GDPR

MOBLRN's GENERAL DATA PROCESSING AGREEMENT

04/10/2018

1. BACKGROUND
1.1 GENERAL Data Processing agreement between Moblrn - Mobilized Learning AB (hereinafter referred to as data processor “DP”), organisation number 556930-0535, with address Baldersuddevägen 15A, 134 38 Gustavsberg and the CUSTOMER, i.e. companies that use Moblrns Molntjenester (hereafter referred to as Data Controller “DC”).
1.2 This data processing agreement (“Processing agreement”) only governs questions regarding MOBLRN's processing of personal data on behalf of the customer. In the case of disputes between a separate agreement and the general processing agreement, the separate agreement shall take precedence.

2. DEFINITIONS
2.1 Concepts defined in capital letters in the Processing agreement, which are also contained in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) have the same definition as in the regulations.
The agreement refers to the agreement on use of MOBLRN's services that have been concluded before or upon the undertaking of this agreement.
Processing agreement refers to this data processing agreement.
Legislation refers to the Swedish legislation at any given time.
Personal data is legislated by the Personal Data Act (1998: 204) and the Personal Information Regulation (1998: 1191) at the time of the undertaking of the agreement.
However, these statutes will be replaced on 25 May, 2018. At this time such technologies will be primarily legislated by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and (not yet incorporated) Act of complementary provisions to the EU Data Protection Regulation.
The parties understand and agree that this Processing agreement shall be interpreted in accordance with the Swedish legislation applicable at all given times.
Data controller (DC) refers to the customer, who defines the purpose and means of the processing.
Data processor (DP) refers to MOBLRN, who processes personal data for the data controller.
Standard contract terms refers to conditions for the protection of personal data transferred to third countries in accordance with European commission decision C (2010) 593 of 5 February 2010 or equivalent terms that replace them.
Subcontractor (SC) refers to a party assigned to the Data processor, under the responsibility of the Data processor, to perform processing in accordance with this Processing agreement and instructions from the Data controller.

3. AIMS
3.1 The purpose of the Processing agreement is to establish such a binding written agreement regarding DP as required by the legislation.

3.2 The aim is to further ensure that the security and the secrecy of the Data Processor is maintained by DP's processing of personal data.

4. LEGISLATION
4.1 The DC is responsible for processing in accordance with the legislation in force at any time.
4.2 The parties understand and agree that, in the event that the legislation or applicable governmental instructions change significantly, the terms of this Processing agreement shall be adjusted to the extent that they once more correspond to the principles that the parties originally intended when entering into this Processing agreement.

5. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
5.1 The Data controller (DC) shall
(a) give the DP such detailed and documented instructions regarding the processing, that the DP will be able to carry out the processing in agreement with this Processing agreement and legislation.
(b) be entitled and obliged to specify the purpose and means of processing of personal data.
(c) ensure that all persons whose personal data have been registered have received the required messages and information, and ensure that the required legal bases for transferring personal data to the DP exist for the relevant time period which allows the DP to perform the process as provided herein
(d) in the event that the DC represents their group company or third party in accordance with this Processing agreement, ensure that the data controller has all legal powers to enter into the name of the company and to complete this Processing agreement with the DP and to allow the DP to process personal data in accordance with the terms of this Processing agreement and The Agreement; and
(e) ensure that the DP has obtained all necessary information from the DC to enable the DP to perform the processing in accordance with the legislation.

