DATA PROCESSING AGREEMENT

1.

General

1.1

This DPA is entered into between the Parties in connection with the agreement between the Parties regarding the Customer’s access to the Skolon Platform (the ”Agreement”) between the Supplier and the Customer.

1.2

Under this DPA, the Supplier will Process Personal Data on behalf of the Customer in capacity of the Customer’s Processor and in connection with the Supplier’s provision of services under the Agreement. The Customer is the Controller for the Processing of the Personal Data.

2.

Definitions

”Agreement”

means as defined in Section 1.1.

”Commencement Date”

means the commencement date of the GDPR, i.e. 25 May 2018.

”Controller”

means a natural or legal person, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

”Customer”

means the party defined above and acting as the Controller.

”Data Protection Laws”

means the laws and regulations, applicable from time to time, in respect of Processing of Personal Data, including but not limited to, the Swedish Personal Data Act (1998:204) (Sw. personuppgiftslagen) and from 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”), replacing the Swedish Personal Data Act (1998:204), as well as the Supervisory Authority’s binding decisions, regulations and recommendations and supplementary local adaptions and regulations in respect of data protection.

“DPA”

means this Data Processing Agreement.

“Data Subject(s)”

means the natural person to whom Personal Data relates to.

”Personal Data”

means any information relating to an identified or identifiable natural person that the Supplier Processes on behalf of the Customer under this DPA.

”Process/-ing”

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

”Processor”

means a natural or legal person, agency or other body which Processes personal data on behalf of the Controller.

“Skolon”

means the party defined above and acting as the Processor hereunder.

”Supervisory Authority”

means the supervisory authority/supervisory authorities authorised to conduct supervision of processing of Personal Data or considered to be a supervisory authority concerned under the Data Protection Laws.

”Sub-processor”

means another Processor engaged by the Supplier for carrying out specific Processing activities on behalf of the Supplier (including, but not limited to, companies within the Supplier’s group of companies).

”Supplier”

means the party defined above and acting as the Processor.

“Term”

means as defined in Section 12.1

“Third Country”

means a country outside the European Economic Area.

2.2

Any other terms or concepts used in capitalized letters in this DPA shall, unless otherwise stated, have the meaning provided for under the Data Protection Laws and otherwise under the Agreement, unless otherwise obviously required from the circumstances.

3.

Responsibilities and instructions

3.1

The type(s) of Personal Data to be Processed under this DPA, the purpose and duration of the Processing and categories of Data Subjects are set out in Appendix 1 (Instructions regarding the Processing of Personal Data).

3.2

Skolon shall only Process Personal Data on documented instructions from the Customer as set out in Appendix 1. As of the Commencement Date, additional Processing may also be performed provided that Union or Member State law to which Skolon or a Sub-processor is subject to requires such Processing. In such case of additional Processing, Skolon shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.3

Skolon undertakes to provide written instructions to persons acting under the authority of Skolon, who have access to Personal Data, obliging such persons only to Process the Personal Data only according to documented instructions from the Customer, unless required to do so by Union or Member State law.

4.

Security of Processing

4.1

The Supplier shall take all measures required pursuant to article 31 section 1 of the Swedish Personal Data Act. From the Commencement Date, the Supplier shall instead take all measures required pursuant to article 32 of the GDPR.

4.2

The Supplier shall, taking into account the nature of Processing and the information available to the Supplier, from the Commencement Date, assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.

5.

Confidentiality

5.1

The Supplier undertakes to keep the Personal Data confidential, except with respect to information that the Supervisory Authority communicates to the Supplier should be disclosed, or which is disclosed subject to the Data Protection Regulations or another legal binding obligation, including under the provisions of applicable public access to information acts.

5.2

The Supplier undertakes to ensure that persons authorised to Process Personal Data have, from the Commencement Date, undertaken confidentiality obligations or are subject to appropriate statutory obligation of confidentiality.

6.

Disclosure of Personal Data and information

In the event the Supplier receives a request for information from a Data Subject, Supervisory Authority or other third party regarding the processing of Personal Data, the Supplier shall, without undue delay, forward such request to the Customer. The Supplier, the Supplier’s employees, or Sub-processors may not disclose Personal Data or any other information about the Processing of Personal Data without instructions from the Customer, unless such disclosure is required under the Data Protection Laws.

7.

Right of the Data Subject

The Supplier shall, from the Commencement Date, taking into account the nature of the Processing under this DPA, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.

8.

Transfer of Personal Data outside of the European Economic Area

Skolon shall only be allowed to transfer Personal Data to a Third Country or an international organisation with the Customer’s written approval. As of the Commencement Date, transfer of Personal Data to a Third Country or an international organisation may also take place provided that Union or Member State law to which the Supplier or Sub-processor is subject to requires such transfer. In such case of legal requirement for transfer to a Third Country, the Supplier shall inform the Customer of that legal requirement before transferring Personal Data to a Third Country, unless that law prohibits such information on important grounds of public interest.

