TERMS AND CONDITIONS FOR PROCESSING OF PERSONAL DATA

Background

These are our terms and conditions for processing personal data within the scope of our services. This document forms an annex to our general terms and conditions, which are available at https://inyett.com/terms-general. By agreeing to our terms and conditions, you also accept these terms and conditions for our processing of personal data. The purpose of the terms and conditions is to safeguard the rights and freedoms of the Data Subject in the Processing, as stipulated in the General Data Protection Regulation EU 2016/679 (the ”Data Protection Regulation”), Art. 28.3.

Definitions

The Agreement: The quotation or document signed by both parties that shows the Parties’ agreement together with the annexes specified therein, including the general terms and conditions and thereby also these terms and conditions for processing personal data.

Processing: An action or combination of actions relating to Personal Data or sets of Personal Data, regardless of whether or not they are carried out automatically, such as collection, registration, storage or amendment, reading, use, issue, dissemination or deletion or destruction.

Data Protection Legislation: Means all privacy and personal data legislation and all other legislation (including ordinances and regulations) that is applicable to the personal data processing that takes place under this Agreement, including national legislation and EU legislation.

Instructions: The written instructions specifying in more detail the object, duration, nature and purpose, type of Personal Data and categories of Data Subject and specific needs covered by the Processing. Initial instructions are provided in the paragraph entitled ”Instructions for processing”.

Logging: Logging is a continuous collection of information on the Processing of Personal Data that takes place within the context of the Agreement and that can be linked to an individual natural person.

Personal Data Controller: A natural person or legal entity, public authority, institution or other body that, alone or with others, determines the purpose of and means for Processing of Personal Data.

Personal Data Processor: A natural person or legal entity, public authority, institution or other body that Processes Personal Data on behalf of the Personal Data Controller.

Personal Data Breach: A breach of security that leads to unintentional or unlawful destruction, loss, alteration or unauthorised disclosure of or unauthorised access to Personal Data that is being transferred, stored or otherwise Processed.

Data Subject: A natural person whose Personal Data is Processed.

Third Country: A State that is not part of the European Union (EU) and is not a member of the European Economic Area (EEA).

Sub-Processor: A natural person or legal entity, public authority, institution or other body that Processes Personal Data on behalf of the Personal Data Controller in the capacity of a subcontractor of the Personal Data Processor.

  1. Processing of personal data
    1. Within the framework of the performance of the Agreement, the Supplier may process personal data on behalf of the Customer and on the Customer’s instructions. During such processing, the Supplier will be considered as a personal data processor and the Customer is considered as the personal data controller. These terms and conditions for processing personal data govern the processing of personal data by the personal data processor on behalf of the personal data controller. In the event that a provision of these terms and conditions for processing personal data is contrary to the Agreement in general, the Agreement in general will take precedence over the provision of these terms and conditions for processing personal data unless otherwise specified in the provision and unless this leads to a manifestly unreasonable outcome.
    2. References in these terms and conditions to provisions, to other information affecting the application of the terms and conditions, and to legislation (including ordinances and regulations) refer to the version applicable at any given time.
    3. The Personal Data Controller must provide written instructions for the Personal Data Processor on how to carry out the Processing. Initial instructions are contained in the Paragraph entitled ”Instructions for processing”.
    4. The Personal Data Processor may only carry out the Processing in accordance with the Agreement, the Data Protection Legislation and Instructions applicable at any given time.
  2. The Personal Data Controller’s responsibilities
    1. The Personal Data Controller is responsible for ensuring that there is a legal basis for the Processing at any given time and for designing correct Instructions so that the Personal Data Processor and the Sub-Processor are able to fulfil its/their duties in accordance with these terms and conditions for processing personal data and the Agreement in general.
    2. The Personal Data Controller must inform the Personal Data Processor without undue delay of any changes in the Processing that affect the Personal Data Processor’s obligations in accordance with the Data Protection Legislation.
    3. The Personal Data Controller is responsible for informing Data Subjects of the Processing and for safeguarding the rights of Data Subjects in accordance with the Data Protection Legislation and for adopting any other measure incumbent on the Personal Data Controller in accordance with the Data Protection Legislation.
  3. The Personal Data Processor’s undertakings
    1. The Personal Data Processor undertakes to:

