DATA PROCESSING AGREEMENT
For the purposes of Article 28(3) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) by and between
CUSTOMER
and
CADcog AB, org. no. 559333-0318, with registered address Brisgatan 54, 802 74 Gävle, Sweden (“CADcog”).
individually referred to as “Party” and collectively as “Parties”
HAVE AGREED on the following Data Processing Agreement (the “DPA”) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the Data Subjects.
PREAMBLE
This DPA sets out the rights and obligations of the CUSTOMER acting as the Data Controller and CADcog acting as the Data Processor, when Processing Personal Data on behalf of the Data Controller.
This DPA forms part of and supplements CADcog’s Terms of Use for use of the Services and the Privacy Policy.
This DPA has been designed to ensure the Parties’ compliance with Art. 28(3) of GDPR.
This DPA further defines in Schedule 1 the applicable technical and organizational measures CADcog implements and maintains to protect Personal Data when performing its obligations under this DPA. Furthermore, Schedule 2 contains details about the purpose and nature of the Processing, the type of Personal Data and the categories of Data Subjects.
Unless otherwise defined herein, all capitalized terms shall have the meaning given to them in CADcog’s Terms of Use and/or Privacy Policy.
1. DEFINITIONS
The terms below shall have the following meanings in this DPA.
“Data Controller” shall mean the entity that alone or jointly with others determines the purposes and means of the Processing of Personal Data.
“Data Processor” shall mean the entity that Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” shall mean the relevant data protection and privacy laws to which the Parties are subject, in particular (but not limited to) GDPR.
“Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” shall mean any operation which is performed on Personal Data, whether or not by automated means, such as collection, organization, structuring, storage, use, dissemination or otherwise making available, erasure or destruction.
“Subprocessor” shall mean any processor which the Data Processor may engage to carry out specific Processing activities on behalf of the Data Controller.
2. PURPOSE OF THE DPA
- The purpose of the Personal Data Processing under this DPA is the performance of the Services. The persons affected by the Processing, the nature of the Personal Data to be Processed as well as the scope, nature and purpose of the Processing by CADcog are set out in Schedule 2.
- The Parties agree that no special categories of Personal Data (“Sensitive Data”) shall be Processed under this DPA. For the avoidance of doubt, Sensitive Data shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. In the event that the CUSTOMER foresees that it will need to instruct CADcog to Process Sensitive Data on its behalf, the CUSTOMER must inform CADcog immediately in writing.
3. Processing of Personal Data
- The Parties acknowledge and agree that with regard to the Processing of Personal Data provided by CUSTOMER to CADcog, CUSTOMER is the Data Controller and CADcog is the Data Processor. CADcog may also act as an independent Data Controller in regard to the Personal Data that CUSTOMER provides to CADcog and which CADcog Processes for its own purposes, as further described in the Privacy Policy. The Processing performed by CADcog as a Data Controller does not fall under the scope of this DPA.
- In case it is expressly agreed that affiliates of CUSTOMER or any other third parties shall also benefit from the Services, the following shall apply. If CUSTOMER acts in this respect on behalf of and in the name of its affiliates and/or third parties in their capacity as Data Controllers, CUSTOMER shall ensure that the agreements it enters into with its Data Controllers are fully compatible with this DPA, by expressly allowing CADcog and its Subprocessors to Process any Personal Data as described in this DPA. CUSTOMER shall serve as a single point of contact for CADcog and shall be solely responsible for the internal coordination, review and submission of instructions or requests of other Data Controllers to CADcog, and CADcog shall be entitled to refuse any requests or instructions provided directly by a Data Controller that is not CUSTOMER. CADcog shall further have no obligation to inform or notify a Data Controller when it has provided such information or notice to CUSTOMER.
- CADcog shall as a Data Processor:
(a) Comply with all Data Protection Laws and other laws generally applicable to the Services. However, CADcog is not responsible for compliance with any laws applicable to CUSTOMER or CUSTOMER’s industry that are not generally applicable to information technology service providers.
(b) Process the Personal Data only in accordance with the written instructions from CUSTOMER as set out in this DPA. CADcog shall not use or disclose the Personal Data for any other purposes, except for such purposes described in the Privacy Policy.
