DATA PROCESSING AGREEMENT

Between

DATA CONTROLLER, CORP. REG. NO., ADDRESS (the ”Data Controller”)

and

Junglemap AB, 559043-6720, Hammarbybacken 27, 120 30 Stockholm (”Junglemap”).

collectively referred to as the ”Parties” and individually as a ”Party”, has on this date entered into the following.

  1. Definitions
    • This data processing agreement (”DPA”) shall be applied and interpreted in accordance with, and have the corresponding definitions as set out in, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, below referred to as the ”GDPR”, including such member state laws and regulations implementing or supplementing the GDPR (collectively ”Data Protection Legislation”).
  2. Content and purpose
    • The Data Controller has received access to Junglemap’s services for digital learning (the “E-learning Service”). In connection hereto, Junglemap will, acting as a data processor, process personal data on behalf of the Data Controller.
    • The purpose of this DPA is to govern the Parties rights and obligations relating to the processing of personal data, in order to ensure that the personal data is processed in accordance with the provisions of the GDPR (or such corresponding legislation replacing, amending or supplementing the GPDR).

 

  1. Data processors obligations and instruction
    • Junglemap undertakes to only process personal data set out in Appendix 1 hereto (below the ”Personal Data”) in accordance with this DPA and the Data Controller’s from time to time applicable instructions in accordance with Appendix 1, and only to the extent necessary for the purposes of providing the E-learning Service. In the event of any contradiction between the from time to time applicable instruction of Appendix 1 and the DPA, the instruction shall take precedence.
    • Furthermore, Junglemap undertakes to process the Personal Data in accordance with the from time to time applicable Data Protection Legislation, including case-law related thereto and the regulations, guidelines and recommendations of the relevant supervisory authority regarding processing of personal data.
    • Junglemap shall, in accordance with the from time to time applicable Data Protection Legislation, maintain a register of all categories of processing of Personal Data conducted by Junglemap on behalf of the Data Controller.
    • Junglemap shall ensure that all employees, consultants, contractors and similar persons who process Personal Data are adequately informed of the requirements under this DPA, including what limitations and restrictions apply in relation to the processing of Personal Data.
    • Junglemap undertakes to, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligations in relation to data subjects. In the event Junglemap receives a request from a data subject, Junglemap shall notify the Data Controller hereof and refer such data subject to the Data Controller.
    • Junglemap shall, without undue delay, notify the Data Controller of any actual, attempted, unintended or unlawful destruction, loss, change or unauthorized disclosure or access to the Personal Data, and all other similar forms of personal data breaches. Such notification shall at least:
      • Describe the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the approximate number of personal data records concerned.
      • Include the name and contact details of Junglemap’s data protection officer or such other contact details where additional information regarding the personal data breach may be obtained.
      • Describe the likely consequences of the personal data breach.
      • Describe the measures taken, or proposed, by Junglemap to address to personal data breach including, where appropriate, measures to mitigate its possible adverse effects.
    • To the extent Junglemap is not able to provide the Data Controller with all information of Section 3.6 above at the same time (or the Data Controller request additional or supplementary information from Junglemap), the information may be provided by Junglemap in phases without undue further delay.
    • Junglemap undertakes to assist the Data Controller, in accordance with the from time to time applicable Data Protection Legislation including recommendations of the supervisory authority, with carrying out any data protection impact assessments with respect to the consequences of the processing of the Personal Data.
    • Junglemap’s undertakings in accordance with Sections 3.6 – 3.8 above shall be fulfilled taking into account the nature of the processing and the information available to Junglemap.
    • At the time when the Data Controller has ceased all use of the E-learning Service, Junglemap shall ensure that, in accordance with the Data Controller’s written instruction, the Personal Data is either destroyed and erased or returned to the Data Controller, unless further processing of the Personal Data is required by the mandatory laws of the European Union (the “EU”) and/or any member state of the EU.
  2. Confidentiality
    • Each Party undertakes to not, without the prior written approval of the other Party, transfer or otherwise disclose to a third party Personal Data, or such other information reasonably considered as confidential business information or trade secrets, of the other Party. Information marked as ”confidential” by a Party shall always be considered confidential business information and/or trade secrets of such Party. The duty of confidentiality under this Section 4 shall not apply to the extent either Party can show that the information is publicly known or was already in the possession of the receiving Party. Furthermore, the duty of confidentiality does not apply to the extent either Party is obliged to disclose the information under law, by a court order or any other binding decision issued by a competent authority.
