DATA PROCESSING AGREEMENTS

This agreement serves as an annex to the Sajnat General Terms and Conditions. When you, as a user of Sajnat, accept the General Terms and Conditions, you also accept this Data Processing Agreement.

When you use Sajnat, we, as a data processor, will process personal data ourselves and/or through another contracted data processor on behalf of the data controller. The purpose of this agreement is to ensure that personal data is processed in accordance with the controller’s instructions and applicable laws and regulations.

Definitions

“The Agreement” means this Data Processing Agreement together with its annexes.

‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’), an identifiable natural person being one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘personal data breach’ means a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

‘Register’ means a structured set of personal data which is accessible according to specific criteria, whether centralized or dispersed on the basis of functional or geographical relationships.

‘Data subject’ means an identified or identifiable natural person.

‘Sensitive personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation.

“System administrator” means the person at the Controller who carries out the registration of a natural or legal person with the Processor in connection with the conclusion of the Service Agreement and the start-up of the services.

The terms defined above and other terms and expressions used in this Agreement shall have the meaning given to such terms and expressions under Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (the “Data Protection Regulation”).

Obligations of the processor

The processor shall, on behalf of the controller, process personal data only in the manner, for the purposes and for the duration, and only with respect to the types of personal data and categories of data subjects, specified in this Agreement.

The processor may only process personal data in accordance with documented instructions from the controller, unless processing is required by applicable data protection legislation. Where such a legal obligation applies to the processor, the processor shall inform the controller of it before processing the personal data, unless providing that information is prohibited on important grounds of public interest under that legislation.

The Controller acknowledges that the Processor’s obligations under this Data Processing Agreement constitute the complete instructions to be followed by the Processor. Any changes to the Controller’s instructions shall be documented in writing and signed by both Parties. The Controller shall not, without such written agreement, allow the Processor to process other categories of personal data, or to process personal data of other categories of data subjects, other than as set out in paragraph 14.

If the processor considers that an instruction from the controller is contrary to the GDPR or other applicable data protection legislation, the processor shall immediately inform the controller thereof.

If the processor lacks instructions that it deems necessary to carry out the processing of personal data, the processor shall inform the controller of this without delay and await the instructions that the controller deems necessary and communicates to the processor.

The Controller confirms that a System Administrator has the right, on behalf of the Controller, to provide such instructions to the Processor regarding the Processor’s personal data processing operations as are necessary for the System Administrator and the Processor to fulfill their respective obligations to the Controller.

If the Data Controller, as a result of an agreement with a third party for that party to provide services to the Data Controller that are integrated with the Services, activates and approves such an integration, the parties hereby confirm that the Data Processor is obliged, and entitled, to disclose personal data to, and receive personal data from, that third party to the extent necessary for the third party and the Data Processor to fulfill their respective obligations to the Data Controller.

Data security and confidentiality

The data processor shall take appropriate technical and organizational measures so that the processing of personal data meets the requirements of the Data Protection Regulation and the Agreement, and otherwise ensure that the rights of data subjects are protected.

The processor shall ensure that persons authorized to process personal data are bound by an undertaking of confidentiality or a statutory obligation of secrecy and only process them in accordance with documented instructions from the controller, unless they are obliged to do so under applicable data protection law.

Use of subcontractors

The controller hereby authorizes the processor to engage another processor to process personal data on behalf of the controller. The processor shall inform the controller of any plans to engage new processors or replace processors so that the controller has the opportunity to object to such change. Such objection shall be made in writing without undue delay from the receipt of the information by the controller.

If the data processor engages another data processor to process personal data on behalf of the data controller, the data processor shall contractually impose on the other data processor the same data protection obligations that apply to the data processor under this Agreement, and shall ensure that the other data processor provides sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of the Data Protection Regulation.

Information to the controller

The processor shall, taking into account the nature of the processing, assist the controller by appropriate technical and organizational measures, to the extent possible, so that the controller can fulfill its obligation to respond to requests to exercise the rights of the data subject in accordance with the GDPR.

