Data Processing Agreement


Last update: 2022-10-13

1. PARTIES

This Data Processing Agreement (hereinafter referred to as the “DPA”) has been entered into by and between

 a) BoardClic AB, reg. no 559152-7063, Mosebacke torg 3, 116 46 Stockholm (hereinafter referred to as the “Data Processor”), and

 b) the licensee that has registered for and entered into the License Agreement (hereinafter referred to as the “Data Controller”).

The Data Processor and the Data Controller are jointly referred to as the “Parties” and separately as a “Party”.

2. DEFINITIONS

Should the General Data Protection Regulation contain terms that conflict with those used in the DPA, such terms shall be interpreted and applied in accordance with the General Data Protection Regulation.

 Except for the definitions stated in Section 1, the terms listed below shall have the following meaning in the DPA:

 2.1 The DPA means the main body of this agreement and the appendices applicable at any given time.

 2.2 Processing refers to an action or combination of actions taken in respect of Personal Data or sets of Personal Data, regardless of whether they are taken in an automated way or not, such as collection, registration, organisation, structuring, storage, handling or modification, development, reading, utilisation, disclosure by means of transfer, dissemination or provision by other means, adjustment or compilation, limitation, deletion or destruction.

2.3 Personal Data refers to any information that relates to an identified or identifiable natural person, whereby an identifiable natural person is a person that can be identified directly or indirectly, in particular with reference to an identifier such as a name, identification number, location or online identifier or one or more factors that are specific to the physical, physiological, genetic, psychological, financial, cultural or social identity of the natural person.

2.4 A Personal Data Breach refers to a security breach that leads to the accidental or unlawful destruction, loss, modification or unauthorised disclosure of or access to the Personal Data that are transferred, stored or otherwise processed.

2.5 Applicable Regulations refer to regulations and practice relating to the General Data Protection Regulation, national legislation supplementary to the General Data Protection Regulation, provisions and opinions of supervisory authorities, including the European Data Protection Board, and the Commission’s legal acts concerning Personal Data.

2.6 Sub-Processor refers to the party Processing Personal Data in accordance with instructions from the Data Processor.

2.7 The Service refers to BoardClic Board, Committee and CEO Evaluation tool which is licensed to the Data Controller by the Data Processor and under which scope the Data Processor is Processing Personal Data for the Data Controller.

2.8 The Users refers to the users of the Service, who may be any of the employees, officers, committee members and board directors at the Data Controller, at third-party portfolio companies of the Data Controller and at subsidiaries of the Data Controller.

2.9 Sensitive Personal Data refers to Personal Data that reveals a person’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and personal data concerning a person’s health and sex life.

2.10 License Agreement refers to the License Agreement between the Parties stating that the Data Processor grants the Data Controller a license to the Service.

3. Instructions on the processing

On signing the DPA, the Data Processor undertakes to Process Personal Data on behalf of the Data Controller. The Parties have agreed to regulate the scope and the detailed structuring of the Processing by entering into the DPA.

3.1 Purpose of the Processing

 The purpose of the Data Processor’s Processing of Personal Data is to enable the Data Controller’s full usage of the Service in accordance with the License Agreement including the additional services that may be added to the Service.

 3.2 Categories of the data subjects that are applicable for the DPA

 The Users of the Service.

 3.4 Categories of the Personal Data

 Full name, contact information, year of birth, gender, professional role, competencies, affiliated companies and other Personal Data that may be submitted by the Users in the scope of the Service.

It is hereby noted that Sensitive Personal Data may be part of the processed Personal Data if the Users, of their own free will, choose to submit Sensitive Personal Data by entering it in the free-text box. The Service does not ask for such data. What is stated about Personal Data in the DPA shall then apply to Sensitive Personal Data unless stated otherwise in the DPA.

3.5 Time of the Processing 

The Processor shall Process the Personal Data as long as the Parties have a License Agreement in place. After the termination of the License Agreement the Processor shall anonymize or delete Personal Data within ninety (90) days.

4. Obligations of the data controller

 4.1 Processing in compliance with the DPA and Applicable Regulations

 The Data Controller is responsible for ensuring that all Processing of Personal Data, and when applicable, Sensitive Personal Data, by the Data Controller in connection with the DPA complies with the DPA and the Applicable Regulations.

4.2 Provision of Personal Data

The Data Controller shall provide the Data Processor with the information and Personal Data relating to the Users that are necessary and appropriate for the purpose of the Service.

4.3 Correct information

 The Data Controller shall provide the Data Processor with correct information promptly in the event that the documented instructions (including instructions in the DPA as well as other future written instructions to the Data Processor) are incorrect, incomplete or otherwise need to be amended.

4.4 Documented instructions

The Data Controller shall provide the Data Processor with documented instructions in case the Data Controller wishes to add further or other instructions to the Data Processor beyond those provided in the DPA and the existing License Agreement between the Parties. Such further instructions shall then regulate, amongst other things but not exclusively, what Personal Data is to be processed, the object of the Processing, the duration, extent, nature and purpose of the Processing, the type of Personal Data and categories of data subjects, the obligations and rights of the Data Controller and the Data Processor, as well as the scope of the protective measures and other IT and security-related obligations.

5. The Data Processor’s areas of responsibility

5.1 Processing of Personal Data

5.1.1  Processing in compliance with the DPA and Applicable Regulations

The Data Processor shall only process Personal Data on behalf of the Data Controller in compliance with the DPA, the License Agreement between the Parties and Applicable Regulations.

Without the consent from the Data Controller, an order from the relevant supervisory authority or mandatory legislation, the Data Processor may not 

  • collect or disclose Personal Data from or to any third party, unless otherwise agreed in writing between the Parties,
  • change the method of Processing,
  • copy or reproduce Personal Data, or
  • otherwise Process Personal Data for other purposes than those specified in the DPA and future documented instructions.

 5.1.2 Storage and thinning

 The Data Processor shall ensure that the principles for the Processing of Personal Data are respected, including, in particular, storage minimisation. The Data Processor is responsible for thinning Personal Data that are no longer required for the purpose. The Data Processor shall establish procedures for how the Personal Data are thinned, what Personal Data are thinned and how often the thinning is carried out.

The Data Processor shall delete Sensitive Personal Data as soon as it is technically possible for the Data Processor to do so.

For the avoidance of doubt, any Personal Data shall be deleted by the Data Processor, or anonymised so that it no longer constitutes personal data in accordance with Applicable Regulations, when the Service is finalised and no later than three (3) months thereafter, unless the Data Controller has given its consent not to do so.

5.1.3 Transfer of Personal Data

The Data Processor may not transfer any Personal Data to a state outside of the EU/EEA unless the necessary transfer mechanisms stated in the Applicable Regulations are in place.

The Data Processor transfers Personal Data to Heroku Inc., which is the provider of the Data Processor’s CRM system. Heroku Inc. has its servers within the EU but is itself a third-country entity (US). At the time of the DPA, the US is not a third country considered to have an adequate level of protection in accordance with the Applicable Regulations. Therefore the following transfer mechanisms are in place:

Binding Corporate Rules – can be found here: [link]

EU Standard Contractual Clauses – can be found here: [link]

The Data Processor has also performed a transfer impact analysis that can be obtained upon request made to info@boardclic.com.

5.1.4 Written consent for transfer

Any transfer to a third country, except as stated in clause 5.1.4 above, requires the written consent of the Data Controller and an assurance from the Data Processor that such transfer complies with the Applicable Regulations.

5.1.5  Implementation of modifications

The Data Processor shall carry out modifications, deletions, limitations and transfers at the explicit request of the Data Controller, but not, however, if such request contravenes the DPA, the License Agreement between the Parties or Applicable Regulations.

5.2 Technical and organisational measures

5.2.1 Carry out technical and organisational measures

 In view of the latest development, implementation costs and the nature, scope, context and purpose of the Processing, as well as the risks, of varying degrees of likelihood and gravity, for natural persons’ rights and freedoms, the Data Processor shall take suitable technical and organisational measures to ensure a level of security that is appropriate for the risk, including, where applicable,

  • pseudonymisation and encryption of Personal Data,
  • the capacity to ensure the confidentiality, privacy, accessibility and resistance of Processing systems and services on a continuous basis,
  • the capacity to reinstate accessibility and access to Personal Data within a reasonable time scale in the event of a physical or technical breach,
  • a procedure for the regular testing, investigation and assessment of the efficiency of the technical and organisational measures that are to ensure the security of the Processing.

5.2.2 Code of conduct and certification mechanism

The Data Processor may adopt an approved code of conduct or approved certification mechanism to show that the above-mentioned obligations are met.

5.3 Drawing up a record of Processing activities

5.3.1  Draw up a record of Processing activities

 The Data Processor shall maintain a record of Processing activities of all categories of Processing that is carried out on behalf of the Data Controller, to include the following:

  • Name and contact details of the Data Processor and the Data Controller on whose behalf the Data Processor acts, and, where applicable, of the Data Processor’s and Data Controller’s representative and data protection officer,
  • The categories of Processing that have been carried out on behalf of the Data Controller,
  • Where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of the third country or international organisation and the documentation of suitable protection measures,
  • If possible, a general description of the technical and organisational security measures.

5.3.2  Written record of Processing activities

The Data Processor shall draw up the record of Processing activities in writing, including in electronic form.

5.4 Duty to notify

The Data Processor shall notify the Data Controller without undue delay in the event that the Personal Data Processing contravenes the DPA or the Applicable Regulations. The Data Processor shall then await instructions from the Data Controller.

5.5 Information

 5.5.1 Disclosure of Personal Data

 The Data Processor may not disclose Personal Data or information about the Processing of Personal Data without the prior consent of the Data Controller, except in the event that the relevant supervisory authority has issued an order to do so, or if the Applicable Regulations oblige the Data Processor to do so.

5.5.2  Duty to notify in the event of contact

 The Data Processor shall notify the Data Controller without undue delay if the Data Processor is contacted by a supervisory authority, data subject or third party for the purpose of viewing the Personal Data that is processed by the Data Processor.

5.6 Audit

5.6.1 Monitoring of compliance

The Data Controller has the right to carry out, or to employ a third party to carry out, an audit of the work of the Data Processor or otherwise check that the Data Processor’s Processing of Personal Data complies with the DPA and Applicable Regulations. The Data Processor shall give the Data Controller the assistance that is required for the implementation of such audit.

The Parties shall agree in writing on a suitable audit date which shall be at least thirty (30) days after such written agreement. The audit shall occur during the Data Processor’s business hours and must not disturb the Data Processor’s business. Any costs arising in connection to the audit, other than costs caused by the Data Processor’s failure to comply with the DPA and Applicable Regulations, shall be carried by the Data Controller.

5.6.2 Access to premises and equipment

 The Data Processor shall allow the Data Controller access to premises and equipment for inspection for the purpose of ensuring that the Data Processor is meeting its obligations in accordance with the Agreement and the Applicable Regulations. The Data Controller does not have such right, however, if the access and/or inspection may put the security or privacy of the data subjects at risk.

 The Parties shall agree in writing on a suitable date for the access stated above, which shall be at least thirty (30) days after such written agreement. The visit shall occur during the Data Processor’s business hours and must not disturb the Data Processor’s business. Any costs arising in connection to the visit, other than costs caused by the Data Processor’s failure to comply with the DPA and Applicable Regulations, shall be carried by the Data Controller.

5.6.2 Demonstration of compliance with the DPA and Applicable Regulations

The Data Processor shall demonstrate that the obligations of the DPA and Applicable Regulations are being fulfilled, on request and without undue delay. This includes, amongst other things but not exclusively, an obligation to provide documentation, to show, if applicable, that approved codes of conduct or certifications are being complied with, and to enable and assist the Data Controller in carrying out the necessary examinations and inspections.

5.6.3 Access to Personal Data

The Data Processor shall give the Data Controller access to all of the Personal Data that are processed by the Data Processor on behalf of the Data Controller. This also includes access to information and documents that the Data Controller needs to carry out monitoring of the Data Processor’s compliance with the DPA and Applicable Regulations. Such access shall be given without unreasonable delay, but no later than thirty (30) days from the date of the explicit and written request of the Data Controller.

5.7 Security and confidentiality

5.7.1 Assess the risks

 The Data Processor shall assess the risks of the Processing and take measures, such as encryption, to reduce them. These measures should ensure an appropriate level of security, including confidentiality, and take account of the most recent development and implementation costs in respect of the risks and what type of Personal Data are to be protected.

5.7.2 Carry out security measures

 The Data Processor shall take measures to ensure that all natural persons and legal persons that carry out work under the Data Processor’s supervision, and that are given access to Personal Data, only process these on the instructions of the Data Controller through the Data Processor.

The security measures include technical as well as organizational measures. The scope of the measures shall be undertaken in consideration of the latest development, the implementation costs and the nature, extent, context and purpose of the Processing, as well as the risks, of varying degrees of likelihood and gravity, for the rights and freedoms of natural persons. The level of security that is to be ensured shall be appropriate for the risks.

5.7.3 Sufficient knowledge and training

 The Data Processor is responsible for ensuring that each natural person who has access to the Personal Data processed in accordance with the DPA has sufficient knowledge and training to be able to process the Personal Data in a secure and appropriate manner.

5.7.4 Changes to the Personal Data Processing

 If the Data Processor intends to implement changes to the way in which the Personal Data is processed or otherwise implement changes that may affect security for the data subjects, the rights of the data subjects or compliance with the DPA or Applicable Regulations, the Data Processor shall inform the Data Controller of this in writing beforehand. The Data Controller shall give its consent to such changes.

5.7.5 Secrecy and duty of confidentiality

The Data Processor undertakes to process Personal Data and other information associated with the DPA in compliance with the applicable legislation on secrecy and the Applicable Regulations. The staff who process Personal Data have signed special confidentiality clauses and have been informed that a duty of confidentiality exists in accordance with the DPA or national law.

5.7.6 Appropriate undertaking of confidentiality

The Data Processor shall make sure that all employees, consultants and other persons for whom the Data Processor is responsible and who process Personal Data are bound by an appropriate confidentiality undertaking, and that they are informed of how the Processing of Personal Data is to be carried out.

5.7.7 Information for persons with access

 The Data Processor is responsible for ensuring that the persons who have access to the Personal Data are informed of how they are to process the Personal Data in accordance with the documented instructions from the Data Controller. The Data Processor shall also make sure that an adequate control of authorisations is in place.

 5.8 Personal Data Breaches

5.8.1 Take measures to reduce damage

 In the event of a suspected or discovered Personal Data Breach, the Data Processor shall investigate the breach immediately and take suitable measures to mitigate its potential negative effects.

5.8.2 Description of a Personal Data Breach

 The Data Controller shall be provided with a description of the Personal Data Breach at the latter’s request within thirty (30) hours of being made aware of the breach. Such description shall contain at least

  1. a description of the type of Personal Data Breach, including where possible the categories of and the approximate number of data subjects concerned, as well as the categories of and approximate number of Personal Data items concerned,
  2. the name of and contact details for the contact points from where further information may be obtained,
  3. a description of the likely consequences of the Personal Data Breach, and
  4. a description of the measures that have been taken or proposed by the Data Processor to remedy the Personal Data Breach, including, where appropriate, measures to mitigate its potential negative effects.

 If it is not possible to provide the information at the same time, the information may be provided in stages without further unnecessary delay.

5.8.3 Assistance with obligations regarding Personal Data Breaches

The Data Processor shall assist the Data Controller in ensuring that the latter’s obligations according to the Applicable Regulations concerning Personal Data Breaches are met, taking account of the type of Processing and the information that the Data Processor has access to. This also applies if the Data Controller suspects or discovers a Personal Data Breach.

5.8.4 Notification of a Personal Data Breach

 The Data Processor shall notify the Data Controller of a Personal Data Breach without unnecessary delay, but at the latest within thirty (30) hours of being made aware of the breach.

5.8.5 Information about a Personal Data Breach

 A notification in accordance with the above shall contain all the information the Data Controller needs to fulfil its obligations towards the supervisory authority.

5.8.6 Unconditional duty to notify

The above duty to notify the Data Controller also applies if the Data Processor is unable to fulfil its obligations according to the DPA or the documented instructions for some other reason or, alternatively, becomes aware that the Personal Data have been processed in contravention of the DPA.

5.9 Assisting the Data Controller

5.9.1 Impact assessments and prior consultation

If necessary and on request, the Data Processor shall assist the Data Controller in the fulfilment of its obligations pursuant to the provisions of the General Data Protection Regulation in respect of the implementation of impact assessments concerning data protection and prior consultation with the supervisory authority. Prior to providing such assistance, the Parties shall agree in writing on the Data Processor’s fee for such services.

5.9.2 Fulfilment of obligations in respect of the rights of data subjects

If necessary and on request, the Data Processor shall assist the Data Controller in the fulfilment of its duty to respond to requests from data subjects to exercise their rights pursuant to the General Data Protection Regulation by taking suitable technical and organisational measures as far as this is possible.

