1.1 This Data Processing Agreement (“DPA”)” is entered into between Customer (the “Controller”) and Qbrick AB, reg. no. 556579-1380 (the “Processor”) and becomes effective automatically when the Customer subscribes to the Service. The Controller and Processor are referred to jointly as the “Parties” and individually as a “Party”.
1.2 This DPA specifies the data protection obligations arising from the Processing of the Controller’s Personal Data under the agreement/s relating to Video Platform related services entered into between the Parties (the “Agreement”). This DPA shall form an integral part of the Agreement and applies to all Processing activities performed by the Processor or any third party acting on behalf of the Processor (a “Sub-processor”). This DPA replaces any existing data processing agreement in place between the Parties.
1.3 “Data protection legislation” means the data protection legislation framework applicable to the Controller, including but not limited to the General Data Protection Regulation (EU) 2016/679 (the GDPR) applicable from 25 May 2018. The Data protection legislation is also applicable national law regulating the Processing of Personal Data.
1.4 “Controller”, “Data Subject”, “Personal Data”, “Processor”, “Processing”, “Personal Data Breach”, “Supervisory Authority” and “Third Party” have the meanings described in applicable Data protection legislation.
1.5 This DPA ensures that the Processing complies with applicable Data protection legislation.
1.6 The Processor undertakes to Process Personal Data in accordance with this DPA and the Controller’s instructions as set out below, solely for purposes of providing the services under the Agreement. Personal Data may not in any way be Processed for any other purposes.
1.7 In addition to the Agreement which shall form part of the Controllers instruction, the instructions with respect to the nature and content of the Processing are as follows:
i. General nature and purpose of the Processing:
The Processor Process Personal Data in accordance with the Agreement and for the purpose of providing the services under the Agreement.
ii. Categories of Data Subjects:
The Controller may submit Personal Data related to Data Subjects to the Processor which may include, but is not limited to, the following categories of Data Subjects:
iii. Categories of Personal Data
The Controller may submit Personal Data to the Processor which may include, but is not limited to, the following categories of Personal Data:
1.8 The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller containing:
1.9 This DPA takes precedence over any contrary provisions in the Agreement (including any document attached thereto or referenced therein) with regard to the Processing of Personal Data.
2.1 The Processor guarantees that is has implemented appropriate technical and organizational measures providing a level of security that is appropriate taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedom of the Data Subjects.
2.2 In assessing the appropriate level of security, account shall be taken of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
2.3 The Processor shall ensure that any personnel, consultants or other persons entrusted with Processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.4 Section 3 shall continue in force after the expiry or termination of this DPA.
3.1 If the Processor suspects or becomes aware of any Personal Data Breach or any other circumstance, within its own control, in which the Controller or Processor is required to act under applicable Data protection legislation, the Processor shall without undue delay and no later than 48 hours notify the Controller thereof by email or other appropriate means of communication.
3.2 The Processor shall, where appropriate, investigate the Personal Data Breach and take appropriate measures to rectify the breach, identify its root causes and prevent a recurrence.
3.3 The Processor shall provide the Customer with a description of the Personal Data Breach. Such a description shall detail (i) the nature of the Personal Data Breach including where possible, the categories and number of Data Subjects concerned and the categories and number of Personal Data Records concerned; (ii)the likely consequences of the Personal Data Breach; and (iii) the measures taken or proposed to be taken, along with measures to mitigate the Personal Data Breach’s possible adverse effects.
4.1 The Processor undertakes to assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data protection legislation and, where necessary, carry out data protection impact assessments regarding data protection and prior consultation with the relevant supervisory authority under Data protection legislation.
4.2 Should any Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings or similar, the Processor shall inform the Controller immediately by email or other appropriate means of communication. The Processor shall use its best efforts to protect the Controller’s Personal Data and notify the Third Party with access to the Personal Data that the affected Personal Data is confidential information.
5.1 The Controller is entitled to, upon reasonable notice, audit in a manner mutually agreed with the Processor, the Processor’s (and any Sub-processor’s) compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall assist the Controller in such audits. Each Party will carry its own related cost for an audit.
