Data Processing Agreement

This Data Processing Agreement (this “DPA”) has been entered into by Billogram AB, company ID no. 556801–7155 (the “Processor” or “Billogram”) and the customer that is a party to the Service Agreement (the “Controller” or “Customer”).

The Processor and the Controller are jointly referred to as the “Parties” and each as a “Party”.

This DPA governs the rights and obligations with respect to the Processing of Personal Data in connection with the use of the Processor’s Service.

This DPA constitutes the entire DPA and understanding of the Parties hereto with respect to the subject matter hereof and supersedes all prior agreements and understandings, whether written or oral, relating to such subject matter.

1. Definitions

To the extent that Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter referred to as the General Data Protection Regulation (“GDPR”), contains terms similar to those used in this DPA, such terms shall have the same meaning as in the GDPR. In addition to the terms defined throughout this DPA, the following terms shall have the meaning specified below.

Term: Definition

Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Customer Data: Personal Data relating to the Customer's customers.

Data Protection Laws: All privacy and Personal Data legislation, along with any other legislation (including regulations and directives) applicable to the Processing carried out in accordance with this DPA, including national as well as EU legislation, in particular the GDPR.

Data Subject: A natural person whose Personal Data is Processed.

Instructions: The written instructions that more specifically define the object, duration, type and purpose of Processing of Personal Data, as well as the categories of Data Subjects and special requirements that apply to the Processing, as set out in Appendix 1 attached hereto.

Personal Data: Any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Service: Billogram’s service as defined in the Service Agreement.

Service Agreement: The agreement between the Parties governing the Service.

Subprocessor: A natural or legal person, public authority, agency or other body which, in the capacity of subcontractor to the Processor, Processes Personal Data on behalf of the Controller.

Third Country: A country that is not a member of the European Union (EU) or the European Economic Area (EEA).

2. Background and purpose

2.1 The Parties have entered into the Service Agreement. 

2.2 The Processor’s obligations under the Service Agreement include Processing Personal Data as a Processor engaged by the Controller.

2.3 In order to provide the Service, Billogram also Processes Customer Data for its own purposes as further set out in Section B.

2.4 The Parties have entered into this DPA to ensure that the Processor’s Processing of Personal Data will be in accordance with the Data Protection Laws.  

2.5 The aim of this DPA is to meet the current requirements for an agreement between the Controller and Processor in accordance with Article 28 GDPR and to safeguard the freedoms and rights of the Data Subject in accordance with the Data Protection Laws.

2.6 Through this DPA, the Instructions and a list of Subprocessors (whereby the Instructions and the list of Subprocessors shall be deemed included in this DPA), the Controller regulates the Processor’s Processing of Personal Data on behalf of the Controller.

2.7 In the event of a conflict between this DPA and the Service Agreement, this DPA will prevail.

2.8 Any reference in this DPA to national or union legislation refers to the provisions applicable at any given time. 

Section A: Billogram as Processor

3. Processing of personal data and specification

3.1 The Controller hereby appoints the Processor to carry out, pursuant to the provisions of this DPA, Processing on behalf of the Controller for the purpose of delivering the Service according to the Service Agreement.

3.2 The Processor undertakes to Process Personal Data in compliance with this DPA as well as its own obligations under the Data Protection Laws.

3.3 The Processor furthermore undertakes to only Process Personal Data in accordance with the documented Instructions from the Controller, unless otherwise provided by the Data Protection Laws. 

3.4 The Controller’s Instructions to the Processor are set forth in this DPA and in Appendix 1 to this DPA. The Controller is responsible for ensuring that the Instructions are compliant with the Controller’s obligations under the Data Protection Laws.

3.5 The Controller confirms that the obligations of the Processor set out in this DPA, including the Instructions, constitute the full and complete Instructions to be followed by the Processor.

3.6 The Controller undertakes to inform the Processor without undue delay of any changes in the Processing that may affect the Processor’s obligations pursuant to the Data Protection Laws.

