Data Processing Addendum
This data processing addendum and attached schedules (the "Addendum") apply to the Processing of Personal Data where Abion AB, in the capacity of Processor, on behalf of Client, in the capacity of Controller, provides the services agreed upon in the Agreement (Services).
This Addendum is not applicable in situations where Abion AB is the Controller. This Addendum is subject to the terms as defined in Abion AB's general Terms and Conditions for Legal Services and Abion AB's general terms for registrar services. Capitalized terms used and not defined herein have the meanings given to them in the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR").
1. Background
(a) The Processor will Process Personal Data for the Controller as part of providing Services to the Controller, further detailed in Schedule 1.
(b) This Addendum is applicable where Client is the Personal Data Controller and Abion AB is the Personal Data Processor as defined in the GDPR.
(c) Client is the sole Controller of Client Personal Data. Client appoints Abion as Processor to Process Client Personal Data as set out in this Addendum. To demand changes to this Addendum Client can contact Abion via the contact information under section 8.
2. The Controller's instructions
2.1 The Processor shall Process Personal Data only in accordance with documented instructions from the Controller, as set out in Schedule 1, and in accordance with the GDPR. Accordingly, the Controller undertakes to hold the Processor harmless for such damage as the Processor suffers as a direct consequence of the Controller's instructions leading to the Processor Processing Personal Data in violation of the GDPR. In the event that the Processor does not have the necessary instructions, the Processor shall inform the Controller and thereafter await such instructions as the Controller deems necessary. The Processor shall also immediately inform the Controller if, in its opinion, an instruction infringes the GDPR.
3. Commitments of the Processor
3.1 Furthermore, the Processor shall in particular:
(a) maintain appropriate technical and organisational security and take all measures required pursuant to Article 32 of the GDPR to protect the Personal Data Processed under this Addendum, including but not limited to ensuring that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(b) assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (such as technical and organisational measures, notification and information in case of a Personal Data Breach, data protection impact assessment and prior consultation) and the Controller's obligations pursuant to Chapter III of the GDPR regarding Data Subjects' rights (such as the right to information, access, rectification, erasure, restriction of Processing, data portability, and objection to automated decision-making);
(c) refer any request to access Personal Data from a Data Subject, the Data Protection Authority or any other Third Party to the Controller. The Processor shall also without delay notify the Controller of any contact with the Data Protection Authority concerning, or possibly concerning, the Processing of Personal Data under this Addendum;
(d) at the choice of the Controller, delete, anonymize or return all Personal Data to the Controller after the termination of the Agreement, irrespective of the reason therefor, including the deletion of existing copies, unless the GDPR, domain name registries or Member State law requires storage of the Personal Data;
(e) promptly notify the Controller of any security incidents where such incidents have resulted in or are likely to result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the Personal Data covered by this Data Processing Addendum;
(f) upon request from the Controller, promptly provide the Controller with all requested information about the incident, such as the facts relating to the incident, its effects and the remedial action taken, and cooperate with the Controller in communicating about the incident with the supervisory authority where necessary;
(g) upon instruction to delete Personal Data from the Controller’s Data Subject, destroy, overwrite or otherwise delete the data within no more than 180 days;
(h) assist the Controller with information necessary for the Controller to comply with its obligations as a Controller towards the Data Protection Authority and/or Data Subjects.
3.2 Furthermore, the Processor shall always Process Personal Data in compliance with the GDPR. This includes, but is not limited to, maintaining a record of Processing activities, providing access to the record of Processing activities when requested by the Data Subject or the Controller, and immediately notifying the Controller if the Processor suspects that there is a risk that individuals' rights and freedoms are violated.
3.3 The Client authorizes Abion to, on the Client's behalf, enter into standard contractual clauses with sub-Processors in third countries, specifically the standard contractual clauses for the transfer of personal data to Processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).
4. Liability
4.1 Neither party shall be liable to the other party in any event for indirect damages such as loss of profits, reduced turnover, loss and corruption of data, failure to comply with Third Party obligations or loss of benefit of the Processing or the Addendum otherwise.
5. Term
5.1 This Addendum is valid by accepting the Agreement, alternatively by specifically accepting the Addendum. The Addendum shall last as long as the Processor Processes Personal Data on behalf of the Controller. The Addendum may be terminated by either party by terminating the Agreement in accordance with the rules of termination specified in the Agreement.
6. Third Party Request and Confidentiality
6.1 Abion will not disclose Client Personal Data to any third party, unless authorised by the Client or required by law. If a government or Supervisory Authority demands access to Client Personal Data, Abion will notify Client prior to disclosure, unless prohibited by law.
