Agreement on Personal Data Processing

between

The Personal Data Controller “The Customer” and

the Personal Data Processor: Ngenic AB
Corporate identity number: 556817-4790
Country of establishment: Sweden

“The Personal Data Processor” refers to Ngenic AB for the services specified in Ngenic AB General Terms and Conditions, section 1, General provisions. The “Personal Data Controller” refers to the Customer. Ngenic’s contact person for general questions about the agreement and Ngenic’s processing of personal data is presented at https://ngenic.se/en/data-protection/.


1. Introduction

1.1 Both Parties confirm that the undersigned are authorised to enter into this Agreement on Personal Data Processing (the “Agreement”), which is an integrated part of the service agreement(s) entered into between the Parties (the “Service Agreement”). This Agreement regulates the Processing of Personal Data for any applicable Service Agreement.

1.2 Ngenic acts in accordance with Ngenic’s Privacy Statement, which is available at https://ngenic.se/en/data-protection/.


2. Definitions

2.1 The definitions of Personal Data, Special Categories of Personal Data (Sensitive Personal Data), Personal Data Processing, Data Subject, Personal Data Controller and Personal Data Processor are the same as used in applicable data protection laws, including the General Data Protection Regulation (GDPR) applying to this Agreement and in Europe as of 25 May 2018, and any applicable national legislation supplementing this, collectively referred to below as “Applicable Data Protection Regulations”.

2.2 In this appendix, the Personal Data Controller is referred to as the “Customer” or the “Party”, and the Personal Data Processor is referred to as “Ngenic” or as the “Party”, and these are collectively referred to as the “Parties”.


3. Scope

3.1 The Agreement regulates Ngenic’s Processing of Personal Data on the Customer’s behalf and describes how Ngenic shall ensure data protection, through technical and organisational measures in accordance with Applicable Data Protection Regulations.

3.2 The purpose of Ngenic’s Personal Data Processing on the Customer’s behalf is to fulfil its obligations under the Service Agreement.

3.3 This Agreement supersedes any contradictory provisions about Personal Data Processing in Service Agreements or in other agreements entered into between the Parties.


4. Ngenic’s obligations

4.1 Ngenic may process Personal Data only by commission from and in accordance with the Customer’s written instruction. By entering into this Agreement, the Customer instructs Ngenic to Process Personal Data in the following ways:
i) only in accordance with applicable law,
ii) to fulfil all obligations under the Service Agreement,
iii) as further specified by the Customer’s normal use of Ngenic’s services and
iv) in the manner specified in this Agreement.

4.2 Ngenic has no reason to believe that there is any legislation preventing Ngenic from complying with the above instruction. In the event that Ngenic becomes aware that the Customer’s instruction or Processing breaches Applicable Data Protection Regulation, Ngenic shall notify the Customer.

4.3 The categories of Data Subjects and Personal Data that are in scope for Processing are specified in this Agreement.

4.4 Ngenic shall safeguard the confidentiality, privacy and accessibility of the Personal Data in accordance with Applicable Data Protection Regulation. Ngenic shall take systematic, organisational and technical measures to ensure an appropriate level of security, taking into consideration the latest technology and implementation costs in relation to the risk that the Processing entails, and the type of Personal Data that is being protected.

4.5 Ngenic shall support the Customer with appropriate technical and organisational measures to the fullest extent possible, considering the type of Processing and the information available to Ngenic, to fulfil the Customer’s obligations under Applicable Data Protection Regulation relating to Data Subject requests and general data protection under articles 32-36 of the General Data Protection Regulation.

4.6 If the Customer needs information about security measures, documentation or other information about how Ngenic Processes the Personal Data, and such requests require more information than the standard disclosures provided by Ngenic in accordance with their obligations as a Personal Data Processor under the Applicable Data Protection Regulations, and this results in added labour for Ngenic, Ngenic may charge the Customer for such additional services.

4.7 Ngenic and its staff shall ensure the confidentiality of Personal Data being Processed under this Agreement. This condition shall continue to apply even after this Agreement has ceased to be in force.

