Personal Data Processing Agreement

This personal data processor agreement (this “Data Processing Agreement”) is entered into on this day between you, the Client, and us, AlexisHR AB.

1. Introduction

1.1 The Parties have entered into an agreement (the “Agreement”) regarding online human resources services to be provided by AlexisHR to the Client.

1.2 AlexisHR will process personal data on behalf of the Client when providing services under the Agreement and therefore act as its data processor. The Client is the data controller.

1.3 This Data Processing Agreement constitutes such agreement between the data controller and the data processor as set out in Art 28.3 of the GDPR.

2. Definitions

2.1 Terms defined in Applicable Data Protection Legislation, such as "data controller", "data processor", "personal data", "processing", "data subject" and "supervisory authority" shall be interpreted and applied in accordance with Applicable Data Protection Legislation.

2.2 In addition, the definitions below shall have the following meanings:

"Applicable Data Protection Legislation"
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR") and applicable Swedish data protection law.


"Client Personal Data"
Personal data that is transferred to, stored or otherwise processed, by AlexisHR on behalf of the data controller under the Agreement, as described in more detail in Appendix 1 (Specification).

"The Specification" Appendix 1 (Specification) to this Data Processing Agreement.

3. Agreement Documents and Applicability

3.1 This Data Processing Agreement consists of this main document and Appendix 1 (Specification), which specifies the subject-matter and duration of the processing performed by AlexisHR, the nature and purpose of the processing, the type of Client Personal Data and categories of data subjects. In the event of any conflict or inconsistency between this Data Processing Agreement and the Agreement, the provisions of this Data Processing Agreement shall prevail.

4. Processing and Instructions

4.1 AlexisHR undertakes to only process Client Personal Data in accordance with this Data Processing Agreement, the Agreement, and the Client's written instructions. Such instructions are set out in this Data Processing Agreement and the Specification in Appendix 1.

4.2 Both parties undertake to comply with Applicable Data Protection Legislation to the extent that such legislation is applicable to the party's obligations under the Agreement.

4.3 If AlexisHR considers the Client’s instructions to be in conflict with Applicable Data Protection Legislation, AlexisHR shall notify the Client and await further instructions.

5. Appropriate technical and organizational measures

5.1 AlexisHR shall take appropriate technical and organizational measures as set out in Art 32 of the GDPR to ensure a level of security appropriate to the risks associated with the processing of Client Personal Data. In doing so, AlexisHR shall take into account the latest developments, the implementation costs and the nature, scope, context and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of the data subjects. A description of AlexisHR’s security work can be found in Appendix 1 (Specification).


5.2 The Client considers that the security measures that follow from this Data Processing Agreement, the Specification and the Agreement constitute appropriate measures for the processing AlexisHR shall carry out under the Data Processing Agreement.

6. Transfer of personal data to a third country

6.1 All Client Personal Data will be stored on servers within the EU/EEA as further set out in Appendix 1 (Specification).


6.2 AlexisHR may only transfer personal data to a location outside of the EU/EEA or a country that is not subject to an adequacy decision by the European Commission pursuant to Article 45 of the GDPR if (i) AlexisHR has obtained the Client's prior, specific consent for such transfer, (ii) such transfer complies with Applicable Data Protection Legislation and is based on a valid transfer mechanism (e.g. standard contractual clauses) and (iii) an assessment of such third country has been made and documented.

6.3 If the prerequisites in Section 6.2 above are met, the Client gives general permission for AlexisHR to enter into the required standard contractual clauses with the receiving party when transferring Client Personal Data to locations outside of the EU/EEA.

7. Information and Disclosure

7.1 AlexisHR shall assist the Client by appropriate technical and organizational measures, to the extent possible, so that the Client can fulfill its obligation to respond to requests for the exercise of the data subject's rights in accordance with Applicable Data Protection Legislation.


7.2 AlexisHR shall assist the Client, taking into account the type of processing and the information available to AlexisHR, to ensure compliance with the obligations under Articles 32-36 of the GDPR.


7.3 AlexisHR shall, in accordance with the Client's instructions, delete or return Client Personal Data to the Client after the processing of Client Personal Data has ended and delete existing copies of Client Personal Data, unless the deletion of the personal data is necessary according to EU member state law or otherwise agreed.


7.4 AlexisHR shall give the Client access to all information necessary for the Client to be able to demonstrate that the obligations laid down in Article 28 of the GDPR are complied with.

7.5 The Client acknowledges that its right to conduct audits under the GDPR is fulfilled through the fact that AlexisHR ensures that an independent third party, appointed by AlexisHR, performs a systemic audit of the system on a regular basis. The results of the audit are made available to the Client on request.

