Data processing agreement - Template

Faculty/department/office/centre / Agreement
SLU ID: SLU.[Write the number here]
2015-12-09

The Swedish University of Agricultural Sciences (SLU), office/department/faculty/centre, org.nr. 202100-2817, box 7070, postal address, hereinafter the Controller, and name of the other party, org.nr. xxxxx-xxxxx, address, postal address (the Processor) have, as of the above date, entered into the following agreement.


Background

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter the Regulation, requires that a written data processing agreement be drawn up when a party processes personal data on behalf of another party. Consequently, the Controller and the Processor have agreed to enter into this data processing agreement, as an appendix to main agreement XXXX (replace this sentence with the name of the agreement that this data processing agreement is added to).

1. Definitions

1.1. ‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.2. ‘Data Subject(s)’ means the natural person(s) whose Personal Data is to be processed.

1.3. ‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.4. In case of uncertainty, the definitions in the Regulation apply.

2. Commitments of the Processor

2.1. The Processor commits to performing the Processing as specified in the main agreement XXXX (the agreement, contract, appendix etc. that makes this DPA relevant. In that agreement the following needs to be specified:
a) what Personal Data will be processed;
b) the categories of natural persons whose data will be processed;
c) how the Processing will be designed;
d) for how long the Processing will take place. For this purpose, note whether the Personal Data will be archived, following Swedish laws on public access to information and archiving.)

2.2. The Processor commits to abiding by the Regulation, and to keeping up to date regarding the development of the Regulation and related legislation relevant to the Processing covered by this agreement.

2.3. The Processor, including any and all persons working under the Processor’s supervision, may only Process Personal Data pursuant to the main agreement and in accordance with the instructions given by the Controller to the Processor in this DPA, in the main agreement, or as otherwise received from the Controller in writing. If the Processor deems that it lacks the instructions necessary to perform the Processing assigned to the Processor through the main agreement, the Processor shall contact the Controller without delay in order to receive such instructions. All instructions received shall be documented by the Processor.

2.4. In case the Processor plans to engage a sub-processor in order to fulfil the duties of the main agreement, the Processor shall obtain written authorisation to do so from the Controller. If a general authorisation has been obtained from the Controller, the Processor shall instead inform the Controller of the sub-processors engaged, to give the Controller the opportunity to object to the choice of sub-processor. When engaging a sub-processor, the Processor shall ensure that the sub-processor only Processes Personal Data under the same terms, and to the same standard, as the Processor itself.

2.5. The Processor shall only Process Personal Data using equipment located within the EU/EEA, including when using cloud services. The Processor may move said equipment, or Process Personal Data using other equipment, only after receiving the Controller’s approval.

2.6. In the case of a request for information regarding Personal Data from a Data Subject, the Swedish Data Protection Authority or another third party, the Processor shall direct the requester to the Controller. From section 2.4, as well as section 4 below, it follows that the Processor may not release Personal Data or information regarding the Processing without clear instructions or authorisation from the Controller.

2.7. The Processor shall without delay inform the Controller of any requests by the Swedish Data Protection Authority that relate to, or could be of relevance to, the Processing. The Processor does not have the right to represent the Controller, or to act on the Controller’s behalf, vis-à-vis the Swedish Data Protection Authority or any other third party.

2.8. On discovery of a data breach, the Processor shall inform the Controller of the data breach without undue delay, and no later than 24 hours from discovery.

2.9. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons associated with the Processing, particularly to prevent unauthorised access to, destruction of, or alteration of Personal Data. To this end, the measures in Article 32 of the Regulation and the general recommendations of the Swedish Data Protection Authority shall be taken into account.

2.10. The Processor shall, where relevant considering the nature, scope, context and purpose of the Processing, perform a Data Protection Impact Assessment as stipulated in Article 35 of the Regulation, if the Processing is likely to result in a high risk to the rights and freedoms of the Data Subjects.

The Processor shall consult with the Swedish Data Protection Authority where the Data Protection Impact Assessment indicates that the Processing would result in a high risk to the rights and freedoms of the Data Subjects.

2.11. The Controller reserves the right, at its own expense and either itself or through an intermediary, to verify the Processor’s compliance with this DPA. To enable this verification, the Processor shall provide the Controller with such assistance as is required.

2.12. The Processor shall, when this agreement is terminated, transmit the Personal Data to the Controller using a technical medium chosen by the Controller. The medium chosen shall be generally available and shall not require special development by either the Controller or the Processor. Once the Personal Data has been transmitted, all copies of the Personal Data in the Processor’s possession shall be destroyed in such a way that they cannot be recreated, and no copy shall remain in the Processor’s possession.

2.13. The Processor shall assist the Controller in retrieving the information required in order to comply with a request by either the Swedish Data Protection Authority or a Data Subject, or otherwise help the Controller ensure a Data Subject’s rights according to the Regulation.

2.14. The Processor may under no circumstances transfer Personal Data outside of the EU/EEA without the Controller’s explicit permission.

3. The Controller’s responsibilities

3.1. The Controller is responsible for the Processing being compliant with the Regulation. The Controller is also responsible for ensuring that the Data Subjects receive the information required by the Regulation, that consent is collected in a legitimate fashion where required, and that prior consultation with the Swedish Data Protection Authority takes place when necessary.

3.2. The Controller shall, without delay, inform the Processor of changes in the Processing that affect the Processor’s duties. Furthermore, the Controller shall inform the Processor of actions taken by third parties, among others the Swedish Data Protection Authority, with regard to the Processing.

4. Confidentiality

4.1. The Processor agrees not to reveal, by sharing information with a third party or in any other way, information regarding the Processing of Personal Data set out in this agreement or the main agreement, information the Processor has received as a result of this agreement, or information the Processor has received in its role as Processor. This commitment does not apply to information that the Processor is ordered to submit by a government agency, or that is otherwise required by Swedish law. This confidentiality shall extend beyond the point of termination of this agreement.

4.2. The Processor agrees to ensure that physical persons under its supervision who are authorised to Process Personal Data maintain the same level of confidentiality as the Processor itself, as stipulated by this agreement or by law.

5. Remuneration

The Processor may only charge the Controller for Processing if such a right is stipulated in the main agreement, to which this agreement is an annex.

6. Limitation of liability

In the event a Data Subject or another third party directs claims against the Controller as a result of the Processor’s Processing of Personal Data, the Processor shall not hold the Controller liable for damages that arise as a result of the Processor not having followed this agreement, the main agreement or otherwise the Controller’s written instructions.

7. Reformulation

If required with regard to legislation or binding regulations from a government agency, the parties to this agreement shall reformulate this agreement in such a way that it complies with the legal provisions that made the changes necessary.

8. Duration of the agreement

This agreement is valid from the time it is signed and remains valid for as long as the Processor continues to Process Personal Data in accordance with the main agreement, or until such time as either party notifies the other of termination of this agreement. In case of such termination, six months’ notice shall be observed.

At the time of this agreement’s termination, the Processor shall transmit the Personal Data to the Controller in accordance with section 2.13 above.

9. Dispute resolution

In case of a dispute between the parties arising from this agreement, the dispute shall be settled in the manner specified in the main agreement.

This data processing agreement has been drawn up in duplicate, of which each party holds one.

Location and date / Location and date
Swedish University of Agricultural Sciences / XXX AB
Signature / Signature
Name/Title
Department of XX
(The authorised signee) / Name in block letters
