This DATA PROCESSING AGREEMENT (the “Agreement”) is entered into by and between:
- [PicHit.me AB], a [limited liability] company incorporated under the laws of Sweden with corporate registration number 556914-4156 (“PicHit.me AB” or, for the purposes of this template, the “[Data Processor]”); and
- [YourCompanyName], a [limited liability] company incorporated under the laws of [Your Country] with corporate registration number [●] (the “Customer”).
Each of [Data Processor] and the [Customer] is referred to as a “Party” and together as the “Parties”.
- [Data Processor] is [PicHit.me AB (Brand name Pickit)]. [Data Processor] has developed and sells the Pickit Business service, which is a SaaS solution providing content (images) in MS Office 365 through an Add-in.
- The [Data Processor]’s Pickit is a software-as-a-service and cloud service in which data processing is carried out in the Microsoft Azure cloud. The Customer is the data controller, whilst [Data Processor] qualifies as data processor under the applicable data protection laws. In light of the above, [Data Processor] and [Customer] have agreed on the following terms and conditions set out in this written Agreement concerning the processing of Personal Data under this Agreement.
“Applicable Laws” shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.
“Data Protection Laws” shall mean the applicable national laws concerning data protection and, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016/679) and their national implementations and related national legislation.
“EEA” shall mean the European Economic Area.
“Personal Data” shall mean all information that is directly or indirectly referable to a living natural person, such as name, email address, IP address, location data etc.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. GENERAL TERMS
- 2.1 [Data Processor] may under this Agreement process Personal Data on behalf of the Customer according to the instructions of the Customer. The Personal Data is and shall remain the property of the Customer.
- 2.2 This Agreement is intended to constitute and shall be interpreted as a written data processing agreement between the [Customer] and [Data Processor] pursuant to applicable Data Protection Laws.
3. The processing
- 3.1 [Data Processor] shall process Personal Data relating to the categories of data subjects, and shall carry out the processing operations, set out in Schedule 1.
- 3.2 [Data Processor] shall process the Personal Data for the purpose of providing the [Product/Service/Software] to the [Customer].
4. Term of processing
- 4.1 This Agreement shall enter into force on the date of last signing and, subject to section 4.2 below, shall remain effective until the [Service Agreement] is terminated or expires.
- 4.2 Upon the termination or expiry of the [Service Agreement], without entering into a new data processor agreement replacing this Agreement, the provisions of this Agreement, subject to the discretion of [Data Processor], shall continue to apply as long as and to the extent Personal Data is processed by [Data Processor] pursuant to the instructions of the Customer.
5. [DATA PROCESSOR]’S obligations
- 5.1 [Data Processor] may process Personal Data only for purposes necessary for the due performance of the [Service Agreement] and only in accordance with the Data Protection Laws applicable to [Data Processor] and in accordance with the written instructions from the Customer as further detailed in Schedule 2 and as otherwise instructed by the Customer in writing from time to time. [Data Processor] may not disclose any Personal Data to a third party without the prior written approval from the Customer or if required by law.
- 5.2 If [Data Processor] does not have sufficient instructions to enable [Data Processor] to deliver the Services and/or other deliverables or otherwise fulfill its obligations, [Data Processor] shall without delay inform the Customer hereof and specify the need for further instructions and await further written instructions from the Customer prior to continuing the relevant processing of the Personal Data.
- 5.3 [Data Processor] shall implement and maintain appropriate and adequate technical and organisational measures as set forth in Schedule 2 to ensure the security of the processed data. The measures shall as a minimum protect the processed data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by [Data Processor]. The measures shall take into account the particular risks associated with the processing of the Personal Data and the sensitivity of the Personal Data which is processed. The measures shall ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of the processed data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- 5.4 [Data Processor] undertakes to oblige all persons, including but not limited to its employees, who access the processed Personal Data in the course of the processing operations carried out by [Data Processor] to comply with confidentiality obligations and access restrictions with regards to the processing of Personal Data. [Data Processor] shall ensure that only such employees have access to Personal Data who have received training and/or instruction in the care and handling of Personal Data.
- 5.5 Taking into account the nature of the processing, [Data Processor] shall, at Customer’s cost upon Customer’s request in accordance with Customer’s written instructions, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject's rights under applicable Data Protection Laws.
- 5.6 [Data Processor], shall, at its own cost, upon Customer’s request in accordance with Customer’s instructions, assist the Customer by appropriate technical and organisational measures, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject's rights under applicable Data Protection Laws.
- 5.7 [Data Processor] undertakes to, at its own cost, assist the Customer upon Customer’s request in ensuring compliance with applicable Data Protection Laws, including but not limited to, with regards to the security of processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.
- 6.1 [Data Processor] shall immediately inform the Customer if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.
- 6.2 The [Data Processor] shall notify the Customer immediately after becoming aware of a Personal Data Breach. [Data Processor] shall not disclose any information relating to a Personal Data Breach without the prior written consent of the Customer. For the avoidance of doubt, information relating to a Personal Data Breach shall be treated by [Data Processor] as confidential information.
