Senast ändrad: 25 maj 2018

This Story Engine Standard Data Processing Agreement (the “Story Engine DPA”) forms part of the agreement entered into concerning services relating to KIT Story Engine (the “Main Contract”). The Main Contract was entered into by signing and order form or other written or electronic agreement related to the Story Engine services.

The Story Engine DPA is entered into between Keep In Touch Media AB, a corporation of Sweden with registration no 556980-8404 and place of business at Norra Stationsgatan 93, 113 64 Stockholm (which shall be referred to as "Processor" or "Party") and the customer signing the Main Contract (which shall be referred to as "Controller" or "Party"), the Controller and the Processor are collectively referred to as the "Parties".

Recitals:

1. The Parties have entered into an agreement concerning services relating to the Main Contract. In order to satisfy its obligations under the Main Contract, the Processor needs to Process Personal Data for which the Controller is the data controller.
2. The General Data Protection Regulation (EU) 2016/679 (the "GDPR") require that a written contract is entered into between the Controller and the Processor (a data processing agreement). This Story Engine DPA regulates the Processor's Processing of Personal Data on behalf of the Controller as well as the organizational and technical measures that is to be achieved when Processing Personal Data.
3. Unless otherwise stated in this Story Engine DPA, all references to "Personal Data", "Processing", "Data Subject" and any other capitalized terms not defined herein shall have the same meaning in this Story Engine DPA as in the GDPR.
4. For the avoidance of doubt, obligations of the Processor in relation to Personal Data as set out herein applies only in relation to Personal Data of the Controller.

1.            The Processing

1. Personal Data that may be Processed by the Processor hereunder include Personal Data as described in Appendix 1.
2. The Processor may only Process Personal Data in accordance with (i) this Story Engine DPA, (ii) the Main Contract and its schedules, (iii) the GDPR and any other applicable law and, (iv) the documented instructions of the Controller.
3. The Processor shall not Process Personal Data for its own purposes unless required to do so by applicable law.

2.            Sub-processors

The Processor has the right to engage or replace third parties as sub-processors for the Processing of Personal Data in accordance with this Story Engine DPA (so called "Sub-processing") provided that the Processor and the sub-processor enters into a written contract and that the Sub-processing complies with this Story Engine DPA and applicable law. The Processor shall remain responsible for any sub-processors. The Processor shall keep the Controller informed of any new appointments or replacement of sub-processors and provide the Controller with the possibility to object to a change of sub-processors, such objection shall be delivered in writing to the Processor no more than 14 days after the Processor informed the Controller of the change of sub-processors. The Controller's sole remedy if the Controller does not approve of a new sub-processor is to terminate the Main Contract and this Story Engine DPA by providing thirty 60 days' prior written notice.

The Sub-processors listed at www.gostoryengine.com/legal/sub-processors are approved for processing of Personal Data under the Circumstances specified in this Story Engine DPA.

3.            Security of Personal Data

The Processor shall implement appropriate technical and organizational measures to protect the Personal Data Processed in accordance with Article 32 of the GDPR. The Controller is responsible for analyzing and assessing the relevant security measures and confirm that they are sufficient considering the Personal Data to be processed hereunder.

4.            Instructions and Assistance

1. If the Processor lacks instructions from the Controller that the Processor deems necessary in order to Process the Personal Data, or if the Processor, in its reasonable opinion, considers the Controller's instructions to infringe the GDPR or other applicable law, the Processor (i) may refrain from the relevant Processing, (ii) will notify the Controller of its opinion, and (iii) the Controller shall immediately provide documented instructions in compliance with applicable legislation.
2. At the Controller's request and to the extent possible, the Processor shall assist the Controller with the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as set out in chapter III of the GDPR. The Processor has implemented what it considers to be appropriate technical and organizational measures for this purpose. The Controller has analyzed the relevant measures and confirms by signing the Main Contract to this Story Engine DPA that it considers the measures to be adequate.
3. If requested, the Processor shall assist the Controller in fulfilling its obligations under the GDPR Articles 32-36 taking into account the information available to the Processor and the nature of the Processing. The Processor shall be compensated on a time and material basis when providing such assistance.

