Last updated: September 10, 2024
This Data Processing Agreement (“DPA”) is between Ambition Profile AB (“Processor”) and the entity using the Processor’s services (“Controller”).
1. INTRODUCTION
This agreement document constitutes the DPA between the parties and sets out the principles for processing Personal Data. The DPA constitutes an integral part of any existing service agreement between the parties (the “Agreement”).
2. PRINCIPLES OF PROCESSING OF PERSONAL DATA
The Processor is committed to protecting the security and privacy of Personal Data and will handle all such information in compliance with applicable Data Protection Legislation and the terms of the Agreement. The Processor’s processing of Personal Data, including information about end users and other individuals accessing the services, is necessary to provide the services outlined in the Agreement.
Details regarding processing Personal Data related to the services are available in the Processor’s Privacy Notice, found at https://ambitionprofile.com/legal/privacy-policy.
3. PURPOSE OF THE DPA
The purpose of the DPA is to regulate rights and obligations under applicable Data Protection Legislation relating to the Processor’s processing of Personal Data on behalf of the Controller.
“Data Protection Legislation” shall mean the EU General Data Protection Regulation 2016/679 (“GDPR”) and national provisions on the protection of privacy in the country in which the Controller is established, as amended, replaced, or superseded from time to time, including laws implementing or supplementing the GDPR.
“Personal Data” means any information relating to an identified or identifiable natural person (the “Data Subject”).
The DPA shall ensure that Personal Data is processed in accordance with Data Protection Legislation and is neither used unlawfully nor comes into the possession of any unauthorized party.
4. SCOPE OF PROCESSING
The Controller determines the purposes and means of processing Personal Data. The Processor, including its Sub-processors and any personnel acting under its authority with access to Personal Data, shall process such data exclusively on behalf of the Controller and strictly under the Agreement, the Controller’s documented instructions, and the DPA. Should the Processor believe that an instruction from the Controller violates Data Protection Legislation, the Processor shall immediately notify the Controller.
The DPA concerns the Processor’s processing of Personal Data on behalf of the Controller in connection with the provision of the services as further described in the Agreement.
The processing’s nature and purpose, including operations and basic processing activities, are to provide the services as further described in the Agreement.
The processing involves processing Personal Data related to the Controller’s end-users or employees.
The Processing relates to the following categories of Personal Data:
5. THE CONTROLLER’S OBLIGATIONS
The Controller assures the Processor that it will only process Personal Data for lawful reasons and specific business needs according to the Agreement and that the Processor’s access will be limited to the minimum amount of Personal Data necessary to fulfill those needs.
Before sharing any Personal Data with the Processor, the Controller confirms that it has a valid legal basis, such as consent that is freely given, transparent, and based on an understanding of the processing. The Controller also confirms that it has adequately informed the Data Subjects about how their Personal Data will be used.
6. CONFIDENTIALITY
The Processor, its Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data are subject to a duty of confidentiality and shall observe professional secrecy regarding the processing of Personal Data and security documentation under applicable Data Protection Legislation. The Processor is responsible for ensuring that any Sub-processor or other persons acting under its authority are subject to such duty of confidentiality.
The Controller is subject to a duty of confidentiality regarding any documentation and information related to the Processor’s and its Sub-processors’ implemented technical and organizational security measures or information that the Processor otherwise wants to keep confidential. However, the Controller may always share such information with supervisory authorities to comply with the Controller’s obligations under Data Protection Legislation or other statutory obligations.
The confidentiality obligations also apply after the termination of the DPA.
7. SECURITY
The security requirements for the Processor’s processing of personal data are governed by Annex A of the DPA.
8. ACCESS TO PERSONAL DATA AND DATA SUBJECT’S RIGHTS
Unless otherwise agreed or under applicable statutory laws, the Controller is entitled to request access to Personal Data being processed by the Processor on behalf of the Controller.
If the Processor or a Sub-processor receives a request from a Data Subject relating to the processing of Personal Data, the Processor shall forward such request to the Controller for the Controller’s further handling, unless otherwise stipulated in statutory law or the Controller’s instructions.
The Processor shall assist the Controller in the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights stipulated in Data Protection Legislation, including the Data Subject’s right to (i) access to its Personal Data, (ii) rectification of its inaccurate Personal Data; (iii) erasure of its Personal Data; (iv) restriction of, or objection to, processing of its Personal Data; and (v) the right to receive its Personal Data in a structured, commonly used and machine-readable format (data portability). Unless otherwise agreed, the Processor shall be compensated for such assistance at the then-current rates.
9. OTHER ASSISTANCE
If the Processor or a Sub-processor receives a request for access or information from the relevant supervisory authority relating to the registered Personal Data or processing activities subject to the DPA, the Processor shall notify the Controller for the Controller’s further handling, unless the Processor is entitled to handle such request itself.
If the Controller is obliged to perform an impact assessment and/or consult the supervisory authority concerning the processing of Personal Data under the DPA, the Processor shall assist the Controller. The Controller shall bear any costs accrued by the Processor related to such assistance.
