Data processing agreement

This Data Processing Agreement (this “DPA”) is reached between the Customer (as defined in PLAYipp’s terms and conditions) and PLAYipp AB (reg. no.: 556712-3012) (“we”, “PLAYipp”). The Customer is hereinafter referred to in this DPA as “Controller” and PLAYipp as the “Processor”. The Customer and PLAYipp are hereinafter together referred to as the “Parties”.

1 Background

1.1

The Parties have entered into an agreement, the terms and conditions, regarding Processor’s provision of its services (the “Terms and Conditions”). This DPA shall be deemed to form part of the Terms and Conditions.

1.2

This DPA governs the Controller’s rights and obligations as a personal data controller and the Processor’s rights and obligations as a personal data processor when the Processor processes personal data on behalf of the Controller and according to the written instructions included in this DPA.

1.3

Both Parties shall each act in accordance and comply with their respective obligations under all applicable regulations, legal requirements and laws relating to the processing of personal data, such as for example regarding disposal, disclosure, use, security, storage, collection, transfer of Personal Data (“Privacy Laws”). With regard to EU Personal Data, the Parties will comply with each of their respective obligations under the GDPR and any subordinate legislation and regulation implementing the GDPR and/or SCC which may apply (collectively, with Privacy Laws, the “Applicable Data Protection Legislation”).

2 Definitions

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Unless otherwise stated, all references to “personal data”, “processing”, “data subject”, “personal data breach”, “sub-processor”, “supervisory authority” shall have the same meaning in this DPA as stated in article 4 of the GDPR.

SCC: Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries, set forth in the European Commission Decision of 5 February 2010. 

Terms and expressions used in this DPA, but not defined in this DPA, shall be defined in accordance with the Terms and Conditions.

3 Appendices

Appendix 1: Specification of the processing of personal data 
Appendix 2: Pre-approved sub-processors 

4 Processing of personal data

4.1. Obligations of the Processor

4.1.1

Processor undertakes to process personal data only in accordance with documented instructions from Controller, unless otherwise provided by Applicable Data Protection Legislation. If Processing is required under Applicable Data Protection Legislation, the Processor shall inform the Controller of the legal requirement before Personal Data is processed for that purpose, unless such information is prohibited with reference to an important public interest under Applicable Data Protection Legislation. This DPA and Appendix 1 set out Controller’s initial instructions to Processor about the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.

4.1.2

Controller confirms that Processor’s obligations under this DPA, including Appendix 1, constitute the complete instructions to be followed by Processor. Any changes to the Controller’s instructions shall be negotiated separately and shall, in order to be valid, be documented in writing and signed by both Parties. The Controller is required to not, without such written agreement, allow Processor to process other categories of personal data, or to process personal data about other categories of data subjects than specified in Appendix 1.

4.1.3

Processor shall without undue delay inform Controller if Processor believes that Controller’s instructions regarding the processing of personal data are in violation of Applicable Data Protection Legislation.

4.1.4

Processor shall, to the extent required by Applicable Data Protection Legislation and in accordance with Controller’s written instructions in each case, assist Controller in fulfilling its obligations under Applicable Data Protection Legislation, such as regarding requests from data subjects, respond to the request for exercise of the data subject’s rights and general data protection pursuant to Articles 32-36 of the GDPR. These obligations shall e.g. include the following situations:

a)    Where a type of Processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the Processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Processor shall, prior to the Processing, assist the Controller in carrying out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data. A single assessment may address a set of similar Processing operations that present similar high risks.

b)    The Processor shall provide assistance to the Controller through appropriate technical and organisational measures so that the Controller can fulfil their duty regarding the rights of Data Subjects in accordance with Chapter III of the GDPR.

4.1.5

Processor shall, at the Controller’s request, correct, delete or transmit incorrect, incomplete or outdated personal data without undue delay.

4.1.6

Processor shall ensure the confidentiality, integrity and accessibility of the personal data. The Processor shall ensure the confidentiality of personal data processed under this DPA even after the agreement between the Parties has expired.

4.2 Obligations of the Controller

4.2.1

Controller is obliged to comply with the provisions of the Applicable Data Protection Legislation with regard to the processing of personal data.

4.2.2

Controller hereby confirms to process personal data in accordance with the requirements of the Applicable Data Protection Legislation.

4.2.3

Controller confirms to have the legal basis to process and disclose the personal data in question to the Processor, including to any subcontractor that processes personal data on behalf of the Processor.

