Data Processing Agreement
1 June 2018 version
This Data Processing Agreement sets out the terms and conditions with regard to the Processing of Personal data by WhistleB and/or WhistleB’s Sub-Processors as part of provision of its whistleblowing service (“Service”), specified separately in the Service Agreement (“Service Agreement”). Use of WhistleB’s Service constitutes acceptance of these terms on behalf of the Customer. WhistleB may Process Personal Data and may therefore be considered a Processor (“Processor”) within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). The Customer may be considered a Controller within the meaning of the GDPR (“Controller”). WhistleB and the Customer are hereinafter referred to separately as “Party” or jointly as “Parties”.
Data Subject is the person to whom Personal Data pertains.
Data Processing Agreement is the present agreement.
Special Categories of Personal Data are Personal Data within the meaning of Article 9.1 of the GDPR.
Data Breach is a security breach within the meaning of Article 4.12 of the GDPR.
User is an individual authorised by the Customer to use the Service in accordance with the Service Agreement, to access messages and manage them in the Case management tool, with defined User rights.
Auxiliary Supplier is a party engaged by the Processor to assist in the performance of the Service. If the Auxiliary Supplier Processes Personal Data on the instructions of the Processor and on behalf of the Controller, the Auxiliary Supplier is considered a Sub-Processor.
Personal Data are any data regarding an identified or identifiable natural person, which are or will be Processed by the Processor in any way whatsoever in the context of the Service Agreement.
Sub-Processor is anyone who has been engaged by the Processor for the performance of specific Processing on behalf of the Controller and who Processes Personal Data as a sub-contractor and on behalf of the Controller.
Processing is any activity or combination of activities involving Personal Data, in any event including but not limited to the collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or any other form of supplying, compiling, linking, as well as safeguarding, deleting or destroying of data (“Process”, “Processes” and “Processed” shall have the same meaning).
The Processor undertakes to Process Personal Data on the terms and conditions of this Data Processing Agreement in accordance with the documented instructions of the Controller, including with regard to transfers of personal data to a third country (i.e. a country outside the EEA) or an international organisation. However, the Processor may Process Personal Data if required by union or member state law to which the Processor is subject to. In such case, the Processor shall inform the Controller of the legal requirement before the Processing, unless that law prohibits such information on important grounds of public interest. The Processor shall Process the Personal Data properly, with due care and in accordance with the GDPR and other applicable legislation and regulations relating to the Processing of Personal Data. In the event that the Processor believes that the Controller’s instructions conflict with the requirements of the GDPR or other EU or Member State laws, the Processor shall immediately inform the Controller.
The Processor shall only carry out the Processing to the extent necessary to provide the Service to the Controller as described in the Service Agreement. The Personal Data may not in any way be Processed for any other purposes, with the exception of when required under mandatory law.
The Processor may not adapt Personal Data for its own benefit, for the benefit of a third party and/or own purposes, advertisement or other purposes, regardless possible opposite requirements under statutory law.
The Processor shall not retain Personal Data made available to the Processor in the context of the Service Agreement any longer than is necessary (i) for the performance of the Service Agreement; or (ii) to comply with any of its statutory obligations. The Annex describes the applicable retention periods.
The Processor is obligated to immediately inform the Controller regarding any future changes in the performance of the Service Agreement, so that the Controller can monitor compliance with arrangements made with the Processor. This also includes the engagement of (new) Sub-processors, without prejudice to the provisions in Article 3 (Use of Sub-processors) and Article 13 (Change).
3. Use of Sub-Processors
Without the prior written permission from the Controller, the Processor shall not grant access to the Personal Data to third parties, including Sub-processors. The Controller shall not withhold such permission on unreasonable grounds. When granting permission, the Controller is entitled to attach conditions or restrict the permission in time. The Processor is responsible for ensuring compliance with Articles 28.2 and 28.4 GDPR when engaging Sub-Processors, and ensuring that Sub-Processors provide sufficient guarantees to implement appropriate technical and organisational measures, in such a manner that the Processing meets the requirements of GDPR.
