Data Processing Agreement (DPA)

Version: 18 September 2023

  1. Objectives of DPA

    1. The Parties, STAKATER and the Customer, have entered into a contract for specific IT services, referred to as the "Framework Agreement." In the performance of the "Framework Agreement", STAKATER processes personal data, referred to as the "Data," on behalf of the Customer.

    2. This Data Processing Agreement (DPA) governs the processing of Customer Data by STAKATER in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).

  2. Data Control and Management

    1. The characteristics of the Data, the categories of individuals whose data is being processed, and the duration and objectives of the processing are as follows, unless otherwise explicitly stated in the Framework Agreement:

      1. Data type: The processed Data includes personal data, communication data (e.g. email, chat), registration data, documents, and other data in electronic format that the Processor processes for the Controller in connection with the main contractual services. The Controller assures that no data that requires special protection will be transferred for processing without prior agreement.

      2. Categorization of data subjects: Employees, customers, suppliers, and any other individuals associated with the data controller whose data the Controller transmits to the Processor under the Framework Agreement.

      3. Duration and purpose: The duration of this DPA is defined by the duration of the Framework Agreement. The purpose is restricted to the provision of services under the Framework Agreement.

    2. This DPA applies solely to the processing of Data by the Processor and its subcontractors. If the Customer hires the Processor to process Data on infrastructure or with software from third parties, the Customer is accountable for ensuring that this third party complies with data protection regulations.

  3. Responsibilities of Data Controller

    1. The Controller bears sole responsibility for complying with data protection laws, including ensuring the legality of data transfers to the Processor and the legality of data processing and instructions under the GDPR.
    2. The Processor shall process Data only for the purposes of the Framework Agreement and in accordance with documented instructions from the Controller. All instructions must be in writing or electronic form. Oral instructions must be confirmed in writing or text immediately.
    3. If the Processor believes that an instruction violates applicable laws, it shall promptly notify the Controller. The Processor may suspend implementation of the instruction until it has been confirmed or amended by the Controller.
    4. If Data are processed according to legal provisions and contrary to Controller instructions, the Processor must inform the Controller in advance of the processing operation and the lawfulness of processing, except when contrary to an important public interest. The Controller is accountable for evaluating the lawfulness of the Data processing and ensuring the rights of the data subjects are protected. The Controller ensures that the processing of the Data by the Processor, in accordance with this DPA and the instructions, does not contravene any applicable legal provisions.
    5. The Controller must promptly inform the Processor if it detects any errors or irregularities while reviewing the order processing.
    6. The Controller is obligated to maintain the confidentiality of any knowledge of the Processor's trade secrets obtained within the contractual relationship.
    7. The Controller is required to document their instructions to the Processor.
  4. Measures to Improve Data Protection

    1. The Data Processor shall ensure that all authorized persons who process the Data, such as employees and subcontractors, have agreed in writing to maintain confidentiality and security, or are subject to an appropriate legal obligation of confidentiality and security.
    2. The Processor shall design their internal organization to meet the specific data protection requirements within their area of responsibility. They must take appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and capacity of the systems and services for long-term processing in compliance with GDPR requirements.
    3. The Controller is responsible for ensuring that the technical and organizational measures implemented by the Processor provide adequate protection for the risks associated with processing the Data. The Controller is also aware of the current technical and organizational measures and the procedure for reviewing, assessing, and evaluating their effectiveness.
    4. The Processor may adjust the measures during the contractual relationship due to technical and organizational developments, provided there is no compromise on agreed-upon standards.
  5. Subcontracting

    Prior written consent of the Controller is required for awarding contracts with subcontractors for processing Personal Data covered by the contract.

    The Controller grants the Processor general authorization to use subcontractors in accordance with the provisions of this DPA. The Processor shall inform the Controller in a timely manner of any intended change with respect to the use or replacement of other subcontractors. The Controller may object to the change within thirty (30) days if there is a valid reason. The objection must be in writing, specifying the reasons for the objection. Any further outsourcing by the subcontractor requires the express consent of the Controller.

    The Processor must ensure that authorized subcontractors have data protection obligations fundamentally comparable to those contained in this Agreement before processing Personal Data of the Controller.

    Subcontractors are service providers whose services are directly related to the provision of the main service under the Framework Agreement and concern the processing of Data. Ancillary services, such as telecommunications services, postal or transport services, maintenance and user service, or the disposal of data carriers, are excluded from this definition.

    The Processor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure that the Data of the Controller is protected, even in the case of outsourced ancillary services. The Processor or its subcontractors process the Data in Sweden unless otherwise agreed. Processing of Data outside the EU and Sweden requires the Processor to ensure that the conditions for transferring the data to third countries in accordance with the DPA are met. The Processor shall provide proof of compliance upon request.

  6. Data and Personal Locations

    Employees of the Processor may process the Data from personal locations as part of remote or hybrid work conditions, subject to appropriate measures being in place. The Controller authorizes the processing of such Data only if the necessary data protection and data security measures are in place.

    If Data is processed in or from private space, access to such space for the purpose of order control must be agreed with the Controller in advance. The Processor assures that all residents of these private apartments understand that severity and agree with this provision.

  7. Responsibilities of the Processor

    1. The Processor must assist the Controller in fulfilling requests and claims made by affected individuals in accordance with Chapter III of the GDPR and in fulfilling the obligations outlined in Articles 33 to 36 of the GDPR.

    2. The Controller is primarily responsible for executing data subject rights. However, the Processor will follow the documented instructions of the Controller for handling requests related to the deletion concept, the right to be forgotten, correction, data portability, and information. If the services under the Framework Agreement do not already include this, the Controller will pay a reasonable fee to the Processor for this assistance.

    3. If a data subject request can be attributed to the Controller, the Processor will forward the request to the Controller.

    4. The Processor will immediately notify the Controller if it discovers any breaches related to the protection of the Controller's Data.

  8. Proof of Compliance

    1. The Processor shall provide the Controller with sufficient proof or information of compliance with the obligations stated in this contract through appropriate means, which may include regular reports, audit reports, certifications, or other similar documentation.

    2. In the event that inspections by the Controller or an appointed auditor are necessary, they shall be conducted during normal business hours after reasonable notification to the Processor. The inspection must take into account any legitimate confidentiality interests and legal or contractual confidentiality obligations.

    3. Prior to the audit, the auditing persons must sign a confidentiality agreement with regard to the Processor's data, as well as any other customer data and technical and organizational measures established by the Processor.

    4. The Controller shall bear all costs associated with inspections, including those for the employee provided by the Processor.

  9. Duties after Completion of Agreement

    The Processor shall transfer to the Controller all Personal Data under its control that are associated with the contractual relationship, or destroy them in accordance with applicable data protection regulations, or completely anonymize them upon completion of the contractually agreed work or upon the Controller's request, at the latest upon termination of the service agreement. The Processor shall also include test and defective materials in this transfer or destruction. The Processor shall provide a record of the deletion upon request.

  10. Liability and Limitations

    1. Both the Controller and the Processor are accountable to data subjects under the provisions of Art. 82 of the GDPR. However, regarding their internal relationship, the Processor shall only be held liable for damages resulting from a processing operation if it fails to comply with the obligations specifically imposed on it by the DPA, or if it acts in breach or contrary to the lawful instructions of the Controller.

    2. Additionally, the liability limitations outlined in the Framework Agreement shall be applicable.

  11. Other Provisions

    1. STAKATER reserves the right to modify this DPA at any time and will notify customers of the changes in a suitable manner, including electronically.

    2. Any changes or additions to this DPA will become a binding part of the agreement unless the Customer objects within thirty (30) days of being informed of the amended provisions.

    3. If any provision of this DPA or the remaining contract is found to be invalid, ineffective, or unenforceable, such provision shall be replaced with a valid and enforceable provision that best reflects the intent of the original provision and corresponds to the economic balance of the Parties.

    4. This contract and any disputes arising from it shall be governed exclusively by Swedish law.