Data Processing Agreement

Jun 15, 2020

between

(1) Scrintal User ("the Data Controller")

and

(2) Scrintal Labs AB, reg no 559258–1614, Villa Bellona, Universitetsvägen 8, 106 91, Stockholm, Sweden ("the Data Processor”).

1. BACKGROUND AND AIM

1.1 The Data Controller has signed up for transcription services offered by the Data Processor (the "Main Agreement"). In the assignment according to the Main Agreement is included that the Data Processor will be processing personal data provided by the Data Controller in accordance with the Main Agreement and in accordance with instructions of the Data Controller under the Main Agreement.

1.2 In case of a conflict between the Main Agreement and this agreement, this agreement shall prevail.

1.3 This agreement has as its aim to secure that the processing of personal data is made in accordance with applicable data protection laws, including inter alia the requirements stipulated in article 28.3 of the General Data Protection Regulation 2016/679 of 27 April 2016 (the GDPR).

2. DEFINITIONS

2.1 The definitions in this agreement are the same as in the GDPR meaning inter alia the following:

"processing" in this agreement means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

"personal data" in this agreement means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"registered person" in this agreement means a person to whom the personal data relates.

3. THE DATA CONTROLLER’S OBLIGATIONS

3.1 The Data Controller shall establish instructions so that the Data Processor can perform the processing of personal data in accordance with this agreement, see Appendix 1.

3.2 The Data Controller is liable for providing information about the processing which is performed and shall see to it that consent to the processing is provided by the registered persons if required.

4. THE DATA PROCESSOR’S OBLIGATIONS

4.1 The Data Processor undertakes to secure that all processing of personal data is made in accordance with the purposes of this agreement, the GDPR, the Swedish supplementary data protection act and other applicable laws and regulations and industry standards. The Data Processor undertakes to keep itself informed about the data protection legislation and amendments therein.

4.2 The Data Processor, and the person/s working for the Data Processor, may only process personal data in accordance with the instructions which from time to time are provided by the Data Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.3 Instruction for the Data Processor’s processing of the personal data is attached as Appendix 1 to this agreement. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction is vague, erroneous, illegal or is missing and await new instructions.

4.4 In case a registered person, the Data Protection Authority (Sw. Datainspektionen) or another third-party requests information from the Data Processor, which concerns the processing of personal data according to this agreement, the Data Processor shall refer the request to the Data Controller. The Data Processor may thus not submit personal data or other information on the processing of personal data without the express approval of the Data Controller.

4.5 The Data Processor shall support the Data Controller in providing information which has been requested by the Data Protection Authority or by a registered person in order for the Data Controller to be able to fulfil its obligation to answer a request regarding the performance of the data subject’s rights in accordance with chapter III of the GDPR.

4.6 The Data Processor shall without delay inform the Data Controller about possible contacts from the Data Protection Authority, which concern or may be of importance for the processing of personal data. The Data Processor is not entitled to represent the Data Controller or act on behalf of the Data Controller towards the Data Protection Authority or other third party.

4.7 The Data Processor shall assist the Data Controller in performing the obligations set out in articles 32-36 (security of processing, personal data breach notifications, data protection impact assessment and prior consultation) of the GDPR, taking into consideration the type of processing and the information available to the Data Processor.

4.8 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller.

4.9 The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach.

5. SECURITY

5.1 The Data Processor shall, during the term of this agreement, maintain a proper security for the personal data. The Data Processor shall protect the personal data against destruction, changes, prohibited distribution or prohibited access.

5.2 The Data Processor shall in accordance with article 32 (security of processing) of the GDPR and the instructions from the Data Controller, take those technical and organizational measures, which are required to protect the personal data.

5.3 The Data Processor shall after request from the Data Controller provide the Data Controller with a presentation of the technical and organizational measures which have been implemented.

5.4 The measures shall result in a security level which is appropriate taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. When assessing the appropriate level of security consideration shall be taken to the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

5.5 The Data Controller has the right to take necessary measures to make sure that the Data Processor can implement the security measures which shall be taken in accordance with the above, and to make sure that the Data Processor takes such measures. The Data Processor undertakes to make sure that the Data Controller is provided with the assistance which is reasonably required for the Data Controller to check this in the easiest possible way.

