Compliance and Legal Center
Your data, rights, and privacy—clearly explained.

Review how Ankor protects your data, complies with privacy laws, and manages cookies across all services.

Schedule 1 - DATA PROCESSING AGREEMENT

This notice sets out which types of tracking technologies such as tracking pixels, cookies and other technologies (“Cookies”) are used by Riddle’s services, app and website (the “Service”). You can read more about how Riddle processes personal data in Riddle’s privacy notice. Magic Riddle Technology AB is incorporated in Sweden with company number […]. If you have any questions on our use of Cookies you can email us at […].

1.

PARTIES

1.1

Magic Riddle Technology AB with the company registration number 559431-0400 having its registered office at Östra Boulevarden 22, hereinafter “Riddle”. Riddle is the data processor under this Data Processing Agreement.

1.2

The entity that has entered into the Terms of Service with Riddle, to which this data processing agreement has been attached as Schedule 1, hereinafter the “Customer”. The Customer is the data controller under this Data Processing Agreement.

1.3

Both the Customer and Ankor shall hereinafter be collectively referred to as “Parties” and individually referred to as “Party”.

2.

BACKGROUND

2.1

Data Protection Law (as defined below) requires a written agreement that governs under which circumstances and conditions Riddle may process personal data on behalf of the Customer.

2.2

The Parties have entered into Terms of Service regarding the use of Riddle’s web-based software solution for reconciliation of payments between sales channels and payment services to which this Data Processing Agreement has been attached as an integrated part, collectively referred to herein as the “Agreement”. This Data Protection Agreement (“DPA”) regulates the processing of personal data by Riddle on behalf of the Customer as further described in Appendix 1.

3.

DEFINITIONS

3.1

In this DPA, including in the recitals hereof, the following terms shall have the following meaning.


“Customer Data” means the personal data that is processed by Riddle on behalf of the Customer according to the Agreement and detailed in paragraph 1.2 in Appendix 1.

“Relevant Subjects” means the data subjects to which the Customer Data refers, mentioned in clause 1.3 of Appendix 1.


“Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”), as supplemented by Swedish legislation, as well as related statutes and guidelines from the Supervisory Authority.

“Subcontractor” means a third party which is hired by Riddle for the processing of Customer Data on the Customer´s behalf. “Subcontractor” shall also be understood as any third party processing Customer Data on behalf of an existing subcontractor.

“Supervisory Authority” means the Swedish Privacy Protection Authority (Sw: Integritetsskyddsmyndigheten).

3.2

All terms defined in the Data Protection Law shall have the same meaning in this DPA, unless otherwise stated in clause 3.1.

4.

THE PROCESSING AND ITS PURPOSE

4.1

Riddle shall ensure that, when processing Customer Data in accordance with the Agreement, only processing which is compatible with the purposes mentioned in the Agreement, this DPA, and the Customer´s documented instructions is executed.

5.

INSTRUCTIONS

5.1

Riddle is only allowed to process Customer Data in accordance with the instructions in Appendix 1.

5.2

Riddle shall immediately inform the Customer if, in Riddle´s opinion, the instructions infringe the Data Protection Law or other data protection provisions.

6.

APPROPRIATE SAFEGUARDS

6.1

Riddle shall, to the extent required by Data Protection Law, implement appropriate technical and organisational measures in order to prevent accidental or unlawful erasure, loss or alteration, as well as unauthorized disclosure of, or access to, Customer Data, including, when appropriate:

Pseudonymisation and encryption of Customer Data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the Customer Data in the event of a physical or technical incident

A process for regularly testing the effectiveness of the measures for ensuring the security of the processing.

6.2

The measures shall include at least what is specified in Appendix 2.

7.

ANKOR´S OBLIGATION TO ASSIST THE CUSTOMER

7.1

Riddle must assist the Customer in fulfilling its obligation to respond to requests made by Relevant Subjects to exercise their rights according to Data Protection Law, including the right to access and data portability.

7.2

Riddle shall provide the Customer with all information that the Customer may need to validate the fulfilment of Riddle´s obligations under the Data Protection Law.

