This page, as all other English pages on www.ledningssystemet.se, has been subject to more or less machine translation. The information on the Swedish page take precedence over the corresponding information on the English page.
These general terms and conditions (the Terms) govern the contractual relationship between Ledningssystemet Sverige AB (the Supplier) and the party (the Customer and/or the Partner) with whom the Supplier has entered into an agreement (the Service Agreement) for one or more services (the Service) which refer to these Terms. If no separate agreement has been signed, use of the Service in combination with the Terms and Conditions constitutes the Service Agreement.
The supplier primarily provides the market with the service ledningssystemet.se, which is a multimodular product consisting primarily of customer instances and partner instances.
Ledningssystemet.se is used by organizations to establish and manage a management system related to their given business, either with or without the support of one or more connected partners.
Ledningssystemet.se is provided to the Customer partly as a cloud service (SaaS), and is then operated by an operating supplier procured by the Supplier, and partly as an installed instance in the Customer’s own operating environment. The Customer and the Supplier agree on the form in which the service is to be provided.
Ledningssystemet.se is provided to the Partner as a cloud service (SaaS) and is then operated by an operating supplier procured by the Supplier.
The terms and conditions only regulate the relationship between the Supplier and the Customer or Partner. The Terms and Conditions do not give rise to rights or obligations in relation to the Supplier’s operating supplier or other suppliers. The Supplier is responsible for ensuring that the necessary agreements (e.g. Personal Data Processing Agreements) are signed between the Supplier and the suppliers engaged.
In the event that a separate agreement is signed between the Supplier and the Customer or Partner, this separate agreement shall, as far as possible, be interpreted in accordance with the Terms and Conditions and the current price list published on the website.
When interpreting the Terms and Conditions, the following terms shall, as far as possible, be given the
following meaning:
– Supplier: The provider of the Service and who, through the provision or other
agreement, has signed a Service Agreement with the Customer or Partner.
– Subcontractor: A supplier
procured and provided by the Supplier who may be directly involved in the provision of the Service to the
Customer or Partner.
– Customer: The party who, by using the Service or by other agreement, has signed a
Service Agreement with the Supplier.
– Partner: The party that, through use of the Service’s Partner
Instance or by other agreement, provides documentation and support to Customers.
– Administrator: Anyone
who has an administrator role in a Customer Instance or Partner Instance. An administrator is also the
contact person at the Customer or Partner who has payment responsibility towards the Supplier. Furthermore,
the administrator is responsible for user administration in a customer instance or partner instance.
–
User: An individual / person (e.g. employee or contractor of the Customer or Partner) who is given access to
the Service via the Customer or Partner. All individuals / persons using the Service shall be identified by
a unique account provided by the Supplier or an Administrator.
– The Service: ledningssystemet.se through
a Customer Instance or Partner Instance. A customer instance and a partner instance can be linked to the
same organization, in which case the organization becomes both Customer and Partner.
The Supplier undertakes to provide the Customer or the Partner with access to the Service. The Supplier undertakes to take reasonable and proportionate measures to ensure that the Service is available over the Internet, except during periods when the Supplier or its subcontractors are performing system updates or system maintenance.
The Supplier will, through its own efforts or through the efforts of its subcontractors, carry out monitoring activities to maintain the availability of the Service as far as possible.
The Supplier is not conditionally liable for loss of data, deletion of data or failure to store data or other information; however, the Supplier will rely on industry practices and standards to seek to ensure that data and information are stored and backed up securely in accordance with the Service specification.
The Customer or Partner understands that access to the relevant Internet connection cannot be guaranteed by the Supplier, as the Supplier’s Customers and Partners are responsible professional organizations.
The Customer and/or the Partner shall comply with the security provisions communicated by the Supplier, either in writing or through the configuration of the Service, from time to time.
The Customer and/or the Partner shall ensure that the administrator and user details are correct and update these details if necessary.
The Customer and/or the Partner shall ensure that there is a designated contact person (often the Administrator) with whom the Supplier can get in touch.
The Customer and/or Partner is responsible for the activities and operations conducted in the Service and that these comply with applicable legislation.