5.            Audits and Supervision

The Controller has the right to monitor, by itself or by appointing an independent third party (that is not a competitor to the Processor and that is bound by confidentiality undertakings acceptable to the Processor in its reasonable opinion), that the Processor is compliant with the Controller's requirements for Processing of Personal Data hereunder. The Processor shall upon reasonable prior notification assist the Controller or a third party that performs such analysis with reasonable documentation, and be available to answer questions. Should the Processor fail to provide such documentation or be unavailable to answer questions, the Controller or such third party shall upon additional reasonable notice be granted access to premises, IT-systems and other assets used for the Processing of Personal Data, but strictly to the extent required to follow up the Processor's compliance with this Story Engine DPA. The Processor's obligations to assist the Controller as set out hereunder is subject to the Controller agreeing to provide reasonable compensation to the Processor on a time and material basis.

6.            Confidentiality

The Processor will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.            Term and Termination

1. This Story Engine DPA shall enter into force on the date on which the Main Contract has been signed by both Parties and shall remain in force for as long as Processing of Personal Data is carried out by the Processor and/or a Sub-processor for the purposes stated in this Story Engine DPA or the Main Contract.
2. Upon termination of the Main Contract, the Processor shall, in accordance with the Controller's instructions, return the Personal Data it has to the Controller or delete or make it anonymous unless storage by the Processor is required by law. If the Controller has not provided its written instructions to the Processor within three (3) months after the termination of the Main Contract, the Processor may in its sole discretion decide to delete or return the Personal Data to the Controller.

8.            Miscellaneous

1. Subject to changes to or additional instructions of the Controller in writing according to this Story Engine DPA, this Story Engine DPA constitutes the entire agreement between the Parties relating to the subject matter hereof and may not be amended except in a written document executed by both Parties. In case of discrepancies between this Story Engine DPA and the Main Contract, this Story Engine DPA shall prevail.
2. This Story Engine DPA applies to and covers any changes, additions or amendments to the Main Contract (e.g. changes to the service description or additional support). If the Main Contract is terminated and a new contract with a similar scope and purpose to the Main Contract is entered into, but without a new data processing agreement, this Story Engine DPA shall apply to the new contract. This also applies if an explicit reference is made to this Story Engine DPA in a contract between the Controller and the Processor.

9.            Governing Law and Settlement of Disputes

1. This Story Engine DPA shall be governed by and construed in accordance with the law stated in the Main Contract.
2. Any dispute, controversy or claim arising out of or in connection with this Story Engine DPA, or the breach, termination or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision in the Main Contract.

Appendix 1

Specification of processing of Personal Data

Data subjects

The personal data to be processed concern the following categories of data subjects (please specify):

• Employees and/or subcontractors of Controller (“Users”)
• Data subjects of varying kinds included in the User Content (eg. Videos and articles) created by the Controllers Users in the Services or otherwise added to the Services by the Controller (may include suppliers, interviewees, contributors etc).

                     
Nature and purposes of the processing

The processing of data is necessary for the following purposes (please specify):

• User Account - Log in, authentication and account management of Users with access to KIT Story Engine on behalf of the Controller.

• User Content - Producing User Content (both editorial and marketing) in the KIT Story Engine core services by the Users on behalf of the Controller.

Processing Activities 

• User Account – collection and storage

• User Content – collection, storage and distribution

Categories of data

The personal data to be processed fall within the following categories of data (please specify):

• User account - name (required), email (required), username (required), profile image (optional), Twitter username (optional), Facebook username (optional), Instagram username (optional), Google+ username (optional),

• User content - Personal data included as part of User Content by the Users on behalf of the Controller (may include names or other personal data written in free text, images etc.)

Sensitive data (if appropriate)

The personal data to be processed fall within the following categories of sensitive data (please specify):

No sensitive data is processed for User Accounts. Sensitive data will only be processed if included as part of User Content by the users on behalf of the Controller for the sole purpose of handling User Content as set out in the Main Contract.

Unstructured data

All User Content is unstructured data.

Processing activities based on Processors purposes

When using the Services the Processor will process some information based on the Processors purposes. For this processing Keep In Touch Media AB is the data controller. For further information about which information is gathered and for what purpose please see the Story Engine Integritetspolicy, www.gostoryenginge.se/legal/integritetspolicy

Storage limit

The personal data transferred may be stored for 6 months after the respective Order Term or until the Controller requests that KIT delete the personal data, whichever comes first. The storage limit might be increased upon written agreement between the Controller and the Processor.