Data processing agreement

This data processing agreement (the “Agreement”) has been entered into by and between Billogram AB, company ID no. 556801–7155 (the “Provider”) and the customer that is a party to the Service Agreement (the “User”).

The Provider and the User are jointly referred to as the “Parties” and each as a “Party”.

The Agreement governs the rights and obligations with respect to the processing of personal data in connection with the use of the Provider’s services.

1. Background and purpose

The Parties have entered into the Service Agreement (as defined below).

The Provider’s obligations under the Service Agreement include to process personal data as a processor engaged by the User.

The Parties have, on this day, entered into this Agreement to ensure that the Provider’s processing of personal data will be in accordance with Applicable Law (as defined below).

In the event of conflict between the Agreement and another, prior agreement between the Parties, this Agreement will prevail.

2. Definitions

The definitions “controller”, “processor”, “personal data” and “processing” will have the meaning set forth in the Applicable Law.

“Applicable Law” means applicable laws and regulations and binding rules and decisions from relevant authorities, such as the Swedish Personal Data Protection Act (Sw: personuppgiftslagen), the Swedish Personal Data Protection Ordinance (Sw: personuppgiftsförordningen), the Data Protection Directive 95/46/EC, the Swedish Integrity Agency’s binding ordinances and decisions and, as of its entering into force, the General Data Protection Regulation 2016/679 (GDPR) and the European Data Protection Board’s guidelines, recommendations and best practices, regulations and ordinances issued by the European Commission regarding personal data and the processing thereof.

“Sub-Processor” means another processor than the Provider engaged by the Provider to process personal data for which the User is the controller.

“Service” means the Provider’s invoice services provided to the User under the Service Agreement, including any future, additional and newly developed services.

“Service Agreement” means the agreement between the Parties governing the Service.

Where other terms are used in this Agreement that correspond to those defined or applied in Applicable Law, such terms will be construed and applied in accordance with Applicable Law.

3. The Provider’s undertakings

3.1 General undertakings and liability

The Provider undertakes to process personal data in accordance with Applicable Law, this Agreement and the User’s instructions set forth in Appendix 1, and with other instructions received from the User. Instructions and other changes in Appendix 1 will be communicated in writing and the Provider will implement them within reasonable time. The Provider is entitled to compensation for performing the changes in question.

The Provider has appointed a data protection officer who will ensure that the personal data is processed in accordance with the Provider’s routines and the User’s instructions.

The Provider will keep a record of categories of processing activities performed by or on behalf of the Provider, including (a) the name and contact details of the Provider and the data protection officer, (b) a description of the categories of processing carried out on behalf of the User, (c) where applicable, transfers of personal data to a third country or an international organization, including the identification of such third country and organization and, when required under Applicable Law, the documentation of suitable safeguards in the event of a transfer, and (d) insofar as it is possible, a general description of relevant technical and organizational security measures undertaken by the Provider.

The Provider is liable for direct damages incurred by the User as a result of the Provider’s processing of personal data contrary to its obligations as a processor under Applicable Law that specifically govern processor liability, and if the Provider has exceeded or acted contrary to the User’s lawful instructions. The Provider’s liability is limited to the extent set forth in the Service Agreement or, where there is no such limitation of liability in the Service Agreement, to the amount exclusive of VAT and other taxes which the Provider has invoiced the User during the preceding 12 months under the Service Agreement, unless caused by gross negligence or willful misconduct by the Provider.

3.2 Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate (a) pseudonymization and encryption, (b) the ability to ensure and maintain confidentiality, integrity, availability and resilience of processing systems and services, (c) the ability to restore availability and access to personal data within reasonable time after an incident, whether physical or technical, (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. The Provider is entitled to additional compensation if the User gives instructions that go beyond what can reasonably be expected to ensure the appropriate level of security described in this section. If the Provider is made aware that the User’s instructions are incompatible with Applicable Law, the Provider will notify the User and await new instructions. Up until new instructions have been issued by the User, the Provider will be entitled to take necessary measures to comply with Applicable Law at the expense of the User.

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

The Provider may, in exchange for remuneration, assist the User with (a) the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk, (b) assessing the impact of the envisaged processing operations on the protection of personal data, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, and (c) consulting with the supervisory authority prior to the processing where a data protection impact assessment described under (b) indicates that the processing would result in a high risk in the absence of measures taken by the User to mitigate the risk.