6. DATA PROCESSOR'S RIGHTS AND OBLIGATIONS
6.1 The Data Processor (DP) shall
(a) Process personal data in accordance with documented, legal and fair instructions from the DC, unless otherwise required by the legislation, and in the latter case the DP shall inform the DC of the deviating legal requirement, provided that the legislation does not prohibit such notice
(b) ensure that persons authorised to perform the processing in accordance with this Processing agreement have undertaken to observe confidentiality or are subject to statutory confidentiality, as further specified in this Processing agreement
(c) take all security measures required by the DP under the legislation, as further specified in this Processing agreement
(d) fulfil the conditions laid down in the legislation in the case of a subcontractor, as further specified in this Processing agreement
(e) to the extent possible and taking into account the nature of the processing, assist the DC through appropriate technical and organisational measures so that the DC can fulfil their obligation to respond to the request for the exercise of the data subject's rights in accordance with the legislation
(f) assist the DC in fulfilling their legal obligations, including data security, notification of personal data incidents, conformity assessment of data protection and obligations for prior consultation, as required by the DP in accordance with the legislation, taking into consideration the type of processing and the information that the DP has available
(g) on the DC's instructions, delete or return all personal data to the DC and delete existing copies unless storage of personal data is required under the applicable legislation. The deletion and return methods shall be established between the parties; and
(h) maintain the necessary records of the processing and provide the DC with all information required to demonstrate that the obligations established for the DP have been fulfilled as provided for in the legislation, as well as enable and contribute to audits, including inspections conducted by the DC or by a third party authorized by the DC.
6.2 The DP does not own, in addition to the instructions given by the DC, the right to change the purpose of the processing or the processing resources.

7. SECURITY REQUIREMENTS ETC
7.1 The DP shall take and maintain appropriate technical and organisational measures to protect personal data, taking into account:
(a) recent developments, implementation costs and nature, scope, context and purpose of the processing and the risks, of varying probability and seriousness posed to the rights and freedoms of real physical persons; and
(b) the risks the processing entails, in particular from accidental or illegal destruction, loss or alteration or unauthorized disclosure or unauthorized access to the personal data transferred, stored or otherwise processed
7.2 The DC is responsible for ensuring that the DP is informed of all circumstances (including risk assessment and processing of special categories of personal data) regarding the personal data provided by the DC which affect the technical and organisational measures covered by this Processing agreement.
7.3 The DP shall notify the DC of the occurrence or risk of a personal data incident, without undue delay, at the latest 48 hours after it has become known to the DP.

8. SUBCONTRACTORS
8.1 The DP has the right to hire one or more subcontractors for the performance of their commitments in this Processing agreement.
8.2 A subcontractor employed under this Processing agreement shall comply with all applicable provisions regarding the protection of personal data and, in essence, fulfill the other obligations of the data processors governed by this Processing agreement.
8.3 The DP shall inform the DC in advance of any planned changes, appointments or substitutions.
8.4 Approved subcontractors are listed in Annex 2.

9. GENERAL INSTRUCTIONS FOR MOBLRN's SERVICES
9.1 Processing Goals:
(a) Provide digital training service (via mobile app) to DC's employees, resellers, consultants or other categories of individuals who have a legitimate reason to communicate with the DC.
(b) Enable follow-up of completed training/awareness raising for employees and consultants.
9.2 The nature and length of the processing:
(a) The personal data transmitted will be processed to administer users and obtain statistics for the training covered by the agreement. Processing may also be relevant in connection with technical support.
(b) The processing will be valid during the term of validity of the agreement and in case of renewal of the term of validity of the agreement. After the termination of the agreement, all personal data shall be deleted.

9.3 Categories of personal data:
(a) E-mail address (required)
(b) First and last name (optional)
(c) Department (optional)
(d) Company/sender (required)
(e) Results from knowledge test and course evaluations

9.4 It is the sole responsibility of the DC that the processing of personal data in the service complies with the requirements of the legislation.
It is worth noting, in particular, that the safeguarding of address lists, results of tests and the receipt of questionnaires with “comment” responses should be given particular consideration to comply with the legal requirements for (including) legal basis, correctness and editing.
9.5 Special instruction from the DC to the DP is shown in Annex 1.

10. PROVIDING PERSONAL DATA TO OTHER COUNTRIES
10.1 In cases where the DC, in connection with the processing, transfers personal data to a country outside the European Economic Area (“EEA”) and which the European Commission does not consider to have an adequate level of protection in relation to the legislation, the parties shall conclude an additional agreement based on standard agreement terms.
10.2 If the DP has hired a subcontractor with the purpose of transferring personal data to a non-EEA country that the European Commission does not consider to meet an adequate level of protection in relation to the legislation, the DP and subcontractors shall conclude an additional agreement based on standard agreement terms.
Where applicable, the DP shall, upon request, provide the DC with a signed copy of such an additional agreement referred to above.
In the event of a conflict between this Processing agreement and standard agreement clauses, the standard agreement clauses shall prevail.