In any event the following conditions will be attached to the Controller’s permission to engage Sub-Processors for the provision of the Service:
When the Processor engages a Sub-Processor the Processor must enter into a written agreement with the relevant Sub-Processor, in which data processing obligations corresponding to what is set out in this Data Processing Agreement are imposed upon the Sub-Processor. The agreement shall also in any event include the following:
- an obligation that the Sub-Processor shall act in accordance with all the provisions from the Data Processing Agreement including the Annexes relating to the Processing of Personal Data;
- an obligation that the Sub-Processor shall follow all of the Controller’s and/or the Processor’s instructions relating to the Processing of Personal Data;
- an undertaking from the Sub-Processor to only Process the Personal Data on and in accordance with the instructions of the Controller;
- an undertaking from the Sub-Processor to not engage any other sub-processors itself without the Controller’s prior written permission;
- an undertaking that the Sub-Processor shall enable the Processor (and consequently the Controller) to fulfil its obligations in the event of a suspected or actual Data Breach.
- The Processor shall only grant the Sub-Processor access after permission from the Controller; and
- The Controller has the possibility to request the arrangements made between the Processor and the Sub-Processor.
- The Controller grants general written permission to engage Sub-Processors for the provision of the Service, included in Annex A. If new Sub-Processors are engaged, or changes are made, then the Processor must inform the Controller in advance and set a term for making an objection. The Processor warrants that the conditions from Article 3 have been observed with each Sub-Processor. The Controller may at all times request a list of the Sub-Processors engaged from the Processor.
If a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain liable to the Controller for the performance of the Sub-Processor’s obligations.
The Processor shall implement appropriate technical and organisational measures to secure Personal Data against loss or any form of unlawful Processing. Taking into account the state of the art and the costs of their implementation, these measures guarantee an appropriate security level given the risks associated with Processing and the nature of the Personal Data to be protected. The measures are, in part, aimed at preventing unnecessary collection and further Processing. The Processor shall record the measures in writing and shall ensure that the security as referred to in this paragraph meets with the security requirements under the GDPR. Annex A describes the security measures that the Processor shall apply in any event. Furthermore, the Processor shall take all other measures required pursuant to Article 32 GDPR.
On request, the Processor shall immediately provide the Controller with written information relating to (the organisation) of the security of Personal Data.
5. Obligation to report data breaches and security breaches
In the event of a suspected or actual (i) Data Breach; (ii) breach of security measures; (iii) breach of the confidentiality obligation or (iv) loss of confidential data, the Processor shall notify the Controllerwithout undue delay , The Processor shall take all measures reasonably necessary to prevent or limit (further) unauthorised examination, change, and provision or otherwise unlawful Processing and to stop and prevent any future breach of security measures, breach of the confidentiality obligation or further loss of confidential data, without prejudice to any right the Controller might have to damages or other measures. This provision applies to incidents at the Processor and its Sub-processors, if any.
At the Controller’s request, the Processor shall cooperate, in so far as possible, in informing the competent authorities and Data subject(s).
The Processor shall make written arrangements with Sub-processors about the reporting of incidents to the Processor, which will enable the Processor and the Controller to comply with obligations in the event of an incident.
These arrangements must in any event include the obligation that the Sub-processors shall notify the Processor without undue delay after the first discovery of an incident, and at the Controller’s request shall cooperate, in so far as possible, in informing the competent authorities and the Data Subject(s).
The Processor shall ensure that all of the Processor’s employees that has access to the Personal Data shall meet the Processor’s obligations.
6. Audit etc.
The Processor is required, upon request from the Controller, to have an independent IT auditor or expert to be designated by the Processor conduct an audit, including inspections, regarding the organisation of the Processor in order to have it established that the Processor complies with the provisions regarding the protection of confidentiality, integrity, availability and security of Personal Data and confidential information as defined in the Service Agreement and Data Processing Agreement. Furthermore, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other union or member state data protection provisions.
Upon request, the Processor is obliged to make the findings of the IT auditor or expert available to the Controller in the form of a third party memorandum.
If it is established during an audit that the Processor has failed to comply with the provisions of the Service Agreement and the Data Processing Agreement, the Processor shall take all reasonably necessary measures to ensure compliance as yet.
The Processor is entitled to full compensation for all work and costs stemming from requirements imposed by the Controller and which the Processor is subject. The Processor shall be compensated according to the Processor’s from time to time current hourly rate (currently EUR 150) for all work the Processor is entitled to pursuant to this Section 7, unless the Parties in writing has agreed otherwise. The costs shall be compensated according to the Processor’s actual costs.