6.2 Abion requires all of its personnel authorized to Process Client Personal Data to commit themselves to confidentiality and not Process such Client Personal data for any other purposes, except on instructions from Client or unless required by applicable law.
7. Audit
7.1 Upon Client’s written request Abion shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
7.2 Abion will provide Client or its mandated auditor with the information necessary to demonstrate compliance with the obligations laid down in this Addendum.
7.3 Each party will bear its own costs in respect to clauses 7.1 and 7.2.
8. Miscellaneous
8.1 Survival of obligations:
On termination of this Addendum, regardless of the reason for such termination, the following Clauses shall survive and continue in full force and effect: clause 8.1 (Survival of obligations) and clause 8.4 (Governing law and disputes).
8.2 Changes and additions:
Changes and additions to this Addendum must be in writing (with express reference to this Addendum) and duly executed by the Parties.
8.3 Sub-Processors:
The Processor is entitled to hire sub-Processors for Processing Personal Data on behalf of the Controller. The Processor undertakes to inform the Controller regarding the Processor’s possible plans to hire and/or substitute a sub-Processor, giving the Controller the opportunity to object to such changes.
If the Processor hires sub-Processors for Processing Personal Data on behalf of the Controller, the Processor is fully liable towards the Controller for such sub-Processors' activities.
The Processor shall hire sub-Processors in accordance with the Categories defined in Schedule 2.
8.4 Governing law and disputes
This Addendum shall be governed by and construed in accordance with the laws of Sweden. Any dispute, controversy or claim arising out of, or in connection with, this Addendum, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (“the Institute”). The seat of arbitration shall be Gothenburg, Sweden.
The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.
The Parties agree, without limitation in time, not to disclose the existence or contents of any decisions or awards with regard to this Addendum, or information about proceedings, arbitration or mediation due to the same. The provisions set forth in this Clause 7.4.4 shall not apply where disclosure is made in compliance with law, other legislation, an authority's order, securities exchange regulations or practice on the securities exchange, or is otherwise required for the enforcement of a decision.
9. Contact details
9.1 Company Contact details
For any changes to this Addendum, questions about how we Process your Personal Data or information and contact information for the designated responsible person for Personal Data, please feel free to contact us via the following contact information:
gdpr@abion.com and legal@abion.com
Schedule 1
Purpose of the Processing
1. Instructions
1.1 The Processor undertakes to follow the instructions set out in this Schedule 1, which can be amended from time to time through a written message from the Controller to the Processor.
1.2 The Processor shall Process Personal Data in order to perform in accordance with the Framework Agreement and other associated agreements with the Customer regarding the filing, registration, management, renewal and watching of domain names and/or trade marks; providing consultation and services regarding web security; generation and renewal of SSL certificates; administration of DNS servers; consultation, mainly in regard to intellectual property; providing and maintaining an IP portal for administration of intellectual property rights; and hosting solutions for rental of virtual and physical server space.
1.3 The nature, purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.
2. Duration of the Processing
2.1 The Processor shall Process Personal Data for the Duration of the Agreement, unless otherwise agreed on in writing.
2.2 Certain data must be stored for a longer period of time, even after a business relationship has been terminated, when this is required by national law. Such requirements may, for example, be included in tax or bookkeeping laws.
3. Security
3.1 The Processor will endeavour to take adequate technical and organizational measures against loss or any form of unlawful Processing (such as unauthorized disclosure, deterioration, alteration or disclosure of Personal Data) in connection with the performance of Processing Personal Data under this Data Processing Addendum.
3.2 The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the Personal Data and the costs related to the security measures.
4. Type of Personal Data
4.1 The Processor Processes Personal Data which is necessary to administer the relationship with the Controller and to provide services in accordance with the Agreement. The Processing consists of all Personal Data which the Controller chooses to store on the servers. The Processor only Processes this Personal Data by storing it. Since the type of Personal Data depends on what the Controller chooses to store, it is not possible to specify the type of Personal Data which will be Processed.
5. Categories of Data Subjects
5.1 The Data Subjects of the Controller may include the Controller’s end users, employees, contractors, suppliers and other third parties.
Schedule 2
Sub Processors
1. Sub Processors
1.1 The Processor shall use the following Sub-Processors:
1.1.1 Management and maintenance of redundancy servers: Gridcore, Byfogdegatan 6, 415 05 Göteborg
1.1.2 Supplying of Office365: Microsoft Ireland, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland