Data Processing Agreement
Appendix to Vendion's general terms. Governs how Vendion processes personal data on your behalf under Article 28 GDPR.
This is an English translation provided for convenience. In the event of any discrepancy, the Swedish version at vendion.com/personuppgiftsbitradesavtal is the legally binding agreement.
Document version 2026:01 · Last updated 25 June 2026
1. Parties
1.1 This data processing agreement (the DPA) governs Vendion's processing of personal data on the Customer's behalf and has been entered into between the Customer (data controller) and Vendion (data processor):
- Data controller (the Customer): the restaurant business that has entered into an agreement for the Service under the Main Agreement. The Customer's full details (company name, registration number, address and contact person) are set out in the Main Agreement, the quotation or the order confirmation.
- Data processor (Vendion): Vendion AB, company reg. no. 559351-4788, Rosviksgatan 5, 453 30 Lysekil, Sweden. Contact: contact@vendion.com.
1.2 The Customer and Vendion are jointly referred to as the Parties and individually as a Party.
1.3 The DPA forms an integral part of the agreement for the point-of-sale system Vendion (the Service) that the Parties have entered into through a quotation, order confirmation or Vendion's general terms (the Main Agreement). In the event of conflict between the DPA and the Main Agreement on matters relating to the processing of personal data, the DPA shall prevail, in accordance with the order of precedence set out in the Main Agreement.
2. Background and purpose
2.1 Vendion provides the Service to the Customer. Within the scope of the Service, Vendion processes personal data on the Customer's behalf, e.g. data about the Customer's guests and employees. The Customer is the data controller for this processing and Vendion is the data processor.
2.2 The purpose of the DPA is to meet the requirements of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation or GDPR) and to govern Vendion's processing of personal data on the Customer's behalf.
2.3 The DPA does not cover processing where Vendion is an independent data controller, e.g. the processing of data about the Customer's contact persons and users for Vendion's own purposes. Such processing is governed by Vendion's privacy policy.
2.4 The processing of card and payment data in connection with card payment is performed by the Customer's payment and acquiring provider in accordance with that provider's own terms and applicable rules, e.g. PCI DSS, and is not covered by the DPA other than to the extent such data is actually processed in the Service.
3. Definitions
3.1 The terms personal data, processing, data controller, data processor, data subject, personal data breach and third country have the same meaning as in the GDPR.
3.2 Sub-processor means a data processor engaged by Vendion to carry out certain processing on the Customer's behalf.
3.3 Instruction means the Customer's documented instructions to Vendion under section 4.
4. Subject matter and instructions
4.1 The subject matter, duration, nature and purpose of the processing, the categories of data subjects concerned and the types of personal data are set out in Appendix A.
4.2 Vendion shall only process personal data in accordance with the Customer's documented Instructions, including with regard to transfers to a third country, unless otherwise required by Union or Swedish law. If such processing is required by law, Vendion shall inform the Customer of the legal requirement before the processing, unless such information is prohibited by law.
4.3 At the time the DPA is entered into, the Customer's Instructions consist of the Main Agreement, this DPA, Appendix A and the Customer's use and configuration of the Service. The Customer may in addition provide further written Instructions within the scope of what the Service allows.
4.4 Vendion shall without delay inform the Customer if Vendion considers that an Instruction infringes the GDPR or other applicable data protection provisions.
4.5 The Customer is responsible for ensuring that the Customer's Instructions and the processing of personal data in the Service have a legal basis and otherwise take place in accordance with applicable data protection legislation.
5. Vendion's general undertakings
5.1 Vendion shall process personal data in a manner that meets the requirements of the GDPR and that protects the rights of the data subjects.
5.2 Vendion shall ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Vendion shall limit access to the personal data to such personnel as need the access in order to perform Vendion's obligations under the DPA.
6. Security
6.1 Vendion shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. The measures are set out in Appendix C.
6.2 When assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular the risk of accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, the personal data.
6.3 Vendion may update the security measures, provided that the level of security is not lowered.
7. Sub-processors
7.1 The Customer hereby gives general written prior authorisation for Vendion to engage Sub-processors. The Sub-processors engaged at the time the DPA is entered into are set out in Appendix B.
7.2 Vendion shall, by written agreement, impose on each Sub-processor in all material respects the same data protection obligations as apply to Vendion under the DPA, to the extent they are applicable to the Sub-processor's processing.