The processor shall, taking into account the nature of the processing and the information available to the processor, provide the controller with the information necessary to enable the controller to comply with its obligations to carry out data protection impact assessments and prior consultation with the supervisory authority regarding the processing of personal data under this Agreement.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement and shall enable and contribute to audits, including inspections, carried out by the Controller or a third party designated by the Controller.

Personal data breach

In the event of a personal data breach, the processor shall notify the controller without undue delay after becoming aware of the breach.

Without undue delay after a personal data breach has occurred, the processor shall investigate the extent, nature and likely impact of the breach, take appropriate remedial action to prevent or mitigate the adverse effects of the breach and, upon request, consult with the controller to determine whether the controller is required to notify the breach to the relevant supervisory authority. As soon as possible after completion of the investigation, the processor shall provide the following information regarding the personal data breach:

a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
the likely consequences of the personal data breach; and
the measures that the processor has taken or intends to take to address the personal data breach and to mitigate any adverse effects of the personal data breach.

Upon request, the processor shall provide the controller with aggregated documentation of all personal data breaches, including the circumstances of the personal data breach, its effects and the corrective measures taken.

Return and deletion of personal data

Upon termination of the Agreement, the data processor shall, in accordance with the data controller’s instructions, return all personal data to the data controller or delete the personal data. If such instructions have not been provided within 30 days of the termination of the Agreement, the data processor is entitled to delete all personal data, unless retention of the personal data is required by applicable data protection legislation.

Register

The processor shall keep a record in electronic form of all processing of personal data carried out on behalf of the controller. The register shall contain the following information:

the name and contact details of the processor or processors and of each controller on whose behalf the processor is acting and, where applicable, of the controller’s or processor’s representative and data protection officer;
the purposes of the processing;
the categories of data subjects and the categories of personal data, and the envisaged time limits for erasure of the different categories of data;
where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) GDPR, documentation of the suitable safeguards; and
a general description of the technical and organizational security measures referred to in Article 32(1) GDPR.

At the request of the competent supervisory authority, the processor and any processor engaged by it shall make the register available to that authority.

Where a data subject requests a record of the processing of his or her personal data, the processor shall, at the request of the data subject or the controller, provide the record of such processing.

Requests for information

In the event that the data subject or other third party, supervisory authority, court or other authority requests information from the data processor concerning the processing of personal data or the content of such data, the data processor shall refer to the data controller, subject to the data processor’s obligations under this Agreement or applicable data protection legislation.

The processor shall inform the controller without delay of any requests for information or other contacts pursuant to clause 4.1 above, which relate to or may be relevant to the processing of the personal data.

Audit, inspection and review

In order for the controller to verify that the processing of personal data complies with the requirements of this Agreement and the GDPR, the processor shall also enable and contribute to audits, including inspections, conducted by the controller or by an auditor or other personnel authorized by the controller.

The processor shall allow the controller to audit the processor’s processing of personal data on the controller’s behalf, either itself or through an engaged third party. The audit may cover, among other things, authorization administration, security routines, logs, log follow-up and traceability for the processing of personal data that the data processor is required to maintain under this Agreement and the Data Protection Regulation. The processor shall provide the controller with the access and assistance necessary to carry out such an audit.

The processor shall grant the controller the right to investigate unauthorized access to the personal data, where appropriate and to a reasonable extent.

Form of transfer of personal data

The transfer of personal data between the parties shall take place on a medium agreed between the parties.

Where a data subject has submitted a request in electronic form, the Data Protection Officer shall, where possible, provide the information in electronic form.

Rights and permissions

The data processor is fully responsible for ensuring that it has all the rights necessary for the conclusion and performance of the data processing agreement. Thus, the processor must ensure that it has all the rights necessary for the performance of its obligations and ensure that the performance of its obligations does not infringe the rights of third parties.

The processor is not entitled to represent the controller or otherwise act on its behalf without a specific agreement with the controller.

The processor does not obtain any rights to the personal data processed under this data processing agreement or to the result of such processing.

Processing of personal data in another country

The data processor or its subcontracted data processor may only transfer personal data to a third country if the conditions in Chapter V of the GDPR are met. At the request of the controller, the processor shall provide a written description of how those conditions are met.

