Data Processing Agreement
Gilion platform
1. General
1.1. The Controller (or any of its affiliates) has in conjunction with this Data Processing Agreement (“DPA”) entered into, or may potentially enter into, an agreement with an affiliate of the Processor or a third party lender (“Lending Entity”) arranged by the Processor (or an affiliate of the Processor) concerning financing made available to the Controller (or any of its affiliates) by the Lending Entity (“Loan Agreement”). Pursuant to the Loan Agreement or the Terms of service (as defined below), the Controller will have access to the Services (as defined below) delivered by the Processor and as a result thereof the Processor will process personal data on behalf of the Controller (or any of its affiliates) in the capacity of a data processor.
1.2. This DPA governs the rights and obligations of the Parties when the Processor processes personal data on behalf of the Controller (or any of its affiliates) pursuant to the Loan Agreement or the Terms of service (as applicable).
1.3. This DPA, including its appendices, together with the Loan Agreement or Terms of service (as applicable), constitute the Controller’s (or any of its affiliates) complete instructions to the Processor for the processing of the personal data.
1.4. If the information stipulated in the Loan Agreement (if entered into) or the Terms of service conflicts with this DPA, this DPA shall take precedence.
1.5. This DPA aims to meet the current requirements for a DPA in accordance with Applicable Data Protection Legislation.
2. Definitions
To the extent that Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter referred to as the General Data Protection Regulation (“GDPR”), contains terms similar to those used in this DPA, such terms shall have the same meaning as in the GDPR.
“Applicable Data Protection Legislation” means all applicable privacy and personal data legislation applicable to the personal data processing that is carried out under this DPA.
“Controller” means the company on whose behalf the registration for the Platform as a customer has been completed and in connection therewith this DPA was entered into.
“DPA” means this Data Processing Agreement and its appendices.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Loan Agreement” means (if entered into) an agreement with the Lending Entity concerning financing made available to the Controller (or any of its affiliates).
“Lending Entity” means an affiliate of the Processor or a third party lender under a Loan Agreement (if entered into).
“Party” means the Controller or the Processor.
“Platform” means the digital platform provided by the Processor to which the Controller is granted access in accordance with the Terms of service.
“Processor” means Gilion AB, reg. no. 559264-9726, Eriksbergsgatan 27, 114 30 Stockholm.
“Services” means the Platform and its content including the Result (as defined in the Terms of service), features, functionalities, tools, data, software and services related thereto provided by Gilion.
“SCC” means the standard contractual clauses for the transfer of Personal Data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented by the European Commission decision (EU) 2021/914 of 4 June 2021.
“Sub-processor” means the legal person who processes personal data on behalf of the Processor.
“Terms of service” means the Terms of service governing the use of the Services as entered into by the Parties.
3. Processing of Personal Data
3.1. The Processor shall ensure compliance with Applicable Data Protection Legislation and its obligations under this DPA when processing personal data on behalf of the Controller.
3.2. The Processor may only process personal data on behalf of the Controller in accordance with the Controller’s documented instructions unless required to do so by the laws of the European Union or a member state of the union to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest. The Controller’s instructions are set out in Appendix 1.
3.3. The Controller warrants that it is entitled under Applicable Data Protection Legislation to instruct the Processor to process the personal data in accordance with this DPA also on behalf of any affiliates (to the extent relevant or applicable).
3.4. Except as set out in Section 3.2, the Processor may not process any personal data for its own purposes or other purposes not set out in this DPA.
3.5. The Processor shall immediately inform the Controller if, in the Processor’s opinion, the Processor has not received sufficient instructions to process personal data in accordance with its obligations or if, in the Processor’s opinion, an instruction infringes Applicable Data Protection Legislation, and defer the processing until receipt of further instructions from the Controller.
3.6. Any changes to the Controller’s instructions shall be negotiated separately and documented in writing. The Processor shall be entitled to compensation for additional costs incurred as a result of any such amendments provided that the Processor has informed the Controller of such additional costs.
4. The Processor's Obligations to Assist the Controller
4.1. The Processor shall assist the Controller in fulfilling its obligations in accordance with Applicable Data Protection Legislation per the Controller's request. This means that the Processor shall:
a) Through appropriate technical and organizational measures, to the extent possible and with due regard to the nature of the processing, assist the Controller in fulfilling the Controller's obligations to comply with the data subjects’ requests for exercising their rights under the GDPR (such as rectification, deletion, restriction, data portability and request of access);
b) Assist the Controller in fulfilling the Controller's obligations to take appropriate security measures for the processing of personal data under this DPA to ensure a level of security appropriate considering the level of risk that the processing of personal data in question entails;
c) Assist the Controller by providing the information, assistance and resources that are reasonably necessary for fulfilling the Controller’s obligation to report personal data breaches to the competent supervisory authority;
d) Assist the Controller with the information, assistance and resources that may reasonably be required to fulfill the Controller's obligation to inform the data subjects, within the framework of this DPA, in the event of a data breach that is likely to result in a high risk to the rights and freedoms of natural persons;
e) Assist the Controller in fulfilling the Controller's obligation to carry out impact assessments for processing under this DPA, which is likely to result in a high risk to the rights and freedoms of individuals; and
f) Assist the Controller by providing the Controller with the information, assistance and resources that may reasonably be required to fulfill the Controller's obligation to provide information and documentation to the supervisory authority for prior consultation, and when necessary, and to a reasonable extent, attend meetings with the competent supervisory authority.
4.2. When the Processor assists the Controller in fulfilling the Controller’s obligations under Applicable Data Protection Legislation in accordance with Sections 4.1 b) - f) above, consideration shall be given to the type of processing it refers to, and the information available to the Processor. In order to avoid any misunderstandings, nothing in this Section 4 shall be interpreted as indicating that the Processor may act on behalf of the Controller. The Processor may only act to fulfill its obligations vis-à-vis the Controller.
5. Security and Confidentiality
5.1. The Parties' obligations to observe confidentiality are regulated in the Loan Agreement or the Terms of service (as applicable).
5.2. The Processor undertakes to take appropriate technical and organizational measures to protect the personal data being processed under this DPA in accordance with Applicable Data Protection Legislation.
5.3. The Processor shall ensure that only the personnel who must have access to the personal data in order to fulfill the Processor's obligations under this DPA will have access to such personal data. The Processor shall ensure that all such personnel are bound by appropriate confidentiality obligations, either by law or by agreement.
6. Personal Data Breaches
6.1. The Processor shall without undue delay inform the Controller after becoming aware of any personal data breach.
6.2. A notification pursuant to Section 6.1 shall include all information that may reasonably be required by the Controller to fulfill its obligations under Applicable Data Protection Legislation. Such information includes e.g. a description of:
a) the nature of the personal data breach, the categories of and approximate number of data subjects affected, and the categories of and approximate number of personal data records included;
b) likely consequences as a result of the data breach; and
c) a description of the measures taken to rectify the personal data breach or to mitigate its potential adverse effects.
6.3. If and to the extent it is not possible to provide all the information at the same time, the information may be provided in installments without undue further delay.
6.4. The Controller shall compensate the Processor for any direct costs that the Processor incurs if the measures taken under this Section 6 are due to the Controller’s non-compliance with Applicable Data Protection Legislation.
7. Sub-processors
7.1. The Processor is entitled to engage Sub-processors to process personal data on behalf of the Controller. The Processor shall enter into an agreement with all Sub-processors which imposes corresponding obligations as are applicable to the Processor in accordance with this DPA. The Processor shall be fully accountable to the Controller for the performance of the Sub-processors’ obligations.
7.2. A list of pre-approved Sub-processors is available here.
7.3. If the Processor intends to engage or replace a Sub-processor, the Processor shall, prior to such engagement, inform the Controller thereof in writing and enable the Controller to object to the engagement. Any objections by the Controller shall be made by the Controller in writing without any undue delay, and at the latest within thirty (30) days, as from the time the Controller receives the information. The Processor shall provide the Controller with any information reasonably requested by the Controller to enable the Controller to assess whether the use of the proposed Sub-processor will be in compliance with this DPA and Applicable Data Protection Legislation. If such compliance, in the Controller’s legitimate and reasonable opinion, will not be enabled through the engagement of the proposed new Sub-processor and the Processor, despite the objections of the Controller, wants to engage the proposed Sub-processor, the Controller shall have the right to terminate the Terms of service. If the objection is not legitimate, the Controller shall not have the right to terminate the Terms of service.
8. Transferring Personal Data to a Third Country
The Processor may move, store, transfer, or otherwise process the personal data outside of the EU/EEA, provided that such transfers meet the requirements and undertakings that follow from Applicable Data Protection Legislation. The Processor undertakes to enter into the relevant module of the EU Commission’s Standard Contractual Clauses with its Sub-processors that transfer personal data outside the EU/EEA, unless another applicable transfer mechanism applies, and to take all reasonable measures to verify that the engaged Sub-processors ensure the lawfulness of any further transfers of personal data that the Sub-processors’ sub-processors may undertake.
9. Request for Information and Disclosure of Personal Data
9.1. In cases where a data subject or other third party requests information from the Processor about the processing of personal data that belongs to the Controller, the Processor shall refer such data subject or third party to the Controller.
9.2. In the event a public authority requests the type of data as set forth in Section 9.1, the Processor shall immediately inform the Controller of the request unless prevented by law, and the Processor and the Controller shall thereafter, in consultation, agree on a suitable course of action. Unless expressly agreed between the Parties, the Processor shall not act on behalf of the Controller.
9.3. The Processor shall not disclose or make any personal data available to third parties unless the Processor is under a legal obligation deriving from the laws of the European Union or a member state, or court or public authorities’ order to disclose the personal data.
9.4. If an obligation to disclose information as stipulated in this Section 9 emerges, the Processor shall immediately inform the Controller of such situation.
10. Audit and Documentation
10.1. The Processor undertakes to document and keep records of the measures taken by the Processor in order to comply with its obligations under this DPA and Applicable Data Protection Legislation.
10.2. The Processor shall assist the Controller in obtaining information and documentation relating to the processing of personal data carried out on behalf of the Controller to the extent required to demonstrate that the Processor has fulfilled its obligations in accordance with Applicable Data Protection Legislation. The right to information shall include the right of access to the Processor’s premises. The Controller shall be entitled to request an audit for this purpose which may be conducted either by the Controller or by an independent third party provided that such third party is subject to confidentiality and does not constitute a competitor to the Processor.
11. Compensation
The Processor shall receive compensation for any reasonable costs for measures which it takes in respect of processing personal data in accordance with this DPA.
12. Liability
12.1. In the event of compensation for damages in connection with wrongful processing of personal data, which, through an established judgment or settlement, shall be payable to data subjects due to a breach of the provisions in this DPA, the Controller’s instructions or Applicable Data Protection Legislation, Article 82 GDPR shall apply.
12.2. Any administrative fines pursuant to Article 83 GDPR or Chapter 6 of the Swedish Data Protection Act (2018:218) shall be borne by the Party upon whom such a charge is imposed.
12.3. The breaching Party’s liability towards the other Party for such claims referred to in Section 12.1 above is (i) if a Loan Agreement is entered into, limited to 200% of the average aggregated interest paid by the Controller (or any of its affiliates) to the Processor under the Loan Agreement the relevant year and (ii) if no Loan Agreement is entered into, limited to the amount set out in the Terms of service.
12.4. The Controller shall fully indemnify the Processor against any damages, fines or costs that the Processor incurs as a result of any breach by the Controller of the warranty set out in Section 3.3.
13. Term
With the exception of Sections 5 and 12, the provisions of this DPA shall apply for as long as the Processor processes personal data on the Controller’s behalf.
14. Measures in Connection with Termination
14.1. When the Loan Agreement expires (or if no Loan Agreement is entered into, the Terms of service are terminated), the Processor shall, at the Controller’s request and per the Controller’s instructions, permanently delete, or return in a format that the Controller chooses, all personal data processed in accordance with the DPA to the Controller, unless the Processor is required by law to save a copy of the personal data.
14.2. In this context, deletion means that the personal data is deleted in accordance with the industry standard in force at any given time, so that it is impossible for the data to be recreated using any technology or method known at the time of deletion. This shall also apply to personal data that has been processed for logging and security purposes.
A Loan Customer may not terminate this Agreement during the Term.
15. Amendments
Any amendments and additions to the DPA shall, in order to be binding, be in writing and duly accepted by both Parties.
16. Assignment of the DPA
Neither Party shall be entitled to assign its rights or obligations under this DPA, in whole or in part, without the prior written consent of the other Party. However, the Processor may, without the prior written consent of the Controller, assign any of its rights or obligations under this DPA to an affiliate, or to another third party as part of a corporate reorganization, upon a change of control, consolidation, merger, sale of all or substantially all of its business or assets of the Processor.
17. Applicable Law and Dispute Resolution
17.1. This DPA shall be governed by the substantive law of Sweden, without regard to its choice of law provisions.
17.2. Any dispute, controversy or claim that solely regards this DPA shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm and the language to be used in the arbitral proceedings shall, unless otherwise agreed between the Parties, be English. Any other dispute, controversy or claim shall be settled in accordance with the Loan Agreement (if entered into).
17.3. The Parties undertake and agree that any arbitral proceedings conducted with reference to this arbitration clause shall be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way its rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority, applicable stock exchange regulations or the regulations of any other recognized marketplace.
APPENDIX 1
Specification of the Processing
1. Brief Description of the Services
The Services are delivered as part of the Platform, an online business intelligence portal provided by the Processor. The primary users of the Services are companies wanting to get a better understanding of their business performance, such as the Controller. The Services can also be used by the Processor’s representatives to understand the Controller’s business.
The Services include access to the Platform where dashboards with metrics and Key Performance Indicators (“KPI”) are presented to the customer. The Platform aims to enhance understanding of various aspects of the company’s business, including revenue trends, user retention and churn, marketing efficiency, and future projections.
The Platform requires access to data regarding financials and sales records to calculate these metrics. The necessary data sets are either provided directly by the Controller or fetched from third-party service APIs managed by the Controller. These data sets are aggregated into statistics and presented in the Platform’s interface.
2. Purpose and Subject Matter of the Processing
The data sets fetched by the Platform are used to calculate business metrics for the Controller. These business metrics are presented to the Controller as a self-service tool where the Controller can log in to learn more about their business performance. The business metrics may also be used together with insights from the Platform to evaluate and follow the health of the Controller’s business, as a foundation for extending loans to the Controller, or for tracking of covenants or other obligations set out in the facility documentation.
In the process of acquiring the raw data necessary to provide the Services, the processing may include a limited amount of personal data. Such personal data is not intentionally collected, and any such processing of personal data will be limited to either (i) downloading it together with other business data only to immediately delete it, or (ii) downloading it together with other business data, whereafter such data will be subject to pseudonymization by way of aggregating, hashing or encrypting such personal data, only in situations where required to provide the Services. Whenever possible, the Processor will abstain from downloading the personal data in the first place, although not all third-party services provide anonymous views of data over their APIs.
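As an added illustration of the two alternatives described above (delete at ingestion, or pseudonymize by hashing), the following Python is not Gilion’s code and does not describe the Platform’s actual pipeline; the record shape, field names and the demo key are assumptions. It drops direct identifiers from a constructed invoice row, replaces the customer join key with a keyed HMAC so that records can still be counted and linked, and includes a small helper showing why an unkeyed hash of a low-entropy field such as the last four card digits is not a pseudonym at all.

```python
import hashlib
import hmac
from typing import Any, Dict, Optional

# Constructed sample: one invoice row shaped like what a third-party invoicing API
# might return. Field names and values are assumptions for this illustration.
SAMPLE_INVOICE: Dict[str, Any] = {
    "invoice_number": "INV-2024-0001",
    "amount": 1250.00,
    "currency": "EUR",
    "issued_at": "2024-03-01",
    "customer_id": "cust_8812",
    "customer_name": "Anna Svensson",
    "customer_email": "anna@example.com",
    "billing_address": "Storgatan 1, 111 22 Stockholm",
    "ssn": "19800101-1234",
    "card_last4": "4242",
}

# Direct identifiers that carry no signal for revenue/retention metrics: dropped at
# ingestion (alternative (i) above). Names are assumed for the sample schema.
DROP_FIELDS = {"customer_name", "customer_email", "billing_address", "ssn", "card_last4"}
# Identifiers needed only to link records (distinct customers, churn): replaced by a
# keyed pseudonym (alternative (ii) above).
PSEUDONYMIZE_FIELDS = {"customer_id"}

# Placeholder key for the demo only. In a real pipeline the key lives in a secrets
# manager, never beside the pseudonymized data, and is rotated with the retention policy.
DEMO_KEY = b"demo-only-replace-with-secret-from-secrets-manager"


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 of the value under a secret key.

    Deterministic so the same customer maps to the same token across datasets
    (joins still work); keyed so that nobody without the key can confirm a guess.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, included only to demonstrate why it is NOT a pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a copy of `record` with direct identifiers removed and join keys
    replaced by keyed pseudonyms; all other (business) fields pass through."""
    cleaned: Dict[str, Any] = {}
    for name, value in record.items():
        if name in DROP_FIELDS:
            continue  # never written anywhere: alternative (i)
        if name in PSEUDONYMIZE_FIELDS:
            cleaned[name] = pseudonym(str(value), key)  # alternative (ii)
        else:
            cleaned[name] = value
    return cleaned


def has_direct_identifiers(record: Dict[str, Any]) -> bool:
    """Post-ingestion check: True if any field slated for deletion survived."""
    return any(name in record for name in DROP_FIELDS)


def recover_unkeyed_last4(digest: str) -> Optional[str]:
    """Brute-force an unkeyed SHA-256 of a 4-digit value. Only 10,000 candidates
    exist, so hashing without a key does not pseudonymize low-entropy fields (the
    same applies to SSNs, e-mail addresses at a known domain, customer numbers)."""
    for n in range(10_000):
        candidate = f"{n:04d}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    out = pseudonymize_record(SAMPLE_INVOICE, DEMO_KEY)
    print(out)
    print("unkeyed last4 recovered:", recover_unkeyed_last4(unkeyed_hash("4242")))
```

The design choice worth noting is that the key, not the hash function, carries the protection: with the key held outside the analytics store, the pseudonymized table alone cannot be linked back to a person, while the same record from two different source systems still collapses to one token.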
3. Categories of Personal Data
Since the Platform discards any personal data during ingestion, the Platform’s systems do not (subject to section 5 below) store any personal data. To the extent personal data will be processed to determine what other types of data to store, such personal data may contain information regarding data subjects such as:
● Full names
● Contact details (including such as home and billing addresses, email addresses, and telephone numbers)
● Social security numbers
● Usernames, user- and customer identifiers, customer numbers
● Geographical location information
● Invoice details (including invoice number and purchase details)
● Partial credit card numbers.
4. Categories of Data Subjects
The personal data processed contains information about the Controller’s employees and customers.
Employees in the context of this DPA refer to individuals who are or have been employed by the Controller.
Customers in the context of this DPA refer to existing or previous customers or end users of the Controller’s goods or services.
5. Processing Operations
The Controller’s login details are encrypted and stored using the AES-256 encryption algorithm (Google Secret Manager, Google Cloud SQL).
During the data ingestion process, the Processor processes personal data on a designated encrypted shared host located in Europe, which communicates with Google BigQuery over TLS. Cross-host data transformation takes place in a closed, secure, and shielded environment. Data in the ingestion process is short-lived and is irretrievably deleted once the process completes.
After data ingestion, any remaining (pseudonymized) personal data is stored and transformed only in the Google BigQuery service, which provides encryption in transit and at rest. The Platform calculates metrics and KPIs from the raw data with personal data removed.
6. Location of Processing Operations
All data is stored and processed in Europe (multi-region EU).
7. Duration of the Processing (Retention Period)
The processing of personal data is either:
i) limited to receiving the raw data, and immediately deleting any personal data from the datasets the Processor receives; or
ii) limited to receiving the raw data and immediately pseudonymizing any personal data in the datasets the Processor receives; the pseudonymized data will be retained only as long as required to provide the Platform and in any event be deleted within 30 days of the termination of the provision of the Platform.
Data deletion is primarily done using the standard Google BigQuery process, which means personal data may persist for a few days before being fully erased.
The Processor will also apply manual processes to ensure that any stored personal data is deleted within 30 days of detection.