      a) only carry out the Processing in accordance with the Agreement and Instructions and to comply with the Data Protection Legislation;

      b) keep itself informed at all times of the applicable law in this area;

      c) adopt measures to protect the Personal Data against all types of Processing that are inconsistent with the Agreement, Instructions and the Data Protection Legislation;

      d) ensure that all natural persons working under its management comply with the Agreement and Instructions and that the natural persons are informed of relevant legislation;

      e) at the request of the Personal Data Controller, assist it in ensuring that the obligations in accordance with the General Data Protection Regulation, Art. 32–36 are fulfilled and respond to requests for exercise of the Data Subject’s rights in accordance with Chapter III of the Data Protection Regulation, taking into consideration the type of Processing and the information available to the Personal Data Processor;

      f) in the event that the Personal Data Processor finds that Instructions are unclear, are contrary to the Data Protection Legislation or are missing and the Personal Data Processor considers that new or supplementary Instructions are necessary in order to meet its obligations, the Personal Data Processor must inform the Personal Data Controller without delay, temporarily cease the Processing and await new Instructions;

      g) in the event that the Personal Data Controller provides the Personal Data Processor with new or amended Instructions, the Personal Data Processor must, without undue delay from when it receives them, notify the Personal Data Controller of whether the implementation of the new Instructions leads to a change in costs for the Personal Data Processor.

