Data Processing Agreement
This Data Processing Agreement (the “DPA”) is made between Tenstar Simulation AB, registration no. 556786-5570, a company organized under the laws of Sweden, with its registered address at Storemyrsvägen 2, 457 31 Tanumshede (the “Data Processor”); and the Customer, as defined in the Main Agreement (the “Data Controller”).
The parties listed above are hereinafter referred to as the “Parties” and each of them separately as a “Party”.
1 BACKGROUND
1.1 The Parties have entered into an agreement where the Data Processor shall provide the service defined in Appendix 1 of this DPA to the Data Controller (the “Main Agreement”).
1.2 In connection with the Data Processor’s performance of its obligations under the Main Agreement, the Data Processor may from time to time and on behalf of the Data Controller Process Personal Data, as further detailed in Appendix 1. In consideration hereof the Parties enter into this DPA.
1.3 This DPA, as attached as an appendix to the Main Agreement or as published on the Data Processor’s website, is incorporated by reference into, and forms a binding integral part of, the Main Agreement concluded between the Parties.
1.4 The Parties agree that this DPA outlines their respective obligations concerning the Processing of Personal Data in connection with the Data Processor’s provision of the service to the Data Controller. In case of any conflicting terms between the Main Agreement and this DPA, this DPA shall prevail. The Data Processor may update and amend this DPA in accordance with the Data Processor’s routines as applicable from time to time.
2 DEFINITIONS
In this DPA, capitalized terms shall have the same meaning ascribed to them under the GDPR. In addition, the following capitalized terms shall have the meanings ascribed to them below, and references to the singular shall include the plural and vice versa.
| "Adequacy Decision" | means a decision adopted by the European Commission that a certain country outside the EU/EEA, a territory or one or more specified sectors within that country ensures an adequate level of protection. |
| "Data Privacy Laws" | means any law and regulation in force at any time concerning the Processing of Personal Data, including but not limited to the GDPR, other European Union legislation relating to the Processing of Personal Data, national legislation implemented under and in compliance with the GDPR and the decisions, advice, recommendations, and opinions of the Supervisory Authority. |
| "EU Model Clauses" | means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. |
| "GDPR" | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). |
| "Sub-Processor" | means a natural or legal person, public authority, agency or other body which Processes Personal Data as a subcontractor to the Data Processor on behalf of the Data Controller. |
3 THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
3.1 The Data Controller is responsible for ensuring that the Processing of Personal Data takes place in compliance with applicable Data Privacy Laws.
3.2 The Data Controller has the right and obligation to make decisions about the purposes and means of the Processing of Personal Data. The Data Controller shall be responsible, among other things, for ensuring that the Processing of Personal Data, which the Data Processor is instructed to perform, has a legal basis.
3.3 The Data Controller shall provide clear and documented instructions to the Data Processor. Updated instructions shall be communicated using the form in Appendix 1 or as otherwise agreed by the Parties.
4 PROCESSING OF PERSONAL DATA
4.1 The Data Processor undertakes to comply with applicable Data Privacy Laws and recommendations by the Supervisory Authority or other competent authorities.
4.2 The Data Processor shall Process Personal Data only on documented instructions from the Data Controller, and only to the extent necessary to fulfil its undertakings under the Main Agreement, unless required to do so by Union or Member State law to which the Data Processor is subject. Such instructions are listed in Appendix 1.
4.3 The Data Processor shall be entitled to de-identify by anonymisation any test results processed under this DPA and/or data generated through the Data Subject’s use of the service, to the extent such data constitutes Personal Data, provided that such de-identification ensures that the data cannot, directly or indirectly, be attributed to an identified or identifiable natural person. Once de-identified, the Data Processor may use the resulting data set for statistical, analytical, research, and product or service development purposes, as well as for the improvement of its business operations. The Data Processor’s use of such de-identified data shall not constitute Processing of Personal Data under this DPA.
4.4 The Data Processor shall inform the Data Controller if the Data Processor lacks an instruction on how to Process Personal Data in a particular situation or if it believes an instruction provided under this DPA contravenes applicable Data Privacy Laws.
4.5 If the Data Processor Processes Personal Data in addition to or in violation of the Data Controller’s instructions, due to being required to do so by Union or Member State law to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.6 If Data Subjects, Supervisory Authorities, or any other third parties request information from the Data Processor regarding the Processing of Personal Data covered by this DPA, the Data Processor shall refer such request to the Data Controller as soon as possible after receipt of such request. Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling its obligations to respond to requests from Supervisory Authorities and Data Subjects to exercise their rights under Chapter III of the GDPR.
4.7 The Data Processor shall, upon the Data Controller’s reasonable request, assist the Data Controller with carrying out Data Protection Impact Assessment(s) where required under applicable Data Privacy Laws, taking into account the nature of the Processing and the information available to the Data Processor.
