Personal Data Processing Agreement
This personal data processor agreement (this “Data Processing Agreement”) is entered into on this day between you, the Client, and us, AlexisHR AB.
1 . Introduction
1.1 The Parties have entered into an agreement (the “Agreement”) regarding online human resources services to be provided by AlexisHR to the Client.
1.2 AlexisHR will process personal data on behalf of the Client when providing services under the Agreement and therefore act as its data processor. The Client is the data controller.
1.3 This Data Processing Agreement constitutes such agreement between the data controller and the data processor as set out in Art 28.3 of the GDPR.
2.1 Terms defined in Applicable Data Protection Legislation, such as "data controller", "data processor", "personal data", "processing", "data subject" and "supervisory authority" shall be interpreted and applied in accordance with Applicable Data Protection Legislation.
2.2 In addition, the definitions below shall have the following meanings:
"Applicable Data Protection Legislation"
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), "GDPR") and applicable Swedish data protection law.
"Client Personal Data" Personal data that is transferred to, stored or otherwise processed, by AlexisHR on behalf of the data controller under the Agreement, as described in more detail in Appendix 1 (Specification).
"The Specification" Appendix 1 (Specification) to this Data Processing Agreement.
3. Agreement Documents and Applicability
3.1 This Data Processing Agreement consists of this main document and Appendix 1 (Specification), which specifies the subject-matter and duration of the processing performed by AlexisHR, the nature and purpose of the processing, the type of Client Personal Data and categories of data subjects. In the event of any conflict or inconsistency between this Data Processing Agreement and the Agreement, the provisions of this Data Processing Agreement shall prevail.
4. Processing and Instructions
4.1 AlexisHR undertakes to only process Client Personal Data in accordance with this Data Processing Agreement, the Agreement, and the Client's written instructions. Such instructions are set out in this Data Processing Agreement and the Specification in Appendix 1.
4.2 Both parties undertake to comply with Applicable Data Protection Legislation to the extent that such legislation is applicable to the party's obligations under the Agreement.
4.3 If AlexisHR considers the Client’s instructions to be in conflict with Applicable Data Protection Legislation, AlexisHR shall notify the Client and await further instructions.
5. Appropriate technical and organizational measures
5.1 AlexisHR shall take appropriate technical and organizational measures as set out in Art 32 of the GDPR to ensure a level of security appropriate to the risks associated with the processing of Client Personal Data. In doing so, AlexisHR shall take into account the latest developments, the implementation costs and the nature, scope, context and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of the data subjects. A description of AlexisHR´s security work can be found in Appendix 1 (Specification).
5.2 The Client considers the security measures that follow from this Data Processing Agreement, the Specification and the Agreement constitute appropriate measures for the processing AlexisHR shall carry out under the Data Processing Agreement.
6. Transfer of personal data to a third country
6.1 All Client Personal Data will be stored on servers within the EU/EEA as further set out in Appendix 1 (Specification)..
6.2 AlexisHR may only transfer personal data to a location outside of the EU/EEA or a country that are not subject to an adequacy decision by the European Commission pursuant to Article 45 of the GDPR if (i) AlexisHR has obtained the Client's prior, specific consent for such transfer, (ii) such transfer complies with Applicable Data Protection Legislation and is based on a valid transfer mechanism (e.g. standard contractual clauses) and (iii) an assessment of such third country has been made and documented.
6.3 If the prerequisites in Section 6.2. above are met, the Client gives general permission for AlexisHR to enter into the required standard contractual clauses with the receiving party when transferring Client Personal Data to locations outside of EU/EEA.
7. Information and Disclosure
7.1 AlexisHR shall assist the Client by appropriate technical and organizational measures, to the extent possible, so that the Client can fulfill its obligation to respond to requests for the exercise of the data subject's rights in accordance with Applicable Data Protection Legislation.
7.2 AlexisHR shall assist the Client, taking into account the type of processing and the information available to AlexisHR, to ensure compliance with the obligations under Articles 32-36 of the GDPR.
7.3 AlexisHR shall, in accordance with the Client's instructions, delete or return Client Personal Data to the Client after the processing of Client Personal Data has ended and delete existing copies of Client Personal Data, unless the deletion of the personal data is necessary according to EU member state law or otherwise agreed.
7.4 AlexisHR shall give the Client access to all information necessary for the Client to be able to demonstrate that the obligations laid down in Article 28 of the GDPR are complied with.
7.5 AlexisHR shall enable and contribute to audits, including inspections, carried out by the Customer or by another auditor authorized by the Client.
8. Contact with Data Subjects and Supervisory Authorities
8.1 If a data subject, supervisory authority or other third party requests information from AlexisHR, that concerns the processing of Client Personal Data, AlexisHR shall, without undue delay, refer such request to the Client and await further instructions, unless required to act according to Applicable Data Protection Legislation.
9.1 The Client hereby grants AlexisHR general prior authorisation pursuant to Art 28 (2) of the GDPR to use sub processors on behalf of the Client for the processing of Client Personal Data. AlexisHR shall impose corresponding data protection obligations on the subprocessor that AlexisHR has under this Data Processing Agreement. Appendix 1 (Specification) specifies the sub processors that AlexisHR has engaged at the time of entering into this Data Processing Agreement. 1
9.2 AlexisHR shall inform the Client of any intended changes concerning the addition or replacement of other subprocessors. Such information will be provided on www.alexishr.com. The Client shall be given the opportunity to object to such changes and have the right to terminate the Agreement prematurely as set out in Section 17.2 of the Agreement.