Obligations of the controller

The data controller is responsible for ensuring that the processing of personal data that it entrusts to the data processor is legally based and necessary for the purpose or purposes of the processing and is otherwise permitted under the General Data Protection Regulation and other applicable data protection legislation.

The controller is fully responsible for ensuring that it has all the rights necessary for the conclusion and performance of the data processing agreement. Thus, the controller shall ensure, inter alia, that it has all such authorizations and consents and meets all other requirements for its lawful performance of this Agreement and that its performance does not infringe the rights of third parties.

The data controller shall provide the data processor with such instructions regarding personal data as are necessary for the data processor to fulfill its obligations under this Agreement and the Data Protection Regulation.

The controller shall inform the processor of the nature of the personal data to be processed by the processor on behalf of the controller and, in particular, whether the personal data are likely to constitute sensitive personal data. In such a case, the controller is obliged to identify the security measures that may be required when processing such personal data and not to allow the processor to process the data until such security measures are in place.

The data controller shall inform the data processor without delay of any circumstances of which the data controller becomes aware and which can reasonably be assumed to be relevant to the data processor’s performance of its obligations under this Agreement.

The controller is not entitled to represent the processor or otherwise act on its behalf without prior specific agreement with the processor.

Responsibility in the processing of personal data

The data processor shall indemnify the data controller against claims for compensation, penalties or other claims brought against the data controller as a result of the data processor’s breach of this Agreement or the Data Protection Regulation, subject to the limitation of liability set out in the Service Agreement.

However, the data processor is never responsible for damage suffered by the data controller that is attributable to the data processor acting in accordance with instructions given by the data controller. The controller shall indemnify the processor against any claims for compensation, penalties or other claims against the processor for acting in accordance with such communicated instructions.

Before entering into any negotiation, settlement or other agreement with a data subject, authority or other third party in relation to the claims referred to in this paragraph 10, a party shall inform the other party and give it the opportunity to assist that party or otherwise appropriately defend its interests.

Compensation

The data processor shall be entitled to full compensation for work, measures, expenses and other costs arising from the data processor’s obligations under the Agreement. Unless otherwise agreed, compensation shall be paid according to the data processor’s price list applicable from time to time and, as regards expenses and other costs, shall correspond to the data processor’s actual costs.

Duration of the contract

This Agreement enters into force when, in connection with your use of Sajnat, you accept our General Terms and Conditions and with them this Data Processing Agreement, and it expires at the end of the agreement period.

Applicable law and dispute resolution

Swedish law shall apply to this Agreement.
Any dispute arising out of or in connection with this Agreement shall be finally settled by the general court at the place where Sajnat has its registered office.

Existing and approved subcontractors

Below is a list of existing and approved subcontractors, all of which are necessary for the performance of our contractual obligations.

Amazon Web Services
Type of service: Data storage
Use of the service and data processed: The document in its entirety, in PDF form, and parts of the document in image format, including the processing and conversion of PDF to image format. Stored encrypted at rest in Sweden (S3). The database runs on EC2 and is backed up, encrypted, to S3. Customer logos uploaded in the tool are not encrypted at rest, since the logo is public.
Conditions: https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/

Stripe
Type of service: Payment solution
Use of the service and data processed: Stores customer data for accounting purposes. Contact person, contact email, organization number, etc.
Conditions: https://support.stripe.com/questions/accept-and-download-your-data-processing-agreement-(dpa)-with-stripe

Mailgun
Type of service: Mail server
Use of the service and data processed: Sending emails via EU servers. Email content is stored for 3 days and then deleted; logs are likewise retained for 3 days. Data stored: PDF documents, contract thumbnails, email addresses and names.
Conditions: https://www.mailgun.com/legal/dpa/

Pusher
Type of service: WebSocket service
Use of the service and data processed: Sending real-time status updates via servers in the EU, for example that an email has been received. The data handled are document-related, such as a change in the status of a signature.
Conditions: https://messagebird.com/legal/dpa