Data Processing Agreement

Between customers using Tagd’s contract management system, hereinafter referred to as the “Customer”, and Tagd AB (559364-3058), hereinafter referred to as the “Supplier”.

The Customer has entered into an agreement, hereinafter referred to as the “Agreement”, with the Supplier or with a partner of the Supplier to use the Supplier’s contract management system provided as a software as a service, hereinafter referred to as the “Product”. This means that the Customer has the right to use the system during the subscription period. In connection with the Customer starting to use the Product, the Supplier will process personal data on behalf of the Customer. In this case, the Customer is to be regarded as the data controller and the Supplier becomes the data processor. The purpose of this agreement (the “Data Processing Agreement”) is to regulate this processing of personal data.

This Data Processing Agreement complies with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) in relation to the processing that the Supplier performs on behalf of the Customer within the framework of the Parties’ cooperation under the Agreement.

1. Definitions

In this Data Processing Agreement, the following terms shall have the following meanings:

“Data Protection Law” means:
(i) the General Data Protection Regulation and its replacement acts;
(ii) applicable Swedish data protection law; and
(iii) regulations relating to (i) and (ii) above, and regulations and guidelines issued by the Supervisory Authority, applicable to the Party’s business.

“Supervisory Authority”
The Authority for Privacy Protection in the respective country and, where applicable, any other competent supervisory authority that exercises supervision over a Party’s activities by virtue of law.

2. Agreement documents and application

2.1. Appendix 1 to this Agreement sets out what personal data is processed, the categories of data subjects and the purpose of the processing. Sub-processors that have been granted and have access to the Customer’s personal data are listed from time to time on www.tagd.ai.

3. General information about the processing under this Data Processing Agreement

3.1. The Supplier, as a Data Processor, undertakes to process personal data in accordance with Data Protection Legislation, this Data Processing Agreement, the Agreement, and the Customer’s documented instructions from time to time. Any processing of personal data other than what is necessary to fulfil the Supplier’s obligations under the Agreement, including that the Supplier carries out processing for its own purposes, is not permitted.

3.2. The Customer has the right to instruct the Supplier in writing on an ongoing basis regarding the Supplier’s processing of personal data processed in the light of this agreement.

3.3. The Data Processor shall inform the Data Controller if the Data Processor becomes aware that Personal Data has been Processed in violation of the Data Controller’s instructions, this Data Processing Agreement or Applicable Law.

4. Safety

4.1. Through this Data Processing Agreement, the Provider guarantees that the Provider implements such technical and organizational protection measures that meet the requirements of the Applicable Data Protection Legislation, in particular Article 32 of the General Data Protection Regulation, and thereby ensures that the rights of the Data Subjects are protected. Such measures entail, among other things, that the Supplier protects personal data against accidental or unlawful destruction, loss or alteration as well as against unauthorized disclosure and unauthorized access. The Customer has the right to be informed of the measures taken upon request.

4.2. The Provider shall allow such inspections as the Supervisory Authority may require to ensure that the personal data is processed in accordance with applicable law and this Agreement. The Supplier shall comply with decisions made by the Supervisory Authority on measures to meet security requirements in accordance with the Applicable Data Protection Legislation.

4.3. The Supplier further guarantees that the Supplier has the competence and resources to implement technical and organisational measures that meet the requirements of the Data Protection Legislation.

5. Transfer of personal data outside the EU/EEA

5.1. The Supplier may not, without the Customer’s written consent, transfer personal data covered by this agreement outside the EU/EEA area. This means, among other things, that the Supplier may not carry out the processing of personal data with equipment or resources located outside the EU/EEA area. If, taking into account the above, the Parties agree that personal data shall be transferred to a location outside the EU/EEA area, the Parties shall ensure that the transfer is permitted under Data Protection Legislation and, if necessary, sign the necessary standard contractual clauses or take other necessary measures.

6. Notification of Personal Data Breach and obligation to assist the Customer

6.1. The Supplier undertakes to inform the Customer in writing of any personal data breach without delay after the personal data breach was discovered by the Supplier. The information shall contain all necessary information required for the Customer, where applicable, to be able to fulfil its reporting and/or information obligation towards the Supervisory Authority and/or data subjects.

