Data Processing Agreement
This Data Processing Agreement regulates the processing of personal data in connection with the Services delivered by SeenThis to Customer according to the main agreement (the “Agreement”). This Data Processing Agreement constitutes an incorporated appendix to the Agreement.
This Data Processing Agreement shall enter into force once the Agreement is entered into between the Parties.
1. PARTIES AND ROLES
SeenThis (“SeenThis”) is either a data processor or a data sub-processor (as the case may be). Customer (“Customer”) is either a data controller or a data processor (as the case may be).
2. SCHEDULES
This Data Processing Agreement includes the following schedules:
SCHEDULE 1A – Terms and conditions for processing of personal data
SCHEDULE 1B – Authorised sub-processors
3. COMPLIANCE WITH THE REGULATORY REQUIREMENTS
The Parties shall comply with the Regulatory Requirements (as defined in Schedule 1A). The Parties agree to make any amendment to this Data Processing Agreement and/or implement any additional measure or safeguard as may be required to ensure compliance with the Regulatory Requirements.
4. DESCRIPTION OF PROCESSING ACTIVITIES
4.1. CATEGORIES OF DATA SUBJECTS
Actors and models engaged by the Customer or third parties and contact details to individuals representing entities marketed in Raw Material.
4.2. CATEGORIES OF PERSONAL DATA
Pictures and videos identifying data subjects and other personal details included in Raw Material.
4.3. PURPOSE (THE “PURPOSE”)
The purpose of the processing of personal data is to enable formatting of Raw Material (video) to enable added functionalities as further set out in the Agreement.
4.4. PROCESSING ACTIVITIES
Personal data included in Raw Material will be processed as part of the formatting, displaying and/or hosting services described in the Agreement.
4.5. DURATION OF PROCESSING
The personal data processed under this Data Processing Agreement will only be processed for the duration of the Services delivered by SeenThis to the Customer.
4.6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
SeenThis has:
- an appointed person designated to be responsible for the internal supervision of the processing of personal data and ensure that all relevant SeenThis employees are aware of and comply with this Data Processing Agreement (e.g. a data protection officer or equivalent);
- ensured that its offices are secured through appropriate access control systems;
- implemented appropriate authorisation levels when granting access to systems storing and processing personal data including granting authorisation to add, delete, or modify users;
- ensured that all users of systems storing and processing personal data will have unique identifiers (user IDs);
- ensured that its network is protected from public networks by firewalls;
- installed up-to-date antivirus software at access points to its network (for e-mail accounts), as well as on all file servers and all workstations;
- ensured that access to personal data will be granted on a need-to-know basis;
- implemented standard routines to govern how data and data carriers are deleted or destroyed once they are no longer required; and
- secured all personal data against accidental or unauthorised destruction or loss by implementing backup and contingency processes and other measures for protection and restoration of personal data and systems used for processing or storing personal data.
SCHEDULE 1A – TERMS AND CONDITIONS FOR PROCESSING OF PERSONAL DATA
1. INTRODUCTION
1.1. This is a schedule and an integral part to the Data Processing Agreement entered into by the Customer and SeenThis.
1.2. Defined terms that are used but not defined in this document shall have the meaning set out on the Cover Page or the Agreement (as applicable). Unless otherwise stated, terms used in this Data Processing Agreement (e.g. ‘personal data’, ‘processing’ etc.) shall be construed in accordance with the Regulatory Requirements.
2. DEFINITIONS
“Affiliate” means a legal entity that directly or indirectly through one or more intermediaries is controlled by a Party or under common control with a Party’s ultimate parent company. For the purposes of this definition, the term “control” shall be understood as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of a legal entity, whether through the ownership of voting stock, by contract, or otherwise;
“Data Controller” means the Customer SeenThis processes personal data on behalf of under the Agreement;
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (General Data Protection Regulation), and any amendments made thereto;
“Regulatory Requirements” means the GDPR and the legislation applicable to the processing of personal data in the jurisdiction in which SeenThis is established, as stated on the Cover Page, and any successor legislation to the GDPR.
“Supervisory Authority” means any court, regulatory agency or authority which, according to applicable laws and/or regulations (including the Regulatory Requirements), supervises privacy issues and/or the processing of personal data; and
“Third Country” means a country which is not a member of the European Union (EU) or the European Economic Area (EEA).
3. ROLES, PROCESSING AND PURPOSE
3.1. In relation to SeenThis, the Customer shall be regarded as the Data Controller for all personal data included in the Raw Material and any other personal data processed on behalf of the Customer in connection with the Services and in accordance with its instructions. SeenThis shall be considered the processor or sub-processor (as the case may be) of the personal data included in the Raw Material and any other personal data processed on behalf of the Customer in connection with the Services and in accordance with its instructions.
3.2. SeenThis shall process the Customer’s personal data for the Purpose and to the extent it is necessary for the fulfilment of SeenThis’ obligations under this Data Processing Agreement and/or any other Agreement.
4. SPECIAL UNDERTAKINGS OF THE CUSTOMER
4.1. The Customer undertakes to:
a. Ensure that there is a legal basis for processing the personal data covered by the Data Processing Agreement;
b. Ensure that the data subjects, as required by the Regulatory Requirements, have received sufficient information regarding the processing by the Data Controller, including information that SeenThis may process the personal data on behalf of the Customer.
c. Immediately after it is brought to the Customer’s attention, inform SeenThis of any erroneous, rectified, updated or deleted personal data subject to SeenThis’ processing;
d. In a timely manner, provide SeenThis with lawful and documented instructions regarding SeenThis’ processing of personal data;
e. Provide SeenThis with the Customer’s applicable policies and guidelines for processing personal data before this Data Processing Agreement enters into force and thereafter prior to any changes or updates thereto; and
f. Act as the data subject’s sole point of contact.
5. SPECIAL UNDERTAKINGS OF SEENTHIS
5.1. SeenThis undertakes to:
a. Only process personal data in accordance with the Customer’s documented instructions unless required to do so under the Regulatory Requirements. In such a case, SeenThis shall inform the Customer of that legal requirement before processing the personal data, unless providing such information is prohibited by the Regulatory Requirements;
b. Ensure that employees (of SeenThis or its subcontractors) which process personal data on behalf of the Customer have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c. Take the measures required pursuant to GDPR, Article 32;
d. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in the Regulatory Requirements;
e. Upon a timely request by the Customer, assist the Data Controller in ensuring compliance with the obligations pursuant to Article 32 to 36 of the GDPR taking into account the nature of the processing and the information available to SeenThis; and
f. Make available to the Customer the information necessary to demonstrate compliance with SeenThis’ obligations laid down in the Data Processing Agreement and allow for and contribute to audits, including inspections, conducted by the Customer or another third party mandated by it, in accordance with Clause 8.
5.2. SeenThis shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes the Regulatory Requirements.
6. REMUNERATION
6.1. To the extent SeenThis’ processing of personal data under this Data Processing Agreement is an intrinsic part of the services rendered by SeenThis under the Agreement, the remuneration under the Agreement for said services shall cover also SeenThis’ undertakings under this Data Processing Agreement.
6.2. If (i) the Customer amends its written instructions (ref. Clause 4.1), (ii) the Customer would require the implementation of technical or organisational measures in addition to those set out on the Cover Page, (iii) additional efforts are required by SeenThis to fulfil the provisions in Clause 5.1 (d)–(f) (e.g. to handle data subject requests), or (iv) the Customer requires SeenThis to utilise a different sub-processor than the one originally proposed by SeenThis (ref. Clause 1.1), then SeenThis shall be entitled to compensation for any costs incurred as a result thereof from the Customer (including a reasonable profit margin), calculated on a time and material basis. Any payments in this regard shall be handled applying the provisions of the Agreement.
6.3. Unless otherwise stated in the Agreement, the Customer shall pay amounts due hereunder to SeenThis within ten (10) days of the date of the invoice. In the case of a non-payment of an invoice, SeenThis shall be entitled to notify the Customer that it will suspend its performance hereunder unless the invoice is paid within a reasonable time period. Should the invoice remain unpaid after the expiry of said time period, SeenThis shall be entitled to suspend its performance hereunder. Should the invoice remain unpaid for a period twice the length of said time period, SeenThis may terminate this Data Processing Agreement with immediate effect in accordance with Clause 10.1.
