1.1 To the extent Bioservo, in connection with the IronConnect Pro Service, processes personal data as a processor on behalf of the Customer, this data processing agreement ("DPA") applies.
1.2 The Parties agree that the Partner may execute this DPA on behalf of Bioservo.
1.3 This DPA supersedes and replaces any data processing agreements previously concluded between the Parties.
1.4 Applicable Data Protection Laws apply to the processing of personal data covered by this DPA.
These terms may be updated; the latest version is always available on the Bioservo website.
2.1 The following defined terms are used in this DPA:
"Applicable Data Protection Laws" | means the GDPR and all data protection legislation and regulations, including regulations issued by relevant Supervisory Authority, protecting the fundamental rights and freedoms of data subjects with respect to the processing of their personal data, that apply to the Parties; |
"Applicable Laws" | means laws and regulations under EU law and relevant Member State laws that apply to the Parties; |
"Bioservo" | means Bioservo Technologies AB, a company incorporated in Sweden with corporate registration number 556650-7264, having its office at Torshamnsgatan 35, 164 40 Kista, Sweden; |
"Controller" | means the legal entity that uses the IronConnect Pro Service under a commercial agreement either with the Partner or Bioservo; |
“Customer” | same as “Controller” |
"Data Subject Request" | means a request from a data subject to exercise rights afforded to data subjects under Applicable Data Protection Laws; |
"Diagnostic and Ergonomics Data" | means diagnostic and ergonomics data collected from Ironhand gloves by the IronConnect Pro Service; |
"GDPR" | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); |
"Instruction" | means any documented instruction issued by the Customer that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and any specific requirements that apply to the processing, including Annex 1 of this DPA; |
"IronConnect Pro Service" | means a service provided by Bioservo for optimizing the use of Ironhand systems, including Bioservo's BioCloud service, a cloud service developed and managed by Bioservo for data storage and management; |
"Parties" | means the Customer and Bioservo together; |
"Partner" | means a legal entity authorized by Bioservo under a commercial agreement to re-sell the IronConnect Pro Service to the Customer; |
"Subprocessor" | means a subcontractor, supplier, consultant or third party engaged by Bioservo to process personal data on behalf of the Customer; |
"Supervisory Authority" | means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR; |
"Third Country" | means a country which is not a member of the European Union (EU) or the European Economic Area (EEA); and |
"Website" | means Bioservo's website which is available at: www.bioservo.com/dataprocessing. |
2.2 Lower case terms used but not defined in this DPA, such as "controller", "processor", "processing" and "personal data", shall have the same meaning as in Article 4 of the GDPR.
3.1 Bioservo agrees to only process personal data on behalf of the Customer in accordance with the details set out in Annex 1 of this agreement and Applicable Data Protection Laws.
3.2 Any further Instruction with respect to the processing of personal data shall be provided to Bioservo by way of e-mail to the following address: gdpr@bioservo.com. If the Customer issues new Instructions which are over and beyond what Applicable Data Protection Laws require, Bioservo shall be entitled to compensation for the cost that this implies or otherwise according to a separate agreement between the Parties.
3.3 Notwithstanding what is stated in Clause 3.1 above, Bioservo may process the personal data to the extent it is necessary in order to comply with legal requirements under Applicable Laws to which Bioservo is subject. Bioservo shall inform the Customer of that legal requirement before the processing, unless Applicable Laws prohibit Bioservo from providing this information.
3.4 Bioservo shall immediately notify the Customer if Bioservo cannot fulfil its obligations under this DPA or if Bioservo is of the view that an Instruction regarding the processing of personal data given by the Customer would be in breach of Applicable Data Protection Laws, unless Bioservo is prohibited from notifying the Customer under Applicable Laws. Notification shall be given by e-mail to the designated e-mail address set by the Customer in the IronConnect Pro Service.
4.1 Bioservo shall at its own cost implement appropriate technical and organizational measures ("TOMs") to protect and safeguard the personal data that is processed against personal data breaches. The TOMs shall at least reach a level of security equivalent to what is prescribed by Applicable Data Protection Laws, relevant Supervisory Authorities' applicable regulations, guidelines regarding security of personal data, and what is otherwise appropriate to the risk of the processing of personal data. The minimum TOMs implemented by Bioservo and its Subprocessors can be obtained on request.
4.2 Bioservo shall, taking into account the nature of the processing and the information available to Bioservo, assist the Customer in ensuring compliance with its obligations under Articles 35 and 36 of the GDPR to carry out data protection impact assessments (DPIAs) and prior consultations with the relevant Supervisory Authority in relation to the processing of personal data covered by this DPA. Requests for such assistance shall be sent to Bioservo by e-mail to gdpr@bioservo.com.
