Grade Data Processing Agreement
LAST UPDATED: MAY 26, 2020
Welcome to our Data Processing Agreement (DPA). This agreement is valid as an appendix to our general terms, which can be found at https://www.grade.com/integritetspolicy and clarifies how data is handled with regards to the EU General Data Protection Regulation (2016/679) (hereinafter “GDPR”) applied when processing personal data concerning european civilians. By using our platform, you accept our terms, and also this sub-agreement. If you don’t agree, don’t use our services.
- A) This data processing agreement (“Agreement”) applies to all activities where Grade gets in contact with personal data of the Controller or other affected persons in connection with the Grade Service including any sub-agreements and similar concluded thereunder (“Main Agreement“).B) Grade uses the personal data of the Controller solely in the interest and on behalf of the Controller.
C) If Grade is also providing services and/or products under the Agreement to the Controller’s Affiliates, or otherwise gains access to the Affiliate’s data relating to identified or identifiable natural person(s) for the purposes of fulfilling the Main Agreement, such data shall be regarded as Personal Data and this Agreement shall be applicable to Grade’s processing of such Personal Data. Such Affiliates have the same rights and obligations as the Controller under this Agreement.
D) This Agreement is an integral part of the Main Agreement. In the event of any conflict between the terms of the Main Agreement and the terms of this Agreement, this Agreement shall prevail with respect to the subject matter of this Agreement.
1.1 Affiliate: Companies (a) directly or indirectly owning or controlling the Controller; or (b) under the same direct or indirect ownership or control as the Controller; or (c) directly or indirectly controlled by the Controller. Ownership or control shall be understood to exist through direct or indirect ownership of fifty percent (50%) or more of the nominal value of the issued equity share capital or of fifty percent (50%) or more of the shares entitling the holders to vote for the election of the members of the board of directors or persons performing similar functions or the minimum share entitling to control prescribed in applicable legislations in such jurisdictions where the ownership of fifty percent (50%) or more would not be possible.
1.2 Commissioned Processing of Personal Data: Commissioned Processing of Personal Data is the access to Personal Data by Grade as well as collection, modification, transfer, blocking, deletion, storing, hosting or any other type of processing of Personal Data by Grade on behalf of the Controller in connection with the Main Agreement and as further specified under this Agreement.
1.3 Data Subject: An individual whose Personal Data is being processed by Grade under this Agreement and the Main Agreement.
1.4 Instruction: Grade shall process Personal Data in accordance with the Controller’s written instructions. The initial instructions derive from Section 2 of this Agreement; the Controller can change, amend or replace these initial instructions by single instructions in writing at any time.
1.5 Personal Data: Personal Data is any data relating to an identified or identifiable natural person(s) as defined in the applicable data protection laws, and that is subject to Commissioned Processing of Personal Data.
1.6 Personal Data Breach: accidental, unlawful or unauthorised destruction, loss, alteration, disclosure of or access to the Personal Data as well as any events endangering the security, confidentiality or integrity of the Personal Data.
- Scope of the Commissioned Processing
2.1 Grade shall process or otherwise use Personal Data solely on behalf of the Controller and according to the Controller’s instructions as set out in this Section 2 and the requirements of the applicable data protection laws.
2.2 The scope, manner and purpose of the collection, processing and use of the Personal Data under this Agreement are defined in Annex B as follows:
|Categories of subject||Type of personal data||Scope of use & purpose|
|Employees||Name, email, mobile number, IP-information||Use of engagement surveys (Engage) and creation of e-learning (Composer)|
2.3 The Parties may modify or supplement Annex B during the term of the Agreement by concluding an amendment to Annex B which shall be made in writing and which shall incorporate unaltered all of the substantive terms as set forth in the Annex B.
- Obligations of Grade
3.1 Grade shall only collect, process or utilise Personal Data of the Controller in accordance with the Instructions of the Controller and applicable laws and not for other own purposes or purposes of third parties. The Controller shall confirm any oral instructions in writing or via email. Where Grade believes that compliance with any Instructions by the Controller would result in a violation of applicable law on data protection, Grade shall immediately notify the Controller thereof.
