Data processing agreement

This Data Processing Agreement (this “DPA”) is reached between the Customer (as defined in PLAYipp’s terms and conditions) and PLAYipp AB (Reg. No.: 556712-3012) (“we”, “PLAYipp”). The Customer is hereinafter referred to in this DPA as “Controller” and PLAYipp as the “Processor”. The Customer and PLAYipp are hereinafter together referred to as the “Parties”.

1 Background

1.1

The Parties have entered into an agreement, the terms and conditions, regarding Processor’s provision of its services (the “Terms and Conditions”). This DPA shall be deemed to form part of the Terms and Conditions.

1.2

This DPA governs the Controller’s rights and obligations as a personal data controller and the Processor’s rights and obligations as a personal data processor when the Processor processes personal data on behalf of the Controller and according to the written instructions included in this DPA.

1.3

Both Parties shall each act in accordance and comply with their respective obligations under all applicable regulations, legal requirements and laws relating to the processing of personal data, such as for example regarding disposal, disclosure, use, security, storage, collection, transfer of Personal Data (“Privacy Laws”). With regard to EU Personal Data, the Parties will comply with each of their respective obligations under the European Union Regulation on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and any subordinate legislation and regulation implementing the GDPR which may apply (collectively, with Privacy Laws, the “Applicable Data Protection Legislation”).

2 Definitions

2.1

Unless otherwise stated, terms and expressions in this DPA shall be interpreted in accordance with the GDPR.

2.2

Terms and expressions used in this DPA, but not defined in this DPA, shall be defined in accordance with the Terms and Conditions.

3 Appendices

Appendix 1: Specification of the processing of personal data 
Appendix 2: Pre-approved sub-processors 

4 Processing of personal data

4.1. Obligations of the Processor

4.1.1

Processor undertakes to process personal data only in accordance with documented instructions from Controller, unless otherwise provided by Applicable Data Protection Legislation. This DPA and Appendix 1 set out Controller’s initial instructions to Processor about the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.

4.1.2

Controller confirms that Processor’s obligations under this DPA, including Appendix 1, constitute the complete instructions to be followed by Processor. Any changes to the Controller’s instructions shall be negotiated separately and shall, in order to be valid, be documented in writing and signed by both Parties. The Controller is required to not, without such written agreement, allow Processor to process other categories of personal data, or to process personal data about other categories of data subjects than specified in Appendix 1.

4.1.3

Processor shall without undue delay inform Controller if Processor believes that Controller’s instructions regarding the processing of personal data are in violation of Applicable Data Protection Legislation.

4.1.4

Processor shall, to the extent required by Applicable Data Protection Legislation and in accordance with Controller’s written instructions in each case, assist Controller in fulfilling its obligations under Applicable Data Protection Legislation, such as regarding requests from data subjects, responding to requests for the exercise of the data subject’s rights, and general data protection pursuant to Articles 32-36 of the GDPR.

4.1.5

Processor shall, at the Controller’s request, correct, delete or transmit incorrect, incomplete or outdated personal data without undue delay.

4.1.6

Processor shall ensure the confidentiality, integrity and accessibility of the personal data. The Processor shall ensure the confidentiality of personal data processed under this DPA even after the agreement between the Parties has expired.

4.2 Obligations of the Controller

4.2.1

Controller is obliged to comply with the provisions of the Applicable Data Protection Legislation with regard to the processing of personal data.

4.2.2

Controller hereby confirms to process personal data in accordance with the requirements of the Applicable Data Protection Legislation.

4.2.3

Controller confirms to have the legal basis to process and disclose the personal data in question to the Processor, including to any subcontractor that processes personal data on behalf of the Processor.

4.2.4

Controller is solely responsible for the accuracy, integrity, content, reliability and legality of the personal data provided to the Processor.

4.2.5

Controller agrees that the Processor’s implementation of technical and organizational security measures is sufficient to protect the privacy and personal data of data subjects.

4.2.6

Controller shall not transmit any sensitive personal data, such as information on ethnic origin, health, sexual orientation, political opinions, religious beliefs and others.