The Customer and/or the Partner has the right to use the Service and to grant administrators and users access to the Service. The Customer and/or the Partner is responsible for the persons granted access to the Service.
The Supplier holds the ownership of all intellectual property rights and technical solutions related to the Service or, alternatively, the exclusive right to use technical solutions related to the Service. Such intellectual property rights may only be used by the Customer and/or the Partner in accordance with the Terms and the Service Agreement. The Customer and/or the Partner or any third party may not unlawfully acquire or otherwise appropriate intellectual property rights relating to services, software or technical solutions used in the Service; the same applies to trademarks belonging to or used by the Supplier or Subcontractors.
The Partner retains intellectual property rights and copyrights for the content in the form of risk templates, document templates and other similar content that is created and stored in the Partner’s instance and which was not originally provided by the Supplier.
The Customer retains intellectual property rights and copyright for the content in the form of risk templates, document templates and other similar content that is created and stored in the Customer’s instance and that was not originally provided by the Supplier.
The Supplier provides the Partner with relevant support regarding specific questions about the Service. Customers receive support via Partner. The Supplier offers support via e-mail and via direct messages in the Service.
Customers can submit error reports and incident messages to the Supplier via e-mail and via direct messages in the Service.
Support is primarily provided during office hours and to a reasonable extent.
In addition to the limitations set out in the Conditions, the Supplier shall be liable for losses resulting from the Supplier’s direct negligence. In the event of such negligence, the Supplier undertakes to act to rectify the defects caused without undue delay.
In the absence of the Supplier’s direct negligence, the Supplier assumes no liability for errors or deficiencies in the Service, however, measures will be taken to ensure the availability of the Service as far as possible.
The right to price reductions, damages or other penalties related to operational disruptions or errors does not exist if said events are related to the Supplier’s direct negligence. Where disruptions or errors occur to such an extent that Customer and/or Partner do not have access to the Service for a period exceeding one (1) month, all parties have the right to unilaterally terminate the Service Agreement with immediate effect.
The Supplier’s liability under the Terms and the Service Agreement shall be limited as follows:
–
Supplier’s total liability for damages shall be limited to direct losses up to a maximum amount equal to
three (3) months of license fees for a Customer Instance, provided that such license fees were paid by
Customer and/or Partner during the period immediately preceding the breach entitling to damages.
– In the
absence of willful misconduct or gross negligence, the Supplier shall under no circumstances be liable for
indirect losses, loss of revenue, anticipated savings, loss of income, loss of data or claims by third
parties in relation to the Customer and/or Partner.
– The Customer and/or Partner may only claim damages
in accordance with the above if the Supplier is notified of this no later than 30 days after the Customer
and/or Partner has been informed or should have been informed of the reasons for the claim.
The Customer and/or the Partner shall ensure that individuals and persons who are assigned administrator or user accounts in the Service handle login information in a secure manner. The Service has functionality for SSO through Microsoft 365 and thereby support for multi-factor authentication. In the event that login credentials are exposed to unauthorized persons, the Supplier shall be notified immediately.
Customer and/or Partner shall be liable for any loss or damage caused to Supplier by Customer and/or Partner’s administrators’ or users’ login credentials being exposed to unauthorized persons or third parties in an unauthorized manner; this unless Customer and/or Partner notifies Supplier immediately after suspicion of exposed login credentials has arisen. After the Supplier has been notified of the suspicion of exposed login credentials, the Customer and/or the Partner shall only be held liable if it has acted with intent or gross negligence.
In the event that Customer’s and/or Partner’s use of the Service may result in loss or risk of loss for the Supplier, the Supplier is entitled to restrict access to the Service and take justifiable measures. The Supplier shall promptly notify the parties concerned of the restrictions and any additional measures.
The Supplier has the right, and partly the obligation, to immediately prevent the dissemination of information in the Service if it can be reasonably suspected that the activities violate applicable legislation or the Terms. The Supplier shall promptly notify affected parties if information is removed from the Service.
