-
Purpose
The purpose of this Data Processing Agreement (“DPA”) is to regulate the Processor’s processing of personal data on behalf of the Controller whilst providing the eMarketeer service (“the Service”) and constitute an integrated part of the eMarketeer Terms of Service (“TOS”).
This Data Processing Agreement governs the Processor’s rights and obligations, in order to ensure that all Processing of Personal Data is conducted in compliance with applicable data protection legislation.
Processing of Personal Data (as defined below) is subject to requirements and obligations pursuant to applicable law. When the Controller is a legal entity established in the European Economic Area (the “EEA”) relevant data protection legislation will include the Norwegian data protection legislation and the present EU- Regulation 2016/679 dated April 27th 2016. The parties agree to amend this Data Processing Agreement to the extent necessary due to any mandatory new requirements following from the EU Regulation 2016/679 and the revised Electronic Communications Regulation (“ePrivacy”)
“Personal Data” shall mean any information relating to an identified or identifiable natural person, as further defined in applicable law and EU- Regulation 2016/679
“Processing” of Personal Data shall mean any use, operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, transfer, storage, alteration, disclosure as further defined in applicable law and EU- Regulation 2016/679
“Third Countries” shall mean countries outside of the EU/EEA area which are not recognized as countries providing adequate protection of Personal Data.
2. Controller’s responsibilities (Customer)
In order to access the Service, the Controller must provide certain data to the Processor, including correct name, contact data and email addresses of the users. In addition, the users of the Service must allow the Processor to store and retrieve session information through the use of “cookies” which are necessary to enable the login/logout procedures used in the Service and to ensure that unauthorized persons do not gain access to the Services.
The Controller acknowledges and accepts that any personal data that the Controller uploads onto the Service, such as uploaded personal data pertaining to the Controller’s own customers, may be transferred to a third party (sub processor) based in the European Economic Area (EEA) which will provide for hosting of the Service, including the provisioning of all hardware, infrastructure, data storage and communication lines. The obligations of the third party in regards to personal data are set forth in a separate data processing agreement between Processor and the third party within the framework of this DPA. All data in the Service are stored on servers located in the EU.
“The Controller accepts the use of subcontractors listed in Annex [1]. If the Processor plans to change subcontractors or plans to use a new sub-contractor, Processor shall notify the Controller in writing 3 months prior to any processing by the new sub-contractor, and the Controller is entitled to object to the change of subcontractors within 1 month. If the Controller objects to the change, the Parties shall negotiate in good faith in order to agree on a reasonable solution for how the Processor may continue to process personal data. If the Parties cannot agree on a solution within 1 month from the date the Controller submitted its objection, the Controller is entitled to terminate the performance of the affected parts of the Agreement with a 3 month termination period.”
The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).
The Controller is responsible for complying with the Service’s procedures, guidelines, updates and changes at any given time.
The Controller can process personal data only with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Controller’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations.
The Controller confirms that the Controller:
- Has sufficient lawful basis for Processing of Personal Data;
- Has the right to use the Processor for Processing of the Personal Data;
- Has the responsibility for the correctness, integrity, content, reliability and legality of the Personal Data;
- Complies with applicable law on notification to and authorizations from relevant authorities;
- Has informed the Data Subject in accordance with applicable law
The Controller shall:
- Reply to requests from the Data Subjects regarding the Processing of Personal Data pursuant to this Data Processing Agreement;
- Assess the necessity for specific measures as set forth in this Data Processing Agreement Art. 3.3.2 and 3.3.4, and order such measures from the Processor.
The Controller shall implement sufficient technical and organizational measures to ensure and demonstrate compliance with the EU Regulation 2016/679.
The Controller has a duty to notify any personal data breaches to the relevant authorities and, if necessary, the Data Subjects without undue delay in accordance with applicable law.
3. Processor’s responsibilities (eMarketeer AB)
3.1 Compliance
The Processor shall comply with all provisions for the protection of Personal Data set out in this Data Processing Agreement and in applicable data protection legislation with relevance for Processing of Personal Data. The Processor shall provide the Controller with assistance to ensure and document that the Controller complies with its requirements under the applicable data protection legislation.
3.1.1 Processor shall
comply with all applicable Data Protection Laws in the Processing of Company Personal Data
3.2 Restrictions on use
The Processor shall only Process Personal Data on, and in accordance with the instructions from the Controller. The Processor shall not Process Personal Data without prior written agreement with the Controller or without written instructions from the Controller beyond what is necessary to fulfil its obligations towards the Controller under the Agreement.
3.3 Information Security
3.3.1 Duty to ensure information security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
3.3.2 Assessment of measures
See “eMarketeer Cloud Security Measures” and ”eMarketeer Information Security Policy” weich describe the measurement taken by eMarketeer
3.3.3 Requests from the data subjects
Considering the nature of the Processing, the Processors shall implement appropriate technical and organisational measures to support the Controller’s obligation to respond to requests regarding exercising the rights of the data subject.
3.3.3.4 Processor shall
ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
3.3.4 Personal Data Breach
3.3.4.1
Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
3.3.4.2
Processors shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
3.3.4.3
Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.
This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
the right to be informed when collecting personal data from the data subject
the right to be informed when personal data have not been obtained from the data subject
the right of access by the data subject
the right to rectification
the right to erasure (‘the right to be forgotten’)
the right to restriction of processing
notification obligation regarding rectification or erasure of personal data or restriction of processing
the right to data portability
the right to object
the right not to be subject to a decision based solely on automated processing, including profiling
3.3.5 Compensation
Assistance from the Processor as set down in the Data Processing Agreement, shall be deemed as an integral part of the Processors obligations under the Agreement and is therefore not subjected to additional compensation.
Assistance from the Processor in relation to specific routines and instructions imposed by the Controller that are outside the legal scope of GDPR, shall be compensated by the Controller in accordance with the Processor’s regular terms and prices.
3.4 Discrepancies and data breach notifications
Any use of the information systems and the Personal Data not compliant with established routines, instructions from the Controller or applicable data protection legislation, as well as any security breaches, shall be treated as a discrepancy.
The Processor shall have in place routines and systematic processes to follow up discrepancies, which shall include re-establishing of the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.
The Processor shall immediately notify the Controller of any breach of this Agreement or of accidental, unlawful or unauthorized access to, use or disclosure of Personal Data, or that the Personal Data may have been compromised or a breach of the integrity of the Personal Data. The Processor shall provide the Controller with all information necessary to enable the Controller to comply with applicable data protection legislation and enabling the Controller to answer any inquiries from the applicable data protection authorities. It is the Controller’s responsibility to notify the applicable Data Protection Authority of discrepancies in accordance with applicable law.
3.5 Confidentiality
The Processor shall keep confidential all Personal Data and other confidential information. The Processor shall ensure that each member of the staff of the Processor, whether employed or hired employee, having access to or being involved with the Processing of Personal Data under the Agreement (i) undertakes a duty of confidentiality and (ii) is informed of and complies with the obligations of this Data Processing Agreement. The duty of confidentiality shall also apply after termination of the Agreement or this Data Processing Agreement.
3.6. Security Audits
The Processor shall on a regular basis carry out security audits for systems and similar relevant for the Processing of Personal Data covered by this Data Processing Agreement. Reports documenting the result and dates of security audits shall be available to the Controller.
The Controller has the right to demand security audits performed by an independent third party, which shall be approved by the Processor. The third party will provide a report to be delivered to the Controller upon request. The Controller accepts that the Processor may claim compensation for the performance of the audit.
3.7 Transfer of Personal Data to Third Countries
The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
3.8 Subprocessing
3.8.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company.
3.8.2 will be liable to the data controller for the money that the data controller paid to the data subject, even if the incident was the fault of its subprocessor.
4. Liability, breach
In the event of breach of this Data Protection Agreement, or a breach of obligations according to applicable law on Processing of Personal Data, the relevant provisions regarding breach in the TOS shall apply.
Claims from one party due to the other party’s non-compliance with the Data Processing Agreement shall be subject to the same limitations as in the TOS. In assessing whether the limitation in the TOS is reached, claims under this Data Processing Agreement and the TOS shall be viewed in conjunction, and the limitation in the TOS shall be viewed as a total limitation.
The Processor shall notify the Controller without undue delay if it will or has reason to believe it will be unable to comply with any of its obligations under this Data Protection Agreement.
Term and termination of the Data Processing Agreement, changes
This Data Processing Agreement shall be effective from the date it is signed by both parties and until the Processor’s obligations in relation to the performance of services in accordance with the TOS is terminated, except for those provisions in the TOS and Data Processing Agreement that continues to apply after such termination.
Upon termination of this Data Processing Agreement the Personal Data/data shall be returned in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of the Personal Data/data. The Processor shall first return and subsequently delete all Personal Data and other data. The Processor (and its subcontractors) shall immediately stop the Processing of Personal Data from the date stipulated by the Controller
As an alternative to returning the Personal Data (or other data), the Controller may, at its sole discretion, instruct the Processor in writing, that all or parts of the Personal Data (or other data) shall be deleted by the Processor, unless the Processor is prevented by mandatory law from deleting the Personal Data.
The Processor has no right to keep a copy of any data provided by the Controller in relation to the TOS or this Data Protection Agreement in any format, and all physical and logical access to such Personal Data or other data shall be deleted.
The Processor shall provide the Controller when requested with a written declaration whereby the Processor warrants that all Personal Data or other data mentioned above has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, print out or kept the data on any medium.
The obligations pursuant to sections 3.5 and 4 shall continue to apply after termination. Further, the provisions of the Data Processing Agreement shall apply in full to any Personal Data retained by the Processor in violation of this section 5.
The parties shall amend this Data Protection Agreement upon relevant changes in applicable law.
5. Dispute and jurisdiction
This Data Processing Agreement shall be governed by and construed in accordance with the laws of Sweden. The legal venue shall be Stockholm District Court.
Appendix:
Privacy Data details and the use of sub-Processors
This Appendix forms part of the Data Processing Agreement and must be completed by the parties. The Annex specifies the Data Subjects, Categories of Personal Data and the Processing Operations of the data. This Appendix also specifies pre-approved sub-Processors.
eMarketeer processing of Personal Data
| Entity Company Name | eMarketeer AB |
| Entity Country | Sweden |
| Processing Country | EU (AWS) |
| Entity Type and description of Service | Cloud Service Provider. eMarketeer offers functionality for marketing as well as specialized functionality for marketing automation, sales and service. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Registered users of the service eMarketeer and end users targeted by the solution. |
| Categories of Personal Data | Name, contact details, Professional life data, Connection Data; Localisations Data; IP addresses; behaviour details. |
| Sensitive personal Data (if relevant) | None |
| The Personal Data will be subject to the following Processing activities. | Personalizing marketing material and using phone numbers and emails to contact end-users. |
| Additional information regarding Privacy and Security Governance. | See eMarketeer Privacy Policy & Information Security Policy. |
Pre-approved Sub-Processor’s
The eMarketeer application uses third party applications (sub-processors) for certain subtasks related to the deliverability and operability of the application. Below is a list of the third parties we use.
The following sub-Processors are pre-approved by eMarketeer AB:
All data stored and processed at Amazon Data Service (AWS), is controlled and encrypted by eMarketeer. AWS can
not see any data in transit or at rest.
| Entity Company Name | Amazon Data Services Ireland Ltd |
| Company website | https://aws.amazon.com/ |
| Entity Country | Ireland |
| Processing Country | Ireland |
| Entity Type and description of Service | Cloud Service Provider |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Registered users of the service eMarketeer and end users targeted by the solution. |
| Categories of Personal Data | Name, contact details, Professional life data, Connection Data; Localisations Data; IP addresses; behaviour details. |
| Sensitive personal Data (if relevant) | None |
| The Personal Data will be subject to the following Processing activities. | Personalizing marketing material and using phone numbers and emails to contact end-users. |
| Additional information regarding Privacy and Security Governance. | https://aws.amazon.com/compliance/eu-data-protection/ |
Pre-approved Sub-Processor:
| Entity Company Name | Superoffice AS |
| Company website | https://www.superoffice.com |
| Entity Country | Norway |
| Processing Country | Norway |
| Entity Type and description of Service | CRM |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Registered users of the service eMarketeer |
| Categories of Personal Data | Name, contact details, Professional life data |
| Sensitive personal Data (if relevant) | None |
| The Personal Data will be subject to the following Processing activities. | Personalizing marketing material and using phone numbers and emails to contact end-users. |
| Additional information regarding Privacy and Security Governance. | https://www.superoffice.com/trust-center/governance/ |
Pre-approved Sub-Processor:
| Entity Company Name | 46elks |
| Company website | https://www.46elks.se/ |
| Entity Country | Sweden |
| Processing Country | Sweden |
| Entity Type and description of Service | SMS Gateway Services |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | End-users |
| Categories of Personal Data | Phone number |
| Sensitive personal Data (if relevant) | None |
| The Personal Data will be subject to the following Processing activities. | Sending SMS |
| Additional information regarding Privacy and Security Governance. | https://46elks.com/data-protection |
Pre-approved Sub-Processor:
| Entity Company Name | Auth0 |
| Company website | https://auth0.com |
| Entity Country | USA |
| Processing Country | EU |
| Entity Type and description of Service | Authentication of users |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | End-users |
| Categories of Personal Data | email address |
| Sensitive personal Data (if relevant) | None |
| The Personal Data will be subject to the following Processing activities. | Authentication of users |
| Additional information regarding Privacy and Security Governance. | https://auth0.com/docs/compliance/gdpr |
Pre-approved Sub-Processor:
| Entity Company Name | FullContact |
| Company website | https://www.fullcontact.com/ |
| Entity Country | USA |
| Processing Country | USA |
| Entity Type and description of Service | data enrichment |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | web visitors |
| Categories of Personal Data | emails |
| Sensitive personal Data (if relevant) | |
| The Personal Data will be subject to the following Processing activities. | enrichment |
| Additional information regarding Privacy and Security Governance. | https://www.fullcontact.com/privacy/privacy-policy/ Integration can be disabled on account level. |
Pre-approved Sub-Processor:
| Entity Company Name | Google Inc |
| Company website | https://www.google.com/ Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”). |
| Entity Country | USA |
| Processing Country | USA |
| Entity Type and description of Service | spam and attack prevention |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | web visitors submitting an eMarketeer form |
| Categories of Personal Data | emails |
| Sensitive personal Data (if relevant) | |
| The Personal Data will be subject to the following Processing activities. | Recaptcha is used to determine whether data submitted to our website (eg via forms) comes from a person or an automated program
The use of Recaptcha and the data it collects are supported in Art. 6 (1) (e) GDPR. This means that the owner of the website has the right to protect his website from automated spam and other attacks. |
| Additional information regarding Privacy and Security Governance. | https://support.emarketeer.com/documentation/recaptcha-em-forms/ Can be disabled under integration settings. |