  4. Security measures
    1. The Personal Data Processor must adopt all technical and organisational security measures required to prevent Personal Data Breaches by ensuring that the Processing complies with the requirements of the Data Protection Regulation and that the Data Subject’s rights are protected.
    2. The Personal Data Processor must continually ensure that the technical and organisational security associated with the Processing entails an appropriate level of confidentiality, integrity, availability and resilience.
    3. Any additional or amended requirements for protective measures issued by the Personal Data Controller after the parties have signed the Agreement must be considered as new Instructions for processing personal data.
    4. The Personal Data Processor must, by means of an authorisation control system, only provide access to the Personal Data for the natural persons working under the management of the Personal Data Processor and who require access to enable them to perform their duties.
    5. The Personal Data Processor undertakes to continually Log access to the Personal Data in accordance with the Agreement to the extent required in accordance with the Instructions. Logs may only be purged (thinned out) five (5) years after the time of Logging, unless otherwise specified in the Instructions. Logs must be subject to necessary protective measures in accordance with the Data Protection Legislation.
    6. The Personal Data Processor must systematically test, examine and evaluate the effectiveness of the technical and organisational measures to ensure the security of the Processing.
  5. Confidentiality & professional secrecy
    1. The Personal Data Processor and all natural persons working under its management must observe both confidentiality and professional secrecy in the Processing. The Personal Data may not be used or disseminated for other purposes, either directly or indirectly, unless otherwise agreed.
    2. The Personal Data Processor must ensure that all natural persons working under its management who are involved in the Processing are bound by a confidentiality undertaking in relation to the Processing. This is not required if they are already covered by a statutory duty of professional secrecy that is subject to legal sanctions. The Personal Data Processor also undertakes to ensure that there is a confidentiality agreement with the Sub-Processor and confidentiality undertakings between the Sub-Processor and all the natural persons working under its management who participate in the Processing.
    3. The Personal Data Processor must promptly inform the Personal Data Controller of any contact with a supervisory authority regarding the Processing. The Personal Data Processor is not entitled to represent the Personal Data Controller or act on behalf of the Personal Data Controller before supervisory authorities in matters regarding the Processing.
    4. If the Data Subject, supervisory authority or a third party requests information from the Personal Data Processor which relates to the Processing, the Personal Data Processor must inform the Personal Data Controller of the matter. Information on the Processing may not be provided to the Data Subject, a supervisory authority or a third party without prior consent in writing from the Personal Data Controller, unless it is clearly stated by an imperative law that information must be provided. The Personal Data Processor must help procure the information covered by consent or a legal requirement.
  6. Inspection, transparency and auditing
    1. The Personal Data Processor must provide, without undue delay, at the request of the Personal Data Controller, the information on technical and organisational security measures that the Personal Data Controller needs to enable it to establish that the Personal Data Processor is complying with its obligations under the Agreement and the Data Protection Regulation, Art. 28.3(h).
    2. The Personal Data Processor undertakes, on at least one (1) occasion a year, to inspect the security of the Processing through self-monitoring in order to ensure that the Processing complies with the Agreement. The Personal Data Controller must be informed of the result of such self-monitoring on request.
    3. The Personal Data Controller is entitled, either itself or through a third party appointed by it (which may not be a competitor of the Personal Data Processor), to monitor the Personal Data Processor’s compliance with requirements imposed by the Agreement, the Instructions and the Data Protection Legislation. In the event of such an inspection, the Personal Data Processor must assist the Personal Data Controller or the person that carries out the inspection in the Personal Data Controller’s place with documentation, access to premises, IT systems and other assets required to enable it to inspect the Personal Data Processor’s compliance. The Personal Data Controller must ensure that personnel carrying out the inspection are subject to confidentiality or professional secrecy by law or in accordance with an agreement.
    4. The Personal Data Processor is entitled, as an alternative to the provisions set out in paragraphs 6.2–6.3, to offer other procedures for inspection of the Processing, such as an inspection carried out by an independent third party. In such a case, the Personal Data Controller will have a right but not an obligation to apply this alternative approach to inspection. In the case of such an inspection, the Personal Data Processor must provide the Personal Data Controller or a third party with the assistance required to carry out the inspection.
    5. The Personal Data Processor must inform the supervisory authority or other authority legally entitled to carry out the inspection, of the possibility of carrying out an inspection at the request of the authority in accordance with the legislation in force at any given time, even if such an inspection would otherwise be contrary to the provisions of the Agreement.
    6. The Personal Data Processor must safeguard the rights of the Personal Data Controller vis-à-vis the Sub-Processor which correspond to all rights of the Personal Data Controller vis-à-vis the Personal Data Processor in accordance with Chapter 6 of the terms and conditions for processing personal data.
  7. Dealing with corrections and erasure, etc.
    1. In the event that the Personal Data Controller has requested correction or erasure on the basis of incorrect Processing by the Personal Data Processor, the Personal Data Processor must take the appropriate action without undue delay, no later than within thirty (30) days from the date when the Personal Data Processor received necessary information from the Personal Data Controller. When the Personal Data Controller has requested erasure, the Personal Data Processor may only carry out Processing of the Personal Data in question as part of the erasure process.
    2. If technical and organisational measures (e.g. upgrades or troubleshooting) are adopted by the Personal Data Processor in the Processing and may be expected to affect the Processing, the Personal Data Processor must inform the Personal Data Controller in writing in accordance with the provisions on notices in the Agreement. The information must be provided in good time before the measures are adopted.
  8. Personal data breaches
    1. The Personal Data Processor must have the ability to restore the availability of and access to the Personal Data within a reasonable time in the case of a physical or technical breach in accordance with the Data Protection Regulation, Art. 32.1(c).
    2. The Personal Data Processor undertakes, taking into account the nature of the Processing and the information available to the Personal Data Processor, to provide assistance to the Personal Data Controller to fulfil its obligations in the event of a Personal Data Breach in relation to the Processing. The Personal Data Processor must also provide assistance, at the Personal Data Controller’s request, to investigate suspicions of any Processing and/or access to the Personal Data by unauthorised persons.
    3. In the event of Personal Data Breaches of which the Personal Data Processor has become aware, the Personal Data Processor must inform the Personal Data Controller of the incident in writing without undue delay. The Personal Data Processor, taking into account the type of Processing and the information that the Personal Data Processor has available, must provide the Personal Data Controller with a written description of the Personal Data Breach. The description must describe:

      1. the nature of the Personal Data Breach and, if possible, the categories and number of Data Subjects affected and the categories and number of personal data items affected,

      2. the likely consequences of the Personal Data Breach, and

      3. measures that have been adopted or proposed and measures to mitigate the potential adverse effects of the Personal Data Breach.

