Data processing agreement

1. Background
1.1 GWS and Customer have entered into a subscription agreement, (the “Agreement”). This data processing agreement, (the “DPA”), forms an integral part of the Agreement. Terms not defined in this DPA shall have the meaning ascribed to them elsewhere in the Agreement.
1.2 GWS has undertaken, or will undertake, to perform services for the Customer of the nature and scope and on the terms set forth in the Agreement or any other separate agreement between the Parties, (the “Services”). Within the scope of the Services, GWS will process personal data on behalf of the Customer.
1.3 In light of the above, the Parties have reached the following DPA.

2. Relationship between the DPA and other agreements between the Parties
In the event that the provisions of this DPA are contradictory to the provisions of any other agreement between the Parties, the provisions of this DPA shall prevail. However, the foregoing does not apply to provisions of a subsequent agreement that expressly supersede the provisions of this DPA.

3. Processing of personal data
3.1 In the context of the performance of the Services, GWS may receive personal data, as defined in article 4.1 of the general data protection regulation (EU 2016/679), (the “GDPR”), processed for purposes determined by the Customer, (the “Personal Data”). The Customer is the data controller of the Personal Data in accordance with the personal data protection laws applicable from time to time, as well as any other applicable law, regulation or equivalent ordinance.
3.2 GWS undertakes to only process the Personal Data in accordance with the terms of the DPA or other written agreement between the Parties, and only in accordance with the Customer’s instructions, Appendix 1, as well as with the from time to time applicable data protection legislation and any other applicable law, regulation or equivalent ordinance. The Customer is responsible for ensuring that the GWS does not process any other categories of Personal Data than those listed in Appendix 1, and in accordance with the scope stated therein. In case of changes in the documented instructions by the Customer, GWS is entitled to reasonable compensation.
3.3 In case GWS lacks the instructions that the Customer considers necessary to perform the tasks that GWS has acquired from the Customer within the scope of the Services, GWS shall, without delay, notify the Customer of its position and await such instructions that GWS deems necessary.
3.4 Access to the Personal Data shall, within GWS’ organization, be limited to those who require it for the performance of the Services and who are obligated to observe secrecy by agreement or by law. GWS shall take appropriate technical and organizational measures to protect the Personal Data. Such measures shall provide a level of security that is appropriate with regard to the available technology and the cost of the measures, taking into account whether there are any specific risks involved with the processing and the level of sensitivity of the Personal Data. Such measures include
a) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
b) the ability to restore the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident;
c) the pseudonymisation and encryption of the Personal Data when the processing so requires under the applicable law;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, when required under the applicable law;
e) keeping and updating logs of the Personal Data, the maintenance of a secure IT environment, and establishment and maintenance of physical security measures and procedures; and
f) ensuring procedures to immediately notify the Customer of any completed unauthorized access to the data provided by the Customer (including destruction or alteration of the Personal Data).
3.5 GWS undertakes to, at all times, ensure that relevant personnel complies with this DPA and the Customer instructions, and to ensure that they are kept informed regarding the from time to time applicable data protection legislation.
3.6 GWS shall, through suitable technical and organizational measures and to the degree it is possible in relation to the nature of the processing, assist the Customer in order for the Customer to be able to fulfil its obligation to respond to requests from the individual data subjects in accordance with the applicable law or regulation. GWS shall also in all other aspects assist the Customer in fulfilling its obligations, taking into account the type of processing and the information available to GWS, regarding
(a) security in connection to the processing;
(b) notification of any personal data breach to the supervisory authority;
(c) communication to the data subject of a personal data breach; and
(d) data protection impact assessment and prior consultation;
to the extent that the obligations in (a)-(d) above are required according to the applicable law or regulation. GWS shall be entitled to reasonable compensation for its assistance in accordance with this Section 3.6.
3.7 GWS undertakes to maintain a written record of the processing of Personal Data including the content stated in article 30.2 of the GDPR. Upon request, the records shall be provided to the Customer.
3.8 If, contrary to the GDPR, the Customer does not inform the individual data subject of a personal data breach and the supervisory authority orders GWS to rectify the deficiency, the Customer shall compensate the costs of GWS to adhere to the order of supervisory authority.
3.9 GWS has the right to appoint another processor (a so-called sub-processor) for the processing of the Personal Data. GWS shall inform the Customer that GWS intends to appoint another or replace a sub-processor at least 10 working days before such an appointment or replacement takes place. GWS may notify the Customer of new sub-processors by updating a list available on GWS’ website. If the Customer objects to the appointment of such sub-processor that the Customer has been informed of according to this Section 3.9 before the appointment, GWS cannot appoint the sub-processor for the processing of the Personal Data, provided that the Customer had a justifiable reason for its objection. The term “justifiable reason” as referred to in this Section refers to circumstances on behalf of the sub-processor that, to a considerable degree affects, or likely will affect, the protection of the personal integrity of the individual data subject, for example if the new sub-processor does not fulfil the requirements on personal data processors in the GDPR or any other relevant privacy legislation. If GWS engages such sub-processor, GWS shall ensure that the data processor by agreement undertakes the same data privacy obligations as arising out of this DPA. GWS is fully responsible towards the Customer for such undertakings of the sub-processor.
3.10 Unless otherwise agreed upon in writing between the Parties, GWS has the right to transfer personal data outside the EU/EEA. GWS undertakes to only transfer or process personal data outside the EU/EEA when such transfer or processing is lawful under article 45-47 of the GDPR.
3.11 The Customer has the right to information and the right to audit the performance of GWS’ obligations under the DPA. GWS shall allow and contribute to such audits, including inspections, carried out by the Customer or an auditor engaged by the Customer. If the Customer wishes to carry out an inspection, the Customer shall inform GWS of such inspection within reasonable time before the inspection and at the same time specify the content and scope of the inspection. GWS has right to compensation of its reasonable costs in relation to such an inspection or other audit. Unless otherwise agreed upon in writing, the inspection can only be performed if an audit according to the GDPR cannot be fulfilled through the provision of information by GWS.
3.12 An inspection according to Section 3.11 requires that the Customer, or an auditor appointed by the Customer, has agreed upon necessary confidentiality obligations and adheres to the safety regulations on the place of inspection. It also requires that the inspection is performed without the risk of disrupting the business operations of GWS or the protection of the information of other controllers and personal data. Information that is gathered as part of an audit, including inspections, shall be deleted after the audit is completed or when it is not necessary for the purpose of the audit.
3.13 GWS shall immediately inform the Customer if GWS believes that an instruction is contrary to applicable law, regulation or equivalent ordinance. GWS shall be prepared to comply with decisions made by the Swedish Data Protection Authority on measures to comply with the safety requirements of applicable law.
3.14 GWS shall without delay notify the Customer regarding any contact with a competent supervisory authority that concerns, or could be of importance for, GWS’ processing of Personal Data. GWS does not have the right to represent the Customer or act on its behalf in relation to the supervisory authority.
3.15 Upon discontinuation of GWS’ processing of the Personal Data (e.g. due to the Customer giving instructions that the processing should be discontinued or that the DPA is terminated in accordance with Section 4.1 below), GWS shall return or anonymize all data containing personal data covered by this DPA and all media on which such data is stored. GWS shall also delete or anonymize existing copies of all such data, e.g. from backup systems, unless GWS has a legal obligation to retain the Personal Data under union or member state law.

