This Data Processing Agreement (“DPA”) is entered into between:
United World Telecom L.C. (”UWT”); and
The company or entity you are representing, (the “Customer”)
hereinafter jointly referred to as “Parties” or individually a “Party”.
1. Recitals
1.1 This DPA constitutes an integral part of the Services Agreement (the “Agreement“) between UWT and the Customer.
1.2 Upon entering of the DPA, UWT will process Personal Data on behalf of the Customer, as a Processor. The Customer is the Controller for the processing of the Personal data.
1.3 If the Customer is joint Controller with another party for the relevant Personal Data, the Customer shall inform UWT accordingly.
1.4 The purpose of this Agreement is to ensure that Processing is carried out in accordance with the applicable requirements for data processing and obligations under Data Protection Laws and to ensure adequate protection of personal integrity and fundamental rights of individuals during the transfer of Personal Data from the Customer to UWT within the framework of the Services that UWT performs under the Agreement.
2. Definitions
”Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
”Data Protection Law(s)” means the applicable laws and regulations in respect of Processing of Personal Data, including but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), Supervisory Authority’s binding decisions, regulations and recommendations and supplementary local adaptations and regulations in respect of data protection.
”Data subject” means the natural person to whom the Personal data relates to.
”Effective Date means July 1st, 2018 if Customer started Service prior or on such date; or the date on which Customer started service if such date is after July 1st, 2018.
”GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679)
”Personal data” means any information relating to an identified or identifiable natural person, as further defined in applicable law and EU- Regulation 2016/679.;
”Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
”Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
”Service” means the telecommunications services provided by UWT and that Customer has subscribed to.
”Sub-processor” means any third parties authorized by the Data Controller, Data Processor or by any other sub-processor of the Data Processor to have access and process Personal Data in order to support the provision of the Service.
”Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51. The Supervisory Authority in Sweden is the Swedish Data Protection Authority.
Unless otherwise stated, any other term or concept used in capitalized letters in this DPA (except in some cases as part of a heading) shall have the meaning and conception that is established in the Data Protection Laws and otherwise in the Agreement, unless the circumstances obviously require another interpretation.
3. Responsibilities and instructions
3.1 The Customer is Controller for all the Personal Data that UWT Processes on behalf of the Customer under the Agreement. The Customer is therefore responsible for complying with Data Protection Laws. The Customer undertakes to inform UWT of the Data Protection Laws that are relevant to carry out the Processing under this Agreement. In addition to the requirements that apply directly to a Processor in accordance with Data Protection Laws, UWT shall be obliged to comply with other applicable requirements according to Data Protection Laws and recommendations from the Supervisory Authority which UWT has been informed of by the Customer. The Customer shall also continuously inform UWT of third parties, including the Supervisory Authority’s and the Data Subject’s, actions as a result of the Processing.
3.2 UWT and any person acting under the authority of UWT, who has access to Personal Data, shall not Process those data for any other purposes than in accordance with the Customers written instructions or according to Data Protection Laws. The instructions that apply to this DPA are set out in Appendix A. In addition to the instructions set out in Appendix A, this DPA and the Agreement constitute Customer’s instructions to UWT regarding the Processing of Personal Data. The Customer shall immediately inform UWT of any changes that affect UWT’s obligations under this DPA.
3.3 Personal Data under this DPA may also be Processed if such Processing is required by Union law or under the national law of a Member State to which UWT or the Sub-processor is subject. If such Processing is required, UWT or Sub-processor shall inform the Customer of the legal requirement before the Processing, unless such information is prohibited according to a public interest under this law.
3.4 UWT has the right to store and Process data derived from the Customer in aggregated or anonymized format, containing no Personal Data, under this DPA.
4. Security
4.1 In order to comply with article 32 of the GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights of Data Subjects, the Parties shall maintain appropriate organizational and technical security measures to protect Personal Data against unauthorized or accidental access, loss, alteration, damage, theft, disclosure or destruction of Customers’ Personal Data. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, damage, destruction or theft of the Personal Data.
4.2 The Parties shall ensure that Personal Data cannot be read, modified, copied or removed without authorization during electronic transmission, storage or transport and that is possible to examine, establish and control to which Parties the transfer of Personal Data is envisaged.
4.3 UWT shall notify the Customer without undue delay after becoming aware of a personal data breach.
5. Disclosure of Personal Data and Information
5.1 In the event that UWT receives a request from the Data Subject, Supervisory Authority or other third party to obtain information regarding Personal Data which UWT Processes on behalf of the Customer, UWT shall without delay forward the request to the Customer. UWT and any person acting under the authority of UWT, may not disclose Personal Data or other information about the Processing of Personal Data without explicit instructions from the Customer unless such disclosure is required according to applicable Data Protection Laws.
5.2 UWT shall assist the Customer in complying with their obligation to respond to requests regarding a Data Subject’s right of access, rectification and erasure, by taking technical and organizational measures, which are appropriate taking into account the nature of the Processing and assist in disclosing Personal Data when required by applicable national law.
6. Contact with Supervisory Authority
UWT shall inform the Customer of any contacts from the Supervisory Authority concerning the Processing of Personal Data under this DPA. UWT is not entitled to represent the Customer or act on behalf of the Customer in relation to the Supervisory Authority if not required by Data Protection Laws.
7. Sub-processors
7.1 Personal Data may be Processed by a Sub-processor provided that UWT enters into a written agreement with the Sub-processor which impose on them the corresponding obligations when Processing Personal Data as per this DPA.
7.2 UWT undertakes to inform the Customer of any plans to retain new Sub-processors or to replace Sub-processors. The Customer is entitled to object to such changes. Such objection may relate only to objective grounds linked to the fulfilment of technical and organizational security requirements when Processing Personal Data under the DPA.
7.3 UWT is responsible for ensuring that the requirements for the use of Sub-processors under Data Protection Laws are taken into account and to ensure that such Sub-processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a way that the Processing meets the requirements of Data Protection Laws.
7.4 If a Sub-processor fails to fulfill the obligations under the Agreement, this DPA and/or according to Data Protection Laws, UWT shall be responsible for performing the Sub-processor’s obligations in relation to the Customer.
8. Audits
8.1 The Customer has the right to demand security audits performed by an independent third party at the Customer’s choice. The third party will provide a report to be delivered to UWT upon request. The Customer accepts that UWT may claim compensation for the performance of the audit.
8.2 UWT shall immediately inform the Customer if UWT considers an instruction to be in violation of Data Protection Laws.
9. Transfers of Personal Data outside the EU/EEA
The Customer hereby grants a general written authorization to UWT to transfer the personal data to a country located outside the European Economic Area or to a country which has not been recognized by the European Commission as ensuring an adequate level of data protection, provided that (i) UWT has provided appropriate safeguards in accordance with the Applicable Data Protection Legislation or (ii) a derogation provided in the Applicable Data
Protection Legislation enables such transfer. Where reasonably required by UWT, the Customer shall execute the documents and perform the acts which are necessary to implement any such appropriate safeguards.
10. Confidentiality
UWT shall keep confidential all Personal Data and other confidential information. UWT shall ensure that each member of its staff, whether employed or hired employee, having access to or being involved with the Processing of Personal Data under the agreement (i) undertakes a duty of confidentiality and (ii) is informed of and complies with the obligations of this Data Processing Agreement. The duty of confidentiality shall also apply 1 year after termination of the agreement or this Data Processing Agreement.
11. Data portability
UWT shall ensure that the Customer is able to fulfill any obligation regarding Data Portability relating to Personal Data which UWT Processes on behalf of the Customer.
12. Compensation
12.1 In the event that the obligations imposed on UWT in accordance with Sections 5, 8, 9 and 11 results in extensive work for UWT, UWT shall be entitled to reasonable compensation from the Customer.
12.2 In the event that the Customer submits a legitimate objection to a new Sub-processor pursuant to Section 7 and UWT does not agree to replace the Sub-processor, UWT shall be entitled to additional compensation from the Customer for the costs incurred by UWT due to the fact that the Sub-processor cannot be used.
12.3 UWT shall be entitled to reasonable compensation for all work and all costs that arise due to the Customer’s Instructions for Processing if these exceeds the features and level of security based on the services that UWT normally provides to its customers, e.g. in the case that UWT’s system / services or other that requires UWT to make special adjustments on behalf of the Customer.
13. Liability
13.1 In the event UWT, or a person acting under the authority of UWT, or a Sub-processor, processes Personal Data in violation of this DPA or the Instructions for Data Processing provided by the Customer, UWT shall, in consideration of the limitation of liability arising from the Agreement, compensate the Customer for the direct damage suffered by the Customer due to the wrongful Processing. Regardless of the limitation of liability in this Agreement, UWT’s liability under paragraph 13.1 shall always be limited to an amount equivalent to the fees paid by the Customer to UWT under the Agreement for a period of twelve (12) months before the damage occurred. In the event that the Agreement has not been valid during a full contract year, such amount shall be calculated on the costs that the Customer is expected to pay during a contract year under the Agreement.
13.2 During the term of this DPA and thereafter, the Customer shall indemnify and hold UWT harmless from any direct damage, including claims from Data Subjects and third parties, which UWT has suffered due to unclear, inadequate or unlawful instructions from the Customer, or otherwise, depending on the circumstances deriving from the Customer.
13.3 UWT’s obligation to pay damages, laid down in section 13.1 above, only applies, provided that i) the Customer without undue delay informs UWT in writing of any claims against the Customer; and ii) the Customer allows UWT to control the defense of the claim and make independent decisions regarding settlement.
14. Term and Termination
14.1 This DPA enters into force when duly signed by both Parties either separately as an amendment to the Agreement or as a part of the Agreement and remains in force as long as UWT Processes Personal Data on behalf of the Customer.
14.2 Upon termination of the Agreement or this DPA (depending on which occurs first), UWT shall in accordance with the Customer’s instructions delete or return all Personal Data to the Customer and make sure that all Sub-processors do the same.
14.3 If the Customer has not requested that the Personal Data should be returned, UWT shall delete the data within 90 days after the termination of the DPA or the Agreement (whichever occurs first). UWT shall delete any existing copies unless the storage of Personal Data is required by Union law or the national law of the Member State.
15. Changes and additions
15.1 If the Data Protection Laws are changed during the term of this DPA, or if the Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Laws that result in this DPA no longer meeting the requirements for a DPA, shall the Parties make the necessary changes to this DPA, in order to meet such new or additional requirements.Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of change to the other Party or otherwise no later than prescribed by the Data Protection Laws, guidelines, decisions or regulations of the Supervisory Authority.
15.2 Other changes and additions to this DPA, in order to be binding, must be made in writing and duly signed by both Parties.
16. Miscellaneous
16.1 This DPA supersedes and replaces all prior DPAs between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless if otherwise stated in the Agreement.
16.2 This DPA shall be governed by the same law and subject to the same forum as the Agreement.
16.3 In addition, the terms of the Agreement shall also apply to UWT’s Processing of Personal Data and the obligations under this DPA. However, in the event of contradictions between the provisions of the Agreement and this DPA, the provisions of the DPA will supersede regarding all Processing of Personal Data. The provisions of the Agreement may not restrict or modify any of the obligations of this DPA.
16.4 This DPA shall be governed by the same law and be subject to the same forum as stated in the Agreement.
Appendix A – Data Processing Instructions
In these data processing instructions, all capitalised words shall have the same meaning as defined in the DPA, unless otherwise is expressly stated.
Purposes
UWT processes personal data for the purpose of fulfilling the service under the Agreement. Personal data may also be processed for IT-support and related services. Further, UWT processes data for fraud detection and other preventive actions.
Categories of data
UWT processes the following categories of personal data:
Information and data transferred by the Customer to UWT when using UWT’s services, user data and information related to the use of UWT’s services, end user generated content, and
other information relevant to IT-support and related services.
UWT does not Process sensitive personal data, the Customer is responsible for ensuring that sensitive personal data is not transferred to UWT’s services unless UWT has provided the Customer with written consent in advance to such Processing.
Categories of data subjects
UWT processes the following categories of Data Subjects:
Information about registered users, and
Information about Data subjects which appear in such material that the Customer transfers to UWT through the use of any of UWT’s services, and
End user information.
Retention requirements
The personal data must be deleted at the Customer’s request and according to the Customer’s instructions.
UWT has a retention period of 90 days after the termination of the Agreement or DPA.