    4. If it is not possible for the Personal Data Processor to provide the full description in accordance with paragraph 8.3 of the Agreement at the same time, the description may be provided in batches without undue further delay.
  9. Sub-Processor
    1. The Personal Data Processor is fully liable vis-à-vis the Personal Data Controller for Processing by the Sub-Processor.
    2. The Personal Data Processor is entitled to engage a new sub-processor. When the Personal Data Processor intends to engage a new sub-processor, the Personal Data Processor must inform the Personal Data Controller in writing and guarantee the Sub-Processor’s capacity and ability to fulfil its obligations under the Data Protection Legislation. The Personal Data Processor must notify the Personal Data Controller in writing of

      – the Sub-Processor’s name, organisation registration number and registered office (address and country);

      – the type of data and categories of Data Subjects processed, and

      – where the Personal Data will be processed.

    3. The Personal Data Processor is entitled to terminate the Sub-Processor’s engagement. When the Personal Data Processor terminates the Sub-Processor’s engagement, the Personal Data Processor must notify the Personal Data Controller in writing that it is terminating the Sub-Processor’s engagement.
    4. The Personal Data Processor undertakes to sign a written personal data processing agreement with the new Sub-Processor and ensure that the new Sub-Processor is subject to the same obligations as those imposed on the Personal Data Processor under this Agreement.
    5. The Personal Data Processor must send, at the request of the Personal Data Controller, a copy of the personal data processing agreement signed by the Personal Data Processor with the Sub-Processor.
    6. The Personal Data Controller is entitled to object to the Personal Data Processor’s engagement of a Sub-Processor within five (5) days from when the Personal Data Controller received the Personal Data Processor’s notice to that effect. The Personal Data Processor may not engage the selected Sub-Processor if the Personal Data Controller has put forward reasonable objections.
    7. The Parties agree that the Personal Data Controller, by signing this Agreement, may be considered to be informed and agrees that the Personal Data Processor intends to engage the Sub-Processors listed in the paragraph entitled ”Sub-Processors approved by the Personal Data Controller”.
  10. Localisation and transfer of personal data to a third country
    1. The Personal Data Processor must ensure that the Personal Data is processed and stored within the EU/EEA by a natural person or legal entity established within the EU/EEA, unless otherwise agreed by the Parties to the Agreement.
    2. The Personal Data Processor is only entitled to transfer Personal Data to a Third Country for Processing (e.g. service, support, maintenance, development, operation or similar processing) if the Personal Data Controller has approved such transfer in writing in advance and issued instructions for that purpose.
    3. Transfer to a Third Country for Processing in accordance with paragraph 10.2 may only take place if it is consistent with the Data Protection Legislation and meets the requirements for Processing as set out in the Agreement and Instructions.
  11. Liability for damage in connection with processing
    1. In the case of compensation for damage in connection with Processing which is payable to the Data Subject through an established judgment or settlement due to a breach of a provision of the Agreement, Instructions and/or applicable provision of the Data Protection Legislation, Art. 82 of the Data Protection Regulation must be applied.
    2. Penalty fees in accordance with the Data Protection Regulation, Art. 83, or Act (2018:218) with supplementary provisions to the EU Data Protection Regulation, Chapter 6, section 2 must be paid by the party to the Agreement that has had such a fee imposed on it.
    3. If either Party becomes aware of any circumstance that may lead to damage to the other party, that Party must immediately inform the other Party of the circumstance and actively work with the other Party to prevent and minimise such damage.
    4. Notwithstanding the contents of the provisions of the Agreement in general, paragraphs 11.1 and 11.2 take precedence over other rules on allocation between the Parties of claims between themselves in relation to the Processing.
  12. Term of validity
    1. The terms and conditions for processing personal data apply from the moment when the Agreement is signed by both parties and until further notice as long as the Personal Data Processor processes personal data on behalf of the Personal Data Controller.
  13. Changes, etc.
    1. Either party to the Agreement is entitled to call for renegotiation of these terms and conditions for processing personal data if the other party’s ownership structure changes significantly or if applicable legislation, or the interpretation thereof, is changed in a manner that is decisive for the Processing. A request for renegotiation in accordance with the first sentence does not mean that the Agreement will cease to apply to any extent, but merely that a renegotiation of the terms and conditions for processing personal data will commence.