3.7 The Processor shall, to the extent required under the Data Protection Laws and in accordance with the Controller’s Instructions in each case, assist the Controller in fulfilling its legal obligations under the Data Protection Laws.

3.8 The Controller is responsible for informing Data Subjects of the Processing and for safeguarding the rights of Data Subjects in accordance with the Data Protection Laws, as well as for taking every other measure required of the Controller pursuant to the Data Protection Laws.

3.9 If the Processor finds the Instructions to be unclear, in violation of the Data Protection Laws, or non-existent, and the Processor is of the opinion that new or supplementary Instructions are necessary in order to fulfil its obligations under this DPA and the Data Protection Laws, the Processor shall inform the Controller of this without delay. 

3.10 In the event changes in the Service are made which entail new or amended Instructions and the Controller reasonably objects to the new or modified Processing, the Controller may terminate this DPA and the Service Agreement in writing with thirty (30) calendar days’ notice without any termination cost. 

4. Security measures

4.1 The Processor guarantees that it has implemented appropriate technical and organisational security measures required by the Data Protection Laws in order to prevent Personal Data Breaches and ensure that the rights of the Data Subjects are protected. 

4.2 The Processor has implemented the technical and organisational measures set out in the Instructions and undertakes not to substantially change these or otherwise change the security measures in a way that results in a lower level of information security than the one intended in Section 4.1 or the Instructions, without the prior written consent of the Controller.

4.3 The Processor shall continuously ensure that the technical and organisational security measures relating to the Processing maintain an appropriate level of confidentiality, integrity, availability and resilience. 

5. Request for information and disclosure of personal data

5.1 The Processor undertakes not to, without the Controller’s prior written consent, disclose or otherwise make Personal Data Processed under this DPA available to any third party, unless otherwise provided by Swedish or European law, judicial or administrative decisions. Notwithstanding the foregoing, the Processor has, without the prior approval from the Controller, the right to disclose Personal Data to third party recipients who are or provide clearing systems, banks and/or payment system providers, to the extent necessary to make payments in accordance with the Service Agreement. Such third-party recipients of Personal Data are Controllers for the Personal Data thus received.

5.2 The Processor shall take all reasonable steps (i) to maintain the confidentiality of the Personal Data, (ii) to ensure that only such staff and other representatives of the Processor who require access to Personal Data in order to fulfil the Processor’s obligations under this DPA and the Service Agreement have access to the Personal Data, (iii) to ensure the reliability of such staff and other representatives of the Processor and (iv) to ensure that all such staff and representatives have agreed in writing to maintain the confidentiality of the Personal Data.

5.3 If Data Subjects request information from the Processor regarding the Processing of Personal Data, the Processor shall refer such request to the Controller without undue delay. 

5.4 The Processor shall through appropriate technical and organisational measures, to the extent possible and with due regard to the nature of the Processing, assist the Controller in fulfilling the Controller’s obligations to comply with the Data Subjects’ requests for exercising their rights under the GDPR (such as rectification, deletion, restriction, data portability and request of access) in accordance with Section 7 below.

5.5 The Processor shall assist the Controller in fulfilling the Controller’s obligation to carry out data protection impact assessments for Processing under this DPA when such Processing is likely to result in a high risk to the rights and freedoms of individuals.

5.6 If competent authorities request information from the Processor regarding the Processing of Personal Data pursuant to this DPA or the Service Agreement, the Processor shall refer such request to the Controller without undue delay. The Processor may not in any way act on behalf of, or as a representative of, the Controller and may not, without prior instructions from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party, unless otherwise provided by Swedish or European law, judicial or administrative decisions. The Processor shall assist the Controller by providing the Controller with the information, assistance and resources that may be reasonably required to fulfil the Controller’s obligation to provide information and documentation to the competent authorities for prior consultation. 

