DATA PROCESSING AGREEMENT
This agreement (the “Agreement”) is made this day between
(a) The undersigned (“Client”)
(b) MyFlow Learning AB, reg. no. 559310-5306 (“Supplier”)
collectively referred to as the “Parties” and individually as a “Party”.
The agreement is between the companies, even though it is you as a person who will act on the platform.
01. BACKGROUND
1.1 The Parties have entered into an agreement whereby the Supplier will provide its services to the Client (“Services”). The Services require the Supplier, as a data processor, to process personal data for which the Client is the data controller.
1.2 The Data Processing Agreement is similarly applicable if the Client is itself a data processor on behalf of other parties, whereby the Supplier becomes a sub-processor to the Client for its data processing.
1.3 The Data Processing Agreement is entered into to regulate the Parties' rights and obligations related to the Supplier's processing of personal data, ensuring that the personal data is processed in accordance with applicable data protection legislation.
The agreement is about how we will handle your customers' personal data.
02. DEFINITIONS
The following terms shall have the meaning ascribed to them below in the Data Processing Agreement:
“Personal Data” refers to personal data (as defined in Applicable Law) that is transferred to, stored with, or otherwise processed by the Supplier on behalf of the Client to perform the Services. The term does not include data that has been anonymized to the extent that it is permanently impossible to directly or indirectly link it to a living individual.
“Applicable Law” refers to (i) when the Data Processing Agreement is entered into, the Data Protection Directive 95/46/EC as implemented in Swedish law through the Personal Data Act (1998:204) and the Personal Data Ordinance (1998:1191), and (ii) when applicable, the General Data Protection Regulation (EU) 2016/679 and associated implementing regulations and any other legislation (including regulations and ordinances) applicable to the processing of personal data under the Data Processing Agreement, as it may be amended over time.
“Sub-processor” refers to a third party that the Supplier engages as a subcontractor and that processes Personal Data on behalf of the Client.
03. CLIENT'S RESPONSIBILITIES
The Client must ensure that the processing of Personal Data is lawful. The Client shall provide the Supplier with documented instructions and other guidance as necessary for the Supplier to fulfill its obligations under the Data Processing Agreement and Applicable Law.
Our technology holds the personal data, but you ensure that you have the right to handle it.
Keep in mind... We cannot always know what data you store, so it is your responsibility to double-check with us if it is particularly sensitive.
04. PROCESSING OF PERSONAL DATA
4.1 The Supplier may only process Personal Data to perform the Services and in accordance with the Data Processing Agreement, Applicable Law, and the Client's documented instructions as per Annex 1. If the processing changes during the term of the agreement, the Parties shall update the Data Processing Agreement through an addendum.
4.2 If the Supplier is required by law to process Personal Data for purposes or in ways other than as described in the Client's instructions, the Supplier shall first inform the Client of the legal obligation unless the Supplier is prohibited from doing so by law or government decision.
4.3 If the Supplier lacks instructions, believes it needs new or supplementary instructions to fulfill its obligations, or believes existing instructions may conflict with Applicable Law, the Supplier shall promptly inform the Client and await further instructions.
To use many of the features on the platform, we need to process your personal data, but we will not process anything beyond that.
05. CHANGES TO THE SERVICE AFFECTING PERSONAL DATA
If the Services are changed, by new features being added or existing features being modified in a way that results in new categories of Personal Data being processed or Personal Data being processed for purposes other than as stated in the Data Processing Agreement, the Client shall be immediately informed. The Client has the right to object to such a change to the Services if there are valid reasons for doing so and the Client notifies the Supplier without undue delay, but no later than thirty (30) days from the date the Supplier informed the Client.
If we make updates to our offerings, we will inform you 30 days in advance so you know if you need to make any adjustments.
06. SECURITY & CONFIDENTIALITY
6.1 The Supplier shall, through appropriate technical and organizational measures, ensure a suitable level of security to protect Personal Data against accidental or unlawful destruction, loss, or alteration, as well as unauthorized disclosure or access.
6.2 If the Client deems the Supplier's measures insufficient, the Client has the right to request that the Supplier take and maintain additional measures to protect Personal Data. The Supplier is entitled to compensation for its costs for such measures requested by the Client if and to the extent these are clearly unreasonable given the actual need for protection of Personal Data under Applicable Law.
6.3 The Supplier shall ensure that all persons or third parties who have access to Personal Data are committed to confidentiality or are subject to appropriate statutory confidentiality obligations and are informed about how Personal Data may be processed.
6.4 The Supplier shall promptly notify the Client if the Supplier discovers a personal data incident affecting the Personal Data. The Client shall be notified as soon as possible and, if possible, no later than twenty-four (24) hours from the time the personal data incident was discovered by the Supplier. The notification shall include all necessary and available information required for the Client to fulfill its reporting and information obligations to the competent supervisory authority and affected data subjects.
It is our responsibility to keep the platform technically secure so that all data has the protection it deserves.
07. ENGAGEMENT & SUB-PROCESSORS
7.1 The Supplier may engage one or more Sub-processors for the processing of Personal Data without obtaining specific permission from the Client in each individual case. However, this is only provided that the Supplier enters into a written sub-processor agreement with the Sub-processor, which results in the Sub-processor having the same obligations as the Supplier under the Data Processing Agreement. The Supplier may allow the Sub-processor to engage third parties, provided that this is done in the same way and with the same obligations as set out in the Data Processing Agreement.
7.2 The Supplier shall, at the Client's request, provide the Client with (i) a correct and updated list of Sub-processors engaged and their geographical location, and (ii) a copy of relevant parts of the sub-processor agreements with Sub-processors needed to demonstrate that the Supplier has fulfilled its obligations under the Data Processing Agreement.
7.3 The Supplier is fully responsible to the Client for the Sub-processors' obligations regarding the processing of Personal Data under the Data Processing Agreement.
We may engage consultants (sub-processors) to assist us, and they may also process your data.
08. TRANSFERS TO THIRD COUNTRIES
8.1 The Supplier may not, either itself or through a Sub-processor, transfer Personal Data to a country outside the EU/EEA.
All data on the platform will be kept within the EU.
09. COMMUNICATION
9.1 If a data subject, competent supervisory authority, or other third party requests information from the Supplier concerning the processing of Personal Data, the Supplier shall refer such request to the Client and await the Client's instructions.
9.2 The Supplier may not disclose Personal Data or information about the processing of Personal Data without instructions from the Client unless required by law. In such a case, the Supplier shall first inform the Client of the legal obligation unless the Supplier is prohibited from doing so by law or government decision.
9.3 The Supplier shall, given the nature of the processing, assist the Client through appropriate technical and organizational measures to fulfill its obligations towards data subjects under Applicable Law, including their right to access and data portability.
We will not disclose any of your data unless there are legal requirements to do so.
Keep in mind... Should you need to retrieve your data, we will help ensure everything is provided to you.
10. AUDIT & CONTROL
10.1 The Client has the right, either independently or with the assistance of a third party, to access premises, equipment, information, and records to verify that the Supplier, as well as any Sub-processors, fulfill their obligations under the Data Processing Agreement. All persons participating in the inspections must first sign confidentiality agreements with the Supplier. The Supplier shall provide access to the information and assistance the Client reasonably needs to effectively audit the Supplier free of charge.
10.2 The Supplier shall allow and contribute to inspections that the competent supervisory authority may require to ensure the correct processing of Personal Data, and comply with any decisions by the competent supervisory authority regarding measures to meet security requirements under Applicable Law.
10.3 The Supplier shall compensate the Client for the Client's costs in connection with audits and inspections if they show that the Supplier has significantly breached its obligations under the Data Processing Agreement.
If you need to review the storage of your data, technically or physically, you have the right to do so.
Keep in mind... If you want to audit the storage, there may be costs associated with this.
11. TERM
11.1 The Data Processing Agreement is effective from the date the Parties sign it and as long as the Supplier processes Personal Data on behalf of the Client, or until the Data Processing Agreement is replaced by another data processing agreement.
11.2 The Supplier shall within thirty (30) days from the termination of the Data Processing Agreement, at the Client's instruction, either (i) permanently delete all Personal Data or (ii) transfer all Personal Data to the Client in a common and readable format and then delete all existing copies of Personal Data. This does not apply if and to the extent that such action would be contrary to law.
As long as we work together, the agreement stands.
Keep in mind... When we no longer work together, we will keep the data for 30 days and then delete it unless we have received other instructions from you.
12. LIABILITY FOR DAMAGE
If a data subject, competent supervisory authority, or other third party makes a claim for compensation or decides on sanctions against the Client, the Supplier shall indemnify the Client to the extent that the Supplier's actions or omissions in violation of the Data Processing Agreement contributed to the damage. The Client shall similarly indemnify the Supplier for claims for compensation or sanctions directed against the Supplier if and to the extent it is due to the Client.
We do not point fingers at each other but take responsibility for our own mistakes.
13. COMPENSATION
Unless the Parties agree otherwise, the Supplier shall not be entitled to special compensation for fulfilling its obligations under the Data Processing Agreement.
We do not charge extra for handling your data in a fair manner.
14. ADDITIONS, CHANGES, ETC.
The Parties agree to amend and supplement the Data Processing Agreement as necessary to meet the requirements of Applicable Law or in light of upcoming practices or guidelines from the competent supervisory authority.
Laws change, and this means that this agreement may also need to change.
15. APPLICABLE LAW & DISPUTES
The Data Processing Agreement shall be interpreted and applied in accordance with Swedish law. The dispute resolution provisions in the Parties' agreement on the Services also apply to the Data Processing Agreement.
If a dispute arises, it will be handled in the same way as in other agreements.
16. TERMINATION
The Data Processing Agreement has been signed electronically, and each Party has received a digital copy.
ANNEX 1 – DESCRIPTION OF PROCESSING
The Supplier's processing of Personal Data shall be carried out according to the Client's documented instructions. This annex constitutes part of these instructions.
SUBJECT MATTER OF THE PROCESSING
The processing will take place within the scope of the service description set out in the Parties' agreement on the Services.
NATURE AND PURPOSE OF THE PROCESSING
The Supplier will process Personal Data for the purpose of providing the Services and otherwise only in accordance with the Client's instructions.
TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
The Supplier will process Personal Data from: the Client's employees, consultants, and customers.
Personal Data that will be processed from these individuals may include Personal Data belonging to the following categories: name, social security number, email address, phone number, notes, call recordings, images, and activity occurring on the platform provided by the Supplier.
DURATION OF THE PROCESSING
The processing will continue as long as the Supplier provides the Services to the Client and for a limited time thereafter as per the Data Processing Agreement. The Supplier will work with the Client to determine retention periods for Personal Data in individual cases. If no specific agreement has been made, all Personal Data stored by the Supplier will be deleted within six (6) months from the most recent Client-instructed processing.