Data Processing Agreement
Updated: 2023-10-25
Welcome to our Data Processing Agreement
This Data Processing Agreement (“DPA”) and its annexes, including links, governs the Processing of Personal Data by GetAccept AB, 559023-1402, as a Processor, on behalf of Customer or Customer Affiliates, as applicable and as defined in the Main Agreement, including our Terms, which can be found at https://www.getaccept.com/terms.html.
Contact information for the responsible GetAccept party: legal@getaccept.com
Preamble
(A) This data processing agreement (“Agreement”) applies to all activities where the Processor processes personal data on behalf of the Controller, as required by Article 28 (3) of the GDPR, in connection with the GetAccept Service, including any sub-agreements and similar concluded thereunder (“Main Agreement“).
(B) The Processor uses the personal data of the Controller solely in the interest and on behalf of the Controller.
(C) If the Processor is also providing services and/or products under the Agreement to the Controller’s Affiliates, or otherwise gains access to the Affiliate’s data relating to identified or identifiable natural person(s) for the purposes of fulfilling the Main Agreement, such data shall be regarded as Personal Data and this Agreement shall be applicable to the Processor’s processing of such Personal Data. Such Affiliates have the same rights and obligations as the Controller under this Agreement.
(D) This Agreement is an integral part of the Main Agreement. In the event of any conflict between the terms of the Main Agreement and the terms of this Agreement, this Agreement shall prevail with respect to the subject matter of this Agreement.
1. Definitions
1.1 Affiliate: Companies (a) directly or indirectly owning or controlling the Controller; or (b) under the same direct or indirect ownership or control as the Controller; or (c) directly or indirectly controlled by the Controller. Ownership or control shall be understood to exist through direct or indirect ownership of fifty percent (50%) or more of the nominal value of the issued equity share capital or of fifty percent (50%) or more of the shares entitling the holders to vote for the election of the members of the board of directors or persons performing similar functions, or the minimum share entitling to control prescribed in applicable legislation in such jurisdictions where ownership of fifty percent (50%) or more would not be possible.
1.2 Commissioned Processing of Personal Data: Commissioned Processing of Personal Data is the access to Personal Data by the Processor as well as collection, modification, transfer, blocking, deletion, storing, hosting or any other type of processing of Personal Data by the Processor on behalf of the Controller in connection with the Main Agreement and as further specified under this Agreement.
1.3 Data Subject: An individual whose Personal Data is being processed by the Processor under this Agreement and the Main Agreement.
1.4 Instruction: The Processor shall process Personal Data in accordance with the Controller’s written instructions. The initial instructions derive from Section 2 of this Agreement; the Controller can change, amend or replace these initial instructions by single instructions in writing at any time.
1.5 Personal Data: Personal Data means any information relating to an identified or identifiable natural person(s) as defined in the applicable data protection laws, and that is subject to Commissioned Processing of Personal Data.
1.6 Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2. Scope of the Commissioned Processing
2.1 The Processor shall process or otherwise use Personal Data solely on behalf of the Controller and according to the Controller’s instructions as set out in Section 2 and the requirements of the applicable data protection laws. The Document Data is processed and stored in the EU at selected data centers (e.g. Frankfurt, Stockholm). For the application with its metadata, we have redundancy between the US / EU depending on where the user is located to guarantee a fast system regardless of geography.
2.2 The scope, manner and purpose of the collection, processing and use of the Personal Data under this Agreement are defined as follows:
| Categories of subject | Type of personal data | Scope of use & purpose | Sensitive data |
| --- | --- | --- | --- |
| Customers, clients and recipients | Name, email, mobile number, address, IP-information. | Signing of contracts and account management | |
| Partners | Name, email, mobile number, address, IP-information. | Signing of contracts | |
| Employees | Name, email, mobile number, address, IP-information. | Signing of employee contracts | Yes, if salary is applied on contract. |
3. Obligations of the Processor
3.1 The Processor shall only collect, process or utilise Personal Data of the Controller in accordance with the Instructions of the Controller and applicable laws and not for other own purposes or purposes of third parties. The Controller shall confirm any oral instructions in writing or via email to legal@getaccept.com. Where the Processor believes that compliance with any Instructions by the Controller would result in a violation of applicable law on data protection, the Processor shall immediately notify the Controller thereof.