4.8 Ngenic shall notify the Customer expeditiously and without undue delay of personal data incidents, so as to enable the Customer to meet the statutory requirements that apply to informing relevant data protection authorities and Data Subjects about such incidents.

4.9 Moreover, Ngenic shall, to the extent practically possible and legally permissible, notify the Customer of: i) requests for disclosures of Personal Data that have been received from Data Subjects, and ii) requests from authorities, e.g. the police, about disclosures of Personal Data.

4.10 Ngenic may not directly answer Data Subject Requests without the Customer’s consent. Ngenic may not disclose contents relating to the Agreement to authorities such as the police, including Personal Data, except insofar as such disclosures are legally required, such as following a court decision or similar decision.

4.11 Ngenic cannot control whether and how the Customer chooses to use third party integrations via Ngenic’s API, via direct database connection or similar connections. The responsibility for such third party integrations rests solely with the Customer. Ngenic is not responsible for any processing of Personal Data through such third party integrations.


5. The Customer’s obligations

5.1 By signing this Agreement, the Customer confirms that the Customer:

  • when using the services provided by Ngenic under the Service Agreement, Processes Personal Data in accordance with the requirements in Applicable Data Protection Regulation.
  • has a legal basis to Process and disclose the Personal Data in question to Ngenic (including any sub-processors that Ngenic may use).
  • is solely responsible for the accuracy, privacy, contents, reliability and legality of the Personal Data that has been submitted to Ngenic.
  • has met any mandatory requirements and obligations to notify or receive permits from relevant authorities for the Personal Data Processing.
  • has fulfilled its obligations to provide relevant information to Data Subjects relating to Personal Data Processing under the Applicable Data Protection Regulation.
  • agrees that Ngenic has provided warranties regarding the implementation of technical and organisational security measures that are sufficient to protect the privacy of the Data Subjects and their Personal Data.
  • when using the services provided by Ngenic under the Service Agreement, will not transfer any Sensitive Personal Data, or information that pertains to convictions in criminal cases and offences to Ngenic. If such data is transferred, Ngenic cannot be held liable for the inappropriate processing of such Sensitive Personal Data.
  • shall maintain an up-to-date register of the types and categories of Personal Data that the Customer Processes.


6. The use of sub-processors and transfers of data

6.1 As part of its delivery of the Service to the Customer under the Service Agreement and this Agreement, Ngenic may use subcontractors as sub-processors. Such sub-processors may be fellow subsidiaries of the same group, or external (third party) subcontractors within or outside the EU. Ngenic shall ensure that all subcontractors have contractually consented to take on responsibility corresponding to the obligations specified in this Agreement.

6.2 The current subcontractors that have access to Personal Data are published on Ngenic’s Privacy page, https://ngenic.se/en/data-protection/. These have, through this Agreement, been accepted as sub-processors by the Customer.

6.3 The Customer may at any time request a complete overview and more detailed information about the subcontractors that are involved in delivering the service under the Service Agreement.

6.4 If the Subcontractor is based in a country outside the EU/EEA, Ngenic shall ensure that the Subcontractor can provide an appropriate level of protection for the Processing. The Customer hereby authorises and licenses Ngenic to ensure appropriate legal basis for the transfer of Personal Data outside the EU/EEA on the Customer’s behalf, e.g. by signing standard EU agreement clauses on the Customer’s behalf or transferring Personal Data in accordance with applicable standard terms or the equivalent which have been issued by relevant authorities in the EU or nationally.

6.5 The Customer shall be notified in advance of any changes to subcontractors that Process Personal Data. If a new subcontractor evidently does not comply with Applicable Data Protection Regulation and the subcontractor continues not to comply with Applicable Data Protection Regulation after Ngenic has been provided a reasonable time to ensure that the subcontractor complies with the regulations, the Customer may terminate the agreement. Such termination may entail a right to terminate the Service Agreement, in entirety or in part, in accordance with the termination clauses of the Service Agreement in question. An important part of such assessments shall be to what extent the subcontractor’s Personal Data Processing is a necessary part of the services to be provided under the Service Agreement. A change of subcontractor is not in itself to be construed as a breach of the Service Agreement.