7. SUB-PROCESSORS
7.1. SeenThis shall be entitled to engage subcontractors acting as sub-processors provided that such sub-processors are bound by a written contract which states that it must adhere to data protection, privacy and audit obligations corresponding to and no less restrictive than those under this Data Processing Agreement.
7.2. Should SeenThis wish to engage a sub-processor, it shall notify the Customer in advance. The Customer may always, with reasonable cause and within ten (10) business days from receipt of the notification, object to SeenThis appointing that specific sub-processor. Should the Customer object to the appointment of a sub-processor, and this would cause costs or operational consequences which, in SeenThis’ opinion, would not be commercially reasonable, SeenThis or Customer may, upon reasonable written notice, terminate the Data Processing Agreement and the Agreement in its relevant parts as a result of not engaging the relevant sub-processor.
7.3. If the Customer has not objected to a sub-processor proposed by SeenThis in accordance with Clause 7.2 above, the Parties agree that the Customer has forfeited its right to objection under Clause 7.2 above and where such a sub-processor fails to fulfil its data protection obligations, SeenThis shall remain fully liable to the Customer for the performance of the sub-processor’s obligations.
7.4. SeenThis shall remain the Customer’s sole point of contact, unless otherwise agreed.
7.5. By signing this Data Processing Agreement, the Customer explicitly consents to the use of the sub-processors with whom SeenThis has agreements in place at the time this Data Processing Agreement enters into force, including all Affiliates of SeenThis, regardless if they have been engaged as sub-processors at the time of this Data Processing Agreement. The sub-processors engaged by SeenThis at the time of this Data Processing Agreement being entered into by the Parties are set forth in Schedule 1B.
8. AUDIT RIGHTS AND LOCATIONS
8.1. The Customer shall have the right to perform audits of SeenThis’ processing of the Customer’s personal data (including such processing as may be carried out by SeenThis’ sub-processors, if any) in order to verify SeenThis’, and any sub-processor’s, compliance with this Data Processing Agreement.
8.2. SeenThis will, during normal business hours and upon reasonable notice (whereby a notice period of twenty (20) business days shall always be deemed reasonable), provide an independent auditor, appointed by the Customer and approved by SeenThis, reasonable access to the parts of facilities where SeenThis is carrying out processing activities on behalf of the Customer, to personnel and information relating to the processing of the Customer’s personal data. The auditor shall comply with SeenThis’ work rules, security requirements and standards when conducting site/office visits.
8.3. A Supervisory Authority shall, upon request, be given direct and unrestricted access to the Parties’ premises, data processing equipment and documentation in order to investigate that the Parties’ processing of the personal data is performed in accordance with the Regulatory Requirements.
8.4. The Customer is responsible for all costs associated with an audit mentioned in this Clause 8, save for when the audit concludes a material breach of SeenThis’ undertakings in violation of this Data Processing Agreement. If so, SeenThis shall bear its own costs associated with the audit.
9. INTERNATIONAL PERSONAL DATA TRANSFERS
9.1. SeenThis is entitled to transfer personal data under this Data Processing Agreement, to a Third Country, provided that SeenThis prior to such transfer of the personal data has:
a. verified whether the Third Country according to an adequacy decision issued by the EU Commission provides an adequate level of protection for the personal data in which case the personal data may be transferred to the Third Country; and if not
b. ensured that there are appropriate safeguards in place in accordance with Regulatory Requirements, e.g. standard data protection clauses adopted by the EU Commission under the GDPR, covering the transfer and processing of the personal data; or (in the absence of such safeguards)
c. verified if it is possible to rely on any specific derogation provided for under Regulatory Requirements for the transfer of personal data in which case the personal data may be transferred to the Third Country.
d. For the avoidance of doubt, the personal data may not be transferred to or processed in a Third Country if none of the conditions outlined in section 9.1 above exists.
