Din Studio

Appendix 1 – Data Processing Agreement

This Data Processing Agreement between

  1. Din Studio Sverige AB, reg. no. 556668-4188 ("Din Studio"); and
  2. Customers who use our services ("Customer"),

(each "Party" and jointly "Parties").

In this data processing agreement "Data Processor" refers to Din Studio Sverige AB for the Services stipulated in Din Studio's General Terms and Conditions, §1 General. "Data Controller" refers to the Customer. Din Studio's processing of personal data can be found at support/privacypolicy.

1 Introduction

1.1 Both parties confirm that the undersigned are authorised to enter into this data processing agreement ("DPA") which is an integrated part of the service agreement(s) which the parties have entered into (the "General Terms and Conditions Service"). This DPA governs the Processing of Personal Data in connection with the Service Agreement applicable at any given time.

1.2 Din Studio complies with Din Studio's Privacy policy, which is available at support/privacypolicy.

2 Definitions

2.1 The definitions of Personal Data, Special Categories of Personal Data (Sensitive Information), Processing of Personal Data, Data Subject, Data Controller and Data Processor are the same as in applicable privacy legislation, including the General Data Protection Regulation (GDPR), applicable in the DPA and in Europe from May 25, 2018, and the complementary national legislation applicable at any given time, together "Applicable Privacy Law".

2.2 In this appendix, Data Controller is referred to as "Customer" or "Party", the Data Processor is referred to as "Din Studio" or "Party", and together the parties are referred to as "Parties".

3 Scope

3.1 This DPA governs Din Studio's Processing of Personal Data on behalf of the Customer, and stipulates how Din Studio shall ensure data security, through technical and organisational measures according to Applicable Privacy Law.

3.2 The purpose of Din Studio's Processing of Personal Data on behalf of the Customer is to fulfil Din Studio's obligations according to the Service Agreement.

3.3 This DPA takes precedence over any contradictory stipulations of Processing of Personal Data in the Service Agreement or other agreements entered into by the Parties.

4 Din Studio's Liabilities

4.1 Din Studio may only Process Personal Data on behalf of, and in accordance with the Customer's documented instructions. By entering into this DPA, the Customer instructs Din Studio to Process Personal Data as follows:

i) solely in accordance with applicable law,
ii) to fulfil all obligations according to the Service Agreement,
iii) as is further specified through the Customer's normal use of Din Studio's services and
iv) as stated in this DPA.

4.2 Din Studio has no reason to believe there is any legislation that prevents Din Studio from fulfilling the instructions stated above. Din Studio shall inform the Customer, upon knowledge, in the event the Customer's instructions or Processing, in Din Studio's opinion, infringes Applicable Data Privacy Law.

4.3 The Categories of Data Subjects and Personal Data which are the subject of Processing according to this DPA are stated in this document.

4.4 Din Studio shall ensure the confidentiality, integrity and availability of Personal Data in accordance with Applicable Privacy Law. Din Studio shall implement systematic, organisational and technical measures to ensure an appropriate level of security, taking into consideration the state of the art and the cost of implementation in relation to the risk of the Processing, and the type of Personal Data.

4.5 Din Studio shall, taking into account the nature of the processing, assist the Controller with appropriate technical and organisational measures, insofar as this is possible and considering the information available to Din Studio, for the fulfilment of the Data Controller's obligations to respond to requests from the Data Subject and general data protection according to Articles 32-36 in the GDPR.

4.6 If the Customer requires information regarding security measures, documentation or other information regarding how Din Studio Processes Personal Data, and such requests involve more information than the standard information provided by Din Studio in order to comply with applicable Privacy Laws as Data Processor, and this in turn means that the amount of work on Din Studio's part increases, Din Studio may charge Customer for such additional services.

4.7 Din Studio and its personnel shall ensure the confidentiality of Personal Data Processed under this DPA. This condition also applies after the DPA has expired.

4.8 Din Studio shall, promptly and without unnecessary delay, notify the Customer to enable the Customer to comply with the legal requirements of information to the relevant supervisory authorities and Data Subjects regarding a Personal Data breach.

4.9 Furthermore, as far as is practically possible and lawful, Din Studio shall notify the Customer in the event of:

i) requests regarding disclosures of Personal Data from a Data Subject,
ii) requests from public authorities, such as the Police Authority, regarding disclosure of Personal Data.

4.10 Din Studio may not respond directly to requests from Data Subjects without the Customer's consent. Din Studio may not disclose content relating to the General Terms and Conditions to authorities such as the Police Authority, including Personal Data, with the exception of statutory provisions, such as court decisions or similar decisions.

