Data Processing Addendum
Last updated: October 10, 2023
This Data Processing Addendum (DPA) is hereby incorporated by reference into and is part of the
Agreement under which Validio AB provides the Services to the Customer specified in the Order,
solely to the extent and for the purposes outlined herein. Except for the changes made by this
DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict
between the Agreement and this DPA, this DPA shall control.
DEFINITIONS
1. Words and expressions defined in the Agreement shall have the same meaning herein.
2. Applicable Laws: means the law of the European Union or any member state of the European Union to which Validio is subject.
3. Data Protection Laws: means the General Data Protection Regulation ((EU) 2016/679) and the law of the European Union or any member state of the European Union to which Validio is subject, which relates to the protection of personal data.
4. Customer Personal Data: any Customer Data which includes personal data that Validio processes in connection with the Agreement, in the capacity of a processor on behalf of the Customer.
5. Purpose: the purposes for which the Customer Personal Data is processed, as set out in clause 2.1.
1. DATA PROTECTION
1.1 For the purposes of this DPA, the terms controller, processor, data subject, personal data,
personal data breach, special categories of data and processing shall have the meaning given to
them in the Data Protection Laws.
1.2 Both parties will comply with all applicable requirements of Data Protection Laws. The terms of
this DPA are in addition to, and do not relieve, remove or replace, a party's obligations or rights
under Data Protection Laws.
1.3 To the extent the Customer uploads or inputs any Customer Personal Data into the Services, the
parties have determined and acknowledge that the Customer shall act as a controller in respect
of such data and Validio shall process such data as a processor on behalf of the Customer for
the purpose of providing the Services. Should the determination in this clause 1.3 change, then
each party shall work together in good faith to make any changes which are necessary to this DPA.
1.4 As the Services are cloud-based, the parties acknowledge and agree that:
(a) Customer Personal Data is only processed by Validio if the Customer uploads it to or inputs it through the Services; and
(b) it is the responsibility of the Customer to inform Validio if Customer Data includes any Customer Personal Data by indicating this in the applicable Order or by notice in writing.
1.5 Without prejudice to the generality of clause 1.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to Validio for the duration and purposes of the Agreement.
2. DESCRIPTION OF PROCESSING
2.1 Purpose of processing. The purpose of the processing is to provide the Services in accordance with the terms of the Agreement.
2.2 Nature of processing. Hosting of Customer Data, which may contain Customer Personal Data, as a result of the Customer uploading it to or inputting it through the Services at Customer’s sole discretion, for the provision of the Services by Validio and receipt of the Services by the Customer.
2.3 Duration of processing. The duration of the processing shall be for the provision of the Services during the term specified in the applicable Order.
2.4 Categories of data subjects. Any categories of data subjects that the Customer includes in the Customer Personal Data at the Customer’s sole discretion including without limitation the Customer’s clients, employees, suppliers and end users.
2.5 Categories of personal data. Any form of Customer Personal Data that the Customer uploads to or inputs through the Services at Customer’s sole discretion. The inclusion of any special categories of personal data in the Customer Personal Data is not permitted and any use of the Services in respect of such data is at the Customer’s sole discretion and liability.
3. VALIDIO’S OBLIGATIONS
3.1 Without prejudice to the generality of clause 1.2, Validio shall, in relation to Customer Personal Data:
(a) process that Customer Personal Data only on the documented instructions of the Customer, unless Validio is required by Applicable Laws to otherwise process that Customer Personal Data. Where Validio is relying on Applicable Laws as the basis for processing Customer Processor Data, Validio shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Validio from so notifying the Customer on important grounds of public interest. Validio shall inform the Customer if, in the opinion of Validio, the instructions of the Customer infringe Data Protection Laws;
(b) implement the technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
(c) ensure that any personnel engaged and authorised by Validio to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or other legal obligation of confidentiality;
(d) assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Validio), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(e) notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data and take reasonable steps to mitigate any damage resulting from such breach;
(f) at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless Validio is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 3.1(f) Customer Personal Data shall be considered deleted where it is put beyond further use by Validio; and
(g) maintain records to demonstrate its compliance with this DPA and at the Customer’s sole expense and cost allow for reasonable audits by the Customer or the Customer's designated auditor, for this purpose, on reasonable written notice.
4. SUBCONTRACTING
4.1 The Customer hereby provides its prior, general authorisation for Validio to:
(a) appoint processors to process the Customer Personal Data, including those listed on its website, provided that Validio:
5. TRANSFERS
5.1 The Customer hereby provides its prior, general authorisation for Validio to transfer Customer Personal Data outside of the European Economic Area (EEA) as required for the Purpose, provided that Validio shall ensure that all such transfers are effected in accordance with Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of Validio, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time.