4.2.4

Controller is solely responsible for the accuracy, integrity, content, reliability and legality of the personal data provided to the Processor.

4.2.5

Controller agrees that the Processor’s implementation of technical and organizational security measures is sufficient to protect the privacy and personal data of data subjects.

4.2.6

Controller shall not transmit any sensitive personal data, such as information on ethnic origin, health, sexual orientation, political opinions, religious beliefs and others.

5 Sub-Processors and Transfers of Personal Data to third Countries

5.1

Controller approves that Processor may hire sub-processors within and outside the EU/EEA and may transfer personal data outside the EU/EEA. Processor shall ensure that sub-processors are bound by written agreements which impose on them corresponding data processing obligations as the obligations under this DPA in respect of data protection. If the sub-processor does not fulfil its obligations in accordance with the agreement between the Processor and the sub-processor, the Processor shall be fully liable to the Controller for the performance of the sub-processor’s obligations. Appendix 2 contains a list of sub-processors that from the date of entry into force of this DPA have been pre-approved.

5.2

If Processor intends to hire a new sub-processor or replace an existing sub-processor to process personal data covered by this DPA, Processor shall inform Controller of this in advance and give Controller the opportunity to object to such changes. Such objections by Controller shall be made in writing without undue delay from receipt of the information by the Controller. Processor shall provide Controller with all information that Controller may reasonably request to assess whether the appointment of the proposed sub-processor complies with the Controller’s obligations under this DPA and Applicable Data Protection Legislation. If, in accordance with Controller’s justifiable opinion, compliance with these obligations is not possible through the proposed sub-processor and Processor, despite Controller’s objection, wants to hire the proposed sub-processor, Controller is entitled to terminate this DPA at no extra cost. If the objection is not justified, the Controller is not entitled to terminate this DPA.

5.3

If personal data is transferred to or made available from outside EU/EEA, Processor shall ensure that the transfer is subject to an appropriate safeguard under Applicable Data Protection Legislation, such as SCC adopted by the Commission.

5.4 

If the Processor or the sub-contractor’s processing of personal data is in violation of this DPA or the instructions from the Controller and causes Controller or data subjects damage, such damage shall be compensated by the Processor.

6 Data protection and confidentiality

6.1

Processor shall implement systematic, organizational and technical measures to ensure an appropriate level of security, taking into account the latest technology and implementation costs in relation to the risk involved in the processing and the type of personal data to be protected. When assessing the appropriate level of security, special consideration shall be given to the risk of accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to personal data.

6.2

Processor is obliged to fulfill its legal obligations regarding data protection under Applicable Data Protection Legislation and shall in all cases take appropriate technical and organizational measures to protect the personal data being processed.

6.3

Processor shall ensure that only such personnel who directly need access to personal data in order to fulfill Processor’s obligations under this DPA have access to such data. Processor shall ensure that such personnel are subject to appropriate means of confidentiality.

6.4

Processor certifies that its activities are conducted in a manner that ensures compliance with the provisions and requirements of the Applicable Data Protection Legislation regarding adequate protection of personal data processing.

7 Disclosure of personal data and contacts with competent authorities

7.1

Without the prior written consent of Controller, Processor undertakes not to disclose or otherwise make personal data processed under this DPA available to third parties, unless otherwise required by Swedish or European law or pursuant to a decision by a competent court or authority.

7.2

If a data subject requests information from Processor regarding the processing of the data subject’s personal data, Processor shall without undue delay refer such request to the Controller.

7.3

If a competent authority requests information from Processor regarding the processing of personal data, Processor shall inform the Controller thereof without undue delay. Processor may not act in any way on behalf of the Controller or as its agent and may not transfer or otherwise disclose personal data or other information relating to the processing of personal data to third parties without the prior consent of Controller, unless otherwise required by Swedish or European law or pursuant to a non-appealable decision by a competent court or authority.

7.4

If, in accordance with applicable Swedish or European laws and regulations, Processor is requested to disclose personal data processed by Processor on behalf of Controller, Processor shall promptly notify Controller thereof, unless otherwise provided by applicable law or pursuant to a decision by a competent court or authority, and in connection with the disclosure request that the personal data be given confidential treatment.

8 Personal data breach

8.1

Processor shall notify Controller without undue delay after having become aware of a personal data breach.

8.2

Processor shall assist Controller with the information reasonably required to fulfill Controller’s obligation to report personal data breaches.

8.3

Processor shall enable the Controller to comply with all legal obligations regarding information to be provided to relevant data protection authorities and data subjects in personal data breaches or incidents.

