This Data Processing Agreement (the “DPA”), is executed between Flowbox AB (the “Processor”) and the customer set out in the Order Form to which this DPA is attached (the “Controller”).
The Controller and the Processor are individually referred to as “Party” and jointly referred to as the “Parties”.
(A) This DPA is an integral part of the Agreement executed between the Processor and the Controller, under which the Processor will process personal data on behalf of the Controller when supplying the services under the Agreement.
(B) The Controller is the data controller in relation to the processing of the Data. The Processor is a data processor, processing the Data on behalf of the Controller.
1.1. This DPA consists of this main document and the following appendices:
Appendix 1: Instructions
Appendix 2: Security Measures
2. Definitions and interpretation
2.1 In this DPA, capitalized terms shall have the meanings set out below or, if not defined herein or in the general terms and conditions executed between the Parties, the meanings set forth in Applicable Legislation.
Applicable Legislation means the GDPR and any applicable supplementary legislation to the GDPR.
Data means the personal data (as defined in Applicable Legislation), specified in Appendix 1 hereto.
GDPR means Regulation (EU) 2016/679 of the European Parliament and the Council as amended, supplemented and/or varied from time to time.
Agreement means as set forth in the background to this DPA.
2.2 The Parties shall negotiate in good faith and agree on any relevant and necessary amendments and updates to this DPA and the processing carried out hereunder to ensure that it complies with Applicable Legislation at all times during the term of this DPA.
2.3 The Processor shall provide all services under the DPA in a professional manner and as may be expected from a well reputed provider of data processing services.
3.1 The Processor shall process the Data in accordance with the Controller’s written instructions set out in this DPA, including Appendix 1. The instructions shall at least include the following information:
(i) The purpose of the processing;
(ii) The character of the processing;
(iii) The duration of the processing, or how the duration will be decided;
(iv) Categories of personal data included in the Data; and
(v) Categories of data subjects included in the processing.
3.2 The Processor may not process the Data for any other purposes or in any other way than as instructed by the Controller in this DPA. In the event the Controller wishes to provide new or amended instructions the Parties shall mutually agree on such instructions and update Appendix 1 accordingly.
3.3 Notwithstanding the above, the Processor may undertake reasonable day-to-day actions with the Data without having received specific written instructions from the Controller, provided that the Processor acts for and within the scope of the purposes stated in Appendix 1.
3.4 In the event that the Processor considers that any instruction violates Applicable Legislation, the Processor shall refrain from acting on such instructions and shall promptly notify the Controller and await amended instructions.
4. Security measures
4.1 The Processor shall at all times maintain appropriate technical and organizational measures to protect the Data and shall ensure that the Data is at all times protected by updated appropriate security measures against destruction, modification, proliferation and unauthorized access. The Processor shall further ensure that access events are logged and traceable. The security measures are detailed in Appendix 2.
4.2 The Processor shall ensure (i) that only authorized employees who need access to the Data in order for the Processor to provide the processing services under this DPA have access to the Data, (ii) that the authorized employees process the Data only in accordance with this DPA and the Controller’s instructions and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Data.
4.3 The Processor shall notify the Controller without undue delay after becoming aware of a data breach. Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations to (i) document any personal data breach, (ii) notify the applicable supervisory authority of any personal data breach and (iii) communicate such personal data breaches to the data subjects, in accordance with Applicable Legislation.
5. The processor’s obligations to assist
5.1 The Processor shall assist the Controller with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures to such effect. The data subjects’ rights include (i) rights to object to the processing and have the Data erased, (ii) rights to request information about and access to the Data, (iii) if technically viable, rights to move Data from one controller to another, and (iv) rights to request correction of Data.
5.2 The Processor shall further assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR (such obligations include (i) ensuring security of the processing, (ii) impact assessments regarding data protection and (iii) prior consultations).
6.1 The Processor may engage third parties to process the Data or any part thereof on its behalf (“Sub-Processor”), provided that the Controller has approved thereto. Approved Sub-Processors are listed on https://getflowbox.com/subprocessors/.
