Data Processing Agreement

Effective date: 22/10/2019


This DATA PROCESSING AGREEMENT (“DPA”) is entered into and made between:

  1. Eurostep (as defined in the Master Services Agreement); and
  2. Customer (as defined in the Master Services Agreement).

The above parties are hereinafter each referred to as a “Party” and jointly as the “Parties”.

1 Background

1.1    The Parties have entered into an agreement under which Eurostep grants Customer a limited license to use the Service or other services.

1.2    This DPA shall be deemed to be part of the Agreement between the Parties. In case of any discrepancies between the Agreement and this DPA, the wording of this DPA shall prevail.

1.3    This DPA regulates Customer’s rights and obligations in its capacity as data controller as well as Eurostep’s rights and obligations in its capacity as data processor when Eurostep processes personal data on behalf of Customer under the Agreement.

2 Definitions

2.1   Capitalized terms used but not defined in this DPA have the meanings given elsewhere in the Agreement (primarily in the Master Services Agreement).

2.2   Concepts, terms and expressions in this DPA shall be interpreted in accordance with “Applicable Data Protection Laws”.

2.3   The term “Applicable Data Protection Laws” shall for the purpose of this DPA mean any nationally or internationally binding data protection laws, case law and regulations, applicable within the European Union (the “EU”) or the European Economic Area (“EEA”) at any time during the term of this DPA, including the EU General Data Protection Regulation (“GDPR”), and which are applicable to Eurostep’s processing of personal data under this DPA.

3 List of appendices

The following appendices shall form part of the DPA:

  • Specification of data processing – Appendix 1
  • List of pre-approved sub-processors – Appendix 2

4 Processing of personal data

4.1    Eurostep undertakes to process personal data in accordance with Customer’s written instructions, unless otherwise required by Applicable Data Protection Laws to which Eurostep is subject. Customer’s instructions to Eurostep regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set forth in this DPA and in Appendix 1. The Customer may not process any sensitive personal data in the Service.

4.2    Eurostep shall when processing personal data under this DPA comply with all Applicable Data Protection Laws.

5 Disclosure of personal data

5.1   Eurostep undertakes not to, with the exception of sub-processors that have been approved by Customer in accordance with Clause 6 below, without Customer’s prior written consent, disclose or otherwise make personal data processed under this DPA available to any third party, unless otherwise provided by Swedish or European law, judicial or administrative decision to which Eurostep is subject.

5.2   If data subjects, competent authorities or any other third parties request information from Eurostep regarding the processing of personal data covered by this DPA, Eurostep shall refer such request to Customer. Eurostep may not in any way act on behalf of or as a representative of Customer and may not, without prior instructions from Customer, transfer or in any other way disclose personal data or any other information relating to the processing of personal data to any third party.

5.3   In the event that Eurostep, according to Swedish or European law, judicial or administrative decision to which Eurostep is subject, is required to disclose personal data processed under this DPA, Eurostep shall inform Customer thereof, unless that law or regulation prohibits such information, and request confidentiality in conjunction with the disclosure of requested information.

6 Sub-processors and third-country transfers

6.1   Eurostep may engage sub-processors within and outside the EU/EEA and may transfer and process personal data outside the EU/EEA. Eurostep shall ensure that sub-processors are bound by written agreements which impose on them the same data processing obligations as the obligations under this DPA in respect of data protection. Appendix 2 contains a complete list of Eurostep’s sub-processors that from the date of entry into force of this DPA have been pre-approved by Customer.

6.2   Eurostep shall inform Customer of any new sub-processors and give Customer the opportunity to object to such changes. Such objections by Customer shall be based on grounds regarding the new sub-processor’s ability to comply with Applicable Data Protection Laws and be made in writing without any undue delay from receipt of the information. Eurostep shall upon request provide Customer with all information that Customer may reasonably request to assess the proposed sub-processor’s ability to comply with Applicable Data Protection Laws. If Eurostep despite Customer’s objection wishes to engage the proposed sub-processor, Customer is entitled to terminate the Agreement at no extra cost. If the objection is not justified, Customer is not entitled to terminate the Agreement.

6.3   If personal data is transferred to, or made available from, outside EU/EEA, Eurostep shall ensure that the transfer is subject to an appropriate safeguard under Applicable Data Protection Laws, such as standard contractual clauses adopted by the European Commission. The Customer hereby authorizes Eurostep to enter into such standard data protection clauses with sub-processors on behalf of Customer.

7 Information security and confidentiality

7.1   Eurostep shall fulfil, and shall assist Customer in fulfilling, its legal obligations regarding information security under Applicable Data Protection Laws. Eurostep shall thereby take appropriate technical and organizational measures to maintain an adequate level of security for the protection of personal data. Eurostep shall protect the personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. The personal data shall also be protected against all other forms of unlawful processing.

7.2   Eurostep shall be obliged to ensure that only such staff and other representatives of Eurostep that directly require access to personal data in order to fulfil Eurostep’s obligations in accordance with this DPA have access to such information. Eurostep shall ensure that all persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8 Data subjects’ rights

Eurostep shall, insofar as it is possible and taking into account the nature of the processing, through technical and organisational measures assist Customer in responding to requests for exercising the data subject’s rights as laid down in Chapter III of the GDPR.

9 Data breach notifications

9.1   Eurostep shall without undue delay inform Customer after becoming aware of any personal data breach.

9.2   Eurostep shall assist Customer with any information reasonably required to fulfil Customer’s data breach notification requirements under Applicable Data Protection Laws.