    • Each Party shall, by way of confidentiality undertakings with employees or other suitable means, ensure that the above duty of confidentiality is maintained. Either Party is responsible for ensuring that any sub-contractor performing work in relation to the DPA or the Main Agreement, enters into a confidentiality undertaking corresponding to Section 4.1 for the benefit of the other Party, and undertakes to only disclose to such sub-contractors’ information that is strictly necessary in order for the latter to perform the relevant assignment.
  3. Security
    • Junglemap shall, at a minimum, comply with the security measures set out in Appendix 2. Furthermore, Junglemap shall implement appropriate technical and organizational measures required in order to protect the Personal Data in accordance with the from time to time applicable Data Protection Legislation, and ensure a level of security appropriate to the risk, including inter alia as appropriate:
      • The pseudonymization and encryption of personal data.
      • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
      • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
      • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
    • In assessing the appropriate level of security in accordance with Section 5.1 above, account shall be taken in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
    • Furthermore, Junglemap shall, taking into account the nature of the processing and the information available to Junglemap, to a reasonable extent assist the Data Controller with the Data Controller’s compliance with the obligations pursuant to article 32 of the GDPR.
    • Junglemap shall, at the request of the Data Controller, provide all information necessary to demonstrate Junglemap’s compliance with its obligations under this DPA with respect to the Personal Data processed for the purposes of providing the E-learning Service (”Information Request”). An Information Request shall be made in writing by the Data Controller, and Junglemap shall be afforded reasonable time to respond to such request. In addition, Junglemap shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller, in accordance with the from time to time applicable Data Protection Legislation, however limited to the Data Controller’s Personal Data processed by Junglemap under this DPA (”Audit”).
    • The Data Controller is entitled to make one (1) Information Request or one (1) Audit per calendar year. To the extent the Data Controller wishes to make additional Information Request or Audits, Junglemap is entitled to receive reasonable compensation for the additional costs incurred by Junglemap in connection with such additional Information Request or Audit. The aforementioned right to compensation shall, however, not apply to the extent the additional Information Request or Audit is requested due to the fact that Junglemap has been subject to a serious personal data breach or security incident that relates to the Personal Data.
    • Junglemap shall comply with any decisions made by the supervisory authority with respect to the Personal Data and the technical and organizational measures to protect them.
  4. Damages, liability, indemnification
    • Junglemap shall indemnify and hold the Data Controller harmless from and against all damages incurred as a consequence of Junglemap’s processing of Personal Data in violation of the DPA, applicable Data Protection Legislation or the written instructions of the Data Controller.
    • Junglemap shall immediately inform the Data Controller if Junglemap, in its opinion, considers that an instruction infringes applicable Data Protection Legislation and, in such case, Junglemap is entitled to not act in accordance with such instruction until such a time when an authorized representative of the Data Controller notifies Junglemap in writing that the current (or amended version) of the instruction shall apply. To the extent Junglemap still considers that the relevant instruction infringes the Data Protection Legislation, Junglemap shall be entitled to immediately remove the Data Controller’s access to the E-learning Service without any liability in relation to the Data Controller.  
    • The Data Controller shall indemnify and hold Junglemap harmless from and against all damages costs, losses, claims, liabilities, expenses (including but not limited to reasonable attorneys’ fees) and settlement amounts incurred in connection with any claim, suit, action or proceeding by a third party arising from or relating to the Data Controller’s violation of the DPA, Data Protection Legislation or its own instructions. Junglemap shall never be held liable for any damages caused by, or incurred as a consequence of, Junglemap acting in accordance with the Data Controller’s instruction.
  5. Sub-processors
    • Junglemap is entitled to engage a sub-processor for the purposes of carrying out all or some of the processing activities related to the Personal Data. I such case, any sub-processor will be listed in an appendix in this DPA. To the extent Junglemap wishes to engage sub-processors, or change any existing sub-processors, Junglemap will inform the Data Controller hereof by notification to the address set out in the introduction of this DPA at least three (3) months prior to the change coming into effect. If the Data Controller does not accept a new or changed sub-processor, the Data Controller is entitled to terminate the Main Agreement subject to one (1) month’s notice.

