Data Processing Agreement

This data processing agreement (“DPA”) forms part of the Agreement between OneLab AB (“Processor”), as data processor, and the Customer that is party to the Agreement (“Controller”), as data controller. If there is any conflict between this DPA and the Agreement, this DPA shall prevail in relation to the processing of personal data. Controller and Processor are jointly referred to as the “Parties” and each of them as a “Party”.

1 Introduction

1.1 In order to perform its obligations under the Agreement, Processor will process personal data on behalf of Controller. This DPA is an appendix to the Agreement and regulates processing of personal data in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”) and any national or European Union law as applicable from time to time (“Applicable Data Protection Legislation”).

1.2 In the event of any conflict or inconsistency between the Agreement and this DPA related to the processing of personal data, the provisions of the DPA shall prevail.

2 Agreement Documents

2.1 The following appendices are hereby incorporated by reference into this DPA:

Appendix I – List of Parties and Description of Processing
Appendix II – Technical and Organisational Measures
Appendix III – List of Sub-Processors

3 Processing of Personal Data

3.1 The subject-matter, duration, nature and purpose of the processing are set out in Appendix I (List of Parties and Description of Processing).

3.2 Controller is responsible for ensuring that the processing is carried out in accordance with Applicable Data Protection Legislation and for providing Processor with accurate and sufficient instructions.

3.3 Processor undertakes to process personal data only in accordance with the instructions under this DPA, the Agreement and documented instructions given by Controller from time to time, unless the processing is required by Applicable Data Protection Legislation. In such case, Processor shall inform Controller of the processing and the legal requirements on which the processing is based, prior to processing the personal data, unless providing such information is prohibited under Applicable Data Protection Legislation.

3.4 Processor shall promptly inform Controller if (i) Processor is unable to fulfil its obligations under the DPA; (ii) Processor deems that the instructions provided by Controller infringe Applicable Data Protection Legislation; or (iii) Processor deems that the instructions provided by Controller are inadequate or incorrect. In such case Controller shall adjust its instructions.

4 Security Measures

The Parties shall take appropriate technical and organisational security measures necessary to ensure a level of security appropriate to the risks presented when processing personal data, and when necessary, implement and maintain the technical and organisational security measures set out in Article 32 GDPR. The technical and organisational security measures agreed upon between the Parties are set out in Appendix II (Technical and Organisational Measures). Controller shall ensure that such measures comply with the provisions of Applicable Data Protection Legislation.

5 Transfer outside of the EU/EEA

Processor may only transfer personal data to a country outside the EU/EEA in accordance with instructions provided by Controller, as further set out in the appendices to this DPA as updated from time to time. If personal data is transferred to a country outside the EU/EEA, the Parties shall ensure that the transfer is subject to an adequate transfer mechanism in accordance with Chapter V of the GDPR, for example by executing the applicable module of the EU Commission’s approved Standard Contractual Clauses or binding corporate rules. To the extent necessary to ensure an adequate protection of personal data, the Parties shall agree upon additional safeguards in Appendix III (List of Sub-Processors).

6 Use of Sub-Processors

6.1 Processor hereby obtains a general written authorisation from Controller to use sub-processors to process personal data on behalf of Controller. The list of sub-processors authorised by Controller for the processing of personal data upon the effective date of this DPA is set out in Appendix III (List of Sub-Processors). Processor shall inform Controller in writing of the addition or replacement of sub-processors at least 30 days before the change takes place, in order to give Controller the opportunity to object to the change.

6.2 Controller shall have the right to object in writing within 20 days of Processor informing Controller of the change. Controller may object to the use of a sub-processor only if there is reason to believe that the sub-processor does not comply with the requirements of the Applicable Data Protection Legislation, and shall state the reasons for the objection. Processor shall provide Controller with the information necessary for Controller to exercise its right to object.

6.3 Processor shall ensure that a written agreement imposes on sub-processors at least equivalent obligations in relation to the processing of personal data as those imposed on Processor under this DPA. Processor shall be fully liable to Controller for the performance by the sub-processor of its obligations, as for its own under this DPA.

7 Duties of Processor

7.1 Processor shall, upon Controller’s reasonable request, assist Controller as far as reasonably possible and with regard to the nature of the processing, in fulfilling its obligations to respond to requests from data subjects to exercise their rights under the Applicable Data Protection Legislation. Processor shall notify Controller within 30 days if Processor receives any requests from data subjects. Processor may not respond to any such requests without Controller’s specific prior written instruction to do so.

7.2 Processor shall, to the extent possible, taking into account the nature of processing and the information available to Processor, assist Controller in fulfilling Controller’s obligations under Articles 32–36 GDPR.

7.3 Processor shall, upon Controller’s reasonable request, provide Controller with the information necessary to demonstrate compliance with the obligations of the DPA.

7.4 In the event that Processor, according to Applicable Data Protection Legislation, is required to disclose personal data that Processor processes on behalf of Controller to supervisory authorities, Processor shall inform Controller thereof and request confidentiality in connection with the disclosure of the requested information.

7.5 Upon the reasonable request made by Controller or by an external auditor appointed by Controller, Processor shall allow an audit for the purpose of verifying that the processing of personal data by the Processor is carried out in accordance with the Applicable Data Protection Legislation and this DPA. Any third-party auditor is at the expense of the Controller.

8 Personal Data Breach

Processor shall notify Controller in writing without undue delay after becoming aware of a personal data breach in relation to personal data processed by Processor on behalf of Controller. Processor shall, to the extent such breach has taken place at Processor, provide Controller with a description of the breach, its nature, its likely consequences and information on the measures taken or proposed to be taken to remedy and mitigate the consequences of the breach. If Controller notifies a breach to the supervisory authority, Processor shall upon Controller’s reasonable request assist Controller and provide the requested information.

9 Confidentiality

Processor undertakes not to disclose or otherwise make personal data processed under this DPA available to any third party without Controller’s prior written consent, except for sub-processors engaged in accordance with this DPA. Processor shall ensure that only staff and other representatives that require access to personal data have access to such information. Processor shall ensure that such persons are bound by confidentiality undertakings or subject to a statutory obligation of confidentiality. In addition, Processor undertakes to ensure that confidentiality undertakings are in place with any sub-processors engaged under this DPA.

10 Liability

The Parties acknowledge that they each respectively are liable, accountable and responsible in their respective roles as Controller and Processor under the requirements set forth in the GDPR and this DPA. Any administrative fines, fees or sanctions imposed by the supervisory authority and/or compensation to data subjects shall be subject to the liability provisions set out in Articles 82–84 GDPR. If a Party processes personal data in violation of this DPA or Applicable Data Protection Legislation, that Party shall compensate the other Party for direct damages suffered due to such wrongful processing and/or violation of this DPA, in accordance with the limitations of liability set out in the Agreement.

11 Term and Termination

11.1 This DPA enters into force when signed by both Parties and remains in force thereafter for as long as Processor processes personal data on behalf of Controller.

11.2 Processor has the right to terminate the DPA immediately by written notice to Controller if instructions given by Controller infringe Applicable Data Protection Legislation and Controller, after being notified of such circumstances, subsequently insists on applying such instructions.

11.3 Upon termination or expiry of this DPA, Processor shall without undue delay stop processing personal data and, at Controller’s request, either delete or return all personal data to Controller or to the party designated by Controller and delete any remaining copies, unless continued retention is required by Applicable Data Protection Legislation.

12 Governing Law and Dispute Resolution

12.1 The DPA shall be governed by Swedish law, excluding applicable conflicts of law rules.

12.2 Any dispute arising out of or in connection with the DPA shall be finally settled in accordance with the dispute resolution provision set out in the Agreement.

Appendix I – List of Parties and Description of Processing

This Appendix I (List of Parties and Description of Processing) sets out the Parties to the DPA and describes the processing of personal data under the DPA.

Description of processing

Categories of data subjects: The following categories of data subjects will be included in the processing:

☒ Controller’s employees, consultants and/or other personnel

Categories of personal data: The following personal data will be processed:

☒ Name
☒ E-mail
☒ Employee survey filters (as provided by Controller)
☒ Employee survey answers

Special categories of personal data: The Parties agree that no special categories of personal data (Article 9 GDPR) will be processed by Processor under the Agreement.

Nature and purpose of the processing: Processor processes personal data for the following purposes:

The personal data will be processed in order for Processor to deliver the services and fulfil its obligations under the Agreement.

Duration of processing: Personal data will be processed in accordance with the following:

The duration of the processing corresponds to the duration of the Agreement. Thereafter, the personal data will be processed for as long as required by Applicable Data Protection Legislation.

Appendix II – Technical and Organisational Measures

This Appendix II (Technical and Organisational Measures) specifies the technical and organisational measures taken to ensure a high level of security for the processing of personal data.

List of Technical and Organisational Measures

OneLab shall at all times ensure that security measures described in the OneLab Information Security White Paper, as applicable and updated from time to time, are taken and maintained when processing personal data.

Appendix III – List of Sub-Processors

This Appendix III (List of Sub-Processors) sets out the sub-processors of Processor approved by Controller.

Controller has approved the sub-processors listed in the table below upon the effective date of the DPA. The table is updated from time to time:

Company name and reg. no.: Amazon Web Services Europe (Stockholm)
Location of the processing (country): Stockholm, Sweden
Description of processing: Hosting
Categories of personal data: As specified in Appendix I
Transfer mechanism (for transfer outside of EU/EEA): N/A