Roaring Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is an integral part of the Agreement (the “Agreement”), entered into between you (the "Customer") and Roaring, and shall apply to all relations that are formed between Roaring and the Customer in the course of using Roaring Services and relate to processing of the Personal data. Capitalized terms used in this DPA that are not defined herein have the meanings given to them in the Agreement.

1. Definitions

Included personal information: refers to Personal data which is defined below and which under the Agreement is processed by the Data Processor on behalf of the Data Controller.

Data Controller: refers to the entity who alone or together with others determines the purposes and means of processing the Included personal information.

Data Processor: refers to the entity who deals with Included personal information on behalf of the Data Controller.

GDPR: refers to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of Personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), as well as other data protection legislation that supplements or implements the general data protection regulation.

Processing: refers to an action or combination of actions concerning personal data or sets of personal data, regardless of whether they are performed automatically or not, such as collection, registration, organization, structuring, storage, processing or modification, production, reading, use, disclosure by transmission, dissemination or otherwise providing, adjusting or combining, limiting, erasing or destroying.

Registered: refers to the person to whom Personal data relates.

Personal Data: means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, address, phone number, photos or any other way defined in GDPR.

Sub-Processors: a third party data processor engaged by the Data Processor who has or will have access to or process Personal data from a Data Controller.

2. Background

According to GDPR, an agreement is required when a legal entity handles Personal data on behalf of another legal entity. The Agreement between Roaring and the Customer constitutes that Roaring, the Data Processor, will process Personal data on behalf of the Customer, the Data Controller, on the provision of the Services in accordance with the Agreement.

3. Processing of Included personal information

Data Processor shall provide the Services to The Data Controller to the extent and in the manner described in the Agreement. Unless otherwise stated in the description of the Services in the Agreement, the Services include the following: APIs (Integrations), Roaring Web (Web) and Webhooks (Monitoring) that contain Included personal information. The Data Controller needs to have updated customer records, to be able to carry out checks required by the Money Laundering Act and otherwise be able to ensure that business is conducted in a secure way with their customers. It is therefore necessary for the Data Controller to follow the GDPR regarding the Included personal information. The Data Controller is responsible for ensuring that Included Personal Information is accurate and updated at any given time.

The processing of Personal data in accordance with this DPA covers the following categories of data subjects: The Data controller's customers, employees, consultants and individual users. The processing of Personal data under this DPA covers for example the following categories of Personal data: name, title, role, e-mail address and IP address.

Data Processor shall only process Included Personal Information in accordance with the written instructions of the Data Controller. Data Processor shall not use or disclose Included Personal Data for any other purpose.

If the Data Processor considers that an instruction from the Data Controller is in violation of GDPR, the Data Processor shall immediately inform The Data Controller of this and await further instructions.

Data Processor shall not, without order from the relevant supervisory authority or mandatory legislation, disclose Included Personal Data to any third party unless otherwise agreed in writing or needed for Data Processor to be able to provide the Services.

The Data Processor shall assist The Data Controller in ensuring that the obligations under Articles 32-36 of the GDPR are fulfilled, taking into account the type of processing and the information available to the Data Processor.

In the nature of the processing, Data Processor shall, at the request of the Data Controller, assist The Data Controller through appropriate technical and organizational measures, to the extent that this is possible, so that The Data Controller can fulfill its obligation to respond to the request for the exercise of the Registered's rights in accordance with the GDPR Chapter III.

4. Transfer to third countries

Included Personal Information, which is processed by the Data Processor on behalf of the Data Controller, shall only be transferred to countries outside the EU/EEA (third countries) according to instructions from the Data Controller or as otherwise agreed between the Parties. Transfer to third countries requires, even with instructions and/or agreement in place, that the requirements for security and protection of the data subjects' rights according to the data protection legislation are met.

When transferring or otherwise giving a third country access to Personal Data, or when a sub-processor is incorporated in a third country or has ultimate ownership in a third country, the Data Controller or Data Processor on behalf of the Data Controller shall ensure that the Data Processor or Data Processor's sub-processors have provided the necessary guarantees to ensure an adequate level of protection of the Personal Data. Such necessary guarantees include, but are not limited to, establishing that there is an adequate level of protection.