5.7 In the event the Processor, according to applicable Swedish or European laws and regulations, is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor shall be obliged to inform the Controller thereof without undue delay, unless otherwise provided by Swedish or European law, judicial or administrative decisions, and request confidentiality in conjunction with the disclosure of the requested information.

6. Audits

6.1 At the request of the Controller, the Processor shall without undue delay provide information regarding the technical and organisational security measures used to ensure that the Processing complies with the requirements of this DPA and the Data Protection Laws and allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller, provided that persons performing the audits enter into appropriate confidentiality agreements with the Processor.

6.2 Such audits shall be subject to at least thirty (30) business days’ written notice and may be carried out once per calendar year, unless the Controller reasonably considers an additional audit necessary because of genuine concerns as to the Processor’s compliance with this DPA or in the event of a security breach that reasonably would raise such concerns. In the event of a request for an additional audit, the Controller will communicate its reasons for the request, concerns and other relevant information when giving notice about the additional audit to the Processor.

6.3 Any information that may be considered a trade secret or that otherwise is subject to confidentiality by law or agreement, will be excluded from the audit and the Controller will have no right to access, audit or inspect such information.

6.4 Information that the Controller or another auditor mandated by the Controller collects during its audit under this DPA must be deleted by the Controller as soon as it is no longer necessary for the purpose of the audit and the Controller shall confirm that this has been done in writing to the Processor.

6.5 The Processor shall inform the Controller if, in its opinion, Instructions provided to the Processor when the Controller exercises its rights hereunder infringe the Data Protection Laws.

6.6 Audits shall be performed during normal business hours in a manner that minimises disruption to the Processor’s business, and the Controller shall promptly provide the Processor with a copy of the results of the audit.

6.7 Notwithstanding any other provision of this DPA, the Processor is under no obligation to provide or allow audit access to a third-party auditor that is a competitor of the Processor.

6.8 The Processor shall enable the supervisory authority, or other government agency with legal authority, to conduct audits at the authority’s request and pursuant to Data Protection Laws at any given time, even if such an audit would otherwise violate the provisions of this DPA.  

7. Handling of corrections, deletions, etc.  

7.1 In the event that the Controller has requested a correction or deletion as a result of incorrect Processing by the Processor or as a result of a request from a Data Subject, the Processor shall take appropriate measures, without undue delay but in any event no later than thirty (30) calendar days from the date on which the Processor received the required information from the Controller. When the Controller has requested deletion, the Processor may only perform Processing of the Personal Data in question as part of the correction or deletion process or as required by Data Protection Laws or other applicable laws.

8. Personal data breaches

8.1 The Processor shall have the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident as provided for in Article 32(1)(c) of GDPR.

8.2 The Processor undertakes to assist the Controller in fulfilling its obligations in the event of a Personal Data Breach involving the Processing. At the request of the Controller, the Processor shall also assist in investigating suspicions of unauthorised Processing of and/or access to Personal Data. 

8.3 If the Processor becomes aware of a Personal Data Breach, the Processor shall, without undue delay, notify the Controller thereof in writing. The Processor shall, subject to the information available to the Processor, provide the Controller with a written description of the Personal Data Breach. 

8.4 A notification pursuant to Section 8.3 shall include all information which may be reasonably required by the Controller to fulfil its obligations under the Data Protection Laws. Such information includes e.g., a description of: 

a) the nature of the Personal Data Breach, categories of and the approximate number of Data Subjects affected, categories of and the approximate number of Personal Data included;

b) likely consequences as a result of the Personal Data Breach; and

c) a description of the measures taken to rectify the Personal Data Breach or to mitigate its potential adverse effects. 

8.5 If it is not possible for the Processor to provide all the required information at the same time as the Personal Data Breach notification, the description may be provided in stages without undue additional delay.

