Data processing agreement

This data processing agreement (the “Processing Agreement”) forms part of the TERMS OF SERVICE FOR EASY-LASER PLUS (the “Service Agreement”) between Customer (as defined in the Service Agreement) and Easy-Laser AB (“Easy-Laser”), jointly the “Parties”.

WHEREAS, the Parties have in a separate agreement (“the Service Agreement”) agreed to use the Processor’s services for the purposes specified in the Service Agreement (“the Services”). 

WHEREAS, Customer acts as a Data Controller of certain data that may be transferred under the Service Agreement. 

WHEREAS, the Parties wish to implement a data processing agreement that complies with the requirements of applicable laws and regulations relating to data processing. 

In light hereof, the Parties agree as follows. 

DEFINITIONS AND INTERPRETATION 

Unless explicitly stated herein, capitalized terms and expressions used in this Agreement shall have the following meaning: 

  •  “Customer Personal Data” means any Personal Data Processed by a Sub-Processor on behalf of Customer pursuant to or in connection with the Service Agreement; 
  •  “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country; 
  •  “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; 
  •  “GDPR” means EU General Data Protection Regulation 2016/679; 
  •  “Data Transfer” means a transfer of Customer Personal Data from the Customer to a Sub-Processor; or an onward transfer of Customer Personal Data from a Sub-Processor to a Subcontracted Processor, or between two establishments of a Sub-Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws); 
  •  “Processing Agreement” means this data processing agreement and all Schedules; 
  •  “Services” means the services Easy-Laser provides under the Service Agreement; and 
  •  “Sub-processor” means any person appointed by or on behalf of Easy-Laser to process Personal Data on behalf of the Customer in connection with the Processing Agreement. 

The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their corresponding terms shall be construed accordingly. 

PROCESSING OF CUSTOMER PERSONAL DATA 

The Customer instructs Easy-Laser to process Customer Personal Data in order to facilitate normal operation of the Service and as otherwise set out in the Service Agreement and this Processing Agreement. 

Easy-Laser shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall not Process Customer Personal Data other than in accordance with Customer’s documented instructions. 

SUB-PROCESSING 

Easy-Laser is entitled to engage Sub-processors identified in the Service Agreement to perform its obligations under the Service Agreement, including processing of personal data under this Processing Agreement. If Easy-Laser engages a Sub-processor, a separate data processing agreement will be concluded in writing between Easy-Laser and the Sub-processor. Such a data processing agreement shall impose the same data protection obligations as set out in the Processing Agreement.  

Easy-Laser shall notify the Customer in advance if a Sub-processor is to be replaced or if an additional sub-processor will be engaged to process personal data.  

The Customer may object to any changes of the Sub-processors within 30 days of Easy-Laser’s notification thereof. An objection shall include legitimate reasons for the objection and possible solutions. If the Customer raises such legitimate objections, Easy-Laser shall be given the possibility to allow the sub-processor to modify the services in order to meet the requirements of the applicable Data Protection Laws. 

If Easy-Laser does not accommodate the Customer’s legitimate objections, Easy-Laser shall notify the Customer in writing. The Customer may terminate the Service Agreement by providing Easy-Laser with a written notice within 30 days of Easy-Laser’s notice. 

If the Customer neither approves nor objects to a sub-processor within the time mentioned above, the sub-processor shall be considered approved. 

DATA TRANSFER 

Easy-Laser shall ensure that there is a legal basis for transferring personal data to, or making it available from, a location outside the EU or EEA as well as entering into the EU standard contractual clauses for the transfer of personal data to third countries or provisions that replace them. Easy-Laser shall be entitled to enter into such standard contractual clauses with Sub-processors on behalf of the Controller. 

SECURITY AND CONFIDENTIALITY 

The Processor shall implement and maintain the technical and organizational measures required by the Data Protection Laws and to ensure an appropriate level of security for the processing of personal data.  

The Processor shall not disclose the Controller’s personal data to a third party unless authorized by the Controller or required by law or by governmental or supervisory authority decision. If the Processor is required by law or by governmental or supervisory authority decision to disclose the Controller’s personal data to a third party, the Processor will notify the Controller prior to disclosure unless prohibited by law. 

The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are covered by a legal confidentiality obligation.  

DATA SUBJECT RIGHTS 

Taking into account the nature of the processing, Easy-Laser shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws. 

Easy-Laser shall: 

  • promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and 
  • ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which Easy-Laser is subject, in which case Easy-Laser shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Sub-Processor responds to the request. 

PERSONAL DATA BREACH 

Easy-Laser shall notify Customer without undue delay upon Easy-Laser becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. 

Easy-Laser shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach. 

DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION 

Easy-Laser shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Sub-Processors. 

TERM AND DELETION OF CUSTOMER PERSONAL DATA 

This Processing Agreement applies between the Parties as long as Easy-Laser processes personal data under the Service Agreement. 

Easy-Laser shall in the event of cessation of the Service involving the processing of Customer Personal Data, delete and procure the deletion of all copies of those Customer Personal Data, unless otherwise stipulated by an applicable agreement between the Parties. 

AUDIT RIGHTS 

Subject to this Section 26, Easy-Laser shall make available to the Customer on request all information necessary to demonstrate compliance with this Processing Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Sub-Processors. 

Information and audit rights of the Customer only arise under this Section 26 to the extent that the Processing Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law. 

GOVERNING LAW AND ARBITRATION 

This Agreement shall be governed by and construed and enforced in accordance with the laws of Sweden. 

Any dispute, controversy or claim arising out of or in connection with the Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). 

The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. 

The place of proceedings shall be Gothenburg, Sweden. The proceedings shall be conducted in the English language.