10. TERM AND TERMINATION
10.1. This Data Processing Agreement shall enter into force once the Agreement is entered into between the Parties. Unless terminated earlier (i) due to a material breach of the terms or (ii) in accordance with Clause 6.3 and/or Clause 7.2, this Data Processing Agreement shall remain in force until the termination or expiration of the Agreement and until SeenThis ceases to process personal data on behalf of the Data Controller, whereupon it shall terminate automatically without further notice.
10.2. On termination of this Data Processing Agreement for any reason, SeenThis shall cease to process the personal data processed on behalf of the Customer and shall, at the Customer’s expense, provide for the return to the Customer of all such personal data together with all copies in its possession or control unless storage of the personal data is required under the Regulatory Requirements. If the Customer does not respond to a SeenThis offer to return the personal data processed by it under this Data Processing Agreement, within a period of three (3) months from when the offer was made, SeenThis will be entitled to delete any such personal data, including copies thereof, unless storage of the personal data is required under the Regulatory Requirements.
11. INDEMNIFICATION, LIABILITY AND LIMITATIONS OF LIABILITY
11.1. Each Party shall indemnify and hold the other Party harmless from and against all costs, losses and/or expenses (including costs for legal advice) incurred as a result of any claim brought by a third party arising out of or relating to any breach by such first-mentioned Party of any obligation under this Data Processing Agreement.
11.2. Notwithstanding Clause 11.1, SeenThis shall never be liable towards the Customer, whether for negligence, breach of contract, non-compliance with the GDPR or any other applicable Regulatory Requirement, misrepresentation or otherwise, for any (a) loss of profit, revenue, business, value, market share, use, production, contracts, goodwill, actual or anticipated savings, lost or unauthorised access to content or data (including personal data) or (b) any special, indirect, incidental, punitive, or consequential loss or damage in any way.
11.3. Notwithstanding Clause 11.1, SeenThis’ total liability under this Data Processing Agreement shall never exceed the lower amount of (i) any applicable liability limitation amount set out in the Agreement and (ii) an amount corresponding to fifty (50) per cent of the total amounts paid by the Customer to SeenThis under the Agreement during the last twelve months’ period.
11.4. SeenThis shall not be liable for any default or delay in the performance of its obligations under this Data Processing Agreement if and to the extent the default or delay is caused by circumstances that are outside SeenThis’ control and that SeenThis could not reasonably have foreseen or prevented by reasonable precaution (i.e. ‘force majeure’). A failure by a sub-processor will be considered a force majeure event provided that the underlying reason for the sub-processor’s non-performance is an event which, if it had been related directly to SeenThis, would have qualified as a force majeure event under this Clause 11.4.
11.5. None of the provisions set forth in this Clause 11 shall be read so as to limit a party’s liability to the extent that would not be permitted under any applicable mandatory laws including the Regulatory Requirements.
11.6. The limitations of liability and exceptions from liability set out in this Clause 11 apply to each party and its employees, sub-processors and Affiliates collectively.
12. GOVERNING LAW AND DISPUTE RESOLUTION
12.1. This Data Processing Agreement shall be governed by the laws of Sweden.
12.2. The provisions regarding dispute resolution set out in the Agreement will also apply to this Data Processing Agreement. If there is no Agreement in force or if the Agreement does not contain any provisions regarding dispute resolution, any dispute, controversy or claim arising out of or in connection with the Data Processing Agreement shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. The seat of arbitration shall be Stockholm and the language to be used in the arbitral proceedings shall be Swedish.
SCHEDULE 1B – AUTHORISED SUB-PROCESSORS
NAME: Fastly, Inc
TYPE OF SERVICE/PROCESSING: Content network provider
LOCATION/COUNTRY FOR THE SUB-PROCESSOR’S PROCESSING: See locations, as applicable from time to time, here: https://www.fastly.com/network-map/
NAME: Amazon Web Services EMEA SARL
TYPE OF SERVICE/PROCESSING: Cloud hosting service provider
LOCATION/COUNTRY FOR THE SUB-PROCESSOR’S PROCESSING: Ireland
NAME: Google LLC
TYPE OF SERVICE/PROCESSING: Workplace, collaboration, and file storage services provider
LOCATION/COUNTRY FOR THE SUB-PROCESSOR’S PROCESSING: EU