Data Processing Agreement

Sony Network Communications Nordics filial till Sony Network Communications Europe B.V. (NL) (registered at The Point, Hyllie Stationstorg 32, 215 32 Malmö, Sweden and with Organisation No. 516412-1450, hereinafter referred to as “Data Processor”) provides certain digital solutions directly and via resellers to corporate users who determine how and why the digital solutions are used (hereinafter “Data Controller”).

This Data Processing Agreement (the “DPA”) reflects the default agreement between the Data Controller and Data Processor in relation to processing of personal data by Data Controller during provision, servicing, and improvement of the digital solutions it provides. The Data Controller and Data Processor can agree to replace this DPA as between them in whole or part by explicitly stating so in writing duly signed by both of them. This DPA does not apply to any Sony products or services other than those provided by Sony Network Communications Europe. Data Controller and Data Processor are each a “Party”, and jointly “Parties”.

By using the Service to instruct Data Processor to process personal data you: (a) acknowledge that data protection laws may apply to your, and Data Controller’s, use of the Service and agree to comply with them; (b) represent to Data Processor that you (as an employee, agent, or otherwise) are legally entitled to bind the Data Controller and instruct Data Processor to process the personal data; and (c) undertake only to assign Service admin rights to persons who have accepted these terms in writing.

1. Background

Data Processor provides services to Data Controller that require Data Processor to process Personal Data. This DPA sets out the respective obligations of Data Controller and Data Processor concerning the processing of the relevant Personal Data to ensure the protection and security of Personal Data in accordance with applicable data protection laws.

2. Definitions

“Applicable Data Protection Laws” shall mean all applicable laws, regulations, guidelines, policies, and decisions of regulatory bodies relating to the protection of personal data, including without limitation EU Directive 2002/58/EC and Regulation 2016/679/EC (GDPR), any binding national implementing legislation, and any amendments and updates thereto.

“GDPR” means Regulation 2016/679/EC on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any amendments thereto.

“Incident” means a breach of Data Processor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in Data Processor’s systems. This does not include unsuccessful attempts or activities that do not compromise security of Personal Data;

“Instructions” has the meaning set out in clause 3.1.

“International Data Transfer” shall mean transfer of Personal Data to recipients outside EU Member State or EEA Country, per the GDPR.

“Personal Data” means personal data (as defined in Article 4(1) of the GDPR) processed in the course of providing the Services by Data Processor for which Data Controller is the controller.

“Processing” (and inflexions thereof) has the meaning set out in Article 4(2) of the GDPR.

“Regulator” shall mean any governmental agency with jurisdiction over the processing and legal authority over data protection within that jurisdiction;

“Services” shall mean the service provided to you by Sony Network Communications Nordics (or its affiliate) in the context of which the Personal Data is processed. Any definition of Services in Sony’s agreement for the supply of such services shall apply.

Terms used but not defined in this DPA shall have the meaning provided for under Applicable Data Protection Laws or, if not defined under Applicable Data Protection Laws, any agreement relating to the Services between the Parties.

3. Specification of personal data and processing instructions

Data Controller shall provide Data Controller written instructions on the processing of Personal Data (“Instructions”). Data Controller shall provide initial Instructions in conjunction with contracting to use the Services. Any instructions provided via configurable options in the Services or subsequently in writing by Data Controller and accepted by Data Processor shall also constitute Instructions. Data Processor will process the Personal Data under this DPA per these Instructions unless otherwise required by applicable law. Processor may update the services to offer new functionalities and this may require new Instructions; in this case Data Processor will update the Instruction and make a copy available to Data Controller, and Data Controller’s written acceptance or use of the functionality will be deemed issuance of the instruction to process.

Data Controller warrants that its Instructions, and processing in accordance with those instructions, complies with Applicable Data Protection Laws, especially that: (i) the processing of Personal Data is based on legitimate purposes with valid legal grounds; (ii) data subjects have received appropriate information about the processing of Personal Data; and (iii) Data Controller is entitled to transfer Personal Data to Data Processor for the processing.

Data Controller may change the Instructions (including those in section 3) where necessary to comply with Applicable Data Protection Laws in the assessment of Data Controller. Data Controller will give Data Processor as much advance notice, in writing, as possible under all the circumstances of changes to Instructions and grounds thereof. Data Processor will endeavor to implement changes within a reasonable time or as agreed by the Parties and may charge Data Controller for any reasonable implementation costs. If Data Processor cannot comply with a change to Instructions Data Processor shall promptly inform Data Controller and stop processing the affected Personal Data (other than securely storing Personal Data) until revised instructions are agreed.

