Data Processing Agreement
MOBLRN's GENERAL DATA PROCESSING AGREEMENT
1.1 GENERAL Data Processing agreement between Moblrn - Mobilized Learning AB (hereinafter referred to as data processor “DP”), organisation number 556930-0535, with address Katarinavägen 15, 102 61 Stockholm and the CUSTOMER, i.e. companies that use Moblrn's digital training cloud service (hereafter referred to as Data Controller “DC”).
1.2 This data processing agreement (“Processing agreement“) only governs questions regarding MOBLRN's processing of personal data on behalf of the customer. In the case of disputes between a separate agreement and the general processing agreement, the separate agreement shall take precedence.
2.1 Concepts defined in capital letters in the Processing agreement, which are also contained in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) have the same definition as in the regulations.
The Agreement refers to the agreement on use of MOBLRN's services that have been concluded before or upon the undertaking of this agreement.
Processing agreement refers to this data processing agreement.
Applicable legislation refers to (a) the General Data Protection Regulation (GDPR) (b) applicable Swedish legislation that complements GDPR and (c) applicable practices, regulations, opinions, general advice and recommendations issued by the Swedish Data Protection Authorities or other relevant supervisory authority (including institutions within the European Union). All terms and definitions in this Agreement shall have the same meaning as and be interpreted in accordance with the applicable law.
Data controller (DC) refers to the customer/organization, who defines the purpose and means of the processing.
Data processor (DP) refers to MOBLRN, who processes personal data for the data controller.
Standard Contractual Clauses (SCC) refers to conditions for the protection of personal data transferred to third countries in accordance with European commission decision C (2010) 593 of 5 February 2010 or equivalent terms that replace them.
Subcontractor (SC) refers to a party assigned to the Data processor, under the responsibility of the Data processor, to perform processing in accordance with this Processing agreement and instructions from the Data controller.
3.1 The purpose of the Processing agreement is to establish such a binding written agreement regarding Data Processor (DP) as required by the legislation.
3.2 The aim is to further ensure that the security and the secrecy of the Data Processor is maintained by DP's processing of personal data.
4.1 The Data Controller (DC) is responsible for processing in accordance with the legislation in force at any time.
4.2 The parties understand and agree that, in the event that the legislation or applicable governmental instructions change significantly, the terms of this Processing agreement shall be adjusted to the extent that they once more correspond to the principles that the parties originally intended when entering into this Processing agreement.
5. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
5.1 The Data controller (DC) shall: (a) give the DP such detailed and documented instructions regarding the processing, that the DP will be able to carry out the processing in agreement with this Processing agreement and legislation. (b) be entitled and obliged to specify the purpose and means of processing of personal data. (c) ensure that all persons whose personal data have been registered have received the required messages and information, and ensure that the required legal bases for transferring personal data to the DP exist for the relevant time period which allows the DP to perform the process as provided herein.
(d) in the event that the DC represents their group company or third party in accordance with this Processing agreement, ensure that the data controller has all legal powers to enter into the name of the company and to complete this Processing agreement with the DP and to allow the DP to process personal data in accordance with the terms of this Processing agreement and The Agreement; and (e) ensure that the DP has obtained all necessary information from the DC to enable the DP to perform the processing in accordance with the legislation.
6. DATA PROCESSOR'S RIGHTS AND OBLIGATIONS
6.1 The Data Processor (DP) shall: (a) process personal data in accordance with documented, legal and fair instructions from the DC, unless otherwise required by the legislation, and in the latter case the DP shall inform the DC of the deviating legal requirement, provided that the legislation does not prohibit such notice. (b) ensure that persons authorized to perform the processing in accordance with this Processing agreement have undertaken to observe confidentiality or are subject to statutory confidentiality, as further specified in this Processing agreement. (c) take all security measures required by the DP under the legislation, as further specified in this Processing agreement. (d) fulfil the conditions laid down in the legislation in the case of a subcontractor, as further specified in this Processing agreement. (e) to the extent possible and taking into account the nature of the processing, assist the DC through appropriate technical and organizational measures so that the DC can fulfil their obligation to respond to the request for the exercise of the data subject's rights in accordance with the legislation. (f) assist the DC in fulfilling their legal obligations, including data security, notification of personal data incidents, conformity assessment of data protection and obligations for prior consultation, as required by the DP in accordance with the legislation, taking into consideration the type of processing and the information that the DP has available. (g) on the DC's instructions, delete or return all personal data to the DC and delete existing copies unless storage of personal data is required under the applicable legislation.