9.3 If the subprocessor does not fulfill its obligations regarding data protection, AlexisHR shall be fully liable to the Client for the performance of the subprocessor's obligations.
1 Art 28.3 (d)
10.1 In addition to the confidentiality obligations set out in the Agreement, neither party shall disclose to third parties Client Personal Data or other information that emerges under this Data Protection Agreement ("Confidential Information"), unless such obligation exists under Applicable Data Protection Legislation or is instructed by the Client. Neither party will, directly or indirectly, on its own behalf or on behalf of others, use Confidential Information for any purpose other than to fulfill its obligations under Applicable Data Protection Legislation or this Data Processing Agreement.
10.2 AlexisHR shall ensure that persons authorized to process Client Personal Data have undertaken to observe confidentiality or are subject to an appropriate statutory obligation of confidentiality.
11.1 AlexisHR’s Processing of Client Personal Data is a natural part of providing the services according to the Agreement and will thus be included in the fees for such services. AlexisHR is however entitled to additional compensation on a time and material basis for any cost incurred in relation to i) audits conducted by the Client, ii) AlexisHR assisting the Client as set out in Section 7 or 8 above or iii) AlexisHR’s response to any request for information related to a data subject.
12.1 If AlexisHR or anyone for which AlexisHR is responsible for according to this Data Processing Agreement negligently processes Client Personal Data in violation of this Data Processing Agreement or contrary to lawful instructions of the Customer, AlexisHR shall reimburse the Client for any damages (of whatever kind) suffered due to AlexisHR´s incorrect processing.
12.2 The Client shall reimburse AlexisHR for any damage (of whatever kind) incurred as a consequence of the Client's, or anyone for which the Client is responsible for, non-fulfilment of its obligations hereunder.
12.3 A party shall not be liable for the other party’s loss of revenue, business opportunities, goodwill or other indirect damages.
12.4 A party’s obligation to pay damages, laid down in this section 12, only applies, provided that the non-breaching party without delay provides a written notification of any claims against the breaching party and the grounds for such claims.
12.5 The general limitation of the liability section in the Agreement (Section 14) shall not apply to this Data Processing Agreement. Instead, each party's total liability hereunder shall be limited to an amount corresponding to ten (10) times the general liability set out in Section 14 of the Agreement.
13.1 If the Applicable Data Protection Legislation is changed or if the supervisory authority issues guidelines, decisions or regulations concerning Applicable Data Protection Legislation that result in this Data Processing Agreement needs to be amended, the parties shall make the necessary changes in order to meet such new or additional requirements.
14. Term and Termination
14.1 This Data Processing Agreement applies from its signature and for as long as AlexisHR processes Client Personal Data.
14.2 Upon termination of AlexisHR´s processing of Client Personal Data, AlexisHR shall, in accordance with the Client's instructions (provided storage of such data is not required pursuant to national law or EU law, or AlexisHR has legal grounds to process such data), either (i) transfer all Client Personal Data to the Client; or (ii) permanently delete Client Personal Data.
* * *
Appendix 1 – Specification
1.1 This Appendix 1 (Specification) sets out the details concerning the processing of Client Personal Data, which AlexisHR processes on behalf of the Client under the Data Processing Agreement. The purpose of this Appendix 1 (Specification) is to clarify which processing and personal data that is covered by the Service Agreement, and to fulfill the requirements of Applicable Data Protection Legislation regarding the obligation to specify the categories of a processor’s processing of personal data, see for example Article 28.3 of the GDPR.
2. Contact information
2.1 The Client (the data controller)
The Client identified in the Agreement
2.2 AlexisHR (the data processor)
Company: AlexisHR AB, reg. no. 559225-7132
Address: Söder Mälarstrand 65, 118 25 Stockholm, Sweden
Phone number: 010-750 05 48
E-mail address: BILLING@ALEXISHR.COM
3. Processing of Personal Data
3.1 Categories of Personal Data
The Supplier may Process the following categories of Personal data:
a) Contact information (such as name, address, e-mail, telephone number, working title, workplace)
b) Social security number
c) Education and experience
d) Financial information (such as salary, tax and bank account information)
e) Information about absence from work (such as leave of absence, holiday, parental leave etc)
f) Sensitive personal data (to the extent submitted by the Client)
3.2 Categories of Processing
The following categories of Processing may e.g. take place:
Collection, structuring, storage, back-up, testing, incident handling, adaptation or alteration, alignment or combination, restriction, erasure or destruction.
3.3 Categories of Data Subjects
The following categories of data subjects are included:
a) Employees and former employees of the Client
b) Consultants and other individuals working or which have worked on behalf of the data controller
3.4 Purpose of the Processing activities
The purpose of the Processing activities is for AlexisHR to provide the Services to the Client as set out in, and for the duration of, the Agreement.
3.5 Duration of the Processing
AlexisHR will Process the Personal data during the term of the Agreement and until the Client has retrieved the Personal data, however no longer than 30 days after the Agreement has been terminated.
4. Security Measures
4.1 Technical and organisational security measures
The Supplier shall take the following technical and organizational security measures:
a) Encryption of data at rest and transit
b) Control and log of access to the Personal data
c) Ensure that availability and access to personal data is restored in case of incidents
d) Internal policies and process for handling passwords and devices
More information about AlexisHR’s work with IT and information security can be found at https://alexishr.com/resources/data-security.
At the time of entering into the Data Processing agreement AlexisHR has engaged the following sub processors. The process for changing sub processors is set out in Section 9 of the Data Processing Agreement.