These general terms and conditions (“Terms”) apply to Leadsius AB’s, reg. no. 556776-5606 (“Supplier”), processing of Personal Data on behalf of the Customer following the Main Arrangement. The Supplier and Customer are hereinafter each referred to as a “Party” and jointly as the “Parties”. These Terms govern the conditions for the Supplier’s processing of, and access to, Personal Data belonging to the Customer.
Any term which is used in the General Data Protection Regulation and which is not defined below shall have the meaning which follows from Article 4 of the General Data Protection Regulation.
means national laws which, from time to time, apply to Processing of Personal Data (excluding the General Data Protection Regulation);
means an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
General Data Protection Regulation
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation);
means any written and signed (by both Parties) instructions concerning Personal Data Processing that the Customer, from time to time, may provide to the Supplier;
means any information relating to an identified or identifiable natural person, whereupon an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
means a natural or legal person, public authority, institution, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union law or Member State law;
means the Supplier’s provision of IT services to the Customer which has been agreed between the Parties through the Customer’s acceptance of the Supplier’s Terms of Service;
means a natural or legal person, public authority, institution, or other body which processes Personal Data on behalf of the Controller;
Personal Data Breach
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed; and
means the living natural person whose Personal Data is Processed.
2.1 The Customer is the Controller of the Personal Data which is Processed within the scope of the Main Arrangement.
2.2 The Supplier is regarded as the Processor on behalf of the Customer.
2.3 The Supplier has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing of Personal Data meets the requirements of the General Data Protection Regulation and any Other Regulation, and ensures protection of the rights of the Data Subject.
2.4 Taking into consideration the nature of the Processing, the Supplier shall assist the Customer by taking suitable technical and organisational measures, to the extent possible, to enable the Customer to perform its obligation to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the General Data Protection Regulation.
2.5 If the Supplier believes that the Instruction or other instruction or notification from the Customer would conflict with the General Data Protection Regulation or any Other Regulation, the Supplier shall be entitled to notify the Customer and defer the Processing in question.
3.1 The Supplier shall process Personal Data on behalf of the Customer pursuant to the Main Arrangement subject to the conditions below.
3.1.1 Categories of Personal Data
The Supplier shall Process the following categories of Personal Data:
3.1.2 Categories of Processing
3.1.3 Categories of Data Subjects
The following categories of Data Subjects are included: Customer’s end customers/users/potential customers.
3.1.4 Purpose of each Processing activity
The purpose of each Processing activity is as follows: send emails to the Data Subjects, track the Data Subjects’ online behaviour.
4.1 The Supplier shall take all safeguards required under Article 32 of the General Data Protection Regulation.
4.2 Taking into consideration the type of Processing and the information which the Supplier has, the Supplier shall assist the Customer in ensuring that the obligations regarding security can be satisfied in a manner which follows from Article 32 of the General Data Protection Regulation.
4.3 In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data which is transferred, stored, or otherwise processed.
5.1 Taking into consideration the type of Processing and the information available to the Supplier, the Supplier shall assist the Customer in ensuring that the obligations arising due to any Personal Data Breach can be fulfilled in a manner as required in Articles 33-34 of the General Data Protection Regulation.
6.1 Taking into consideration the nature of the Processing and the information which is available to the Supplier, the Supplier shall assist the Customer in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the General Data Protection Regulation.
7.1 The Customer shall be entitled to provide Instructions to the Supplier from time to time. The Supplier shall be entitled to compensation for additional costs incurred as a result of the Customer’s Instructions. The Supplier undertakes to Process Personal Data for which the Customer is Controller in accordance with these Terms and any Instructions.
8.1 The Supplier shall take steps to ensure that any subprocessor acting under the authority of the Supplier who has access to personal data belonging to the Customer does not process them except in accordance with these Terms and applicable law.
8.2 In the event the subprocessor fails to fulfil its obligations, the Supplier shall be liable to the Customer for the performance of the subprocessor’s obligations.
8.3 The Supplier is aware that it must comply with the provisions regarding retention of subprocessors.
9.1 The Supplier may move, store, transfer, or otherwise process Personal Data belonging to the Customer outside of the EU/EEA, provided such transfer meets the requirements and undertakings which follow from the General Data Protection Regulation.
10.1 The Supplier shall grant the Customer access to all information which is required and necessary to enable the Customer to verify compliance with the obligations which follow from Article 28 of the General Data Protection Regulation and to enable and assist in audits, including inspections, which are conducted by the Customer or by an examiner authorised by the Customer. The Supplier shall, at all times, be entitled to reasonable notice in the event the Customer wishes to exercise its right to conduct an audit or inspection and the Customer shall compensate the Supplier for its costs incurred in connection with any such audit or inspection.
