PERSONAL DATA PROCESSOR AGREEMENT
This personal data processor agreement (this “Data Processor Agreement”) is entered into on this day
(1) The Client (the “Controller”); and
(2) AlexisHR AB, reg. no. 559225-7132 (“AlexisHR” or the “Processor”).
The above parties are hereinafter each referred to as a “Party” and jointly as the “Parties”.
1.1 The Parties have entered into an agreement regarding online human resources services to be provided to the Client by AlexisHR, hereinafter the “Agreement”. The terms used in the Agreement shall have the same meaning when used herein.
1.2 Pursuant to the undertakings which follow from the Agreement, AlexisHR may process personal data as well as other information on behalf of the Client.
1.3 As a consequence thereof, the Parties are entering into this Data Processor Agreement to govern the conditions for AlexisHR’s Processing of, and access to, Personal Data belonging to the Client.
Unless the circumstances clearly indicate otherwise, definitions or terms used in this document shall be defined as set forth below and any term which is used in the General Data Protection Regulation and which is not stated below shall be defined as follows from Article 4 of the General Data Protection Regulation.
means a natural or legal person, public authority, institution, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union law or Member State law;
means the living natural person whose Personal Data is Processed.
“General Data Protection Regulation”
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation);
means the instructions which the Client gives to AlexisHR within the scope of this Data Processor Agreement;
means national laws which, from time to time, apply to Processing of Personal Data (excluding the General Data Protection Regulation);
“Personal Data Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed; and
means any information relating to an identified or identifiable natural person, whereupon an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
means an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
means a natural or legal person, public authority, institution, or other body which processes Personal Data on behalf of the Controller;
3.1 The Data Processor Agreement comprises this document and the appended Instruction.
3.2 In the event of any contradictions between this document and the Instruction, this document shall take precedence, unless otherwise specifically stipulated or clearly indicated by the circumstances.
4 Generally regarding the Processing of Personal Data
4.1 The Client is the Controller of the Personal Data which is Processed within the scope of the Agreement.
4.2 AlexisHR is regarded as the Processor on behalf of the Client.
4.3 AlexisHR has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing of Personal Data meets the requirements of the General Data Protection Regulation and any Other Regulation, and ensures protection of the rights of the Data Subject.
4.4 Taking into consideration the nature of the Processing, AlexisHR shall assist the Client by taking suitable technical and organisational measures, to the extent possible, to enable the Client to perform its obligation to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the General Data Protection Regulation.
4.5 If AlexisHR believes that the Instruction or other instruction or notification from the Client would conflict with the General Data Protection Regulation or any Other Regulation, AlexisHR shall be entitled to notify the Client and defer the Processing in question.
5 Purpose and type of Personal Data, etc.
The Instruction shall, inter alia, state the subject of the Processing, the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects.
6 AlexisHR’s personnel, etc.
6.1 AlexisHR, its employees, and other persons who perform work under AlexisHR’s supervision and who gain access to Personal Data belonging to the Client may only process such Personal Data on the Client’s instruction, unless such person is obligated to do so pursuant to Union law or Swedish national law.
6.2 AlexisHR shall ensure that its employees and all other persons for whom AlexisHR is liable and who are authorised to process Personal Data covered by this Data Processor Agreement have undertaken to maintain confidentiality (unless such person is subject to an appropriate statutory confidentiality obligation).
7.1 AlexisHR shall take all safeguards required under Article 32 of the General Data Protection Regulation.
7.2 Taking into consideration the type of Processing and the information which AlexisHR has, AlexisHR shall assist the Client in ensuring that the obligations regarding security can be satisfied in a manner which follows from Article 32 of the General Data Protection Regulation.
7.3 In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data which is transferred, stored, or otherwise processed.
8 Personal Data Breach
Taking into consideration the type of Processing and the information available to AlexisHR, AlexisHR shall assist the Client in ensuring that the obligations arising due to any Personal Data Breach can be fulfilled in a manner as required in Articles 33-34 of the General Data Protection Regulation.
