Data Processing Agreement
- Definitions
- Processing of Personal Data
- Rights of Data Subjects
- Netsolutions Personnel and Visitors
- Sub-processors
- Security
- Security Breach Management and Notification
- Deletion of Customer Data
- Additional Terms
- Indemnity and Limitation of Liability
This Data Processing Agreement (“DPA”) is incorporated by reference in our Terms of Service (the “Agreement”). Capitalized terms used in this DPA shall have the meaning given in the Agreement. Direct all inquiries concerning this DPA to info@netsolutions.se.
1. Definitions
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Customer” means either Partner, customer or Partner’s customer(s).
- “Customer Data” means what is defined in the Agreement as Partner Data or Customer Data.
- “Personal Data” means any information relating to (i) an identified or identifiable person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where such data is Customer Data.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.
- “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and Sweden, applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the individual to whom Personal Data relates.
2. Processing of Personal Data
2.1 Scope of Processing.
Customer uses Services to transmit, store or process data which may include Personal Data. Netsolutions will not review, share, distribute or reference any such Customer Data except as required by law or as provided in the Agreement and/or Addendum in place with Partner. Customer is responsible for maintaining the security and confidentiality of accounts and access to Services, as well as for encrypting Personal Data that may be stored on or transmitted to/from the Services.
2.2 Roles of the Parties.
The parties acknowledge and agree that regarding the Processing of Personal Data, Customer is the Data Controller and/or Data Processor when referring primarily to Customer Data within the Services. Customer is Data Controller or Data Processor and Netsolutions is Data Processor or Sub-Processor when referring to Personal Data used as metadata to set up, maintain and deliver Services. Details and references per Service are to be found in the Privacy Policy.
2.3 Customer’s Processing of Personal Data.
Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions to Netsolutions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations at all times. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. If Netsolutions becomes aware of any non-compliance with Data Protection Laws and Regulations, Netsolutions shall immediately inform the Partner/Customer.
2.4 Processing of Personal Data.
Netsolutions shall only Process Personal Data on behalf of and in accordance with Customer’s instructions and shall treat Personal Data as Confidential Information. Customer guarantees that all instructions to Netsolutions are in accordance with Data Protection Laws and Regulations.
2.5 Details of the Processing.
In the Customer Agreement, if required by law, details of the Processing will be specified, e.g. the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
3. Rights of Data Subjects
3.1 Correction, Blocking and Deletion.
To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, Partner shall comply with any commercially reasonable request by Customer to facilitate such actions. Should Partner not have the ability to perform any of the above-mentioned actions, Netsolutions shall comply with any commercially reasonable request by Partner to facilitate such actions to the extent Netsolutions is legally permitted to do so. If legally permitted, Partner shall be responsible for any costs arising from Netsolutions’s provision of such assistance.
3.2 Data Subject Requests.
Netsolutions shall, to the extent legally permitted, promptly notify Partner if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Netsolutions shall not respond to any such Data Subject request without Partner’s prior written consent except to confirm that the request relates to Partner to which Partner hereby agrees. Netsolutions shall provide Partner with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Partner does not have access to such Personal Data through its use of the Services. If legally permitted, Partner shall be responsible for any costs arising from Netsolutions’s provision of such assistance.
4. Netsolutions Personnel and Visitors
4.1 Confidentiality.
Netsolutions shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Netsolutions shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Reliability.
Netsolutions shall take commercially reasonable steps to ensure the reliability of any Netsolutions personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access.
Netsolutions shall ensure that Netsolutions’s access to Personal Data is limited to those personnel performing services in accordance with an agreement with the Customer.
4.4 Visitors.
Customer’s personnel visiting the Netsolutions premises shall always be escorted by Netsolutions personnel or shall wear identity cards with photo to ensure visual identification. Customer shall ensure that such visiting personnel are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Customer shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
5. Sub-processors
5.1 Appointment of Sub-processors.
Customer acknowledges and agrees that
a) Netsolutions’s Affiliates may be retained as Sub-processors; and
b) Netsolutions and Netsolutions’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
5.2 Objection Right for New Sub-processors.
In order to exercise its right to object to Netsolutions’s use of a new Sub-processor, Customer shall notify Netsolutions promptly in writing within ten (10) business days after receipt of Netsolutions’s notice in accordance with the mechanism set out in Section 5.2.
