VENTUREPORT Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between:
- You (“Controller”); and
- Fleet St. Technologies AB, reg. no. 559205-2699, Malmskillnadsgatan 32, 111 51 Stockholm, Sweden, a company registered under the laws of Sweden (“Processor”).
- Each of Controller and Processor is referred to as a “Party” and jointly as the “Parties”.
- The Parties have entered into the Ventureport terms of service (“Agreement”), where Controller has contracted Processor in order to use Ventureport (“Service”), which forms the subject matter of the processing of personal data under this Agreement.
- Terms such as “personal data”, “processing” and “data subject” and other expressions not defined in this DPA shall have the same meaning as set out in the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), as may be amended, updated, replaced or superseded from time to time, if not expressly stated otherwise.
- The Service is a SaaS-solution rendering Controller the data controller, whilst Processor qualifies as data processor under the applicable data protection laws. In light of the above, Processor and Controller have agreed on the following terms and conditions set out in the DPA concerning the Processing of personal data under the DPA.
- The DPA shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof. In case of conflict between the Agreement and the DPA, the DPA shall take precedence.
- Processor’s obligations
- Processor shall to the extent any personal data is processed by Processor on behalf of Controller under the Agreement:
  - (i) only process personal data in accordance with Controller’s documented instructions specified in Schedule 1 of the DPA, unless required to do so under applicable European Union (“EU”) or Member State law to which the Processor is subject. Processor shall in such case inform Controller of such legal obligation unless prohibited by law. Processor shall immediately inform Controller if the Controller’s documented instructions, in the Processor’s opinion, are infringing applicable laws, rules and regulations. Such information shall not be considered as legal advice provided by Processor;
  - (ii) ensure that the employees/agents/sub-contractors or other third parties that are authorized to process personal data are subject to an obligation of confidentiality with regards to the personal data. Processor is only allowed to disclose personal data to third parties if Controller has given its written consent or if it is required by applicable law;
  - (iii) implement appropriate technical and organizational measures required pursuant to Article 32 of the GDPR;
  - (iv) hereby be given a general authorization to engage other processors (“Sub-processors”) for the processing of personal data on behalf of Controller. Where Processor engages a Sub-processor under this clause, Processor undertakes to ensure that the contract entered into between Processor and any Sub-processor shall impose, as a minimum, data protection obligations not less stringent than those set out in the DPA. Processor shall notify Controller of any intended changes concerning the addition or replacement of Sub-processors, to which the Controller may object. If Controller has made no such objection within ten (10) days from the date of receipt of the notification, Controller is assumed to have made no objection;
  - (v) have the right to cure an objection from Controller as described in (iv) above, at Processor’s sole discretion. If no corrective option is reasonably available and the objection has not been cured within thirty (30) days after receiving the objection, either Party may terminate the affected Service or the Agreement with reasonable written notice;
  - (vi) be allowed to transfer personal data to third countries outside the EU or European Economic Area (“EEA”) in accordance with Controller’s documented instructions. When personal data is transferred to a country that does not ensure an adequate level of data protection, Processor ensures that the transfer is subject to adequate safeguards as stated in Chapter V of the GDPR. Processor is hereby given clear mandate, on behalf of the Controller, to enter into: 2010/87/EU: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) or decisions and clauses that may replace or amend these;
  - (vii) taking into account the nature of the processing and the information available for Processor, at Controller’s cost, assist Controller in its obligation to respond to requests from data subjects pursuant to chapter III of the GDPR by implementing appropriate technical and organizational measures, insofar as this is possible;
  - (viii) taking into account the nature of processing and the information available to Processor, at Controller’s cost, assist Controller to fulfil its obligations pursuant to Articles 32 to 36 of the GDPR;
  - (ix) on termination or expiration of the Agreement or on instruction from Controller, upon written request and at Controller’s choice, return or delete all personal data processed under the Agreement, at Controller’s cost, unless Processor is required to retain the personal data in accordance with applicable laws, rules and regulations. Controller must make such written request fourteen (14) days from termination or expiration of the Agreement; and
  - (x) upon Controller’s request and at the cost of Controller, make available all information necessary to demonstrate Processor's compliance with the obligations laid down in Article 28 of the GDPR and in this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller who shall not be a competitor to Processor and accepted by Processor. Processor shall not unreasonably withhold its acceptance. The audit shall be carried out maximum once (1) per calendar year, and a written notice shall be sent to Processor with a notice period of at least sixty (60) days, before the audit commences. The audit shall be conducted during Processor’s normal working hours without disturbance to the normal operations of Processor.
- Interpretative prerogative
- In the event that the clauses of the Agreement or the DPA are in conflict with the data protection provisions set forth in the data processing agreement that Processor has signed with a Sub-processor (“Sub-processor Agreement”) set out in Schedule 2 to this DPA, the data protection provisions set out in the prevailing Sub-processor Agreement, to the extent it is applicable, shall take precedence with due changes. The above applies insofar as these data protection obligations in the Sub-processor Agreement are at least as stringent as the obligations in this DPA or constitute data protection obligations with which the Processor must comply.
- Notwithstanding the above clause 3.1, other applicable data protection provisions stated in the DPA remain unaffected.
- Limitation of liability and indemnification
- Processor’s liability shall be governed by the limitation of liability set out in the Agreement.
- Regardless of section 4.1 above, each Party shall bear its own administrative fines and Controller shall indemnify and hold Processor harmless from all liability and any loss incurred by Processor, if such liability arises as a result of the Controller’s breach of this DPA, the GDPR and/or other applicable laws.
- Governing law and disputes
- The DPA shall be governed by and construed in accordance with Swedish laws, without regard to its conflict of law rules.
- Any dispute or claim arising out of or in connection with the DPA, or the breach, termination or invalidity thereof, shall be finally settled by Swedish courts, with the Stockholm District Court as the first instance, unless otherwise provided by mandatory law.
Schedule 1 - Controller's instructions
The following are instructions from the Controller to the Processor for the processing of personal data covered by this DPA.
The Processor shall carry out the processing activities necessary in order to provide the Controller the Service as set out in the Agreement, including but not limited to, collection, registration and deletion of personal data.
Categories of personal data
Contact details, including but not limited to, name, address, social security number, phone number and e-mail.
Categories of data subjects
Shareholders of the Controller.
The personal data is processed as long as necessary in order to provide the Service to the Controller as set out in the Agreement.