Personal data service agreement

This Agreement applies between the Customer (“Personal Data Controller”) and Waya Finance & Technology AB, org no. 559012-7725, Sveavägen 9, 111 57 Stockholm, (“Personal Data Protection Officer”). Waya and the Customer are individually referred to as "Party" and collectively as "Parties".

1. Background

1.1 The parties have entered into an agreement regarding Wayas invoice service service ("Invoice Service Service") in accordance with contract terms (“Main Agreement”) and/or reminder and collection service Inkassogram (the “Collection Service”) in accordance with contract terms (“Main Agreement”) or Waya Invoice mailing service in accordance with Special conditions ("Main Agreement"), collectively called the "Services" through which the Personal Data Processor will process personal data on behalf of the Personal Data Controller.

1.2 The parties have entered into this personal data assistant agreement (“Assistance agreement”) to ensure the protection of the personal integrity and fundamental freedoms and rights of individuals when the Personal Data Assistant processes Personal Data on behalf of the Personal Data Controller.

2. Definitions

2.1 Terms in this agreement shall be considered to have the same meaning as in the Applicable Data Protection Act as well as the practice that has developed at any time regarding the Applicable Data Protection Act. This means that this Assistant Agreement's definitions will change during the term of the agreement.

"Treatment” means the action or combination of actions concerning personal data or sets of personal data, such as collection, registration, organization, structuring, storage, processing or modification, production, reading, use, disclosure by transmission, dissemination or otherwise making available, adjustment or aggregation , limitation, deletion or destruction.

"The Data Protection Regulation” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC including all possible amendments and additions to this.

"EU regulation” means (i) up to and including 24 May 2018, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free flow of such data, and all amendments and additions thereto, (ii) up to and including May 24, 2018, local laws where the directive set forth in (i) is implemented and any amendments and additions thereto; and (iii) as of May 25, 2018, the Data Protection Regulation.

"Personal data” means any information relating to an identified or identifiable natural person who is alive.

"Supervisory authority” refers to any court, authority or body which, according to applicable legislation and/or regulation (including the Applicable Data Protection Act), exercises supervision over privacy issues and/or processing of personal data.

"Applicable Data Protection Act” refers to such privacy and personal data legislation, including regulations and the Supervisory Authority's decisions and regulations, as well as other possible legislation and newly mentioned types of decisions and regulations, which are applicable to the personal data processing that takes place under this Assistant Agreement, including national such legislation, decisions and regulations, and the EU regulation and such legislation, decisions and regulations that may at any time replace the above-mentioned legislation, decisions and regulations.

3. Processing of personal data

3.1 In order to carry out the commitments that the Personal Data Processor has under the Main Agreement, namely to deliver agreed services, the Personal Data Processor will have access to certain personal data and the processing of these is a natural part of the Main Agreement. The Personal Data Assistant will therefore, on behalf of the Personal Data Controller, process personal data contained in the Personal Data Controller's system in accordance with instructions for processing personal data, Appendix 1.

3.2 The personal data described above may only be processed for the purpose of carrying out the commitments that the Personal Data Processor has under the Main Agreement and the purposes described in more detail in Appendix 1.

4. Responsibility and instruction

4.1 The Personal Data Controller shall be the Personal Data Controller for the personal data processed on behalf of the Personal Data Controller under the Main Agreement. The person in charge of personal data is thus responsible for:

a) consent or other legal support exists for the processing of personal data that the Personal Data Controller assigns to the Personal Data Processor through the Main Agreement and this Subsidiary Agreement;

b) the data subjects have received sufficient information about the personal data processing in accordance with the Applicable Data Protection Act, including that the Personal Data Assistant may process the personal data on behalf of the Personal Data Controller;

c) be the contact person for the data subjects;

d) the instructions that the Personal Data Controller gives the Personal Data Assistant regarding the processing are in accordance with the Applicable Data Protection Act; and

e) inform the Personal Data Controller of incorrect, corrected, updated or deleted personal data that is covered by the Personal Data Controller's processing, immediately after this comes to the attention of the Personal Data Controller.

4.2 The Personal Data Processor shall be the Personal Data Processor for the personal data processed on behalf of the Personal Data Controller under the Main Agreement.

4.3 The personal data processor undertakes to, with regard to the processing of personal data that must take place under the Main Agreement, only carry out such processing in accordance with the Main Agreement and this Processing Agreement and the Personal Data Controller's additional documented instructions from time to time. The personal data processor undertakes not to disclose or otherwise make personal data that has been processed in accordance with this personal data processor agreement available to third parties, with the exception of subcontractors who have been engaged under the Processor Agreement.

