Spirri Data Processing Agreement

This Data Processing Agreement (the “Data Processing Agreement”) is entered into between

Spirri AB, org. no.559375-8674, (“Spirri”) and the Practitioner.

Spirri and the Practitioner are referred to below individually as “Party” and jointly as the “Parties”.

The Parties agree that this Data Processing Agreement applies where in the course of providing services to the Practitioner (“Services”), Spirri is Processing Personal Data on behalf of the Practitioner.

This Data Processing Agreement serves as a written data processing agreement between Spirri and the Practitioner being the Data Controller of personal data of its own customers. It further defines the applicable technical and organisational measures Spirri implements and maintains to protect Personal Data when providing the Services, as required in Art. 32 GDPR.

This Data Processing Agreement has been designed to ensure the Parties' compliance with Art. 28(3) of GDPR.

Definitions

The following terms shall have the following meanings in this Data Processing Agreement:

  • “Data Controller”, shall mean an entity that alone or jointly with others determines the purposes and means of the Processing of Personal Data.
  • “Data Processor”, shall mean an entity that Processes Personal Data on behalf of the Data Controller.
  • “Data Protection Laws”, shall mean the relevant data protection and privacy laws to which the Parties are subject, in particular (but not limited to) Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
  • “Personal Data”, shall mean any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person is one who can be identified directly or indirectly in particular by reference to an identifier such as name, an identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Process” or “Processing”, shall mean any operation which is performed on Personal Data, whether or not by automated means, such as collection, organisation, structuring, storage, use, dissemination or otherwise making available, erasure or destruction.
  • “Sub processor”, shall mean any processor which the Data Processor engages to carry out specific Processing activities on behalf of the Data Controller.
  • “Standard Data Protection Clauses” shall mean the model clauses for the transfer of Personal Data to Data Processors established in third countries as approved by the European Commission from time to time, at present the model clauses set out in the European Commission's Decision (EU) 2021/914 of 4 June 2021.

  1. PROCESSING OF PERSONAL DATA

    1. The objective of the Personal Data Processing under this Data Processing Agreement is the performance of the Services and the Processing will be carried out as further defined in the Terms of Use. The persons affected by the Processing, the nature of Personal Data to be used as well as the scope, nature and purpose of the Processing by Spirri are set out in the Terms of Use of Spirri.
    2. The Parties acknowledge and agree that with regard to the Processing of Personal Data, the Practitioner is the Data Controller and Spirri is the Data Processor. Spirri may also act as an independent Data Controller with regards to the Personal Data that the Practitioner is providing to Spirri or that Spirri collects on behalf of the Practitioner when Spirri is Processing for its own purposes. The Processing performed by Spirri as a Data Controller do not fall under the scope of this Data Processing Agreement.
    3. In case it is expressly agreed under the Terms of Use that affiliates of the Practitioner or any other third parties shall also benefit from the Services; the following shall apply: If the Practitioner acts in this respect on behalf of and in the name of its affiliates and/or third parties in their capacity as Data Controllers, the Practitioner shall enter into data processing agreements with its Data Controllers. The data processing agreements shall in such case expressly allow Spirri and its Subprocessors to Process any Personal Data as described in this Data Processing Agreement. The Practitioner shall serve as a single point of contact for Spirri and shall be solely responsible for the internal coordination, review and submission of instructions or requests of other Data Controllers to Spirri and Spirri shall be entitled to refuse any requests or instructions provided directly by a Data Controller that is not the Practitioner. Spirri shall further have no obligation to inform or notify a Data Controller when it has provided such information or notice to the Practitioner.
    4. Spirri shall as a Data Processor:
      1. Comply with all Data Protection Laws applicable to its provision of the Services. However, Spirri is not responsible for compliance with any laws applicable to the Practitioner or the Practitioner's industry that are not generally applicable to information technology service providers.
      2. Process the Personal Data in accordance with the terms set out exclusively in the Terms of Use and this Data Processing Agreement. The Practitioner's instructions for the Processing of Personal Data shall comply with Data Protection Laws and the Practitioner shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which the Practitioner acquired the Personal Data.
      3. All third party requests regarding Personal Data or information about the Processing activities with regard to the use of the Services shall be redirected to the Practitioner, whether the request is made by a Data Subject, a data protection authority or any other third party. In the event such requests cannot legally be redirected, Spirri shall promptly notify the Practitioner of all third party requests for information related to this Data Processing Agreement and shall procure to assist the Practitioner by appropriate technical and organisational measures, insofar as this is possible and at the Practitioner's expense, for the fulfilment of the Practitioner's obligation to respond to requests for exercising the Data Subject's rights.
      4. Without any obligation to perform a legal examination, Spirri shall notify the Practitioner if it considers an instruction submitted by the Practitioner to be in violation of applicable Data Protection Laws. Spirri shall follow and comply with any additional instructions received from the Practitioner provided that they are legally required, technically feasible and do not require any material modifications of the Services. In case of additional instructions of the Practitioner (i.e. instructions that are not covered by the Services as agreed in the Terms of Use), the Practitioner shall compensate Spirri based on time and material. If and to the extent Spirri is unable to comply with an additional instruction it shall promptly notify the Practitioner hereof. Spirri shall;
        1. Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services;
        2. ensure that access to the Personal Data is limited to those personnel who require such access to perform the Services;
        3. ensure that all of its personnel engaged in the Processing of Personal Data are (i) informed of the confidential nature of the Personal Data, (ii) have received appropriate training of their responsibilities, (iii) have executed written confidentiality agreements and (iv) are obliged to observe data secrecy to the extent applicable according to applicable Data Protection Laws. Spirri shall ensure that such confidentiality obligations survive the termination of their personnel arrangement; and promptly notify the Practitioner of any unauthorised disclosure of Personal Data as required by applicable Data Protection Laws.