8. International transfer
The Processor warrants that every Processing of Personal Data in connection with the performance of the Service Agreement performed by or for the Processor, including the third parties engaged by the Processor, will take place within the European Union (EU).
9. Investigation requests
If the Processor receives a request or order from a supervisory authority, government agency or investigation, prosecution or national security agency to provide (access to) Personal Data, the Processor shall immediately notify the Controller. When handling the request or order, the Processor shall observe all of the Controller’s instructions (including the instruction to leave the handling of the request or order in full or in part to the Controller) and provide all reasonably required cooperation to the Controller.
If the request or order prohibits the Processor from complying with its obligations on the basis of the above, the Processor shall promote the Controller’s reasonable interests.
10. Rights of Data Subjects etc.
Taking into account the nature of the Processing, The Processor shall fully cooperate, in so far as possible by appropriate technical and organisational measures, so that the Controller can comply with its legal obligations in the event that a Data Subject exercises its rights under the GDPR or other applicable regulations concerning the Processing of Personal Data.
The Processor shall also assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 and 36 GDPR taking into account the nature of Processing and the information available to the Processor.
If a Data Subject, in relation to the execution of its rights under the GDPR, directly requests the Processor to correct, delete or block Personal Data, Processor shall refer such data subject to the Controller.
11. Nature and purpose of processing
i. General nature and purpose of the Processing
The nature and purpose of the Processing is to deliver whistleblowing functions for the Controller. Processor does not own Customer Data, nor has access to any Customer Data. Processor handles encrypted Customer Data on behalf of the Controller and for purposes decided by the Controller. The Customer Data is Processed and collected by the Controller for its own purposes.
ii. The Categories of Data Subjects
The categories of Data Subjects concerned comprise all persons given access to the Communication channel by the Customer.
iii. Categories of Personal Data
The following categories of Personal Data are concerned by the Processing
- Contact data of Users of the WhistleB whistleblowing system – name, address, e-mail, phone number.
- Payment data – invoice data, bank account number, etc.
- Encrypted whistleblower reports (Customer Data)
iv. Transfers of Personal Data
Personal Data is Processed within the EEA.
v. Use of Sub-Processors
Please see the Annex.
12. Indemnification and limited liability
The Processor indemnifies the Controller from and against all claims by third parties, including Data Subjects, asserted against the Controller due to a breach of the GDPR or other applicable regulations concerning the Processing of Personal Data that is attributable to the Processor or Sub-processors engaged by the Processor. This does not apply when the breach is due to unclear, inadequate or unpermitted instructions from the Controller or otherwise depending on circumstances on the Controller’s side.
The Controller shall indemnify and hold the Processor harmless from and against any claims against the Processor because of the Processor’s or Sub-Processor’s Processing of Personal Data on behalf of the Controller, as well as costs and other direct or indirect damage – including administrative sanctions – caused by the Processor’s violation of privacy regulations. This applies when the violation is due to unclear, inadequate or unpermitted instructions from the Controller or otherwise depending on circumstances on the Controller’s side.
To the maximum extent permitted by law, the Processor’s liability for any damages arising from, or related to, this Data Processing Agreement (for any cause whatsoever and regardless of the form of the action), will at all times be limited to an amount equal to the yearly license fee. The existence of more than one claim will not extend this limit.
If a change in the Personal Data to be Processed or a risk analysis of the Processing of Personal Data gives reason to do so, upon the Controller’s first request the Parties shall consult on amending the arrangements made in the Data Processing Agreement.
The arrangements to be newly made must be recorded in writing and form part of the Data Processing Agreement prior to their application. The changes must not result in the Controller becomes non-compliant with GDPR and other relevant laws and regulations relating to Personal data.
If the Data Protection Rules changes during the term of this Data Processing Agreement, or if the Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Rules resulting in this Data Processing Agreement no longer meets the requirements for a data processing agreement, this Data Processing Agreement shall be changed in order to meet such new or additional requirements. The Parties shall agree mutually in writing on such changes.
14. Terms and termination
The terms of the Data Processing Agreement are equal to the terms of the Service Agreement. The Data Processing Agreement cannot be terminated separately from the Service Agreement.
Upon termination of the Service Agreement and prior to deletion, the Processor will provide the Controller or a party appointed by the Controller with all data necessary for using the Personal Data it has access to in a readable manner and common format, in order for the Controller to be able to continue using the Personal Data in other contexts.
Unless there is a statutory obligation to store Personal Data, the Processor (and any Sub-processor) shall delete or destroy in a secure and definite manner all Personal Data (including back-up copies) without undue delay after termination or expiry of the Service Agreement and following delivery of the Personal Data.
In the event that the confidentiality of data is not provided for in the Service Agreement or elsewhere, the Parties shall keep confidential all Personal Data and other data or information, the confidential nature of which they are aware of or can reasonably suspect, and that have come to their attention or to which they obtained access in the context of the performance of the Service Agreement or the Data Processing Agreement, and shall refrain from disclosing these internally or externally and/or providing these to third parties, except in so far as:
- Disclosure and/or provision of said Personal Data and other data or information is necessary in the context of the performance of the Service Agreement or the Data Processing Agreement;
- Any mandatory statutory provision or court decision requires the Parties to disclose and/or provide said (Personal) data or other information, in which case the parties shall first notify the other party;
- Disclosure and/or provision of said Personal Data and other data or information takes place with the prior written consent of the other party; or
- It concerns information that has already been legitimately disclosed in a manner other than through the acts or omissions of one of the parties.
The Parties shall contractually require the persons working for them (including employees) who are involved in the Processing of confidential Personal Data and other data or information to keep said information confidential.
Upon the other Party’s request, the Parties shall cooperate in the exercise of supervision by or on behalf of the other Party on the safekeeping and use of confidential Personal Data and other data or information by the other Party.
Upon the other Party’s first request, the Parties shall provide the other Party with all Personal Data and other data or information they hold in the context of the performance of the Service Agreement, including any copies.
The Processor shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
This confidentiality obligation shall remain in force after the termination of this Data Processing Agreement.
16. Governing law and disputes
The Data Processing Agreement and its performance are subject to the relevant provisions on governing law and dispute resolution of the Service Agreement.
17. Contact information
If you wish to contact the Processor, or if this Data Processing Agreement requires the Controller to give notice to the Processor in writing, please contact the Processor at: WhistleB Whistleblowing Centre AB, PO Box 70396, 107 24 Stockholm, Sweden
E-mail: [email protected]
ANNEX – Data processing details
Categories of Data subjects
Data subjects comprise of all persons given access to the Communication channel by the Customer. The most common is that the Data subject is hired by the Customer but it may also be suppliers, partners and customers.
Categories of Personal Data to be processed
The data is encrypted when stored in the service and only available to the Customer. WhistleB is not able to decrypt and read communication through the WhistleB-system, if not authorized by the Controller.
When a whistleblower’s report is closed, the Customer Data is permanently deleted after 30 days from closure – and cannot be restored. Personal Data such as User name is deleted when an account is deleted.
Security measures taken
WhistleB secures the privacy and security of Personal Data, and ensures the whistleblower’s anonymity. WhistleB has no access to a whistleblower’s report data with regard to contents, as WhistleB will at no time have access to any encryption keys used by its Users.
Tracking of IP addresses
In order to ensure that whistleblowers cannot be traced in company firewalls, we recommend whistleblowers to access our Services from another network than the internal company network.
Back up routines
The Service is delivered to the Customer through Microsoft Azure data centres, each designed to run 24/7/365, and each employing various measures to protect operations from power failure, physical intrusion, and network outages. Personal Data is kept secure through encrypted communications as well as threat management and mitigation practices, including regular penetration testing.
Database and blob storage (used for logs, backups and report attachments) are replicated with failover nodes, storing three copies within Microsoft Azure’s primary data centre.
The availability, performance and security of the Service is monitored 24/7/365, and alerts are sent to the support manager and the WhistleB management team. Administrative access to the Service uses multi-factor authentication. For information on access, control and deletion of personal data, please visit the online WhistleB Trust Centre (https://whistleb.com/trust-centre/), also for further information on data privacy and security.
WhistleB maintains an overview of all its sub-processors. The actual overview of sub-processors is available for download.