8.4

Processor shall provide the Controller with a description of the personal data breach. The description must contain at least the following:

  • Description of the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data items concerned. 
  • Name of the person who can provide more information about the breach or answer questions.
  • Description of the likely consequences of the personal data breach. 
  • Description of the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.

9 Right to Audit

9.1

In its capacity as controller, Controller shall have the right to take the necessary steps to verify that Processor is able to fulfill its obligations under this DPA and actually has taken the necessary measures to ensure that such obligations are fulfilled.

9.2

Processor undertakes to provide Controller with all information required to demonstrate Processor’s compliance with its obligations under this DPA, and to enable and participate in such audit, including on-site inspections, carried out by Controller or other examiner appointed by Controller, provided that the persons performing the audit enter into customary confidentiality agreements.

10 Remuneration

10.1

Processor is entitled to compensation in accordance with Processor’s prevailing price list for work performed or assistance provided pursuant to the obligations in sections 4.1.4, 7, 8.2, 9 and 13 of this DPA.

11 Limitations of liability

11.1

The limitations of liability set out in section 18 of the Terms and Conditions shall apply to Processor’s liability under this DPA as if set out herein.

11.2

Processor shall only process personal data in accordance with Controller’s Instructions. Therefore, Processor is not liable in circumstances where Processor’s actions result from instructions received from Controller.

12 Term of agreement

12.1

The provisions of this DPA shall apply as long as Processor processes personal data for which Controller is the controller.

12.2

This DPA supersedes previously entered personal data processor agreement between the Parties and this DPA applies from 2021-03-11.

13 Measures after termination of this DPA

13.1

Upon termination of this DPA, Processor, at Controller’s discretion, shall delete or return all personal data processed under this DPA within thirty (30) days after the termination of the services provided by the Processor to the Controller, unless continued storage of personal data is required under Swedish or European law. If the Processor retains personal data after the termination of the agreement to the extent required by law, the Processor shall apply the same type of technical and organizational security measures as described in this DPA.

13.2

At the request of the Controller, Processor shall without undue delay confirm in writing the measures taken regarding the personal data, even where the provision of services has ended in accordance with section 12 above.

14 Changes to this DPA

14.1

Changes to, and additions to, this DPA shall be made in writing and be accepted by the Parties.

15 Applicable law and disputes

15.1

This DPA shall be interpreted and applied in accordance with Swedish law.

15.2

Disputes concerning the interpretation or application of this DPA shall be resolved in accordance with section 20 of the Terms and Conditions.

Appendix 1

Specification of the processing of personal data

Purposes

The purpose for which personal data will be processed by Processor:

– To enable the Controller to use the Processor’s Services or software in accordance with the Agreement.

Categories of personal data

Categories of personal data that the Processor will process:

– End users’ login information and contact information;
– Information about how the end user uses Processor’s service or Software, such as the end user’s search queries;
– Phone-related information, such as the end user’s phone number, the caller’s number, forwarding number, call lengths, SMS routing and call types;
– Phone calls to the Processor’s support are recorded and can be used to get background information to help resolve or deal with a support request;
– When the end user contacts the Processor, the end user’s messages are saved in order to help the end user with a problem or provide information about the Processor’s services, whether immediately or at a later time; and
– Information about activity on a Media Player such as crashes, system activity, hardware settings, browser type, browser language, date and time of the end user’s request and address.

Categories of data subjects

Categories of data subjects whose personal data the Processor will process:

– Employees and consultants of the Controller, including end users of the Software.

Processing activities

Processing activities that will be performed by the Processor:

– Processing activities linked to the performance of the Processor’s Services in relation to the software, such as storing, collecting, deleting, changing and analyzing.

Location for the processing of personal data

Locations where personal data will be processed by the Processor:

– Within EU/EEA and through approved sub-processors located within or outside of the EU/EEA (see Appendix 2).

Data protection

Data protection measures:

– Access to personal data is limited both physically and virtually, and all data transfer and cold backup data is encrypted. 

– Any PLAYipp staff member who requires access to the Controller’s PLAYipp Manager account to fulfill the Controller’s instructions must use two-factor authentication.

More information about PLAYipp data protection measures can be found in the Data Processing Agreement.

Appendix 2

Pre-approved sub-processors

For each sub-processor, the following is listed: description, headquarters, data location, types of information, products and storage time.