6.2 When the Controller has approved a Sub-Processor, the Controller may no longer object to such Sub-Processor, unless the Sub-Processor fails to comply with Applicable Legislation or the Processor fails to comply with this DPA due to the Sub-Processor’s default. For the avoidance of doubt, the Processor shall always be liable for the Sub-Processor as for itself.
6.3 The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations reflecting those undertaken by the Processor under this DPA. The Controller shall be entitled to review such agreement before the Controller approves the new Sub-Processor and within the scope of the right to audit pursuant to Section 8 of this DPA.
7. Transfers to third countries
7.1 The Processor may not transfer personal data outside the EU/EEA, or engage a Sub-Processor to process Data outside of the EU/EEA, without the Controller’s prior written consent and upon such consent only if at least one of the following prerequisites is fulfilled:
(i) the receiving country has an adequate level of protection of Data as decided by the European Commission,
(ii) the Controller confirms that the data subject has given his/her consent to the transfer,
(iii) the transfer is subject to the European Commission’s standard contractual clauses for transfer of personal data to third countries,
(iv) the Processor is subject to Binding Corporate Rules and the receiving party in the third country is also subject to the Binding Corporate Rules.
7.2 In the event of a transfer of Data outside the EU/EEA initiated by the Processor, the Processor shall upon the Controller’s request evidence that a valid legal ground applies to the transfer.
8.1 Upon 30 business days’ prior written notice, the Processor will provide to the Controller such information and documentation as is necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation.
8.2 The Controller shall be entitled on 30 business days’ prior written notice to carry out an audit of the Processor’s processing of the Data and of information and documentation relevant in that respect. The Processor shall assist the Controller and disclose any information and documentation necessary in order for the Controller to carry out such audit. The Controller shall carry the costs for such audit, unless the audit reveals that the Processor has substantially violated this DPA or Applicable Legislation, in which event the Processor shall carry the cost.
8.3 If a Data Protection Authority carries out an audit of the Processor which may involve the processing of the Data, the Processor shall promptly notify the Controller thereof.
9.1 The costs for processing of Data and related services are included in the fees set out in the Agreement. The Processor shall not be entitled to any other fees, costs or reimbursements than those specified in the Agreement for any services related to the processing of Data under this DPA.
10. Limitation of liability
10.1 The Processor’s limitation of liability set forth in the Agreement shall apply for the services related to processing of Data carried out under this DPA.
11.1 The Processor undertakes not to disclose or provide any Data, or any information related to the Data, to any third party unless necessary for the performance of the services in accordance with the Agreement. For the avoidance of doubt, any approved Sub-Processor shall not be considered a third party for the purposes of this Section 11.
11.2 Notwithstanding Section 11.1 above, the Processor may disclose such information if the Processor is obliged to do so by law, by a court judgement or by a decision of a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under Applicable Legislation.
11.3 The confidentiality obligation will continue to apply also after the termination of this DPA without limitation in time.
12. Return, export and deletion of data
12.1 The Controller shall upon termination of the Agreement instruct the Processor in writing whether or not to transfer the Data to the Controller (such transfer to be made in a common machine-readable format chosen by the Processor). The Processor will erase the Data from its systems no later than 14 days after the effective date of termination of the Agreement.
12.2 If the Controller requests Data exports from the Processor during the term of this DPA, Data shall be exported to the Controller in accordance with the Processor’s routines and in a common machine-readable format chosen by the Processor.
13.1 This DPA shall, notwithstanding the term of the Agreement, enter into effect when the Processor commences to process Data on behalf of the Controller and shall terminate when the Processor has erased the Data in accordance with Section 12 above.
Appendix 1 – Instructions
Any processing carried out by the Processor shall be carried out in accordance with the following instructions. If the Processor processes Data in violation with these instructions, the Processor will be deemed data controller.
| Instruction | Content |
|---|---|
| Purposes of the processing | |
| The character of the processing | |
| The period of the processing | |
| Categories of Data | Mainly: |
| Categories of data subjects | |
Appendix 2 – Security measures
Description of the technical and organisational security measures implemented by the Processor:
The Processor must have proper people, processes and technology to safeguard Controller’s personal data within the following areas:
The Processor should conduct regular risk assessments on the above mentioned areas.
Access control mechanisms must be in place for Controller’s personal data consisting of at a minimum: