Happy at Work logo

Personal data processing agreement

1. PARTIES

This Personal Data Processing Agreement (herein referred to as “the Agreement”) which has been agreed upon between:

1.1 You, also referred to as the Company, its employees and other parties related, as mentioned previously in the Terms of Service agreement (www.happyatwork.se/terms) , herein referred to as "Personal Data Client"; and

1.2 Interactive Happiness Survey AB, 559144-8773, Västra Hamngatan 11, 411 17, Gothenburg, hereinafter referred to as “Personal Data Processor”.

This Agreement will be considered as agreed upon during the point of accepting the Terms and Service that the Personal Data Client accepted during signing up, joining, or similar, to use the Services provided by the Personal Data Processor. The Personal Data Client and the Personal Data Processor are hereinafter also referred to as “Party” and jointly as “Parties”. In this Agreement, terms and concepts are used to some extent, the meaning of which is set out in Regulation (EU) 2016/679 of 27 April 2016 and enforced on 25 May 2018 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and on the repeal of the EU Directive (the "Data Protection Regulation").

2. SCOPE OF THE AGREEMENT

Parties that have entered into agreements regarding a cloud-based HR tool to easily measure well-being and workload in an organization (the Agreement). The Personal Data Processor will, during the term of the General Agreement and this Agreement, process personal data on behalf of the Personal Data Client in order to make pulse surveys according to the areas desired. The Personal Data Processor agrees not to process personal data for any other purpose and only in accordance with the Data Protection Act (as defined in section 3.3 below) and the terms set out in this Agreement

2.1 Within the framework of this Agreement, the Personal Data Processor will process the following categories of personal data:

2.1.1 Surveys do not contain any personal data. However, the administrators will collect and store the following information through the service: (a) First Name / Last Name (b) E-mail (c) Telephone number (optional) (d) Slack ID (Optional) Administrators also receive a password, which is encrypted (with AES256) and stored in encrypted form.

2.2 The personal data applies to the following categories of registered persons:

2.2.1 Employees – registered with name, telephone number (optional) and e-mail.

2.2.2 Managers – registered with name, e-mail and then assigned a password as well as a login.

2.3 Unless otherwise specified herein, the Personal Data Processor shall not be entitled to any compensation to meet the obligations set out in this Agreement.

3. INSTRUCTIONS, SECURITY, ETC.

3.1 Under the terms of this Agreement, the Personal Data Client maintains a general right to issue instructions regarding the nature, scope and method of processing personal data. These instructions can be supplemented with individual instructions.

3.2 The Personal Data Processor shall only process personal data on behalf of the Personal Data Client on the instructions of the Personal Data Client.

3.3 The Personal Data Processor shall take appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss or alteration as well as against unauthorized disclosure, abuse or other processing contrary to Directive 95/46/EG of the European Parliament and of the Council and applicable law transposing this Directive and / or the Data Protection Regulation (hereinafter collectively referred to as "Data Protection Act").

3.4 Without prejudice to the Personal Data Processor's obligations under point 3.3 above, the Personal Data Processor shall ensure that this and its possible subordinates who are involved in the processing of personal data always comply with the EU Commission, data protection authorities or other authorities' latest requirements and minimum security requirements according to Appendix 1 (Data Security).

3.5 At the Personal Data Client's written request, the Personal Data Processor shall provide the Personal Data Client, or any third party designated by the Personal Data Client (provided that reasonable and appropriate confidentiality commitments are entered into), the opportunity to review the Personal Data Processor's data processing and meet the Personal Data Client's reasonable requests, instructions or instructions for it to the Personal Data Client must be able to check and / or ensure that the Personal Data Processor and / or its subordinates fully fulfill their obligations under this Agreement and the Data Protection Act.