7.3 Vendion is liable to the Customer for the Sub-processor's processing in the same way as for its own.
7.4 Vendion shall notify the Customer of planned changes regarding the addition or replacement of Sub-processors in reasonable time before the change is made, so that the Customer is given the opportunity to object. Notification may be made by email or by publishing an updated sub-processor list to which the Customer is directed.
7.5 If the Customer objects, on objective, data-protection-related grounds, to a new Sub-processor within thirty (30) days of the notification, the Parties shall seek a solution in good faith. If a solution cannot be reached, the Customer has the right to terminate the part of the Service that requires the Sub-processor in question.
8. Transfer to a third country
8.1 Personal data shall be processed within the EU/EEA, unless otherwise set out in Appendix B or unless the Customer has given an Instruction to the contrary.
8.2 If a transfer to or processing in a third country takes place, Vendion shall ensure that the transfer is covered by a valid transfer mechanism under Chapter V of the GDPR, e.g. the European Commission's standard contractual clauses or an adequacy decision, together with supplementary safeguards where necessary.
9. Assistance to the Customer
9.1 Vendion shall, taking into account the nature of the processing and by appropriate technical and organisational measures, insofar as possible, assist the Customer in fulfilling the Customer's obligation to respond to requests for exercising the rights of data subjects under Chapter III of the GDPR.
9.2 If a data subject contacts Vendion directly with such a request, Vendion shall without undue delay forward the request to the Customer and not answer it itself, unless the Customer has instructed otherwise.
9.3 Vendion shall assist the Customer in ensuring compliance with the obligations under Articles 32–36 of the GDPR, taking into account the nature of the processing and the information available to Vendion. This includes assistance with data protection impact assessments and prior consultation with a supervisory authority.
9.4 Vendion is entitled to reasonable compensation for assistance under this section to the extent the assistance goes beyond what is included in the Service and arises from the Customer's specific request, according to the rates in force from time to time.
10. Personal data breach
10.1 Vendion shall, without undue delay after becoming aware of a personal data breach concerning the processing, notify the Customer.
10.2 The notification shall, to the extent the information is available, contain a description of the nature of the breach, the likely consequences of the breach and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
10.3 It is incumbent on the Customer, as data controller, to notify the supervisory authority where applicable and to inform the data subjects concerned.
11. The Customer's undertakings
11.1 The Customer is responsible for ensuring that there is a legal basis for the processing, that the data subjects have been given the prescribed information and that the processing otherwise takes place in accordance with applicable data protection legislation.
11.2 The Customer is responsible for the accuracy of the personal data that the Customer and its users enter into the Service and for ensuring that the Customer's Instructions are lawful.
12. Audit and review
12.1 Vendion shall give the Customer access to the information required to demonstrate compliance with the obligations under Article 28 of the GDPR and this DPA.
12.2 Vendion shall allow for and contribute to reviews, including inspections, conducted by the Customer or by an auditor mandated by the Customer. Such a review shall be notified in writing in reasonable time, normally at least thirty (30) days in advance, be carried out during ordinary working hours, not unreasonably disturb Vendion's operations and be conducted with due observance of confidentiality.
12.3 Vendion may fulfil its obligation under this section by providing current documentation, e.g. relevant certificates, audit reports or statements from independent third parties, to the extent such documentation reasonably satisfies the review need.
12.4 Each Party bears its own costs for a review. Vendion is, however, entitled to reasonable compensation for time spent on a review that goes beyond what is reasonably required or that is conducted more often than once a year, except where the review is occasioned by an established personal data breach.
13. Deletion and return
13.1 When the processing under the DPA ceases, Vendion shall, at the Customer's choice, delete or return all personal data processed on the Customer's behalf and delete existing copies, unless storage is required by Union or Swedish law.
13.2 Vendion makes the Customer's data available for export for a reasonable period after the end of the Main Agreement in accordance with the Main Agreement, normally thirty (30) days, after which the data may be deleted.
13.3 Vendion may retain personal data to the extent and for the period required by law, in which case Vendion shall only process the data to the extent and for the purpose that the storage requires.
14. Liability
14.1 The Parties' liability under the DPA is subject to the limitations of liability that follow from the Main Agreement, unless otherwise required by mandatory law.
14.2 The allocation of liability for damages between the Parties towards data subjects is governed by Article 82 of the GDPR. A Party that has paid full compensation for damage is entitled to claim back from the other Party the part of the compensation corresponding to the other Party's share of responsibility for the damage.