6. CONFIDENTIALITY

6.1 The Data Processor shall limit access to the personal data to individuals who need the data when fulfilling the obligations according to the Main Agreement and this agreement. The Data Processor undertakes to make sure that persons with authority to process the personal data have committed themselves to observe confidentiality.

6.2 The Data Processor undertakes to make sure that all staff, consultants and other which the Data Processor is responsible for and who process the personal data, are bound by secrecy agreements. The Data Processor further undertakes to enter into appropriate secrecy agreements with possible sub-processors and their staff.

6.3 The Data Processor undertakes not to divulge information to third parties on the processing of personal data which is covered by this agreement or other information which the Data Processor has received following this agreement or other information which the Data Processor has received in its role as Data Processor. The Data Processor undertakes not to process the personal data for its own purposes.

6.4 The commitment in section 6.3, first sentence, does not cover

(a) information which a party can show was generally known at the point in time of the receipt, or

(b) information which a party is obliged to submit to an authority.

6.5 The secrecy commitment continues to apply also after the termination of this agreement.

7. SUB-PROCESSORS

7.1 The Data Processor may engage another data processor (a sub-processor). The Data Processor shall inform the Data Controller about plans to engage a new sub-processor. In case a sub-processor is engaged the sub-processor shall in a written agreement be required to perform the same data protection obligations as set out in this agreement. If the sub-processor does not fulfill its obligations the Data Processor is fully liable against the Data Controller for the performance of all obligations of the sub-processor.

8. REMUNERATION

8.1 If the Data Controller’s instructions or otherwise this agreement imposes requirements regarding the processing of personal data, which do not follow from the Data Processor’s commitments according to the Main Agreement and which the Data Processor could not have expected and these requirements means that the Data Processor is caused extra costs, the Data Controller shall be liable to pay the Data Processor for these costs.

9. LIABILITY

9.1 In case a registered person, or other third party, demands damages from the Data Controller due to the Data Processor’s processing of the personal data, the Data Controller shall be liable to pay such damages in case the Data Processor has processed the personal data in accordance with instructions from the Data Controller.

10. CONSEQUENCES OF THE TERMINATION OF THIS AGREEMENT

10.1 The Data Processor shall, when this agreement is terminated, delete all data which include personal data, and, confirm in writing that the personal data have been destroyed on all media which have been used for the processing in such a way that they cannot be recreated.

10.2 The Data Processor undertakes to delete all personal data which have been processed in accordance with the agreement within 60 days from the date of the termination of this agreement.

11. TERM OF AGREEMENT

11.1 This agreement shall be valid from the signing of the agreement and as long as the Data Processor is processing personal data on behalf of the Data Controller.

12. MISCELLANEOUS

12.1 Amendments to this agreement shall be made in writing and signed by both parties unless expressly stated otherwise in this agreement.

13. DISPUTES

13.1 Any dispute, controversy or claim arising out of or in connection with this agreement, or the breach, termination or invalidity thereof, shall be settled by a Swedish civil court.

Appendix 1

Instructions regarding the Data Processor’s processing of personal data

In addition to what is stated in the agreement the Data Processor shall also adhere to the following instructions:

Processing of personal data

Subject-matter, nature and purpose

Specify the subject-matter, the nature and all purposes for which the Data Processor will process the personal data.

The subject-matter of the processing of personal data is to provide the service under the Main Agreement.

The nature of the processing is to store and analyze data uploaded by the Data Controller.

The Data Processor will process the personal data for the purpose to provide the services in accordance with the Main Agreement.

Categories of personal data

Specify the categories or personal data which will be processed by the Data Processor.

The following categories of personal and sensitive data may be included in the processing:

- Personal data, any information which are related to an identified or identifiable natural person
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, biometric data processed solely to identify a human being
- Health-related data
- Data concerning a person’s sex life or sexual orientation

Categories of data subjects

Specify all categories of data subjects whose personal data will be processed by the Data Processor.

Categories of data subjects include:

Interviewees.

Practical handling

Specify how the processing will be performed.

The personal data may be processed by the Data Processor if it is required to provide the services according to the Main Agreement.

This may include e.g.:

1) Analyzing recorded interviews for the purpose of providing the transcription service.  

Previous versions of this document