The deletion and return methods shall be established between the parties; and (h) maintain the necessary records of the processing and provide the DC with all information required to demonstrate that the obligations established for the DP have been fulfilled as provided for in the legislation, as well as enable and contribute to audits, including inspections conducted by the DC or by a third party authorized by the DC.
6.2 Beyond the instructions given by the DC, the DP has no right to change the purpose of the processing or the processing resources.
7. SECURITY REQUIREMENTS
7.1 The DP shall take and maintain appropriate technical and organizational measures to protect personal data, taking into account: (a) recent developments, implementation costs and nature, scope, context and purpose of the processing and the risks, of varying probability and seriousness, posed to the rights and freedoms of real physical persons; and (b) the risks the processing entails, in particular from accidental or illegal destruction, loss or alteration or unauthorized disclosure or unauthorized access to the personal data transferred, stored or otherwise processed.
7.2 The DC is responsible for ensuring that the DP is informed of all circumstances (including risk assessment and processing of special categories of personal data) regarding the personal data provided by the DC which affect the technical and organizational measures covered by this Processing agreement.
7.3 The DP shall notify the DC of the occurrence or risk of a personal data incident, without undue delay, at the latest 24 hours after it has become known to the DP.
8.1 The DP has the right to hire one or more subcontractors for the performance of their commitments in this Processing agreement.
8.2 A subcontractor employed under this Processing agreement shall comply with all applicable provisions regarding the protection of personal data and, in essence, fulfill the other obligations of the data processors governed by this Processing agreement.
8.3 The DP shall inform the DC in advance of any planned changes, appointments or substitutions.
8.4 Approved subcontractors are listed in Annex 2.
9. GENERAL INSTRUCTIONS FOR MOBLRN's SERVICES
9.1 Processing Goals: (a) Provide digital training service (via a smartphone app) to DC's employees, resellers, consultants or other categories of individuals who have a legitimate reason to communicate with the DC. (b) Enable follow-up of completed training for employees and consultants.
9.2 The nature and length of the processing: (a) The personal data transmitted will be processed to administer users and obtain statistics for the training covered by the agreement. Processing may also be relevant in connection with technical support. (b) The processing will be valid during the term of validity of the agreement and in case of renewal of the term of validity of the agreement. After the termination of the agreement, all personal data shall be deleted.
9.3 Categories of personal data: (a) e-mail address (required) (b) First and last name (optional) (c) Department (optional) (d) Company/sender (required) (e) Results from knowledge test and course evaluations
9.4 It is the sole responsibility of the DC that the processing of personal data in the service complies with the requirements of the legislation. It can be noted in particular, that saving of address lists, results of tests and obtaining surveys with free text answers, should be given particular consideration to comply with the legal requirements for (including) legal basis, correctness and editing.
9.5 Special instruction from the DC to the DP is shown in Annex 1.
10. PROVIDING PERSONAL DATA TO OTHER COUNTRIES
10.1 In cases where the DC, in connection with the processing, transfers personal data to a country outside the European Economic Area (“EEA“) and which the European Commission does not consider to have an adequate level of protection in relation to the legislation, the parties shall conclude an additional agreement based on Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).
10.2 If the DP has hired a subcontractor with the purpose of transferring personal data to a non-EEA country that the European Commission does not consider to meet an adequate level of protection in relation to the legislation, the DP and subcontractors shall conclude an additional agreement based on SCCs or BCRs. Where applicable, the DP shall, upon request, provide the DC with a signed copy of such an additional agreement referred to above. In the event of a conflict between this Processing agreement and standard contractual clauses, the Standard Contractual Clauses or the Binding Corporate Rules shall prevail.
11. RIGHT TO TRANSPARENCY
11.1 At the request of the DC, without undue delay, the DP shall provide DC, or an independent third party, access to such information and documents as are necessary for the DC to exercise effective control of the DP's actions under this Processing agreement or legislation.