8.6 To the extent a Personal Data Breach has occurred due to the Controller’s act or omission, or otherwise as a consequence of any circumstances on the Controller’s side in relation to which the Processor has no involvement or responsibility, then any assistance by the Processor requested by the Controller will be charged by the Processor on a time and material basis. 

8.7 The Controller shall compensate the Processor for any direct costs that the Processor incurs under this Section 8 as a result of the Controller not complying with Data Protection Laws or this DPA. 

9. Subprocessor

9.1 The Processor may only engage those Subprocessors listed in Appendix 2 to perform its undertakings under this DPA. All engagements of a Subprocessor for the purpose of this DPA are subject to the Subprocessor agreeing in writing to the same data protection obligations as set out in this DPA. 

9.2 When the Processor intends to engage a new Subprocessor or replace an existing one, the Processor shall verify the Subprocessor’s capacity and ability to meet its obligations in accordance with the Data Protection Laws. 

9.3 The Controller may object to new Subprocessors, provided that the Controller has an objectively justified reason not to approve the new Subprocessor and that the Controller objects to the engagement of such Subprocessor within fourteen (14) calendar days after the Processor’s notice of the intention to engage the Subprocessor. If the Controller does not object in writing within the stipulated time, the Controller will be deemed to have approved the Subprocessor. If the Controller reasonably objects to a new Subprocessor, the Controller may terminate this DPA and the Service Agreement in writing with thirty (30) calendar days’ notice without any termination cost.

9.4 The Processor is responsible in relation to the Controller for any Processing carried out by a Subprocessor as if it was the Processor’s own Processing. 

9.5 When the Processor stops using a Subprocessor, the Processor shall notify the Controller in writing thereof. 

9.6 At the Controller’s request, the Processor shall provide a copy of the agreement governing the Subprocessor’s Processing of Personal Data.

10. Localisation and transfer of personal data to a third country

10.1 The Processor shall ensure that the Personal Data will primarily be Processed within the EU/EEA by a natural or legal person who is established in the EU/EEA and that any transfer of Personal Data to a Third Country for Processing (e.g. for service, support, maintenance, development, operations or other similar handling) will be carried out only if such transfer complies with the Data Protection Laws and fulfils the requirements for the Processing set out in this DPA and the Instructions, including but not limited to, ensuring that:

(i) the EU Commission has determined that the level of protection is adequate in the Third Country where the Personal Data is Processed and thus granted an adequacy decision; or 

(ii) the Processing is covered by the EU Commission's Standard Contractual Clauses (SCCs) for data transfer to Third Countries, as applicable at any given time; or

(iii) the Processing is covered by Binding Corporate Rules approved by a competent supervisory authority; and

(iv) the Processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with the Data Protection Laws. 

10.2 The Processor shall ensure that none of the provisions in the Standard Contractual Clauses or the Binding Corporate Rules are in conflict with this DPA, including the Instructions.

11. Compensation

11.1 The Processor shall be entitled to compensation on a time and material basis, applying the Processor’s Services Fees applicable at the time, for work performed under Sections 4.4, 6 and 8.6 of this DPA. In addition, any third-party costs or expenses incurred by the Processor in connection with such work shall be reimbursed in full by the Controller.

11.2 The Processor is not entitled to any compensation for Processing of Personal Data under this DPA other than as set out above.

Section B: Billogram as Controller

12. The purpose of the processing

12.1 In order to provide the Service, Billogram also Processes Customer Data in order to administer direct debit mandates, to ensure functionality of the Service, to analyse the performance of the Service, to correct errors, and to improve, develop and measure the use of the Service. When Billogram Processes Customer Data for its own purposes as described above, Billogram is acting as a Controller in relation to such Processing activities.

12.2 The provisions concerning Processing of Customer Data as described in this section remain in force for as long as disclosure is taking place for the purposes agreed upon by the Parties. 

