This Data Processing Agreement (this “DPA”) is reached between the User (as defined in PLAYipp’s terms and conditions) and PLAYipp AB. The User is hereinafter referred to in this DPA as “Controller” and PLAYipp AB as the “Processor”. The User and PLAYipp are hereinafter together referred to as the “Parties”.
The Parties have entered into an agreement, the terms and conditions, regarding Processor’s provision of services (the “Terms and Conditions“). This Data Processing Agreement shall be deemed to form part of the Terms and Conditions.
This DPA governs the Controller’s rights and obligations as a controller and the Processor’s rights and obligations as a processor when Processor processes personal data for Controller.
Unless otherwise stated, terms and expressions in this DPA shall be interpreted in accordance with applicable data protection legislation (“Applicable Data Protection Legislation”).
Terms and expressions used in this DPA, but not defined in this DPA, shall be defined in accordance with the Terms and Conditions.
Specification of the processing of personal data Appendix 1
Pre-approved sub-processors Appendix 2
Processing of personal data
Processor undertakes to process personal data only in accordance with documented instructions from Controller, unless otherwise provided by Applicable Data Protection Legislation. This DPA and Appendix 1 sets out Controller’s initial instructions to Processor about the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
Controller confirms that Processor’s obligations under this DPA, including Appendix 1, constitute the complete instructions to be followed by Processor. Any changes to the Controller’s instructions shall be negotiated separately and shall, in order to be valid, be documented in writing and signed by both Parties. The Controller is required to not, without such written agreement, allow Processor to process other categories of personal data, or to process personal data about other categories of data subjects than specified in Appendix 1.
Processor shall without undue delay inform Controller if Processor believes that Controller’s instructions regarding the processing of personal data are in violation of Applicable Data Protection Legislation.
Processor shall, to the extent required by Applicable Data Protection Legislation and in accordance with Controller’s written instructions in each case, assist Controller in fulfilling its obligations under Applicable Data Protection Legislation.
Sub-Processors and Transfers of Personal Data to third Countries
Controller approves that Processor may hire sub-processors within and outside the EU / EEA and may transfer personal data outside the EU / EEA. Processor shall ensure that sub-processors are bound by written agreements which impose on them corresponding data processing obligations as the obligations under this DPA in respect of data protection. Appendix 2 contains a list of sub-processors that from the date of entry into force of this DPA have been pre-approved.
If Processor intends to hire a new sub-processor or replace an existing sub-processor to process personal data covered by this DPA, Processor shall inform Controller of this in advance and give Controller the opportunity to object to such changes. Such objections by Controller shall be made in writing without undue delay from receipt of the information by the Controller. Processor shall provide Controller with all information that Controller may reasonably request to assess whether the appointment of the proposed sub-processor complies with the Controller’s obligations under this DPA and Applicable Data Protection Legislation. If, in accordance with Controller’s justifiable opinion, compliance with these obligations is not possible through the proposed sub-processor and Processor despite Controllers objection wants to hire the proposed sub-processor, Controller is entitled to terminate this DPA at no extra cost. If the objection is not justified, the Controller is not entitled to terminate this DPA.
If personal data is transferred to or made available from outside EU / EEA, Processor shall ensure that the transfer is subject to an appropriate safeguard under Applicable Data Protection Legislation, such as standard data protection clauses adopted by the Commission. Controller hereby authorizes Processor to enter into such standard data protection clauses with sub-processors on behalf of Controller.
Data protection and confidentiality
Processor is obliged to fulfill its legal obligations regarding data protection under Applicable Data Protection Legislation and shall in all cases take appropriate technical and organizational measures to protect the personal data being processed.
Processor shall ensure that only such personnel who directly need access to personal data in order to fulfill Processor’s obligations under this DPA has access to such data. Processor shall ensure that such personnel are subject to appropriate means of confidentiality.
Disclosure of personal data and contacts with competent authorities
Without the prior written consent of Controller, Processor undertakes not to disclose or otherwise make personal data processed under this DPA available to third parties, unless otherwise required by Swedish or European law or pursuant to a decision by a competent court or authority.
If a data subject requests information from Processor regarding the processing of the data subject’s personal data, Processor shall without undue delay refer such request to the Controller.
If a competent authority requests information from Processor regarding the processing of personal data, Processor shall inform the Controller thereof without undue delay. Processor may not act in any way on behalf of the Controller or as its agent and may not transfer or otherwise disclose personal data or other information relating to the processing of personal data to third parties without the prior consent of Controller, unless otherwise required by Swedish or European law or pursuant to a non-appealable decision by a competent court or authority.
If, in accordance with applicable Swedish or European laws and regulations, Processor is requested to disclose personal data processed by Processor on behalf of Controller, Processor shall promptly notify Controller thereof, unless otherwise provided by applicable law or pursuant to a decision by a competent court or authority, and in connection with the disclosure request that the personal data be given confidential treatment.
Personal data breach
Processor shall notify Controller without undue delay after having become aware of a personal data breach.
Processor shall assist Controller with the information reasonably required to fulfill Controller’s obligation to report personal data breaches.
Right to Audit
In its capacity as controller, Controller shall have the right to take the necessary steps to verify that Processor is able to fulfill its obligations under this DPA and actually has taken the necessary measures to ensure that such obligations are fulfilled.
Processor undertakes to provide Controller with all information required to demonstrate Processor’s compliance with its obligations under this DPA, and to enable and participate in such audit, including on-site inspections, carried out by Controller or other examiner appointed by Controller, provided that the persons performing the audit enter into customary confidentiality agreements.
Processor is entitled to compensation in accordance with Processor’s prevailing price list for work performed or assistance provided pursuant to the obligations in sections 4.4, 7, 8.2, 9 and 13 of this DPA.
Limitations of liability
The limitations of liability set out in section 21 of the Terms and Conditions shall apply to Processor’s liability under this DPA as if set out herein.
Processor shall only process personal data in accordance with Controller’s Instructions. Therefore, Processor is not liable in circumstances where Processor’s actions result from instructions received from Controller.
Term of agreement
The provisions of this DPA shall apply as long as Processor processes personal data for which Controller is the controller.
Measures after termination of this dpa
Upon termination of this DPA, Processor, at Controller’s discretion, shall delete or return all personal data processed under this DPA within thirty (30) days after the termination of the services provided by the Processor to the Controller, unless continued storage of personal data is required under Swedish or European law.
At the request of the Controller, Processor shall without undue delay confirm in writing the measures taken regarding the personal data, even where the provision of services has ended in accordance with 12 above.
Changes to this dpa
Changes to, and additions to, this DPA shall be made in writing and be signed by the Parties.
Applicable law and disputes
This DPA shall be interpreted and applied in accordance with Swedish law.