DPA & GDPR
Data Processing Agreement
Leadenhancer Sweden AB
Regarding processing of personal data through the Leadenhancer Services
Leadenhancer is a self-service (SaaS) platform for the modern B2B marketeer that wants to generate leads and customer intelligence for its sales organisation. Leadenhancer automates B2B lead generation by identifying anonymous visitors on your websites, sending automatic sales lead reports to the sales force and allowing marketing to start targeting leads with personalised communication through IP targeted advertisement and personalised website content. On Customer’s website (“Customer”), Leadenhancer (Supplier) provides services (“Service”) to Customer. The Parties have entered into an agreement that specifies the terms and conditions for the Supplier’s provision of the Service to Customer (“Agreement”).
Customer has entered into the agreement for supply of digital services (the “Agreement”) with Leadenhancer in order to use the services in its business operations, which forms the subject matter of the processing of Personal Data under this DPA.
1.2 Upon performance of the Agreement, the Supplier will be Processing Personal Data a) on behalf of Customer being the data controller. In the latter case, Supplier is the Customer’s data processor.
1.3 For the purpose of ensuring compliance with the Data Protection Rules, the Parties have entered into the DPA, which forms an integral part of the Agreement.
1.4 For situations where the Customer is data controller, the Customer shall be deemed to have all of the same rights in relation to the Supplier has under the DPA. Furthermore, all of the Supplier’s obligations in relation to Customer under the DPA shall also apply in relation to the Customer.
1.5 For the purpose of ensuring compliance with the Data Protection Rules, the Parties have entered into the DPA, which forms an integral part of the Agreement.
”Data Protection Rules” means all general laws and regulations, as applicable from time to time, in respect of Processing of Personal Data, including but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or “GDPR”) as well as the Supervisory Authority’s binding decisions, regulations and recommendations and supplementary local adaptions and regulations in respect of data protection.
”Data Subject” means the identified or identifiable natural person, whom the Personal Data relates to.
”Personal Data” means any information, which directly or indirectly relates to a Data Subject and which the Supplier Processes under the DPA.
”Processing” means any operation or set of operations which is performed on Personal Data, or on sets of Personal Data, whether or not by automated means.
”Supplier’s Sub-Processor” means any third party that Processes Personal Data on behalf of the data controller under the DPA, whether Customer or the Supplier is data controller.
”Supervisory Authority” means the independent public supervisory authority/supervisory authorities, authorised to conduct supervision of the Processing of Personal Data in accordance with the Data Protection Rules.
2.1 Unless otherwise stated, any other capitalized term or concept used in the DPA (except merely as part of a heading) shall have the meaning and conception ascribed to it in the Data Protection Rules or otherwise in the Agreement, unless the circumstances obviously require another interpretation.
3. Responsibility and Instruction
3.1 The Personal Data Processed by the Supplier under the DPA consist of data included in the Supplier software service.
3.2 The Supplier shall with regard to Processing of Personal Data under the DPA comply with the Data Protection Rules. Such obligations include inter alia that the Supplier will maintain a record of all Processing of Personal Data as provided for under the Data Protection Rules.
3.3 The Supplier, and anyone working under the Supplier’s supervision, shall only Process Personal Data in accordance with those included in the Supplier software service.
3.4 What is stated above in section 3.3 specifically implies that Personal Data may only be Processed for purposes that are explicitly stated and justified, and that the Supplier, and anyone working under the Supplier’s supervision, may not Process Personal Data for any other purposes than for those for which the Supplier has been engaged in the Processing. If the Supplier does not have any instructions to be able to carry out its obligations under the DPA, the Supplier shall immediately inform Customer of this, specifying whether the performance of the Agreement may be affected by the need of instructions, or if the Supplier deems an instruction to be contrary to Data Protection Rules and await further instructions from Customer. The Supplier is not entitled to suspend, delay or terminate performance in regard to the Service, while awaiting further instructions. The Supplier shall also immediately inform Customer of any changes regarding the Supplier, which affect the Supplier’s obligations under the DPA.
3.5 Processing of Personal Data may also be performed where required by EU law or applicable EU member state law. If Processing is required by EU law or applicable EU member state law, which the Supplier or any of the Supplier’s Sub-Processors are subject to, the Supplier or the Supplier’s Sub-Processor shall inform Customer of such legal requirement prior to Processing the Personal Data, unless providing such information is prohibited for reasons of important public interest under the applicable law.
3.6 Taking into account the nature of the Processing and the information available to the Supplier, the Supplier shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR, including but not limited to the security of the Processing and notification of a personal data breach to the Supervisory Authority and the Data Subject.
3.7 Taking into account the nature of the Processing, the Supplier shall assist Customer by taking appropriate technical and organizational measures insofar as this is possible, in observing its legal obligations in relation to the rights of Data Subjects under the Data Protection Rules. This includes, but shall not be limited to, Customer’s or the Customer’s obligation to respond to requests concerning the right of Data Subjects to receive information and, upon request by Data Subjects, rectify, block or erase Personal Data.
3.8 The Supplier shall assist Customer in fulfilling potential duties to enable data portability regarding Personal Data which the Supplier Processes under the DPA.
4.1 The Supplier shall implement technical and organizational measures in order to protect Personal Data and to ensure a level of security appropriate to the risk with regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The technical and organizational measures shall as a minimum comply with the level of security that the Supervisory Authority requires for corresponding processing.