A Party shall be relieved of liability for damages and other corresponding penalties in cases where obligations are prevented due to circumstances beyond its control. Such circumstances include, for example: bankruptcy, workplace conflicts, lightning, fire, decisions by the authorities, faults in operators’ networks, general shortages of transport, goods or energy and significant delays in subcontractors’ deliveries related to corresponding circumstances.
If circumstances as described above result in operational disruptions or errors occurring to such an extent that the Customer and/or Partner does not have access to the Service for a period exceeding one (1) month, all parties have the right to unilaterally terminate the Service Agreement with immediate effect.
If Customer and/or Partner are prevented from exercising their obligations for a period corresponding to one (1) month due to the above or similar circumstances, Supplier is entitled to unilaterally terminate the Service Agreement with immediate effect.
The Supplier shall not disclose to third parties, or otherwise make available, information obtained through the provision of the Service to the Customer and/or Partner.
Confidentiality does not apply to such information that the Supplier can show has become known to the Supplier other than through the provision of the Service or if the Supplier is obliged to pass on the information based on a decision by the authorities or applicable legislation.
Corresponding confidentiality applies to the extent applicable to the Customer and/or Partner in relation to information about the Service and the Supplier’s circumstances.
Confidentiality also applies after termination of the Service Agreement.
The Supplier acts as a data processor for the Customer and the Partner. The personal data processing carried out by the Supplier in its capacity as data processor is governed by the conditions set out in the Data Processing Agreement below.
The Supplier may act as a sub-processor to a Partner in the event that a Partner and the Supplier agree through a separate agreement that the Partner will pass on the Service. Personal data processing in the capacity of sub-processor is governed by the Data Processing Agreement below.
For a number of processing activities, the Supplier and the Customer and/or the Partner act as separate data controllers. The Supplier’s processing activities are clarified through the Supplier’s Information to Data Subjects.
The Customer shall pay the Supplier compensation in accordance with the applicable and published price list for use of the Service. Compensation is invoiced monthly in arrears with payment terms of 30 days. In the event that the Service is to be available to the Customer with a partner connection from the start, the first month is charged when the Service is set up. For customers where the Service is to be operated in the customer’s operating environment from the start, the first month is charged when the Service is set up.
Invoices must be paid on time, to the bank account stated on the invoice and in the currency stated on the invoice. In the event that the customer does not pay the invoice on time, the Supplier will charge a reminder fee and any penalty interest.
The Service must be terminated by written notice to the Supplier at least one day before the end of a given calendar month if the Customer wishes to ensure that invoicing does not take place for the following month. In the event of early termination of the Service, the Customer is not entitled to a refund of prepaid fees.
In order to ensure the possibility of further development, the Supplier is entitled to make changes to the Service, including changes to functionality, technical solution, system specification and security measures. Changes are notified to the Customer and/or Partner by means of a notice on the website www.ledningssystemet.se and by direct notification to Administrators.
The Supplier reserves the right to change the Terms and Conditions and any attached Service Agreement including, but in no way limited to, pricing. Changes are communicated to the Customer and/or Partner by means of a message on the website www.ledningssystemet.se and by direct message to Administrators. Changes are deemed to have been communicated to the Customer and/or Partner one (1) week after changes have been published on the website or sent to Administrators. If the Customer and/or Partner objects to the change, it has 30 days from the communication of the change to terminate the agreement with immediate effect. If the agreement is not terminated, the change is deemed to be accepted.
The Service Agreement and the Terms and Conditions enter into force when the Customer and/or Partner have instructed the Supplier to set up an instance. The Service Agreement and the Terms and Conditions remain in force indefinitely with one month’s notice from either party.
The Supplier has the right to block the Customer and/or Partner’s access to the Service with immediate effect
and to terminate the Service Agreement prematurely if
– Customer and/or Partner uses the Service to
commit a crime.
– Customer and/or Partner uses the service in a way that causes loss or entails a risk of
loss for the Supplier or a third party.
– The Customer and/or Partner uses the Service in a way that is
contrary to the Supplier’s safety instructions or other regulations.
– Customer and/or Partner does not
pay the agreed compensation despite reminders.
– Customer and/or Partner seeks unauthorized access to the
Service or related services.
– Customer and/or Partner is insolvent, at risk of bankruptcy or insolvent.
