1. Parties
The Company AB, company reg. no. XXXXXX-XXXX, at The Street 17, 11160 The City, referred to below as “Data Controller”; and
2. Rule Communication – Nordic AB, company reg. no. 556740-1293, at Kammakargatan 48, 111 60 Stockholm, referred to below as “Data Processor”.
3. The Data Controller and the Data Processor are individually referred to as “the Party”, and together as “the Parties”.
2. Background and Purpose
2.1 Under the Data Protection Regulation, a written agreement is required that regulates the circumstances and terms under which a data processor can process personal data on behalf of a data controller.
2.2 The Parties have entered into an agreement concerning the service Rule (“the Principal Agreement”), which means that the Data Processor will process personal data on behalf of the Data Controller. If provisions of the Agreement (“the Agreement”) are in conflict with the Principal Agreement, the provisions of the Agreement shall have priority.
2.3 The Data Controller hereby commissions the Data Processor to store personal data from digital marketing, web traffic etc. and to communicate the results of these to the Data Controller. The Data Processor can gather the personal data in the following ways:
Digital Communication:
The Data Processor saves all the information surrounding the digital communication from the Data Controller’s account in Rule and stores all the information regarding the visitor’s email address, mobile phone number, profile, geographical position, user-agent, time and clicks.
Forms Published from Rule:
It is also possible for the Data Controller to create their own forms (“Widgets”) via Rule that are displayed on the website. These can be used to gather personal data.
Import or Manually Submit Personal Data:
The Data Controller can independently, or with the help of the Data Processor, import personal data into Rule’s database. This can happen indirectly, via the website, through digital communication, by importing data directly in Rule’s interface or via API. The Data Controller can also choose to activate add-ons for integrations with other systems (email, CRM, event systems etc.). These integrations can supply Rule with personal data.
2.4 In Rule, the Data Controller can perform a match between subscription/member bases with the purpose of identifying behaviours.
2.5 The purpose of this match is to be able to direct more relevant digital communication to the subscriber/member and to offer the subscribers/members who can be identified, a more tailored offer. Rule will therefore, as part of this matching assignment, process personal data on behalf of the Data Controller.
2.6 The protection of the integrity of the Data Controller’s clients is of great ethical and commercial importance to the Data Controller; therefore the Data Processor shall process the Personal Data in accordance with applicable law, regulations and industry standards.
3. Definitions
3.1 “Personal Data” below refers to all kinds of data that directly or indirectly can be attributed to a natural person who is alive and, by using the Rule service, is processed on behalf of the Data Controller.
3.2 “Registered” below refers to the person whom the Personal Data concerns.
3.3 “Processing” below refers to every measure or series of measures that is taken when it comes to Personal Data, whether it takes place automatically or not, e.g. collection, registration, organizing, storing, editing or changing, recycling, acquisition, use, disclosure by transmission, spread or other provision of data, compilation or cross-referencing, blocking, erasure or destruction.
3.4 “Data Protection Regulation” refers to the European Parliament and the Council’s Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also called GDPR. “Data Protection Regulation” also refers to additional national constitutions, regulations, and general guidelines from the supervisory authority (the Swedish Data Protection Authority) and EU organisations as well as indicative rulings from the Swedish Court and the European Court of Justice.
4. The Data Processor’s Obligations
4.1 The purpose of the Agreement is for the Data Processor to ensure that the Processing of Personal Data takes place in accordance with the Data Protection Regulation and applicable regulations and industry standards.
4.2 The Data Processor and the person or persons who work under his/her guidance may only Process Personal Data in accordance with the instructions that are supplied from time to time by the Data Controller.
4.3 The Data Processor may only collect Personal Data in accordance with the instructions issued by the Data Controller. As the Data Processor only delivers the tools for the collection of Personal Data, it is the Data Controller’s responsibility to ensure that the processing takes place on legal grounds, e.g. that the necessary consents have been obtained from the Registered and that the Registered obtain information in accordance with the Data Protection Regulation’s requirements. The Data Processor shall, upon request from the Data Controller, without delay submit the data that the Data Controller needs to be able to show that the Registered have been informed, in those cases where the Data Processor holds this data.
4.4 The Data Processor shall take the technical and organizational measures that are required according to the Data Protection Regulation in order to protect the Personal Data that is being Processed against unauthorized access, destruction and changes. In doing so, the Data Processor shall especially observe the general guidelines or other regulations in force at any time, such as the Swedish Data Protection Authority’s general guidelines “Säkerhet för personuppgifter” or other regulations that replace the aforesaid. The Data Processor shall ensure that all the data is encrypted.
4.5 In the event of the Registered, the Swedish Data Protection Authority or other third party requesting information from the Data Processor regarding the Processing of Personal Data, the Data Processor shall refer to the Data Controller. The Data Processor may not disclose Personal Data or other information regarding the Processing of Personal Data without express instructions from the Data Controller.
4.6 The Data Controller has the right to, at his/her own expense or via third party, monitor that the Data Processor is following the Agreement. The Data Processor shall enable and contribute to reviews, including inspections, that are conducted by the Data Controller or other auditors that have been authorized by the Data Controller.