4.2 The Supplier undertakes to implement technical and organizational measures in order to protect Personal Data from accidental or unlawful destruction, loss or alteration, or unauthorised disclosure of, or access to the Personal Data. The Supplier will upon all Processing, in particular, adhere to the Supervisory Authority’s general guidelines, other recommendations and decisions and shall take all measures required pursuant to Article 32 of GDPR.
4.3 The Supplier shall assist and immediately notify the Customer about unintentional or unauthorized access to Personal Data as well as any other personal data breach pursuant to Article 33 of GDPR.
4.4 In accordance with Article 35 of GDPR, the Supplier shall upon request assist Customer in performance of Customer’s or the Customer’s obligation to perform data protection impact assessments regarding those Personal Data that the Supplier Processes.
4.5 The Supplier shall document the technical and organizational security measures it is using in order to fulfil the security requirements according to the Data Protection Rules and the DPA.
4.6 The Supplier shall implement any additional technical and organizational measures which Customer reasonably requests.
5. Disclosure of Personal Data and Information etc.
5.1 The Supplier shall forward any request to Customer from a Data Subject, the Supervisory Authority or any other third party, who is requesting receipt of information regarding Personal Data that the Supplier Processes under the DPA. The Supplier, or anyone working under the Supplier’s supervision, shall not disclose Personal Data, or information about the Processing of Personal Data, without Customer’s expressed instruction or as provided in the DPA, unless required by the Data Protection Rules.
5.2 The Supplier shall inform the Customer of any inquiries from the Supervisory Authority concerning the Processing of Personal Data under the DPA. The Supplier is not entitled to represent Customer or the Customer or act on their behalf in relation to the Supervisory Authority.
6. Supplier’s Sub-Processors
6.1 Customer hereby gives the Supplier prior, general authorisation to engage Sub-Processors in the Processing of Personal Data, provided that the Supplier enters into a data processing agreement with each Sub-Processor, under which data protection obligations corresponding to what is set out in the DPA are imposed on the Sub-Processor.
6.2 In particular, the Supplier is responsible for ensuring (i) the compliance with Articles 28.2 and 28.4 of GDPR when engaging the Supplier’s Sub-Processors, and (ii) that Supplier’s Sub-Processors provide sufficient guarantees to implement appropriate technical and organizational measures, in such a manner that the Processing meets the requirements of the Data Protection Rules.
6.3 Upon Customer’s request, the Supplier shall provide such specified information regarding Processing by the Supplier’s Sub-Processors, which Customer reasonably may request according to the Data Protection Rules. The Supplier shall inform Customer of any intended changes concerning the addition or replacement of any of the Supplier’s Sub-Processors.
7. Transfer of Personal Data outside the EU/EEA
7.1 If the Supplier or the Supplier’s Sub-Processors transfer Personal Data to a location outside of the EU or the EEA, the Supplier shall ensure that the Supplier or the Supplier’s Sub-Processor transfers the Personal Data in compliance with applicable Data Protection Rules.
8. Audits etc.
8.1 Upon Customer’s request, the Supplier shall without undue delay make available all information necessary to demonstrate the Supplier’s compliance with its obligations under the DPA and the Data Protection Rules, including as part of audits or inspections carried out by the Customer or an independent auditor mandated by them.
9.1 The Supplier shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Such commitment does not apply to information that the Supplier is required to disclose to an authority, or in order to comply with the Data Protection Rules or other statutory rules. This confidentiality obligation shall remain in force after termination of the DPA.
10.1 The Supplier is not entitled to compensation for the performance of any of its obligations under the DPA, unless clearly documented in writing.
11.1 Notwithstanding anything to the contrary stipulated in the Agreement, in the event that the Supplier, anyone working under the Supplier’s supervision or the Supplier’s Sub-Processors, Process Personal Data in breach of the DPA, the Data Protection Rules or contrary to lawful instructions given by Customer, the Supplier shall indemnify and hold Customer harmless from and against any damage under any legal theory, including any administrative fines and compensations that the Customer has paid to Data Subjects.
12. Term and Termination
12.1 Upon termination of the Agreement or the DPA (depending on which is first terminated), the Supplier shall, upon instructions given by Customer, delete or return the Personal Data that Customer has transferred to the Supplier and delete any existing copies, unless storage of the Personal Data is required by EU law or applicable EU member state law, and send a confirmation to Customer of the deletion. The Supplier shall ensure that each of the Supplier’s Sub-Processors does the same.
13. Changes and Additions
13.1 If the Data Protection Rules are changed during the term of the DPA, or if the Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Rules that result in the DPA no longer meeting the requirements for a data processing agreement, the Parties shall make the necessary changes to the DPA, in order to meet such new or additional requirements. Such changes shall enter into force no later than prescribed by the Data Protection Rules, including guidelines, decisions or regulations of the Supervisory Authority.
13.2 Other changes and additions to the DPA must be made in writing and duly signed by both Parties in order to be binding.
14.1 The DPA supersedes and replaces all prior data processing agreements between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of the DPA, notwithstanding anything to the contrary in the Agreement.
14.2 Swedish law applies in all aspects to the Supplier’s Processing of Personal Data under the DPA. Any dispute arising out of or in connection with the DPA shall be settled in accordance with the dispute resolution provision in the Agreement.