13. The scope of the processing  

13.1 The table below sets out the scope of Processing by Billogram as Controller.

Processing activity 1

The Data Subjects concerned: The customers of Billogram’s Customers, which for the purpose of this DPA shall include invoice recipients as well as payers.
The purpose of the Processing: To analyse the performance of the Service, to correct errors, and to improve, develop and measure the use of the Service.
The categories of Personal Data concerned: Identification data, Contact details, Billing and payment information, Bank details (clearing code), Case details, Communication information, Device details, Information generated by the use of the Service.
Special categories of Personal Data: May occur depending on the invoice content, such as information revealing trade union membership or data concerning health.
Type of Processing: Collection, storage and analysis.
Legal basis for the Processing: Legitimate interest.

Processing activity 2

The Data Subjects concerned: As above.
The purpose of the Processing: To ensure the functionality and to prevent misuse of the Service.
The categories of Personal Data concerned: Essential cookies and preferences fundamental for the user experience, Device details, Information generated by the use of the Service.
Special categories of Personal Data: None.
Type of Processing: Collection, storage and use.
Legal basis for the Processing: Legitimate interest.

13.2 When the Customer uses Services stipulated in the Special Terms and Conditions for Payment Services, Billogram will, in addition to the Processing set out in Section 13.1, Process Personal Data when required by mandatory law, including but not limited to anti-money laundering legislation. Such Processing will be limited to the categories of Personal Data that are required to fulfil the relevant regulatory requirements under applicable law.

14. Billogram’s obligations

14.1 Billogram shall ensure compliance with applicable Data Protection Laws as well as its obligations as a Controller in relation to the Processing of Customer Data. 

14.2 Billogram undertakes to take appropriate technical and organisational measures to protect the Personal Data being Processed in accordance with applicable Data Protection Laws. 

14.3 Billogram shall ensure that Customer Data to the extent possible is anonymised or Processed at an aggregated level.

14.4 Billogram shall ensure that personnel who Process Personal Data are aware of the applicable Data Protection Laws and Process Personal Data in accordance therewith. 

14.5 Billogram shall ensure that personnel who Process Personal Data for a given purpose, are reliable and bound by appropriate confidentiality obligations, either by law or by agreement. Billogram shall also ensure that such personnel understand what the confidentiality obligation entails.

14.6 Billogram shall, in its capacity as a Controller, only use Customer Data as set out in Section 12.1 and shall not share Customer Data with any third party in its capacity as Controller.

15. Data subjects’ rights and information 

15.1 Billogram shall be responsible for assisting the Data Subject in the exercise of its rights in accordance with the GDPR.  

15.2 The Customer shall inform the Data Subjects about the data disclosure in accordance with the applicable Data Protection Laws. Billogram shall publish its privacy notice fulfilling the information requirements set out in the applicable Data Protection Laws on its website and the Customer shall refer thereto in its own privacy notice. 

15.3 The Parties shall cooperate, if necessary, to ensure that the Data Subject is able to exercise its rights according to the GDPR. 

Section C: General provisions

16. Liability for damages in connection with the processing

16.1 In the event that compensation for damages in relation to Processing is due and owed to the Data Subject, through a legally binding judgement or settlement, due to a violation of this DPA and/or applicable provision of the Data Protection Laws, Article 82 of GDPR will apply.

16.2 Fines in accordance with Article 83 of the GDPR or Chapter 6 of the Data Protection Act (2018:218) shall be paid by the Party to this DPA on which such a fine has been imposed.

16.3 Subject to what has been set out in 16.1 and 16.2 above and the limitation of liability set out in the Service Agreement, the Controller shall be liable for any damages, costs or losses that are incurred by the Processor or for which the Processor may become liable due to any failure by the Controller to comply with the obligations under this DPA and the Processor shall be liable for any damages, costs or losses that are incurred by the Controller or for which the Controller may become liable due to any failure by the Processor to comply with the obligations under this DPA.

16.4 For the avoidance of doubt, nothing in this DPA shall restrict or limit the Parties’ general obligation at law to mitigate any loss they may suffer or incur as a result of an event that may give rise to a claim under this DPA.