- 6.3 [Data Processor] shall not respond, without Customer’s prior written specific consent, to requests or inquiries of third parties, including but not limited to government agencies, public authorities, courts, data subjects, relating to the processing of Personal Data under this Agreement and [Data Processor] shall immediately forward such requests or inquiries to the Customer.
- 6.4 In the event [Data Processor] is required to disclose information, including but not limited to the processed Personal Data or information relating to the processing, according to Applicable Laws or the decisions of public authorities or courts, [Data Processor] shall be obligated to inform the Customer thereof immediately and request confidentiality in conjunction with the disclosure of requested information, unless otherwise specified in Applicable Laws.
7. Information and audit
- 7.1 [Data Processor] is obliged, at its own cost and upon Customer’s request, to make available to the Customer all information necessary for the purpose of demonstrating compliance with applicable Data Protection Laws.
- 7.2 Customer may, pursuant to the relevant provision of the [Service Agreement] but in any case notwithstanding what is set out in the [Service Agreement], carry out or mandate a third-party auditor to carry out an audit, with ten (10) days’ prior notice, in order to verify [Data Processor]’s compliance with this Agreement and with applicable Data Protection Laws. Notwithstanding what is set out in the Service Agreement, [Data Processor] shall grant Customer or the mandated third-party auditor access to [Data Processor]’s premises, records and documents in order to carry out the audit, shall provide assistance with the audit, and shall bear the costs of the audit if it reveals any non-compliance with this Agreement or applicable Data Protection Laws.
- 8.1 This Agreement does not constitute a general authorisation for the [Data Processor] to engage subprocessors for carrying out the processing of the Personal Data. The [Data Processor] may not engage subprocessors without the prior specific consent, in writing, from Customer.
- 8.2 All subprocessors must as a minimum conform to the respective requirements of this Agreement. When engaging subprocessors, [Data Processor] undertakes to ensure that the contract entered into between [Data Processor] and any subprocessor shall impose at least the same data protection obligations as set out in this Agreement.
- 8.3 [Data Processor] may not transfer Personal Data to a country outside the EEA without the prior written approval of the Customer. For the avoidance of doubt, transfer of Personal Data includes but is not limited to any transmission or sharing of, or granting access to Personal Data. [Data Processor] shall be fully liable for the lawfulness and appropriateness of any data transfer approved by the Customer.
- 8.4 [Data Processor] shall, upon Customer’s request, promptly provide all relevant information relating to the approved subprocessors, such as corporate identity, address, location, a copy of the relevant subprocessing agreement.
- 8.5 [Data Processor] shall be fully liable for the acts and omissions of subprocessors. If the subprocessor fails to fulfil its data protection obligations under the Applicable Data Protection Laws, [Data Processor] shall be fully liable to Customer.
- 9.1 [Data Processor] warrants that it has the necessary authority and mandate to enter into this Agreement.
- 9.2 [Data Processor] warrants that the processing of Personal Data is carried out in accordance with Applicable Laws, including but not limited to the obligations relating to the security of the processing.
10. Limitation of liability
- 10.1 Unless expressly provided and notwithstanding what is set out in the Service Agreement, Customer shall only be liable for direct losses caused by negligence and the total aggregate liability shall be limited to an amount corresponding to 10 000 SEK.
- 10.2 Customer shall not be liable for any loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages.
- 10.3 The above limitations shall not apply
- in the event of any loss which is caused by any Party’s gross negligence or intentional breach;
- to the breach of the confidentiality undertaking set out in this Agreement;
- to the indemnification obligations set out in section 11;
- to death or personal injury.
11. Indemnification
The [Data Processor] shall hold Customer harmless and indemnify Customer for third-party claims and damages, as well as administrative penalties or fines issued by courts or authorities, if and to the extent Customer is held liable by a competent court, authority or any other dispute resolution body for processing of Personal Data that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Customer’s failure to perform its obligations under this Agreement.
[Data Processor] is not entitled to any specific remuneration on the basis of the provisions of this Agreement and shall not charge the Customer under this Agreement. For the avoidance of doubt, this provision does not preclude the [Data Processor] from receiving remuneration under any other agreement, including but not limited to the Service Agreement.
13. MEASURES UPON COMPLETION OF PROCESSING
- 13.1 When this Agreement is terminated or expires, the [Data Processor] shall, upon and in accordance with Customer’s request, delete all Personal Data or return all Personal Data to the Customer and then delete it, unless Applicable Laws require the [Data Processor] to store Personal Data. For the avoidance of doubt, deletion shall mean the irreversible erasure of Personal Data in digital formats and the destruction of any hard copies or printouts of such data.
- 13.2 [Data Processor] shall provide Customer with a certificate of deletion appropriately evidencing the deletion pursuant to section 13.1.
- 14.1 Customer may assign its obligations under this Agreement to third parties.
