Data Processing Agreement
SCHEDULE 3 - DATA PROCESSING AGREEMENT
BACKGROUND
(A) This data processing agreement (“DPA”) is part of the agreement between Polygon and the Customer as identified in an Order Form regarding Polygon’s provision of the Polygon Solution (the “Agreement”).
(B) The Agreement includes service(s) which entails that Polygon will process personal data as a data processor to the Customer and such processing is subject to this DPA.
(C) Polygon is defined below as “Processor” and the Customer is defined as “Controller”.
1. DEFINITIONS
1.1 In this DPA, capitalized terms shall have the meanings set out below or if not defined herein, the meanings set forth in Applicable Legislation.
“Agreement” means as defined in the background to this DPA.
“Applicable Legislation” means GDPR and any applicable supplementary laws to GDPR.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council as amended, supplemented and/or varied from time to time.
“Personal Data” means the personal data (as defined in Applicable Legislation) processed under this DPA. The Personal Data processed in the Controller’s services under the DPA are set forth in Appendix 1.
1.2 The parties shall negotiate in good faith and agree on any relevant and necessary amendments and updates to this DPA and the processing carried out hereunder to ensure that it at all times complies with Applicable Legislation during the term of this DPA.
2. INSTRUCTIONS
2.1 The Processor may not process Personal Data for other purposes than what follows from the Controller’s instructions, unless required to do so by Union or Member State law to which the Processor is subject. The Controller’s initial instructions to the Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are set forth in Appendix 1 to this DPA. If the Controller provides new or amended instructions, the Processor is entitled to compensation in accordance with Section 10 for its work to comply with such new or amended instructions.
2.2 Notwithstanding the above, the Processor may undertake reasonable day-to-day actions with the Personal Data without having received specific written instructions from the Controller, provided that the Processor acts for and within the scope of the purposes stated in this DPA.
2.3 The Controller’s instructions for the processing of the Personal Data shall comply with Applicable Legislation. In the event that the Processor considers that any instruction violates Applicable Legislation, the Processor shall refrain from acting on such instructions and shall promptly notify the Controller and await amended instructions.
3. THE CONTROLLER’S OBLIGATION TO PROCESS PERSONAL DATA LAWFULLY
3.1 The Controller shall ensure that a legal ground recognized under Applicable Legislation applies to the processing of the Personal Data, such as explicit and legally valid consent from each data subject for the processing of the Personal Data or another legal ground. The Controller shall further meet all other obligations of a controller under Applicable Legislation (including requirements to properly inform the data subjects of the processing of the Personal Data).
4. SECURITY MEASURES
4.1 The Processor shall maintain adequate security measures to ensure that the Personal Data is protected in accordance with Applicable Legislation. The security measures shall at least ensure that the Personal Data is protected against destruction, modification and proliferation. The Processor shall further ensure that each system where the Personal Data is processed is protected against unauthorized access.
4.2 The Processor shall ensure that (i) only authorized employees who need access to the Personal Data for the Processor’s provision of the services under the Agreement have access to the Personal Data, (ii) the authorized employees process the Personal Data only in accordance with this DPA and the Controller’s instructions and (iii) each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Personal Data.
5. NOTIFICATION OF PERSONAL DATA BREACH
5.1 In the event of a personal data breach, the Processor shall cooperate with and assist the Controller for the Controller to comply with its obligations under Articles 33 and 34 of the GDPR.
5.2 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Such notification shall include at least: (i) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects concerned), (ii) the details of a contact point where most information concerning the personal data breach can be obtained, and (iii) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
5.3 Where, and insofar as, it is not possible to provide all information at the same time, the initial information shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
5.4 The Controller shall inform the Processor of the contact details to the recipient
6. THE PROCESSOR’S OBLIGATION TO ASSIST
6.1 The Processor shall by appropriate technical and organisational measures, insofar as this is possible, assist the Controller with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation. The data subjects’ rights include (i) rights to object to the processing and have the Personal Data erased, (ii) rights to request information about and access to the Personal Data, (iii) if technically viable, rights to move Personal Data from one controller to another, (iv) right to request restriction of processing, and (v) rights to request rectification of Personal Data.
6.2 The Processor shall, taking into account the nature of processing and the information available to the Processor, further assist the Controller in relation to the Controller’s obligations to (i) carry out data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, (ii) consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk, and (iii) ensure security of the processing.
7. SUB-PROCESSORS
7.1 The Processor may engage third parties to process the Personal Data, or parts thereof (“Sub-Processor”). The Sub-Processors involved in the delivery of services to the Controller are set forth in Appendix 2 to this DPA.
7.2 The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations reflecting those undertaken by the Processor under this DPA. Where a Sub-Processor does not comply with Applicable Legislation or fails to fulfil its obligations under its agreement with the Processor, the Processor shall remain fully liable to the Controller for the performance of such Sub-Processor.
7.3 The Controller acknowledges that in relation to Sub-Processors who are suppliers of certain standard services (such as Amazon and Microsoft), the Processor shall only be obliged to apply the data processing agreement applied by such Sub-Processor, to the extent such agreement fulfils the Controller’s and the Processor’s obligations under Applicable Legislation.
7.4 If the Processor intends to engage a new Sub-Processor, the Processor shall notify the Controller thereof in writing at least 20 days in advance. Such notification shall include information on the identity of the proposed Sub-Processor, the services provided by the Sub-Processor to the Processor, the location of the processing and any other information reasonably relevant for the Controller to assess the proposed Sub-Processor.
