Data processing agreement
Last updated: 2023-11-08
1. Scope and background
1.1 This Data Processing Agreement (“DPA”)” is entered into between Customer (the “Controller”) and Qbrick AB, reg. no. 556579-1380 (the “Processor”) and becomes effective automatically when the Customer subscribes to the Service. The Controller and Processor are referred to jointly as the “Parties” and individually as a “Party”.
1.2 This DPA specifies the data protection obligations arising from the Processing of the Controller’s Personal Data under the agreement/s relating to Video Platform related services entered into between the Parties (the “Agreement”). This DPA shall form an integral part of the Agreement and applies to all Processing activities performed by the Processor or any third party acting on behalf of the Processor (a “Sub-processor”). This DPA replaces any existing data processing agreement in place between the Parties.
1.3 “Data protection legislation” means the data protection legislation framework applicable to the Controller, including but not limited to the General Data Protection Regulation (EU) 2016/679 (the GDPR) applicable from 25 May 2018. The Data protection legislation is also applicable national law regulating the Processing of Personal Data.
1.4 “Controller”, “Data Subject”, “Personal Data”, “Processor”, “Processing”, “Personal Data Breach”, “Supervisory Authority” and “Third Party” have the meanings described in applicable Data protection legislation.
1.5 This DPA ensures that the Processing complies with applicable Data protection legislation.
1.6 The Processor undertakes to Process Personal Data in accordance with this DPA and the Controller’s instructions as set out below, solely for purposes of providing the services under the Agreement. Personal Data may not in any way be Processed for any other purposes.
1.7 In addition to the Agreement which shall form part of the Controllers instruction, the instructions with respect to the nature and content of the Processing are as follows:
i. General nature and purpose of the Processing:
The Processor Process Personal Data in accordance with the Agreement and for the purpose of providing the services under the Agreement.
ii. Categories of Data Subjects:
The Controller may submit Personal Data related to Data Subjects to the Processor which may include, but is not limited to, the following categories of Data Subjects:
- The Controller itself
- The Controller’s end-customers
- The Controller’s employees, other staff and corporate representatives
iii. Categories of Personal Data
The Controller may submit Personal Data to the Processor which may include, but is not limited to, the following categories of Personal Data:
- Personal identification (name, surname, signature)
- Contact information (address, email, phone number)
- Personal data as part of the video/audio content uploaded.
- Device information (Internet Protocol (IP) address, Cookie information)
1.8 The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller containing:
- the name and contact details of the Processor and of the Controller, and, where applicable, of the Controller’s or the Processor’s representative, and the data protection officer;
- the categories of Processing carried out on behalf of the Controller;
- where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation;
- where possible, a general description of the technical and organisational security measures referred to in Section 1.
1.9 This DPA takes precedence over any contrary provisions in the Agreement (including any document attached thereto or referenced therein) with regard to the Processing of Personal Data.
2. Security of Processing
2.1 The Processor guarantees that is has implemented appropriate technical and organizational measures providing a level of security that is appropriate taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedom of the Data Subjects.
2.2 In assessing the appropriate level of security, account shall be taken of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
2.3 The Processor shall ensure that any personnel, consultants or other persons entrusted with Processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.4 Section 3 shall continue in force after the expiry or termination of this DPA.
3. Incident management, breach notification, etc.
3.1 If the Processor suspects or becomes aware of any Personal Data Breach or any other circumstance, within its own control, in which the Controller or Processor is required to act under applicable Data protection legislation, the Processor shall without undue delay and no later than 48 hours notify the Controller thereof by email or other appropriate means of communication.
3.2 The Processor shall, where appropriate, investigate the Personal Data Breach and take appropriate measures to rectify the breach, identify its root causes and prevent a recurrence.
3.3 The Processor shall provide the Customer with a description of the Personal Data Breach. Such a description shall detail (i) the nature of the Personal Data Breach including where possible, the categories and number of Data Subjects concerned and the categories and number of Personal Data Records concerned; (ii)the likely consequences of the Personal Data Breach; and (iii) the measures taken or proposed to be taken, along with measures to mitigate the Personal Data Breach’s possible adverse effects.
4. Enquiries by Data Subjects, Supervisory Authorities and Third Parties
4.1 The Processor undertakes to assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data protection legislation and, where necessary, carry out data protection impact assessments regarding data protection and prior consultation with the relevant supervisory authority under Data protection legislation.
4.2 Should any Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings or similar, the Processor shall inform the Controller immediately by email or other appropriate means of communication. The Processor shall use its best efforts to protect the Controller’s Personal Data and notify the Third Party with access to the Personal Data that the affected Personal Data is confidential information.