Customer and/or Partner has the right to terminate the Service Agreement with immediate effect if
– The
Supplier materially breaches its obligations under the Service Agreement, the Terms and Conditions or the
Personal Data Processing Agreement and fails to make the necessary corrections upon request.
– The
Supplier is insolvent, at risk of bankruptcy or insolvent.
In the event of termination of the agreement, the Supplier is not responsible for information created, collected or generated in the Service. The Customer and/or the Partner needs to ensure that the required exports and backups are secured before the Service Agreement is terminated and the Supplier deletes the relevant instances and thus the information.
The Supplier has the right to delete instances of the Service, and thereby all information, after one (1) month from the termination of the Service Agreement and the terms and conditions. The Data Processing Agreement remains valid until backups at the Supplier’s subcontractor are deleted.
The Supplier is entitled to transfer its rights and obligations under the Service Agreement and the Terms and Conditions, in whole or in part, to a company within the same group or with the same owner as the ownership of Ledningssystemet Sverige AB.
Assignments are notified to the Customer and/or Partner by notice on the website www.ledningssystemet.se and by direct notification to Administrators. Transfers are deemed to have been communicated to the Customer and/or Partner one (1) week after the transfer was published on the website or sent to Administrators. If the Customer and/or Partner objects to the transfer, it has 30 days from the communication of the change to terminate the agreement with immediate effect. If the agreement is not terminated, the transfer is deemed to be accepted.
The Customer and/or Partner are not entitled to assign their rights or obligations under the Service Agreement and the Conditions without the Supplier’s written consent.
Customer and/or Partner shall not be entitled to reproduce, duplicate, copy, sell, resell or exploit the Service or access to the Service. Resale of the Service is only permitted as a result of written consent and a reseller agreement from the Supplier.
The Service Agreement and the Terms and Conditions and the subsequent relationship between the Supplier and the Customer and/or Partner shall be interpreted in accordance with, and governed by, Swedish law.
In the event of a dispute in connection with this Agreement, the dispute shall initially be fully and in good faith attempted to be resolved by negotiation at the executive level, to the extent deemed reasonable under the circumstances. In the event that a dispute cannot be resolved through negotiations at the executive level, the dispute shall be tried through simplified dispute resolution in accordance with ABK 09 Chapter 10.
By using the Service, the Customer and/or the Partner has accepted the Service Agreement. The person who orders the Service from the Supplier is responsible for ensuring the right to enter into the Service Agreement.
Change log
2024-09-25: Establishment of this processor agreement.
2025-11-02: Editorial change
regarding operating relationship where web hosting service->cloud operating service.
This Personal Data Processing Agreement (hereinafter referred to as the Agreement or the Agreement) is established between Ledningssystemet Sverige AB (the Personal Data Processor, or the Subprocessor) and the Customer and/or Partner (the Data Controller, or the Personal Data Processor in the context where Ledningssystemet Sverige AB acts as the Personal Data Subprocessor) who uses the Service ledningssystemet.se in accordance with the Service Agreement above and thereby authorizes the Personal Data Processor to process personal data on its behalf.
Contact details of the Data Processor:
Ledningssystemet Sverige AB
Village Källekullen
511 74
SKEPHULT
Organisationsnummer: 559475-0530
info@ledningssystemet.se
The Processor may only process personal data on behalf of the Controller in accordance with the instructions below.
Description of the processing
Service and purpose of processing: Processing of personal data in
connection with the provision of the Service ledningssystemet.se.
Processing activities:
Collection, registration, logging, storage, copying and deletion of personal data related to the use of the
service.
Categories of data subjects: Customer and/or Partner’s Administrators and Users as well
as the personal data that Administrators and Users enter into the Service.
Categories of personal
data: Name, e-mail, contact details, IP addresses, geolocation data and any additional personal
data in the context of the information Users and Administrators bring to the Service in the context of
utilization. The Service is not constructed or designed to process special categories of personal
data.
Place of processing: Personal data is processed within the EU/EEA and in the context of
the provision of the Service in data centers provided by the Data Processor’s operating supplier as listed
below. The current Data Processor has its data centers located in Sweden.