3.2 Grade shall ensure within his area of responsibility the implementation and compliance with the agreed and sufficient technical and organisational measures. In particular, Grade shall take such technical and organisational measures to protect the Personal Data of the Controller against accidental, unlawful or unauthorised destruction, loss, alteration, disclosure and access as well as against other events that endanger the security, confidentiality or integrity of the Personal Data. This shall include the following measures;
3.3 To prevent unauthorised persons from gaining access to data processing systems with which Personal Data is processed or used;
- To prevent data processing systems from being used without authorisation,
- To ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorisation in the course of processing or use and after storage,
- To ensure that Personal Data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish which bodies may have or may have had access to the Personal Data during or as a result of the transmission or transport,
- To ensure that it is possible to check and establish subsequently whether and by whom Personal Data have been entered into data processing systems, modified or removed,
- To ensure that the Personal Data are processed strictly in accordance with the Instructions of the Controller,
- To ensure that Personal Data is protected from accidental, unlawful or unauthorised destruction, loss and alteration,
- To ensure that Personal Data collected for different purposes can be processed separately,
- To ensure the availability and resilience of processing systems and services,
- To ensure the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident,
- To ensure it has a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Commissioned Processing of Personal Data.
3.4 Grade shall in particular ensure a strict separation between the Personal Data of the Controller, Grades own data, and data of third parties.
3.5 Grade shall provide to the Controller the information necessary to fulfil its obligation to register the outsourced personal data processing, such as name of Grade, persons being instructed with data processing, statutory periods for the deletion of data, purposes for the data processing.
3.6 Grade shall submit to the Controller contact details of the employee being responsible for data protection.
3.7 Grade shall inform the Controller in the event of (i) substantial disruptions of the service, (ii) possible infringements of applicable data protection laws or of this Agreement by itself, its employees or third parties, and (iii) any other irregularity in relation to the processing of the Controller’s Personal Data.
3.8 Grade shall inform the Controller if the Personal Data of the Controller will be at risk on the site of Grade by distrainment, seizures, insolvency or bankruptcy measures or by any other activities or measures of third parties. Grade shall inform all people responsible in this context that the Personal Data are in sovereignty of the Controller.
3.9 All data storage medias, if any, and all copies or reproductions thereof shall remain the property of the Controller. Grade shall store them carefully without granting access to third parties. Grade shall at any time give information to the Controller relating to its Personal Data and materials. According to the Controller’s individual orders, Grade shall be responsible for the erasure of test or excess data and materials in compliance with data protection requirements, except in certain cases, to be defined by the Controller, where storage and/or disclosure of the test or excess data shall be performed.
- Notification obligation
4.1 In case of a Personal Data Breach, Grade shall, without undue delay and in any case within 48 hours, after having become aware of the Personal Data Breach, notify the Controller of the Personal Data Breach in writing. The notification must, to the extent such information is available to Grade: (i) describe the nature of the Personal Data Breach including the categories and number of Data Subjects concerned and the categories and number of data records concerned; (ii) communicate the identity and contact details of the data protection officer of Grade or other contact point where more information can be obtained; (iii) recommend measures to mitigate the possible adverse effects of the Personal Data Breach; (iv) describe the consequences and potential risk to the Data Subjects due to the Personal Data Breach; (v) describe the measures proposed or taken by Grade to address the Personal Data Breach; and (v) any other information reasonably required in order for the Controller to comply with its own data protection requirements, including duties of notification and disclosure in relation to public authorities.
4.2 Grade shall, without undue delay after becoming aware of any further details surrounding the Personal Data Breach, supplement the notification described above in Section 4.1 as well as provide the Controller with and any other information relating to the respective Data Breach as reasonably requested by the Controller and available to Grade.
4.3 Grade will document any Personal Data Breaches, comprising the facts surrounding the breach, its effects and the remedial actions taken. This Documentation must enable the supervisory authority to verify compliance with this Section 4. The Documentation will only include information necessary for such purpose.
5.1 Each Party shall keep confidential all material and information, including but not limited to Personal Data, marked as confidential or that should be understood to be confidential, regardless of whether personal, technical, financial or commercial and received in whatever form from the other Party (‘Confidential Information’). A Party shall have the right to:
(i) use Confidential Information only for the purposes of this DPA and the Agreement;
(ii) copy Confidential Information only to the extent necessary for the purposes of this DPA and the Agreement; and
(iii) disclose Confidential Information only to those of its employees, subcontractors or advisors that need the Confidential Information for the purposes of this DPA and the Agreement. The disclosing Party is responsible for ensuring that the parties that receive Confidential Information comply with the terms relating to confidentiality agreed in this DPA.