4.7 When the Agreement expires, the Data Processor shall make the Personal Data available to the Data Controller via the Rule service and, when the Data Controller has notified the Data Processor that the Personal Data has been collected, he/she shall in writing request the Personal Data be erased. The Data Processor shall in every event, 30 days at the latest after the expiration of the Agreement, make sure that there is no Personal Data remaining with the Data Processor, unless otherwise agreed upon by the Data Processor and the Client.
4.8 The Data Processor shall, upon finding out about a personal data breach that includes the Data Controller’s Personal Data, notify the Data Controller about the breach without any unnecessary delay. The notification shall include the information necessary for the Data Controller to be able to fulfil his/her obligations according to the Data Protection Regulation to report the personal data breach to the supervisory authority as well as to notify the Registered about the personal data breach. Such a notification shall be given to the contact person assigned by the Data Controller to be in contact with the Data Processor.
4.9 The Data Processor is responsible for the Personal Data that is Processed within the EU/EEA.
4.10 The Data Processor shall when necessary help the Data Controller with the execution of a data protection impact assessment as well as any prior consultations with the supervisory authority.
5. Confidentiality
5.1 The Data Processor agrees not to disclose or in any other way reveal information regarding Processing of Personal Data that is included in the Agreement or any other information that the Data Processor has acquired in connection with the Agreement. The Data Processor also agrees not to use the Personal Data for his/her own purposes.
5.2 The undertaking in the first sentence of paragraph 5.1 does not apply to:
a) information that a party can show was publicly known at the time of receipt, or
b) information that a party is ordered to provide to an authority.
The confidentiality undertaking also applies after the Agreement in other respects has expired.
5.3 The Data Processor shall ensure that all individuals working under its supervision, who are involved in the Processing, are bound by confidentiality obligations regarding the Processing. However, this is not required if they are already subject to a legally sanctioned duty of confidentiality. The Data Processor also undertakes to ensure that there are confidentiality agreements with the sub-processor, as well as confidentiality obligations between the sub-processor and all individuals working under its supervision, who are involved in the Processing.
6. Intellectual Property Rights Etc.
6.1 All intellectual property rights for the collection of Personal Data belong to the Data Controller and the Data Controller provides only a non-exclusive right for the Data Processor to use the Personal Data for the execution of assignments according to the Agreement.
7. The Hiring of Sub-Processors
7.1 If the Data Processor, with the permission of the Data Controller, transfers its obligations according to the Agreement to a sub-processor, this may only happen by entering into a written agreement with the sub-contractor, whereby the same obligations that, according to the Agreement are imposed on the Data Processor, will be imposed on the sub-processor.
7.2 The Data Processor shall notify the Data Controller in writing regarding the intention to sign an agreement with a sub-contractor. If the Data Controller does not submit a written objection to this, that is objectively justified, within 14 upon receipt of the notification, the Data Processor is free to hire the sub-processor. At the time of the signing of the Agreement, the sub-processors that appear in Appendix 1 are approved by the Data Controller.
7.3 In the case of the Processing of Personal Data being performed by a sub-processor in third countries, the Data Controller authorizes the Data Processor to sign a data processing agreement on behalf of the Data Controller with sub-processors in third countries, in accordance with the Commission’s Decision (2010/87/EU) on standard contractual clauses for the transfer of personal data to third countries. The Data Processor shall thereby declare to the Data Controller, in which country the Processing is taking place. The requirements in Chapter V GDPR shall also be met.
7.4 If the sub-processor does not meet the obligations regarding Processing, according to the sub-processing agreement, the Data Processor shall remain fully responsible towards the Data Controller for the sub-processor’s fulfilment of his/her obligations according to the Agreement.
8. Financial Compensation
8.1 The Data Processor is not entitled to any particular financial compensation for the Processing of Personal Data according to the Agreement.
9. Limitation of Liability
9.1 In the event of the Registered, or other third party, directing claims against the Data Controller due to the Data Processor’s Processing of Personal Data, the Data Controller shall report this to the Data Processor.
9.2 If the Data Processor has failed to fulfil his/her undertaking according to the Agreement, the Data Controller has the right to be compensated. The Data Processor’s responsibility to the Data Controller under the Agreement is limited to 50% of the payment received, according to the Principal Agreement, from the Data Controller during the past 12-month period after being reported.
10. Force majeure
10.1 Neither of the parties is responsible for damages or delays arising due to labour disputes, official decisions or other circumstances beyond the control of the parties.
11. Agreement Period
11.1 The agreement is valid from the date of signature and for as long as the Data Processor Processes the Personal Data according to the Principal Agreement.
12. Applicable Law and Dispute Resolution
12.1 The Agreement and all Processing of personal data that takes place within the Agreement is regulated by Swedish law, with the exception of applicable choice of law rules. Disputes regarding interpretation or application of the Agreement shall be settled according to the Principal Agreement’s dispute resolution provisions.
This agreement has been drawn up in two copies, of which the parties have received one each.