Personal Data Processor Agreement

This personal data processor agreement (this “Data Processor Agreement”) is entered into on this day

BETWEEN:

1. The Client (the “Controller”); and
2. AlexisHR AB, reg. no. 559225-7132 (“AlexisHR” or the “Processor”).

The above parties are hereinafter each referred to as a “Party” and jointly as the “Parties”.

1 . Introduction

1. The Parties have entered into an agreement regarding online human resources services to be provided to the Client by AlexisHR, hereinafter the “Agreement”. The terms used in the Agreement shall have the same meaning when used herein. The provisions in this Data Processor Agreement shall take precedence over conflicting provisions in the Agreement. 
2. Pursuant to the undertakings which follow from the Agreement, AlexisHR may Process Personal Data as well as other information on behalf of the Client.
3. As a consequence thereof, the Parties are entering into this Data Processor Agreement, which is an integrated part of the Agreement, to govern the conditions for AlexisHR’s Processing of, and access to, Personal Data belonging to the Client. 

2. Definitions

Unless the circumstances clearly indicate otherwise, definitions or terms used in this document shall be defined as set forth below and any term which is used in the General Data Protection Regulation and which is not stated below shall be defined as follows from Article 4 of the General Data Protection Regulation.

“Controller”

means a natural or legal person, public authority, institution, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union law or Member State law;

“Data Subject”

means the living natural person who is alive and whose Personal Data is Processed.

“General Data Protection Regulation”

means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation);

“Instruction”

means the written instructions which the Client gives to AlexisHR within the scope of this Data Processor Agreement, as set out in Appendix 1 hereto;

“Other Regulation”

means national laws which, from time to time, apply to Processing of Personal Data (excluding the General Data Protection Regulation);

“Personal Data Breach”

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed; 

“Personal Data”

means any information relating to an identified or identifiable natural person, whereupon an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

“Process(ing)”

means an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction; and

“Processor”

means a natural or legal person, public authority, institution, or other body which Processes Personal Data on behalf of the Controller;

3. Documents

1. The Data Processor Agreement comprises this document and the appended Instruction.
2. In the event of any contradictions between this document and the Instruction, this document shall take precedence, unless otherwise specifically stipulated or clearly indicated by the circumstances.

4. Generally regarding the Processing of Personal Data

1. The Client is the Controller of the Personal Data, which is Processed within the scope of the Agreement.
2. AlexisHR is regarded as the Processor on behalf of the Client.
3. AlexisHR has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing of Personal Data meets the requirements of the General Data Protection Regulation and any Other Regulation, and ensures protection of the rights of the Data Subject.
4. Taking into consideration the nature of the Processing, AlexisHR shall assist the Client by taking suitable technical and organisational measures, to the extent possible, to enable the Client to perform its obligation to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the General Data Protection Regulation.
5. If AlexisHR believes that the Instruction or other instruction or notification from the Client would conflict with the General Data Protection Regulation or any Other Regulation, AlexisHR shall be entitled to notify the Client and defer the Processing in question.

5. Purpose and type of Personal Data, etc.

The Instruction shall, inter alia, state the subject of the Processing, the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects.

6. AlexisHR’s personnel, etc.

1. AlexisHR, its employees, and other persons who perform work under AlexisHR’s supervision and who gain access to Personal Data belonging to the Client may only Process such Personal Data on the Client’s instruction, unless such person is obligated to do so pursuant to Union law or Swedish national law.
2. AlexisHR shall ensure that its employees and all other persons for whom AlexisHR is liable and who are authorised to Process Personal Data covered by this Data Processor Agreement have undertaken to maintain confidentiality (unless such person is subject to an appropriate statutory confidentiality obligation).

7. Security

1. AlexisHR shall take all safeguards required under Article 32 of the General Data Protection Regulation.
2. Taking into consideration the type of Processing and the information which AlexisHR has, AlexisHR shall assist the Client in ensuring that the obligations regarding security can be satisfied in a manner which follows from Article 32 of the General Data Protection Regulation.
3. In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data which is transferred, stored, or otherwise Processed.

8. Personal Data Breach

Taking into consideration the type of Processing and the information available to AlexisHR, AlexisHR shall assist the Client in ensuring that the obligations arising due to any Personal Data Breach can be fulfilled in a manner as required in Articles 33-34 of the General Data Protection Regulation.

9. Impact assessment and prior consultation

Taking into consideration the nature of the Processing and the information which is available to AlexisHR, AlexisHR shall assist the Client in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the General Data Protection Regulation.

10. The Instruction

1. AlexisHR may only Process Personal Data, which is covered under this Data Processor Agreement on the documented Instructions (including in respect of transfers of Personal Data to a third country or an international organisation, provided such Processing is not required pursuant to EU law or the national law of a Member State to which AlexisHR is subject and, in such case, AlexisHR shall inform the Client of the legal requirement before the data is Processed, unless such information is prohibited with reference to an important public interest under relevant national law).
2. The Client shall be entitled to update the Instruction from time to time. AlexisHR shall be entitled to compensation for additional costs incurred if the Client modifies the Instruction.

