BETWEEN: Sell-o AB, a company incorporated under the laws of Sweden, having its registered office at Norra Kungsgatan 3, 803 20 in the city of Gävle, as registered with the company number 556852-2832 (hereinafter to be referred to as: the “Data Processor”),
AND
The Client (hereinafter to be referred to as: the “Data Controller”).
HEREBY AGREE AS FOLLOWS:
1.1.This Data Processing Agreement applies exclusively to the processing of personal data in the scope of the Contract between the parties for services rendered (hereinafter to be referred to as: the “Service Agreement”).
1.2.Terms such as “processing”, “personal data”, “data controller” and “processor” shall have the meaning ascribed to them in the General Data Protection Regulation (hereinafter: the "GDPR") or any successor legislation.
1.3.It is possible that the Data Processor will be processing personal data (hereinafter to be referred to as: the “Personal Data”) on behalf of the Data Controller in the course of the performance of the Service Agreement with the Data Controller. An overview of the categories of Personal Data and purposes for which the Personal Data are being processed is provided in Annex 1.
2.1.The Data Processor will act as the data processor and the Data Controller will act as the data controller.
2.2.The Data Processor warrants that it will only process the Personal Data in such manner as- and to the extent that - this is necessary for the provision of the services under the Service Agreement, except as required to comply with a legal obligation to which the Data Processor is subject, or to follow instructions of the Data Controller. The Data Processor shall never process the Personal Data for its own purposes.
2.3.The Parties conclude the Service Agreement in order to benefit from the expertise of the Processor in securing and processing the Personal Data for the purposes set out in Annex 1. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to comply with the Service Agreement.
3.1. Without prejudice to any other security standards agreed upon by the Parties, the Data Processor shall take appropriate technical and organizational measures to ensure the security of the processing of Personal Data. These measures shall include in any case:
(a) measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes of the Service Agreement;
(b) measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure, in particular to use encryption for data in transit and at rest (where possible);
(c) measures to identify breaches of and vulnerabilities in the security of those systems used to provide services to the Data Controller and mitigate and repair those breach and vulnerabilities;
(d) The data processor undertakes to commit all staff and personnel that process personal data to confidentiality. The commitment shall survive a termination or expiration of the staff member's employment relationship with the data processor.
(e) the measures in Annex 2.
3.2.The Data Processor shall at all times have in place a suitable, written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Article 3.1. At the request of the Data Controller, the Data Processor shall provide a copy of such security policy and shall demonstrate the measures it has taken pursuant to this Article 3.
3.3 If a data subject contacts the Data Processor for the purpose of exercising their rights as a data subject (e.g. regarding access to, erasure or rectification of personal data), the Data Processor shall promptly forward this request to the Data Controller. The Data Processor will, upon request, reasonably assist the customer to comply with its obligations with respect to the rights laid down in Chapter III of the GDPR. Upon request, the Data Processor shall support the Data Controller by providing information for the performance of Data Protection Impact Assessments pursuant to Art. 35, 36 GDPR.
3.4 At the Controller’s request, the Processor shall permit and contribute to audits of the processing activities covered by the Data Processing Agreement, at reasonable intervals or if there are indications of non-compliance.
An audit will be performed by an independent third party and will take place at a time defined by both parties together. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
The costs of the audit will be borne by the Controller.
4.1 The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 3 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 3.
5.1 The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining the consent of the Data Controller.
5.2 The Data Controller may impose conditions on the consent as meant in Article 5.1, such as the condition that a transfer only takes place if the relevant parties conclude model contract clauses, such as described in Article 46, second paragraph, under c, GDPR.
6.1. The Data Processor shall immediately notify the Data Controller of any incident with regard to the processing of the Personal Data, shall at all times cooperate with the Data Controller and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response and to take suitable further steps in respect of the incident. Specifically, the Data Processor warrants that it provides the Data Controller with all information necessary to fulfill its legal obligations, such as the obligation to notify incidents under Article 33 GDPR. The Data Controller alone may notify any public authority.
6.2 The term “incident” used in Article 6.1 shall be understood to mean in any case any breach of the security and/or confidentiality as set out in Article 4, paragraph 12 GDPR and Article 3 of this Data Processing Agreement leading to the loss or any form of unlawful processing, including destruction, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
6.3 The Data Processor shall notify the Data Controller within 24 hours after discovery of the incident. Such notification shall include at least the following information: (i) the nature of the incident; (ii) the date and time upon which the incident took place and was discovered; (iii) the (amount of) data subjects affected by the incident; (iv) which categories of Personal Data were involved with the incident; and (v) whether and, if so, which security measures – such as encryption – were taken to render the Personal Data incomprehensible or inaccessible to anyone without the authorization to access these data.
6.4 The Data Processor shall at all times have in place written procedures which enable it to provide an immediate response to the Data Controller about an incident, and to cooperate effectively with the Data Controller in addressing the incident, and shall provide the Data Controller with a copy of such procedures upon the Data Controller’s written request.
The Processor is authorized within the framework of the Agreement to engage sub-processors. The Processor shall inform the Controller about any sub-processors and in the event the Controller reasonably objects to such sub-processor, the Controller shall be entitled to terminate the Service Agreement with the Processor.
The Processor shall, in any event, ensure that such sub-processor will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.
8.1 Upon termination of this Data Processing Agreement, or upon the Data Controller’s written request, the Data Processor shall, at the discretion of the Data Controller, either destroy or return the Personal Data to the Data Controller.
8.2 The Data Processor shall notify all third parties involved with the processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.
9.1 This Data Processing Agreement shall come into effect on the same date as the Service Agreement and shall end automatically either: when the Service Agreement is terminated or expires; or at such as the Data Processor has deleted or returned all Personal Data in accordance with Article 8, whichever is later.
9.2 Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its obligations meant to survive the termination or expiration of the Data Processing Agreement.
10.1 In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Service Agreement, the provisions of this Data Processing Agreement shall prevail.
10.2 Any dispute arising between the Parties in connection with and/or arising from this Data Processing Agreement will be referred to the Swedish courts.
Personal data that will be processed in the scope of the Service Agreement:
The above data will be processed only for the purpose of the Service Agreement (E-Commerce integration between Marketplace and ERP / Order management system)
Security
The Data Processor shall take the appropriate technical and organizational measures to ensure the security of the processing of Personal Data as set out in Article 3.
The additional security measures taken by Data Processor are:
Version: 2024-10-16