  2. Use of Subprocessors

    1. Spirri may use other affiliates and subcontractors to provide certain parts of the Services on the Practitioner's behalf, such as providing the Practitioner support services and Professional Services. The Practitioner hereby authorises Spirri (also on behalf of its Data Controllers) to engage subcontractors for the Processing of Personal Data as Subprocessors.
    2. Any such subcontractors will be permitted to Process Personal Data only to deliver the Services Spirri has retained them to provide, and they are prohibited from using Personal Data for any other purpose. Spirri remains responsible for its affiliates and Subprocessors' compliance with the obligations of this Data Processing Agreement.
    3. Any affiliates or Subprocessors which Spirri permits to Process Personal Data will have entered into written terms with Spirri.
    4. Spirri shall inform the Practitioner upon its request by email about the name, address and role of each Subprocessor it uses to provide the Services. Spirri may remove or appoint other suitable and reliable Subprocessors at its own discretion in accordancewith this section. If a list of Subprocessors was requested by the Practitioner, Spirri will inform the Practitioner by email with at least fourteen (14) days prior notice of any changes to the list of Subprocessors, which shall be deemed accepted as long as they comply with and are bound by applicable Data Protection Laws and, if a Subprocessor is incorporated outside the EU/EEA, ensure that an adequate level of protection is maintained in compliance with Data Protection Laws on third country transfers.

  3. THIRD COUNTRY TRANSFERS

    1. The Parties understand and agree that Personal Data may be transferred, to subsuppliers from countries outside of the EU/EEA by the affiliates and subcontractors of Spirri when providing the Services. The Parties are responsible to keep up to date with any legal developments on the issue of third party transfers to a third country and in particular to the US.

  4. AUDIT

    1. Spirri shall make all information available to the Practitioner which is necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Practitioner or another auditor mandated by the Practitioner.
    2. Nothing in this section of this Data Processing Agreement varies or modifies applicable Data Protection Laws.
  5. Liability
    1. The Practitioner shall indemnify and keep indemnified and defend at its expense Supplier against all direct costs, claims, damages or expenses incurred by Supplier or for which Supplier may become liable due to any failure by the Practitioner or its employees or agents to comply with the obligations under this Data Processing Agreement.
    2. Except for gross negligence or wilful intent, neither Party shall be liable for any indirect or consequential damages of the other Party, such as, but not limited to loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third party claims.

  6. MISCELLANEOUS

    1. This Data Processing Agreement shall automatically terminate upon any termination or expiration of the Terms of Use.
    2. If there is any conflict between any provision of this Data Processing Agreement and any provision of the Terms of Use, this Data Processing Agreement shall prevail.
    3. Swedish law shall be applicable to this Data Processing Agreement and the Swedish courts shall have jurisdiction.

This Data Processing Agreement is executed by the authorised representatives of the Parties as of the effective date. Valid signature will be by accepting the Terms of Use on-line.

Last updated: 30 May 2023.