Data processing agreement
Updated on May 3, 2022
This Data Processing Agreement (“DPA”) is entered into between:
Data Controller (the “Customer”)
Data Processor: Advisible AB, Reg. No. 559188-4977, Box 6075, 102 32 Stockholm, (the “Supplier”)
The parties have entered into an agreement regarding the Customer’s use of the Supplier’s advertising platform (the “Terms of Service”) under which the Supplier will process the Customer’s personal data on the Customer’s behalf (“Personal Data”). This DPA is an appendix to the Terms of Service.
In the event of inconsistencies between the provisions of this DPA and the Terms of Service or the other appendices in respect of personal data, the provisions of this DPA shall prevail.
Terms used but not defined herein, such as “processing”, “data subject”, “personal data breach” and “supervisory authority”, shall have the same meanings as in the EU General Data Protection Regulation (679/2016) (“GDPR”), and their cognate terms shall be construed accordingly.
Defined terms in the Terms of Service shall have the same meanings when used in the DPA.
The parties undertake to fulfil their obligations under the GDPR and any laws implementing or supplementing the GDPR (“Applicable Laws”). As the controller, the Customer is responsible for the processing of the Personal Data being lawful and compatible with the purposes, and for giving information to the data subjects.
The Supplier shall only process the Personal Data in accordance with appendix A and/or the written instructions of the Customer, unless required to do so by the GDPR or the applicable law of the European Union or its member states. In such a case, the Supplier shall inform the Customer of that legal requirement before processing the personal data, unless such information is prohibited by mandatory applicable law. The Supplier is entitled to collect anonymous and de-identified data on the use of the Services that specifies neither the Customer nor data subjects, and use it for analysing and developing the Services.
The Supplier shall, without undue delay, notify the Customer if any conflict with Applicable Laws is detected in the instructions.
4. Security and confidentiality
The Supplier shall implement and maintain the appropriate technical and organizational measures in accordance with article 32 of the GDPR.
The Supplier shall ensure that everyone with authorization to process Personal Data abides by appropriate non-disclosure commitments.
5. Personal Data Breaches
The Supplier shall without undue delay notify the Customer upon receiving information of a personal data breach affecting Personal Data.
The Supplier shall provide the Customer with the information necessary for the Customer to fulfil its obligations according to articles 33–34 of the GDPR.
6. Data Protection Impact Assessments and Prior Consultations
The Supplier shall, upon the Customer’s request, assist the Customer in its performance of data protection impact assessments and prior consultations with supervisory authorities in accordance with articles 35–36 of the GDPR.
7. Requests from Data Subjects
The Supplier shall, upon receipt of a request from a data subject, supervisory authority or other party regarding Personal Data, promptly refer the request to the Customer.
8. Data Subjects’ Rights
The Supplier shall, if reasonably possible and with regard to the nature of the processing, through technical and organizational measures, assist the Customer in responding to requests regarding Data Subjects’ rights in accordance with the GDPR.
The Supplier shall have the right to engage subcontractors for the processing of Personal Data (“Sub-processors”).
The Supplier shall enter into written data processing agreements with its Sub-processors that ensure as a minimum the same commitments and obligations that the Supplier has according to this DPA.
The Supplier shall inform the Customer beforehand of new Sub-processors the Supplier intends to use in processing the Personal Data pursuant to the Terms of Service and this DPA. The Customer has the right to object to the use of a new Sub-processor. The Customer shall notify the Supplier of such objection within thirty (30) days of the Supplier’s notice to the Customer. If the Customer does not object within thirty (30) days of the Supplier’s notice to the Customer, the Customer shall be deemed to have accepted the use of the new Sub-processor.
In the event that the Customer’s opposition to such Sub-processor, in the Supplier’s opinion, prevents effective provision of the Supplier’s Services in accordance with the Terms of Service, the Supplier may suspend the Customer’s access to the Services without penalty or liability, with thirty (30) days’ notice.
The Supplier is fully liable toward the Customer for the Sub-processor’s actions and any failure by the Sub-processor to adhere to its data protection obligations when processing Personal Data.
A list of Sub-processors deemed approved when this DPA is concluded is attached in appendix A.
10. Transfer of Personal Data outside the EU/EEA
The Supplier may only transfer Personal Data outside the EU/EEA provided that the Supplier ensures that the transfer is allowed in accordance with Applicable Laws. This shall mean that the Supplier shall not transfer Personal Data to a country outside the EU/EEA unless the Supplier has ensured that (i) the transfer is based upon an adequacy decision published by the European Commission, or (ii) that the standard contractual clauses annexed to implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries apply, or (iii) that the transfer is otherwise allowed under the GDPR and Applicable Laws.
If the transfer mechanism used to ensure that the transfer is allowed in accordance with Applicable Laws would be declared invalid or illegal by the European Court of Justice, the European Commission or any other competent EU institution or national court or authority, the Supplier shall ensure that all processing of Personal Data outside the EU/EEA is based on another permitted transfer mechanism under Applicable Laws.
The Supplier shall provide the Customer with access to information that the Customer needs to verify that the Supplier complies with its obligations under this DPA.
The Supplier shall enable and contribute to inspections and audits that the Customer, with at least twenty (20) days’ notice, conducts itself or through a third party (however not a competitor of the Supplier).
The audits may only be conducted at the Supplier’s premises during normal office hours. The representatives of the Customer and all others assisting in the audit must sign conventional non-disclosure commitments.
The Supplier has the right to invoice the Customer for the Supplier’s costs (cost price) associated with the audit, unless the audit reveals a material breach by the Supplier of its obligations under this DPA.
12. Return or deletion
Upon termination of the Terms of Service, or upon the Customer’s request, the Supplier shall without undue delay, at the choice of the Customer, return all Personal Data to the Customer or delete the Personal Data, and thereafter delete all copies of Personal Data, unless required by law to retain it.
13. Dispute resolution
The terms regulating governing law and dispute resolution in the Terms of Service shall apply to this DPA.
The terms regulating liability in the Terms of Service shall apply to this DPA.
15. Duration of the DPA
This DPA shall enter into force upon signing of the Terms of Service by the parties and remain in force as long as the Supplier processes Personal Data.
The Supplier has the right to invoice the Customer for costs (cost price) incurred by the Supplier when assisting the Customer with data protection impact assessments, prior consultations, requests from data subjects and when deleting and returning Personal Data.
If the terms concerning the processing of Personal Data of the DPA and the Terms of Service are in conflict, the parties shall apply the terms of this DPA.
|Subject matter|The subject matter of the processing of the Personal Data is set out in the Terms of Service and this DPA.|
|Nature and purpose of processing|Processing for the purpose of providing the Services in accordance with the Terms of Service and in accordance with the Customer’s instructions. The Supplier will process the personal data mainly according to the following:|
|Categories of data subjects|Visitors of the Customer’s Digital Property.|
|Categories of Personal Data|
|Retention periods|Processing will take place during the Customer’s use of the Services, and for a limited period thereafter under this DPA.|
The Customer has given the Supplier the following instructions for deletion:
|Transfers outside the EU/EEA|See list of sub-processors.|