3.6 The Personal Data Processor hereby confirms that the Personal Data Processor will carry out appropriate technical and organizational measures in such a way that the processing that follows from this Agreement meets the requirements of the Data Protection Act and the Personal Data Processor shall ensure that the data subject's rights are protected. The Personal Data Processor hereby further confirms that it has expertise, reliability and resources, to implement technical and organizational measures that meet the requirements of the Data Protection Act, among other things regarding security in connection with processing of data, and that the measures taken will be reviewed and updated as necessary. The Personal Data Processor shall assist the Personal Data Client through appropriate technical and organizational measures so that the Personal Data Client can fulfill his or her obligation to respond and comply with a request for the exercise of the data subject's rights in accordance with the Data Protection Act.

3.7 The Personal Data Processor shall ensure that the personnel, consultants and other persons responsible for the Personal Data Processor who process personal data on his behalf have undertaken to observe confidentiality regarding the personal data processed under this Agreement. Such confidentiality obligation shall continue to apply even after the Agreement has expired.

3.8 The Personal Data Processor must document the different categories of personal data that are processed and how the treatment is provided. The documentation must be available to the Personal Data Client without delay upon written request.

3.8.1 The Personal Data Processor shall immediately inform the Personal Data Client if the Personal Data Processor considers that an instruction is in violation of the Data Protection Act.

3.8.2 The Personal Data Processor shall assist the Personal Data Client in ensuring that the obligations under Art. 32-36 of the Data Protection Ordinance and in accordance with instructions from the Personal Data Client (taking security measures, managing personal data incidents, conducting impact assessments and participating in prior consultation with the supervisory authority) are fulfilled, taking into account the type of processing, and the information available to the Personal Data Processor.

4. INFORMATION FLOW

The Personal Data Processor has prepared a detailed overview of the information flows that arise as a result of the Personal Data Processor's processing of personal data in accordance with this Agreement. This can be found in Appendix 2 (Information Flow). The Personal Data Processor warrants that neither the Personal Data Processor nor any of its subordinates will transmit any personal data other than those specified in this Agreement.

5. SUBORDINATES

5.1 The Personal Data Processor may not, without the prior written consent of the Personal Data Client, engage a third party (a subordinate) in order to fulfill any part of the processing that the Personal Data Client is responsible for under this Agreement.

5.2 Before the Personal Data Processor engages in a subordinate under point 5.1 above, the Personal Data Processor must enter into a written agreement with the subordinate, whereby the subordinate is required to fulfill the same obligations that are incumbent on the Personal Data Processor under this Agreement including, but not limited to, verifying that the security measures implemented by the subordinate at least correspond to that level of protection specified in Appendix 1 and other instructions provided by the Personal Data Client under this Agreement. The Personal Data Processor shall without delay report on his / her safety assessments of any subordinates and shall, upon request, provide a copy to the Personal Data Client. The Personal Data Processor shall also, upon request, immediately provide information about any subclaimer's geographical location and the geographical location of personal data that is discussed below. If the subordinate does not fulfill his obligations under such a written agreement, the Personal Data Processor shall be fully liable to the Personal Data Client for the performance of the subordinate's obligations.

5.3 The Personal Data Processor shall, at the request of the Personal Data Client, provide a copy of parts of the Personal Data Processor's agreement with subordinates required to demonstrate that the Personal Data Processor has fulfilled his obligations under this Agreement.

5.3.1 The Personal Data Processor may not transfer personal data outside the EU / EEA without the prior written consent of the Personal Data Client. If such consent is given, the Personal Data Processor must fulfill all requirements from data protection authorities or other authorities regarding a transfer of personal data outside the EU / EEA. The Personal Data Processor shall include the so-called Data Transfer Agreement, which at least must contain, among other things, the EU Commission's standard contract clauses, according to the Commission's decision of 5 February 2010 with subsequent amendments.

6. NOTIFICATION OF PERSONAL DATA INCIDENT

6.1 The Personal Data Processor shall, without undue delay and always within such time that the Personal Data Client reasonably has the opportunity to comply with the Data Protection Act (though not later than 24 hours after a personal data incident or potential personal data incident was brought to attention), notify the Personal Data Client in writing about identified or potential personal data incidents relating to the personal data which is dealt with under this Agreement. The notification shall include all information required for the Personal Data Client to be able to comply with the Data Protection Act, including information on the nature of the personal data incident and the measures that have been taken to limit the effects thereof.

7. COOPERATION WITH REGULATORS

7.1 In the event that a request for access to information, premises or equipment comes to the Personal Data Processor from the supervisory authority or the European Data Protection Agency, the Personal Data Processor shall immediately notify the Personal Data Client of the request and - to the extent possible with regard to the provisions of the Data Protection Act - allow the Personal Data Client to participate in the production of information and any visits to the Personal Data Processor’s premises or the like. The same applies if the said authority requests information or transparency from the Personal Data Processor in order to examine that the Personal Data Processor's processing is done in accordance with the Data Protection Act or other applicable privacy legislation in Sweden.

8. TERMINATION

8.1 This Agreement shall enter into force with the initial acceptance of the Terms and Service that the Personal Data Client has accepted when agreeing during signing up, joining, or similar, to use the Services provided by the Personal Data Processor. This Agreement may be terminated by either Party in compliance with three (3) months' notice period. However, the provisions of this Agreement shall apply as long as the Personal Data Processor processes personal data on behalf of the Personal Data Client.

8.2 At the termination of the Agreement, the Personal Data Processor shall return all material relating to the personal data which he/she has processed for the Personal Data Client's account, or, at the request of the Personal Data Client, submit documentation that shows that such personal data has been deleted.

9. NOTICES

9.1 Notices or other correspondence in connection with this Agreement shall be in writing and drafted in English or Swedish, sent by a messenger, recommended letter or e-mail to the addresses, postal addresses and e-mail addresses stated in the preamble of this Agreement or other such addresses, postal addresses and e-mail addresses that were later notified in accordance with this section 9.

9.2 A notice shall be deemed to have come to the party (i) if it has been submitted with a bid: at the time of delivery, (ii) if it has been sent by registered letter and not received before: three (3) days after the dispatch, or (iii) if sent by e-mail: on the date the recipient of the email confirms the receipt in writing (to avoid misunderstandings, receipt messages, auto-generated reply messages, and other automatically generated emails should not be considered as written confirmations).

10. OTHER PROVISIONS

10.1 The failure of any Party to exercise any right under this Agreement or failure to impose certain circumstances relating thereto shall not mean that Party has waived its right in such respect. Should the Party wish to refrain from exercising certain rights or to impose certain circumstances, such waiver shall in each case be made in writing.

10.2 A Party may not, without the other Party's written consent, assign any rights or obligations under this Agreement.

10.3 Amendments and additions to this Agreement shall, in order to be binding, be drafted in writing and be signed by the competent deputies of the Parties.

10.4 The Agreement constitutes the parties' complete regulation of all matters affecting the Agreement. All written or oral commitments and representations prior to the Agreement are superseded by the contents of this Agreement.

10.5 Should any provision of this Agreement be found to be invalid, this shall not mean that the Agreement as a whole is invalid, but instead, reasonable adjustment of the Agreement shall take place if and to the extent that the invalidity substantially affects the Party's exchange of the Agreement or performance in accordance therewith.

11. APPLICABLE LAW AND DISPUTE RESOLUTION

11.1 This agreement will be subject to Swedish law without regard to Swedish law’s conflicts of laws.

11.2 Disputes in connection with this Agreement shall be finally settled by arbitration in accordance with the Arbitration Rules for the Arbitration Institute of the Stockholm Chamber of Commerce. The arbitral tribunal shall consist of an arbitrator if the disputed value amounts to less than SEK 1 million. If the disputed value amounts to SEK 1 million or more, the arbitral tribunal shall consist of three arbitrators. Arbitration proceedings shall take place in Stockholm. The language of the procedure must be Swedish.

11.3 Arbitration proceedings invoked with reference to this arbitration clause are subject to confidentiality. The confidentiality covers all information that emerges during the procedure as well as the decision or arbitration that is given in connection with the procedure. Information covered by confidentiality under this item may not be disclosed to third parties without the other Party's written consent. However, a Party shall not be prevented from providing such information in order to best utilize its right against the other Party on account of the dispute or if, pursuant to the statutes, regulations, authority decisions, applicable stock exchange rules or equivalent, the Party is obliged to provide such information. * * * This Agreement has been drawn up in so many identical copies that the Parties have each received a copy, either in printed format or digitally.