3.2 The Processor shall ensure, within its area of responsibility, the implementation of and compliance with technical and organisational measures. In particular, the Processor shall take such technical and organisational measures to protect the Personal Data of the Controller against accidental, unlawful or unauthorised destruction, loss, alteration, disclosure and access as well as against other events that endanger the security, confidentiality or integrity of the Personal Data, appropriate to the risk of varying likelihood and severity for the rights and freedoms of natural persons. This includes, inter alia and as appropriate, the following measures:
- The pseudonymisation and encryption of personal data,
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing,
- Taking steps to ensure that any natural person acting under the authority of the processor who has access to commissioned personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law,
- To prevent unauthorised persons from gaining access to data processing systems with which Personal Data is processed or used,
- To prevent data processing systems from being used without authorisation,
- To ensure the availability and resilience of processing systems and services.
The Processor shall in particular ensure a strict separation between the Personal Data of the Controller, the Processor’s own data, and data of third parties.
3.3 The Processor shall inform the Controller in the event of (i) substantial disruptions of the service, (ii) possible infringements of applicable data protection laws or of this Agreement by itself, its employees or third parties, and (iii) any other irregularity in relation to the processing of the Controller’s Personal Data.
3.4 The Processor shall inform the Controller if the Personal Data of the Controller will be at risk on the site of the Processor by distrainment, seizures, insolvency or bankruptcy measures or by any other activities or measures of third parties. The Processor shall inform all people responsible in this context that the Personal Data are under the sovereignty of the Controller.
3.5 All data storage media, if any, and all copies or reproductions thereof shall remain the property of the Controller. The Processor shall store them carefully without granting access to third parties. The Processor shall at any time give information to the Controller relating to its Personal Data and materials. According to the Controller’s individual orders, the Processor shall be responsible for the erasure of test or excess data and materials in compliance with data protection requirements, except in certain cases, to be defined by the Controller, where storage and/or disclosure of the test or excess data shall be performed.
4. Notification obligation
4.1 In case of a Personal Data Breach, the Processor shall, without undue delay and in any case within 48 hours after having become aware of the Personal Data Breach, notify the Controller of the Personal Data Breach in writing. The notification must, to the extent such information is available to the Processor: (i) describe the nature of the Personal Data Breach including the categories and number of Data Subjects concerned and the categories and number of data records concerned; (ii) communicate the identity and contact details of the data protection officer of the Processor or other contact point where more information can be obtained; (iii) recommend measures to mitigate the possible adverse effects of the Personal Data Breach; (iv) describe the consequences and potential risk to the Data Subjects due to the Personal Data Breach; (v) describe the measures proposed or taken by the Processor to address the Personal Data Breach; and (vi) provide any other information reasonably required in order for the Controller to comply with its own data protection requirements, including duties of notification and disclosure in relation to public authorities.
4.2 The Processor shall, without undue delay after becoming aware of any further details surrounding the Personal Data Breach, supplement the notification described above in Section 4.1 as well as provide the Controller with any other information relating to the respective Data Breach as reasonably requested by the Controller and available to the Processor.
4.3 The Processor will document any Personal Data Breaches, comprising the facts surrounding the breach, its effects and the remedial actions taken. This Documentation must enable the supervisory authority to verify compliance with this Section 4. The Documentation will only include information necessary for such purpose, and shall be marked as confidential.
5. Confidentiality
5.1 Each Party shall keep confidential all material and information, including but not limited to Personal Data, marked as confidential or that should be understood to be confidential, regardless of whether personal, technical, financial or commercial and received in whatever form from the other Party (‘Confidential Information’). A Party shall have the right to:
(a) use Confidential Information only for the purposes of this DPA and the Agreement;
(b) copy Confidential Information only to the extent necessary for the purposes of this DPA and the Agreement; and
(c) disclose Confidential Information only to those of its employees, subcontractors or advisors that need the Confidential Information for the purposes of this DPA and the Agreement. The disclosing Party is responsible for ensuring that the parties that receive Confidential Information comply with the terms relating to confidentiality agreed in this DPA.