(c) Notify CUSTOMER if it considers an instruction from CUSTOMER to be in violation of Data Protection Laws. CADcog shall follow and comply with any additional instructions received from CUSTOMER provided that they are legally required, technically feasible and do not require any material modifications. If CADcog is unable to comply with an additional instruction, it shall promptly notify CUSTOMER hereof.
(d) Process the Personal Data only to the extent, and in such manner, as is necessary for the CUSTOMER’s use of the Services.
(e) Implement and maintain appropriate technical and organizational measures as set out in Schedule 1. CUSTOMER understands and agrees that these measures are subject to technical progress and development and that CADcog is therefore expressly allowed to implement alternative measures provided that they maintain or exceed the general security level described in Schedule 1.
(f) Ensure that confidentiality applies to Personal Data and that access is strictly limited to the personnel who require access for the Services.
(g) Ensure that all of its personnel engaged in the Processing of Personal Data (i) are informed of the confidential nature of the Personal Data, (ii) have received appropriate training on their responsibilities and (iii) have executed written confidentiality agreements or are under an appropriate statutory obligation of confidentiality. CADcog shall ensure that such confidentiality obligations survive the termination of their personnel arrangement.
(h) Assist CUSTOMER in meeting the obligations CUSTOMER is made subject to by Data Protection Laws, in particular to facilitate the exercise of the Data Subjects’ rights under such laws. That includes, but is not limited to, an obligation for CADcog to (i) block, erase or anonymize Personal Data, (ii) provide information about the Processing activities, (iii) furnish Data Subjects with information about and access to their Personal Data, (iv) rectify incorrect Personal Data and (v) provide CUSTOMER with Personal Data in a structured, commonly used and machine-readable format. CADcog undertakes to perform such actions when required and as instructed by CUSTOMER, however always at CUSTOMER’s costs and expenses; and
(i) All third party requests regarding Personal Data or information about the Processing activities in regard to the use of the Services shall be redirected to CUSTOMER, whether the request is made by a Data Subject, a data protection authority or any other third party, unless such requests cannot legally be redirected to CUSTOMER. CADcog shall promptly notify CUSTOMER of all third party requests for information related to this DPA and shall procure to assist CUSTOMER by appropriate technical and organizational measures, insofar as this is possible and at CUSTOMER’s expense, for the fulfilment of the CUSTOMER's obligation to respond to requests for exercising the Data Subject’s rights.
- CADcog shall make all information available to CUSTOMER which is necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by CUSTOMER or another auditor mandated by CUSTOMER.
- CADcog shall ensure that a data inspection authority may perform audits as provided for according to Data Protection Laws. In the event Personal Data is requested from any data inspection authority, CADcog shall without undue delay refer such requests to CUSTOMER.
4. Use of SUBPROCESSORS
- CADcog may use other affiliates and subcontractors to perform certain obligations under the Services on CADcog’s behalf, such as, but not limited to, providing software maintenance and support. CUSTOMER hereby authorizes CADcog to engage its affiliates and subcontractors for the Processing of Personal Data as Subprocessors. In such case, CADcog shall enter into a written agreement with each Subprocessor which requires the Subprocessor to comply with terms no less protective than the terms that CADcog, as a Data Processor, is made subject to under this DPA.
- CADcog shall inform CUSTOMER upon its request by e-mail about the name, address and role of each Subprocessor it uses. CADcog may remove a Subprocessor or appoint other suitable and reliable Subprocessors at its own discretion.
- CADcog shall inform CUSTOMER by e-mail of any changes to the list of Subprocessors, thereby giving the CUSTOMER the opportunity to object to such changes.
5. THIRD COUNTRY TRANSFERS
- The Parties understand and agree that Personal Data may be transferred to, and respectively from, countries outside of the EU/EEA by the affiliates and Subprocessors of CADcog used to perform certain obligations under this DPA, the Privacy Policy and/or the Terms of Use.
- If a Subprocessor is incorporated outside the EU/EEA, CADcog shall procure to ensure that an adequate level of protection is maintained in compliance with Data Protection Laws on third country transfers.
6. LIABILITY
- CUSTOMER shall indemnify and keep indemnified and defend at its expense CADcog against all direct costs, claims, damages or expenses incurred by CADcog or for which CADcog may become liable due to any failure by the CUSTOMER or its employees or agents to comply with the obligations under this DPA.
