the right to investigate, as appropriate and to a reasonable extent, unauthorised access to the personal data.
6. Method of transfer of personal data
6.1. The transfer of personal data between the Parties shall take place on a medium agreed between the Parties.
6.2. If a data subject has submitted a request for action in electronic form, the data protection officer shall, if possible, provide the information in electronic form.
7. Rights and permissions
7.1. The Personal Data Processor is fully responsible for ensuring that it has all the rights required for its signing and fulfilment of the Data Processing Agreement. Thus, the Personal Data Processor shall, among other things, ensure that it holds all the rights required for the fulfilment of its obligations and shall ensure that its fulfilment of the obligations does not constitute an infringement of the rights of third parties.
7.2. The Personal Data Processor does not have the right to represent the Personal Data Controller or otherwise act on its behalf without special agreement to this effect.
7.3. The Personal Data Processor obtains no rights to the personal data processed under this Data Processing Agreement or to the outcome of such processing.
8. Processing of personal data in another country
8.1. The Personal Data Processor or a party engaged by it may only transfer personal data to a third country if the conditions of Chapter V of the General Data Protection Regulation are met. The Personal Data Processor shall, at the request of the Personal Data Controller, provide a written description of how the said conditions are met.
9. Obligations of the Personal Data Controller
9.1. The Personal Data Controller is responsible for ensuring that the processing of personal data which it entrusts to the Personal Data Processor has a legal basis, is necessary for the purpose(s) used as the basis for the processing, and is otherwise permitted under the General Data Protection Regulation and other applicable data protection legislation.
9.2. The Personal Data Controller is fully responsible for ensuring that it has all the rights required for its signing and fulfilment of the Data Processing Agreement. Thus, the Personal Data Controller shall, among other things, ensure that it holds all such permits and consents, and fulfils all other requirements that apply to its lawful fulfilment of this Agreement, and that the performance thereof does not constitute an infringement of the rights of third parties.
9.3. The Personal Data Controller shall provide the Personal Data Processor with such instructions regarding personal data as are necessary for the Personal Data Processor to fulfil its obligations under this Agreement and the General Data Protection Regulation.
9.4. The Personal Data Controller shall inform the Personal Data Processor of the nature of the personal data to be processed on behalf of the Personal Data Controller and, in particular, whether the personal data can be considered sensitive data. In such case, the Personal Data Controller is obliged to identify the security measures that may be required when processing such personal data and not to allow the Personal Data Processor to process the data before such security measures are taken.
9.5. The Personal Data Controller shall, without delay, inform the Personal Data Processor of such circumstances of which the Personal Data Controller becomes aware and which can reasonably be assumed to be of importance for the Personal Data Processor's fulfilment of its obligations under this Agreement.
9.6. The Personal Data Controller does not have the right to represent the Personal Data Processor or otherwise act on its behalf without prior special agreement with the Personal Data Processor.
10. Responsibility when processing personal data
10.1. The Personal Data Processor shall indemnify the Personal Data Controller against any compensation claims, sanctions or other claims made against the Personal Data Controller due to a breach of this Agreement or the General Data Protection Regulation, subject to the limitation of liability arising from the Service Agreement.
10.2. However, the Personal Data Processor is never responsible for damage suffered by the Personal Data Controller that is attributable to the Personal Data Processor's acting in accordance with instructions communicated by the Personal Data Controller. The Personal Data Controller shall indemnify the Personal Data Processor against compensation claims, sanctions or other claims directed against the Personal Data Processor on account of actions in accordance with such issued instructions.
10.3. Before a Party commences negotiations, enters into a conciliation or signs another agreement with the data subject, an authority or another third party as a result of section 10 above, the Party shall inform the other Party thereof and give the other Party the opportunity to assist or otherwise appropriately safeguard its interests.
11. Remuneration
11.1. The Personal Data Processor shall be entitled to full remuneration for work and actions, as well as for expenses and other costs, resulting from the Personal Data Processor's obligations under the Agreement. Unless otherwise agreed, remuneration shall be paid in accordance with the Personal Data Processor's current price list and, as regards expenses and other costs, shall correspond to the Personal Data Processor's actual costs.
12. Contract period
12.1. This Agreement shall come into force when signed by both Parties and shall remain in force thereafter until the Service Agreement expires.
13. Disputes
13.1. Disputes regarding the interpretation and/or application of this Agreement shall be settled in accordance with Swedish law, excluding its rules on private international law.