5.2 Except for personal data, the confidentiality obligations set out in this Clause 5 shall not, however, be applied to any material or information (i) that was in the possession of the receiving Party prior to receipt of the same from the other Party without any obligation of confidentiality related thereto; or (ii) that is generally available or otherwise public, other than if it is public through a breach of this DPA or the Agreement on the part of the receiving Party; or (iii) that a Party has received from a third party without any obligation of confidentiality; or (iv) that a Party has independently developed without using any material or information received from the other Party; or (v) that a Party is obliged to disclose pursuant to Law or other order issued by a Supervisory Authority.
5.3 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Agreement or when the respective Party no longer needs the Confidential Information in question for the purposes of this DPA and/or the Agreement and shall return the material in question (including all copies thereof). Each Party shall, however, be entitled to retain copies as and to the extent required by the applicable law.
5.4 Each Party guarantees the observance and proper performance of this DPA by its personnel and advisors to whom Confidential Information may be disclosed pursuant to this Clause 5. The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.5 The confidentiality obligations set out in this Clause 5 shall survive any termination or cancellation of this DPA or the Agreement.
6. Obligations of the Controller
6.1 The Controller shall collect, process, and utilize Personal Data in accordance with applicable laws.
7. Obligation to Assist
7.1 The Processor shall duly assist and cooperate with the Controller to allow the Controller to comply with its obligations under (i) applicable law, inter alia pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor, (ii) the rights of data subjects and (iii) requests or notices served by public authorities on Company in relation to the Services, the Personal Data or the Processing activities performed under this Data Processing Agreement. The Controller shall reimburse any reasonable costs incurred by the Processor in connection with the fulfilment of these duties. In case the inquiries relate to the duties of the Processor, the Processor shall assist the Controller free of charge.
8. Control Rights and Certificates
8.1 The Controller may itself – or with a third party being subject to statutory professional confidentiality obligations – carry out an audit at the Processor’s establishment, during the usual business hours and without disturbing the Processor’s business processes, to convince itself of the Processor’s compliance with the technical and organisational measures, this Agreement and data protection laws. The Processor shall tolerate such audit and shall comprehensively support the Controller in such audit. Furthermore, the Processor shall provide to the Controller, upon written request, within a reasonable period all information which is necessary to carry out a comprehensive review of the Commissioned Processing of Personal Data and release those persons from their confidentiality obligations vis-à-vis the Controller for the purpose of the audit. However, the Processor is not obliged to disclose business and trade secrets, operational know-how and other data being protected by law, such as data of other controllers, within such an audit. Controls and audits shall be announced at least four (4) weeks in advance and shall be coordinated with the Processor. Any costs of such controls and audits, including possible costs of the Processor, shall be borne by the Controller.
8.2 In the event of an audit or an information request from a regulatory authority supervising the Controller’s business, the Processor shall assist the Controller in answering the request and organising the audit. The Processor shall always allow any such regulatory authority to conduct audits of the Processor’s operations. Each Party shall bear its own costs in connection with audits initiated by such regulatory authority.
8.3 In case an audit reveals that the Processor has breached this Agreement, relevant provisions of the Main Agreement and/or the applicable data protection laws and such breach is considered more than just a minor breach, the Processor shall bear all costs of the respective audit. The Processor shall take, at its own cost, all corrective actions in case of all identified breaches.
9. International transfers
9.1 Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject and shall take place in compliance with Chapter V of the GDPR.
9.2 The Controller agrees that where the Processor engages a sub processor in accordance with Clause 10 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the sub processor can ensure compliance by GetAccept. GetAccept complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. GetAccept and its US based sub-processors have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. GetAccept has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. To learn more about the Data Privacy Framework (DPF) Program, and to view certifications, please visit https://www.dataprivacyframework.gov/
9.3 At the request of the Controller, the Processor shall provide a copy of the agreement or other legal act concerning processing of Personal Data on behalf of the Controller, entered into between the Processor and the sub processor (for Commissioned Processing of Personal Data).