11. RIGHT TO TRANSPARENCY
11.1 At the request of the DC, without undue delay, the DP shall provide this, or an independent third party such as this, with access to such information and documents as are necessary for the DC to exercise effective control of the DP's actions under this Processing agreement or legislation.
11.2 The DC shall bear the costs incurred in checking the processing of personal data by the DP.

12. CONFIDENTIALITY
12.1 The DP shall, except in cases where the DC's instructions say differently,
(a) keep all personal data provided by the DC confidential
(b) ensure that persons authorised to process personal data have undertaken to observe confidentiality; and
(c) ensure that personal data is not disclosed to third parties without the DC's prior approval, unless the DP is not required by mandatory legislation or regulation to disclose the information.
12.2 If a registrant or authority makes a request related to the personal data covered by this Processing agreement, the DP shall promptly notify the DC of the request before the DP provides a response or takes other action regarding the personal data.
12.3 If the DP is prevented by mandatory laws or regulations from disclosing such information, the DP is not obliged to notify the DC of the request.

13. LIABILITY AND ACCOUNTABILITY
13.1 The DC shall - irrespective of the terms of the Processing agreement - hold the DP unaccountable for damage or loss (for example, but not limited to, administrative penalty, damages to registered or attorney fees) incurred by the DP due to the DC, or anyone for which the DC is responsible, acting in violation of the Processing agreement.
For waiver of this provision, the parties must in writing agree on other regulations and expressly state that the regulation is a derogation from this provision.
13.2 In the case of compensation for damages as described above, the DP shall take measures to limit the damage, unless these measures do not cause unreasonable costs or otherwise are unreasonably burdensome.
13.3 In the event that the DC acted in violation of the Processing agreement in a non-essential manner, the DP has the right to terminate the Agreement on the expiration date at the time determined by the DP.
13.4 Agreement term
13.5 This Processing agreement applies between the parties as long as the DP processes personal data as a consequence of their commitment under the Agreement to provide services to the customer.
If the Agreement terminates and a new such agreement is reached without a new data processor agreement being reached, this Agreement will also apply to the new agreement.
This Processing agreement may be terminated under the terms of the Agreement.

14. CONCLUDING THE PROCESSING EXPIRY
14.1 Once the processing has been terminated, or before if the DC so requests, the DP will disclose or destroy all personal data that the DP has processed.

15. ARBITRATION CLAUSE
15.1 Swedish law shall apply to this Agreement.
15.2 Disputes arising from this Agreement shall be resolved by mediation in accordance with the rules of the Stockholm Chamber of Commerce Mediation Institute (Mediation Regulations).
15.3 If mediation does not result in the dispute being resolved within the time stipulated in the mediation regulations, it will instead be settled by arbitration at the Stockholm Chamber of Commerce's Arbitration Institute (The Institute).
15.4 The Institute's rules for simplified arbitration shall apply unless the Institute, taking into consideration the severity of the case, the value of the dispute and other circumstances, decides that the Rules of the Stockholm Chamber of Commerce Tribunal shall apply to the proceedings. In the latter case, the Institute shall also decide whether the arbitration board shall consist of one or three arbitrators.
The arbitration board, the parties, their agents and others who participate in the arbitration procedure shall observe confidentiality regarding the proceedings and what has taken place there.
15.5 The mediation and arbitration procedure under this section shall take place in Stockholm.

ANNEX 1. OBJECTIVES AND INSTRUCTIONS
All processing of personal data performed by the Data processor (DP) Moblrn on account of the Data controller (DC) shall be in accordance with these instructions.

ANNEX 2
SUBCONTRACTORS
The table below provides a complete list of subcontractors approved in connection with the agreement's undertaking.
Please note that the subcontractor Sendgrid is affiliated with the Privacy Shield agreement and is therefore approved for processing of personal data under the General Data Protection Regulation (GDPR).


* Transferral of personal data to the United States
(From the data inspection website). On 12 July, 2016, the EU Commission adopted a decision on adequate protection for certain recipients of personal data in the United States, namely those covered by the so-called Privacy Shield. The decision means that personal data is to be transferred to such recipients in the United States that are affiliated with Privacy Shield.
“The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.”


Link to “Privacy Shield Framework”
https://www.privacyshield.gov/Program-Overview