4. Data controller's obligations

Provide information. Upon request Data Controller shall, without undue delay, provide all information and documentation to Data Processor reasonably necessary for the fulfilment of Data Processor’s obligations under Applicable Data Protection Laws.

Other responsibilities. Data Controller is responsible for: (i) ensuring its use of the Services complies with applicable law, including Applicable Data Protection Laws; and (ii) securing any account credentials and systems used to access the Services.

5. Data processor's obligations

Inform Data Controller of conflicts. Data Processor shall promptly inform Data Controller if: applicable law prevents Data Processor from complying with this DPA or documented instructions; or, in its opinion, Instructions or continued processing under this DPA infringe Applicable Data Protection Laws.

Processor Confidentiality. Data Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Implement appropriate protection measures. Data Processor shall implement appropriate technical and organizational measures to protect the Personal Data processed against unauthorized or unlawful processing and against accidental loss, destruction or disclosure. Data Processor warrants that these measures have been implemented before any processing of Personal Data takes place. Data Processor will assist the Data Controller in ensuring compliance with its obligations relating to the security of processing, engagement with supervisory authorities and data protection impact assessments, as required by Applicable Data Protection Laws.

Handling Incidents. Data Processor shall document the facts surrounding the personal data breach in accordance with the Applicable Data Protection Laws, and take such commercially reasonable actions to remedy the cause of the breach. Data Processor shall notify Data Controller in writing without undue delay (and in any event within three (3) working days) if it becomes aware of an Incident. The notice shall include as far as possible details of the Incident, mitigating measures taken, and recommendations of measures Data Controller should take; as necessary for Data Controller to fulfil its notification obligations under Applicable Data Protection Laws. Data Processor will afford all commercially reasonable cooperation in respect of any Investigation by the Data Controller or a Regulator into the Incident under Applicable Data Protection Laws. Parties agree that an Incident de facto and its notification do not constitute evidence of fault or infringement of this DPA or Applicable Data Protection Laws, particularly where the data breach procedures required by Applicable Data Protection Laws have been followed.

Data subject requests. Parties agree that data subject has the following rights against any controllers and processors: right of access, right of rectification, right to erasure (‘the right to be forgotten’), the right to restrict or object to processing. Data Processor shall assist the Data Controller, by appropriate technical and organizational measures to respond and fulfil requests from individuals exercising their rights under Applicable Data Protection Laws (including Article 15 to 22 GDPR).

Supply compliance documentation. Data Processor shall maintain appropriate records of the processing as required by Applicable Data Protection Laws. Upon reasonable request Data Processor shall provide all information, documentation and assistance relating to Data Processor’s processing of Personal Data as is necessary for Data Controller to comply and demonstrate compliance with Applicable Data Protection Laws.

Personal Data audits. Per the terms of this section, Data Processor shall permit Data Controller to, once a year, audit Data Processor to verify compliance with its obligations under this DPA. Data Processor shall also permit such audits lawfully required by a Regulator under Applicable Data Protection Laws in relation to the processing of Personal Data. Data Processor may request that Data Controller retain an independent third party (to Data Processor’s reasonable satisfaction) to conduct the audit. Data Controller shall ensure that anyone conducting an audit is subject to confidentiality obligations reasonably acceptable to Data Processor. Data Processor is not required to grant access to unrelated confidential information or Personal Data of third parties. Scope and timing of audits will be agreed in advance by Parties. Audits must minimize any interference with Data Processor’s business and may only be carried out during Data Processor’s regular business hours. Data Controller shall bear the costs for audits (including third party costs) unless they reveal any significant non-compliance by the Data Processor of this DPA, in which case Data Processor shall bear the costs of audits.

6. Sub-processing

Restriction. Data Processor may only transfer Personal Data to a third party or engage sub-processors for the processing of Personal Data with Data Controller’s prior written consent.

Liability for sub-processing. Data Processor shall impose substantially similar terms to those contained herein on any sub-processor and be liable for ensuring such third-parties’ processing complies with the terms of this DPA and Applicable Data Protection Laws.

Approved Sub-processors. Data Controller authorizes Data Processor to use the sub-processors listed in Appendix 1 (“Approved sub-processors”) for the processing of Personal Data to the extent required for the provision of the Services. Data Processor may update Appendix 1 as it deems necessary, provided: (i) Data Processor shall provide Data Controller reasonable advance notice of any intended changes of sub-processors; (ii) Data Controller may object to such changes according to sub-section (i) above by providing justified reasons based on data protection concerns, such as that sub-processor is not capable to fulfil data protection obligations required by law; and, (iii) should Data Controller object to use a specific sub-processor in Personal Data processing with justified reasons for data protection, the Parties shall in good faith negotiate and agree to a fair solution on how continued provision of the Service will be carried out, including at relevant costs and in a manner reasonably acceptable for both Parties. If the Parties should not manage to reach a solution within one (1) month from the date when Data Controller notified Data Processor that such consent is not granted, Data Processor or Data Controller shall be allowed to terminate the provision of the Services in parts affected.