5. Security and privacy

Data Processor shall implement and maintain appropriate technical and organizational measures in accordance with the instructions of the Data Controller. The Data Controller acknowledges that certain measures may be sensitive to technical progress and development, which is why Data Processor is given the right to implement and maintain alternative measures that achieve a corresponding or higher level of security in relation to what is instructed by the Data Controller.

If the Data Controller instructs Data Processor to take technical and/or organizational measures of such a nature that Data Processor does not consider these to be generally necessary or applicable to the other Data Processor's customers, and thus customer unique to the Data Controller, the Data Processor shall inform The Data Controller of this before the additional measures are taken. The Parties must agree on a reasonable remuneration for the Data Processor to take the proposed measures.

Data Processor shall ensure that all employees, consultants and other persons that Data Processor is responsible for and who deal with Included Personal Information, have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.

6. Auditing and requesting information

The Data Processor shall, without undue delay, inform The Data Controller of any contacts with the Swedish Authority for Privacy Protection, or any other authority that concerns or may be of importance for the processing of Included Personal Data, unless the Data Processor is prevented from providing such information to the Data Controller. Data Processor is not entitled to represent The Data Controller, or in any other way act on behalf of The Data Controller, against the Swedish Authority for Privacy Protection or other third party without the written consent of the Data Controller.

The Data Controller is entitled to carry out audits itself or through well-reputed and appropriate third parties against the Data Processor, in the least interfering way possible in order to verify that the Data Processor's processing of Included Personal Information follows GDPR. In such audits or inspections, the Data Processor shall provide The Data Controller with the assistance that may reasonably be needed for the performance of the audit on the basis of the purpose. Data Processor is entitled to compensation from The Data Controller for the reasonable costs that arise as a result of such an audit or control.

7. Sub-processors

The Data Controller is aware of and accepts that the Data Processor may use Sub-processors and suppliers to fulfill its obligations under the Agreement and the DPA. All sub-processors are listed at app.roaring.io (https://app.roaring.io/v2/about-service). Included Personal data, which is processed by the Data Processor on behalf of the Data Controller, may also be treated by Sub-processors.

The Data Processor shall inform The Data Controller of any plans to employ new Sub-processors or replace Sub-processors, so that The Data Controller is able to object to such changes. The Processor should notify the Data Controller at least thirty (30) days in advance before the new sub-processor is added. Any objections must be notified to the Data Processor within thirty (30) days from notice from Roaring. The Data Controller will get a notification in Roaring's Service (app.roaring.io). If the Data Controller has reasonable objections, the Data Processor must consider these objections. If the Data Processor considers that it is not commercially possible and/or reasonable to consider the objections, the Data Controller has the right to terminate the Agreement and this DPA in writing at one (1) month notice. Such termination shall not in any circumstances be regarded as a breach of contract.

The Data Processor shall have a Data Processing Agreement with each Sub-processor. In such Data Processing Agreement, the Sub-processor shall be subject to the same obligations with respect to data protection as those laid down in this DPA. If the Sub-processor does not fulfill its obligations with respect to data protection, Data Processor shall be fully liable to The Data Controller for the performance of the Sub-processor's obligations.

8. Data Incident

If a security incident occurs which leads to accidental or unlawful destruction, loss or alteration or to unauthorized disclosure of or unauthorized access to the Included Personal Information transmitted, stored or otherwise processed, the Data Processor shall notify the Data Controller without unnecessary delay and at the latest 48 hours after getting to know the incident. Thereafter, the Data Processor shall assist the Data Controller with such information as may reasonably be required by the Data Controller, which The Data Controller does not possess itself, to notify the incident to the competent supervisory authority and inform the Registered.