6.2. The Supplier shall otherwise assist the Customer at the Customer’s request to ensure that the Customer can fulfil its obligations under Data Protection Legislation. This may mean, for example, that the Supplier assists the Customer: (i) in the performance of its reporting/disclosure obligations to the Supervisory Authority and/or data subjects; (ii) by providing the Customer with all information reasonably required to certify the fulfilment of the Supplier’s obligations as a data processor under Data Protection Legislation; (iii) in fulfilment of the Customer’s obligations with respect to data subjects’ rights; (iv) when conducting risk analyses and data protection impact assessments; and (v) in prior consultation with the Supervisory Authority.

7. Contact with Data Subjects and Supervisory Authorities

7.1. In the event that a Data Subject, Supervisory Authority or other third party requests information from the Supplier concerning the processing of personal data processed under this Agreement, the Supplier shall immediately refer such request to the Customer and await its instructions.

7.2. The Supplier shall without delay inform the Customer of any contact with data subjects, supervisory authorities or other third parties, which relates to the Supplier’s processing of the personal data. The Supplier is not entitled to represent the Customer or otherwise act on behalf of the Customer in relation to data subjects, supervisory authorities or other third parties.

8. Subcontractors

8.1. The Customer hereby approves the use of the sub-processors that the Supplier has already engaged and informed the Customer about on its website www.tagd.ai.

8.2. The Supplier undertakes to inform the Customer of any plans to engage new sub-processors and/or replace existing sub-processors at least thirty (30) days prior to such plans being implemented with a right for the Customer to terminate the Agreement including this Data Processor Agreement if the Customer has reasonable grounds not to accept the Supplier’s engagement of a new sub-processor. If the Customer does not return to the Supplier within the thirty (30) days, the Customer will be deemed to have approved the Supplier’s plan to engage/replace the sub-processor(s) that the Supplier has informed the Customer of.

8.3. The Customer’s approval in accordance with sections 9.1 and 9.2 above shall be regarded as a special permission for the Supplier to enter into a personal data processing agreement on behalf of the Customer with sub-processors who will process personal data. Such data processing agreement between the Supplier and a sub-processor must be a written agreement whereby the sub-processor is subject to the same obligations as this Data Processing Agreement imposes on the Supplier.

8.4. The Supplier is responsible for ensuring that the applicable rules of the Data Protection Act are taken into account when employing sub-processors. The Supplier shall take all necessary measures to ensure that the subcontractor processes the personal data in accordance with the Data Processing Agreement and ensure that these provide sufficient guarantees to implement appropriate technical and organisational measures.

9. Right of access

9.1. The Supplier shall, at the request of the Customer, in order to ensure that processing takes place in accordance with this Agreement, enable and contribute to a reasonable extent to audits, including inspections and access to the Supplier’s premises, which are carried out by the Customer or by another third party on behalf of the Customer.

9.2. If the Customer engages a third party to carry out an inspection of the Supplier’s processing of personal data on behalf of the Customer, the Customer shall ensure that such third party signs an appropriate confidentiality agreement not to disclose information to third parties prior to any inspection.

9.3. Transparency for review, disclosure of information and the like shall take place at the time requested by the Customer or the Supervisory Authority, which shall, as far as possible, be scheduled at times of the day and otherwise take place in a manner that causes the least possible impact on the Parties’ respective ordinary operations. The audit of the Supplier shall be carried out in compliance with the security measures set by the Supplier, provided that the measures do not prevent or cause significant difficulties in carrying out the audit. Unless otherwise provided in a separate written agreement, each Party shall bear its own costs in connection with such review and for the provision of information.

10. Confidentiality

10.1. In addition to the confidentiality obligations arising from the Agreement, the Supplier undertakes not to disclose personal data or other information about the processing of personal data to third parties without explicit instructions from the Customer. The Provider shall ensure that each person who is granted access to the processing of personal data has undertaken to observe confidentiality or is subject to an appropriate statutory duty of confidentiality in accordance with the requirements of Data Protection Legislation. This confidentiality obligation does not apply in relation to subcontractors with whom sub-processor agreements exist. However, such a sub-processor agreement must contain a corresponding confidentiality obligation for the subcontractor.