7. International Data Transfers

Permissible grounds for transfer outside the European Union. To the extent Data Controller requests transfer of Personal Data outside the European Union, Data Controller shall ensure adequate grounds to do so exist. Without prejudice to section 6 above (Sub-processing), Data Controller authorizes an International Data Transfer by Data Processor if based on:

(i) the European Commission’s decision that adequate level of data protection is ensured in the given situation, without any additional authorization for such transfer. Currently, adequate level of data protection (as provided in Article 45 of GDPR) is ensured as regards to those countries officially recognized by the European Commission as having such;

(ii) the approved binding corporate rules in accordance with Applicable Data Protection Laws without any additional authorization for such transfer; or

(iii) conditions that provide appropriate safeguards to ensure an adequate level of data protection is provided for as required by Applicable Data Protection Laws. For clarity entering into a data processing agreement that includes the corresponding data protection obligations as set out in this DPA, e.g., with a non-EU data sub-processor, shall constitute such appropriate safeguards. Such agreement shall incorporate the Standard Contractual Clauses as required by Applicable Data Protection Laws (currently Article 26(2) of Directive 95/46/EC and Article 46 of GDPR).

Changes to transfer mechanisms. Where an International Data Transfer does not fulfil requirements set by Applicable Data Protection Laws or there is any threat thereof (e.g., due to an invalidation decision of competent authority), the Parties shall use all commercially reasonable efforts to ensure implementation of another legitimate transfer mechanism for International Data Transfer without undue delay to be able to continue such transfer.

8. Cessation of processing and deletion

Data Processor shall make processes available for Data Controller to instruct Data Processor to return or delete Personal Data.

In addition, Data Processor shall, unless otherwise required by Applicable Data Protection Laws, delete Personal Data when processing of Personal Data is no longer required under this DPA.

9. Liability

Each Party (“indemnitor”) shall indemnify the other Party (“indemnitee”) up to a maximum of ten million (10,000,000 SEK) Swedish Kronor against any fines and documented direct losses (excluding loss of profits, revenues, and contracts and damage to brand, reputation, or goodwill) suffered as a result of a breach by an indemnitor of its obligations under this DPA or Applicable Data Protection Laws concerning Personal Data, provided: (i) indemnitee notifies indemnitor without undue delay (maximum 14 calendar days) after receipt of an indemnifiable claim; (ii) indemnitee turns over full control of the defense to indemnitor and promptly provides all reasonable cooperation, at indemnitor’s expense, to indemnitor regarding the resolution of the matter; and (iii) indemnitee does not issue any communication about the matter or enter into any discussions or agreement regarding settlement of the matter without express written agreement of indemnitor. Indemnitor may not agree to any settlement that admits guilt or creates un-indemnified obligations on behalf of indemnitee without indemnitee’s express written consent.

10. Term

This DPA enters into force when you as an agent of Data Controller start using the Services and continues until Sony no longer provides Data Controller any Services regulated by this DPA. Termination shall not affect liability for obligations existing prior to termination.

11. General

The Data Processor may update this DPA at any time by updating provided the changes comply with applicable privacy and data protection laws. The Data Controller acknowledges and agrees that it is its responsibility to keep itself informed of the content of this DPA, including any changes thereto, at all times. Notwithstanding the foregoing, if the Data Processor wishes to amend any of the Instructions for processing or add any approved sub-processors then the terms set out in the relevant sections above shall govern such changes.

In any conflict, documents shall prevail in the following order: (i) EU Commission Standard Contractual Clauses (if required and signed); (ii) any agreement entered into by the Parties that explicitly overrides this DPA; (iii) this DPA, including appendices; (iv) any agreement entered into by the Parties that does not explicitly override this DPA.

If Parties have entered into an agreement for provision of Services, the choice of law therein shall apply. If not, this DPA shall be governed by the laws of Sweden (excluding conflicts of law provisions) and disputes related to the DPA shall be resolved by arbitration in Malmö, Sweden administered by the Arbitration Institute of the Stockholm Chamber of Commerce under their Rules for Expedited Arbitrations. All communications shall be in English and considered confidential information. The foregoing shall not prevent a party seeking interim relief or exercise of an arbitral award in a court of competent jurisdiction.