9. Liability

The Data Controller is responsible for ensuring that the processing is done in accordance with the GDPR and for issuing adequate and legal instructions to the Data Processor. Data Processor processes Personal data as received from The Data Controller and has no responsibility for any consequences of the Personal data received being found to be incorrect. The Data Controller is furthermore responsible for ensuring that Included Personal Information is collected and that the Registered are informed according to the GDPR and that a legal basis exists for the processing.

If a Registered raises an action against The Data Controller for damages, which is based on an injury that has been deliberately or through gross negligence caused by Data Processor or its Sub-processors in the processing of Included Personal Information, the Data Processor shall compensate the Data Controller for the direct damages imposed on The Data Controller by a decision from the supervisory authority or a judgment in a court of law. This applies provided that The Data Controller can demonstrate that the requirement is based on the Data Processor's wilful or grossly negligent non-fulfilment of its obligations under this DPA.

The Data Controller and the Data Processor confirm that they are responsible in accordance with their respective roles as personal data controller and data processor according to the requirements of the applicable GDPR and the Agreement. Article 82 (5) of the General Data Protection Regulation shall apply to any recourse requirements relating to administrative penalties.

Any compensation that the Data Processor has to pay to The Data Controller in accordance with this section 8 regarding direct damages and/or claims for direct damages shall be limited per calendar year to the maximum amount of SEK 2 million.

The Data Controller shall, in relation to the Data Processor, be liable for direct damages that affect Data Processor, provided that the claim is due to the Data Controller's inadequate instructions to the Data Processor, violation of this DPA or GDPR.

A Party shall not be liable for damage if the Party can prove that the Party is in no way responsible for the event that caused the damage.

10. Compensation

The Data Processor is entitled to compensation from The Data Controller for work carried out within the framework of the provisions of this DPA. Compensation under Section 11 shall be payable if the Data Controller's choice of means for returning or deleting Included Personal Data means additional work for Data Processor, however, that Data Processor shall at its own discretion offer the Data Controller a free alternative. Data Processor also has the right to compensation for work resulting from the Data Controller issuing additional instructions, modifying existing instructions or otherwise instructing the Data Processor to take measures of such nature that the Data Processor does not consider these to be generally necessary or applicable to Data Processor's other customers.

Remuneration shall be paid in accordance with what is agreed in writing between the Parties when the need for compensation occurs.

11. Validity of the Data Processing Agreement

This DPA shall enter into force on the date of the Agreement and shall remain in force for as long as the Data Processor processes the Included Personal Data to provide the Services. Termination of the agreement takes place in the manner specified in the Agreement. Date of signature is considered as the date when the Data Controller agrees to the Agreement by signing up to any of Roaring's Services as defined in the Agreement.

12. Transfer

None of the parties has the right to wholly or partly transfer the rights and obligations under this DPA to a third party.

13. Termination of processing of personal data

In the event of termination of this DPA, Data Processor shall delete the Included Personal Data or return them to the Data Controller in accordance with the Data Controller's instructions and ensure that no Included Personal Data or copies thereof remain in the Data Processor's possession. If The Data Controller does not within thirty (30) days from the termination of the Agreement announce their instructions to Data Processor in accordance with this section or, within this period, requested reasonable additional time, the Data Processor shall be entitled to delete the Included Personal Information which the Data Processor continues to process.

14. Return or deletion of Personal data

Upon termination of the Personal Data Processor's processing of Included Personal Data, the Personal Data Processor shall, in accordance with the Controller's instructions, either transfer all Relevant Personal Data to the Controller in such a way, on such a medium and in such a format as is consistent with the Controller's instructions, or permanently delete and delete Relevant Personal Data. When transferring or deleting, the Personal Data Officer must ensure that the data cannot be reproduced. If the Controller has not within 90 days from the termination of the Main Agreement communicated its instructions to the Personal Data Processor in accordance with this section or within this time requested a reasonable additional time extension, the Personal Data Processor has the right to transfer all Relevant Personal Data to the Controller in such a way that the Personal Data Processor reasonably deems appropriate.

15. Applicable law and dispute

Swedish law shall apply to this DPA. Disputes regarding the interpretation or application of this DPA shall be settled in accordance with what is stated regarding disputes in the Agreement.