9.

Demonstration of compliance

9.1

The Supplier shall, from the Commencement Date, make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for, and contribute to audits, including inspections, conducted by an independent third party auditor mandated by the Supplier.

9.2

With regard to Section 9.1 above the Supplier shall, from the Commencement Date, immediately inform the Customer if, in Supplier opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

10.

Sub-processors

10.1

The Customer hereby grants the Supplier a general authorization to engage Sub-processors. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes if to the extent the conditions set forth in Section 10.2 are not fulfilled.

10.2

Subject to the Customer’s prior specific or general written authorization, the Supplier may engage Sub-processors, provided that the same data protection obligations as set out in this DPA as referred to in article 28.3 of the GDPR, are imposed on such Sub-processor by way of a written contract. The Supplier must ensure that only Sub-processors are engaged who provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws.

10.3

The Sub-processors listed in Appendix 2 are pre-approved by the Customer to be used as Sub-processors by the Supplier under this DPA.

11.

Term and termination

11.1

This DPA enters into force on the day of signing by both Parties and remains in force for as long as the Supplier Processes Personal Data on behalf of the Customer under the Agreement (the “Term”). The Customer may however terminate this DPA at any time effective as of the date chosen by the Customer.

11.2

After the end of the Supplier’s provision of services relating to Processing under the Agreement, the Supplier shall, at the choice of the Supplier, upon the Customer’s written request delete or return all the Personal Data to the Supplier and delete existing copies unless Union or Member State Law requires storage of the Personal data. If the Customer does not provide the Supplier with such written request, the Supplier shall permanently delete the Personal Data at the latest 180 days from the expiry of the Term and cause any Sub-processor to do the same.

11.3

In respect of External Apps (made available through the Skolon Platform) that the Customer elects to purchase/license, the function of these External Apps may require access to certain Personal Data, e.g. from End-Users and Administrators, for which the suppliers of such External Apps will be the data processor in relation to the Customer. For this purpose, the Customer may be required to also enter into a Data Processing Agreements directly with suppliers of External Apps. Skolon shall not be responsible or liable for any processing of Personal Data taking place within External Apps, and the Customer shall indemnify and hold Skolon harmless from any such claims.

12.

Compensation

The Supplier shall have the right to invoice the Customer for any work performed by the Supplier or a Sub-processor under sections 4.2, 7 and 9.1 according to the Supplier’s or the Sub-processors applicable hourly fees.

13.

Liability

13.1

The Parties shall be liable towards each other for any direct damages, costs and losses, including administrative sanctions incurred due to the breaching Party’s violation of this DPA and the breaching Party shall compensate the other Party for any such damage, cost or loss.

13.2

The Parties agree to indemnify and hold each other harmless from any claim of damages or loss suffered by a third party as a result from either Party’s breach of its obligations under this DPA.

13.3

In the event a Data Subject, the Data Protection Authority or other third party submits a claim against the Supplier due to the Supplier’s processing of Personal Data, the Controller shall indemnify and hold the Supplier harmless from such claims; provided that the Supplier has Processed such Personal Data in compliance with the Agreement and this DPA.

13.4

Notwithstanding the above, the “Limitations and exclusions of liability” under the Agreement (Section 13 and 11.3 of the General terms and conditions) shall apply correspondingly under this DPA.

14.

Changes

14.1

If, during the Term, Data Protection Laws are changed, or new guidelines, rulings or regulations are published by the Supervisory Authority causing this DPA to be non-compliant with such law, guidelines, rulings or regulations, each of the Parties shall have the right to request appropriate amendments to this DPA to satisfy the new requirements.

14.2

The Customer may continuously submit new or changed written instructions regarding the Supplier’s Processing of Data. In case such instructions materially hinders the Supplier from providing its services, or increases the Supplier’s costs of delivering its services to the Customer, the Supplier has the right to, with continued obligation for the Customer to pay all agreed fees, abort and restrict all Processing of Personal Data, and cause all Sub-processors to do the same, until the Parties have reached a mutually agreeable understanding on how to proceed.

14.3

Changes to this DPA shall, in order to be effective, be made in writing and signed by both Parties. Signatures may be made by electronic means and shall have the same force and effect as original signatures.

15.

15. Miscellaneous

15.1

With regard to the Processing of Personal Data, the regulations in the DPA shall have priority over conflicting regulations in any other agreement between the Parties.

15.2

This DPA shall be governed by the substantive laws of Sweden.

15.3

Any dispute, controversy or claim arising out of or in connection with this DPA shall be settled in accordance with the dispute regulations laid down in the Agreement.

*****

This DPA may be executed by electronic means or in two or more counterparts, each of which shall be deemed an original, but all of which shall together constitute one Customer Agreement. Signatures to this DPA made by electronic means or delivered by facsimile or other electronic means shall have the same force and effect as originals.