13.2. Disputes must be settled by a Swedish public court where the Personal Data Processor has its registered office.
Attachment 1
Instructions
These instructions constitute an integral part of the Agreement and shall be followed by the Personal Data Processor when processing personal data on behalf of the Personal Data Controller.
CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS
The personal data that the Personal Data Processor shall process in connection with the provision of services under the Service Agreement consists of:
1. name, address, telephone number and email address of customers of the personal data controller.
TYPE OF PROCESSING
Transfer of personal data in order to fulfil the Personal Data Processor's obligations in accordance with section 3 of the Data Processing Agreement. Processing is done as follows:
1. Collection
2. Registration
3. Storage
4. Reading
5. Erasure
6. Statistical analysis
PURPOSE OF PROCESSING
The processing of personal data takes place for the following purposes:
- Exercise of the right of withdrawal under Act (2005:59) on distance contracts and off-premises contracts
- Complaint case
- Insurance case
- Statistical analysis
PHYSICAL LOCATION WHERE THE PROCESSING IS PERFORMED
- The company's operational sites within the EU/EEA
- Data centers within the EU/EEA operated by Cloudist AB
- Data centers within the EU/EEA operated by Microsoft, Nordic region
DURATION OF PROCESSING
The processing of personal data will take place for periods of time determined according to the following criteria:
Attachment 2
Security measures
The technical and organisational measures to ensure a level of security shall form an integral part of the Agreement and shall be followed by the Personal Data Processor when carrying out the processing of personal data.
a) Physical security. Personal data-bearing systems must be protected against power outages and other disturbances in technical supply. Locations where personal data is stored, such as server halls, shall be protected by appropriate access controls to ensure that only authorised personnel are granted access. There must also be satisfactory protection against theft and events that may destroy IT systems and storage media.
b) Access control. When the Personal Data Processor's computer equipment and removable data media that contain, or can provide access to, personal data that the Personal Data Processor processes on behalf of the Personal Data Controller are not under supervision, the equipment and media must be locked away in order to be protected against unauthorised use and influence. Otherwise, the personal data shall be encrypted.
c) Malware protection. Personal data-bearing systems must be protected against viruses, Trojan horses and other forms of malicious software and digital intrusion.
d) Backup. The personal data shall be regularly transferred to backup copies. The backups must be kept separately and well protected so that the personal data can be recreated after a disturbance. The Personal Data Processor shall have a documented procedure for backup and for restoration of backup copies, as well as for restoration tests.
e) Authorisation check. A technical access control system shall control access to the personal data of the Personal Data Controller. Access shall be limited to those who need the data for their work. User identities and passwords are personal and may not be transferred to anyone else. There shall be procedures for the assignment and revocation of authorisations.
f) Logging. It shall be possible to follow up access to personal data afterwards through logs or similar. The documentation shall be verifiable by the Personal Data Processor and shall be reported back to the Personal Data Controller.
g) Data communication. The external data communication connection shall be protected by a technical function that secures the connection. Personal data transferred via computer communication outside premises controlled by the Personal Data Processor shall be protected by encryption.
h) Erasure. When fixed or removable storage media containing the personal data are no longer to be used for their purpose, the data shall be erased in such a manner that it cannot be restored.
i) Repair and service. When repair and service of computer equipment used to store the Personal Data Controller's personal data are carried out by a party other than the Personal Data Processor, contracts governing security and confidentiality shall be signed with the service provider. During service visits, the service shall be performed under the supervision of the Personal Data Processor. If this is not possible, storage media containing personal data shall be removed. Service via remote-controlled data communication may only take place following secure electronic identification of the person performing the service. Service personnel shall be granted access to the system only at the time of service. If there is a separate communication input for the service, it shall be closed when the service is not in progress.
j) Personal data incident. The Personal Data Processor shall have procedures to promptly notify the Personal Data Controller upon detection of unauthorised access to, destruction or modification of personal data or similar privacy incidents, as well as attempts thereto. There shall be appropriate and adequate processes in place to ensure the availability of and access to the personal data in the event of personal data incidents. In addition, the Personal Data Processor shall have procedures in place to remedy the personal data incident, including, where appropriate, measures to mitigate its potential adverse effects.
k) Pseudonymisation. The personal data shall, as far as possible, be pseudonymised.
l) Transparency. The Personal Data Controller shall have the right to investigate unauthorised access to, destruction or modification of personal data or similar personal data incidents, as well as attempts thereto, at the Personal Data Processor's premises.