16.5 For the avoidance of doubt and notwithstanding any of the provisions of the Service Agreement, Sections 16.1 and 16.2 of this DPA take precedence over other rules regarding the allocation of liability between the Parties of claims regarding the Processing.

17. Governing law and dispute resolution

17.1 What is stipulated in the Service Agreement applies to dispute settlement and choice of law.

18. Conclusion, term and termination of the DPA   

18.1 This DPA shall enter into force from the time the Parties have entered into an agreement by the Controller’s acceptance of the Terms of Service on the Processor’s website and shall remain in force for as long as the Processor Processes Personal Data on the Controller’s behalf.

18.2 Notwithstanding the above, Sections 5.2 and 16 of this DPA shall remain in effect even if the DPA otherwise ceases to apply.

19. Violations of the DPA

19.1 If either Party becomes aware that the other Party is acting in violation of this DPA, the violating Party shall be informed without delay of the actions in question. The informing Party shall be entitled to suspend the performance of its obligations pursuant to this DPA until such time as the violating Party has declared that the actions have ceased, and the explanation has been accepted by the Party that made the complaint.

20. Measures in the event of termination of the DPA   

20.1 Upon termination of this DPA, the Controller will, at the choice of the Controller and without undue delay, request that the Processor delete or return all Personal Data to the Controller, unless applicable law requires further Processing. Until the Personal Data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.

20.2 Transfers and deletions pursuant to Section 20.1 shall be carried out no later than thirty (30) calendar days from notice of termination of the DPA, unless otherwise agreed. 

21. Notifications

21.1 All notices shall be in writing and made in Swedish or English and sent by e-mail, (i) as regards the Controller, to the e-mail address provided by the Customer in connection with registration of the user account or the e-mail address specified by the Customer at a later time and, (ii) as regards the Processor, to the e-mail address legal@billogram.com. Notices sent in the prescribed manner shall be deemed to have been received by the other Party no later than the next business day.

Appendix 1: Contact information and instructions

1. Contact information

The Processor’s contact details:

Billogram AB
Klara Södra Kyrkogata 1
111 52 Stockholm

Contact e-mail: legal@billogram.com

2. Personal data processing instructions

The purpose of the Processing is to enable the Processor to fulfil its obligations under, and take those measures set forth in, the Service Agreement, inter alia:

- invoice production and distribution

- accounts ledger and invoice payments operations 

- direct debit mandates administration

- provision of end customer communication module 

- provision of sales and offer module 

- provision of end customer support 

- compiling statistics and executing analysis

This also includes Processing all categories of Personal Data set forth below to customise the Service, including profiling when applicable, and to ensure compliance with relevant laws and regulations.

Categories of Data Subjects are the Controller’s customers. 

Categories of Personal Data:

- Identification data

- Contact details

- Billing and payment information

- Bank details

- Case details

- Communication information

- Consent details

- Information generated by use of the Service 

Special categories of Personal Data as defined in Article 9 of the GDPR, such as information revealing trade union membership or data concerning health, may be Processed depending on the content of the invoice specified by the Controller.

The nature of Processing is to perform Processing which is necessary for the purpose set forth above, including inter alia collection, recording, organisation, structuring, storage, adaptation and alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The duration of Processing is limited to the period of time necessary to provide the Service under the Service Agreement, which for bookkeeping documents shall be in accordance with national bookkeeping regulations and for all other information for as long as required with regard to the purpose for which the Personal Data is Processed, unless otherwise set forth in the Data Protection Laws.

The place for the Processing is within the EU/EEA. 

The Processor is entitled to engage Subprocessors within the EU/EEA as well as outside the EU/EEA, provided that such Processing is in compliance with the provisions of the DPA.

