Data Processing Agreement Skillhabit
The English and German versions of this document are legally binding. Translations into other languages are provided for convenience only.
1. Background
1.1
This Data Processing Agreement (“DPA”) is entered into as of the effective date of the Main Agreement (defined below) by and between TicTac Learn AB, Corporate Identity No. 556567-7266, Dockplatsen 1, 211 19 Malmö (“Processor”) and the Client (as defined in the Main Agreement) agreeing to the Main Agreement (“Controller”).
1.2
The Controller and the Processor (collectively, the “Parties”) have entered into an agreement regarding the Processor’s provision of a cloud-based platform called Skillhabit (“Skillhabit”) that is used by the Controller in order to distribute and follow up knowledge digitally (the “Main Agreement”). Within the framework of the Main Agreement, the Processor will, as a Data Processor, process personal data for which the Controller is the Data Controller under Data Protection Laws and Regulations (the “Processing”).
1.3
The purpose of this DPA is to ensure that the Processing takes place in accordance with Data Protection Laws and Regulations, the Controller's instructions and what has otherwise been agreed between the Parties. This DPA shall be considered to be an integral part of the Main Agreement.
1.4
In the event of conflicts between the provisions of this DPA and the Main Agreement, this DPA shall prevail.
2. Applicable law and definitions
2.1
Data Protection Laws and Regulations shall apply to the Processing.
2.2
“Data Protection Laws and Regulations” means all applicable laws, regulations and rules applicable to the processing of personal data, including but not limited to the EU General Data Protection Regulation 2016/679/EC and any amendments to, additions to or regulations replacing such laws, regulations and rules.
2.3
Unless otherwise stated in this DPA, concepts used in this DPA shall have the meaning given to them in Data Protection Laws and Regulations.
3. Responsibilities of the Controller
3.1
In relation to the Data Subjects, the Controller is responsible for ensuring that the Processing meets the legal requirements of Data Protection Laws and Regulations.
3.2
The Controller confirms that the Processing is consistent with the purposes for which the personal data covered by the Processing has been collected.
3.3
It is the responsibility of the Controller to ensure that the Processor is informed at any given time of the Controller’s current instructions, such as those in Annex A and other written instructions from the Controller regarding the Processing. In the event that the Controller gives new instructions regarding the Processing that deviate from those resulting from the Services under the Main Agreement, and these instructions require more from the Processor and go beyond what is prescribed by the Data Protection Laws and Regulations or the Swedish Authority for Privacy Protection's advice and statements, the Processor shall consider, but is under no obligation to accept, such instructions. If such additional instructions significantly change the scope of the services performed by the Processor under the Main Agreement, the matter shall primarily be dealt with under the Main Agreement.
3.4
All instructions from the Controller must be written or otherwise documented.
4. Responsibilities of the Processor
4.1
The Processing is described in more detail in Annex A. The Processor undertakes to process personal data only in the manner and for the purposes necessary to fulfil its obligations under the Main Agreement, this DPA or in accordance with the documented instructions provided by the Controller in Annex A and approved by the Processor. The Processor may also process personal data to provide any additional services ordered by the Controller from time to time.
4.2
Upon receiving written instructions regarding the Processing by the Controller, such as those in Annex A, the Processor shall take appropriate measures within a reasonable time to ensure that the Processing is adapted in accordance with the instructions. For such actions regarding the Processing that have not been expressly specified by the Controller at the time of conclusion of the Main Agreement and this DPA, the Processor has the right to request special compensation.
4.3
The Processor undertakes to ensure that any natural person who performs work under its direction and who has access to personal data is informed of the content of this DPA and only processes the personal data in accordance with the DPA and the Controller's documented instructions.
4.4
The Processor shall reasonably assist the Controller through appropriate technical and organizational measures to the extent necessary for the Controller to fulfil its obligations to respond to requests from Data Subjects for record extracts or rectification, blocking or erasure of personal data.
4.5
The Processor shall inform the Controller without undue delay from the time the Processor has become aware of a personal data breach. The Processor shall, to a reasonable extent, assist the Controller with the information that the Controller needs to fulfil its obligations regarding the notification of the personal data breach to the competent supervisory authority and, where applicable, provide information to the Data Subjects about the personal data breach.