In the event Customer objects to a new Sub-processor, and that objection is not unreasonable, Netsolutions will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Netsolutions is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Services with respect only to those Services which cannot be provided by Netsolutions without the use of the objected-to new Sub-processor by providing written notice to Netsolutions. Netsolutions will refund Customer any prepaid fees covering the remainder of the term of such Services following the effective date of termination with respect to such terminated Services.
5.3 Liability.
Netsolutions shall be liable for the acts and omissions of its Sub-processors to the same extent Netsolutions would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. Security
6.1 Controls for the Protection of Personal Data.
Netsolutions shall maintain administrative, physical and technical safeguards for protection of the security (including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage), confidentiality and integrity of Customer Data, including Personal Data.
6.2 Audits.
Upon Customer’s request, and subject to confidentiality obligations set forth in the agreement between the parties, Netsolutions shall make available to Customer that is not a competitor of Netsolutions (or Customer’s independent, third-party auditor that is not a competitor of Netsolutions) information regarding Netsolutions’s compliance with the obligations set forth in this Agreement. Customer may request an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Netsolutions for any time expended by Netsolutions or its third-party Sub-processors for any such on-site audit at Netsolutions’s then-current professional services rates, which shall be made available to Customer upon request.
Before the commencement of any such on-site audit, Customer and Netsolutions shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Netsolutions, or its third-party Sub-processors. Customer shall promptly notify Netsolutions with information regarding any non-compliance discovered during the course of an audit.
7. Security Breach Management and Notification
Netsolutions maintains security incident management policies and procedures and shall, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized disclosure of Customer Data, including Personal Data, by Netsolutions or its Sub-processors of which Netsolutions becomes aware (a “Security Breach”). To the extent such Security Breach is caused by a violation of the requirements of this Agreement by Netsolutions, Netsolutions shall make reasonable efforts to identify and remediate the cause of such Security Breach.
8. Deletion of Customer Data
8.1 Customer Data in Services.
Customer may at its sole discretion delete Services via the Control Panel. After such deletion Netsolutions may retain Customer Data in limbo for a period of time, which shall not exceed thirty (30) days, before permanently deleting the Customer Data. To the extent Customer is not able to delete certain Services via the Control Panel, Netsolutions shall, after request and within reasonable time, assist Customer to delete the Services and the Customer Data.
8.2 Customer Data in Backups.
Backup data are only kept for a limited and specified time, which may vary for different Services, and if the Customer Data is part of such backup, Netsolutions is allowed to defer deletion until the standard deletion of such backup. This deletion cycle may never exceed ninety (90) days unless specifically agreed upon in writing between the parties.
9. Additional Terms
9.1 Change in Data Protection Laws and Regulations.
The Parties agree that any changes in the Data Protection Laws and Regulations that have an effect on the services under this Agreement shall, immediately after coming into force, be implemented into and become part of this Agreement, and Netsolutions is responsible for informing the Customer about such changes and distributing the amended wording of this Agreement.
9.2 General co-operation.
The parties shall assist each other in ensuring compliance with the obligations in the Data Protection Laws and Regulations of the respective parties.
9.3 Terms of Service.
The Netsolutions Terms of Service will apply to all aspects of the relation between Netsolutions and Customer other than the specific regulation of data processing in this Agreement.
10. Indemnity and Limitation of Liability
10.1 Indemnity.
The Customer and Netsolutions shall indemnify each other for any third-party claim caused by the other party’s breach of this Agreement.
10.2 Limitation of liability.
Neither party shall in any event be liable to the other party under this Agreement for loss of production, loss of use, loss of business, loss of data or revenue or for any special, indirect, incidental or consequential damages, whether or not the possibility of such damages could have been reasonably foreseen.