Personal data processor agreement
1.1. The Customer is the personal data controller for all personal data processing that is carried out by means of the Service or the Software, unless otherwise specified in this Agreement. Infobric will, as part of the Service, process personal data on behalf of the Customer in the capacity of personal data processor. The object of the processing, the duration of the processing, its nature and purpose, the type of personal data and categories of data subjects affected by the processing are described in more detail in Sub-annex 1. The Customer is responsible for ensuring that all processing of personal data is carried out in accordance with the currently applicable privacy laws, including the Data Protection Regulation (EU 2016/679) (“Applicable Legislation”) on that date.
1.2. Paragraph 1.2 only applies if the Customer’s operations giving rise to the personal data processing are conducted in Sweden. When the Customer invites subcontractors to use Infobric’s equipment by providing Infobric’s equipment on a work site in order to fulfil its obligation to be registered in a personnel ledger, the subcontractor is responsible for its Personnel data in the Service. The Customer is the personal data processor for its subcontractor’s processing of personal data and a personal data agreement should therefore be concluded between the subcontractor and the Customer with content similar to that of the Personal Data Processor Agreement. In the event that the Customer provides equipment on behalf of a builder, the Customer is similarly the personal data processor for the builder’s personal data processing and must enter into a personal data agreement with the builder. Infobric has the role of the Customer’s sub-processor in relation to the subcontractor and the builder. The Customer is responsible for obtaining instructions from the subcontractor and the builder for Infobric’s processing of personal data, and for ensuring that the sub-processor and the Customer function in general as a point of contact in the fulfilment of Infobric’s obligations under the Applicable Legislation towards the subcontractor and the builder. The terms and conditions of the Agreement in respect of Infobric’s role as a processor of personal data shall also apply to the role of sub-processor of personal data.
2. Infobric’s General Obligations
2.1. Infobric shall only process personal data in its capacity as data processor in accordance with Customer’s written instructions pursuant to this Agreement, and the additional documented instructions provided by the Customer from time to time.
2.2. If Infobric is not given instructions that Infobric deems necessary to carry out its assignment, Infobric shall inform the Customer without delay and await further instructions. If Infobric finds that an instruction contravenes the Applicable Legislation, Infobric shall inform the Customer of this without undue delay.
2.3. Regardless of what is stated in Paragraph 2.1 above, Infobric has the right to process personal data to the extent that it is necessary for Infobric to be able to meet the obligations that Applicable Legislation imposes on Infobric from time to time, such as compliance with injunctions from authorities. Infobric must, however, inform the Customer of the legal obligation before such processing is carried out, unless mandatory legislation prevents Infobric from providing such information.
2.4. If anyone requests information from Infobric concerning the Customer’s processing of personal data, Infobric shall refer to the Customer. Infobric may not disclose personal or other information about the processing of personal data without a written instruction from the Customer. Infobric does not have the right to represent the Customer or act on behalf of the Customer vis-à-vis any third party, including the Swedish Data Inspection Authority.
3. Technical and Organisational Measures
3.1. Infobric shall take the technical and organisational measures required under the Applicable Legislation to protect the personal data processed in the Service.
3.2. Infobric shall, at the Customer’s request, provide the Customer with the necessary information that Infobric has available for the Customer to be able to fulfil its obligations, if applicable, to carry out an impact assessment and prior consultation with the relevant supervisory authorities regarding the processing that Infobric carries out on behalf of the Customer as part of the Service.
3.3. Infobric shall assist the Customer as far as possible by taking the appropriate technical and organisational measures to enable the Customer to meet its obligation to respond to a request from a data subject to exercise his or her right, of which the data subject is assured under the Applicable Legislation.
3.4. Infobric shall ensure that access to personal information is restricted only to the staff of Infobric who need access in order for Infobric to be able to meet its commitments vis-à-vis the Customer. Moreover, Infobric shall ensure that such authorised staff respect the duty of confidentiality as described in Paragraph 8 below.
4. Personal Data Incidents
4.1. In the event of a personal data incident (as defined in the Applicable Law), Infobric shall notify the Customer in writing as soon as possible after Infobric is made aware of the incident. The notification shall contain information about the nature of the incident, the categories and number of data subjects and personal data items affected, the likely consequences of the incident, and a description of the measures Infobric has taken (if any) to limit any negative effects of the incident. If this is not possible, it is not necessary to notify all of the information at the same time, as Infobric will provide the Customer with the information as soon as it becomes available to Infobric.
4.2. If a personal data incident is likely to present a risk to the personal privacy of the data subjects, Infobric shall take appropriate remedial measures to prevent or limit any negative effects of the incident as far as possible immediately after Infobric is made aware of the incident.