11. Subprocessors

1. Client accept that AlexisHR may use subprocessors and approve of the subprocessors in use at the time of entering into this Data Processor Agreement. 
2. AlexisHR shall inform the Client of any plans to retain a new subprocessor or to replace an existing subprocessor, in order to allow the Client to make objections to any such change (however, any objection must be based on an objectively acceptable reason). Such information may be provided via the Site. Should the Client not accept the use of the subprocessor, Client may terminate the Services as set out in the Agreement. 
3. AlexisHR shall ensure that any such subprocessor enters into a written personal data processor agreement before the subprocessor begins work related to the Client. Any such personal data processor agreement must contain the undertakings and obligations which follow from this Data Processor Agreement. In any such personal data processor agreement, the subprocessor shall provide sufficient warranties in respect of taking suitable technical and organisational measures so that the Processing meets the requirements of the General Data Protection Regulation.
4. In the event the subprocessor fails to fulfil its obligations, AlexisHR shall be liable to the Client for the performance of the subprocessor’s obligations.

12. Transfer to a third country

The Personal Data is stored on servers within the EU/EEA. The Instruction sets out the locations where the Personal Data is actually being stored. AlexisHR has no interest in moving, storing, transferring, or otherwise processing Personal Data outside of the EU/EEA. It is however acknowledged that the use of certain sub-processors (including sub-processors to increase security and data protection) may require that limited Personal Data is transferred to locations outside of the EU/EEA for e.g. handling support tickets or other reasons. Should any transfer of Personal Data take place, such transfer shall meet the requirements and undertakings which follow from the General Data Protection Regulation. This means that only valid transfer mechanisms will be used, supplemented by necessary technical and organisational measures to meet the EU level of protection of the Personal Data.

13. Right to transparency

AlexisHR shall grant the Client access to all information which is required and necessary to enable the Client to verify compliance with the obligations which follow from Article 28 of the General Data Protection Regulation and to enable and assist in audits, including inspections, which are conducted by the Client or by an examiner authorised by the Client. AlexisHR shall, at all times, be entitled to reasonable notice in the event the Client wishes to exercise its right to conduct an audit or inspection and the Client shall compensate AlexisHR for its costs incurred in connection with any such audit or inspection.

14. Compensation

AlexisHR’s Processing of Personal Data is a natural part of providing the services according to the Agreement and will thus be included in the fees for such services. AlexisHR is however entitled to additional compensation on a time and material basis for any cost incurred in relation to i) audits conducted by the Client, ii) AlexisHR assisting the Client as set out in Section 8 or 9 above or iii) AlexisHR’s response to any request for information related to a Data Subject. 

15. Liability

Each Party’s liability and limitation of liability with respect to its undertakings set out herein are set out in the Agreement.

16. Termination of the Data Processor Agreement

1. When AlexisHR discontinues Processing Personal Data on behalf of the Client, AlexisHR shall return all Personal Data to the Client as set out in the Agreement.
2. Following termination of the Data Processor Agreement, AlexisHR shall not be entitled to save any Personal Data belonging to the Client and, as soon as AlexisHR has complied with the provisions of subsection 16.1 above, AlexisHR’s right to Process or otherwise use Personal Data belonging to the Client shall cease (provided storage of Personal Data is not required pursuant to national law or Union law, or AlexisHR has legal grounds to Process relevant Personal Data).

* * *

Appendix 1 to Data processor Agreement

Instruction

The following document is the documented instruction according to which the Personal Data shall be Processed.

Definitions used in this Instruction shall have the same meaning as in the Data Processor Agreement, unless the circumstances clearly indicate otherwise.

1. Contact information

1.1 Controller

The Client identified in the Agreement.‍

1.2 Processor

Supplier: AlexisHR AB, reg. no. 559225-7132
Address: Magnus Ladulåsgatan 3, 118 65 Stockholm
Phone number: 010-750 05 48
E-mail address: BILLING@ALEXISHR.COM

1 Processing of Personal Data

1.1 Categories of Personal Data

The Supplier shall Process the following categories of Personal Data:

The categories which is part of the Client Data submitted by the Client and User by using the Services, which may include

a) Contact information (such as name, address, e-mail, telephone number, working title, workplace)  

b) Social security number

c) Education and experience

d) Financial information (such as salary, tax and bank account information)

e) Information about absence from work (such as leave of absence, holiday, parental leave etc)

f) Sensitive personal data (to the extent submitted by the Client)

1.2 Categories of Processing

The following categories of Processing shall take place:

Collection, structuring, storage, adaptation or alteration, alignment or combination, restriction, erasure or destruction.

1.3 Categories of Data Subjects

The following categories of Data Subjects are included:

1. Employees of the Controller
2. Consultants and other individuals working on behalf of the Data Controller

1.4 Purpose of the Processing activities

The purpose of the Processing activities is for AlexisHR to provide the Services to the Client as set out in, and for the duration of, the Agreement.

1.5 Duration of the Processing

AlexisHR will Process the Personal Data during the term of the Agreement and until the Client has retrieved the Personal Data, however no longer than 30 days after the Agreement has been terminated.

2 Security measures

2.1 Technical and organisational security measures

The Supplier shall take the following technical and organisational security measures: 

a) Encryption of data at rest and transit

b) Control and log of access to the Personal Data

c) Ensure that availability and access to personal data is restored in case of incidents

d) Internal Policies and process for handling passwords and devices

More information about AlexisHR’s work with IT and information security can be found at https://alexishr.com/resources/data-security.

3 Subprocessor‍