Retention period / Deletion
period: The Data Processor deletes personal data within the framework of the delivery of the
Service 30 days after the termination of the Service Agreement. Personal data will continue to be stored
within the framework of the Data Processor’s backups for another three (3) months.
Security measures
Physical access: Servers are locked in server halls and access is controlled by
physical key and code which is limited to authorized personnel with operational and maintenance
responsibilities.
System access / Logical access: The processor controls access to the Service
instances through authorization control and through login credentials which include multi-factor
authentication. The Controller is responsible for controlling access for Administrators and Users.
Transfer
of personal data: Personal data is not transferred to external parties through the processor within
the framework of the delivery of the Service. Personal data is not transferred to third countries.
Access
control: The Processor does not gain access to the Controller’s instances beyond what is required
for operation, maintenance and possible support. Administrator rights are kept limited to those individuals
at the Processor who have tasks that require these rights.
Encryption of stored data: The
Service is provided through a cloud service where the Service is continuously available, thus stored data is
not encrypted.
Encryption of data communication: The processor ensures that communication to and
from the service is encrypted.
Secure authentication: The Processor ensures that personnel with
access to the Service and the operating environment are authenticated and verified. The Controller is
responsible for the authentication and identification of Administrators and Users.
Handling of
storage media: Destruction of storage media is handled by the Data Processor’s service
provider.
Capacity and continuity planning: The Processor refers to the service provider’s
continuity and capacity planning with regard to the ongoing operation of the called services. In order to
ensure the required capacity, the Processor has ensured access to capacity at the service provider.
Separation
of data: Each Data Controller receives its own instance. Thereby, data is regularly logically
separated in a virtualized operating environment.
Logging: Logging of activities in the Service
is handled by the Processor at the application level and regarding traffic calls to the Controller’s
instance. Logging at infrastructure level is handled by the service provider.
Management of technical
vulnerabilities: The Processor is responsible for seeking to identify and remedy technical
vulnerabilities at application level. The hosting provider is responsible for the identification and
remediation of technical vulnerabilities at the infrastructure level.
Redundancy: The Processor
is responsible for ensuring that the Service is allocated the required capacity. Redundancy at
infrastructure level is ensured by the hosting provider.
This agreement has been drawn up to fulfill the requirements for agreements between the Controller and the Processor in accordance with Article 28 of the Data Protection Regulation (EU 2016/679). The purpose of the agreement is to uphold the protection of the fundamental rights of data subjects regarding the processing of personal data in accordance with the EU Data Protection Regulation 2016/679 (GDPR), other applicable laws, regulations and orders and decisions and general advice from the supervisory authority regarding the processing of personal data (collectively referred to as the “Data Protection Legislation”).
The Processor is informed that in certain situations the Controller acts as Processor on behalf of another party. When processing personal data, the Processor may, where appropriate, act as a sub-processor. In the role of sub-processor, the Processor has identical obligations when processing personal data under this agreement and the terms of this Data Processing Agreement also apply in the event that the Processor acts as a sub-processor.
The Controller is responsible for all processing of personal data that takes place in connection with the Service Agreement and is responsible for ensuring that the Controller’s processing of personal data takes place in accordance with Data Protection Legislation.
The Processor undertakes to process the agreed personal data only to fulfill its obligations under this Agreement, the Service Agreement and the Controller’s documented instructions communicated from time to time. The Processor may not process the personal data for which the Controller is responsible for any purpose other than to deliver in accordance with the Agreement. The Controller is responsible for ensuring that personal data not covered by this agreement, the Service Agreement or other instructions are not processed within the framework of the service.
The Processor further undertakes to process the personal data in accordance with the Data Protection Act. The Processor shall take such steps as are reasonably necessary to comply with the Controller’s instructions regarding the processing of its personal data. The Processor shall immediately inform the Controller if the Processor considers that an instruction from the Controller would be in breach of Data Protection Legislation or cause the Processor disproportionate cost or inconvenience.
