Data Processing Addendum (DPA)
1. Introductory Provisions
1.1 The Customer has in conjunction with this DPA entered into a Main Services Agreement regarding Processor’s provision of services to the Controller. Pursuant to the Main Services Agreement, the Processor will process personal data on behalf of the Controller in the capacity of a data processor. This DPA governs the rights and obligations of the Parties when the Processor processes personal data on behalf of the Controller pursuant to the Main Services Agreement.
1.2 This DPA, including its appendices, together with the Main Services Agreement, constitutes the Controller’s complete instructions to the Processor for the processing of the personal data.
1.3 If the information stipulated in the Main Services Agreement conflicts with this DPA, this DPA shall take precedence.
1.4 This DPA aims to meet the current requirements for a DPA in accordance with Applicable Data Protection Legislation.
To the extent that Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter referred to as the General Data Protection Regulation (“GDPR”), contains terms similar to those used in this DPA, such terms shall have the same meaning as in the GDPR.
3. Processing of Personal Data
3.1 The Processor shall ensure compliance with Applicable Data Protection Legislation and its obligations under this DPA when processing personal data on behalf of the Controller.
3.2 The Processor may only process personal data on behalf of the Controller in accordance with the Controller’s documented instructions unless required to do so by the laws of the European Union or a member state of the union to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller’s instructions are set out in Appendix 1.
3.3 Except as set out in Section 3.2, the Processor may not process any personal data for its own purposes or other purposes not set out in this DPA.
3.4 The Processor shall immediately inform the Controller if, in the Processor’s opinion, the Processor has not received sufficient instructions to process personal data in accordance with its obligations or if, in the Processor’s opinion, an instruction infringes Applicable Data Protection Legislation, and defer the processing until receipt of further instructions from the Controller.
3.5 Any changes to the Controller’s instructions shall be negotiated separately and documented in writing. The Processor shall be entitled to compensation for additional costs incurred as a result of any such amendments provided that the Processor has informed the Controller of such additional costs.
4. The Processor’s Obligation to Assist the Controller
4.1 The Processor shall assist the Controller in fulfilling its obligations in accordance with Applicable Data Protection Legislation per the Controller’s request. This means that the Processor shall:
a) through appropriate technical and organisational measures, to the extent possible and with due regard to the nature of the processing, assist the Controller in fulfilling the Controller’s obligations to comply with the data subjects’ requests for exercising their rights under the GDPR (such as rectification, deletion, restriction, data portability and request of access);
b) assist the Controller in fulfilling the Controller’s obligations to take appropriate security measures for the processing of personal data under this DPA to ensure a level of security appropriate considering the level of risk which the processing of personal data in question entails;
c) assist the Controller by providing the information, assistance and resources that are reasonably necessary for fulfilling the Controller’s obligation to report personal data breaches to the competent supervisory authority;
d) assist the Controller with the information, assistance and resources that may reasonably be required to fulfil the Controller’s obligation to inform the data subjects, within the framework of this DPA, in the event of a data breach that is likely to result in a high risk to the rights and freedoms of natural persons;
e) assist the Controller in fulfilling the Controller’s obligation to carry out impact assessments for processing under this DPA, which is likely to result in a high risk to the rights and freedoms of individuals; and
f) assist the Controller by providing the Controller with the information, assistance and resources that may reasonably be required to fulfil the Controller’s obligation to provide information and documentation to the supervisory authority for prior consultation, and when necessary, and to a reasonable extent, attend meetings with the competent supervisory authority.
4.2 When the Processor assists the Controller in fulfilling the Controller’s obligations under Applicable Data Protection Legislation in accordance with Sections 4.1 b) – f) above, consideration shall be given to the type of processing it refers to, and the information available to the Processor. In order to avoid any misunderstandings, nothing in this Section 4 shall be interpreted as indicating that the Processor may act on behalf of the Controller. The Processor may only act to fulfil its obligations vis-à-vis the Controller.
5. Security and Confidentiality
5.1 The Parties’ obligations to observe confidentiality are regulated in the Main Services Agreement.
5.2 The Processor undertakes to take appropriate technical and organisational measures to protect the personal data being processed under this DPA in accordance with Applicable Data Protection Legislation.
5.3 The Processor shall ensure that only the personnel who must have access to the personal data in order to fulfil the Processor’s obligations under this DPA will have access to such personal data. The Processor shall ensure that all such personnel are bound by appropriate confidentiality obligations, either by law or by agreement.
6. Personal and Data Breaches
6.1 The Processor shall without undue delay inform the Controller after becoming aware of any personal data breach.
6.2 A notification pursuant to Section 6.1 shall include all information which may reasonably be required by the Controller to fulfil its obligations under Applicable Data Protection Legislation. Such information includes e.g. a description of:
a. the nature of the personal data breach, categories of and the approximate number of data subjects affected, categories of and the approximate number of personal data included;
b. likely consequences as a result of the data breach; and
c. a description of the measures taken to rectify the personal data breach or to mitigate its potential adverse effects.
6.3 If and to the extent it is not possible to provide all the information at the same time, the information may be provided in instalments without undue further delay.
6.4 The Controller shall compensate the Processor for any direct costs that the Processor incurs if the measures taken under this Section 6 are due to the Controller’s non-compliance with Applicable Data Protection Legislation.
7.1 The Processor is entitled to engage Sub-processors to process personal data on behalf of the Controller. The Processor shall enter into an agreement with all Sub-processors which imposes corresponding obligations as are applicable to the Processor in accordance with this DPA. The Processor shall be fully accountable towards the Controller for the performance of the Sub-processors’ obligations.
