This Data Processing Agreement ("DPA") is incorporated into and forms a part of the Terms of Service ("Principal Agreement") entered into by the undersigned parties: the "Customer" and StrongSales AB, with its principal place of business at Sven Hultins gata 9, 412 58 Gothenburg, Sweden ("Data Processor"), collectively referred to herein as the "Parties".
RECITALS
(A) The Customer is the Data Controller.
(B) The Customer intends to delegate certain Services involving the processing of personal data to the Data Processor.
(C) The Parties aim to execute a data processing agreement that adheres to the legal standards governing data processing, including the General Data Protection Regulation (GDPR) (EU) 2016/679.
(D) The Parties are committed to establishing their respective rights and responsibilities clearly.
AGREEMENT
Definitions and Scope
1.1 Terms not otherwise defined here will have the meanings provided in the GDPR. This includes, but is not limited to:
"Customer Personal Data" is any Personal Data processed by a Contracted Processor on the Customer's behalf in relation to the Principal Agreement.
"Subprocessor" refers to any third party appointed to process Personal Data under the authority of the Data Processor or the Customer.
Personal Data Processing
2.1 The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR and the applicable legislation relating to the protection of personal data.
2.2 The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.
2.3 The Data Processor agrees to process Personal Data in compliance with the requirements of applicable Data Protection Laws; processing will occur solely on the Customer’s documented directives.
Data Processor Employees
3.1 The Data Processor will ensure that its personnel engaged in processing Personal Data commit to confidentiality.
Data Security
4.1 Considering technological development, the cost of implementation, and the nature, scope, context, and purposes of Processing, as well as risk severity for the rights and freedoms of natural persons, the Data Processor will implement suitable technical and organizational measures to ensure a level of security appropriate to the risk.
Engagement of Subprocessors
5.1 The Customer provides general authorization for the Data Processor to engage Subprocessors, under the condition that Subprocessors are bound by written agreements that enforce data protection obligations compatible with this DPA.
Data Subject Rights
6.1 The Data Processor will assist the Customer, through appropriate technical and organizational measures, in fulfilling the obligation to respond to requests for exercising the data subject's rights under the Data Protection Laws.
Personal Data Incident Notification
7.1 The Data Processor will notify the Customer without unnecessary delay upon becoming aware of a Personal Data breach affecting Customer Personal Data.
Assistance with Compliance
8.1 The Data Processor will assist the Customer in ensuring compliance with the obligations pursuant to Data Protection Impact Assessments (DPIAs) and prior consultation with the Supervisory Authorities.
Deletion or Return of Customer Personal Data
9.1 Upon termination of the services related to processing, the Data Processor, at the choice of the Customer, will delete or return all the Customer Personal Data.
Audit and Documentation
10.1 The Data Processor shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
Data Transfers
11.1 Any transfer of Personal Data outside of the EU/EEA shall be done in compliance with the GDPR, ensuring an adequate level of data protection.
General Clauses
12.1 Each Party must treat all information of the other Party as confidential, not using or disclosing it without the prior written consent of the other Party, except as required by law or as already public knowledge.