5 Customer Obligations

5.1 By entering into this DPA, the Customer acknowledges that the Customer:

  • when using the services provided by Din Studio according to the Service Agreement, Processes Personal Data in compliance with Applicable Privacy Law.
  • has legal grounds to Process and disclose the relevant Personal Data to Din Studio (including any sub-processors used by Din Studio).
  • is solely responsible for the validity, integrity, content and lawfulness of the Personal Information transferred to Din Studio.
  • has fulfilled any mandatory requirements and obligations to notify, or obtain permissions from, applicable public authorities for the Processing of Personal Data.
  • has fulfilled its obligations to provide relevant information to Data Subjects regarding Processing of Personal Data in compliance with Applicable Privacy Law.
  • agrees that Din Studio has provided guarantees regarding the implementation of technical and organisational security measures that are sufficient to protect the Data Subject's integrity and Personal Data.
  • when using the services provided by Din Studio under the Service Agreement, does not transmit any Sensitive Personal Data, or data relating to criminal convictions and offences to Din Studio. In the event of such a transfer, Din Studio cannot be held liable for the improper processing of such Personal Data.
  • maintains an updated record of the types and categories of Personal Data that the Customer Processes.

6 Use of Sub-processors and Transfer of Data

6.1 As part of the delivery of Services to the Customer according to the Service Agreement and this DPA, Din Studio may engage sub-contractors who may act as sub-processors. Such sub-processors may be affiliates of Din Studio, or external subcontractors (third parties) within or outside the EU/EES. Din Studio shall ensure that the same data protection obligations as set out in this DPA are imposed on the sub-processors by way of an agreement.

6.2 The Customer may at any time request a full overview and additional detailed information relating to the sub-processors involved in the service delivery, regulated by the Service Agreement.

6.3 If sub-processors are outside the EU/EES, Din Studio shall ensure that transfer is made in accordance with Applicable Privacy Law. The Customer hereby grants Din Studio the power and authority to ensure appropriate legal grounds for the transfer of personal data outside the EU on behalf of the Customer, for example, by signing EU Standard Contract Clauses or transferring Personal Data in accordance with the EU/US Privacy Shield.

6.4 The Customer shall be notified prior to changes to sub-contractors who process Personal Data. If a new sub-contractor evidently fails to comply with Applicable Privacy Law and the sub-contractor continues to fail to comply with Applicable Privacy Law, after Din Studio has had reasonable time to ensure that the sub-contractor complies with the regulations, the Customer may terminate the DPA. Such termination may include the right to terminate the Service Agreement, in whole or in part, in accordance with the termination clauses contained in the respective Service Agreement. An important part of such assessments should be to what extent the sub-contractor's Processing of Personal Data is an essential part of the services provided under the Service Agreement. A change of sub-contractor shall not in itself be regarded as a breach of the Service Agreement.

6.5 By signing this Agreement, the Customer agrees to Din Studio using sub-contractors as described above.

7 Security

7.1 Din Studio is obligated to provide a high level of security in its products and services. Din Studio provides security through organisational, technical and physical security measures, in accordance with the information security requirements described in Article 32 of the GDPR. Furthermore, the internal data protection framework which is implemented by Din Studio, aims to protect the confidentiality, integrity and availability of and access to Personal Data. The following measures are of particular importance in this regard:

  • classification of Personal Data to ensure the implementation of safety measures that correspond to the risk assessment.
  • evaluation of the use of encryption and pseudonymisation as risk-reducing factors.
  • limitation of access to Personal Data to those who need access to fulfil the obligations of this DPA or the Service Agreement.
  • use of systems that detect, restore, prevent and report personal data incidents.
  • implementation of security analyses to assess the quality of current technical and organisational measures to protect Personal Data, taking into account the requirements of Applicable Data Privacy Law.

8 Term and Termination

8.1 This DPA is applicable as long as Din Studio is Processing Personal Data on behalf of the Customer according to the applicable Service Agreements.

8.2 This DPA terminates automatically upon the expiration of the Service Agreement. When the DPA expires, Din Studio will delete or return the Personal Data processed by Din Studio on behalf of the Customer, in accordance with the applicable sections in the respective Service Agreement. Unless otherwise agreed in writing, the cost for such actions shall be based on:

i) hourly fee for time spent by Din Studio and
ii) the complexity of the requested process.

8.3 Din Studio may retain Personal Data after the expiry of the DPA, to the extent required by law, however observing the same technical and organisational measures as described in this DPA.

9 Liability

9.1 Liability for breach of the terms of this DPA shall be governed by liability clauses in the respective Service Agreement between the Parties. This also applies to any breaches by the sub-processor.

10 Applicable Law and Jurisdiction

10.1 This DPA shall be governed by the law applicable as stated in the respective Service Agreement between the Parties.

11 Categories of Personal Data and Data Subjects

11.1 As Din Studio's services allow the Customer to arbitrarily process Personal Data, it is not possible to generally state the categories of Data Subjects or Personal Data which are governed by this DPA. The Customer is obligated to register this information.

11.2 The Customer may not transfer any Sensitive Data to Din Studio. In the event such transfers are made, Din Studio cannot be held responsible for any Processing that is not compliant with Applicable Privacy Law. Sensitive Data is defined in the Applicable Privacy Law, as follows:

  • racial or ethnic origin, political opinions, religious or philosophical beliefs,
  • data concerning health,
  • data concerning a natural person's sex life or sexual orientation,
  • trade union membership,
  • genetic or biometric data for the purpose of uniquely identifying a natural person.

11.3 The Customer may not transfer any Personal Data concerning criminal convictions and offences.