4.4 The Personal Data Controller shall inform the Personal Data Controller if the Personal Data Controller considers that an instruction provided by the Personal Data Controller is contrary to the Applicable Data Protection Act. For the avoidance of misunderstanding, the Main Agreement and this Subsidiary Agreement shall be deemed to be such documented instructions. The personal data assistant may carry out processing of personal data in addition to the documented instructions given by the data controller to the extent that such processing is required according to the Applicable Data Protection Act. However, the Personal Data Assistant must inform the Personal Data Controller about such processing before it is carried out, unless there are obstacles to providing such information according to the Applicable Data Protection Act.

4.5 The Personal Data Controller shall without undue delay, however no later than thirty (30) days from the Personal Data Controller's request, give the latter access to the personal data the Personal Data Controller processes on behalf of the Personal Data Controller and carry out the requested change, deletion, restriction or transfer of said personal data unless this is incompatible with Applicable Data Protection Act. If the Personal Data Controller has deleted or instructed the Personal Data Assistant to delete personal data, the Personal Data Assistant must take measures to ensure that the personal data cannot be reproduced. However, this commitment shall not affect the Personal Data Assistant's possibilities for customary back-up of data for security purposes.

4.6 The personal data assistant must maintain a written register of all personal data processing that takes place on behalf of the Personal Data Controller, and at the express request of the Personal Data Controller or the competent supervisory authority, hand over a readable register extract containing, at a minimum, information on:

a) name and contact details of the Personal Data Assistant and, where applicable, the name and contact details of any other personal data controller who hires the Assistant as a personal data assistant, such representatives as the Assistant hires, and, where applicable, the Assistant's representatives, data protection officers and, where applicable, hired by Sub-Assistants;

b) the processing carried out by the Personal Data Assistant on behalf of the Personal Data Controller

c) where applicable, transfer of personal data to third countries, the third country where the data is processed and what adequate protection measures have been taken, and

d) a general description of the technical and organizational measures taken to maintain an appropriate level of protection.

5. Capacity and Ability

5.1 The personal data processor guarantees that it possesses the necessary technical and organizational capacity and ability, including technical solutions, competence, financial and personnel resources, routines and methods, to fulfill its obligations according to this Processor Agreement and the Applicable Data Protection Act.

5.2 The personal data assistant must, at the request of the personal data controller, or an independent third party hired by the latter, prove that the obligations set out in this assistant agreement and the Applicable Data Protection Act are fulfilled by providing relevant documentation without undue delay, refer to relevant and approved code of conduct or certification, enable and contribute to reviews and inspections of premises, IT systems and other assets and/or providing other adequate evidence.

6. Security and Privacy

6.1 The personal data processor must take all measures necessary to fulfill the security requirements in connection with the processing of personal data according to the Applicable Data Protection Act, including, but not limited to, in terms of pseudonymisation and encryption of personal data, the ability to continuously ensure the integrity and resilience of the processing systems and services as well as the ability to restore availability and access to personal data in a reasonable time in the event of a physical or technical incident.

6.2 The personal data processor shall, through appropriate technical and organizational measures, limit access to the personal data and only grant authorization to such personnel who need to have access to the personal data in order to fulfill their obligations under this Processor Agreement, ensure that such personnel have the necessary training and have been sufficiently instructed to handle the personal data in an appropriate and secure manner and ensure that the staff only process the personal data when the Personal Data Controller has been instructed to do so and in accordance with the instructions provided by the Personal Data Controller.

6.3 The Personal Data Processor shall process Personal Data confidentially and ensure that persons authorized to Process the Personal Data with the Personal Data Processor have entered into a special confidentiality agreement or been informed that a special duty of confidentiality exists according to agreement or applicable law.

6.4 The Personal Data Controller must, without unreasonable delay after it becomes known to the Personal Data Controller, notify the Personal Data Controller of the existence of or the risk of accidental or unauthorized access to personal data or other security incidents (personal data incident). Such notification must contain all necessary and available information that the Data Controller needs to be able to take appropriate preventive measures and countermeasures and to fulfill their obligations regarding the notification of personal data incidents to the competent supervisory authority.