15. Term
15.1 The DPA applies from the time it becomes binding between the Parties and for as long as Vendion processes personal data on the Customer's behalf under the Main Agreement.
15.2 Provisions that by their nature are to continue to apply after the DPA ends, e.g. regarding confidentiality, liability and deletion and return, continue to apply thereafter.
16. Amendments
16.1 Vendion may amend the DPA on reasonable notice to the extent the amendment is required in order to comply with law, a government decision or established practice regarding data protection, or to reflect changes in the Service, provided that the level of protection for the data subjects is not lowered. Other amendments shall be made in writing and approved by the Parties.
17. Governing law and disputes
17.1 The DPA is governed by Swedish law.
17.2 Any dispute arising out of the DPA shall be settled in accordance with what is stated regarding dispute resolution in the Main Agreement.
18. Signature
18.1 In the standard flow, the DPA is accepted as an integral part of the Main Agreement when the Customer enters into the Main Agreement, and requires no separate signature.
18.2 If the Parties wish to sign the DPA separately, this is done in a signed version in which the Parties' details and signatures are completed. A digital signature has the same legal effect as a signature on an original document.
Appendix A — Description of the processing
Subject matter and nature
The subject matter of the processing is the processing of personal data within the scope of providing the Service, a cloud-based point-of-sale system with associated modules. The nature of the processing covers collection, recording, organisation, structuring, storage, adaptation, use, disclosure by transmission within the Service and erasure.
Purpose
To provide the Service and its modules to the Customer according to the Customer's agreed scope, including point of sale, order, booking, staff management, marketing and loyalty where applicable, reporting and analysis, and support.
Duration
The processing continues for as long as the Main Agreement is in force and thereafter for the period set out in section 13 of the DPA.
Categories of data subjects
- The Customer's guests and customers.
- The Customer's employees and contractors (users).
- The Customer's contact persons, to the extent they are processed on the Customer's behalf.
Types of personal data
- Guests and customers: name, contact details, booking details, order history and, where applicable, loyalty and communication data.
- Employees and users: name, contact details, employment and scheduling data, time registration, staff-ledger data and login and authorisation data.
- Contact persons: name and contact and role data.
Special categories of personal data
The Service is not intended for the processing of sensitive personal data under Article 9 of the GDPR. The Customer shall not enter such data in fields not intended for this. The Customer is responsible for which personal data is actually entered into the Service. The above describes the categories and types that the Service is intended for.
Appendix B — Sub-processors
Vendion engages the sub-processors below for the processing of personal data within the scope of the Service. The list is kept current and forms the basis for notification under section 7. Where processing takes place outside the EU/EEA, the transfer is made on the basis of a valid transfer mechanism under Chapter V of the GDPR.
| Sub-processor | Service / Purpose | Processing location | Transfer basis (third country) |
|---|---|---|---|
| Supabase | Operation, storage and hosting of the Service (database) | EU – Stockholm (eu-north-1) | — |
| Adyen | Payment processing, card acquiring and card terminals | EU/EEA | Standard contractual clauses for any transfer outside the EEA. Card and payment data is processed by Adyen under its own terms and PCI DSS (cf. 2.4). |
| GatewayAPI | Sending SMS notifications | EU (Denmark) | — |
| Resend | Sending email | USA | European Commission's standard contractual clauses (SCC) |
| Google (Gemini API) | AI-based functions in the Service | Global (USA) | European Commission's standard contractual clauses (SCC) |
Appendix C — Technical and organisational security measures
Vendion takes, among others, the following technical and organisational measures under Article 32 of the GDPR:
- Encryption of personal data in transit, e.g. with TLS, and where appropriate also at rest.
- Authorisation management and access control based on the principle of least privilege, together with strong authentication, e.g. multi-factor authentication, for administrative access.
- Logging and monitoring of access and security-relevant events.
- Measures to continuously ensure the confidentiality, integrity, availability and resilience of the processing systems.
- Regular backups and procedures for restoring the availability of and access to personal data in the event of an incident.
- Procedures for detecting, reporting and handling personal data breaches.
- Network security, firewalls and protection against malicious code.
- Pseudonymisation or minimisation of personal data where appropriate.
- Confidentiality undertakings and recurring training for personnel with access to personal data.
- Procedures for regular testing and evaluation of the effectiveness of the measures.
- Requirements on and monitoring of sub-processors' security.
- Physical security in data centres provided by Vendion's infrastructure suppliers.
Questions about this agreement? Contact us at contact@vendion.com.