The Processor may not transfer any personal data to a country outside the EU/EEA area or to a country that is not covered by the exceptions to the prohibition on transfer to third countries under the Data Protection Legislation, without having the Controller’s prior written consent and having ensured that such transfer is in accordance with applicable law.
In the event that the Processor suspects or discovers a security breach such as unauthorized access, destruction, alteration or similar of personal data, or if the Processor for any other reason is unable to fulfill the obligations of this Data Processing Agreement, the Processor shall immediately investigate the incident and take appropriate measures to heal the incident and prevent recurrence, and provide the Controller with a description of the incident. The Processor shall without undue delay, and at the latest within 24 hours, initiate incident reporting to the Controller.
The description of the incident shall at least:
– Describe the nature of the personal data breach
including, where possible, the categories and approximate number of data subjects concerned, and the
categories and approximate number of personal data affected.
– communicate the name and contact details
of the data protection officer or other contact points where more information can be obtained
– describe
the likely consequences of the personal data breach
– Describe the measures taken or proposed by the
Processor to address the personal data breach, including, where appropriate, measures to mitigate its
potential effects.
The Processor shall immediately inform the Controller in writing if the Processor becomes aware that personal data has been processed in breach of the Controller’s instructions or this Processor Agreement.
Where a type of processing, in particular using new technologies and taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, the Processor shall, prior to the processing, assist the Controller in carrying out an assessment of the impact of the envisaged processing on the protection of personal data. A single assessment may cover a series of similar processing operations presenting similar high risks.
The Processor shall, at the Controller’s written request, provide the Controller with such necessary information and reasonable assistance as is required to enable the Controller to fulfill its obligation to respond to requests to exercise data subjects’ rights under the Data Protection Legislation. Where necessary, the Processor shall assist the Controller in fulfilling other obligations under the Data Protection Legislation, including but not limited to, notifying and informing about personal data breaches, conducting data protection impact assessments and prior consultation with the relevant supervisory authority regarding such processing of personal data covered by this Data Processing Agreement. For such work, the Processor is compensated with reasonable agreed costs, or actual verifiable costs.
The processor shall implement appropriate technical and organizational measures to protect the personal data
being processed. The measures shall provide a level of security which at least complies with the Data
Protection Legislation and is appropriate taking into account
– the technical possibilities available,
taking into account the latest technological developments
– The cost of implementation
– The risks
associated with the processing of personal data, taking into account, inter alia
– The consequences of
the loss of accuracy, confidentiality and availability of the personal data during storage, transmission and
other processing activities
– The purposes of the processing in relation to the risks
– The
sensitivity of the personal data to the rights and freedoms of natural persons
– The amount of personal
data processed
– The vulnerability of the categories of data subjects to whom the personal data
relate
Agreed measures, which fulfill this paragraph, shall achieve a level of security that the Data
Controller, after consultation with any Data Protection Officer, deems appropriate.
When designing appropriate security measures, the Processor shall take into account generally accepted principles for information security by applying ISO/IEC 27001 or an equivalent standard.
The Processor shall regularly and systematically evaluate the effectiveness of the security measures taken to protect the personal data processing carried out on behalf of the Controller.
The Processor shall immediately notify the Controller in writing in the event that the security of the personal data processing cannot be maintained.
All extensive changes to technical and organizational measures shall be documented by the Processor and made available upon request by the Controller.
The measures taken shall include at least the following areas of action in accordance with Data Protection
Legislation
– pseudonymization and encryption of personal data
– the ability to ensure the
confidentiality, integrity, availability and resilience of the processing systems and services on an ongoing
basis
– the ability to restore the availability and access to personal data in a reasonable time in the
event of a physical or technical incident
– a procedure to regularly test, examine and evaluate the
effectiveness of the technical and organizational measures to ensure the security of processing.
The processor shall ensure that authorization management is correct and that confidentiality is respected. The Processor shall take the necessary measures to ensure that the information received is communicated only to those persons within its own organization who are relevant for the purpose of the Service Contract. The Data Processor shall ensure that all employees, consultants, subcontractors and others for whom the Data Processor is responsible and who process the personal data are bound by a necessary confidentiality undertaking and that they are informed of how the personal data may be processed. The Data Processor is responsible for ensuring that the persons who have access to the personal data are informed and how they may process the personal data in accordance with instructions from the Data Controller.