6.6 By signing this Agreement, the Customer accepts that Ngenic uses subcontractors in a way as described above.


7. Security

7.1 Ngenic commits to providing a high degree of security in its products and services. Ngenic provides this level of security using organisational, technical and physical security measures, in accordance with the requirements on information security that are described in article 32 of the General Data Protection Regulation. Moreover, the internal data protection framework used by Ngenic aims to protect the confidentiality, privacy, accuracy and accessibility of Personal Data. The following measures are of particular import in this regard:

  • Classification of Personal Data to ensure the implementation of the security measures corresponding to the assessed risk.
  • Evaluation of use of cryptography and pseudonymisation as risk-reducing factors.
  • Limiting access to Personal Data to those who need access in order to fulfil obligations in this Agreement or in the Service Agreement.
  • Use of systems that detect, recover, prevent and report Personal Data Breaches.
  • Implementation of security analyses to assess the quality of current technical and organisational measures to protect Personal Data, considering the requirements under Applicable Data Protection Regulation.


8. Rights to audit

8.1 The Customer retains a right to conduct an annual audit of Ngenic’s fulfilment of the conditions in the Agreement. The Customer may request audits more frequently if required by legislation. As Ngenic AB’s services constitute multi-user environments, the Customer authorises Ngenic, for security reasons, to decide that this audit shall be conducted by a neutral third-party auditor of Ngenic’s choosing.

8.2 If the area subject to a requested audit is taken up in an ISAF, ISO or similar audit report that has been prepared by a qualified third-party auditor during the preceding twelve months, and Ngenic confirms that there are no known material changes to the measures that were audited, the Customer accepts this audit report in lieu of requesting a new audit of measures already audited.

8.3 If the Customer does not accept the neutral third-party auditor selected by Ngenic, the Customer together with Ngenic may choose another neutral third-party auditor.

8.4 The Customer is liable for any costs arising in connection with requested audits. Help from Ngenic exceeding the standard service provided by Ngenic and/or Ngenic’s subcontractors to comply with Applicable Data Protection Regulation will be charged.


9. Term and termination

9.1 This Agreement is in force as long as Ngenic Processes Personal Data on behalf of the Customer under an applicable Service Agreement.

9.2 The Agreement automatically terminates when the Service Agreement ceases to be in force. When the Agreement terminates, Ngenic will delete or return Personal Data that was Processed on behalf of the Customer, in accordance with applicable clauses in the applicable Service Agreement. If not otherwise agreed in writing, the costs for such measures will be based on:
i) an hourly rate for Ngenic’s time and
ii) the complexity of the requested process.

9.3 Ngenic may retain Personal Data after the end of the Agreement to the extent that this is required by law, with the same type of technical and organisational security measures as are described in this Agreement.


10. Liability

10.1 Liability for breaches of the terms in this Agreement shall be regulated by the liability clauses of each Service Agreement between the Parties. This also applies for any breaches committed by Ngenic’s subcontractors.


11. Applicable law and jurisdiction

11.1 This Agreement is subject to applicable law and the jurisdiction as specified in the Service Agreement between the Parties.


12. Categories of Personal Data and Data Subjects

12.1 As Ngenic’s services enable the Customer to arbitrarily Process Personal Data within the services, it is not possible to generally present the categories of Data Subjects and Personal Data that are subject to such Processing. It is the responsibility of the Customer to keep a register of this information.

12.2 The Customer may not transfer Sensitive Personal Data to Ngenic. If such data is transferred, Ngenic cannot be held liable for the inappropriate processing of such Sensitive Personal Data. Sensitive Personal Data are defined in Applicable Data Protection Regulation as:

  • racial or ethnic origin, political views, religious or philosophical conviction,
  • information about health,
  • information about a person’s sexual life or sexual orientation, membership in trade unions,
  • genetic information or biometric information serving to unambiguously identify a physical person.

12.3 The Customer may also not transfer Personal Data relating to convictions in criminal cases and breaches of the law.


13. Overview of current subcontractors

The current subcontractors of Ngenic that have access to the Customer’s Personal Data are presented at https://ngenic.se/en/data-protection/.