4.3 Bioservo shall ensure that access to the personal data is limited to personnel of Bioservo who need access to personal data in order for Bioservo to fulfil its obligations under this DPA. Bioservo shall ensure that the personnel only process personal data in accordance with Clause 3.1 above.
4.4 Bioservo shall ensure that all employees authorized to access and process personal data covered by this DPA have committed themselves to confidentiality by ensuring that there are written confidentiality agreements in place with the personnel which covers personal data that Bioservo processes on behalf of the Customer under this DPA.
4.5 Bioservo shall allow for and contribute to audits, including inspections, conducted by the Customer. The Parties agree that such inspections shall be carried out by a third-party auditor jointly appointed by the Parties which has committed itself to confidentiality.
4.6 For the avoidance of doubt, any inspection or audit shall only comprise such information that is necessary in order for the Customer to determine whether Bioservo fulfils its obligations under Article 28 of the GDPR and shall not comprise any other information which is irrelevant to Bioservo's processing of personal data under this DPA.
4.7 The Customer shall give Bioservo reasonable notice of at least one (1) month prior to exercising its audit rights in order to allow the Parties to plan the audit or inspection. A request for an audit or inspection shall be sent to Bioservo by e-mail to gdpr@bioservo.com.
4.8 Each party shall bear its own costs in relation to any such audit. Should an audit or inspection show that Bioservo has not fulfilled its obligations under this DPA or Applicable Data Protection Laws, Bioservo shall without undue delay remedy such issue at its own cost.
5.1 In the event of a personal data breach, Bioservo shall notify the Customer in writing without undue delay after becoming aware of the personal data breach. Notification shall be given by e-mail to the designated e-mail address set by the Customer in the Ironhand Pro Service.
5.2 Bioservo shall assist the Customer to the extent necessary in order to investigate the personal data breach and to enable the Customer to fulfil its notification obligations, where applicable, to relevant Supervisory Authorities and data subjects concerned under Applicable Data Protection Laws. Bioservo shall therefore immediately after becoming aware of a personal data breach:
5.2.1 commence an investigation of the personal data breach in order to determine the scope, nature and the likely consequences of the personal data breach;
5.2.2 take appropriate remedial measures in order to mitigate the possible adverse effects of the personal data breach; and
5.2.3 consult with the Customer in order to determine whether the Customer would be obligated under Applicable Data Protection Laws to notify the relevant Supervisory Authority and/or the data subjects concerned of the personal data breach.
5.3 As soon as possible following the commencement of the investigation, Bioservo shall provide the following information to the Customer as regards the Personal Data Breach:
a) a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) the likely consequences of the personal data breach; and
c) a description of the measures taken or proposed to be taken by Bioservo to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.4 Where, and in so far as, it is not possible for Bioservo to provide the above information at the same time, the information may be provided in phases without undue further delay. Notification of the information in Clause 5.3 above shall be given by e-mail to the designated e-mail address set by the Customer in the Ironhand Pro Service.
6.1 By using the service, the Customer authorizes Bioservo to engage Subprocessors. By entering into this DPA, the Customer approves the Subprocessors engaged by Bioservo as of the date of the execution of this DPA.
6.2 Bioservo shall prior to engaging a new (or replacing an existing) Subprocessor which will process personal data on behalf of the Customer:
a) carry out an adequate due diligence to ensure that the Subprocessor is capable of providing sufficient guarantees with respect of compliance with Applicable Data Protection Laws;
b) ensure that there is a written data processing agreement with the Subprocessor which imposes obligations on the Subprocessor which fulfils the requirements of Article 28(3) of the GDPR, upon which Bioservo may enter into such data processing agreement directly with the Subprocessor on behalf of the Customer;
c) where the Subprocessor will process personal data in a Third Country ensure that the requirements of Clause 9.1 of this DPA are fulfilled.
6.3 Bioservo maintains a list of all Subprocessors which Bioservo has engaged from time to time. The list is available in Annex 2 of this document. The list includes the following information in relation to each Subprocessor:
a) the identity of the Subprocessor;
b) the type(s) of service(s) provided by the Subprocessor;
c) the location where the Subprocessor will process personal data on behalf of the Customer;
6.4 Where a Subprocessor fails to fulfil its data protection obligations, Bioservo shall remain fully liable to the Customer for the performance of the Subprocessor's obligations.
7.1 Without prejudice to any other confidentiality undertaking applicable between the Parties, Bioservo shall keep and maintain all personal data in strict secrecy and not disclose or make available the personal data to a third party, unless otherwise authorized in advance in writing by the Customer or otherwise required by Applicable Laws or for the performance of this DPA.
7.2 Bioservo agrees that the confidentiality undertaking shall survive the termination of this DPA and continue to apply until all personal data have been returned or (upon the Customer's written request) have been deleted or anonymized in a secure and irreversible way in accordance with Clause 9 below.
7.3 The Customer commits itself to keep all information that the Customer receives regarding Bioservo's security measures, routines, IT systems or which otherwise is of confidential nature strictly confidential and not to disclose to any third party confidential information concerning Bioservo or its Subprocessors. The Customer may only disclose such information that the Customer is obligated to disclose under Applicable Laws or this DPA.
8.1 Bioservo shall, insofar as this is possible, assist the Customer by taking appropriate measures for the fulfilment of the Customer's obligation to respond to Data Subject Requests.
8.2 Bioservo shall forward any Data Subject Request concerning personal data covered by this DPA to the Customer. Notification shall be given by e-mail to the designated e-mail address set by the Customer in the Ironhand Pro Service.
9.1 Upon termination of the DPA, the Customer shall instruct Bioservo in writing whether the personal data that Bioservo (or a Subprocessor) processes on behalf of the Customer shall (i) be returned to the Customer or (ii) be deleted in a secure and irreversible way. If the Customer does not provide such instruction within thirty (30) days following the termination of the DPA, Bioservo shall delete the personal data without undue delay. Any personal data in backups will be deleted within 13 months. The instruction shall be given to Bioservo by e-mail to gdpr@bioservo.com.
9.2 Bioservo may, prior to returning or deleting personal data, make an anonymized copy of the personal data which Bioservo may use in accordance with Clause 11 below.
9.3 The obligations under Clause 9.1 above do not apply if Bioservo is required under Applicable Laws to continue to store the personal data.
9.4 Bioservo shall, upon the Customer's request, provide a written notice as regards the measures taken by Bioservo to comply with its obligations under this Clause 9. Notification shall be given by e-mail to the designated e-mail address set by the Customer in the Ironhand Pro Service.
10.1 Bioservo shall ensure that personal data covered by this DPA will be processed and stored within the EU/EEA (including by Subprocessors engaged by Bioservo) unless the Parties agree otherwise.
11.1 As per the Customer's Instruction in Annex 1, Bioservo may continuously anonymize Diagnostic and Ergonomics Data for the purpose of developing and improving the IronConnect Pro Service. Bioservo is entitled to use and keep such anonymized Diagnostic and Ergonomics Data for these purposes until further notice.
12.1 In case a Supervisory Authority requests:
a) information from Bioservo regarding its processing of personal data under this DPA; or
b) that Bioservo shall disclose personal data that Bioservo processes on behalf of the Customer under this DPA,
Bioservo shall without undue delay notify the Customer thereof. Notification shall be given by e-mail to the designated e-mail address set by the Customer in the IronConnect Pro Service. The Parties shall thereafter consult regarding the Supervisory Authority's request. Bioservo's obligations do not apply if Bioservo is prohibited under Applicable Laws to notify or consult with the Customer. Bioservo may not act on the Customer's behalf as agent for the Customer or otherwise.
13.1 Each party shall be liable for any administrative fines imposed on the party in question due to the party's failure to fulfil its obligation under this DPA or Applicable Data Protection Laws, or where the party otherwise has processed personal data in breach of Applicable Data Protection Laws.
13.2 Liability for any claims for damages from data subjects concerned shall be governed by Article 83 of the GDPR.
13.3 With prejudice to Clauses 13.1 and 13.2 above, the Parties shall not be liable for any indirect, incidental, or consequential damages, including, without limitation, any lost profits, data or income, arising out of or in connection with this DPA.
14.1 This DPA enters into effect on the date executed by the Customer and Bioservo (or the Partner on behalf of Bioservo) and applies for as long as Bioservo (or a Subprocessor engaged by Bioservo) processes personal data on behalf of the Customer.
14.2 Each party has a right to terminate the DPA by giving three (3) months' written notice.
14.3 The DPA will automatically terminate if:
a) A party commits a material breach of any term of this DPA and/or substantially fails to fulfil its obligations under this DPA and fails to remedy such breach and/or failure within thirty (30) days following a written notice from the other party of the breach; or
b) the other party is declared bankrupt, is subject to corporate reorganization, commences composition proceedings, goes into liquidation or otherwise can be assumed to have become insolvent.
14.4 Clause 7 (Confidentiality of Personal Data), Clause 9 (Return of Personal Data), Clause 11 (Use of Diagnostic and Ergonomics Data), Clause 12 (Liability), Clause 17 (Governing Law), and Clause 18 (Disputes) shall survive the termination of this DPA for any reason.
15.1 The DPA and its appendices constitute the entire agreement between the Parties on all matters to which the DPA relates.
16.1 Neither the rights nor the obligations of either party under this DPA may be assigned in whole or in part without the prior written consent of the other party.