4. Miscellaneous
4.1 This DPA shall enter into force upon signing of the Agreement by authorised representatives of both Parties. The DPA shall terminate simultaneously with the Agreement, however, at the earliest when GWS has ceased all processing of the Personal Data.
4.2 GWS has no right to transfer its rights or obligations under this DPA, in whole or in part, without the Customer’s prior written consent.
4.3 If applicable data protection legislation change during the period of this DPA, or if a competent supervisory authority issues guidelines, decisions or rules regarding the application of the applicable data protection legislation, that results in this DPA to no longer meet the requirements provided for data processing agreements, or if the agreement or agreements that regulate the Services change, this DPA shall change to accommodate such new or additional requirements and/or changes. Any such change shall enter into force on the day that the Customer states, but not earlier than five days after notice of such change was sent to GWS. GWS has right to compensation for its reasonable costs incurred by such a change of this DPA.
4.4 In addition to what is applicable under the Agreement, for the period of this DPA and thereafter, GWS undertakes not to disclose the Personal Data to any third party. The Personal Data may only be disclosed to such employees of GWS for which the Personal Data is necessary to perform their tasks, to a competent supervisory authority, or otherwise when disclosure of the Personal Data is required by law. It is the responsibility of GWS to ensure that employees that are likely to come in contact with the Personal Data have undertaken to keep the Personal Data confidential to the same extent as GWS is required under this DPA.
4.5 This DPA shall be governed by and construed in accordance with Swedish law. Disputes concerning the interpretation or application of this DPA shall be settled in accordance with the Agreement.

Appendix 1: Customer’s instructions

Below are the instructions of the Customer, as stated in Section 3.2 of the DPA. Instructions given at a later date which makes reference to the DPA replace the ones provided below.

Categories of data subjects Customers and Customer’s employees (end users).
Types of Personal Data Name, telephone number, address, e-mail address, gender, passport number, nationality, job title, manager, department/group, location, imsi, base station information, IP address, considered home country.
Processing purposes Data is processed to create and visualize corporate information and corporate structure, to keep track of end user’s location in order to fulfill the security service. Anonymized data is processed for statistical purposes and future optimization of the Services.
Nature of the processing Collecting, storing, viewing, analyzing, anonymization and use.
Retention period As long as Customer has an active subscription, however personal data will not be kept for a period longer than eighteen (18) months.