10. NOTIFICATION OF PERSONAL DATA BREACH
The Processor shall notify the Controller without undue delay after becoming aware of a breach related to the processing of Personal Data (“Personal Data Breach”). The Controller is responsible for notifying the Personal Data Breach to the relevant supervisory authority.
The notification to the Controller shall, as a minimum, describe (i) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Personal Data Breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
If the Controller is obliged to communicate a Personal Data Breach to the Data Subjects, the Processor shall assist the Controller, including by providing necessary contact information for the affected Data Subjects if available. The Controller shall bear any costs related to such communication to the Data Subjects. The Processor shall nevertheless bear such costs if the Personal Data Breach is caused by circumstances for which the Processor is responsible.
11. TRANSFER
Disclosure, transfer, or access to Personal Data (“Transfer”) from countries located outside the EU/EEA (“Third Country”) may only occur with approval from the Controller. Such Transfer is subject to EU standard contractual clauses between the Controller and the relevant company at the location or other legal basis for such Transfer.
12. USE OF SUB-PROCESSORS
The Processor may appoint another processor (“Sub-processor”) to assist in providing the services and processing Personal Data under the Agreement, provided that the Processor ensures that:
The Processor shall remain fully liable to the Controller for the performance of any Sub-processor.
13. PROCEDURE FOR USE OF SUB-PROCESSORS
The Processor shall maintain an up-to-date list of any Sub-processors and the locations used by such Sub-processors to process Personal Data on the Controller’s behalf. The Processor shall update the list to reflect any addition or replacement of Sub-processors and notify the Controller at least two months before the date on which such Sub-processor shall commence processing of Personal Data. The Controller has the right to object to such changes within three weeks of receipt of such notification. If the parties do not agree on such a change of Sub-processor, the Processor may terminate the Agreement and this DPA with one month’s notice.
By entering into this DPA, the Controller grants the Processor authority to enter into EU standard contractual clauses on behalf of the Controller or to secure another legal basis for Transfer to Third Countries for any Sub-processor approved under the procedure stipulated above. Without undue delay, the Processor shall provide the Controller with a copy of such EU standard contractual clauses or description of such other legal basis for Transfer, as well as documentation of the risk assessment performed by the Processor concerning the use of the Sub-processor.
The Processor shall provide reasonable assistance and documentation for the Controller’s independent risk assessment concerning the use of Sub-processors or the Transfer of Personal Data to a Third Country.
14. AUDITS
The Processor shall, upon request, provide the Controller with documentation of implemented technical and organizational measures to ensure an appropriate level of security and other information necessary to demonstrate the Processor’s compliance with its obligations under the DPA and relevant Data Protection Legislation.
The Controller and the supervisory authority under the relevant Data Protection Legislation shall be entitled to conduct audits. The Controller shall not be given access to information concerning the Processor’s other customers and information subject to confidentiality obligations.
The Controller is entitled to conduct such audits once a year. If the Controller appoints an external auditor to perform the audits, such external auditor shall be bound by a duty of confidentiality.
The Controller shall bear any costs related to audits initiated by the Controller or accrued concerning audits of the Controller, including compensation to the Processor for reasonable time spent by it.
15. TERM AND TERMINATION
The DPA is valid for as long as the Processor processes Personal Data on behalf of the Controller.
In the event of the Processor’s breach of the DPA or non-compliance with the Data Protection Legislation, the Controller may (i) instruct the Processor to stop further processing of Personal Data with immediate effect and/or (ii) terminate the DPA with immediate effect.
16. EFFECTS OF TERMINATION
The Processor shall, upon the termination of the DPA and at the choice of the Controller, delete or return all the Personal Data to the Controller unless otherwise stipulated in applicable statutory law.
17. LIMITATION OF LIABILITY
Neither party shall be liable to the other party for any incidental, special, consequential, or indirect damages of any kind (including without limitation damages for interruption of business, loss of data, loss of profits, or the like) regardless of the form of action, whether in contract, tort (including without limitation negligence), strict product liability, or other, even if advised of the possibility of such damages (jointly “Indirect Damages”).
Neither party shall be liable to the other party for
The total and maximum liability of either party towards the other party under any provision of the DPA or any transaction contemplated by the DPA shall not exceed an amount equal to the total amounts paid for the services under the Agreement in the twelve months preceding the event that incurs liability.
The above limitations shall not apply to damages attributable to fraud, gross negligence, or intentional misconduct.
18. AMENDMENTS
If changes in Data Protection Legislation, a judgment or opinion from another authoritative source that results in a different interpretation of Data Protection Legislation, or changes to the services under the Agreement require changes to the DPA, the parties shall, in good faith, cooperate to update the DPA accordingly.
19. GOVERNING LAW AND LEGAL VENUE
The Agreement’s governing law, dispute resolution method, and legal venue shall apply accordingly.
***
Annex A – Security Measures
Available upon request.