the “Data Controller”
Bookboost AB, having its registered office at Anckargripsgatan 3, 211 19 Malmö, Skåne län, Sweden, registered with the Chamber of Commerce with number 5590918974; hereafter: (the “Data Processor”)
Data Controller and Data Processor hereinafter also to be referred to as the “Parties”.
- Data Controller is a company active in the field of “guest messaging and engagement”.
- For the execution of its services, Data Controller processes various data, including personal data of various people (the “Data Subjects”) within the meaning of the General Data Protection Regulation (GDPR).
- Data Controller wishes to make use of the services of Data Processor for the storage, processing and security of these personal data (the “Assignment”). Data Processor accepts this Assignment.
- The GDPR requires a data processing agreement between Data Controller and Data Processor.
- Parties now wish to enter into this Data Processing Agreement (the “Agreement”) in order to regulate their rights and obligations regarding the processing of personal data by Data Processor.
Article 1 – Execution of the processing
- In the execution of the Assignment, Data Processor will handle the personal data in a careful manner and only process the personal data based on the assignment of Data Controller, in accordance with its written instructions and in accordance with this Agreement and the GDPR.
- Data Processor will not process the personal data for any other purpose than as established by Data Controller. Data Processor has no control over the purpose and means of the processing of the personal data.
- Data Processor further guarantees that every person acting under its authority will process the personal data lawfully and in accordance with this Agreement and the GDPR.
- At the request of Data Controller, Data Processor will provide Data Controller with information about the (security) measures taken in order to comply with the obligations under the GDPR, this Agreement and other instructions from Data Controller.
Article 2 – Warranty Data Controller
Data Controller guarantees the processing of the personal data of the Data Subjects, as referred to in this Agreement, is not unlawful and does not violate the rights of others. Data Controller indemnifies Data Processor against all claims relating to this.
Article 3 – Transfer of the personal data
In principle, Data Processor will process the personal data within the European Union. Transfer of personal data outside the European Union is only permitted to countries that provide an adequate level of protection for the processing of personal data in accordance with the GDPR. Data Processor will notify Data Controller in advance of any processing of personal data outside the European Union, unless such notification is prohibited by law.
Article 4 – Security measures
- Data Processor implements all appropriate technical and organisational measures to prevent loss of personal data or any form of unlawful processing. These measures shall guarantee an adequate level of protection of the personal data being processed.
- Data Processor will at least take the following security measures:
  - Encryption of digital files containing personal data
  - Security of the network connection with Secure Sockets Layer (SSL) technology or a similar technology
  - Restriction of access to the personal data to authorised employees
  - Back-ups of the personal data to restore them in time in case of physical or technical incidents
- Data Processor will provide Data Controller with all available information to provide Data Controller assistance in carrying out security measures, conducting audits and inspections and carrying out data protection impact assessments.
Article 5 – Security incidents
- Data Processor will report any theft, loss, misuse or other form of data breach to Data Controller as soon as possible. This report includes, as far as possible, at least the following: the nature of the breach, the categories and scope of the personal data concerned, the likely consequences of the data breach, the measures Data Processor has taken and the contact details for Data Controller to obtain more information.
- If needed, Data Processor will fully cooperate to inform the Data Subjects about such security incidents or data breaches. In addition, Data Processor will fully cooperate in carrying out risk assessments, analysing the cause of the incident or breach, identifying required corrective measures and implementing those measures.
Article 6 – Duration and termination
- This Agreement shall become effective on 25 May 2018. Parties enter into this Agreement for an indefinite period.
- This Agreement may be terminated by the end of each month, subject to one month's notice.
- If this Agreement is terminated or dissolved, Parties must continue to comply with the provisions of this Agreement regarding confidentiality, liability, indemnification and all other provisions that are intended by nature to remain applicable between the parties after termination or dissolution of this Agreement.
- If this Agreement is terminated or dissolved, Data Processor will return all data, including personal data, which are processed by Data Processor based on this Agreement, to Data Controller at his request. Data Controller must submit this request to Data Processor within three months. After this period, Data Processor will safely remove or destroy all personal data, including any copies of it, unless Data Processor is legally obliged to store the (personal) data for a longer period.
Article 7 – Confidentiality and non-disclosure
- Data Processor will treat all personal data and other data received by Data Controller as confidential. Data Processor will limit the access to this data to persons working for Data Processor, who need access to correctly process the data on behalf of the Data Controller.
- All (personal) data Data Processor receives based on this Agreement are subject to a non-disclosure obligation towards third parties. All persons employed by or working for Data Processor, as well as Data Processor itself, are required to maintain secrecy regarding the (personal) data.
- Data Processor will not provide third parties with the personal data or copy, multiply or otherwise make the personal data public, without permission of the Data Controller.
Article 8 – Requests from Data Subjects
- Data Processor will assist Data Controller with all requests which may be received from Data Subjects, such as the right to access, rectification or erasure.
- If Data Processor receives a request from a third party to provide access to the personal data based on an alleged (legal) obligation, Data Processor will inform Data Controller in writing before he provides the third party access, so Data Controller can assess whether the request is legitimate.
Article 9 – People working under the authority of Data Processor
The obligations for Data Processor arising from this Agreement also apply to those who process personal data under the authority of Data Processor, including but not limited to employees.
Article 10 – Sub Contractors
- Data Processor may sub-contract the processing of the personal data to external parties. Data Processor has sub-contracted (part of) the processing of the personal data to the following “Sub Contractors”: Smooch.
- Data Processor may appoint new Sub Contractors for the processing of the personal data. Data Processor will notify Data Controller of the addition or replacement of any Sub Contractors. In addition, Data Controller may request an overview of all appointed Sub Contractors.
Article 11 – Liability and indemnification
- Data Processor is liable for all damage suffered by Data Controller, if this damage is the result of not following the instructions of Data Controller, this Agreement, the GDPR or any other applicable laws and regulations regarding privacy and the protection of personal data.
- Data Processor is liable for all damage suffered by third parties, if such damages are caused by not complying with the lawful instructions of Data Controller or directly applicable obligations for Data Processor under the GDPR.
- Data Processor is not liable for any damage resulting from following the written instructions of Data Controller, if those instructions do not comply with the GDPR or any other applicable laws and regulations regarding privacy and the protection of personal data.
- Data Processor indemnifies Data Controller against all claims of third parties, insofar as Data Processor is liable for the damage suffered by those third parties.
Article 12 – Costs and default
- Data Processor must reimburse all costs incurred by Data Controller to force Data Processor to comply with this Agreement.
- If a certain obligation is not fulfilled or a certain period for compliance has expired, Data Processor is automatically in default. In such case a notice of default is not required.
Article 13 – Nullity
If a part of this Agreement is deemed void or voidable, this does not change the validity of the rest of this Agreement. Any invalid provision shall be replaced by a provision that is valid and whose interpretation shall be as close as possible to the intent of the invalid provision.
Article 14 – Final provision
- This Agreement can only be changed in writing.
- This Agreement replaces all prior agreements between the parties regarding the processing of personal data.