8. Contact with Data Subjects and Supervisory Authorities

8.1 If a data subject, supervisory authority or other third party requests information from AlexisHR, that concerns the processing of Client Personal Data, AlexisHR shall, without undue delay, refer such request to the Client and await further instructions, unless required to act according to Applicable Data Protection Legislation.

9. Subprocessors

9.1 The Client hereby grants AlexisHR general prior authorisation pursuant to Art 28 (2) of the GDPR to use subprocessors on behalf of the Client for the processing of Client Personal Data. AlexisHR shall impose corresponding data protection obligations on the subprocessor that AlexisHR has under this Data Processing Agreement. Appendix 1 (Specification) specifies the subprocessors that AlexisHR has engaged at the time of entering into this Data Processing Agreement. [1]

9.2 AlexisHR shall inform the Client of any intended changes concerning the addition or replacement of other subprocessors. Such information will be provided on www.alexishr.com. The Client shall be given the opportunity to object to such changes and have the right to terminate the Agreement prematurely as set out in Section 17.2 of the Agreement.

9.3 If the subprocessor does not fulfill its obligations regarding data protection, AlexisHR shall be fully liable to the Client for the performance of the subprocessor's obligations.

----
[1] Art 28.3 (d)


10. Confidentiality

10.1 In addition to the confidentiality obligations set out in the Agreement, neither party shall disclose to third parties Client Personal Data or other information that emerges under this Data Processing Agreement ("Confidential Information"), unless such obligation exists under Applicable Data Protection Legislation or is instructed by the Client. Neither party will, directly or indirectly, on its own behalf or on behalf of others, use Confidential Information for any purpose other than to fulfill its obligations under Applicable Data Protection Legislation or this Data Processing Agreement.

10.2 AlexisHR shall ensure that persons authorized to process Client Personal Data have undertaken to observe confidentiality or are subject to an appropriate statutory obligation of confidentiality.

11. Compensation

11.1 AlexisHR’s Processing of Client Personal Data is a natural part of providing the services according to the Agreement and will thus be included in the fees for such services. AlexisHR is however entitled to additional compensation on a time and material basis for any cost incurred in relation to i) AlexisHR assisting the Client as set out in Section 7 or 8 above or ii) AlexisHR’s response to any request for information related to a data subject.

12. Liability

12.1 If AlexisHR or anyone for whom AlexisHR is responsible according to this Data Processing Agreement negligently processes Client Personal Data in violation of this Data Processing Agreement or contrary to lawful instructions of the Client, AlexisHR shall reimburse the Client for damages suffered due to AlexisHR’s incorrect processing.

12.2 The Client shall reimburse AlexisHR for damages incurred as a consequence of the non-fulfilment of the obligations hereunder by the Client, or by anyone for whom the Client is responsible.

12.3 A party shall not be liable for the other party’s loss of revenue, business opportunities, goodwill or other indirect damages.

12.4 A party’s obligation to pay damages, laid down in this Section 12, only applies provided that the non-breaching party without delay provides a written notification of any claims against the breaching party and the grounds for such claims.

12.5 The general limitation of liability in Section 14 of the Agreement shall also apply to this Data Processing Agreement.

13. Changes

13.1 If the Applicable Data Protection Legislation is changed, or if the supervisory authority issues guidelines, decisions or regulations concerning Applicable Data Protection Legislation, with the result that this Data Processing Agreement needs to be amended, AlexisHR shall make the necessary changes in order to meet such new or additional requirements and communicate such changes to the Client, taking effect 30 days from the notice.

13.2 AlexisHR may also amend the content of the Data Processing Agreement for other reasons (i.e. altered or new services, new processing based on new features, or implementation of new routines). Such amendments will be notified 90 calendar days before coming into effect. The Client can oppose such changes within 30 calendar days from the date the notice is sent. If the Client opposes the amendment, AlexisHR may terminate the affected service(s) and the corresponding amendment, or ultimately the Terms of Use Agreement, before the amendment comes into effect. If the Client does not oppose the change within 30 days from notice, the amendment is deemed to be accepted.

14. Term and Termination

14.1 This Data Processing Agreement applies from its signature and for as long as AlexisHR processes Client Personal Data.

14.2 Upon termination of AlexisHR’s processing of Client Personal Data, AlexisHR shall, in accordance with the Client's instructions (provided storage of such data is not required pursuant to national law or EU law, or AlexisHR has legal grounds to process such data), either (i) transfer all Client Personal Data to the Client; or (ii) permanently delete Client Personal Data.

* * *

Appendix 1 – Specification

1. Purpose

1.1 This Appendix 1 (Specification) sets out the details concerning the processing of Client Personal Data, which AlexisHR processes on behalf of the Client under the Data Processing Agreement. The purpose of this Appendix 1 (Specification) is to clarify which processing and personal data are covered by the Service Agreement, and to fulfill the requirements of Applicable Data Protection Legislation regarding the obligation to specify the categories of a processor’s processing of personal data, see for example Article 28.3 of the GDPR.

2. Contact information

2.1 The Client (the data controller)

The Client identified in the Agreement

2.2 AlexisHR (the data processor)

Company: AlexisHR AB, reg. no. 559225-7132

Address: Söder Mälarstrand 65, 118 25 Stockholm, Sweden

Phone number: 010-750 05 48

E-mail address: finance@aleixshr.com

Data Protection Officer: dpo@simployer.com

3. Processing of Personal Data

3.1 Categories of Personal Data

The Supplier may Process the following categories of Personal data:

a) Contact information (such as name, address, e-mail, telephone number, working title, workplace)

b) Social security number

c) Education and experience

d) Financial information (such as salary, tax and bank account information)

e) Information about absence from work (such as leave of absence, holiday, parental leave, etc.)

f) Sensitive personal data (to the extent submitted by the Client)

3.2 Categories of Processing

The following categories of Processing may e.g. take place:

Collection, structuring, storage, back-up, testing, incident handling, adaptation or alteration, alignment or combination, restriction, erasure or destruction.

3.3 Categories of Data Subjects

The following categories of data subjects are included:

a) Employees and former employees of the Client

b) Consultants and other individuals working, or who have worked, on behalf of the data controller

3.4 Purpose of the Processing activities

The purpose of the Processing activities is for AlexisHR to provide the Services to the Client as set out in, and for the duration of, the Agreement.

3.5 Duration of the Processing

AlexisHR will Process the Personal data during the term of the Agreement and until the Client has retrieved the Personal data, however no longer than 30 days after the Agreement has been terminated.

4. Security Measures

4.1 Technical and organisational security measures

The Supplier shall take the following technical and organizational security measures:

a) Encryption of data at rest and transit

b) Control and log of access to the Personal data

c) Ensure that availability and access to personal data is restored in case of incidents

d) Internal policies and process for handling passwords and devices

More information about AlexisHR’s work with IT and information security can be found at https://alexishr.com/resources/data-security.

5. Subprocessors

At the time of entering into the Data Processing Agreement, AlexisHR has engaged the following subprocessors. The process for changing subprocessors is set out in Section 9 of the Data Processing Agreement.

Subprocessor | Services provided | Location of data storage (server location)
Segment.io | User analytics | Ireland
Intercom | Support and analytics | Ireland
Auth0 | Authentication infrastructure services | Germany
Google Ireland Ltd | Infrastructure services | Ireland
MongoDB Atlas | Database services | Belgium
Sinch AB, Sweden | E-mail sending infrastructure | Germany
Planhat | Customer Success Management system | EU
Companies in the Simployer group: Simployer AS, Simployer AB, Simployer Tech Polska, Simployer Consulting Polska | Development and operation of modules | Norway, Sweden, Poland

5.1 Subprocessors when using the Engagement module

When using the Engagement module (Employee Surveys), the Client accepts the additional subprocessors as described here: List of additional subprocessors when using Engagement. This list is kept up to date on the website mentioned above and any changes will be communicated as described in Section 9 of this Data Processing Agreement.

Please note the possibility of “Reduced Processing Mode” which ensures data-processing only within the EU/EEA for the Engagement module.


Appendix 2 to Data Processing Agreement – Engagement

Appendix 2 only applies if the Customer has purchased the Engagement module.

Regarding the disclosure of data from this module, the Data Processor cannot provide the Controller (the Client) with response information in any other way than in anonymized and de-identified form. Response information means the answers employees have given to employee surveys collected using the Engagement module. The reason for this is that anonymization of the response information is an integral part of the service in Engagement.

If the Client intends to use the service also for employees of companies other than their own, they shall on their own obtain the companies' permission to process personal data about the affected employees. In the case of companies and employees residing outside the EU/EEA, the Client shall independently supervise and be responsible for compliance with legal requirements in accordance with applicable foreign law.

The Client is also responsible for ensuring that their use of, and the content of, the questions and answers stored in the Engagement module. The Client should avoid, or exercise caution in, asking questions that involve, or result in, response information that contains personal data that they do not need or have no legal grounds to process. This may be, for instance, categories of sensitive information such as health information, or information that is regulated distinctly, such as trade secrets.