3. Technical and organisational measures

Billogram implements appropriate technical and organisational measures which are designed to meet the data protection principles in an effective manner and ensures that appropriate safeguards are integrated into the Processing of Personal Data to meet the requirements of the GDPR and to protect the rights of Data Subjects, as described below. Further information about technical and organisational measures is available upon request.

Data protection risk assessment

Billogram executes and documents a risk assessment to decide which data security measures shall be implemented. The aim is to define the appropriate level of data security measures for each part of the Service. In all cases, Billogram has implemented at least the security measures described in the chapter “Security of Personal Data” below.

Security measures

Billogram has implemented an Information Security Management System (ISMS) in line with the ISO 27001 standard. As part of the ISMS, security and privacy policies and instructions have been created and established throughout the Billogram organisation; these are available to customers on request. The policies are supported by a wide range of mandatory rules on different aspects of data protection and information security to ensure compliance with Data Protection Laws and this DPA. These internal documents include, for example, processes for Personal Data Breach management and for handling Data Subject requests. The documents are subject to regular internal review and approval processes.

Security of Personal Data

Billogram has implemented the following measures based on requirements set out in “Security of Processing” (Article 32 of the GDPR):

a) The pseudonymisation and encryption of Personal Data;

- Billogram is utilising encryption and/or pseudonymisation in its operations to mitigate data protection risks where appropriate. Encryption and pseudonymisation techniques may vary between Services following the Service requirements and data protection risk assessment. Details of the measures used are available upon request.

b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

- Protection of the Personal Data requires the implementation of multiple security controls, which are covered by the ISMS. Standardised processes help to secure the quality of the Service and to safeguard the Personal Data Processing.

- Access to Billogram's IT environment is controlled. To access Billogram systems, an employee must have a valid reason, and access to the customer interface is approved only through a process agreed jointly with the customer. Connections to Billogram's IT environment are logged to provide audit trails of administrative operations in the systems. At a minimum, all access to Billogram's IT environment and services requires a secured channel and strong authentication. Other security controls are applied if required by the data protection risk assessment.

- Unauthorised persons are prevented from gaining physical access to Data Processing facilities. Physical and environmental controls are utilised to protect Personal Data against accidental and unlawful destruction.

- Billogram ensures adequate protection of administrative connections, third-party access and file transfers deployed within Billogram's infrastructure.

- Security measures have been implemented to protect the system landscape from security threats.

- Billogram plans, executes and controls customer-related business operations. The organisational structure assigns roles and responsibilities to provide for adequate staffing and efficient operational capabilities. Billogram management establishes authority and appropriate lines of reporting for key personnel. As part of the hiring process, background checks are conducted based on the employee's position and level of access to Billogram processing facilities and systems.

- Billogram maintains and controls the execution of the Billogram information security policy, provides regular security training to employees and performs application security reviews. These reviews assess the confidentiality, integrity and availability of data, as well as conformance to the information security policy.

c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

- Billogram has backup processes and strategies which ensure rapid restoration of business-critical systems as and when necessary.

- Billogram has defined and implemented business continuity and disaster recovery plans for the infrastructure supporting Billogram’s Service delivery to customers. These plans are updated and tested on a regular basis. 

d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;

- Billogram’s emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the Personal Data Processing. 

- Billogram conducts internal security testing and vulnerability scanning. For high-risk environments, Billogram uses external security testing services, including penetration testing.

Appendix 2: Authorised subprocessors

Company name | Company ID | Service | Data Location
Amazon Web Services EMEA SARL | B186284 | Infrastructure and cloud storage | EU/EEA
Zendesk, Inc. | 519184 | Customer support | EU/EEA
Tieto Sweden AB | 556052-7466 | Invoice distribution (Letter, EDI, E-invoice (Sw. E-faktura), digital mailbox) | EU/EEA, UK
46Elks AB | 556838-8184 | Invoice distribution (SMS) | EU/EEA
Sendsafely Inc. | 83-3167288 | Communication service | EU/EEA