4.8 Upon the Data Controller’s request, the Data Processor shall assist the Data Controller with carrying out prior consultations with the Supervisory Authority, where such consultations are required under applicable Data Privacy Laws, taking into account the nature of the Processing and the information available to the Data Processor.
5 CONFIDENTIALITY
5.1 The Data Processor undertakes not to disclose or reveal the Personal Data or other information received by the Data Processor as a result of this DPA, to third parties other than Sub-Processors that have been engaged in accordance with this DPA.
5.2 The Data Processor shall only grant access to the Personal Data being Processed on behalf of the Data Controller to persons that directly require access to Personal Data in order to fulfil the Data Processor’s obligations in accordance with this DPA. The Data Processor shall ensure that such personnel are bound by a confidentiality obligation to the same extent as the Data Processor in accordance with this DPA and that they are informed how they may process the Personal Data.
5.3 The obligations set out in this section 5 do not include information disclosed in accordance with the instructions of the Data Controller or that the Data Processor is required to disclose pursuant to law, enactment, court’s or other governmental authority’s decision or stock exchange regulation. The Data Processor shall promptly and in writing notify the Data Controller if the Data Processor is required to disclose such information.
6 PERSONAL DATA BREACHES
6.1 Taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in fulfilling the Data Controller’s obligations under Articles 33 and 34 of the GDPR.
6.2 The Data Processor shall without undue delay (and in no case later than forty-eight (48) hours) upon becoming aware of a Personal Data Breach notify the Data Controller in writing thereof. Such notification shall include information on at least the following matters, taking into account the nature of the Processing and the information available to the Data Processor:
I. the nature of the Personal Data including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
II. the likely consequences of the Personal Data Breach;
III. the measures taken or proposed to be taken by the Data Processor, to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.3 Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
6.4 The Data Processor shall thereafter implement all such measures as soon as possible and provide any and all reasonable cooperation requested by the Data Controller.
7 SUB-PROCESSORS
7.1 The Data Processor is given a general authorisation to engage Sub-Processors for the performance of the Data Processor’s Processing of Personal Data under the DPA. The Data Processor shall notify the Data Controller in writing of the intention to engage new Sub-Processors, giving the Data Controller at least fourteen (14) days to object to such changes. The Data Controller gives its approval to the Data Processor’s current Sub-Processors as listed in Appendix 1 (to be updated in case of changes).
7.2 In the event the Data Processor wishes to engage a Sub-Processor that the Data Controller has objected to, each Party shall be entitled to terminate the Main Agreement and this DPA, unless a suitable workaround is identified.
7.3 The Data Processor shall ensure that all Sub-Processors are bound by written agreements that require them to comply with corresponding data Processing obligations to those contained in this DPA and that meet the requirements of Article 28(3) of the GDPR.
7.4 If the Sub-Processor fails to perform its obligations, the Data Processor shall be fully liable to the Data Controller for the due performance of the Sub-Processor’s obligations.
8 TECHNICAL AND ORGANISATIONAL MEASURES
8.1 The Data Processor has implemented and, during the term of this DPA, will continue to implement and maintain appropriate technical and organizational measures to ensure that the Data Processor’s Processing of the Personal Data under this DPA meets the requirements of the Data Privacy Laws (such as Article 32 of the GDPR) and ensures that the rights of Data Subjects can be upheld. The measures implemented by the Data Processor shall provide a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
8.2 The security measures agreed between the Parties are set out in Appendix 1.
8.3 Furthermore, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Article 32 of the GDPR.
9 DATA LOCALISATION
9.1 The Data Processor may not, without the prior written consent of the Data Controller, transfer Personal Data outside the EU/EEA. If the Data Controller approves of the transfer, the Parties shall ensure that there is a valid transfer mechanism in place (including additional safeguards, if necessary), before the transfer commences.
9.2 If, subject to the approval of the Data Controller, the Data Processor will transfer Personal Data to a third party outside the EU/EEA, which is not subject to an applicable Adequacy Decision, the Data Processor shall enter into the applicable EU Model Clauses with the data importer – if this is identified as the most appropriate transfer mechanism.
9.3 The Data Controller shall, at any time, have the right to revoke its consent to third country transfers in accordance with sections 9.1 – 9.2. In such event, the Data Processor shall immediately cease the transfer and shall, at the request of the Data Controller, provide written confirmation that the transfer has ceased.
9.4 If the Data Controller does not approve of the transfer or revokes its consent to third country transfers in accordance with this section 9, the Data Processor shall be entitled to terminate the Main Agreement and this DPA, unless a suitable workaround is identified.
10 AUDIT AND INSPECTION
10.1 Upon the Data Controller’s request, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and applicable Data Privacy Laws.
10.2 The Data Controller may request an audit of the Data Processor’s Processing of Personal Data one (1) time per calendar year – unless the previous audit identified deviations from this DPA or applicable Data Privacy Laws. If so, the Data Controller may request additional audits until such deviations have been managed and the Data Processor provides sufficient evidence that it is in full compliance with this DPA and applicable Data Privacy Laws.