11.1 Irrespective of whether the General Data Protection Regulation obligates the Supplier to maintain records, the Supplier shall, pursuant to these Terms, maintain an electronic record regarding all categories of Processing activities carried out on behalf of the Customer. Where a record need not be maintained pursuant to the provisions of the General Data Protection Regulation, the record must contain, at a minimum, the following information:
a) name and contact details of the Supplier and the Customer and, where applicable, the data protection officers at the Supplier and the Customer;
b) the purposes of the Processing;
c) a description of the categories of Data Subjects and of the categories of Personal Data;
d) the categories of Processing which have been, and are being, carried out on behalf of the Customer;
e) the categories of recipients to whom the Personal Data has been, or will be, disclosed, including recipients in third countries or international organisations;
f) the envisaged time limits for erasure of the different categories of data;
g) any transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and documentation of suitable safeguards;
h) a general description of the technical and organisational security measures taken by the Supplier pursuant to section 7 of these Terms.
12.1 The Supplier shall receive compensation for measures which it takes in respect of Processing of Personal Data in accordance with these Terms or as a consequence of these Terms otherwise.
13.1 A Party’s liability under these Terms or as a result of the Processing which is covered under these Terms shall be limited to one hundred thousand kronor (SEK 100,000). The Parties are aware that the limitation of liability shall not apply: (i) in the event the supervisory authority or a court orders any of the Parties to pay an administrative fine; (ii) a Party has a right of subrogation against the other Party because such Party was ordered to pay an administrative fine which legitimately (or through joint and several liability) should have been imposed on the other Party; or (iii) in conjunction with a claim for damages brought by a Data Subject.
14.1 When the Supplier discontinues Processing Personal Data on behalf of the Customer, the Supplier shall return all Personal Data to the Customer in the manner instructed by the Customer or, upon the Customer’s written notice, destroy and erase all Personal Data which is associated with these Terms.
14.2 Following termination of these Terms, the Supplier shall not be entitled to save any Personal Data belonging to the Customer and, as soon as the Supplier has complied with the provisions of subsection 16.1 above, the Supplier’s right to process or otherwise use Personal Data belonging to the Customer shall cease (provided storage of Personal Data is not required pursuant to national law or Union law, or the Supplier has legal grounds to process relevant Personal Data).
15.1 The Parties hereby undertake, during the term of these Terms and thereafter, not to disclose to any third party information regarding these Terms, nor any other information which the Parties have learned as a result of these Terms, whether written or oral and irrespective of form (“Confidential Information”). The Parties agree and acknowledge that the Confidential Information may be used solely for the fulfilment of the obligations under these Terms and not for any other purpose. The receiving Party further agrees to use, and cause its directors, officers, employees, sub-contractors or other intermediaries to use, the same degree of care (but not less than reasonable care) to avoid disclosure or use of Confidential Information as it uses with respect to its own confidential and/or proprietary information.
15.2 This confidentiality undertaking does not apply to information which
a) at the date of its disclosure is in the public domain or at any time thereafter comes into the public domain (other than by breach of these Terms); or
b) the receiving Party can evidence was in its possession or was independently developed at the time of disclosure and was not obtained, directly or indirectly, by or as a result of breach of a confidentiality obligation.
15.3 Neither shall this confidentiality undertaking apply to the extent that any Party is required to make a disclosure of information by law or pursuant to any order of court or other competent authority or tribunal or by any applicable stock exchange regulations or the regulations of any other recognised market place. In the event that any Party would be required to make any such disclosure, each Party undertakes to give the other Party immediate notice prior to any such disclosure, in order to make it possible for the other Party to seek an appropriate protective order or other remedy. Each Party also agrees and undertakes to use its best efforts to ensure that any information disclosed under this section, to the extent possible, shall be treated confidentially by anyone receiving such information.
16.1 Neither Party shall be entitled to assign its rights and/or obligations under these Terms, in whole or in part, without the prior written consent of the other Party.
17.1 These Terms shall be governed by and construed in accordance with the laws of Sweden without regard to its principles of conflict of laws.
17.2 Any dispute, controversy or claim arising out of or in connection with these Terms, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators.
17.3 The seat of arbitration shall be Stockholm, Sweden.
17.4 The language to be used in the arbitral proceedings shall be English.
17.5 The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the prior consent of the other Party.