6.1 The Processor may Process and transfer Personal Data to a third country outside of the EU. In case of such a transfer, the Processor is responsible for ensuring that the transfer is lawful under the Data protection legislation. (Appendix A)
7.1 The Processor may engage Sub-processors for the Processing of Personal Data. The Processor shall inform the Controller of intended changes of Sub-processors in order for the Controller to object to such engagements. Such objections shall not be deemed valid unless the Controller can prove a reasonable causefor the objection, specifying what kind of change the Controller wishes to achieve. If the Processor is unable to make the necessary changes based on the Customer’s objection within a reasonable period of time without incurring unreasonable cost or inconvenience, the Parties shall work together to identify a suitable solution to the objection.
7.2 The Processor shall ensure that a data processing agreement is concluded with the Sub-processor which includes obligations on the Sub-processor not less strict than the Processor’s obligations under this DPA. The Processor is fully liable for the performance of any Sub-processors Processing of Personal Data. If the Processor intends to engage a new Sub-processor, the Processor shall notify the Controller in writing the following information:
7.3 The current list of all subcontractors who, at the conclusion of the agreement, are hired by the Processor as sub-assistants for the processing of personal data on behalf of the Controller can be found in Appendix A. The Controller hereby approves of the Sub-processers in Appendix A.
8.1 This DPA is effective as long as the Processor (or any Sub-processor) Processes Personal Data on behalf of the Controller.
8.2 Upon termination or expiry of the Agreement and prior to deletion/destruction as set out in Section 8.4 below, the Processor will either (i) provide the Controller or a party appointed by the Controller with all Personal Data, unless already deleted according to the instructions from the Controller or by mandatory law, or (ii) confirm to the Controller that the Processor is not Processing any Personal Data.
8.3 Unless there is a statutory obligation to store Personal Data, the Processor (and any Sub-processor) shall delete or destroy all Personal Data without undue delay, and not later than 90 days, after termination or expiry of the Agreement and following delivery of the Personal Data as set out in Section 3 above.
9.1 The Parties agree that where the applicable Data protection legislation changes as a result of legislative, regulatory or judicial developments, thereby altering the Parties’ legal rights and/or obligations, or impacting either Party’s ability to perform its rights and/or obligations under this DPA, the Parties will negotiate in good faith the terms of this DPA to comply with the new developments with the goal to continue the commercial relationship between the Parties.
9.2 No change of this DPA shall be valid unless made in writing.
10.1 This DPA is governed by the laws of Sweden, excluding its conflict of law principles. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be settled in accordance with the principles set out in the Agreement.
10.2 In the event that the Controller becomes liable against Data Subjects, relevant supervisory authority or other third parties and this liability is due to the Processor or its Sub-Processors processing of Personal Data in violation of the Data Protection Legislation, the DPA or instructions received, the Processor shall indemnify the Controller for all material and/or intellectual property damages/loss.
Below is the current list of all subcontractors who, at the conclusion of the agreement, are hired by the Processor as sub-assistants for the processing of personal data on behalf of the Controller:
Company name | Org. number | Contact information | Location of processing | Mechanism for third country transfer | Data processing |
---|---|---|---|---|---|
GlobalConnect AB | 556597-6122 | Bäverns Gränd 17, 752 19 Uppsala. 0188431000, info@globalconnect.se | Sweden, Norway, Finland, Denmark | N/A | Storage of QVP and it’s related data as well as distribution of video content. |
Cantab Research Limited | 05697423 | Unit 296 Cambridge, Science Park, Milton Road, Cambridge, CB4 0WD | Netherlands, UK | EU GDPR adequacy decision | Speech to text - Processing of uploaded audio files using AI to generate voice transcription. |
Google Ireland Limited | 368047 | Google Building Gordon House, Barrow St, Dublin 4, Ireland | Finland, USA | EU-U.S. Data Privacy Framework EU Standard Contractual Clauses | Speech to text – Using Google translation services to translate the transcript of the audio. |
Adobe Systems Software Ireland Limited | 344992 | 4-6 Riverwalk, City West Business Campus, Saggart D24, Dublin, Ireland | Ireland | EU Standard Contractual Clauses EU-U.S. Data Privacy Framework | Video editing and rendition. |
PRODUCT
CONTACT & SUPPORT