7.3

Riddle shall assist the Customer in fulfilling its obligations under articles 32-36 of the GDPR as Controller.

7.4

Riddle must assist the Customer with the necessary information to enable the Customer to carry out impact assessments.

7.5

When a personal data breach is likely to result in a risk to the Privacy of Relevant Subjects, Riddle must give written notice to the Customer as soon as reasonably possible after Riddle became aware of the breach. The notice shall contain all information necessary for the Customer´s fulfilment of its reporting and information obligations to the Supervisory Authority and, if the personal data breach is likely to result in a high risk, to the Relevant Subjects.

7.6

If a personal data breach is likely to result in a risk to the Privacy of Relevant Subjects, Riddle shall take appropriate measures to prevent or mitigate the risks for the Relevant Subjects. The information shall in each case fulfil the requirements of articles 33-34 of the GDPR and will be sent to the email address provided by the Customer when entering into the Agreement.

7.7

Ankor´s obligations according to clauses 7.1 – 7.5 above shall be fulfilled upon request by, and at the expense of, the Customer in each case and shall be fulfilled to the extent possible and reasonable.

8.

HIRING OF SUBCONTRACTORS  

8.1

Riddle has a general written authorization to engage Subcontractors in accordance with Article 28.2 of the GDPR to process Customer Data on behalf of the Customer.

8.2

Riddle shall enter into a data processing agreement and impose at least the same data protection obligations on a Subcontractor as set out in this DPA, including to provide sufficient guarantees to implement appropriate technical and organisational requirements so that the processing will meet the requirements of the Data Protection Law. The Subcontractors who process Customer Data on behalf of the Customer shall at all times be listed on [insert link to a list on Subcontractors provided on your website].

8.3

If Riddle intends to change or engage a new Subcontractor, Riddle shall update the list referred to in 8.2, ninety (90) days before the change takes effect and in writing inform the Customer about the Subcontractors that have been added to the list. Such information shall include the Subcontractor’s place of establishment and the geographical location where the processing of Customer Data is taking place.

8.4

The Customer is entitled to object to the new Subcontractor in writing within thirty (30) days from the time the Subcontractor was added to the list. Such objection may only relate to objective grounds. If the Customer does not object within the given timeframe, the new Subcontractor shall be deemed accepted.

8.5

If the Customer makes a legitimate objection and Riddle does not accept the objection against the Subcontractor in question, Riddle shall be entitled, at its own discretion, either to perform the service without the intended change or to terminate the Agreement, including this DPA, by giving thirty (30) days written notice from Riddle´s receipt of the Customer´s objection.

8.6

If a Subcontractor does not fulfil its data protection obligations, Riddle shall be liable to the Customer for the performance of the Subcontractor´s obligations.

9.

THIRD COUNTRY TRANSFERS

9.1

Riddle, or its Subcontractors, are entitled to transfer Customer Data belonging to the Customer to a third country in accordance with the Customer´s documented instructions only when one of the following conditions is met:

the third country ensures an adequate level of protection for the Customer Data pursuant to a decision of the European Commission,

there are appropriate safeguards in place under the Data Protection Law, such as standard data protection clauses adopted by the European Commission, which cover the transfer and processing of Customer Data as well as other necessary safeguards required in the individual case, or

it is possible to rely on another exemption under Data Protection Law for the transfer of Customer Data.

10.

SUPERVISION AND CONTROL

10.1

Riddle shall provide the Customer with all necessary information to demonstrate the compliance with the clauses set out in this DPA.  

10.2

The Customer shall have the right, to the extent needed, either alone or by using a third party, to inspect Riddle´s operations to verify that Riddle and any Subcontractors according to clause 8 comply with the DPA and Data Protection Law. Any visit to Riddle´s premises must be done during normal office hours and with reasonable notice, which usually refers to ten (10) working days.

10.3

When the Customer is exercising its right to inspection under clause 10.2, Riddle shall provide the Customer with all the necessary information and assistance that the Customer can reasonably require. This shall be done at the Customer´s expense.