Appendix 1 – Data Security and Data Retention Policy

1. INTRODUCTION

1.1 This Appendix 1 (Data Security and Data retention policy) outlines the minimum requirements for security that the Personal Data Processor and its subcontractors are to follow when personal data is processed are established. For all requests - please contact us on info@happyatwork.se.

2. MINIMUM SECURITY REQUIREMENTS

2.1 The Personal Data Processor must, for his/her own part, fulfill and ensure that all of its subordinates always meet the following minimum requirements regarding security:

2.2 Accessibility The Personal Data Processor shall ensure that, upon request, a detailed description can be provided of the security measures that have been taken to ensure that information is available, for example: by using technologies that counteract viruses and DDoS attacks.

2.3 Integrity The Personal Data Processor shall ensure that, upon request, a detailed description can be provided of the measures taken to ensure that the personal data is authentic and not intentionally or unintentionally altered during processing, storage or transmission, e.g. in terms of backup, authentication codes and signatures.

2.4 Confidentiality The Personal Data Processor shall ensure that, upon request, a detailed description can be provided of the measures taken to ensure the confidentiality of personal data, including, for example, encryption technology, training programs, authorization assignments and contract clauses.

2.5 Transparency The Personal Data Processor shall ensure that, upon request, a detailed description can be provided of the possible additional measures that have been taken to ensure that the Personal Data Client receives sufficient insight into the Personal Data Client's and (possibly) its subcontractors' processing of personal data, e.g. through real-time information available through information portals.

2.6 Purpose Limitation The Personal Data Processor shall ensure that, upon request, a detailed description can be provided of the methods and controls introduced by the Personal Data Processor and its subcontractors to ensure that personal data is only accessible and used for legitimate purposes, e.g. through access management and distribution of roles and areas of responsibility. The Personal Data Processor shall ensure that only such personal data are processed as are necessary to achieve the purpose of the processing. This obligation applies, for example, to the amount of personal data collected, the scope of the processing, the time for the data storage and its accessibility to the Personal Data Client and the Personal Data Processor.

2.7 Possibility of Intervention The Personal Data Processor shall ensure that the Personal Data Client has access to correcting, deleting, blocking and handling objections to the processing of personal data, and upon request, be able to provide a detailed description of the mechanisms available to the Personal Data Client in order to gain access to correcting, deleting, blocking and handle objections to the processing of personal data.

2.8 Portability The Personal Data Processor shall ensure that, upon request, a detailed description can be provided of how the Personal Data Processor will ensure the personal data's portability, e.g. by using standard or open data formats and interfaces.

2.9 Accountability The Personal Data Processor shall ensure that, upon request, a detailed description can be provided of the technical and organizational measures that have been taken to ensure accountability and traceability regarding the processing of personal data, for example by use logging and self-examination. The Personal Data Processor shall ensure that its services, systems, products and other technology solutions used have built-in data protection and, as a standard, possess data protection that corresponds to requirements according to the Data Protection Pollution and this Agreement.

2.10 Data Storage and Deletion The Personal Data Processor shall ensure that the Personal Data Client can fulfill his or her duties as the Personal Data Client in respect to, for example, (i) deletion, (ii) limitation of processing, (iii) obtaining register extracts relating to registered and (iv) possibility for the data subject to have the right to be forgotten and on the request can provide a detailed description of the technical and organizational measures and methods that have been taken and implemented, respectively, regarding the storage and deletion of data.

2.11 Physical Security The Personal Data Processor shall ensure that the physical security measures and security procedures that have been taken in the places used for the processing of personal data, e.g. Locking of premises and alarm systems are reliable and on request provide a detailed description of which security measures and security procedures have been implemented.

Appendix 2 – Information Flow

1. INTRODUCTION

1.1 In this Appendix 2 (Information Flow), the information flowchart that follows represents the processing of personal data by the Personal Data Processor and its subordinates which is based in accordance with the Agreement.

1.2 Overview

1.3 Information flow