3.3 Audits and inspections

The User, by itself or by another auditor mandated by the User, has the right to, at its own expense and with reasonable notice, carry out an audit, including inspection of, the Provider’s processing of personal data under this Agreement to ensure that it complies with the Agreement, to the extent technically possible and reasonably can be deemed necessary. Such audits may be carried out once per calendar year, unless where the User undertaking an audit reasonably considers an additional audit necessary because of genuine concerns as to the Provider’s compliance with the Agreement or in the event of a security breach that reasonably would raise such concerns. In the event of a request for an additional audit, the User will communicate its reasons for the request, concerns and other relevant information when giving notice about the additional audit to the Provider.

The Provider will make available to the User all information necessary to demonstrate compliance with the Agreement.

The Provider will immediately inform the User if, in its opinion, an instruction infringes Applicable Law.

The User and any other auditor mandated by the User undertake to keep secret any and all information disclosed to either of them during an audit and acknowledge that they will need to sign a non-disclosure agreement prior to the audit.

Any information regarding other customers of the Provider’s that may be considered a trade secret or that otherwise is subject to confidentiality by law or agreement, will be excluded from the audit and the User will have no right to access, audit or inspect such information.

The Provider will provide the User or another auditor mandated by the User with the assistance that can be reasonably required to conduct an audit. The Provider is entitled to remuneration for such assistance.

Information that the User or another auditor mandated by the User collects during its audit under this Agreement must be deleted by the User as soon as it is no longer necessary for the purpose of the audit.

The Provider undertakes to allow and facilitate audits that the competent authorities or other parties are entitled to carry out under Applicable Law.

3.4 Personal data breach

In the event of a personal data breach, the Provider will, without undue delay after becoming aware of the personal data breach, notify the User about the personal data breach. Where, and insofar as, it is not possible to provide relevant information about the personal data breach at the same time, the information may be provided in phases without undue further delay. The Provider will assist the User with notifying the personal data breach to the supervisory authority and to the data subject in accordance with Applicable Law. The Provider will provide the User with relevant information that the User is obliged to notify the supervisory authority or the data subjects of under Applicable Law. The User will pay remuneration and compensation for any costs that the Provider may incur if its measures under this clause were taken because the User did not comply with Applicable Law.

3.5 Information to data subjects and others

In the event a data subject, supervisory authority or any other authorized third party requests to obtain information from the Provider that involves the processing of personal data under this Agreement, the Provider will refer such data subject, supervisory authority or any other authorized third party to the User. The Provider may not share any personal data or other information about the processing of personal data without the prior, explicit, written instruction from the User on a case by case basis, unless the Provider is obliged to share such data under Applicable Law. The Provider will, insofar as possible, assist the User by taking appropriate technical and organizational measures in order for the User to be able to fulfill its obligations under Applicable Law to meet any requests from the data subject pursuing his or her rights of access, rectification, erasure, restriction of processing and data portability.

3.6 Sub-Processors

The Provider may engage Sub-Processors to perform its undertakings under this Agreement, provided that the same data protection obligations as set out in this Agreement are imposed on the Sub-Processor in a written agreement with the Provider and that the Provider gives notice to the User of any intentions to engage a Sub-Processor or replace an already engaged Sub-Processor.

The User may object to potential, new Sub-Processors, provided that the User has a justified reason not to approve the new Sub-Processor and that the User objects to the engagement of that Sub-Processor within 10 bank days after the Provider’s notice of the intention to engage the Sub-Processor. If the User does not object in writing within the stipulated time, the User will be deemed to have approved the Sub-Processor.

Where the Sub-Processor fails to fulfill its data protection obligations, the Provider will remain liable to the User for the performance of the Sub-Processor’s data protection obligations.

3.7 Transfer of personal data to other countries

The Provider may transfer personal data to other countries provided there is a legal ground for the transfer under Applicable Law, or where the recipient is part of the same group as the Provider, or in accordance with the following:

3.7.1 Within the EU and EEA and to countries or organizations with an adequate level of protection

Transfer of personal data within the EU, EEA and to countries or organizations that the European Commission has decided ensures an adequate level of protection is permitted, provided that it is ensured that the personal data is adequately protected, i.e. by standard data protection clauses.

3.7.2 Other transfers outside the EU/EEA

All other transfers outside of the EU/EEA that are not otherwise permitted under this section 3.7, are permitted provided that the transfer and the processing thereafter is subject to appropriate safeguards as set forth by Applicable Law.

3.7.3 Other transfers

The Provider may transfer personal data regardless of the User’s instructions where the Provider is required to do so by EU or member state law to which the Provider is subject. In such an event, the Provider will inform the User of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.8 Deletion or return of personal data

Upon the termination of the Agreement or after the end of the provision of Services relating to processing of personal data, the Provider will, at the choice of the Provider, delete or return all personal data, and delete existing copies unless Applicable Law requires storage of the personal data.

4. The User’s undertakings and liability

In addition to the User’s obligations under Applicable Law, the following will apply.

4.1 Personal data controller

In its capacity of controller, the User agrees to ensure, and accepts responsibility for ensuring, that the processing of data is performed in accordance with Applicable Law.

4.2 Legal ground for processing

The User is responsible for ensuring that the processing of data in accordance with this Agreement is lawful under Applicable Law, whether the data subjects have consented to the processing or if there is another legal ground for the processing, and that the personal data covered by this Agreement and that the Provider processes on behalf of the User have been collected for specific, explicit and justified purposes, and otherwise in accordance with Applicable Law and that these purposes have been set forth fully and correctly in Appendix 1. The User will immediately give notice to the Provider if the nature of the personal data processed under the Agreement changes.

The User is further responsible for ensuring that the Provider does not process other categories of personal data than those set forth in Appendix 1 on behalf of the User.

4.3 Instructions and information

The User agrees to provide clear and precise instructions to the Provider and determine the purposes and means of the Provider’s processing of personal data in accordance with the Agreement and Applicable Law. The User agrees to provide, and accepts responsibility for the provision of, its instructions to the Provider with respect to personal data, and that such instructions are adequate, relevant and proportionate to the purposes for which the personal data are processed, and that the technical and organizational measures necessary to comply with such instructions to ensure an adequate level of protection in accordance with Applicable Law are sufficiently clear and precise for their purpose.

4.4 Claims from the data subjects or the competent supervisory authority

If the User receives an inquiry or a claim, demand or decision from a third party (in this sub-section generically referred to as a “claim”), or where such claim is likely to be made, the User will notify the Provider without delay. If it is plausible that the claim is the result of the Provider’s breach of the Agreement, the User will give the Provider full access to the information (including any documentation) that may be of importance for the claim. The Parties will consult with each other regarding a claim and the User will take the Provider’s remarks into consideration.

4.5 Liability

The User is responsible for any damages, costs or losses that are incurred by the Provider if and to the extent any claims, demands or decisions are directed towards the Provider regarding the processing of personal data, unless such claim, demand or decision is caused by the Provider’s breach of this Agreement.

5. Notifications

All notifications and other communication under this Agreement must be in writing in Swedish or in English. The Provider will give notice to the User in accordance with the Service Agreement or, where the notification is of general nature, on a webpage designated for notifications under this Agreement.

6. Confidentiality

Subject to what is set forth in the Agreement, the Service Agreement and Applicable Law, each Party undertakes not to disclose, and to keep confidential, information about personal data and the processing of personal data under this Agreement, and the contents of this Agreement.

Notwithstanding the above, the Provider will ensure that persons authorized to process personal data (including but not limited to employees and Sub-Processors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality comparable to the terms of the Agreement.

7. Term of the agreement

This Agreement enters into force when duly signed by both Parties and it will remain in effect as long as the Provider’s obligations with respect to processing of personal data for which the User is the controller (or, where applicable, as assigned to the Provider) remain.

8. Governing law, jurisdiction and dispute resolution

Any dispute arising from the Agreement will be settled by Swedish general courts with Stockholm District Court as the court of first instance by application of Swedish law, unless otherwise set forth by the Service Agreement.

Appendix 1: personal data and instructions

The Provider’s contact details
Billogram AB
Att: Data Protection Officer
Klara Södra Kyrkogata 1
111 52 Stockholm
Sweden

Company ID no. 556801–7155

Contact email:
dpo@billogram.com

Purpose of the processing is to enable the Provider to fulfill its obligations under the Service Agreement.

Categories of data subjects are the User’s employees, customers, suppliers, and contractors engaged by the User.

Categories of personal data are name, personal ID number, address, telephone numbers, contact details, and e-mail addresses, as well as indirect identifiers such as IP address and the like.

Unless otherwise explicitly set forth below, no special categories of personal data will be processed. Special categories of personal data include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The nature of processing is to perform processing which is necessary for the purpose set forth above, including inter alia recording, organisation, structuring, storage, adaptation and alteration, retrieval, consultation, transfer, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The duration of processing is limited to the period of time necessary to provide the Service, unless otherwise set forth in the Agreement or in Applicable Law.

The Provider may also process all categories of personal data set forth above for the purpose of improving the Service.

The Provider is entitled to engage Sub-Processors within the EU/EEA as well as outside the EU/EEA, provided that the provisions of the Agreement are complied with.

Data processors

Company | Location | Purpose
Amazon Web Services, Inc. | USA | Infrastructure and cloud storage
Freshworks Inc. | USA | Customer support
The Rocket Science Group LLC d/b/a MailChimp | USA | Email distribution
46elks AB | Sweden | SMS distribution
Evry AB | Sweden | Letter distribution