11.2 The DC shall bear the costs incurred in checking the processing of personal data by the DP.
12.1 The DP shall, except in cases where the DC's instructions say differently, (a) keep all personal data provided by the DC confidential (b) ensure that persons authorized to process personal data have undertaken to observe confidentiality; and (c) ensure that personal data is not disclosed to third parties without the DC's prior approval, unless the DP is not required by mandatory legislation or regulation to disclose the information.
12.2 If a registrant or authority makes a request related to the personal data covered by this Processing agreement, the DP shall promptly notify the DC of the request before the DP provides a response or takes other action regarding the personal data.
12.3 If the DP is prevented by mandatory laws or regulations from disclosing such information, the DP is not obliged to notify the DC of the request.
13. LIABILITY AND ACCOUNTABILITY
13.1 The DC shall - irrespective of the terms of the Processing agreement - hold the DP unaccountable for damage or loss (for example, but not limited to, administrative penalty, damages to registered or attorney fees) incurred by the DP due to the DC, or anyone for which the DC is responsible, acting in violation of the Processing agreement. For waiver of this provision, the parties must in writing agree on other regulations and expressly state that the regulation is a derogation from this provision.
13.2 In the case of compensation for damages as described above, the DP shall take measures to limit the damage, unless these measures do not cause unreasonable costs or otherwise are unreasonably burdensome.
13.3 In the event that the DC acted in violation of the Processing agreement in a non-essential manner, the DP has the right to terminate the Agreement on the expiration date at the time determined by the DP.
14. AGREEMENT TERM
14.1 This Processing agreement applies between the parties as long as the DP processes personal data as a consequence of their commitment under the Agreement to provide services to the customer. If the Agreement terminates and a new such agreement is reached without a new data processor agreement being reached, this Agreement will also apply to the new agreement. This Processing agreement may be terminated under the terms of the Agreement.
15. CONCLUDING THE PROCESSING EXPIRY
15.1 Once the processing has been terminated, or before if the DC so requests, the DP will disclose or destroy all personal data that the DP has processed.
16. ARBITRATION CLAUSE
16.1 Swedish law shall apply to this Agreement.
16.2 Disputes arising from this Agreement shall be resolved by mediation in accordance with the rules of the Stockholm Chamber of Commerce Mediation Institute (Mediation Regulations).
16.3 If mediation does not result in the dispute being resolved within the time stipulated in the mediation regulations, it will instead be settled by arbitration at the Stockholm Chamber of Commerce's Arbitration Institute (The Institute).
16.4 The Institute's rules for simplified arbitration shall apply unless the Institute, taking into consideration the severity of the case, the value of the dispute and other circumstances, decides that the Rules of the Stockholm Chamber of Commerce Tribunal shall apply to the proceedings. In the latter case, the Institute shall also decide whether the arbitration board shall consist of one or three arbitrators. The arbitration board, the parties, their agents and others who participate in the arbitration procedure shall observe confidentiality regarding the proceedings and what has taken place there.
16.5 The mediation and arbitration procedure under this section shall take place in Stockholm.
ANNEX 2: SUBCONTRACTORS
The table below is a complete list of the sub-processors approved in connection with the conclusion of the Agreement. Please note that the sub-processors Sendgrid/Twilio, MongoDB and Amazon Web Services are GDPR-compliant via Standard Contractual Clauses or Binding Corporate Rules.
Address and contact information
Description of the services provided by the subcontractor
The (geographic) subcontractor will process the personal data
Axakon AB –
Banérgatan 28, 115 23 Stockholm,
Consultancy services in development
41 Corsham St
(Binding Corporate Rules, BCR)
Amazon Web Services, Inc.
Legal Department, 410 Terry Avenue North
Seattle, WA 98109-5210, USA
Amazon Web Services
MongoDB, Inc Feb 2016
New York, NY 10019
+1 866 237 8815
MOBLRN protects transfer of personal data to countries outside the EU/EEA, by entering into agreements with its subcontractors based on standard contractual clauses (or BCRs).
On 16 July 2020, the European Court of Justice ruled in the so-called Schrems II case. The Court ruled that the EU-US Privacy Shield Agreement does not provide adequate protection for personal data when it is transferred to the US. The annulment of the Privacy Shield means that personal data controllers in the EU are no longer allowed to transfer personal data to recipients in the USA on the basis of the Privacy Shield. The Court, on the other hand, considered that the Commission's decision on Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) was valid and that they could be used for transfers to countries outside the EU and the EEA.