5 Sub-Processors and Transfers of Personal Data to third Countries

5.1

Controller approves that Processor may hire sub-processors within and outside the EU/EEA and may transfer personal data outside the EU/EEA. Processor shall ensure that sub-processors are bound by written agreements which impose on them corresponding data processing obligations as the obligations under this DPA in respect of data protection. Appendix 2 contains a list of sub-processors that from the date of entry into force of this DPA have been pre-approved.

5.2

If Processor intends to hire a new sub-processor or replace an existing sub-processor to process personal data covered by this DPA, Processor shall inform Controller of this in advance and give Controller the opportunity to object to such changes. Such objections by Controller shall be made in writing without undue delay from receipt of the information by the Controller. Processor shall provide Controller with all information that Controller may reasonably request to assess whether the appointment of the proposed sub-processor complies with the Controller’s obligations under this DPA and Applicable Data Protection Legislation. If, in accordance with Controller’s justifiable opinion, compliance with these obligations is not possible through the proposed sub-processor and Processor, despite Controller’s objection, wants to hire the proposed sub-processor, Controller is entitled to terminate this DPA at no extra cost. If the objection is not justified, the Controller is not entitled to terminate this DPA.

5.3

If personal data is transferred to or made available from outside EU/EEA, Processor shall ensure that the transfer is subject to an appropriate safeguard under Applicable Data Protection Legislation, such as standard data protection clauses adopted by the Commission. Controller hereby authorizes Processor to enter into such standard data protection clauses with sub-processors on behalf of Controller.

5.4 

If the Processor or the sub-contractor’s processing of personal data is in violation of this DPA or the instructions from the Controller and causes Controller or data subjects damage, such damage shall be compensated by the Processor.

6 Data protection and confidentiality

6.1

Processor shall implement systematic, organizational and technical measures to ensure an appropriate level of security, taking into account the latest technology and implementation costs in relation to the risk involved in the processing and the type of personal data to be protected. When assessing the appropriate level of security, special consideration shall be given to the risk of accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to personal data.

6.2

Processor is obliged to fulfill its legal obligations regarding data protection under Applicable Data Protection Legislation and shall in all cases take appropriate technical and organizational measures to protect the personal data being processed.

6.3

Processor shall ensure that only such personnel who directly need access to personal data in order to fulfill Processor’s obligations under this DPA have access to such data. Processor shall ensure that such personnel are subject to appropriate means of confidentiality.

6.4

Processor certifies that its activities are conducted in a manner that ensures compliance with the provisions and requirements of the Applicable Data Protection Legislation regarding adequate protection of personal data processing.

7 Disclosure of personal data and contacts with competent authorities

7.1

Without the prior written consent of Controller, Processor undertakes not to disclose or otherwise make personal data processed under this DPA available to third parties, unless otherwise required by Swedish or European law or pursuant to a decision by a competent court or authority.

7.2

If a data subject requests information from Processor regarding the processing of the data subject’s personal data, Processor shall without undue delay refer such request to the Controller.

7.3

If a competent authority requests information from Processor regarding the processing of personal data, Processor shall inform the Controller thereof without undue delay. Processor may not act in any way on behalf of the Controller or as its agent and may not transfer or otherwise disclose personal data or other information relating to the processing of personal data to third parties without the prior consent of Controller, unless otherwise required by Swedish or European law or pursuant to a non-appealable decision by a competent court or authority.

7.4

If, in accordance with applicable Swedish or European laws and regulations, Processor is requested to disclose personal data processed by Processor on behalf of Controller, Processor shall promptly notify Controller thereof, unless otherwise provided by applicable law or pursuant to a decision by a competent court or authority, and in connection with the disclosure request that the personal data be given confidential treatment.

8 Personal data breach

8.1

Processor shall notify Controller without undue delay after having become aware of a personal data breach.

8.2

Processor shall assist Controller with the information reasonably required to fulfill Controller’s obligation to report personal data breaches.

8.3

Processor shall enable the Controller to comply with all legal obligations regarding information to be provided to relevant data protection authorities and data subjects in personal data breaches or incidents.

8.4

Processor shall provide the Controller with a description of the personal data breach. The description must contain at least the following:

  • Description of the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data items concerned. 
  • Name of the person who can provide more information about the breach or answer questions.
  • Description of the likely consequences of the personal data breach. 
  • Description of the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.