4.6
The Processor undertakes to assist the Controller in carrying out data protection impact assessments and prior consultations and to assist in the investigation of personal data breaches with competent supervisory authorities.
4.7
The Processor shall be entitled to fair remuneration for the work done in respect of the commitments set out in paragraphs 4.4 and 4.6.
5. Transfer of personal data
5.1 Transfer to non-EU/EEA countries
5.1.1
The Processor undertakes not to transfer personal data to a location outside the EU/EEA without the prior written consent of the Controller.
5.1.2
If the transfer of personal data to recipients outside the EU/EEA is permitted by law when a special agreement has been concluded (or other measures have been taken) for the purpose of maintaining an adequate level of protection and the Processor can demonstrate that such agreement exists (or such measures have been taken), the Controller is not entitled to refuse such transfer.
5.2 Transfer to third parties
5.2.1
The Processor may not disclose any personal data to third parties without the prior written consent of the Controller unless disclosure is required by applicable law or government decision. However, the Processor always has the right to disclose personal data to subcontractors in accordance with section "Hiring of Sub-Processors" below and to parties whose services the Processor distributes.
5.2.2
If the Processor is ordered by a court or authority to disclose personal data or take other action as a result of the Processing, the Processor is entitled to reasonable compensation for the work done. The Processor is also entitled to fair remuneration for the disclosure of personal data to parties other than the Controller and for measures in connection with such disclosure.
6. Hiring of Sub-Processors
6.1
The Controller acknowledges and agrees that the Processor will engage subcontractors for the performance of the Processing ("Sub-Processor"). The transfer of personal data to the Sub-Processor is at the Processor's risk and does not entail any changes in the division of responsibilities that applies between the Processor and the Controller.
6.2
The Processor undertakes to inform the Controller in writing before engaging a Sub-Processor. The Controller shall have the opportunity to object to the Processor's choice of Sub-Processor within five (5) days of receiving the Processor's notice to that effect. The Processor may not use the chosen Sub-Processor if the Controller has presented reasonable objections. The Parties agree that the Controller may be deemed to have been informed that the Processor intends to use the Sub-Processor listed in Annex B.
6.3
When the Processor engages a Sub-Processor for the performance of the Processing, the Processor undertakes to sign an agreement for the processing of personal data with the Sub-Processor, whereby the Sub-Processor is subject to the same obligations as under this Agreement.
7. Technical and organizational security measures
7.1
The Processor shall take the technical and organizational measures required by Data Protection Laws and Regulations to ensure a level of security appropriate to the risk, in particular in relation to risks related to unauthorized access, destruction and alteration of the personal data covered by the Processing. The Processor decides how such measures are to be implemented in order to achieve the required level of protection.
7.2
If the Controller makes it likely that a new security measure is required or that the existing security measures must be adapted to meet legal requirements for the appropriate level of security or to comply with government decisions, the Parties shall discuss the implementation of such measure or the amendment of the existing security measure. Extended or additional security measures require written agreement between the Parties. In such a case, the Processor shall be entitled to special compensation for the security measures taken.
8. Confidentiality
8.1
The Processor undertakes not to disclose to third parties information received by the Processor as a Data Processor from the Controller or information otherwise processed by the Processor as a Data Processor to the Controller. The Processor undertakes to ensure that the persons working under its direction have undertaken to observe confidentiality in accordance with this section, titled “Confidentiality”. However, confidentiality commitments shall not apply to information that:
i) is publicly known or comes to public knowledge other than through violations of this DPA;
ii) information that the Processor can demonstrate was in its possession prior to the Processor receiving the information from the Controller in connection with this DPA;
iii) information that the Processor rightfully receives from third parties outside this contractual relationship without limitation; or
iv) information that the Party is legally obliged to provide due to mandatory legislation, court orders or decisions of another authority.
9. Audits
9.1
The Controller has the right to carry out, at thirty (30) days' notice and at its own expense, itself or through an authorized third party (the “Auditor”), audits (including inspections) to verify that the Processor complies with this DPA.