7.5 If the Controller objects in writing to the new Sub-Processor within 10 days from receipt of the Processor’s notice, the Controller may terminate the services that cannot be provided by the Processor without using the new Sub-Processor. Such termination shall be made in writing no later than 20 days after the Controller’s receipt of the notice of the new Sub-Processor.
8. TRANSFERS TO THIRD COUNTRIES
8.1 Where the processing of Personal Data does not take place within EU/EEA, or a territory that has been designated by the European Commission as ensuring an adequate level of protection, the transfer of the Personal Data must be subject to appropriate safeguards in accordance with Chapter V of the GDPR.
8.2 The Controller agrees that where the Processor engages a Sub-Processor for carrying out specific processing activities and those processing activities involve a transfer of Personal Data to a third country, the Processor and the Sub-Processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.
9. AUDITS
9.1 Upon the Controller’s request, the Processor will ensure that the Controller receives such information and documentation as is necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation.
9.2 The Controller shall, with at least 30 days’ written notice, be entitled to carry out an audit of the Processor’s processing of the Personal Data, if the Controller has reason to believe that the Processor fails to comply with this DPA. Such audit shall be performed by an independent auditor agreed between the parties. The Processor undertakes to assist the auditor and disclose all information and documentation necessary for the auditor to carry out the audit. The Controller shall bear the costs of an audit.
10. COMPENSATION
The Processor’s costs relating to the processing of Personal Data under this DPA are included in the prices set forth in the Agreement. The prices in the Agreement do not include costs for meeting changed or additional instructions from the Controller, unless such changed or additional instructions are made for the parties to be in compliance with Applicable Legislation. The Processor shall therefore be entitled to compensation on a time and materials basis.
11. LIABILITY
11.1 For the avoidance of doubt, administrative fines under Article 83 of the GDPR, due to a party’s breach of its direct obligations under the GDPR, will be imposed on the offending party and are not subject to liability settlement between the parties under this DPA.
11.2 If a party becomes liable to a data subject under Applicable Legislation and the other party was involved in the same processing as formed the basis for the data subject’s claim, the other party shall, in accordance with Article 82.5 of the GDPR, reimburse the liable party with the part of the compensation corresponding to the other party’s part of the responsibility for the damage. In addition, the other party shall compensate the liable party for fair and proportionate (in relation to the other party’s liability) costs of defending such claims.
11.3 A party subject to a claim from a data subject shall within reasonable time inform the other party in writing of the claim, if it is likely that claims against the other party in accordance with section may be made. The other party shall gain insight into the data subject’s and the party’s documents in such lawsuit and shall be given the opportunity to comment on this.
11.4 A party’s liability for other damages than damages referred to in this Section 11 is exclusively governed by the Agreement.
12. CONFIDENTIALITY
12.1 The Processor undertakes not to disclose or provide Personal Data to any third party. For the avoidance of doubt, any approved Sub-Processor shall not be considered a third party for the purposes of this Section 12.
12.2 Notwithstanding Section 12.1 above, the Processor may disclose such information if the Processor is obliged to do so by law, by a court judgement or by a decision of a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under Applicable Legislation.
13. TERM
13.1 This DPA applies between the parties for as long as the Processor processes the Personal Data, or until the Agreement expires, whichever occurs later.
13.2 Upon expiration of this DPA, the Controller shall instruct the Processor in writing whether to delete or transfer the Personal Data to the Controller. If the Controller requests transfer of the Personal Data, the Personal Data will be transferred in a common machine-readable format. After such transfer, the Processor shall without undue delay delete the Personal Data from its systems. If the Controller has not made a request of deletion or transfer within 30 days from the expiration of this DPA, the Processor may delete the Personal Data. Until the data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.
APPENDIX 1 – INSTRUCTIONS
Any processing carried out by the Processor shall be carried out in accordance with the following instructions.
Purposes of the processing
INSTRUCTION: The purpose of the processing is to provide the Polygon Solution and the Services according to the Agreement.
The character of the processing
INSTRUCTION: The character of the processing includes collection, storage and use.
The period of the processing
INSTRUCTION: The personal data is deleted one (1) year after the Agreement has expired/been terminated.
Categories of Personal Data
INSTRUCTION: Name, address, contact details (email, phone numbers).
Categories of data subjects
INSTRUCTION: The Controller’s customers.
APPENDIX 2 – SUB-PROCESSORS
Name: Amazon Web Services Inc
Contact: https://aws.amazon.com/contact-us
Description: The Solution is hosted in AWS (https://aws.amazon.com/privacy/). Also used as e-mail service provider for log-in codes and notifications from the platform.
Location of data centers / Link: Ireland
Name: 46 Elks AB
Contact: https://46elks.se/support
Description: SMS service provider, used for log-in codes and notifications from the platform.
Location of data centers / Link: Sweden, https://46elks.se/gdpr
Name: Twilio Inc.
Contact: https://help.twilio.com/articles/360048500694-Contacting-Twilio-Support
Description: The solution uses Twilio services for communication (SMS, voice, APIs). Privacy information: https://www.twilio.com/legal/privacy
Location of data centers / Link: Twilio services are hosted across multiple regions, including the EU (Ireland, Germany) and the US. More details: https://www.twilio.com/legal/data-protection-addendum
Name: Brevo
Contact: www.brevo.com
Description: E-mail service provider, used for log-in codes and notifications from the platform.
Location of data centers / Link: France, Germany and Belgium (https://help.brevo.com/hc/en-us/sections/18503544961042-GDPR)