Privacy Policy

Wide Ideas – Privacy Policy

Last updated: 17 January 2019


1. Parties

1.1 Idea2Innovation Sweden AB, company reg. no. 556820-0538, House Be Idea2Innovation, Kurortsvägen 20, 837 51 Åre (”Data Processor”)

1.2 CUSTOMER and the Data Processor are individually referred to as “Party” and jointly as the “Parties”.

2. Background
2.1 The Parties have entered into an agreement dated [] under which a web application shall be provided (the “License Agreement”). When fulfilling the License Agreement, the Data Processor will process personal data on behalf of CUSTOMER as a Data Processor.

2.2 This agreement (the “Data Processing Agreement”) constitutes such an agreement between a data controller and a data processor which shall be executed pursuant to Applicable Data Protection Laws (as defined below).

3. Definitions
3.1 Terms legally defined under Applicable Data Protection Laws, such as “data controller”, “data processor”, “personal data”, “processing” and “data subject”, shall apply and be interpreted in accordance with Applicable Data Protection Laws when the initial letter is stated in lower case.

3.2 Without prejudice to the previous section and in addition to the terms defined above, the following definitions shall have the meaning set out below when the initial letter is stated in upper case:

”Applicable Data Protection Laws”
i. GDPR and supplementary legislation;
ii. applicable Swedish law; and
iii. ordinances and instructions related to (i) and (ii), including guidelines issued by a Supervisory Authority, which apply to CUSTOMER or the Data Processor.

In the event of any conflict between the legal frameworks stated in the sections (i) to (iii) above, they shall take precedence in the order as stated above.

”Data Controller”
CUSTOMER, unless the Parties have agreed otherwise in this Data Processing Agreement.

”Data Processor”
Idea2Innovation Sweden AB, unless the Parties have agreed otherwise in this Data Processing Agreement.

”Data Subject”
Individual whose personal data form part of Relevant Personal Data.

”GDPR”
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

”Relevant Personal Data”
Personal data transferred to, stored or otherwise being processed by the Data Processor on behalf of CUSTOMER under the License Agreement, as specified in Appendix 1.1 (Specification) to this Data Processing Agreement.

“Supervisory Authority”
Swedish or EU authority such as the Swedish Data Inspection Board (Swe. Datainspektionen) and, where applicable, any other supervisory authority that exercises its supervision under law in relation to the processing of Relevant Personal Data.

4. Applicable Documents
4.1 The Data Processing Agreement consists of this main document and Appendix 1.1 (Specification), where the processing of personal data carried out by the Data Processor, the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of Data Subjects are set out. In the event of any conflict between this Data Processing Agreement and the License Agreement, the provisions in this Data Processing Agreement shall take precedence.

5. Lawful Processing
5.1 The Data Processor undertakes to process Relevant Personal Data in accordance with this Data Processing Agreement, the License Agreement, Applicable Data Protection Laws and CUSTOMER’s documented instructions as given from time to time.

6. Instructions
6.1 CUSTOMER has the right to continuously instruct the Data Processor in writing as regards the processing of Relevant Personal Data by the Data Processor, and the Data Processor is obligated to comply with such instructions. The Data Processor and the individuals who act under the supervision of the Data Processor may only process Relevant Personal Data in accordance with the instructions that follow from this Data Processing Agreement and the additional instructions given by CUSTOMER from time to time.

6.2 If the Data Processor is of the view that an instruction would be in breach of Applicable Data Protection Laws, the Data Processor shall without undue delay notify CUSTOMER and await further instructions before the Data Processor continues to process Relevant Personal Data.

6.3 Notwithstanding what is stated in sections 6.1 and 6.2 above, the Data Processor has the right to process Relevant Personal Data to the extent necessary according to Applicable Data Protection Laws. The Data Processor shall, however, before carrying out such processing, notify CUSTOMER of the legal obligation, unless the Data Processor is prohibited from notifying CUSTOMER under Applicable Data Protection Laws.

7. Appropriate technical and organisational security measures
7.1 The Data Processor shall implement technical and organisational security measures in accordance with Applicable Data Protection Laws for the protection of the Relevant Personal Data against any accidental or unlawful destruction, loss or alteration as well as unauthorised disclosure or access. CUSTOMER shall upon request be notified of the measures being taken.

7.2 The Data Processor shall allow for inspections that the Supervisory Authority may request to ensure a lawful processing of Relevant Personal Data. The Data Processor shall, without any costs for CUSTOMER, comply with decisions made by Supervisory Authorities on measures to comply with security obligations according to Applicable Data Protection Laws.

8. Transfer of personal data outside the EU/EEA
8.1 The Data Processor has the right to transfer Relevant Personal Data to a country outside the EU/EEA area, provided that:

8.1.1 the country outside the EU/EEA area ensures an adequate level of protection for personal data in accordance with a decision issued by the EU Commission which comprises Relevant Personal Data;

8.1.2 the Data Processor ensures there are appropriate safeguards in place in accordance with Applicable Data Protection Laws, e.g. standard data protection clauses adopted by the EU Commission that comprise the transfer and the processing of Relevant Personal Data; or

8.1.3 if there are any other exemptions under Applicable Data Protection Laws that comprise the processing of Relevant Personal Data.

8.2 For the avoidance of doubt, Relevant Personal Data may not be transferred to or processed in a country outside the EU/EEA area if none of the conditions outlined in section 8.1 above is met.

9. Obligation to notify and assist CUSTOMER
9.1 The Data Processor shall, to the extent possible having regard to the nature of the processing, implement appropriate technical and organisational measures to assist CUSTOMER in fulfilling its obligations, e.g. to respond to requests from data subjects to exercise their rights and without undue delay rectify, delete, restrict the processing of, and/or suppress Relevant Personal Data in accordance with the instructions of CUSTOMER and Applicable Data Protection Laws.

9.2 The Data Processor undertakes to notify CUSTOMER of each personal data breach in writing without undue delay after becoming aware of the personal data breach. The notification shall include all information necessary to enable CUSTOMER to fulfil its obligation to report to or notify the Supervisory Authority and/or the Data Subjects.

9.3 Furthermore, the Data Processor shall, upon CUSTOMER’s request, assist CUSTOMER to ensure that CUSTOMER is able to fulfil its obligations under Articles 32-36 of the GDPR, including, but not limited to, the provision of all information which reasonably may be required to demonstrate that the Data Processor has fulfilled its obligations as a data processor under Applicable Data Protection Laws. The Data Processor is entitled to compensation from CUSTOMER for any costs relating to the Data Processor’s assistance in accordance with CUSTOMER’s request regarding data protection impact assessments and prior consultations.

10. Contact with Data Subjects and Supervisory Authorities
10.1 If a Data Subject, Supervisory Authority or other third party requests information from the Data Processor regarding the processing of Relevant Personal Data, the Data Processor shall immediately forward such request to CUSTOMER and await further instructions according to section 6.2 above.

10.2 The Data Processor shall without undue delay notify CUSTOMER of all contact with Data Subjects, Supervisory Authorities or other third parties regarding the Data Processor’s processing of Relevant Personal Data.

11. Sub-contractor
11.1 The Data Processor has the right to engage sub-contractors to process Relevant Personal Data on behalf of CUSTOMER. CUSTOMER has the right to object to Data Processor’s engagement of a sub-contractor that will process Relevant Personal Data on behalf of CUSTOMER, whereby the Parties shall seek to agree on a solution which is acceptable to both Parties.

11.2 Furthermore, CUSTOMER hereby grants the Data Processor a right to enter into data processing agreements directly with the sub-contractor. Such data processing agreement shall impose obligations on the sub-contractor corresponding to what is set out in this Data Processing Agreement in relation to the Data Processor. The Data Processor shall take all measures necessary to ensure that the sub-contractor does not process Relevant Personal Data in breach of this Data Processing Agreement.

11.3 The Data Processor shall remain fully liable to CUSTOMER for the performance of the sub-contractor’s obligations according to the Data Processing Agreement and/or Applicable Data Protection Laws.

12. Audit right
12.1 CUSTOMER or a third party appointed jointly by the Parties has the right to audit the Data Processor’s business and data processing equipment to ensure that the Data Processor, as well as potential sub-contractors according to section 11 above, fulfil their obligations under this Data Processing Agreement and Applicable Data Protection Laws. For the avoidance of doubt, an audit shall only comprise such information necessary in order for CUSTOMER to establish whether the Data Processor has implemented appropriate technical and organisational measures to fulfil its obligations under this Data Processing Agreement. The information shall under no circumstances comprise information regarding the Data Processor’s business or intellectual property, unless it is strictly necessary in order to ensure that the Data Processor complies with Applicable Data Protection Laws.

12.2 CUSTOMER shall ensure that a third party that carries out an audit signs a confidentiality agreement in relation to any information that the third party receives within the scope of the inspection, which is not less restrictive than what is stated under section 13 below. CUSTOMER shall notify the Data Processor in writing at least thirty (30) days in advance if CUSTOMER wishes to exercise its right to conduct an audit. All costs related to an audit shall be borne by CUSTOMER, including any potential costs incurred by the Data Processor due to the Data Processor’s participation during an audit.

12.3 The Data Processor undertakes to provide the information and/or the assistance that CUSTOMER requests in connection with an audit according to section 12.1 above.

13. Confidentiality
13.1 In addition to the confidentiality undertakings included in the License Agreement, the Data Processor undertakes to not disclose Relevant Personal Data or other information regarding the processing of Relevant Personal Data to a third party without express instructions from CUSTOMER.

13.2 The Data Processor shall ensure that any person who has access to Relevant Personal Data is subject to a confidentiality undertaking in accordance with section 13.1 above.