7.2 A list of approved Sub-processors at the time of entering into this DPA is set forth in Appendix 2.
7.3 If the Processor intends to engage or replace a Sub-processor, the Processor shall, prior to such engagement, inform the Controller thereof in writing and enable the Controller to object to the engagement. Any objections by the Controller shall be made by the Controller in writing without any undue delay, and at the latest within thirty (30) days, as from the time the Controller receives the information. The Processor shall provide the Controller with any information reasonably requested by the Controller to enable the Controller to assess whether the use of the proposed Sub-processor will be in compliance with this DPA and Applicable Data Protection Legislation. If such compliance, in the Controller’s legitimate and reasonable opinion, will not be enabled through the engagement of the proposed new Sub-processor and the Processor, despite the objections of the Controller, wants to engage the proposed Sub-processor, the Controller shall have the right to terminate the Main Services Agreement. If the objection is not legitimate, the Controller shall not have the right to terminate the Main Services Agreement.
8. Transferring personal data to a third country
The Processor may move, store, transfer, or otherwise process the personal data outside of the EU/EEA, provided that such transfers meet the requirements and undertakings which follow from Applicable Data Protection Law. The Processor undertakes to enter into the relevant module of the EU Commission’s Standard Contractual Clauses with its Sub-processors that transfer personal data outside EU/EEA, unless another applicable transfer mechanism applies, and to take all reasonable measures to control that the engaged Sub-processors ensure the lawfulness of any further transfers of personal data that the Sub-processors’ sub-processors may undertake.
9. Request for information and disclosure of personal information
9.1 In cases where a data subject or other third party requests information from the Processor in respect of processing of personal data which belongs to the Controller, the Processor shall refer such data subject or third party to the Controller.
9.2 In the event a public authority requests the type of data as set forth in Section 9.1, the Processor shall immediately inform the Controller of the request, unless prevented by law, and the Processor and the Controller shall thereafter, in consultation, agree on a suitable course of action. Unless expressly agreed between the Parties, the Processor shall not act on behalf of the Controller.
9.3 The Processor shall not disclose or make any personal data available to third parties unless the Processor is under a legal obligation deriving from the laws of the European Union or a member state, or court or public authorities’ order to disclose the personal data.
9.4 If an obligation to disclose information as stipulated in this Section 9 emerges, the Processor shall immediately inform the Controller of such situation.
10. Audit and documentation
10.1 The Processor undertakes to document and keep records of the measures taken by the Processor in order to comply with its obligations under this DPA and Applicable Data Protection Legislation.
10.2 The Processor shall assist the Controller in obtaining information and documentation relating to the processing of personal data carried out on behalf of the Controller to the extent required to demonstrate that the Processor has fulfilled its obligations in accordance with Applicable Data Protection Legislation. The right to information shall include the right of access to the Processor’s premises. The Controller shall be entitled to request an audit for this purpose which may be conducted either by the Controller or by an independent third party provided that such third party is subject to confidentiality and does not constitute a competitor to the Processor.
The Processor shall receive compensation for any reasonable costs for measures which it takes in respect of processing of personal data in accordance with this DPA.
12.1 In the event of compensation for damages in connection with wrongful processing of personal data, which, through an established judgment or settlement, shall be payable to data subjects due to a breach of the provisions in this DPA, the Controller’s instructions and/or Applicable Data Protection Legislation, Article 82 GDPR shall apply.
12.2 Any administrative fines pursuant to Article 83 GDPR or Chapter 6 of the Swedish Data Protection Act (2018:218) shall be borne by the Party upon whom such a charge is imposed.
12.3 The breaching Party’s liability towards the other Party for such claims referred to in Section 12.1 above shall be subject to the limitations of liability set out in the Main Services Agreement.
With the exception of Sections 5 and 12, the provisions of this DPA shall apply for as long as the Processor processes personal data on the Controller’s behalf.
14. Measures in connection with the termination
14.1 When the Main Services Agreement expires, the Processor shall, at the Controller’s request and per the Controller’s instructions, permanently delete, or return in a format that the Controller chooses, all personal data processed in accordance with the DPA to the Controller, unless the Processor is required by law to save a copy of the personal data.
14.2 In this context, deletion means that the personal data is deleted in accordance with the industry standard in force at any given time in order to make it impossible for the data to be recreated using technology or method known at the time of deletion. This shall also apply to personal data that has been processed for logging and security purposes.
Any amendments and additions to the DPA shall, in order to be binding, be in writing and duly signed by both Parties.
16. Dispute and applicable law
What is stipulated in the Main Services Agreement applies to dispute settlement and choice of law.
Specification of the processing
1. Brief description of the service
The nature of the Processing is the performance of the Services pursuant to the Agreement.
The Services allow Customer to screen, assess, mitigate, audit and report the organisation and AI applications for ethical risks.
2. Purpose and subject-matter of the processing
Anch.AI will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
3. Categories of personal data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
4. Categories of data subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
5. Processing operations (storing, managing, cross-referencing, etc.)
Processing operations include, but are not limited to:
6. Location of processing operations
anch.AI will process personal data at Mäster Samuelsgatan 36, 111 57 Stockholm, Sweden.
As per 7 above, Sub-processors will Process Personal Data as necessary to perform the Services pursuant to the Agreement. Subject to section 9 of this DPA, the Sub-processors will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Identities of the Sub-processors used for the provision of the Services and their country of location are listed in Appendix 2.
7. Duration of the processing/retention period
Subject to section 13 of the DPA, Anch.AI will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.