    2. When one of the Parties becomes aware that the other Party is acting in breach of the terms and conditions for processing personal data, Instructions and/or Data Protection Legislation, the Party must notify the other Party of the conduct without delay.
  14. Actions when the Agreement ceases
    1. Upon termination of the Agreement, the Personal Data Controller must ask the Personal Data Processor without undue delay to hand over all Personal Data to the Personal Data Controller or delete it, according to its wishes. If the Personal Data is handed over, this must take place in an open and standardised format. All Personal Data means all Personal Data that has been subject to the Processing and other related data such as Logs, Instructions, system solutions, descriptions and other documents received by the Personal Data Processor through exchange of information under the Agreement.
    2. The handover and deletion in accordance with paragraph 14.1 must be carried out no later than thirty (30) days from the date when the Agreement ceases to apply in accordance with paragraph 12.1.
    3. Processing carried out by the Personal Data Processor after the date stipulated in paragraph 14.2 must be regarded as unlawful Processing.
    4. The provisions on confidentiality/professional secrecy in the Agreement will continue to apply even if the Agreement otherwise ceases to apply.
  15. Contact persons and notices
    1. The Parties must each appoint a contact person for the Agreement.
    2. Notices on the Agreement and its administration must be sent to each Party’s contact person.
    3. Notices within the framework of the Agreement and Instructions must be sent in writing. A notice must be considered to have reached the recipient no later than one (1) working day after the notice was sent.
    4. Each Party is responsible for ensuring that the information specified in the Quotation and in Annexes is always up-to-date. Changes to the above information must be communicated in writing in accordance with paragraph 15.3.
  16. Instructions for Processing
    Except as provided in the Agreement, the following Instructions must apply and be taken into consideration by the Personal Data Processor when carrying out the Processing.
    Purpose: The Processing may only be carried out for the purpose of providing the services set out in the Main Agreement, i.e. mainly for the purpose of processing Personal Data in order to securely identify companies and private individuals in order to detect double payments, payments to fake companies, payments to companies not registered for Swedish Company Tax, payments to companies that have debts with the Swedish Enforcement Service, deviating payment patterns and payments exceeding a set limit. The Personal Data may not be processed or used by the Personal Data Processor for its own or any other purpose.
    Types of processing: The Personal Data Processor may use the types of processing of personal data that are necessary to provide the services set out in the Main Agreement, including registration, organisation, storage, amendment, use and/or erasure.
    Types of personal data: The Personal Data Processor may only process the following types of personal data: name and surname, customer number, personal identity number, address, telephone number, e-mail address. The Personal Data Processor may also process other personal data if necessary to provide the services set out in the Main Agreement.
    Categories of data subject: The Processing must only include employees, customers and suppliers provided by the Personal Data Controller.
    Duration of the processing: The Personal Data must be erased by the Personal Data Processor when the Agreement ceases in accordance with the provisions of the Agreement. Personal Data must also be erased by the Personal Data Processor on a case-by-case basis in accordance with the Personal Data Controller’s written instructions.
    Place for processing: The Processing may only be carried out within the EU on infrastructure over which the Personal Data Processor has direct or indirect control (i.e. through approved Sub-Processors).
  17. Sub-Processors approved by the Personal Data Controller

    The Personal Data Controller approves and is informed that the Personal Data Processor engages the following Sub-Processors in accordance with paragraph 9.7 of the terms and conditions for processing personal data.

    IT Gården AB; 556571-3806, Landskrona, Sweden
    Provides and operates Inyett’s server environment: databases, applications and other peripheral services.

    SMS Teknik AB; 556644-7784, Munkedal, Sweden
    Used as a sub-processor to enable passwords to be securely sent by text message to the users of the service.

    ZignSec; 559016-5261, Solna, Sweden
    Used as a sub-processor to enable the users to select log-in via BankID/Mobile BankID.