13.3 The confidentiality undertaking under section 13.1 above is not applicable in relation to sub-contractors that have entered into a sub-processing agreement in accordance with section 11 above. Such sub-processing agreement shall contain a corresponding confidentiality undertaking in relation to the sub-contractor.

14. Liability
14.1 As a result of an infringement of Applicable Data Protection Laws or this Data Processing Agreement, the Parties shall be liable for the part of the infringement relating to each Party’s violation of Applicable Data Protection Laws or this Data Processing Agreement. The provisions regarding liability under Applicable Data Protection Laws shall fully apply to this Data Processing Agreement.

15. Compensation
15.1 The Data Processor is not entitled to any compensation for its performance under this Data Processing Agreement, unless explicitly stated in this Data Processing Agreement or if the Parties agree otherwise.

16. Cessation of processing
16.1 When the Data Processor ceases to process Relevant Personal Data, irrespective of the reason, the Data Processor shall, in accordance with CUSTOMER’s instructions, either (i) transfer all Relevant Personal Data to CUSTOMER in such way, on such medium and in such format as CUSTOMER reasonably instructs; or (ii) permanently delete Relevant Personal Data and delete existing copies, unless the Data Processor is obligated under Applicable Data Protection Laws to store Relevant Personal Data. When data is transferred or deleted, depending on the choice of CUSTOMER, the Data Processor shall ensure that the data cannot be restored.

16.2 In the event CUSTOMER, within thirty (30) days from when the Data Processor ceased to process Relevant Personal Data, has not instructed the Data Processor whether CUSTOMER wishes the Data Processor to return or securely delete Relevant Personal Data, the Data Processor shall delete Relevant Personal Data in a secure way without undue delay, unless the Data Processor is obligated to store Relevant Personal Data under Applicable Data Protection Laws.

17. Amendments and additions
17.1 Amendments and additions to this Data Processing Agreement shall be in writing and duly signed by both Parties to be valid.

18. Term of agreement
18.1 This Data Processing Agreement shall be effective when duly signed by both Parties and shall continue to apply as long as the Data Processor processes Relevant Personal Data.

19. Assignment
19.1 CUSTOMER is not entitled, in whole or in part, to assign obligations or rights under this Data Processing Agreement. The Data Processor is however entitled to assign this Data Processing Agreement to another company or organisation.

20. Applicable law and dispute
20.1 This Data Processing Agreement and all processing of Relevant Personal Data carried out under the Data Processing Agreement shall be governed by Swedish law, except for applicable provisions regarding conflict of laws. Any dispute regarding the interpretation or application of this Data Processing Agreement shall be settled in accordance with the provisions of the License Agreement on dispute resolution.

———————————————————————————————-

APPENDIX 1.1 – DESCRIPTION OF THE PROCESSING OF PERSONAL DATA

1. Purpose
This Appendix 1.1 describes the processing of Relevant Personal Data, which the Data Processor carries out on behalf of CUSTOMER under the Data Processing Agreement.

The purpose of this Appendix 1.1 is to clarify the processing activities and the personal data that are comprised by the License Agreement, in order to comply with the requirement under Applicable Data Protection Laws to specify a data processor’s processing of personal data.

2. The scope, nature and purpose of the processing of Relevant Personal Data
The Data Processor shall, in accordance with what is set out in the License Agreement, deliver Wide Ideas to CUSTOMER. The delivery will entail processing of personal data on behalf of CUSTOMER. The purpose of the processing of personal data is to enable CUSTOMER to use Wide Ideas within the scope of its idea and innovation work. The processing of personal data will be carried out by means of customary IT systems, adapted for the purpose, in the Data Processor’s IT environment.

3. The duration of the processing
The Relevant Personal Data shall be processed during the term of the License Agreement, unless an instruction from CUSTOMER provides otherwise. For example, CUSTOMER will instruct erasure or return of personal data upon the expiry of its employees’ employment. Erasure of Relevant Personal Data may not be carried out unless the Data Processor has received or obtained instructions from CUSTOMER in accordance with the Data Processing Agreement.

4. Relevant Personal Data
The personal data that are processed include the following categories of personal data:
a) Name
b) E-mail address
c) Company
d) Profile picture
e) Personal data pertaining to contact persons at CUSTOMER within the scope of the License Agreement

5. Categories of data subjects
The Relevant Personal Data includes the following categories of data subjects:
a) Employees at CUSTOMER
b) Contact persons at CUSTOMER
c) External consultants at CUSTOMER

6. Processing activities
Without limiting the application of the License Agreement, the following processing activities shall be comprised by the Data Processor’s processing of personal data:
a) Processing by receiving personal data from CUSTOMER
b) Storage
c) Structuring
d) Processing and reading when carrying out obligations under the License Agreement
e) Correction (where applicable)
f) Erasure in accordance with CUSTOMER’s instructions