7. Collaboration

7.1 The personal data assistant shall, at the request of the data controller, assist him in fulfilling his obligations according to the Applicable Data Protection Act, such as the performance of impact assessments regarding data protection, the design of appropriate technical and organizational measures for built-in data protection, prior consultation with the competent supervisory authority and participate in the investigation of personal data incidents. Given the nature of the processing, the Personal Data Officer must also assist with appropriate technical and organizational measures, to the extent that this is possible, so that the Personal Data Controller can fulfill its obligation to comply with a data subject's request for access to, information about and access to personal data, deletion, correction, restriction of processing or data portability or other request in accordance with the Applicable Data Protection Act regarding the exercise of the data subject's rights. Unless the Parties have agreed otherwise, such assistance as referred to in this paragraph shall not entitle the Personal Data Assistant to special compensation.

7.2 The Personal Data Processor must notify the Personal Data Controller without undue delay if the latter is contacted by a competent supervisory authority or other third party with the aim of gaining access to personal data that the Personal Data Processor, or as the case may be, the Sub-Processor, has in its possession.

7.3 The Personal Data Processor shall inform the Personal Data Controller in writing and in advance of planned changes to the processing procedure, including technical and organizational changes that may affect the protection of the Personal Data and the Personal Data Processor's compliance with the Applicable Data Protection Act. Before such changes are carried out, the Data Controller must give his consent, which must not be reasonably refused.

8. Engagement of subcontractors and transfer to third countries

8.1 The Personal Data Processor has the right to engage a subcontractor for the fulfillment of the Personal Data Processor's obligations under this Subcontractor Agreement, provided that such subcontractor enters into a written so-called subcontractor agreement with the Personal Data Processor with terms that correspond to the terms of this Subcontractor Agreement, and then in particular to provide sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the Applicable Data Protection Act. The sub-assistants listed in Appendix 2 to this assistance agreement are approved by the Personal Data Controller as of the date of this Assistance Agreement.

8.2 Before the Personal Data Processor hires a new subcontractor or replaces an existing subcontractor for the processing of personal data covered by this Subcontract, the Personal Data Processor must inform the Personal Data Controller so that the Personal Data Controller has the opportunity to object to such a change. The Personal Data Assistant must provide the Personal Data Controller with all information that the Personal Data Controller requires for assessment of the subcontractor. If the Personal Data Controller opposes the proposed subcontractor or withdraws its previous consent to the use of a subcontractor, the Personal Data Controller has the right to terminate this Assistance Agreement and other agreements entered into that concern the processing of personal data. During the notice period, personal data may not be transferred to the new subcontractor. 

8.3 In cases where the Personal Data Processor engages a subcontractor, it is the Personal Data Processor's responsibility that the engaged subcontractor performs the assignment in such a way that the subcontractor fulfills all the commitments and observes the restrictions that follow from this Subcontractor Agreement or the Applicable Data Protection Act.

8.4 If, in connection with the Processing of Personal Data, the Personal Data Controller intends to transfer personal data to a subcontractor that is established outside the European Economic Area ("EEA") and which is not considered by the European Commission to meet an adequate level of protection in relation to the Applicable Data Protection Act, the Personal Data Controller shall take the necessary measures to ensure that the legal basis for transfer under the Applicable Data Protection Act is met, to the extent this is required under the Applicable Data Protection Act. Appendix 2 contains a list of subcontractors that are pre-approved on the effective date of the Data Processor Agreement.

8.5 If Personal Data is transferred outside the European Union, the Personal Data Officer must ensure that there are legal grounds under applicable data protection laws for these transfers, for example the European Union model clauses. The Personal Data Controller authorizes the Personal Data Assistant to enter into the European Union Model Clauses (2017/87/EU) on behalf of the Personal Data Controller.

8.6 The personal data assistant may not transfer personal data outside the EEA in other cases than stated above, unless such transfer is required by the Applicable Data Protection Act. In that case, the Personal Data Assistant must inform the Personal Data Controller of the requirement for transfer before such transfer is made.

9. Right to access and information

9.1 The Personal Data Processor must give the Personal Data Controller access to all the information required for the Personal Data Controller to be able to check that the Personal Data Processor, as well as any subcontractors according to point 8 above, fulfill the commitments that have been described under this Processor Agreement.

9.2 In the event of an actual or suspected personal data incident, the Personal Data Assistant must report by e-mail to the Personal Data Controller

10. Damage

10.1 The limitations of liability for damage stated in the Main Agreement shall apply correspondingly to the commitments made under this Subsidiary Agreement.