Glesys AB

Description: The hosting provider for PLAYipp Digital Signage. They provide the virtual server nodes where PLAYipp Digital Signage is hosted.
Headquarters: Sweden
Data location: Sweden
Types of information: Any information stored within PLAYipp Digital Signage, such as:
– First name
– Surname
– Email
– Phone number
– IP address
– Absence information (if used)
– Anonymous analytics data
– Crash reports
– Any information manually stored in text fields, media, posts etc.
Products: PLAYipp Digital Signage
Storage time: As long as you are a customer, or until the data is removed by the user, and up to 180 days thereafter (backup storage).

Google Cloud EMEA Ltd

Description: The hosting provider for PLAYipp Connect, as well as the administrative products (email, file storage etc.) that PLAYipp uses internally.
Headquarters: Ireland
Data location: EU
Types of information: Any information stored within Connect, such as:
– First name
– Surname
– Email
– Phone number
– IP address
– Absence information (if used)
– Any information manually stored in free text fields, posts, media etc.
– Anonymous analytics data
– Crash reports
Email correspondence between PLAYipp Staff and customers.
Anonymous analytics data for PLAYipp Digital Signage.
Products:
– PLAYipp Connect
– PLAYipp Digital Signage (optional analytics data only)
– Anyone contacting PLAYipp using email.
Storage time: As long as you are a customer, or until the data is removed by the user and up to 180 days thereafter (backup storage).

Zendesk Inc.

Description: PLAYipp’s support tool and help center.
Headquarters: USA
Data location: USA/EU
Types of information:
– First name
– Surname
– Email address
– Phone number
– Voice recordings
Products: Anyone contacting PLAYipp Support through chat, email or phone.
Storage time: As long as you are a customer, and up to 180 days thereafter (backup storage).

Briljant Ekonomisystem AB

Description: Old business software for legacy accounts.
Headquarters: Sweden
Data location: Sweden
Types of information: Company contact persons:
– First name
– Surname
– Email address
– Phone number
Products: Old customer accounts created before 2020-01-01.
Storage time: According to the Swedish financial laws. Currently 7 years.

Inexchange AB

Description: System for sending and receiving invoices.
Headquarters: Sweden
Data location: Sweden
Types of information: Company contact persons:
– First name
– Surname
– Email address
– Phone number
Products: All invoices are sent and received through this system.
Storage time: According to the Swedish financial laws. Currently 7 years.

YouCanBookMe Limited

Description: To find and book an appointment with a person on playipp
Headquarters: UK
Data location: UK
Types of information: Company contact persons:
– First name
– Surname
– Email address
– Phone number
– IP address
Products: When booking a meeting with us through
Storage time: Up to the date of the relevant booking and for up to 24 months after the time and date of the booking. The data will be automatically deleted after 24 months.

Upsales Nordic AB

Description: CRM software
Headquarters: Sweden
Data location: Sweden
Types of information: Company contact persons:
– First name
– Surname
– Email address
– Phone number
– IP address
Products: All customers are managed through this system.
Storage time: As long as you are a customer, a potential customer or until data removal is requested by the user and for up to 6 weeks after (backup storage).

Visma Software AB

Description: PLAYipp’s main business software
Headquarters: Sweden
Data location: Sweden
Types of information: Company contact persons:
– First name
– Surname
– Email address
– Phone number
Products: All customers are managed through this system.
Storage time: According to the Swedish financial laws. Currently 7 years.

Algolia Inc.

Description: The search engine used to find data in Connect. It aggregates the data in the Google Firestore databases and makes it searchable.
Headquarters: USA
Data location: EU
Types of information: Any information entered into the Connect system is indexed by Algolia. This may include:
– First name
– Surname
– Email
– Phone number
– IP address
– Absence information (if used)
– Any information manually stored in free text fields, posts, media etc.
– Anonymous analytics data
– Crash reports
Products: PLAYipp Connect
Storage time: As long as you are a customer, or until the data is removed by the user, and up to 90 days thereafter (backup storage).

Canny Inc.

Description: The feedback management system used by PLAYipp.
Headquarters: USA
Data location: USA
Types of information:
– First name
– Surname
– Email address
– Any information entered in any clear text fields by the user.
Products: If you leave feedback through feedback.playipp.com
Storage time: As long as the system is in use by us, or when the information is deleted and up to 12 months (backup storage).

Typeform

Headquarters: Barcelona, Spain
Data location: EU
Types of information: Company contact persons:
– First name
– Surname
– Email address
– Phone number
Products: If you sign a form on our website.
Storage time: As long as the system is in use by us, or when the information is deleted and up to 12 months (backup storage).