    • Junglemap shall ensure that all sub-processors are bound by obligations and undertakings regarding the Personal Data that correspond to the obligations and undertakings of Junglemap under this DPA. Junglemap remains fully liable to the Data Controller in the event any sub-processor does not comply with its obligations in relation to the processing of the Personal Data.
  6. Transfers to third countries
    • Junglemap undertakes not to engage sub-processers outside of the EU / EEA (a ”Third Country”) or otherwise to transfer Personal Data to recipients in a Third Country, without the prior written approval of the Data Controller. If Junglemap, following the prior written approval of the Data Controller, engages sub-processors outside the EU / EEA for processing of Personal Data or otherwise intends to transfer Personal Data to a recipient in a Third Country, such transfer of Personal Data is only allowed if:
  7. an adequacy decision in accordance with article 45 of the GDPR is at hand with respect to the Third Country to which the Personal Data will be transferred;
  8. Junglemap has entered into an agreement with the sub-processor or recipient containing the EU standard data protection clauses for transfers of personal data to a Third Country (including, as appropriate, such additional security measures necessary to ensure an essentially equivalent level of protection of the Personal Data in the Third Country as in the EU / EEA), in accordance with article 46.2 (c) of the GDPR; or
  9. Junglemap and the sub-processor or recipient has entered into binding corporate rules in accordance with article 47 of the GDPR.

Junglemap undertakes to always provide the Data Controller with information on which of the grounds set out in a) – c) above Junglemap relies on with respect to any specific transfer to a Third Country.

  • If the Data Controller approves any transfer, Junglemap and the Data Controller shall cooperate in order to ensure that the transfers are carried out in accordance and compliance with applicable Data Protection Legislation, particularly as regards the need to implement additional security measures in accordance with Section 8.1 b) above.
  • To the extent Junglemap relies on Section 8.1 b) above, Junglemap shall, upon the Data Controller’s request and without undue delay, send to the Data Controller a copy of the agreement that have been entered into with the sub-processor or recipient.
  1. Obligations of the Data Controller
    • The Data Controller confirms that it has;
      • A legal basis for the processing of the Personal Data in accordance with article 6 of the GDPR.
      • A legal basis, and the sole responsibility, for the lawfulness of the transfer of Personal Data to Junglemap, and Junglemap’s processing of the Personal Data in accordance with this DPA and the from time to time applicable instructions.
      • The responsibility for the correctness, integrity, contents, reliability and lawfulness of the Personal Data.
      • Provided the data subjects with adequate information on the transfer and processing of the Personal Data under this DPA, all in accordance with articles 12 – 14 of the GDPR.
    • The Data Controller is solely responsible for notifying the supervisory authority of any personal data breaches.
  2. Amendments
    • Junglemap may, due to legislative changes or for the purposes of ensuring an adequate level of security, introduce changes to this DPA. Junglemap will provide information on any such changes by way of email, including information on from which date the changes come into affect. The changes shall be deemed accepted by the Data Controller if the latter has not requested negotiation regarding the change within fourteen (14) days from Junglemap’s notification in accordance with the above.
  3. Disputes
    • This DPA shall be governed by and interpreted in accordance with the laws of Sweden. Any dispute, controversy or claim arising out of or in connection with this DPA shall be finally settled by the Swedish courts.
  4. Term of the DPA
    • The DPA will remain in force for as long as the Data Controller is using the E-learning Service and until the processing of Personal Data related to the E-learning Service finally cease, and this DPA will thereafter terminate automatically. In the event that the Parties enter into a main agreement regarding the E-learning Service, the Parties acknowledge and agree that a new data processing agreement related to such main agreement shall be entered into and replace this DPA in its entirety.

_______________________

This DPA has been duly executed in two (2) original copies, of which each of the Parties have taken one copy.

 

 Place, 202_-__-__

 

Stockholm, 202_ - ___ - ___

 

The Data Controller

 

The Data Processor

The Data Controller

 

Junglemap AB

 

 

 

Name
Title



Matti Olofsson
CEO

 

 

Appendix 1 – Instructions to Junglemap

This appendix constitute the written instructions to Junglemap according to the DPA and thus forms an integral part of the DPA.

