Valid from May 25th, 2018
Data Controller (DC):
Data Processor (DP):
Xenolith AB, org nr 559149-9081.
The Data Controller is referred to as DC in this document. The parties have entered into an agreement whereby Xenolith AB undertakes to perform services under the agreement "Service Agreement" for DC's behalf. In performing these services under the Service Agreement, Xenolith AB will process personal data for DC's behalf. Accordingly, Xenolith AB will act as a personal data processor, DP, for DC in the performance of the relevant services, which is the personally responsible person for the personal data to be processed.
Xenolith AB may only process personal data for the purposes stated in the Service Agreement or written additional agreements that refer to this Agreement and not for any other purpose than what is necessary for the performance of the Service Agreement.
Xenolith AB uses cloud services within the EU and other geographical areas as a subcontractor. Xenolith AB may, without written consent, provide personal information to be processed by a subcontractor. If a general consent is given, Xenolith AB shall inform DC of any plans to change or hire new subcontractors. DC shall promptly object to such changes, but no later than one week from Xenolith AB announced that the change will occur.
If DC opposes changes, the account may be terminated if Xenolith is not able to deliver the service using subcontractors that the DC agree with. Xenolith AB is responsible for entering into written agreements with subcontractors.
For Xenolith AB's processing, the following applies.
Furthermore, Xenolith AB commits to keep records of the processes and to cooperate with the regulatory authority and make this registry available to the regulatory authority.
Xenolith AB will assist the DC, as required and upon request, with the fulfillment of the obligations arising from the conduct of consequence analysis regarding data protection and prior consultation with the regulatory authority.
Xenolith AB shall restrict access to personal data to persons who need such access to perform their duties.
Xenolith AB will ensure that personal data are not processed in violation of the provisions of current legislation, etc. regarding data protection for personal data such as data protection regulation and data inspection regulations. Xenolith AB shall take appropriate technical and organizational measures to protect personal data from unauthorized access, destruction and modification.
Xenolith AB undertakes to inform the DC immediately if an instruction violates the General Data Protection Regulation or against other personal data protection provisions.
Xenolith AB and DC are committed to, taking into account the latest developments, implementation costs and the processes’ scope, context and objectives and the risks, of varying degrees of probability and severity, of natural persons rights and freedoms, take appropriate technical and organizational measures to ensure a level of safety appropriate to the risk, including, where appropriate
In assessing the appropriate level of security should have particular regard to the risks that the process involves, in particular, from the accidental or unlawful destruction, loss or alteration or unauthorized disclosure of, or unauthorized access to personal data transmitted, stored or otherwise processed.
The DC and Xenolith AB shall take measures to ensure that any individual who performs work in the DCs or Xenolith AB's supervision, and who has access to personal data, only will process those on the instruction from the DC, if not the European Union law or the national law of the Member States obliges him or her to do so.
Xenolith AB shall notify the DC without unnecessary delay after having been informed of a personal data incident. The notification shall describe the nature of the personal data incident, including, if possible, the categories of and the approximate number of registered persons involved, as well as the categories and the approximate number of personal data items concerned. If, and to the extent, that it is not possible to provide the information simultaneously, the information may be provided in a parts, without unnecessary further delay.
Xenolith AB shall assist the DC and provide documentation of all personal data incidents, including the circumstances surrounding the personal data incident, its effects and the corrective actions taken.
If a third party (eg authority other than the supervisory authority or any other person) addresses Xenolith AB with a request for information regarding the processing of personal data, Xenolith AB shall forthwith forward such a request to DC.
Xenolith AB is not entitled to represent DC against third parties in the processing of personal data unless DC expressly acknowledges this. DC will replace Xenolith AB for costs, etc. which may arise due to the fact that Xenolith AB does not provide information about the processing under this paragraph.
Xenolith AB, and its employees and sub-consultants, have confidentiality for all personal data processed unless otherwise agreed in writing with DC. Confidentiality also does not concern the data subject regarding their own personal data or for information that is generally known.
All intellectual property rights to the personal data are held by DC or the registered person. Xenolith AB has a non-exclusive right to use the personal data and possibly intellectual property rights attached thereto solely for the performance of its obligations under the Service Agreement.
If a registered or other third party claims a claim against DC due to the processing of personal data by Xenolith AB, Xenolith AB shall compensate DC for any claims arising from Xenolith AB failing to comply with this agreement. The compensation is limited to a maximum of half (½) of the Price Base Amount (Prisbasbelopp).
If a registered or other third party claims a claim against Xenolith AB due to DC's personal data processing instruction, DC shall compensate Xenolith AB for such requirements, but not if Xenolith AB should have notified DC that processing is in violation of current data protection rules.
Any DC or DP involved in the processing of personal data may be held liable for the entire damage to the registered person. However, if they are joined in the same legal proceedings in accordance with the national law of the Member States, compensation may be distributed according to the responsibility of each DC or DP for the damage caused by the process, provided that the registered person is insured for full and effective compensation. Any DC or DP who has paid full compensation may then initiate recovery procedures against other DC or DP involved in the same process. However, the right of subrogation between DC and Xenolith AB is limited as above.
Xenolith AB is, after termination of the Service Agreement, required to delete all personal data processed for DC, unless previously agreed upon. Xenolith AB is obliged, in connection with the termination of the Service Agreement, to return processed data in appropriate format to DC. Deletion is only done on the insistence of the customer or after the termination of the service. Xenolith AB use backups so the service can be restored if something critical were to happen eg server fails completetly. Deleted information can therefore be saved up to twelve months on backups. If a backup were to be restored the information that has previosly been deleted will be deleted again. All backups are deleted when they are no longer needed (12 months).
Changes or additions to this Agreement shall be in writing and accepted by both parties to be considered valid.
This Agreement enters into force when accepted by both Parties. The agreement expires when the Service Agreement expires. However, paragraph 8 shall continue to apply for one year after the termination of the contract.
Disputes arising from the agreement shall primarily be resolved through good faith negotiations between the parties. Swedish law is applicable to the contract. Disputes arising in connection with this agreement shall be finally assessed in the general court of Skaraborg District Court (Skaraborgs tingsrätt).
By using our Services or otherwise by interacting with us, you agree to this Data Processor Agreement.