Last update: 10 October 2018
Data processing addendum
Qinematic values personal integrity, and does its best to comply with the Data Protection Act (DPA) of each region. We ask that our Customers who provide a service using Qinematic do the same.
Qinematic enters into a Service Agreement that recognises Qinematic AB as a "Data Processor", and the Customer as the "Data Controller".
The Data Controller and the Data Processor are each referred to as a "Party" and collectively as the "Parties".
The Parties have entered into a Service Agreement under which the Data Processor will process Personal Data on behalf of the Data Controller. This Data Protection Addendum has been entered into in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Controller to the Data Processor of personal data and the processing of personal data by the Data Processor on behalf of the Data Controller.
The specific terms and expressions relating to data processing that are not defined herein shall have the same meaning as in the EU General Data Protection Regulation (GDPR).
The following terms, used in this Data Processing Addendum, shall have the following meanings:
"Business Day" means a day on which banks are open for business in Sweden other than for Internet banking services only (excluding Saturdays, Sundays and public holidays);
The "Data Protection Act" means the GDPR, or the local legal requirements for Third Countries;
"Personal Data" means all kinds of information that directly or indirectly may be referable to a natural person who is alive, for which the Data Controller is the controller and which the Data Processor shall process on behalf of the Data Controller under the Service Agreement;
"Third Country" means a state or region that is not included in the European Union or part of the European Economic Area.
2. Obligations and responsibilities
2.1 The Data Controller is responsible for ensuring that all collection and processing of Personal Data is legal and carried out in accordance with the local Data Protection Act, including that there is a legal ground for the processing and that consent has been collected from the registered persons where necessary.
2.2 The Data Processor agrees and warrants:
(a) that the processing of Personal Data is carried out in accordance with the relevant provisions of the local or applicable Data Protection Act;
(b) to process the Personal Data only on behalf of the Data Controller and in compliance with its instructions and the Service Agreement (which for the sake of clarity shall imply that the processing is carried out only for the purposes decided by the Data Controller); if it cannot comply with such instructions for whatever reason, it agrees to promptly inform the Data Controller of its inability to comply, in which case the Data Controller is entitled (as its sole and exclusive remedy) to suspend the transfer of data, request the immediate return thereof and/or terminate the Service Agreement;
(c) to deal promptly and properly with all inquiries from the Data Controller relating to its processing of the Personal Data;
(d) to, at the request of the Data Controller, provide a list of the locations where the Personal Data is being processed or may be processed;
(e) to implement the appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage, and (taking into account the technological development and the cost of implementing any measures), ensure that such measures shall provide for a level of security proportionate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data;
(f) that it will promptly notify the Data Controller about any completed unauthorised access;
(g) that it will without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (i.e. to preserve the confidentiality of a law enforcement investigation);
(h) at the request of the Data Controller, to submit its data-processing facilities for audit of the processing activities covered by the Agreement which shall be carried out by the Data Controller or such person that the Data Controller appoints, provided that such person is bound by a duty of confidentiality; and
(i) not to transfer Personal Data from the EU to a Third Country unless approved in writing by the Data Controller or executed by the Data Controller.
3.1 The Data Processor is entitled to sub-contract the processing of the Personal Data described herein. Consequently the Data Processor does not need to obtain any specific consent for sub-processing of Personal Data. The Data Controller hereby authorises the Data Processor to enter into agreements with such sub-processors on behalf of the Data Controller, on materially the same terms as those included in this Data Protection Addendum.
3.2 The Data Controller acknowledges that the services provided under the Service Agreement are delivered over Microsoft Azure, and the Data Controller consequently accepts the use of Microsoft as a sub-processor to the Data Processor. Generic information about security, compliance, privacy, SLAs, support, etc. can be found at https://azure.microsoft.com/en-us/support/trust-center/
In addition, the Data Controller acknowledges and agrees that the terms set forth in the Microsoft Online Service Agreement http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31 are acceptable and in a sufficiently clear manner mirror the terms of this Data Protection Addendum and reflect the instructions of the Data Controller.
3.3 If the Data Processor engages additional sub-processors, it agrees to inform the Data Controller without delay of the identity of the sub-processor, as well as, upon the request of the Data Controller, other relevant information related thereto, such as a copy of the agreement entered into between the Data Processor and such sub-processor.
3.4 The Data Processor shall not be held liable to the Data Controller for the performance of sub-processors, but will endeavour to take reasonable steps to maintain optimal performance.
4. Obligation after the termination of personal data-processing services
4.1 The Parties agree that on the termination of the Service Agreement, the following shall apply. The Data Processor shall, and where applicable see to it that the sub-processor shall, return all Personal Data to the Data Controller or, at the request of the Data Controller, as soon as practically possible under the Microsoft Online Service Terms, delete all Personal Data and confirm to the Data Controller when completed.
4.2 The Parties agree that all external records containing or referring to data used or created during the term of the service, remain the responsibility of the Data Controller. This may include, but is not limited to emails, web links, printed reports, images or other data.
4.3 In the event legislation imposed upon the Data Processor prevents it from returning or deleting all or part of the Personal Data, the Data Processor warrants that it will guarantee the confidentiality of the Personal Data and that it will not actively process the Personal Data or else anonymize the Personal Data in a manner that makes it impossible to recreate the Personal Data.
5. Term and termination
5.1 This Data Protection Addendum is a fully integrated part of the Service Agreement and shall remain valid until the termination of the Service Agreement.
6. Limitation of liability
6.1 Regardless of what is set forth in the Service Agreement, the Data Processor's liability under the Data Protection Addendum shall be limited to liability for direct costs, and consequently excluding any form of indirect or consequential loss or damage.
7.1 The Data Controller shall compensate the Data Processor for any costs arising in conjunction with the fulfilment of its obligations under the Agreement. This includes, but is not limited to, compensation (by the hour) for resources provided by the Data Processor for the provision of information upon request and other forms of assistance.
8. Acknowledgement of processing for research purposes etc.