The Data Controller is entitled to audit the Data Processor itself or through a third party or otherwise verify that the Data Processor’s processing of personal data complies with this Data Processing Agreement. In the event of such audit or control, the Processor shall without undue delay provide the Controller with the assistance necessary to carry out the audit.
The Processor shall, at the request of the Controller, provide all available information relating to the processing of personal data in order for the Controller to fulfill its obligations as Controller under the Data Protection Legislation.
Where data subjects, supervisory authorities or other third parties request information from the Controller or Processor regarding the processing of personal data, the Parties shall cooperate and exchange information to the extent necessary. The Processor may not disclose personal data or information about the processing of personal data without the prior documented consent of the Controller, unless ordered to do so by the relevant authority or if the Processor is required to do so by mandatory legislation.
The Processor shall assist the Controller by appropriate technical and organizational measures, so that the Controller can fulfill its obligations regarding the rights of data subjects in accordance with Chapter III of the Data Protection Regulation.
The Processor has the right to engage sub-processors to fulfill its obligations under the Service Agreement.
If the Processor engages a sub-processor under the terms of the Service Agreement, the Processor is authorized and obliged to enter into a separate data processing agreement with such sub-processor regarding the sub-processor’s processing of personal data. Such an agreement shall stipulate that the sub-processor has corresponding obligations as the Data Processor has under this Data Processing Agreement.
The Processor shall, at the Controller’s request, provide a copy of the parts of the Processor’s agreement with the sub-processor that are required to demonstrate that the Processor has fulfilled its obligations under this Data Processing Agreement.
The Processor shall at all times keep an accurate and up-to-date list of the sub-processors engaged for the processing of personal data and their geographical location. The Processor shall furthermore, at the Controller’s request, promptly provide contact details of the sub-processors processing personal data.
The Processor shall inform the Controller of any plans to engage new sub-processors or replace sub-processors, so that the Controller has the opportunity to object to such changes. Such information shall be provided at least 30 days before the change takes effect. The Controller shall inform the Processor in writing, within 30 days of being informed of the change, if the Controller objects to the new sub-processor processing its personal data and give a reasonable reason for the objection. If the Processor cannot comply with the Controller’s objection within a reasonable time without unreasonable cost or inconvenience, the Parties shall cooperate to find an appropriate solution relating to the reason for the objection. If the Parties do not reach an agreement, the Controller shall be entitled to terminate the agreement with immediate effect.
Any dispute concerning the interpretation or application of this agreement shall be settled in accordance with Swedish law and the dispute provision of the Service Agreement.
In the event that the Controller becomes liable to third parties as a result of the Processor’s non-compliance with this Agreement or the Service Agreement within the framework of the processing of personal data, the Processor shall compensate the Controller for the damage incurred in accordance with the Service Agreement.
This Data Processing Agreement enters into force with the entry into force of the Service Agreement and applies thereafter between the Parties for as long as the Processor processes Personal Data for the Controller in accordance with the Service Agreement. This Data Processing Agreement shall automatically terminate without prior notice when the Service Agreement expires.
Amendments and additions to this agreement shall, in order to be valid, be communicated in accordance with the terms of the Service Agreement. This paragraph does not prevent the Controller from amending or issuing further written instructions as set out in this Agreement, provided, however, that such further amendments may result in the termination of the Service Agreement by the Processor in accordance with the Terms and Conditions.
Upon termination of the Agreement, the Processor shall delete personal data in accordance with the Instructions.
This Data Processing Agreement may be transferred in accordance with the transfer provisions in the Service Agreement and only in connection with the transfer of the Service Agreement.
Oderland Webbhotell AB
Organisationsnummer: 556680-8746
Services: Operational provider of web hosting
services and associated security services.
Storage location: Within the EU/EEA, Sweden
Business focus Sweden AB
Organisationsnummer: 559105-6501
Services: Consulting services in development,
support, troubleshooting and provision of services for e-mail (through Microsoft 365).
Storage location:
Within the EU/EEA
