Customer Data Processing Agreement
Last Modified: December 9, 2019
This Data Processing Agreement "Agreement" is an addendum to the Terms of Service (“Service Agreement”) between Planhat AB ("Planhat") and the Customer (the "Controller"), under which Planhat may process personal data, which the Controller is responsible for as a controller of personal data (“Personal Data”), on the Controller’s behalf. Planhat undertakes to process Personal Data only in accordance with the Agreement, for the purpose(s) derived from the Service Agreement, Planhat’s instructions and applicable personal data legislation, as well as to stay informed and updated with regards thereto.
INSTRUCTIONS FROM, AND CONTROL BY, THE CONTROLLER
Planhat and any persons who require access within its organization may only process Personal Data for the purpose(s) derived from the Service Agreement or in accordance with such instructions that otherwise are given by the Controller. For the purpose of giving instructions, the Controller has in the service appointed a point of contact for data ("POC Data") to have the sole authority to give such instructions. The POC Data shall be able to appoint additional persons to give such instructions, and to remove such person’s authority to give instructions. The authority of the POC Data to give instructions in the name of Company name can only be removed by the order of the legal signatory/signatories of Company name. If Planhat deems the instructions insufficient for the fulfilment of this Agreement, Planhat shall, without delay, inform the Controller thereof and fulfilment of the Service Agreement or this Agreement may be affected by the lack of instructions while Planhat awaits further instructions from the Controller. For the avoidance of doubt, the Controller expressly consents to Processor’s processing of Personal Data as required in order to provide Processor’s web-based services to the Controller, pursuant to the Service Agreement. The Controller shall have the right to, entirely at its own cost and upon at least thirty (30) days’ advance written notice to Planhat, verify that Planhat complies with this Agreement, through review of Planhat’s policies, procedures and documentation, solely as they relate to compliance with this Agreement. Such review (i) must be conducted during Processor’s regular business hours such as not to cause disruption to the Controller’s business; (ii) may only be conducted by a party approved by Processor who is subject to a confidentiality agreement with Processor; and (iii) must be performed in accordance with Processor’s security requirements. Planhat may not refuse review by chosen party unless reasonable basis exists. Planhat shall be obligated to, without any charge (other than for costs incurred as a result of assisting the foregoing review), give such assistance as is reasonably necessary to perform such verification. If the Controller should find breaches or flaws of importance to the Controller, the Controller shall have the right to terminate this Agreement and the Service Agreement effective immediately. This right does not include on-site access to Planhat’s offices or facilities, unless absolutely necessary.
NEW FEATURES AFFECTING THE SERVICE AGREEMENT
If Planhat’s commitment in accordance with the Service Agreement changes due to addition of new features, which may lead to new categories of processing or processing of new personal data types, the Controller shall immediately be informed about such changes and have the right to oppose such changes, where feasible. In the event that opposition to such changes, in Processor’s opinion, prevents effective provision of Processor’s services, Processor may terminate the Service Agreement without penalty or liability.
TRANSFER TO THIRD COUNTRY
Planhat shall process Personal Data only within, and on devices physically located within, the EU/EEA or such third country deemed to offer an adequate level of security by the European Commission. The Controller is aware that development of Planhat’s services is to some extent performed by developers outside the EEA (“Developers in third country”). Such development is considered to be part of the Service and the Controller hereby accepts and instructs Planhat to transfer data to Developers in third countries for this purpose. The Controller shall remain as controller of transferred data and the Developer in third country shall be processor. Planhat shall answer for the Developer in third country’s fulfilment of its duties as processor, including liability for damages. Planhat shall ensure that such transfer is lawful and is for this purpose hereby granted power of attorney to enter into data processing agreements as well as “model contracts” as laid forth by the European Commission in Decision 2010/87/EU, dated 5th February 2010, or other decision or legal act that replaces said decision.
REQUESTS FROM AND CONTACTS WITH AUTHORITIES AND DATA SUBJECTS
In case a data subject, the Swedish Data Protection Authority (Datainspektionen/Integritetsskyddsmyndigheten) or any third party requests information regarding the processing of Personal Data from Planhat, Planhat shall refer the request to the Controller. Planhat shall not be entitled to disclose any Personal Data or information regarding the processing of Personal Data unless otherwise explicitly instructed by the Controller or otherwise obligated to do so according to law or other regulation. Planhat shall, without delay, inform the Controller about any request or other contacts with the Swedish Data Protection Authority or any other data protection authority that affects the processing of Personal Data provided by the Controller to Planhat. Planhat has no right to represent or act on behalf of the Controller in relation to the data subject, the Swedish Data Protection Authority, any other authority or any third party. Planhat shall, at Controller’s sole cost, reasonably assist the Controller in presenting such information that has been requested by the Swedish Data Protection Authority, another authority or the data subject. Additionally Planhat will provide commercially reasonable assistance and cooperation in relation to any exercise of a data subject’s rights under the GDPR.