11. Compensation

11.1 The Personal Data Processor is entitled to special compensation according to the Personal Data Processor's price list in force at any time for work performed in accordance with clauses 4.5, 5.2, 7, 9.1 and 13.1.

12. Contract period and termination of processing of personal data

12.1 This applies as long as the Personal Data Assistant processes personal data on behalf of the Personal Data Controller due to this Assistant Agreement or the Main Agreement.

12.2 Upon termination of the Main Agreement (regardless of the reason), the Personal Data Processor's processing of the Personal Data Controller's personal data shall cease.  The Personal Data Controller must then, in accordance with instructions from the Personal Data Controller, return or destroy all data containing personal data that the Personal Data Controller handed over to the Personal Data Controller or that otherwise came to the Personal Data Controller, including such data generated during the Personal Data Controller's processing of the Personal Data Controller's data, in a format reasonably requested by the Personal Data Controller and storage medium no later than three (3) months after the Main Agreement or this Subsidiary Agreement ceased to apply. Such return or such destruction of data shall mean that the relevant data shall no longer remain and cannot be reproduced with the Personal Data Processor or in the Personal Data Processor's system. In the event that destruction is to take place, the Personal Data Officer must, without delay, confirm in writing that destruction has taken place. This clause 12.2 applies unless the Applicable Data Protection Act or other legislation applicable to the Personal Data Processor's activities prevents the Personal Data Processor from returning or deleting the personal data. In such cases, the Personal Data Officer must handle all personal data with confidentiality and not process the personal data beyond what is permitted under the Applicable Data Protection Act or other applicable legislation.  Regardless of what is stipulated above, the Personal Data Officer has the right to retain and use anonymized data for use for statistics, market research and product development.

13. Additions and changes

13.1 If the Applicable Data Protection Act changes during the period of the Assistance Agreement, or if the competent Supervisory Authorities publish guidelines, decisions or regulations regarding the application that cause this Assistance Agreement not to meet the requirements set for an agreement concerning the processing of personal data, this Assistance Agreement must be amended to meet such requirements. Such change shall enter into force no later than thirty (30) days after the Personal Data Controller sends written notice to the Personal Data Controller of the change, or otherwise no later than within such time period as is required under the amended Applicable Data Protection Act. If the Personal Data Processor should refuse such change, the Personal Data Controller has the right to terminate the Main Agreement, including this Processor Agreement, with immediate effect.

14. Dispute and choice of law

14.1 This Assistance Agreement shall be governed by substantive Swedish law without regard to its choice of law rules. Disputes arising out of this Subsidiary Agreement shall be resolved in accordance with the Main Agreement's provisions on dispute resolution.

Appendix 1

Instructions for processing personal data

Purpose: Provision of services for in accordance with the Main Agreement.

Categories of data: Name, social security number, contact details, bank account number, login ID, address, telephone number, e-mail address, next of kin, debt balance, and messages to/from the registered person.

Categories of registered:  Contact persons at Customer, employees, owners, contractors; Suppliers who are natural persons; Customers and potential customers who are natural persons; User of Wayas system that are natural persons; Debtors.

Treatments: Collection, registration, storage, processing, processing and dissemination. Import of personal data via file transfer: synchronization of personal data against external registers, e.g. population registers. Transfer to other companies within the Berazy Group. Transfer of personal data to authorities.

Location of treatments: Processing of personal data takes place in Sweden.

Information security: The personal data is encrypted and stored in two geographically separate data centers in Sweden with full redundancy and is only accessible by our IT security officer. Processes and routines are implemented for the processing of personal data according to the GDPR, and validation takes place continuously to check compliance with this. Complete information regarding organizational and technical measures for information security can be found at https://www.waya.se/integritetspolicy.

Appendix 2

Approved assistants

Assistant:                                         Place of treatment:

DGC Access AB – Sweden

21 Grams AB – EU

Three Partners Communication AB – Sweden

Handelsbanken – Sweden

LiveChat - USA (Privacy Shield certified - https://www.privacyshield.gov/participant?id=a2zt0000000L16xAAC&status=Active)

Google Gsuit - EU

Crediflow AB – Sweden

Bisnode Sweden AB – Sweden

PipeDrive – Germany

MailChimp - USA (Privacy Shield certified - https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active)

Financial partner in Gothenburg – Sweden

Postmark/Wildbit – USA (Privacy Shield certified – https://www.privacyshield.gov/participant?id=a2zt00000004EKYAA2&status=Active)