9 Right to Audit

9.1

In its capacity as controller, Controller shall have the right to take the necessary steps to verify that Processor is able to fulfill its obligations under this DPA and actually has taken the necessary measures to ensure that such obligations are fulfilled.

9.2

Processor undertakes to provide Controller with all information required to demonstrate Processor’s compliance with its obligations under this DPA, and to enable and participate in such audit, including on-site inspections, carried out by Controller or other examiner appointed by Controller, provided that the persons performing the audit enter into customary confidentiality agreements.

10 Remuneration

10.1

Processor is entitled to compensation in accordance with Processor’s prevailing price list for work performed or assistance provided pursuant to the obligations in sections 4.1.4, 7, 8.2, 9 and 13 of this DPA.

11 Limitations of liability

11.1

The limitations of liability set out in section 18 of the Terms and Conditions shall apply to Processor’s liability under this DPA as if set out herein.

11.2

Processor shall only process personal data in accordance with Controller’s Instructions. Therefore, Processor is not liable in circumstances where Processor’s actions result from instructions received from Controller.

12 Term of agreement

12.1

The provisions of this DPA shall apply as long as Processor processes personal data for which Controller is the controller.

12.2

This DPA supersedes previously entered personal data processor agreement between the Parties and this DPA applies from 2021-03-11.

13 Measures after termination of this DPA

13.1

Upon termination of this DPA, Processor, at Controller’s discretion, shall delete or return all personal data processed under this DPA within thirty (30) days after the termination of the services provided by the Processor to the Controller, unless continued storage of personal data is required under Swedish or European law. If the Processor retains personal data after the termination of the agreement to the extent required by law, the Processor shall apply the same type of technical and organizational security measures as described in this DPA.

13.2

At the request of the Controller, Processor shall without undue delay confirm in writing the measures taken regarding the personal data, even where the provision of services has ended in accordance with section 12 above.

14 Changes to this DPA

14.1

Changes to, and additions to, this DPA shall be made in writing and be accepted by the Parties.

15 Applicable law and disputes

15.1

This DPA shall be interpreted and applied in accordance with Swedish law.

15.2

Disputes concerning the interpretation or application of this DPA shall be resolved in accordance with section 20 of the Terms and Conditions.

Appendix 1

Specification of the processing of personal data

Purposes

The purpose for which personal data will be processed by Processor:

– To enable the Controller to use the Processor’s Services or software in accordance with the Agreement.

Categories of personal data

Categories of personal data that the Processor will process:

– End users’ login information and contact information;
– Information about how the end user uses Processor’s service or Software, such as the end user’s search queries;
– Phone-related information, such as the end user’s phone number, the caller’s number, forwarding number, call lengths, SMS routing and call types;
– Recordings of phone calls to the Processor’s support, which can be used to get background information to help resolve or deal with a support request;
– When the end user contacts the Processor, the end user’s messages are saved in order to help the end user with a problem or provide information about the Processor’s services, whether immediately or at a later time; and
– Information about activity on a Media Player such as crashes, system activity, hardware settings, browser type, browser language, date and time of the end user’s request and address.

Categories of data subjects

Categories of data subjects whose personal data the Processor will process:

– Employees and consultants of the Controller, including end users of the Software.

Processing activities

Processing activities that will be performed by the Processor:

– Processing activities linked to the performance of the Processor’s Services in relation to the software, such as storing, collecting, deleting, changing and analyzing.

Location for the processing of personal data

Locations where personal data will be processed by the Processor:

– EU/EEA and the USA.

Data protection

Data protection measures:

– Access to personal data is limited both physically and virtually, and all data transfer and cold backup data is encrypted. 

– Any PLAYipp staff member who requires access to the Controller’s PLAYipp Manager account to fulfill the Controller’s instructions is required to use two-factor authentication.

More information about PLAYipp Data protection measures can be found in the Data Processing Agreement.

Appendix 2

Pre-approved sub-processors

| Sub-processor | Location of processing (country) |
|---|---|
| Glesys AB | Sweden |
| Google LLC | USA |
| Zendesk Inc | USA |
| Briljant Ekonomisystem AB | Sweden |
| Inexchange AB | Sweden |
| YouCanBookMe Limited | United Kingdom |
| Upsales Nordic AB | Sweden |
| Visma Software AB | Sweden |
| Algolia Inc. | USA |