Updated 2024-05-28
1 Introduction
2 Agreements Documents
3 Processing of Personal Data
4 Security Measures
5 Transfer Outside of the EU/EEA
6 Use of Sub-Processors
7 Duties of Processor
8 Personal Data Breach
9 Confidentiality
10 Remuneration
11 Liability
12 Term and Termination
13 Return and Destruction of Personal Data
14 Governing Law and Dispute Resolution
Appendix I – List of Parties and Description of Processing
Appendix II - Technical and Organisational Measures
Appendix III – List of Sub-Processor
This data processing agreement ("DPA") forms part of the Agreement between 360Player AB ("Processor"), as data processor, and the customer that is party to the Agreement ("Controller"), as data controller. If there is any conflict between this DPA and the Agreement, this DPA shall prevail in relation to the processing of personal data.
Controller and Processor are jointly referred to as the “Parties” and each of them as a “Party”.
1.1 In order to perform its obligations under the Agreement, Processor will process personal data on behalf of Controller. This DPA is an appendix to the Agreement and regulates processing of personal data in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”) and any national or European Union law as applicable from time to time (“Applicable Data Protection Legislation”).
1.2 In the event of any conflict or inconsistency between the Agreement and this DPA related to the processing of personal data, the provisions of the DPA shall prevail.
2.1 The following appendices are hereby incorporated by reference into this DPA:
Appendix I – ´Description of Processing
Appendix II – Technical and Organisational Measures
Appendix III – List of Sub-Processors
3.1 The subject-matter, duration, nature and purpose of the processing are set out in Appendix I (Description of Processing)
3.2 Controller is responsible to ensure that the processing is carried out in accordance with Applicable Data Protection Legislation and for providing Processor with accurate and sufficient instructions.
3.3 Processor undertakes to process personal data only in accordance with the instructions under this DPA, the Agreement and documented instructions given by Controller from time to time, unless the processing is required by Applicable Data Protection Legislation. In such case, Processor shall inform Controller of the processing and the legal requirements on which the processing is based, prior to processing the personal data, unless providing such information is prohibited under Applicable Data Protection Legislation.
3.4 Processor shall promptly inform Controller if:
(i) Processor is unable to fulfil its obligations under the DPA;
(ii) Processor deems that the instructions provided by Controller infringe Applicable Data Protection Legislation; or
(iii) Processor deems that the instructions provided by Controller are inadequate or incorrect.
In such case Controller shall adjust its instructions.
4.1 The Parties shall take appropriate technical and organisational security measures necessary to ensure a level of security appropriate to the risks presented when processing personal data, and when necessary implement and maintain the technical and organisational security measures set out in Article 32 GDPR.
4.2 The technical and organisational security measures agreed upon between the Parties are set out in Appendix II (Technical and Organisational Measures). Controller shall ensure that such measures comply with the provisions of Applicable Data Protection Legislation.
5.1 Processor may at times transfer personal data to a country outside the EU/EEA in accordance with instructions provided by Controller, as further set out in the appendices to this DPA as updated from time to time. If personal data is transferred to a country outside the EU/EEA, the Parties shall ensure that the transfer is subject to an adequate transfer mechanism in accordance with Chapter V of the GDPR, for example by executing the applicable module of EU Commission’s approved Standard Contractual Clauses or binding corporate rules. To the extent necessary to ensure an adequate protection of personal data, the Parties shall agree upon additional safeguards in Appendix III (List of Sub-Processor).
6.1 Processor hereby obtains a general written authorisation from Controller to use sub-processors to process personal data on behalf of Controller. The list of sub-processors authorised by Controller for the processing of personal data upon the effective date of this DPA is set out in Appendix III (List of Sub-Processor). Processor shall inform Controller in writing of the addition or replacement of sub-processors at least 30 days before the change takes place, in order to give the Controller opportunity to object to the change.
6.2 Controller shall have the right to object in writing within 20 days of Processor informing the Controller of the change. Controller may object to the use of a sub-processor only if there is reason to believe that the sub-processor does not comply with the requirements of the Applicable Data Protection Legislation and state the reasons for the objection. Processor shall provide Controller with the information necessary for Controller to exercise its right to object.
6.3 Processor shall ensure that a written agreement imposes on sub-processors at least equivalent obligations in relation to the processing of personal data as those imposed on Processor under this DPA. Processor shall be fully liable to Controller for the performance by the sub-processor of its obligations, as for its own under this DPA.
7.1 Processor shall, upon Controllers reasonable request, assist Controller as far as reasonably possible and with regard to the nature of the processing, in fulfilling its obligations to respond to requests from data subjects to exercise their rights under the Applicable Data Protection Legislation. Processor shall notify Controller within 30 days if Processor receives any requests from data subjects. Processor may not respond to any requests without Controller’s specific prior written instruction to do so.
´7.2 Processor shall, to the extent possible, taking into account the nature of processing and the information available to Processor, assist Controller in fulfilling Controller’s obligations under Articles 32–36 GDPR.