10. Subprocessors
10.1 The Controller specifically authorizes the engagement of sub processors as listed below:
(Name, Location of processing, Processing(s) performed by subprocessor, Transfer mechanism when applicable)
- Amazon AWS, USA, Storage, EU-U.S. DPF with UK and Swiss extensions
- Sendgrid, USA, Email service provider, EU-U.S. DPF with UK and Swiss extensions
- CloudConvert, Germany, File converter
- Sinch, Germany, SMS service provider
- Brevo / SendInBlue, France, Email service provider
10.2 The Processor is authorized to engage or replace Sub processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Subprocessor. The Controller is entitled to, within five (5) days of receiving notification, lodge reasonable objections to such changes. The Processor shall notify the Controller of the following:
(a) The identity, corporate domicile and corporate ID of the Subprocessor;
(b) The types of Customer Personal Data and categories of data subjects that will be processed by the Subprocessor;
(c) The location(s) where the Subprocessor will process Customer Personal Data; and
(d) If the engagement or replacement of the Subprocessor would constitute a transfer of Personal Data to a third country or international organization and under what transfer mechanism.
10.3 In all cases, such approval shall be granted only provided that the contractual agreement between the Processor and the subcontractor protects the Personal Data of the Controller essentially as this Agreement does (especially as regards confidentiality, data protection and data security) and in no regards contains data protection obligations less stringent than those contained in this Agreement. The Processor shall be responsible for the subcontractors’ obligations as for its own. The Controller shall have control rights vis-à-vis the Processor and the subprocessor as agreed in Section 7 of this Agreement. Furthermore, the Controller shall receive, upon request, information on the subprocessor as well as on the implementation of technical and organisational measures.
10.4 The Controller is entitled to prohibit the use of a specific subcontractor engaged in the Commissioned Processing of Personal Data for justified reason. Such justified reason should concern adequate guarantees to carry out appropriate technical and organisational measures to ensure that the Processing fulfils the requirements of GDPR and any further requirement(s) as regulated under this DPA.
In order to avoid any adverse effects to the provision of the services and/or products under the Main Agreement, the Controller shall give the Processor a reasonable time to find a replacing subcontractor or respond to the objection. The Controller is, in any case, after thirty (30) days of lodging an objection, pursuant to item 10.2, due to such an objection and the Processor failing to show that such objection is not justified, entitled to cancel the Main Agreement and this DPA.
10.5 The Processor shall make available to the Controller an accurate and up-to-date list indicating the sub processors engaged, as well as the geographical location where their processing activities in respect of the personal data for which the Controller is the data controller are performed.
11. Liability
11.1 The Parties agree that the general principle of division of responsibility between the Parties under this Agreement relating to fines and/or damages to the Data Subjects imposed by any relevant supervisory authority and/or competent court authorised to impose such fines or damages is based on the respective Parties need to fulfil its obligations under the applicable data protection laws and that any fines and/or damages to the Data Subjects imposed by a supervisory authority and/or competent court shall be paid by the party that has failed in its performance of its legal obligations under the applicable data protection laws.
12. Term and Termination
12.1 This DPA applies to the identical term as the Main Agreement. For the sake of clarity, termination of the Main Agreement by either Party, for whatever reason, is a termination of this DPA. Either Party’s right to terminate this Agreement for cause shall remain unaffected.
12.2 If the Processor materially breaches its obligations under this Agreement and fails to remedy such breach within thirty (30) days from the Controller’s notification of the breach to the Processor, or within thirty (30) days from the date when the Processor should have noticed the breach, the Controller shall have the right to terminate with immediate effect any and all services and other agreements which the breach affects or relates to.
12.3 Upon termination of this Agreement for whatsoever reason, the Processor shall return all data storage media and copies thereof as well as all Personal Data in its possession to the Controller and shall thereafter delete any Personal Data stored at the Processor. Upon request of the Controller, the Processor shall confirm compliance with such obligations in writing within one (1) week from such request.
13. General Provisions
13.1 Amendments and additions to this Agreement must be in writing. This also applies to a waiver of the requirement for this form.
13.2 Should one or more clauses of this Agreement be or become invalid and/or unenforceable, the validity of the other clauses of this Agreement shall remain unaffected thereby. In such a case, the Parties shall amend this agreement and amicably replace the invalid clauses.
13.3 Swedish law shall govern the Agreement.
13.4 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Swedish Chamber of Commerce. The arbitral tribunal shall be composed of a sole arbitrator who shall be appointed by the Board of Arbitration of the Central Chamber of Commerce. The place of arbitration shall be Sweden. The language used in the arbitral proceedings shall be English.