5. Audit rights, etc.
5.1 The Controller is entitled to, upon reasonable notice, audit in a manner mutually agreed with the Processor, the Processor’s (and any Sub-processor’s) compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall assist the Controller in such audits. Each Party will carry its own related cost for an audit.
6. Cross-border data transfer
6.1 The Processor may Process and transfer Personal Data to a third country outside of the EU. In case of such a transfer, the Processor is responsible for ensuring that the transfer is lawful under the Data protection legislation. (Appendix A)
7. Sub-processors
7.1 The Processor may engage Sub-processors for the Processing of Personal Data. The Processor shall inform the Controller of intended changes of Sub-processors in order for the Controller to object to such engagements. Such objections shall not be deemed valid unless the Controller can prove a reasonable causefor the objection, specifying what kind of change the Controller wishes to achieve. If the Processor is unable to make the necessary changes based on the Customer’s objection within a reasonable period of time without incurring unreasonable cost or inconvenience, the Parties shall work together to identify a suitable solution to the objection.
7.2 The Processor shall ensure that a data processing agreement is concluded with the Sub-processor which includes obligations on the Sub-processor not less strict than the Processor’s obligations under this DPA. The Processor is fully liable for the performance of any Sub-processors Processing of Personal Data. If the Processor intends to engage a new Sub-processor, the Processor shall notify the Controller in writing the following information:
- Name, organization number and registered office (address and country) of the Deputy
- The type of data and categories of data subjects treated
- Where the Personal Data is to be processed.
7.3 The current list of all subcontractors who, at the conclusion of the agreement, are hired by the Processor as sub-assistants for the processing of personal data on behalf of the Controller can be found in Appendix A. The Controller hereby approves of the Sub-processers in Appendix A.
8. Term and termination, etc.
8.1 This DPA is effective as long as the Processor (or any Sub-processor) Processes Personal Data on behalf of the Controller.
8.2 Upon termination or expiry of the Agreement and prior to deletion/destruction as set out in Section 8.4 below, the Processor will either (i) provide the Controller or a party appointed by the Controller with all Personal Data, unless already deleted according to the instructions from the Controller or by mandatory law, or (ii) confirm to the Controller that the Processor is not Processing any Personal Data.
8.3 Unless there is a statutory obligation to store Personal Data, the Processor (and any Sub-processor) shall delete or destroy all Personal Data without undue delay, and not later than 90 days, after termination or expiry of the Agreement and following delivery of the Personal Data as set out in Section 3 above.
9. Changes
9.1 The Parties agree that where the applicable Data protection legislation changes as a result of legislative, regulatory or judicial developments, thereby altering the Parties’ legal rights and/or obligations, or impacting either Party’s ability to perform its rights and/or obligations under this DPA, the Parties will negotiate in good faith the terms of this DPA to comply with the new developments with the goal to continue the commercial relationship between the Parties.
9.2 No change of this DPA shall be valid unless made in writing.
10. Miscellaneous
10.1 This DPA is governed by the laws of Sweden, excluding its conflict of law principles. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be settled in accordance with the principles set out in the Agreement.
10.2 In the event that the Controller becomes liable against Data Subjects, relevant supervisory authority or other third parties and this liability is due to the Processor or its Sub-Processors processing of Personal Data in violation of the Data Protection Legislation, the DPA or instructions received, the Processor shall indemnify the Controller for all material and/or intellectual property damages/loss.
APPENDIX A
Below is the current list of all subcontractors who, at the conclusion of the agreement, are hired by the Processor as sub-assistants for the processing of personal data on behalf of the Controller:
| Company name | Org. number | Contact information | Location of processing | Mechanism for third country transfer | Data processing |
|---|---|---|---|---|---|
| GlobalConnect AB | 556597-6122 | Bäverns Gränd 17, 752 19 Uppsala. 0188431000, info@globalconnect.se | Sweden, Norway, Finland, Denmark | N/A | Storage of QVP and it’s related data as well as distribution of video content. |
| Cantab Research Limited | 05697423 | Unit 296 Cambridge, Science Park, Milton Road, Cambridge, CB4 0WD | Netherlands, UK | EU GDPR adequacy decision | Speech to text - Processing of uploaded audio files using AI to generate voice transcription. |
| Google Ireland Limited | 368047 | Google Building Gordon House, Barrow St, Dublin 4, Ireland | Finland, USA | EU-U.S. Data Privacy Framework EU Standard Contractual Clauses | Speech to text – Using Google translation services to translate the transcript of the audio. |
| Ironstone AB | 559059-1144 | Jungfrugatan 47, 11444 Stockholm, Sweden | Netherlands | N/A | Video editing and rendition. |
PRODUCT
CONTACT & SUPPORT