- 14.2 [Data Processor] may not assign its obligations under this Agreement without the prior written approval of the Customer. A specific prior approval of a subprocessor, issued in writing by the Customer pursuant to section 8.1, shall not be interpreted as an assignment.
15. Entire Agreement
- 15.1 This Agreement shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof.
- 15.2 Customer is entitled to amend this Agreement if it is necessary to comply with requirements of applicable Data Protection Laws. Such amendments enter into force at the latest thirty (30) days after Customer has sent an amendment notice to [Data Processor], or within such other time period which Customer is obliged to adhere to according to Data Protection Laws or relevant authorities. Other alterations of and amendments to this Agreement shall be made in writing and be signed by duly authorised representatives of the Parties to be binding.
16. Governing Law and Disputes
- 16.1 This Agreement shall be governed by and construed in accordance with the laws of Sweden, with the exclusion of its conflict of law rules.
- 16.2 [Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The place of arbitration shall be [Stockholm, Sweden]. The language to be used in the arbitral proceedings shall be [English], unless otherwise agreed.
- 16.3 The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.
- 16.4 The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way his rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority or similar.]
Schedule 1 – Processing of Personal Data
Types of Personal Data
The following types of Personal Data are processed by [the Data Processor] on behalf of the Customer under the Agreement:
- user name
- email address
- Company postal & invoicing address
- Invoicing e-mail
- postal code
Categories of data subjects
The processed Personal Data concerns the following categories of data subjects:
[Image Bank Owner]
[Image Bank Admin]
[Image Bank Users]
The following processing operations shall be carried out for the below specified purposes by [the Data Processor] under this Agreement:
When you use or interact with the Service, we may use a variety of technologies that collect information about how the Service is accessed. This information may include
- information about your interactions with the Service including any Content, other users and advertising on the Service
- content that you post to the Service
- technical data, which may include URL information, cookie data, your IP address and the types and identity of devices and network you are using to access or connect to the Service.
If you purchase any Paid Service or if you register an account with Stripe or other payment service provider authorized by Pickit to receive Awards from Pickit, credit or debit card information (such as card type and expiration date) and other financial data that we need to process your payment may be collected and stored by us and/or the payment processors with which we work. We may also collect some limited information, such as your postal code, mobile number, and details of your transaction history, all of which are necessary to provide the Service. In addition, the payment processors generally provide us with some limited information related to you, such as a unique token that enables you to make additional purchases using the information they’ve stored, and your card’s type, expiration date, and certain digits of your card number.
[Data Processor] may not process the Personal Data for any other purposes under this Agreement and its schedules.
Within the Pickit Business service, Personal Data is registered and stored for each user in order to enforce the per-user eligibility rules managed by the Customer’s Office 365 admin.
Schedule 2 – Instructions
1. Instructions for processing of the Processed Data on behalf of the Data Controller
[Data Processor] shall comply with the instructions set forth below with respect to the processing of the Personal Data under this Agreement.
2. Handling and processing of the Personal Data
The premises used by [Data Processor] shall be protected with adequate physical security measures, such as alarms for fire, water damage, burglary, etc. In addition, there should be procedures and equipment, for example in the form of alarms, barriers, locks, etc., which control access to the premises. [Data Processor] shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) an entry control system; (iii) protection against power failures as well as smoke and water damage; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment, etc.
[Data Processor] should possess an updated and implemented security policy which states for example the manner in which the Personal Data shall be processed, to whom [Data Processor]’s personnel shall turn in the event of a burglary or other incident, which personnel are authorized as regards which type of information, back-up procedures, contingency plans, etc.
[Data Processor] should create a secure IT environment, which includes, but is not limited to, (i) necessary security routines for avoiding virus attacks or other threats that could be harmful to the IT environment; (ii) an encryption system and/or other security measures with the purpose of preventing interception or leakage of signals; (iii) necessary security routines for IT equipment; (iv) an access control system based on user authorisation, which enables identification of the user (through the use of passwords or similar) and prevents unauthorised use of or access to the processed Personal Data; (v) storage of processing history (log data), which shall be retained and purged in accordance with Customer’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be retained and purged in accordance with Customer’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained Personal Data and is no longer used.
3. Data subjects’ requests
[Data Processor] shall make it possible to log and trace processing of the Personal Data, including the disclosure and transfer of the Personal Data.
[[Data Processor] shall, subject to the provisions of this Agreement, forward all requests from data subjects to the Customer and shall only act upon the prior authorisation and instructions of the Customer.]
[The Customer authorises [Data Processor] to, subject to the provisions of this Agreement, directly fulfil the requests of data subjects. Subject to the above, [Data Processor] undertakes to inform the Customer of any rectification, erasure or restriction of processing of Personal Data performed at the direct request of a data subject, unless this proves impossible or involves disproportionate effort.]
[[Data Processor] shall have routines to provide Personal Data concerning a data subject in a [structured, commonly used and machine-readable format], at the Customer’s request.]
Subject to the provisions of this Agreement, [Data Processor] shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.