- CADcog shall indemnify and keep indemnified and defend at its expense CUSTOMER against all direct costs, claims, damages or expenses incurred by the CUSTOMER or for which the CUSTOMER may become liable due to any failure by CADcog or its employees or agents to comply with the obligations under this DPA.
- Except for gross negligence or willful intent, neither Party shall be liable for any indirect or consequential damages of the other Party, such as, but not limited to, loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third party claims.
7. MISCELLANEOUS
- This DPA shall apply for the duration of the provision of Personal Data Processing. This DPA shall automatically terminate upon any termination or expiration of the use of the Services.
- At the request of CUSTOMER and/or upon termination of this DPA, the Data Processor shall either return or delete the Personal Data in such a way that it cannot be recovered, as instructed by CUSTOMER. In the event CUSTOMER directs that Personal Data is returned, it shall be returned within thirty (30) days from the termination of this DPA.
- In case of discrepancies between CADcog’s Terms of Service, Privacy Policy and this DPA, this DPA shall take priority.
8. GOVERNING LAW AND JURISDICTION
- This DPA is governed by the laws of Sweden. Any dispute arising out of or in connection with this DPA shall be settled by the courts of Sweden.
SCHEDULE 1
TECHNICAL AND ORGANIZATIONAL MEASURES
Art. 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Controller and Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Data Controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the Processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
- Any computer equipment and portable storage media that is not supervised must be securely locked up in order to protect against unauthorized access, manipulation and theft. Premises containing such equipment shall always be protected with such physical security measures as are deemed necessary to ensure that only authorized personnel are granted access.
- Personal Data shall regularly be backed up. Backup copies shall be kept separate and protected so as to allow restoration in case of a disruption. CADcog shall implement routine testing of readback capability.
- Access to Personal Data shall be controlled with a technical solution for authentication. Authorization shall be limited to only those in need of the data for their work. User identities and passwords shall be personal and may not be transferred to someone else. CADcog shall implement routines for the granting and revoking of rights.
- Access to Personal Data shall be traceable through the use of logs or similar solutions that allow the Data Processor to verify access and report back to the CUSTOMER.
- Any external connection for communication of data must be protected by a technical solution that ensures that the connection is authorized.
- The transfer of Personal Data by technical means outside of CADcog’s control and supervision shall employ encryption.
- Systems and components shall carry active security measures configured in such a way that they provide adequate levels of protection for the Personal Data.
- Whenever mounted or portable storage media containing Personal Data are taken out of use, all Personal Data shall be deleted in such a way that it cannot be recovered.
- Written agreements ensuring security and confidentiality must be executed between CADcog and any third party carrying out repairs or service of equipment used for the storage of Personal Data.
- On-site visits by third parties for repairs and service must be supervised by CADcog. If that is not possible, any storage media containing Personal Data must be removed prior to any such visit.
- Service by remote communication is only allowed provided it can be done through a secure connection and a reliable electronic identification of the person performing the service. Access shall only be given for the time required to perform the service. Any separate access way for service shall be closed whenever service is not actively being performed.
SCHEDULE 2
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA
Purpose(s) of the Processing
Performance of the obligations undertaken by CADcog under the Services.
Categories of Data Subjects
The Personal Data Processed may relate to CUSTOMER employees, prospective CUSTOMER employees and other individuals to which the access and use of the Services may relate.
Type of Personal Data
The Personal Data Processed may concern the following types of data:
- Network ID or connection data (ID, password, etc.)
- Identity information (name, email, address, phone number, photo, etc.)
- Personal life data (marital status, children, etc.)
- Professional life data (qualifications, skills, position, professional goals, etc.)
- Economical/financial information (bank account details, income, etc.)
- Location data (GPS, etc.).
Nature of the Processing
The Processing of the Personal Data by CADcog includes the following operations:
- Collection
- Consultation
- Recording
- Use
- Organization
- Disclosure
- Structuring
- Making available
- Storage
- Alignment / Combination / Matching
- Adaptation
- Restriction of use or access
- Retrieval
- Erasure or destruction
- Remote access
- Media handling (e.g. transportation of media containing Personal Data)