Planhat shall take appropriate technical and organizational measures to protect the Personal Data in accordance with article 32 GDPR from unauthorized access, destruction, loss or alteration. The measures shall be appropriate with respect to (a) available technology, (b) costs, (c) specific risks associated with the processing, and (d) the sensitivity of the Personal Data. Planhat shall for this purpose comply with the Swedish Data Protection Authority’s instructions. Planhat shall take appropriate technical and practical measures to enable investigations of possible and suspected security breaches regarding Personal Data, such as unauthorized access, destruction, loss or alteration. Planhat warrants that all who have access to Personal Data are bound by confidentiality. For the avoidance of any doubt, such confidentiality shall apply also in contacts with authorities and data subjects. Planhat shall notify the Controller without undue delay, but not more than 48 hours, after becoming aware of a personal data breach and provide all relevant information Controller is required to provide to data subject and supervisory authorities in relation to the personal data breach. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
NATURE AND PURPOSES OF THE PROCESSING
As a Processor, Planhat shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; and (iii) to comply with other reasonable instructions provided by Customer to the extent they are consistent with the terms of this Agreement and only in accordance with Customer’s documented lawful instructions.
The Customer Data may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to the Customer; (ii) to provide customer and technical support to the Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.
Planhat shall have the right to use subcontractors for the processing of Personal Data (“Sub-processors”), provided that the Sub-processors are bound by way of contract to at least the same commitments and obligations toward the Controller as Planhat, in accordance with this Agreement. Subject to the limitations of liability contained in the Service Agreement, Planhat is fully liable toward the Controller for the Sub-processors’ actions and any failure by the Sub-processor to adhere to its data protection obligations when processing Personal Data received by Planhat from the Controller. A list of Planhat Sub-processors is available upon request. Planhat will take all reasonable steps to ensure the reliability of all sub-processors. Clients can request to be informed of additional sub-processors by putting in writing the request. If informed and the additional sub-processor is deemed unacceptable, client must notify Planhat in writing within 10 days of being informed. Planhat will then take one of the following actions:
1. No longer use the additional sub-processor.
2. Cease to use the sub-processor with regards the customer’s personal data.
3. Cease to provide the specific service requiring processing or personal data to the customer without unreasonably burdening the customer.
If Planhat is unable to provide one of the remedial steps above within reasonable time, customer may cancel their subscription with respect only to those services which cannot be provided by Planhat without use of the objected to sub-processor by providing written notice to Planhat. Planhat will refund any respective pre-paid fees for the corresponding services for the remaining term of the subscription
ERASURE AND RETURNING OF PERSONAL DATA
Planhat and any of its Sub-processors shall, following the Controller’s decision on erasure of Personal Data, either completely erase such Personal Data from any medium where it is stored, in a way that the Personal Data cannot be restored, or ensure that it is anonymized in such way that it is not possible to connect to an individual or possible to recreate. The erasure or anonymization shall be completed within twenty (20) days following the Controller’s notice to Processor stating its request for erasure of Personal Data. This Agreement shall remain in force during the time Planhat is processing Personal Data for the Controller. Planhat and The Controller agree that Planhat and any Sub-processors shall, following the termination of processing and this Agreement, either return all transferred Personal Data, including copies, to the Controller, or to erase them in accordance with the above paragraph. Planhat commits to attest in writing that such return and/or erasure or anonymization has been completed.
Subject to the limitations of liability contained in the Service Agreement, Planhat shall be liable for any damages caused to the Controller following Planhat’s processing of Personal Data in violation with the Controller’s instructions, this Agreement or the Service Agreement. Planhat shall not be liable for the Controllers legal expenses or costs related to conciliation agreements between the Controller and a third party. Liability is limited to an amount corresponding the fee that the Controller has paid Planhat for the Service the eighteen (18) months before the event that caused liability.
THE GENERAL DATA PROTECTION REGULATION
With regard to the General Data Protection Regulation (the “GDPR”) being a new legislation, the parties to this Agreement agree that they will make any necessary changes and amendments to this Agreement in order for it to be continuously compliant with the GDPR with regards to subsequent interpretations, national legislation, other regulations and advice from authorities.
DISPUTE AND APPLICABLE LAW
Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be settled by the public courts of Sweden, whereas Stockholm District Court shall be the first instance. The laws of Sweden shall govern this Agreement and any dispute regarding this Agreement.