  •  ddd
  • dddd
  1. Processing of Personal Data
    • Purpose of the processing of Personal Data

To provide a service for digital learning, the E-learning Service, to the employees and personnel of the Data Controller.

The Data Controller may use certain functions of the platform independently, and thereby gather personal data in a way that Junglemap cannot control or effect, and any such processing of personal data is therefore not covered by this DPA.

 

  • Categories of data subjects and personal data
    • Categories of data subjects

  1. Employees
  2. Consultants

iii. Any other individual who the Data Controller provides with access to Junglemap’s platform

 

  • Categories of personal data
  1. email address (mandatory)
  2. department (voluntary)

iii. manager (voluntary)

  1. results from tests and course evaluations
  2. such information requested by the Data Controller, to the extent the Data Controller is using the platform.

 

  • Special categories of personal data
  1. No

 

The Data Controller may only use the platform in a manner implying that no special categories of personal data, as set out in article 9 of the GDPR, is processed by Junglemap. If the Data Controller wishes to use the platform in any other way, implying that special categories of personal data may be processed by Junglemap, such use requires a specific and separate agreement between the Parties.

 

  • Duration and nature of the processing

The processing will continue for as long as the Data Controller is using the E-learning Service. Once the Data Controller has ceased all use of the E-learning Service, the personal data shall be deleted by Junglemap, unless instructed otherwise by the Data Controller in accordance with Section 3.10 of the DPA.

Generally, personal data will be processed by Junglemap if necessary to provide the E-learning Service.

This may, from time to time, include:

  • Supporting the Data Controller in setting up and distributing courses to the employees of the Data Controller.
  • Supporting the Data Controller with providing reports and statistics for the purposes of monitoring and measuring efficacy.
  • Provide the Data Controller with support, by phone, email or other support functions.
  • Store the personal data for as long as the Data Controller is using the E-learning Service, unless otherwise agreed.
  • Transfer personal data to the Data Controller, e.g. in the form of logs or results (in identifiable or non-identifiable formats).

 

  • Geographical location of the processing and the sub-processors

All processing of personal data will be conducted within the EU / EEA, unless otherwise agreed in accordance with Section 8 of the DPA.

 

 

Appendix 2 – Security measures

  1. Junglemap warrants and confirms that:

All personal data provided by the Data Controller to Junglemap will be treated as confidential, meaning:

- All access to the Personal Data is on a strictly need-to-know basis and Junglemap will ensure persons will only be able to view or access the Personal Data if this is strictly necessary. Each employee who may receive access to the Personal Data have, as part of their individual employment agreements, undertaken to treat all Personal Data strictly confidential.

 

  • Access and authorization control

    There is a technical system in place for authorization control, governing the access to Personal Data within Junglemap. Authorization is limited to the individuals who need access to the Personal Data to perform their work and is otherwise limited in accordance with this DPA. Junglemap has implemented routines for assigning and removing authorizations.

The Data Controller may, at their discretion, anonymize the personal data and partly limit Junglemap’s access to the personal data.

 

  • Physical access control


Only authorized and trained (internal security training and education in data protection legislation) personnel gains access to Junglemap’s facilities where IT-equipment is located which would enable access Junglemap’s systems.

  • Transfer and communication

    Personal data, when transferred across open/public networks, shall be protected against destruction, alterations or corruption. Furthermore, the personal data shall be protected against unauthorized access and connections shall be protected against unauthorized traffic. The protection shall be adjusted depending on the sensitivity of the personal data. Personal Data will be encrypted, both in transit and at rest, if agreed between the Parties. The database is encrypted with SHA256 and in transit data is encrypted with AES256.

  • Logging

Access to the Personal Data is monitored by logging. Junglemap maintains logs at system, software, database and network levels enabling Junglemap to identify and register any security incidents (e.g. failed log-in attempts, unauthorized deletion or copying of data) and ensures the integrity of such logs. Such logs are regularly reviewed by Junglemap and, when required to do so under the DPA, Junglemap will report any findings to the Data Controller.

 

  • Protection against malicious code/malware

The customers’ data in our database, as well as the rest of Junglemap digital infrastructure, is protected from malicious code such as viruses, worms and trojans.

 

  • Destruction of physical media

When physical media containing Personal Data is no longer of use, they are handled by Junglemap in accordance with the processes and routines established by Junglemap, in a manner ensuring that no data, personal data or otherwise, can be recreated.