10 Data protection impact assessment and prior consultations

Eurostep shall, taking into account the nature of the processing and the information available to Eurostep, assist Customer in fulfilling Customer’s obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.

11 Audit rights

11.1   At Customer’s request, Eurostep will conduct audits to verify that Eurostep is able to comply with its obligations under this DPA. Such audit will be performed by a qualified, independent, third-party auditor at Eurostep’s selection and will result in the generation of an audit report which Eurostep will make available to Customer in whole or in part. The audit report will be Eurostep’s confidential information and will be subject to non-disclosure and distribution limitations of Eurostep and the auditor.

11.2   Customer agrees to exercise its audit rights by instructing Eurostep to execute the audit as described in this Clause 11. If Customer desires to change this instruction and pursuant to Clause 15, then Customer has the right to do so, which change shall be requested in writing.

11.3   Eurostep shall immediately inform Customer if, in its opinion, an instruction provided to Eurostep when Customer exercises its rights under this Clause 11, infringes Applicable Data Protection Laws.

11.4   Notwithstanding Clause 6.1, and to the extent that it does not result in any breach of Applicable Data Protection Laws by Customer or Eurostep, Eurostep shall not be obliged to impose on its sub-contractors any other obligations regarding audits than those set out in the sub-contractors’ own agreements.

12 Term of agreement

The provisions of this DPA shall apply as long as Eurostep processes personal data for which Customer is data controller.

13 Measures upon completion of processing of personal data

13.1   Upon expiration of this DPA, Eurostep shall, at the choice of Customer, delete or return all personal data to Customer without any undue delay, unless Swedish or European law requires Eurostep to store the personal data.

13.2   Upon request by Customer, Eurostep shall provide a written notice of the measures taken regarding the personal data upon completion of the processing as set out in Clause 13.1 above.

14 Amendments

14.1   Any amendments to this DPA shall, in order to be valid, be agreed in writing and duly signed by authorised representatives of both Parties.

14.2   Notwithstanding Section 14.1 above, Customer is entitled to make updates to its written instructions regarding the processing set out in Appendix 1 to the extent required by Applicable Data Protection Laws.

15 Compensation

Eurostep shall be entitled to reasonable remuneration from Customer for any assistance in accordance with Clause 6.2, 7.1, 8, 9.2, 10, 11 and 13. Eurostep shall also be entitled to reasonable remuneration for any additional costs that arise due to Customer having made amendments to its written instructions regarding the processing. Such remuneration shall be paid in accordance with Eurostep’s price list, as applicable from time to time.

16 Liability

The liability provisions and limitations thereof set out in the Agreement shall apply to this DPA.

17 Governing law and disputes

17.1   This DPA shall be governed by and construed in accordance with Swedish law, without application of its conflict of laws principles.

17.2   Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled in accordance with the dispute resolution provisions set out in the Agreement.

________________

APPENDIX 1

Specification of data processing

1 Instructions

1.1 Short description of the service and the purposes of the processing

Eurostep provides the ShareAspace cloud storage service where Customer can store and share data with others. Eurostep shall process personal data on behalf of Customer for the purpose of enabling Customer to receive the Services.

1.2 Duration of the processing

The term of the Agreement plus the period from expiry of such term until the deletion of all Customer’s Data by Customer or Eurostep in accordance with this DPA and the Agreement.

1.3 Categories of personal data

Eurostep will process the personal data submitted, stored, sent or received by Customer or Users via the Service which may include any data related to the customer’s business operation using our Service.

1.4 Categories of data subjects

Eurostep may process personal data regarding the following categories of data subjects: our Customer, Users, the employees of Customer’s customers, suppliers, consultants and sub-contractors.

1.5 Processing operations (storing, managing, cross-referencing etc.)

Eurostep will store personal data for the purpose of providing the Service. Eurostep may also, for technical reasons, transfer personal data in the Services to another data medium for the purpose of remedying faults within the Service or making backup copies at Customer’s request. Eurostep will also process personal data upon Customer’s instruction in order to respond to requests from data subjects, such as deletion and rectification, and deletion or anonymization upon the termination of the Agreement.

1.6 Location of processing operations

Physical location includes Sweden, France, UK, and Finland.

1.7 Security measures

Eurostep shall implement technical and organisational measures to protect the Data from accidental or unlawful destruction, and loss, alteration, unauthorised disclosure of, or access to the Data.

APPENDIX 2

Pre-approved sub-processors

Microsoft Azure

Privacy at Microsoft: https://www.microsoft.com/en-us/trust-center/privacy

  • Location: EU, North Europe
  • Processing activities: Data processes include but are not limited to: collection, organisation, structuring, storage, retrieval, consultation, use, restriction, erasure or destruction.

WalkMe, Ltd.

Security: https://www.walkme.com/walkme-security/
Privacy Policy: https://www.walkme.com/privacy-policy/

  • Location: USA. Certified under: EU-US Privacy Shield
  • Processing activities: By default, WalkMe does not collect personally identifiable information (PII) other than IP addresses in logs for security purposes, end-user’s approximate geolocation (country and city in which they are located) and masked IP addresses for the ongoing operation of the WalkMe system, and assigns collected metadata to anonymous random GUID. Moreover, WalkMe collects and transfers environment properties such as browser and OS, page URL, and title.