9.2
When appointing the Auditor, the Controller shall take into account aspects of competition relating to business relations between the Processor and the intended Auditor. In this respect, the Auditor must be approved by the Processor. However, such approval shall not be unreasonably refused by the Processor.
9.3
The Processor undertakes to provide the Controller or the Auditor with access to the documentation necessary to demonstrate that the Processor has fulfilled its obligations under the DPA and shall also otherwise assist the Controller or the Auditor in carrying out the audit and inspection. Audits and inspections may be carried out during office hours, on weekdays between 9 am and 5 pm.
9.4
The Processor may give the Auditor limited access to the Processor's premises where the Processing is carried out. When such site inspection is carried out, the Auditor must comply with the Processor's reasonable work rules, safety requirements and other regulations that apply at the workplace and must not interfere with the Processor's day-to-day operations. The Auditor shall not have access to confidential information relating to the Processor's other customers or other personal data that is not processed under this DPA.
10. Damages and liability towards third parties
10.1
A Party undertakes to indemnify the other Party in the event that the other Party suffers damage as a result of the first Party's processing of personal data in violation of Data Protection Laws and Regulations or this DPA. Such damage may include, but is not limited to, the obligation to pay damages to a Data Subject or to pay administrative fines decided by the competent supervisory authority.
10.2
A Party shall not be liable to pay compensation for indirect damages such as loss of profit under this DPA.
11. Period and measures upon termination of the agreement
11.1
The DPA applies from the time both Parties sign the same and as long as the Processor processes personal data on behalf of the Controller. Provisions for termination can be found in the Main Agreement.
11.2
Unless the Controller expressly instructs the Processor that the personal data shall be returned, the Processor undertakes to delete all personal data covered by the Processing from such systems used in the Processing at the time of termination of this DPA, unless such procedure is incompatible with applicable national or EU law. The request for the return of personal data must be in writing and submitted to the Processor at the latest in connection with the termination of the Main Agreement.
11.3
If the Main Agreement terminates and a new such agreement, which also includes the processing of personal data, is reached without a Data Processing Agreement being reached, this DPA also applies to personal data processing that takes place as part of services provided under the new agreement.
12. Choice of law and dispute resolution
12.1
This DPA shall be governed by and construed in accordance with the substantive laws of Sweden.
12.2
Any dispute in connection with this DPA shall be finally settled in a general court with Malmö District Court as the first instance.
Annexes
ANNEX A
Instructions for carrying out the Processing
In addition to what is stated in the DPA, the instructions below shall apply and be observed by the Processor in the performance of the Processing.
The purpose of the Processing
The Processing may only be carried out for the purpose of providing the services set out in the Main Agreement, i.e. mainly for the purpose of providing the cloud-based platform Skillhabit for digital distribution and follow-up of knowledge. The personal data may not be processed or used by the Processor for its own or any other purposes.
Types of processing
The Processor may use the types of Processing of personal data necessary to provide the services set out in the Main Agreement, including registration, organization, storage, alteration, use and/or deletion.
Types of personal data
The Processor may only process the following types of personal data: social security number, name, address, telephone number, employer, educational history. The Processor may also process other personal data if it is necessary to provide the services provided by the Main Agreement.
Categories of data subjects
The Processing shall cover only those categories of Data Subjects provided from time to time by the Controller within the framework of Skillhabit, preferably internal and external users and administrators (as described in the Main Agreement).
The duration of the processing
The personal data shall be deleted by the Processor at the end of the DPA as set out in the DPA. Personal data shall also be deleted by the Processor on a case-by-case basis in accordance with the Controller's written instructions.
Contact information to the Processor's representative
Email: gdpr@tictac.se
Phone number: +46 40 631 88 30
ANNEX B
Approved Sub-Processors
The Controller acknowledges and agrees that the Processor engages the following subcontractors in accordance with the second paragraph under section "Hiring of Sub-Processors" of this DPA:
- Companies that from time to time are part of the group of which the Processor is a member, provided that such group company is established within the EU/EEA.
- Skillhabit AB (559287-8879), the platform development company owned by TicTac Group.
- GleSYS (556647-9241), used as a subcontractor for server, hosting and back-up.