5.2 The confidentiality obligation set out in this Clause 4 shall not, however, be applied to any material or information (i) that was in the possession of the receiving Party prior to receipt of the same from the other Party without any obligation of confidentiality related thereto; or (ii) that is generally available or otherwise public, other than if it is public through a breach of this DPA or the Agreement on the part of the receiving Party; or (iii) that a Party has received from a third party without any obligation of confidentiality; or (iv) that a Party has independently developed without using any material or information received from the other Party; or (v) that a Party is obliged to disclose pursuant to Law or other order issued by a Supervisory Authority.
5.3 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Agreement or when the respective Party no longer needs the Confidential Information in question for the purposes of this DPA and/or the Agreement and shall return the material in question (including all copies thereof). Each Party shall, however, be entitled to retain copies as and to the extent required by the applicable law.
5.4 Each Party guarantees the observance and proper performance of this DPA by its personnel and advisors to whom Confidential Information may be disclosed pursuant to this Clause 5.
5.5 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Agreement or when the respective Party.
5.6 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Agreement or when the respective Party.
5.7 The confidentiality obligations set out in this Clause 5 shall survive any termination or cancellation of this DPA or the Agreement.
- Obligations of the Controller
6.1 The Controller warrants that all data are collected, processed and utilised fairly and lawfully with respect to one or several of the legal grounds stipulated in the GDPR. 6.2 The Controller shall inform Grade immediately and completely on any disruptions.
- Obligation to Assist
7.1 If the Controller, on the basis of applicable data protection laws, is obliged to answer to inquiries from Data Subjects on the collection, processing or utilisation of Personal Data relating to such Data Subject, upon request of the Controller, Grade shall support the Controller in order to provide such information. Grade shall pass on such inquiries of affected Data Subjects to the Controller for answering these inquiries; Grade shall adequately support the Controller in this respect. Unless otherwise agreed in writing, the Controller shall reimburse any reasonable incurring costs by Grade in connection with the fulfilment of the duties of this Section in accordance with the prices and pricing principles agreed in the Main Agreement. In case the inquiries relate to the duties of Grade, Grade shall assist the Controller free of charge.
7.2 If the Controller, on the basis of applicable data protection laws, is obliged to erase or rectify personal data concerning Individuals, Grade shall erase or rectify that personal data also from its data registers, upon the request of the Controller. Unless otherwise agreed in writing, the Controller shall reimburse any reasonable incurring costs by Grade in connection with the fulfilment of the duties of this Section in accordance with the prices and pricing principles agreed in the Main Agreement.
7.3 Grade shall assist the Controller also in the fulfilment of the Controller’s other obligations under the applicable data protection laws.
- Control Rights and Certificates
8.1 The Controller may itself – or, if required by Grade, by a third party being subject to statutory professional confidentiality obligations – carry out an audit at Grade’s establishment, during the usual business hours and without disturbing Grade’s business processes, to convince itself of Grade’s compliance with the technical and organisational measures, this Agreement and data protection laws. Grade shall tolerate such audit and shall comprehensively support the Controller in such audit. Furthermore, Grade shall provide to the Controller, upon written request, within a reasonable period all information which is necessary to carry out a comprehensive review of the Commissioned Processing of Personal Data and release those persons from their confidentiality obligations vis-à-vis the Controller for the purpose of the audit. However, Grade is not obliged to disclose business and trade secrets, operational know-how and other data being protected by law, such as data of other controllers, within such an audit. Controls and audits shall be announced at least two (2) weeks in advance and shall be coordinated with Grade. Any costs of such controls and audits, including possible costs of Grade, shall be borne by the Controller.
8.2 In the event an audit or an information request from a regulatory authority supervising the Controller’s business, Grade shall assist the Controller in answering the request and organising the audit. Grade shall always allow any such regulatory authority to conduct audits of Grade’s operations. Each Party shall bear its own costs in connection with audits initiated by such regulatory authority.