9 Impact assessment and prior consultation
Taking into consideration the nature of the Processing and the information which is available to AlexisHR, AlexisHR shall assist the Client in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the General Data Protection Regulation.
10 The Instruction
10.1 AlexisHR may only process Personal Data which is covered under this Data Processor Agreement on the documented Instructions (including in respect of transfers of Personal Data to a third country or an international organisation, provided such Processing is not required pursuant to EU law or the national law of a Member State to which AlexisHR is subject and, in such case, AlexisHR shall inform the Client of the legal requirement before the data is Processed, unless such information is prohibited with reference to an important public interest under relevant national law).
10.2 The Client shall be entitled to update the Instruction from time to time. AlexisHR shall be entitled to compensation for additional costs incurred if the Client modifies the Instruction.
11.1 The Client accepts that AlexisHR may use subprocessors and approves of the subprocessors in use at the time of entering into this Data Processor Agreement.
11.2 AlexisHR shall inform the Client of any plans to retain a new subprocessor or to replace an existing subprocessor, in order to allow the Client to make objections to any such change (however, any objection must be based on an objectively acceptable reason). Such information may be provided via the Site. Should the Client not accept the use of the subprocessor, the Client may terminate the Services as set out in the Agreement.
11.3 AlexisHR shall ensure that any such subprocessor enters into a written personal data processor agreement before the subprocessor begins work related to the Client. Any such personal data processor agreement must contain the undertakings and obligations which follow from this Data Processor Agreement. In any such personal data processor agreement, the subprocessor shall provide sufficient warranties in respect of taking suitable technical and organisational measures so that the Processing meets the requirements of the General Data Protection Regulation.
11.4 In the event the subprocessor fails to fulfil its obligations, AlexisHR shall be liable to the Client for the performance of the subprocessor’s obligations.
11.5 AlexisHR is aware that it must comply with the provisions regarding retention of subprocessors.
12 Transfer to a third country
AlexisHR may move, store, transfer, or otherwise process Personal Data belonging to the Client outside of the EU/EEA, provided such transfer meets the requirements and undertakings which follow from the General Data Protection Regulation.
13 Right to transparency
AlexisHR shall grant the Client access to all information which is required and necessary to enable the Client to verify compliance with the obligations which follow from Article 28 of the General Data Protection Regulation and to enable and assist in audits, including inspections, which are conducted by the Client or by an examiner authorised by the Client. AlexisHR shall, at all times, be entitled to reasonable notice in the event the Client wishes to exercise its right to conduct an audit or inspection and the Client shall compensate AlexisHR for its costs incurred in connection with any such audit or inspection.
AlexisHR shall receive compensation for measures which it takes in respect of Processing of Personal Data in accordance with the Data Processor Agreement or as a consequence of the Data Processor Agreement otherwise.
In the event the Parties have reached an agreement regarding limitation of liability in the Agreement, such limitation of liability shall also apply to this Data Processor Agreement. In the event the Parties have not reached an agreement regarding such a limitation of liability, a Party’s liability under this Data Processor Agreement or as a result of the Processing which is covered under the Data Processor Agreement shall be limited to five hundred thousand kronor (SEK 500,000).
16 Termination of the Data Processor Agreement
16.1 When AlexisHR discontinues Processing Personal Data on behalf of the Client, AlexisHR shall return all Personal Data to the Client in the manner instructed by the Client or, upon the Client’s written notice, destroy and erase all Personal Data which is associated with the Data Processor Agreement.
16.2 Following termination of the Data Processor Agreement, AlexisHR shall not be entitled to save any Personal Data belonging to the Client and, as soon as AlexisHR has complied with the provisions of subsection 16.1 above, AlexisHR’s right to process or otherwise use Personal Data belonging to the Client shall cease (provided storage of Personal Data is not required pursuant to national law or Union law, or AlexisHR has legal grounds to process relevant Personal Data).