7.3 ´Processor shall, upon Controller’s reasonable request, provide Controller with the information necessary to demonstrate compliance with the obligations of the DPA.
7.4 ´In the event that Processor, according to Applicable Data Protection Legislation, is required to disclose personal data that Processor processes on behalf of Controller to supervisory authorities, Processor shall inform Controller thereof and request confidentiality in connection with the disclosure of the requested information.
7.5 ´Upon the reasonable request made by Controller or by an external auditor appointed by Controller, Processor shall allow an audit for the purpose of verifying that the processing of personal data by the Processor is carried out in accordance with the Applicable Data Protection Legislation and this DPA. Any third-party auditor is at the expense of the Controller.
8.1 Processor shall notify Controller in writing without undue delay after becoming aware of a personal data breach in relation to personal data processed by Processor on behalf of Controller. Processor shall, to the extent such breach has taken place at Processor, provide Controller with a description of the breach, its nature, its likely consequences and information on the measures taken or proposed to be taken to remedy and mitigate the consequences of the breach.
8.2 If Controller notifies a breach to the supervisory authority, Processor shall upon Controller’s reasonable request assist Controller and provide the requested information.
9.1 Processor undertakes not to disclose or otherwise make personal data processed under this DPA available to any third party without Controller's prior written consent, except for sub-processors engaged in accordance with this DPA.
9.2 Processor shall ensure that only staff and other representatives that require access to personal data have access to such information. Processor shall ensure that such persons are bound by confidentiality undertakings or subject to a statutory obligation of confidentiality.
9.3 Processor undertakes to ensure that confidentiality agreements are in place with any sub-processors engaged under this DPA.
10.1 Processor is entitled to reasonable remuneration for costs and work incurred by Processor as a result of its obligations as specified below:
(i) Controller adjusts its instructions under section 3.1 above.
(ii) Controller adjusts its instructions under section 4.2 above.
(iii) Processor assists Controller in an audit in accordance with section 7.5 above.
11.1 The Parties acknowledge that they each respectively are liable, accountable and responsible in their respective roles as Controller and Processor under the requirements set forth in the GDPR and this DPA. Any administrative fines, fees or sanctions imposed by the supervisory authority and/or compensation to data subjects shall be subject to the liability provisions set out in Articles 82–84 GDPR. If a Party processes personal data in violation of this DPA or Applicable Data Protection Legislation, the Party shall compensate the other party for direct damages suffered due to such wrongful processing and/or violation of this DPA in accordance with the limitations of liability set out in the Agreement.
12.1 This DPA enters into force when the Agreement is signed by both Parties and remains in force thereafter for as long as Processor processes personal data on behalf of Controller.
12.2 Processor has the right to terminate the DPA immediately by written notice to Controller if instructions given by Controller infringe Applicable Data Protection Legislation and Controller, after being notified of such circumstances, subsequently insist on applying to such instructions.
13.1 Upon termination or expiry of this DPA, Processor shall without undue delay stop processing personal data and at Controller’s written request delete all personal data of the Controller and delete any remaining copies, unless required by Applicable Data Protection Legislation.
14.1 The DPA shall be governed by Swedish law, excluding applicable conflicts of law rules.
14.2 Any dispute arising out of or in connection with the DPA shall be finally settled in accordance with the dispute resolution provision set out in the Agreement.
1 Introduction
Appendix I (Description of Processing) describes the processing of personal data under the DPA.
2 Description of Processing
For Controllers with local privacy policy legislation, it is vital for Controller to understand what data that has special classification in local privacy law. Minimizing sensitive data collection is recommended and 360Player will always have users consent to user terms and privacy policy.
Categories of data subjects
The following categories of data subjects will be included in the processing:
☐ Controller’s employees/staff
☐ Controller’s members and legal guardian/s of members
Categories of personal data that controller will process
The following personal data will be processed:
☐ Name
☐ Date of birth
☐ Phone number
☐ Address
Special categories of personal data that controllers may process
The following special categories of personal data will be included in the processing:
☐ Genetic data
☐ Biometric data
☐ Data concerning health
☐ Other data controller needs to collect (custom data fields)
Nature and purpose of the processing
Processor processes personal data for the following purposes:
The personal data will be processed for controller to be able to use the system according to the purpose of the platform.
Duration of processing
Personal data will be processed in accordance with the following:
The duration of the processing corresponds to the duration of the Agreement or until controller removes data. Thereafter, the personal data will be processed for as long as required by Applicable Data Protection Legislation.
1 Introduction
Appendix II (Technical and Organisational Measures) specifies the technical and organisational measures taken to ensure a high level of security for the processing of personal data.
2 List of Technical and Organisational Measures
The following security measures have been explicitly agreed between the Parties:
1 Introduction
Appendix III (List of Sub-Processor) sets out the sub-processors of Processor approved by Controller. SCC stnas for “Standard Contractual Clauses” and means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR.
2 List of Sub-Processors
Controller has approved the sub-processors listed in the table below upon the effective date of the DPA. The table is updated from time to time: