DATA PROCESSING AGREEMENT
BETWEEN:
The Customer as defined in the General Terms and Conditions (hereinafter to be referred to as: the “Controller”),
AND
XD Connects as defined in the General Terms and Conditions (hereinafter to be referred to as: the “Processor”).
Hereinafter individually “Party” and jointly “Parties”
HEREBY AGREE AS FOLLOWS:
1. Subject matter of this Data Processing Agreement
1.1. This Data Processing Agreement applies exclusively to the processing of personal data in the scope of the Agreement as defined in the General Terms and Conditions, on behalf of the Controller as further detailed in Paragraph 1.3 and Annex 1 Part A of this Data Processing Agreement.
1.2. Terms defined in the General Data Protection Regulation (2016/679/EU, hereinafter to be referred to as: the “GDPR”) such as “processing”, “personal data”, “controller”, “processor” and “personal data breach” shall have the same meaning as in the GDPR. Terms as defined in the General Terms and Conditions will have the same meaning, unless specifically stated otherwise.
1.3. The Processor will be processing personal data on behalf of the Controller in the course of the performance of the Agreement (hereinafter to be referred to as: the “Personal Data”). An overview of the details of the processing of Personal Data is provided in Annex 1 part A. For all other processing of personal data in the course of providing its services which is not specified in this Data Processing Agreement, XD Connects is a controller in its own right.
2. The Controller and the Processor
2.1. The Processor will act as the processor and the Controller will act as the controller. The Processor will act in accordance with documented instructions of the Controller, as set out in the Agreement and this Data Processing Agreement. The Controller warrants that it has a legal basis for processing within scope of the Agreement, including demonstrable consent where necessary.
2.2. The Processor will only process the Personal Data in such manner as, and to the extent that, is necessary for the provision of the services under the Agreement or to comply with a legal obligation to which the Processor is subject, in which case the Processor will notify the Controller of such legal obligation, unless that law prohibits such notification on important grounds of public interest.
2.3. The Controller warrants that its instructions to the Processor do not violate, and will not cause a breach of, this Data Processing Agreement or applicable legislation, including the GDPR.
3. Confidentiality
3.1. Without prejudice to any existing contractual arrangements between the Parties, the Processor shall treat all Personal Data as strictly confidential. The Processor shall ensure that all persons authorized to process the Personal Data are bound to confidentiality. These obligations will not prevent the Processor from sharing information with a third party in accordance with the Agreement or this Data Processing Agreement, or to the extent such disclosure is mandatory under applicable law.
4. Security
4.1. The Processor shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of the Personal Data. These measures are agreed upon by the Parties in Annex 2. The Processor may change these from time to time, provided such amendments will not result in a lower level of protection.
5. Information and Audit
5.1. At the request of the Controller, the Processor shall provide the information strictly necessary for the Controller to comply with its obligations under the GDPR.
5.2. The Controller has the right to perform an audit of the Processor once per twelve months in order to determine to what extent the Processor complies with the provisions of the Data Processing Agreement. Such audit will be performed by an independent third party and will take place at a time defined by both Parties together. The Processor shall provide the auditor access – on request of the auditor – to the facilities, personnel, policies and documents that are reasonably necessary for the purpose of the audit. The Controller shall bear the costs of such an audit.
5.3. The Processor will immediately inform the Controller in case a request from (the auditor of) Controller is in violation of the law.
6. International Data Transfer
6.1. The Processor shall only transfer Personal Data to a country outside of the European Economic Area if it observes Chapter V of the GDPR.
6.2. The Controller agrees that where the Processor engages a Sub-Processor in accordance with Clause 7 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of Personal Data within the meaning of Chapter V of the GDPR, the Processor and the Sub-Processor can ensure compliance with the same by using standard contractual clauses adopted by the European Commission in accordance with Article 46(2) of the GDPR.
7. Sub-Processors
7.1. The Controller provides the Processor with specific authorization to engage the Sub-Processors listed in Annex 1 part B.
7.2. The Controller provides the Processor with general authorization to engage other Sub-Processors. The Processor shall inform the Controller in advance of the engagement of a Sub-Processor, in which event the Controller has the right to raise an objection to the engagement of that Sub-Processor within four weeks. If the Controller has not raised an objection within those four weeks, the Controller is presumed to have given its specific authorization to the engagement of that Sub-Processor.
7.3. The Processor shall remain liable vis-à-vis the Controller for the performance of – or the failure to perform – the obligations set out in this Data Processing Agreement by Sub-Processors, in accordance with Article 10.
7.4. The Processor shall ensure that the Sub-Processor is bound in writing by similar obligations as the Processor under this Data Processing Agreement.
8. Data Breaches and Cooperation with Data Subject Rights
8.1. In case of a personal data breach the Processor shall notify the Controller without undue delay after discovery.
8.2. In case the Processor receives a complaint or a request of a natural person with regard to the Personal Data, as described in Chapter III of the GDPR, the Processor shall notify the Controller within a week after receiving the complaint or request.
9. Returning or Destruction of Personal Data
9.1. Unless required by applicable law to retain the data, the Processor shall delete the Personal Data in accordance with the retention period as specified in Annex 1 Part A. Upon written request of the Controller, the Processor shall return the Personal Data to the Controller.
10. Liability and Indemnity
10.1. The Processor is solely liable if and to the extent set out in the Agreement. The Processor’s liability for damages arising out of or related to the processing of Personal Data is further limited to direct damages which are caused solely by a breach of the Data Processing Agreement by the Processor and excludes any indirect damages. Indirect damages include in any event: loss of data, claims by third parties including customers, fines imposed by supervisory authorities, and lost turnover or profit.
10.2. The maximum amount for which Processor can be held liable per event, where a series of related events counts as one single event, is equal to the total fees paid by Controller to Processor in the twelve months leading up to that event.
11. Duration and Termination
11.1. This Data Processing Agreement shall come into effect and expire simultaneously with the Agreement.
11.2. Termination or expiration of this Data Processing Agreement shall not discharge the Processor from its obligations meant to survive the termination or expiration of the Data Processing Agreement, including the obligations deriving from Article 3, 4, 8, 9 and 10 of this Data Processing Agreement.
12. Miscellaneous
12.1. In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Agreement, the provisions of this Data Processing Agreement shall prevail.
12.2. Any notifications performed pursuant to this Data Processing Agreement by the Processor to the Controller, for instance the notifications pursuant to Articles 7 and 8, shall be sent by email to the contact information of the Controller as available at XD Connects. It is the responsibility of the Controller to ensure the contact details are at all times correct and up to date.
12.3. This Data Processing Agreement is governed by the laws of The Netherlands. Any disputes arising out of or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of The Hague.
Annex 1:
A) Details of the processing of Personal Data
Categories of data subjects whose personal data is processed
• Recipients that are businesses without legal personality; and
• Recipients receiving drop shipping products.
Categories of personal data processed
• (Company) name
• (Business) email address
• (Business) phone number
• (Business) address
Sensitive data processed (if applicable)
N/A
Nature of the processing
Processor is a supplier of promotional items and gifts. Controller (Customer) can place orders for these items through Processor's digital portal. When an order is placed, processing of the recipients' (personal) data is necessary to complete and dispatch the order. If the recipient to whom Controller sends an order is a business without legal personality, or a natural person receiving drop shipping services, Personal Data is processed for which Processor (XD Connects) acts as processor.
Purpose(s) for which the personal data is processed on behalf of the Controller
• To send orders to recipients
Duration of the processing
Processing lasts from the time the order is placed until the end of the retention period. The retention period for Personal Data is as follows:
• Recipient information in order details: 2 years
• Recipient information in drop shipping overview: 2 years
B) Sub-Processors
Sub-Processors engaged by the Processor:
• B2C Europe (Maersk) for the delivery of drop shipment orders
• Elanders Sverige AB for warehouse facilities
• Early Bird Sverige for the delivery of orders
Annex 2:
Security measures
The Processor shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of the Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The security measures implemented by the Processor include:
• Access security
For example: access to Personal Data is granted only to individuals with a need to know for the performance of their role and access rights are evaluated periodically; strong password requirements and use of a password management tool; use of MFA with endpoint requirements set.
• Data integrity
For example: data is backed up regularly based on the 3-2-1 principle (three copies, on two different media, one of them off-site), and data input is validated. Personal Data is destroyed at the end of the retention period.
• Organizational security
For example: classification of information; informing personnel with access to the Personal Data of their obligations and of the disciplinary consequences of non-compliance; review of network policy use and clean-up of any unused policies.
• Physical security
For example: restricted access to physical storage locations, surveillance of areas where the Personal Data are stored, prevention and detection measures and operating procedures in case of emergencies (such as fire, intrusion and water), and redundant systems.
• Network and data security
For example: extensive segmentation of the network based on zero trust networking (ZTN) principles, use of firewalls and EDR, antivirus software that is kept continuously up to date, use of secure communication channels, and an intrusion detection and prevention system.
• Security incident management
For example: incident response training and developing a security incident plan and business continuity plan.
• Testing and evaluation procedures
For example: procedures to regularly evaluate and improve the effectiveness of the security measures, such as an independent external audit cycle and certifying for relevant security standards.
• Data disposal
For example: Personal Data is irretrievably deleted when no longer necessary, and discarded storage hardware is wiped in accordance with industry practice.
[LAST UPDATE: AUGUST 2024]