Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between:
Data Controller
(the “Customer”)
Data Processor
Insert Coin AB, Reg. No. 556864-0527, Vasagatan 33 BV, 411 37 Göteborg, (the “Supplier”)
1 Background
The parties have entered into an agreement regarding the Supplier’s gamification service (the “Service Agreement”) under which the Supplier will process the Customer’s Personal Data on the Customer’s behalf (“Personal Data”). This DPA is an appendix to the Service Agreement.
In the event of inconsistencies between the provisions of this DPA and the Service Agreement or the other appendices in respect of personal data, the provisions of this DPA shall prevail.
2 Definitions
Terms used but not defined herein, such as “processing”, “data subject”, “personal data breach” and “supervisory authority”, shall have the same meanings as in the EU General Data Protection Regulation (679/2016) (“GDPR”), and their cognate terms shall be construed accordingly.
Defined terms in the Service Agreement shall have the same meanings when used in the DPA.
3 Processing
The parties undertake to fulfil their obligations under the GDPR and any laws implementing or supplementing the GDPR (“Applicable Laws”). As the controller, the Customer is responsible for the processing of the Personal Data being compatible with the purposes and lawful, and for giving information to the data subjects.
The Supplier shall only process the Personal Data in accordance with appendix A and/or the written instructions of the Customer. The Supplier is entitled to collect anonymous and deidentified data on the use of the Service that does not specify the Customer or data subjects, and use it for analysing and developing its services.
The Supplier shall, without undue delay, notify the Customer if any conflict with Applicable Laws is detected in the instructions.
4 Security and confidentiality
The Supplier shall implement and maintain the appropriate technical and organizational measures in accordance with article 32 of the GDPR.
The Supplier shall ensure that everyone with authorization to process Personal Data abides by the appropriate non-disclosure commitments.
5 Personal Data Breaches
The Supplier shall without undue delay (if possible, no later than twenty-four (24) hours) notify the Customer upon receiving information of a personal data breach affecting Personal Data.
The Supplier shall provide the Customer with the information necessary for the Customer to fulfil its obligations according to articles 33–34 of the GDPR.
6 Data Protection Impact Assessments and Prior Consultations
The Supplier shall, upon the Customer’s request, help the Customer in its performance of data protection impact assessments and prior consultations with supervisory authorities in accordance with articles 35–36 of the GDPR.
7 Requests from Data Subjects
The Supplier shall, upon receipt of a request from a data subject, supervisory authority or other regarding Personal Data, immediately refer the request to the Customer.
8 Data Subjects’ Rights
The Supplier shall, if possible and with regard to the nature of the processing, through technical and organizational measures assist the Customer in responding to requests regarding Data Subjects’ rights in accordance with the GDPR.
9 Sub-processors
The Supplier shall have the right to engage subcontractors for the processing of Personal Data (“Sub-processors”).
The Supplier shall enter into written data processing agreements with its Sub-processors that ensure as a minimum the same commitments and obligations that the Supplier has according to this DPA.
The Supplier shall inform the Customer beforehand of new Sub-processors the Supplier intends to use in processing the Personal Data pursuant to the Service Agreement and this DPA. The Customer has the right to object to the use of a new Sub-processor. The Customer shall notify the Supplier of such objection within thirty (30) days of the Supplier’s notice to the Customer. If the Customer does not object within thirty (30) days of the Supplier’s notice to the Customer, the Customer shall be deemed to have accepted the use of the new Sub-processor.
In the event that opposition to such Sub-processor, in the Supplier’s opinion, prevents effective provision of Supplier’s services in accordance with the Service Agreement, the Supplier may terminate the Service Agreement without penalty or liability, with thirty (30) days’ notice.
The Supplier is fully liable toward the Customer for the Sub-processor’s actions and any failure by the Sub-processor to adhere to its data protection obligations when processing Personal Data.
A list of Sub-processors deemed approved when this DPA is concluded is attached in appendix A.
10 Transfer of Personal Data outside the EU/EEA
The Supplier may only transfer Personal Data outside the EU/EEA provided that the Supplier ensures that the transfer is allowed in accordance with Applicable Laws.
If the transfer mechanism used to ensure that the transfer is allowed in accordance with Applicable Laws would be declared invalid or illegal by the European Court of Justice, the European Commission or any other competent EU institution or national court or authority, the Supplier shall ensure that all processing of Personal Data outside the EU/EEA is based on another permitted transfer mechanism under Applicable Laws.
By entering into this DPA the Customer authorizes the Supplier to represent the Customer in the signing of the standard contractual clauses annexed to European Commission Decision 2010/87/EU of 5 February 2010 concerning the transfer of personal data outside the EU/EEA, or such approved clauses replacing or supplementing them, on behalf of and in the name of the Customer.
11 Audit
The Supplier shall provide the Customer with access to all information that the Customer needs to verify that the Supplier complies with its obligations under this DPA.
The Supplier shall enable and contribute to inspections and audits that the Customer, with at least twenty (20) days’ notice, conducts itself or through a third party (however not a competitor of the Supplier).
The audits may only be conducted at the Supplier’s premises during normal office hours. The representatives of the Customer and all others assisting in the audit must sign conventional non-disclosure commitments.
The Supplier has the right to invoice the Customer for the Supplier’s costs (cost price) associated with the audit, unless the audit reveals a material breach by the Supplier of its obligations under this DPA.
12 Return or deletion
Upon termination of the Service Agreement, or upon the Customer’s request, the Supplier shall without undue delay, at the choice of the Customer, return all Personal Data to the Customer or delete the Personal Data, and thereafter delete all copies of Personal Data.
13 Dispute resolution
The terms regulating governing law and dispute resolution in the Service Agreement shall apply to this DPA.
14 Liability
The terms regulating liability in the Service Agreement shall apply to this DPA.
15 Duration of the DPA
This DPA shall enter into force upon signing of the Service Agreement by the parties and remain in force as long as the Supplier processes Personal Data.
16 Compensation
The Supplier has the right to invoice the Customer for costs (cost price) incurred by the Supplier when assisting the Customer with data protection impact assessments, prior consultations, requests from data subjects and when deleting and returning Personal Data.
17 Miscellaneous
If the terms concerning the processing of Personal Data of the DPA and the Service Agreement are in conflict, the parties shall apply the terms of this DPA.
APPENDIX A
Subject matter: The subject matter of the processing of the Personal Data is set out in the Service Agreement and this DPA.
Nature and purpose of processing: Processing for the purpose of providing the Service in accordance with the Service Agreement and, in connection therewith, continuously improving the Service, including troubleshooting, data analysis, testing, research, and statistical purposes, and in accordance with the Customer’s instructions. The Supplier will process the personal data mainly according to the following:
Categories of data subjects:
Categories of Personal Data: User behavior data
Retention periods: Processing will take place during the duration of the Service Agreement, and for a limited period thereafter under this DPA. The Customer has given the Supplier the following instructions for deletion:
Sub-processors: An updated list of sub-processors is found here: https://www.gwenplatform.com/sub-processors
Transfers outside the EU/EEA: See list of sub-processors.