Data Processing Agreement.
September 22, 2022
Privacy & Security
This Data Protection Agreement (“DPA”) is part of Maria Arango Kure’s Terms of Service available at Terms & Conditions, between Customer and Maria Arango Kure, or other agreement entered into between Customer and Maria Arango Kure governing Customer’s use of the services provided by Maria Arango Kure (the “Agreement”) when Maria Arango Kure is processing personal data on behalf of the customer. The DPA has been entered into in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject between the customer (“the controller”) and Maria Arango Kure, with business address Lundmarksgatan 31, 57831 Aneby, Jönköping, Sweden (“Maria Arango Kure” or “the processor”).
(A) The Controller and the Processor entered into a Services Agreement (Services Agreement) that may require the Processor to process Personal Data on behalf of the Controller.
(B) This Processor Agreement (Agreement) sets out the terms and conditions on which the Processor will process Personal Data when providing services under the Services Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) (insofar as the UK GDPR applies) and Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”) (insofar as the EU GDPR applies) for contracts between controllers and processors.
1. Definitions and Interpretation
1.1 The following definitions and rules of interpretation apply in this Agreement.
Data Protection Legislation: all applicable data protection laws in the UK and the EU including the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018), the EU GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
Data Subject: an individual who is the subject of Personal Data.
GDPR: General Data Protection Regulation ((EU) 2016/679).
Personal Data: means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Services Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
UK GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
1.2 The Schedules form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
1.3 A reference to writing or written includes email.
2. Processing Purposes
2.1 The Controller and the Processor acknowledge that the Controller is the controller and the Processor is the processor and that the Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation.
2.2 Where the Processor appoints a subcontractor pursuant to clause 4 below, the Processor shall be a data controller in relation to such processing.
2.3 The Processor may process the Personal Data categories and Data Subject types set out in Schedule 1 of this Agreement.
3. Processor Obligations
3.1 The Processor shall:
3.1.1 implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of the Data Subject, as further set out below in this Agreement;
3.1.2 only use subcontractors to help with the processing of Personal Data in the circumstances set out in clause 4 below;
3.1.3 process the Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
3.1.4 ensure that persons authorised to process the personal data (such as its employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.5 take the security measures set out in clause 5 below;
3.1.6 taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights as set out in clause 6 below;
3.1.7 assist the Controller in ensuring compliance with the obligations set out in clause 7 below (data breach) taking into account the nature of processing and the information available to the Processor;
3.1.8 at the choice of the Controller, delete or return all the Personal Data to the Controller after the termination or expiry of the Services Agreement and delete existing copies (unless Union or Member State law requires storage of the Personal Data);
3.1.9 make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
3.1.10 assist the Controller in ensuring compliance with the requirement to carry out Data Protection Impact Assessments as set out in Article 35 of GDPR, taking into account the nature of processing and the information available to the Processor;
3.1.11 immediately inform the Controller, if in the opinion of the Processor, an instruction from the Controller infringes Data Protection Legislation.
3.2 The Processor will promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 The Processor will keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law. If the Processor is required by law, court, regulator or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller.
4. Subcontractors
4.1 The Processor may only authorise a third party (“subcontractor”) to process the Personal Data if:
4.1.1 the Processor has obtained the prior written consent from the Controller for each appointment of a subcontractor (or the subcontractor’s name is set out in Schedule 1); and
4.1.2 the Processor has carried out appropriate due diligence on any subcontractor to ensure that the subcontractor can satisfy its contractual obligations; and
4.1.3 the Processor and the subcontractor enter into a written contract containing terms the same as those set out in this Agreement, in particular, in relation to data security measures; and
4.1.4 the Processor maintains control over all Personal Data it shares with the subcontractor; and
4.1.5 the Processor ensures that the subcontractor does not process the Personal Data except on instructions from the Data Controller (unless required to do so by UK Law and/or Union or Member State law).
4.2 The Processor shall be fully liable for the actions and inactions of the subcontractor and shall be responsible for the subcontractor’s performance of obligations.
5. Security
5.1 The Processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
6. Responses to Data Subjects
6.1 The Processor will put in place such technical and organisational measures as may be appropriate to enable the Controller to comply with the rights of Data Subjects under Data Protection Legislation, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing and the right to object to automated individual decision making.
6.2 If the Processor receives any complaint or other communication relating to the processing of the Personal Data or a Subject Access Request from a Data Subject, it must notify the Controller as soon as possible after it receives it and will provide the Controller with all reasonable assistance in helping the Controller to reply to such communications.
6.3 The Processor will provide to the Controller such information as the Controller may reasonably require in order for the Controller to comply with the rights of Data Subjects under Data Protection Legislation.
6.4 The Processor will provide all appropriate assistance to the Controller to enable it to comply with any information or assessment notices served on the Controller by any supervisory authority under the Data Protection Legislation.
6.5 The Processor shall not disclose Personal Data to any third party other than at the Controller’s written request or as set out in this agreement or as required by law.
7. Personal Data Breach
7.1 If any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable (“Personal Data Loss”), the Processor will notify the Controller without undue delay after learning of such Personal Data Loss.
7.2 If the Processor becomes aware of any unauthorised or unlawful processing of the Personal Data or any Personal Data Breach, it will notify the Controller without undue delay (and in any event within 24 hours) including all relevant information such as:
(a) a description of the nature of the Personal Data Breach, the unauthorised or unlawful processing and/or the Personal Data Loss, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken, or proposed to be taken, including measures to mitigate the impact.
7.3 The parties will co-ordinate and co-operate with each other to investigate any matters arising as contemplated by this clause.
7.4 The Processor shall take reasonable steps to mitigate the effects and reduce the impact of any Personal Data Breach or unlawful Personal Data processing.
7.5 The Processor agrees that it shall not (and the Controller is solely responsible to):
(a) provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or any other third party, except when the Processor (as opposed to the Controller) is required by law or regulation to provide such notice; and
(b) offer any type of remedy to affected Data Subjects.
8. Cross-border Transfers
8.1 The Processor (or any subcontractor of the Processor) shall not transfer or otherwise process Personal Data outside the UK or the European Economic Area (EEA) without obtaining the Controller’s prior written consent (except where the Processor is required to transfer such data by UK law and/or Union or Member State law, in which case the Processor shall inform the Controller of such legal requirement before processing takes place, unless any law prohibits such disclosure on important grounds of public interest).
8.2 If the Controller consents to the transfer or other processing of the Personal Data outside of the UK and/or the EEA (as the case may be) and no appropriate safeguards exist (such as an adequacy decision), the Processor and the Controller will each execute the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Schedule to Commission Decision 2010/87/EU (“SCCs”) (or the UK approved versions of the same, as the case may be).
9. Term & Termination
9.1 This Agreement will continue for so long as the Processor processes any Personal Data related to the Services Agreement (Term).
10. Audit
10.1 The Controller (and any third-party representatives) may audit the Processor’s compliance with its obligations under this Agreement and the Processor will give the Controller (and its third-party representatives) all necessary assistance and co-operation to conduct such audits.
11. Governing Law
11.1 This agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with, the law of Sweden.
11.2 Each party irrevocably agrees that the courts of Sweden shall have non-exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).