Data Processing Agreement

Last updated: September 13, 2022

1. Introduction

These Data Processing Terms shall be deemed to be incorporated into the Agreement on supply of the Steep service (the “Agreement”) between Steep Analytics AB (the “Processor”) and the relevant Customer (the “Controller”).

The Controller shall be considered the controller in relation to the processing of the Personal Data. The Processor shall be considered a data processor, and will process the Personal Data on behalf of the Controller in connection with supply of the Service under the Agreement.

Accordingly, the Parties have agreed to these Data Processing Terms, which have been executed in accordance with the General Data Protection Regulation (EU) 2016/679, and other applicable data privacy legislation (below referred to as “Data Privacy Laws”).

“Personal Data”, “Data Subjects”, “Supervisory Authority”, “Personal Data Breach” and other defined terms used herein shall have the meanings set forth in applicable Data Privacy Laws.

2. Instructions

The Processor shall process the Personal Data in accordance with the Controller’s instructions, as follows:

Instructions

Purposes of the processing: The Processor will process the Personal Data for the sole purpose of supplying the agreed Service, which will include grant of access to Customer Data (which, depending on the nature of the Customer Data, may include Personal Data), for the purposes of performing data analysis and data visualisation.

The character of the processing: The Processor will receive certain access rights to the Personal Data (which includes reading rights, but for the avoidance of doubt not editing rights) in relation to pre-defined queries to be sent by the Service to the Controller’s databases.

Customer Data: Means (a) all data in the Customer’s databases provided to the Processor by the Controller via the Service, (b) all results provided to the Controller for queries executed against such data via the Service, and (c) data provided as a result of using the Service, such as comments and targets.

Duration of processing: During the term of the Agreement, or the shorter time period instructed by the Controller.

The Processor may not process the Personal Data for other purposes than as set forth above in respect of the Controller’s instructions. The Parties shall update the above instructions in case of new or changed instructions.

Where the Processor considers that an instruction may violate Data Privacy Laws, the Processor shall not follow that instruction, shall inform the Controller immediately and shall await changed instructions.

3. Security measures

The Processor shall maintain at all times appropriate technical and organizational measures to protect the Personal Data, and shall ensure that the Personal Data is protected at all times against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the Personal Data. The Processor shall further ensure that all access to, and all measures in relation to, the Personal Data, by the Processor, are logged and traceable.

The Processor shall ensure (a) that only authorized persons at the Processor who need access to the Personal Data in order for the Processor to fulfill its obligations under these Data Processing Terms and the Agreement have access to the Personal Data; (b) that such authorized persons process the Personal Data only in accordance with these Data Processing Terms and the Controller’s instructions; and (c) that each authorized person is bound by a confidentiality undertaking.

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach. Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller's obligations to (a) document any Personal Data Breach; (b) notify the applicable Supervisory Authority of any Personal Data Breach; and (c) communicate such Personal Data Breaches to the Data Subjects, in accordance with Data Privacy Laws.

4. Subprocessors

The Controller hereby provides a general authorization to the Processor using third parties for performing the whole or part of the processing (“Subprocessors”). The Subprocessors currently used by the Processor are listed at steep.app/subprocessors.

Where the Processor intends to engage a new Subprocessor, or make other material changes in relation to the listed Subprocessors set forth above, the Processor will inform the Controller thereof (by electronic communication or otherwise) and the Controller shall be entitled to object thereto within fourteen (14) days from the Controller being notified of the change. Where the Controller does not object within the stated time period, the Controller shall be deemed to have approved the change. Where the Controller objects to the change, the Parties will discuss in good faith the practical handling of the situation as a consequence thereof, and where the Parties cannot agree, each Party may terminate the Agreement prematurely without further liability to the other Party.

The Processor will be liable for all actions or omissions of a Subprocessor, as for its own actions or omissions. The Processor shall enter into a written agreement with each Subprocessor, where the Subprocessor undertakes obligations which at least correspond to those undertaken by the Processor according to these Data Processing Terms.

5. Location of processing and third country transfers

The Processor may not transfer the Personal Data originating from outside the EU/EEA area to a third country not determined by the European Commission to offer an adequate level of data protection, or engage a Subprocessor for processing of the Personal Data outside the EU/EEA area, without the Controller’s consent. Such transfer shall be subject to the Standard Contractual Clauses (EU) 2021/914. For the avoidance of doubt, signature of these Data Processing Terms shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses. Module 2 (Controller to Processor) shall apply.

6. The Processor’s obligations to assist the Controller

The Processor shall assist the Controller in the fulfillment of the Controller’s obligations to ensure that the Data Subjects may exercise their rights under Data Privacy Laws (to the extent relevant for the Processor’s processing of the Personal Data only). The Data Subjects’ rights include (a) rights to object to the processing and have the Personal Data erased; (b) rights to request information about and access to the Personal Data; (c) if technically possible, rights of data portability; and (d) rights to request correction of Personal Data.

The Processor shall further assist the Controller in relation to the Controller’s fulfillment of its obligations under Articles 32-36 of the GDPR.

The Processor shall notify the Controller without undue delay if the Processor or any Subprocessor becomes aware of any Personal Data Breach affecting Customer Data, providing the Controller with sufficient information to report the Personal Data Breach under Data Privacy Laws.

In case a Data Subject, Supervisory Authority or other third party requests information from the Processor in relation to the processing of Personal Data, the Processor shall refer such request to the Controller and await further instructions. The Processor may not represent the Controller in relation to a Data Subject, Supervisory Authority or any other third party.

7. Audit Rights

The Controller shall be entitled, on fourteen (14) days prior written notice, to carry out an audit of the Processor’s processing of the Personal Data and other documentation which is relevant for the Processor’s processing of the Personal Data, in accordance with applicable Data Privacy Laws. The Processor shall assist the Controller and make available any information and documentation that is necessary in order for the Controller to carry out such an audit. The Controller shall bear all costs for such audit.

If a Supervisory Authority carries out an audit of the Processor which may involve the processing of the Personal Data, the Processor shall promptly notify the Controller thereof. The Processor shall cooperate to the necessary extent in relation to an audit or inspection by a Supervisory Authority of the Processor’s processing of the Personal Data, and comply with any decisions by the Supervisory Authority in relation to such audit or inspection.

8. Liability

Each Party will be liable for any administrative fines imposed on that Party by a Supervisory Authority due to that Party’s breach of applicable Data Privacy Laws. Such administrative fines will not be subject to allocation of liability under the Agreement.

In case of damages which, through a final judgment or settlement, are payable to Data Subjects due to a Party’s breach of these Data Processing Terms or applicable Data Privacy Laws, Article 82 of the GDPR shall apply. The regulations on liability, including limitations of liability, set forth in the Agreement shall thereby apply.

9. Confidentiality

The confidentiality obligations set forth in the Agreement shall apply for the processing of Personal Data according to these Data Processing Terms.

10. Deletion of Personal Data

Upon the expiry or termination of the Agreement, or at the earlier point in time when the Controller presents such a request, the Processor shall cease processing the Personal Data according to these Data Processing Terms. The Controller shall then instruct the Processor in writing as to whether the Personal Data shall be transferred to the Controller or be deleted.

11. Term and Termination

These Data Processing Terms shall apply from the commencement of processing of Personal Data by the Processor on behalf of the Controller, and shall cease when the Processor has deleted the Personal Data in accordance with the above.

12. Governing Law and dispute resolution

The same governing law and dispute resolution mechanism as set forth in the Agreement shall apply also for these Data Processing Terms.

© Steep Analytics
Stockholm, Sweden