11. Compensation

11.1 Unless otherwise stated herein, the Supplier is not entitled to any compensation for the processing of personal data or for otherwise fulfilling its obligations under the Data Processing Agreement.

11.2 In the event of amended instructions, the Customer shall compensate the Supplier for reasonable and documented increased costs as a result of the amended instructions, provided, however, that (i) the amended instructions are specific to the Customer and do not follow from general requirements for the Services provided by the Supplier under the Agreement, such as changed legislation or market practice, and (ii) the Supplier, in writing, notifies the Customer of the cost increases, no later than three months after the Customer has issued the amended instruction.

12. Responsibility

12.1. In the case of compensation for damage in connection with processing which, by way of a confirmed judgment or settlement, is to be paid to the data subject due to a breach of a provision in the Data Processing Agreement and/or the applicable provision in the Data Protection Legislation, Article 82 of the General Data Protection Regulation shall apply.

12.2. Fines under Article 83 of the General Data Protection Regulation, or Chapter 6, Section 2 of the Act (2018:218) with supplementary provisions to the EU’s General Data Protection Regulation, shall be borne by the party who has been charged with such a fee.

12.3. If either party becomes aware of a circumstance that may lead to harm to the other party, the party shall immediately inform the other party of the circumstance and actively work together with the other party to prevent and minimize such damage. Further, each Party shall be liable to Data Subjects for any damage it causes through breach of its obligations under Data Protection Laws or this Data Protection Agreement. A Party that is the subject of a claim for damages from data subjects and where it is likely that such damage has been caused by the other Party shall, in order to be entitled to pass on any part of the damage to the other Party, without undue delay notify the other Party in writing of the claim and shall allow the other Party, at its own expense, to participate in the defence against the claims.

12.4. It is specifically agreed that any limitations of liability agreed elsewhere between the Customer and the Supplier shall also apply to this Data Processing Agreement.

13. Cessation of processing of personal data

Upon termination of the Supplier’s processing of personal data, for whatever reason, the Supplier shall, in accordance with the Customer’s instructions, either (i) transfer all personal data to the Customer in such manner, on such medium and in such format as is consistent with the Customer’s reasonable instructions; or (ii) permanently delete personal data and delete existing copies. In the event of transfer or deletion pursuant to this section, the Provider shall ensure that the data cannot be recreated.

14. Term

This Data Processing Agreement applies from its signature and for as long as the Supplier processes personal data.

15. Transfer

No party is entitled to assign any obligations or rights under this Data Processing Agreement to a third party, in whole or in part.

16. Applicable law and dispute resolution

This Data Processing Agreement and all processing of personal data under the Data Processing Agreement are governed by Swedish law with the exception of applicable conflict of law rules. Any dispute regarding the interpretation or application of this Data Processing Agreement shall be settled in accordance with the Agreement’s dispute resolution provisions.

ANNEX 1

1. Overview of the processing of personal data:

For the use of the services, user accounts are created, which means that personal data is recorded about the users. Contact persons at the Customers’ customers are also registered. In addition, personal data about others than users may be registered in the Services by the Customer’s administrators. Only personal data that the Customer registers in the Services will be processed.

2. Purpose:

  • Create and administer user accounts (incl. to ensure secure login/access control)
  • Communicate with users
  • Enable the Customer to create an overview of and gain control regarding which individuals are representatives/contact persons/responsible for a particular activity

3. Categories of Data Subjects:

  • Individuals in the Customer’s organization who have been granted the right to use the Provider’s services and thus registered as users
  • Individuals registered in the Services by the Customer’s users as a contact person, representative and/or responsible for the agreements registered in the Service.

4. Information where someone is the contact person for the agreement

User information:

Name, E-mail, password.

Telephone number, Organisation, Department, Title.

Contract-related information

Information about contact persons

Name, email address and tel no.

Execution of tasks related to a specific physical person.

User log information.