10.3 The Data Processor will, during normal business hours and upon reasonable notice (whereby a notice period of twenty (20) business days shall always be deemed reasonable), provide to the Data Controller’s personnel or its hired consultants, its internal or external auditors, inspectors, and regulators reasonable access to data and records (including tools and procedures) relating to the Processing covered by this DPA. The Data Controller’s auditors and other representatives shall comply with the Data Processor’s reasonable work rules, security requirements and standards when conducting site visits.
10.4 The Data Controller shall reimburse the Data Processor for any costs incurred by the Data Processor during an audit performed at the request of the Data Controller, unless a deficiency is found.
11 COMPENSATION
The Data Processor shall be entitled to reasonable compensation for all work carried out and all costs incurred by the Data Processor due to the Data Controller issuing instructions that go beyond the functions and levels of protection necessary in relation to the services that the Data Processor normally offers its customers, e.g., if the Data Controller requires the Data Processor to make changes in its systems, or if the Data Processor for any other reason is forced to make special adjustments for the Data Controller.
12 LIABILITY
12.1 Breaches of this DPA shall be treated as breaches of the Main Agreement. Any limitation of liability in the Main Agreement shall apply.
12.2 Each Party shall be liable for its own breaches of applicable Data Privacy Laws and shall indemnify the other Party accordingly in case the other Party suffers damage following such breach. For the avoidance of doubt, the Parties shall be liable for administrative fines in relation to their acts and omissions imposing the fine.
13 DELETION AND RETURN OF DATA
Upon expiry of this DPA, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and shall ensure that any Sub-Processor does the same, unless it is required to keep copies of the data under Union or Member State law to which the Data Processor is subject.
14 TERM
This DPA shall take effect as of the date of the Parties’ conclusion of the Main Agreement and remain effective as long as the Data Processor Processes Personal Data on behalf of the Data Controller, unless terminated in accordance with the Main Agreement and/or this DPA.
15 APPLICABLE LAW AND DISPUTES
This DPA shall be governed by the laws of Sweden. Any dispute shall be processed in accordance with the Main Agreement.
APPENDIX 1 – INSTRUCTION REGARDING PROCESSING
This Appendix 1 specifies the Processing of Personal Data carried out by the Data Processor on behalf of the Data Controller under the DPA. The purpose is to clarify the Processing and Personal Data that is covered by the Main Agreement and to comply with the GDPR’s requirements.
1 DETAILS OF PROCESSING
| Service | Tenstar Management Tool (TMT) |
| Purpose of the Processing and Processing activities | The Personal Data is processed for the purpose of providing the service and learning tool, which allows the teacher/admin to easily manage user accounts and settings for the simulator, accessing exercise results, scoring reports and statistics, as well as giving feedback to users. To achieve the purpose the Data Processor will perform the following activities with the data: ☒ Storage ☒ Administration ☒ Access in connection with support ☒ Anonymisation |
| Categories of Personal Data | |
| Sensitive Personal Data – if any | N/A. |
| Categories of Data Subjects | Users and administrators, including teachers and students. |
| Location | Personal Data is stored locally on the simulator and synchronised with Microsoft-provided cloud storage, see list of Sub-Processors. |
| Duration of Processing and erasure procedures | During the term of this DPA. However, [xx] will be deleted every 30 days in accordance with the Data Processor’s backup routines. |
2 TECHNICAL AND ORGANIZATIONAL MEASURES
The following instructions on technical and organizational measures are supplementary instructions to what is otherwise stated in the DPA and what follows from applicable Data Privacy Laws. These instructions are not in any way intended to limit the Data Processor’s responsibilities and obligations under the applicable Data Privacy Laws. All Personal Data collected and Processed by the Data Processor is protected by access control, data security in transit and at rest, and data redundancy.
2.1 Access control
Users access TMT Online by logging in to their accounts with a username and password. Different access levels are used to protect user data. Multi-factor authentication (MFA) is available and encouraged for all users and password reset is handled securely. User data in the cloud can be accessed by a limited number of authorised personnel at Tenstar. The Data Processor authorises as few people as necessary to access this data. Strong passwords are enforced for all Tenstar employees. MFA is strongly encouraged for all users.
2.2 Data in transit
All traffic between the Data Processor’s simulators and cloud storage is protected by SSL encryption.
2.3 Data at rest
All cloud data is kept in data centres located in Sweden and encrypted with 256-bit encryption. Local simulator data is stored physically on the simulator unit.
2.4 Data redundancy
All data is protected with geographically redundant backups.
3 LIST OF SUB-PROCESSORS APPROVED BY DATA CONTROLLER
| Name and/or reg. no | Location of Processing | Types of Processing | Transfer mechanism for third country transfers |
| Microsoft Azure | EU (Sweden) | Storage | N/A |
Version: 1.0 (2025-12-09)