10.4

If the Customer uses a third party to inspect Riddle´s operations and equipment, the Customer shall ensure that such third party is bound by confidentiality in relation to any information accessed by the third party in the course of the inspection, and that such confidentiality is no less restrictive than the confidentiality set out in clause 11 of this DPA.  

11.

NON-DISCLOSURE

11.1

In addition to the confidentiality undertakings which follow from the Agreement, Riddle shall undertake to not reveal Customer Data or any information regarding the processing of such data to a third party without the explicit instruction to do so from the Customer. This clause does not apply to information which has been submitted to Subcontractors to fulfil their obligations or information that, as a result of something other than a violation of this DPA, is in the public domain and information which Riddle is legally obliged to disclose according to mandatory law, decision from a court or authority.

11.2

Riddle shall ensure that each person or third party which gains access to Customer Data has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

11.3

The confidentiality undertakings in clause 11.2 shall also apply in relation to any Subcontractors, and shall therefore be part of any agreement which Riddle enters into with a Subcontractor.

11.4

The provisions in clauses 11.1 and 11.2 shall continue to apply without limitation in time.

12.

RETURN OR ERASURE OF CUSTOMER DATA

12.1

When Riddle discontinues the processing of Customer Data, Riddle shall, in accordance with instructions provided by the Customer, either transfer all Customer Data to the Customer or permanently erase or restrict all Customer Data, provided that this is not hindered by Union or Swedish law (such as, for example, but not limited to, accounting and anti-money laundering regulations).

12.2

After carrying out such transfer or erasure, Riddle shall ensure that Customer Data cannot be recreated.

13.

AMENDMENTS AND TERMINATION

13.1

This DPA comes into effect at the same time as the Agreement. It expires at the later of (a) the expiration of the Agreement and (b) the time at which Riddle has fulfilled its obligations under clause 12 above.

14.

AMENDMENTS AND ADDITIONS

14.1

If the Data Protection Law changes during the term of the DPA, or if the Supervisory Authority issues guidelines, decisions, or regulations concerning the application of the Data Protection Law that result in the DPA no longer meeting the requirements for a data protection agreement, the Parties shall make the necessary changes to the DPA in order to meet such new or additional requirements.

15.

APPLICABLE LAW AND DISPUTE RESOLUTION

15.1

This DPA and all processing of Customer Data taking place according to the DPA are subject to Swedish law, with the exception of applicable rules regarding the choice of law. Any dispute regarding the interpretation or application of this DPA shall be settled according to the provisions about dispute resolution in the Agreement.

Appendix 1 to the data processing agreement

The Customer´s instruction regarding the processing

In addition to what has been set out in the data processing agreement, the following instructions shall apply to the processing:

1.

PARTIES

1.1

The purpose of the processing is the fulfilment of Riddle´s obligations according to the Agreement.

1.2

The Customer Data processed are: 

[Name]

[Customer ID]

[Contact details]

[Address for delivery and billing]

[Payment method]

[Account number (not last four digits)]

[Order ID]

[Link to order]

[Order number]

[Ordered items]

[etc. etc.]

1.3

The Relevant Subjects whose personal data is being processed are:

[The Customer´s customers]

1.4

The processing activities regulated by the DPA are:

[Collection]

[Storage]

[Matching]

[Transmission]

[Deletion]

[etc. etc.]

1.5

Retention of Customer Data

Riddle shall retain Customer Data for six (6) months after the end of the provision of services relating to processing, unless Union or Swedish law requires longer storage.

1.6

Geographical location

Riddle shall process the Customer Data in Sweden. The geographical location of data processed by Subcontractors can be found at [insert link to a list of Subcontractors provided on your website].

Appendix 2 to the data processing agreement

Technical and organizational safety measures

In addition to what has been set out in the data processing agreement, the following instructions shall apply to the processing:

1.

Organizational measures

[Governing Internal Rules]

[Quality Controls]

[Education and training]

[Yearly testing of recovery from backup]

[etc. etc.] 

2.

Technical measures

[Encryption of data at rest and in transfer]

[Multifactor authentication of all users]

[Authentication of API calls]

[Logging of access and changes]

[Backup and recovery]

[etc. etc.]