17.1 This DPA shall be governed by Swedish law.
18.1 Any dispute, controversy or claim arising out of or relating to this DPA, or the breach, termination or validity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the "SCC"). The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the arbitral tribunal shall be composed of one (1) or three (3) arbitrators. The seat of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English.
18.2 Notwithstanding the above, a party shall be entitled to seek equitable and/or injunctive relief to prevent or stop a violation of the terms and conditions contained in this DPA in any court of law.
18.3 The Parties undertake and agree that all arbitral proceedings conducted with reference to this Clause 18 will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not be disclosed to a third party without the prior consent by the other party. Exceptions to the foregoing shall only apply to the extent that disclosure may be required of a party due to mandatory law, an order of a competent court or public authority, or to protect, fulfil or pursue a legitimate legal right or obligation or to enforce or challenge an award.
Customer
Date: ______________________
Name: _____________________
Title: _______________________

Bioservo Technologies AB; by and on behalf of its partners, as applicable
Name: Petter Bäckgren
Title: CEO
This Annex 1 sets out the details with respect to Bioservo's (and its Subprocessors) processing of personal data in connection with the IronConnect Pro Service.
PURPOSES OF THE PROCESSING
Bioservo shall process personal data for the purpose of managing, providing, developing and improving the IronConnect Pro Service and to fulfill its obligations under this DPA and Applicable Data Protection Laws. Specifically, Bioservo shall process personal data on behalf of the Customer to:
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA
Manage Equipment and Assign Operators
Personal data is processed to manage equipment and assign operators, for example to add new operators or remove current operators, show an overview of installations and equipment and the status of installations and equipment.
Categories of data subjects | Categories of personal data | Default storage period |
|
| Personal data is stored for this purpose as long as the operator is active in the IronConnect Pro Service. |
Create Analyses and Ergonomic Risk Reports
Personal data is processed to create analyses and ergonomic risk reports, for example to create reports showing information on grasps, frequency, duty cycle, forces and risk assessments.
Categories of data subjects | Categories of personal data | Default storage period |
Operator | Operator Description Ergonomics information | Personal data is stored for this purpose as long as the operator is active in the IronConnect Pro Service or included in an ergonomic risk report. |
Manage the IronConnect Pro Service
Personal data is processed to manage the IronConnect Pro Service, for example to create and register user accounts and to give users access to the IronConnect Pro Service.
Categories of data subjects | Categories of personal data | Default storage period |
Operator |
| Personal data is stored for this purpose as long as the user account is active. |
Communicate with the Customer regarding the IronConnect Pro Service
Personal data is processed to communicate with the Customer regarding the IronConnect Pro Service, for example to communicate information regarding maintenance and incidents.
Categories of data subjects | Categories of personal data | Default storage period |
Users | E-mail address Account name | Personal data is stored for this purpose as long as the user account is active. |
Manage customer support and questions
Personal data is processed to manage customer support and questions, for example to register the support matter, carry out troubleshooting and to communicate for the same purpose.
Categories of data subjects | Categories of personal data | Default storage period |
Users Operator | E-mail address Account name Operator Description Ergonomics information Diagnostic information | Personal data is stored for this purpose as long as the user account is active and the operator is active in the IronConnect Pro Service or included in an ergonomic risk report. |
Develop and improve the IronConnect Pro Service
Personal data is processed to develop and improve the IronConnect Pro Service, for example to test and develop functionality and to verify software fixes.
Categories of data subjects | Categories of personal data | Default storage period |
Operator Users | Diagnostic information Ergonomics information Technical information | Personal data is stored for this purpose for the time necessary to test and develop functionality and to verify software fixes, however, for a maximum period of up to six (6) months from the date of the measure. |
Ensure the technical functionality and security of the IronConnect Pro Service
Personal data is processed to ensure the technical functionality and security of the IronConnect Pro Service, for example for error handling, and backups.
Categories of data subjects | Categories of personal data | Default storage period |
All concerned categories of data subjects | All relevant categories of personal data | Personal data is stored for the same period as stated in relation to each relevant purpose of the processing. Personal data in backups are stored for a period of 12 months from the date of the backup. |
Fulfill legal obligations
Personal data is processed to fulfill legal obligations under this DPA and Applicable Data Protection Laws.
Categories of data subjects | Categories of personal data | Default storage period |
All concerned categories of data subjects | All relevant categories of personal data | Personal data is stored for such period that is necessary to fulfil each legal obligation. |
Personal data is processed by Bioservo in Sweden and by its Subprocessors within the EU.
Subprocessor | Purpose | Applicable Service | Location |
Upcloud Oy | Hosting and infrastructure | Data hosting provider | Germany |