Data processing agreement

This data processing agreement (the “Processing Agreement“) forms part of the TERMS OF SERVICE FOR EASY-LASER PLUS (the “Service Agreement“) between Customer (as defined in the Service Agreement) and Easy-Laser AB (“Easy-Laser”), jointly the “Parties”. 

WHEREAS, the Parties have in a separate agreement (“the Service Agreement”) agreed to use the Processor’s services for the purposes specified in the Service Agreement (“the Services”). 

WHEREAS, Customer acts as a Data Controller of certain data that may be transferred under the Service Agreement. 

WHEREAS, the Parties wish to implement a data processing agreement that complies with the requirements of applicable laws and regulations relating to data processing. 

In light hereof, the Parties agree as follows. 


Unless explicitly stated herein, capitalized terms and expressions used in this Agreement shall have the following meaning: 

  •  “Customer Personal Data” means any Personal Data Processed by a Sub-Processor on behalf of Customer pursuant to or in connection with the Service Agreement; 
  •  “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country; 
  • EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; 
  • GDPR” means EU General Data Protection Regulation 2016/679; 
  • Data Transfer” means a transfer of Customer Personal Data from the Customer to a Sub-Processor; or an onward transfer of Customer Personal Data from a Sub-Processor to a Subcontracted Processor, or between two establishments of a Sub-Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws); 
  • Processing Agreement” means this data processing agreement and all Schedules; 
  • Services” means the services Easy-Laser provides under the Service Agreement; and 
  • Sub-processor” means any person appointed by or on behalf of Easy-Laser to process Personal Data on behalf of the Customer in connection with the Processing Agreement. 

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their corresponding terms shall be construed accordingly. 


The Customer instructs Easy-Laser to process Customer Personal Data in order to facilitate normal operation of the Service and as otherwise set out in the Service Agreement and this Processing Agreement. 

Easy-Laser shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall not Process Customer Personal Data other than as in accordance with Customer’s documented instructions. 


Easy-Laser is entitled to engage Sub-processors identified in the Service Agreement to perform its obligations under the Service Agreement, including processing of personal data under this Processing Agreement. If Easy-Laser engages a Sub-processor, a separate data processing agreement will be concluded in writing between Easy-Laser and the Sub-processor. Such a data processing agreement shall impose the same data protection obligations as set out in the Processing Agreement.  

Easy-Laser shall notify the Customer in advance if a Sub-processor is to be replaced or if an additional sub-processor will be engaged to process personal data.  

The Customer may object to any changes of the Sub-processors within 30 days of the Easy-Laser’s notification thereof. An objection shall include legitimate reasons for the objection and possible solutions. If the Customer raises such legitimate objections, Easy-Laser shall be given the possibility to allow the sub-processor to modify the services in order to meet the requirements of the applicable Data Protection Laws. 

If Easy-Laser does not accommodate the Customer’s legitimate objections, Easy-Laser shall notify the Customer in writing. The Customer may terminate the Service Agreement by providing Easy-Laser with a written notice within 30 days of Eas-Laser’s notice. 

If the Customer neither approves nor objects a sub-processor within the time mentioned above, the sub-processor shall be considered approved. 


Easy-Laser shall ensure that there is a legal basis for transferring personal data to, or make available from, a location outside the EU or EEA as well as entering into the EU standard contractual clauses for the transfer of personal data to third countries or provisions that replace them. Easy-Laser shall be entitled to enter into such standard contractual clauses with Sub-processors on behalf of the Controller. 


The Processor shall implement and maintain the technical and organizational measures required by the Data Protection Laws and to ensure an appropriate level of security for the processing of personal data.  

The Processor shall not disclose the Controller’s personal data to a third party unless authorized by the Controller or required by law, governmental- or supervisory authority decision. If the Processor is required by law, governmental- or supervisory authority decision to disclose the Controller’s personal data to a third party, the Processor will notify the Controller prior to disclosure unless prohibited by law. 

The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are covered by a legal confidentiality obligation.  


Taking into account the nature of the processing, Easy-Laser shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws. 

Easy-Laser shall: 

  • promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and 
  • ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which Easy-Laser is subject, in which case Easy-Laser shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Sub-Processor responds to the request. 


Easy-Laser shall notify Customer without undue delay upon Easy-Laser becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. 

Easy-Laser shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach. 


Easy-Laser shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Sub-Processors. 


This Processing Agreement applies between the Parties as long as Easy-Laser processes personal data under the Service Agreement. 

Easy-Laser shall in the event of cessation of the Service involving the processing of Customer Personal Data, delete and procure the deletion of all copies of those Customer Personal Data, unless otherwise stipulated by an applicable agreement between the Parties. 


Subject to this Section 26, Easy-Laser shall make available to the Customer on request all information necessary to demonstrate compliance with this Processing Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Sub-Processors. 

Information and audit rights of the Customer only arise under this Section 26 to the extent that the Processing Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law. 


This Agreement shall be governed by and construed and enforced in accordance with the laws of Sweden. 

Any dispute, controversy or claim arising out of or in connection with the Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). 

The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. 

The place of proceedings shall be Gothenburg, Sweden. The proceedings shall be conducted in the English language.