5. Access to Information
5.1. Infobric documents on an ongoing basis the measures it has taken to fulfil its obligations under this Personal Data Processor Agreement. The Customer is entitled to view the latest version of such documentation, on request.
5.2. Moreover, Infobric shall enable and assist the Customer, or a third party appointed by the Customer, to carry out a review, including inspection, of the technical and organisational measures that Infobric takes in order to meet its obligations under this Personal Data Processor Agreement. Infobric shall be informed of such review in writing at least thirty (30) days in advance. All costs of the review shall be borne by the Customer, including any costs incurred by Infobric in its participation in the review. The Customer shall ensure that any third party who conducts the review on behalf of the Customer shall observe a duty of confidentiality that is no less restrictive than that described in Paragraph 8 below.
6. The Hiring of Sub-processors
6.1. The Customer hereby gives its consent that the subcontractors hired by Infobric, as indicated on the website specified by Infobric from time to time, may process personal data on behalf of the Customer in connection with the Service (“Sub-processors”). Infobric shall enter into a personal data processor agreement with the Sub-processor. Such personal data processor agreement shall contain provisions corresponding to what is stipulated in this Annex 1.
6.2. If Infobric intends to hire a new Sub-processor, Infobric shall inform the Customer of the identity of the Sub-processor (including full company name, company number and address), the location (geographical) where the Sub-processor will be processing the personal data, and the type of service the Sub-processor provides. The Customer has the right within two weeks to object to Infobric’s hiring of the Sub-processor for the processing of personal data on behalf of the Customer, in which case Infobric and the Customer shall jointly seek a consensus and otherwise this Agreement can be terminated in advance in accordance with the General Terms and Conditions.
7. The Transfer to and Processing of Personal Data outside the EU/EEA Area
7.1. The Customer hereby gives its consent for Infobric to transfer, where appropriate, the Customer’s personal data outside the EU/EEA-area. Such transfer may only occur, however, if (i) the country has an adequate level of protection for personal data, according to the decision announced by the EU Commission, which covers the processing of personal data, (ii) if Infobric ensures that there are appropriate safeguards in place, such as standardised data protection provisions, as adopted by the EU Commission, or (iii) if any other exception to the Applicable Legislation enables the transfer to be made.
8.1. Without prejudice to the duty of confidentiality referred to in Paragraph 17 of the Agreement, the following shall also apply.
8.2. Infobric shall keep the personal data processed on behalf of the Customer strictly confidential. Infobric shall not disclose any personal information to third parties, directly or indirectly, unless the Customer has approved this in writing, unless Infobric is required to disclose personal information by law, or if it is necessary to do so for the performance of the Agreement. Infobric agrees that this duty of confidentiality shall continue to apply even after termination of the Agreement.
8.3. The Customer undertakes to keep all information the Customer receives in respect of Infobric’s security measures, procedures, IT systems, or which is otherwise of a confidential nature, strictly confidential, and further undertakes not to disclose any confidential information derived from Infobric or its Sub-processor to any party this information does not concern. The Customer has the right, however, to disclose such information as the Customer is obliged to disclose in accordance with the law or the Agreement. The Customer agrees that this duty of confidentiality shall continue to apply even after termination of the Agreement.
9.1. In the event that Infobric incurs damage or has a claim brought against it as a result of Infobric’s processing of personal data in accordance with the Customer’s instructions, or as a consequence of a breach by the Customer of Paragraph 1.2, the Customer shall indemnify Infobric against all damages arising as a result thereof. Infobric is liable, however, for the fulfilment of the Sub-processor’s obligations to the Customer if the Sub-processor fails to meet its obligations. Any limitation of liability under this Agreement shall not apply in respect of the Customer’s liability under this Annex 1.
9.2. If the Customer’s additional documented instructions regarding the processing of personal data are not supported by the Service or otherwise included in Infobric’s commitments under the Agreement and which Infobric could not reasonably have expected, and Infobric incurs additional costs as a result of these requirements, Infobric has the right to choose either to terminate the Agreement with immediate effect or, alternatively, receive compensation from the Customer for these costs.
10. Termination of the Agreement
10.1. Upon termination of this Agreement, Infobric shall either return or delete all of the personal data that Infobric has processed on the Customer’s behalf, as the Customer chooses. If the Customer does not make such a request within fourteen (14) days of the cessation of the processing, Infobric shall delete the personal data. If the Customer has requested back-up storage according to Paragraph 18.7 in the General Terms and Conditions, Infobric shall store back-ups during the time stated therein subject to conditions set forth in this Agreement. When the time limit set forth in Paragraph 18.7 in the General Terms and Conditions has expired, Infobric shall delete the back-ups unless otherwise agreed with the Customer.