6. The hiring of a Sub-Processor by the Data Processor

 6.1 Written authorisation to hire a Sub-Processor

 The Data Processor may not hire another data processor (Sub-Processor) without obtaining a specific or general written prior authorisation from the Data Controller.

The Sub-Processors approved at the time the Parties entered into the DPA are the following:

Sub-Processor                                   | Type of Processing    | Place of Processing | Transfer mechanisms (if applicable)
Heroku Inc. (https://www.heroku.com/support)   | Hosting provider      | Germany             |
MailPace (https://mailpace.com/privacy)        | SMTP server (e-mail)  | France              |
HubSpot (https://hubspot.com)                  | CRM system            | Germany             |
Custify                                        |                       | Germany             |
Mixpanel                                       |                       | Netherlands         |

6.2 General written authorisation

If a general written authorisation is obtained, the Data Processor shall inform the Data Controller of any plans to hire new data processors or replace data processors, so that the Data Controller has the opportunity to raise qualified objections to such changes.

6.3 Distribution of risks

The Data Processor hires a Sub-Processor at its own risk. This will not result in any change to the allocation of responsibilities between the Parties, as specified in the DPA.

 6.4 Adequate level of protection

If the Data Controller approves the Data Processor’s application to hire a Sub-Processor, the Data Processor shall take the measures that are required to ensure that the Sub-Processor maintains an adequate level of protection and otherwise observes the relevant parts of the DPA and applicable data protection legislation.

 6.5 Notification of the hiring or replacement of a Sub-Processor

The Data Processor shall inform the Data Controller of the hiring or replacement of a Sub-Processor before measures are taken, and on condition that the application for the Sub-Processor is accepted by the Data Controller. The Data Controller shall have the opportunity to raise objections to the Data Processor’s proposal for the change. The Data Processor must not implement the proposed change if such an objection has been raised.

 7. Liability for damage

7.1 The Data Processor’s liability

 The Data Processor shall only be liable to the Data Controller for damage caused as a result of the Processing of Personal Data if it has not fulfilled the obligations according to the Applicable Regulations that apply specifically to the Data Processor or has acted outside or in conflict with the DPA.

 The Data Processor shall avoid liability according to the above if it can demonstrate that it is not in any way liable for the breach that caused the damage.

 7.2 The Data Controller’s liability

The Data Controller shall compensate the Data Processor for claims made against the Data Processor in respect of the Processing of the Data Controller’s Personal Data submitted by the Data Controller, through the Users, in connection with this Agreement, on condition that the claim is based on instructions from the Data Controller to the Data Processor that are deficient or erroneous.

8. The duration of the agreement and its amendments

8.1 Duration

The Agreement is valid from the date of signing by the Parties and for as long as the Data Processor processes Personal Data in accordance with the Data Controller’s instructions.

8.2 Deletion of Personal Data

As soon as Processing of Personal Data is no longer required under the License Agreement, the Data Processor shall anonymise or delete the Personal Data within ninety (90) days, unless storage of the Personal Data is required by the law by which the Data Processor is governed or the Data Controller has instructed the Data Processor otherwise.

 8.3 The Data Controller’s right to make changes

The Data Controller may only make changes to the DPA if they are needed to ensure compliance with the Applicable Regulations.

 8.4 Modification of the DPA

 Any changes to the DPA, including new types of Processing, shall be made in writing and be signed by both Parties.

 9. Notifications

9.1 Notifications according to the DPA shall be sent by e-mail and shall be considered delivered when the e-mail has been sent.

9.2 Notifications to the Data Processor shall be sent to the following e-mail address: malin@boardclic.com.

9.3 Notifications to the Data Controller shall be sent to such email address as is notified by the Data Controller to the Data Processor in writing from time to time.

10. Applicable law and dispute resolution

10.1 The DPA shall be exclusively governed by and construed in accordance with the substantive laws of Sweden, excluding its conflict of laws principles.

10.2 Any dispute, controversy or claim arising out of or in connection with the DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm. The language to be used in the arbitral proceedings shall be Swedish or, if the Data Controller so requests, English.

The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way its rights vis-à-vis the other Party in connection with the dispute, the enforcement of an award or if such a right exists pursuant to statute, regulation, a decision by an authority, a stock exchange contract or similar.