8.3 In case an audit reveals that Grade has breached this Agreement, relevant provisions of the Main Agreement and/or the applicable data protection laws and such breach is considered more than just a minor breach, Grade shall bear all costs of the respective audit. Grade shall take, at its own cost, all corrective actions in case of all identified breaches.
9.1 Controller agrees that Processor may use subcontractors to fulfil its contractual obligations under this Addendum or to provide certain services on its behalf, such as providing support services.
9.2 Due to confidentially and security reasons, Grade has chosen not to publicly list current subcontractos. Upon request by Controller, Processor shall however inform Controller of the name(s) of the subcontractor(s) that are used and what kind of service the subcontractor performs.
9.3 Where Processor authorises any subcontractor as described in this Section 9:
(i) Processor will restrict the subcontractor’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer and any End Users in accordance with the Documentation.
(ii) Processor will impose appropriate contractual obligations in writing upon the subcontractor that are no less protective than this Addendum, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and
(iii) Processor will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the subcontractor that cause Grade to breach any of Grade’s obligations under this Addendum.
10.1 The Parties agree that the general principle of division of responsibility between the Parties under this Agreement relating to fines and/or damages to the Data Subjects imposed by any relevant supervisory authority and/or competent court authorised to impose such fines or damages is based on the respective Party’s need to fulfil its obligations under the applicable data protection laws and that any fines and/or damages to the Data Subjects imposed by a supervisory authority and/or competent court shall be paid by the party that has failed in its performance of its legal obligations under the applicable data protection laws.
10.2 The Parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations by any Party or subcontractor is entitled to receive compensation from the Controller for the damage suffered. Neither Party shall be liable to the other Party under the agreement for any indirect damages. The Parties aggregate liability under this Agreement shall be limited to not exceed the amount that Controller has paid for the use of the services (limited to the amount specified in Grade terms) and service content regardless of the claim.
10.3 The Controller shall defend, indemnify and hold Grade harmless against all reasonable cost and damages finally awarded to Grade by a competent supervisory authority and/or a court of competent jurisdiction (i.e. by an award not capable of appeal) and resulting from claims and actions alleging that Grade is in breach of the applicable data protection laws provided that (i) such breach results directly from the Controller’s written instructions or requirements that are in breach of applicable data protection laws; and (ii) Grade has notified the Controller beforehand that such requirements or instructions constitute a violation of the data protection laws applicable to Grade but the Controller has not amended such requirements or instructions in accordance with Processor’s advice in order to avoid such violation by Grade; and (iii) Grade notifies the Controller without any delay of such claims and actions; and (iv) Grade gives the Controller all necessary information, assistance and authorisations as requested by the Controller from time to time and shall authorise the Controller to settle the matter at its discretion. The indemnification obligation of the Controller shall be the sole and exclusive remedy of Grade regarding any breach of applicable data protection regulation by the Controller.
- Term and Termination
11.1 This Agreement shall be concluded for an indefinite period of time. This Agreement shall automatically be terminated in case of termination of the Main Agreement for whatsoever reason. Either Party’s right to terminate this Agreement for cause shall remain unaffected.
11.2 If Grade materially breaches its obligations under this Agreement and fails to remedy such breach within thirty (30) days from the Controller’s notification of the breach to Grade, or within thirty (30) days from the date when Grade should have noticed the breach, the Controller shall have the right to terminate with immediate effect any and all services and other agreements which the breach affects or relates to.
11.3 Upon termination of this Agreement for whatsoever reason, Grade shall return all data storage media and copies thereof as well as all Personal Data being in its possession to the Controller and shall thereafter delete any Personal Data stored at Grade. Upon request of the Controller, Grade shall confirm compliance with such obligations in writing within one (1) week from such request.
- General Provisions
12.1 Amendments and additions to this Agreement must be in writing. This also applies to a waiver of the requirement for this form.
12.2 Should one or more clauses of this Agreement be or become invalid and/or unenforceable, the validity of the other clauses of this Agreement shall remain unaffected thereby. In such case, the Parties shall amend this agreement and amicably replace the invalid clauses.
12.3 Swedish law shall govern the Agreement.
12.4 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Swedish Chamber of Commerce. The arbitral tribunal shall be composed of a sole arbitrator who shall be appointed by the Board of Arbitration of the Central Chamber of Commerce. The place of arbitration shall be Sweden. The language used in the arbitral proceedings shall be Swedish.