Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between
Adcyma AB
(the “Company”, the “Data Processor” and the “Data Controller”)
and
Customer
(the “Client”),
(together referred to as the “Parties”).

WHEREAS

(A) Adcyma AB acts as a Data Controller with respect to personal data it collects directly from end users in connection with the provision of its services.
(B) Adcyma AB acts as a Data Processor with respect to personal data provided by the Client and processed on the Client’s behalf in accordance with the Client’s instructions.
(C) The Parties seek to implement a Data Processing Agreement in accordance with the GDPR (Regulation (EU) 2016/679) and relevant data protection laws.
(D) The Parties wish to define their respective rights and obligations with regard to the processing of personal data.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meanings:
1.1.1 “Company” means Adcyma AB, acting as a Data Controller for data collected directly from end users.
1.1.2 “Data Processor” means Adcyma AB, acting as a Data Processor for data provided by the Client.
1.1.3 “Client” means Customer, acting as a Data Controller for data they provide to the Data Processor for processing.
1.1.4 “Company Personal Data” means any personal data processed by the Data Processor on behalf of the Client, or by the Company as a Data Controller.
1.1.5 “Subprocessor” means any person or entity appointed by or on behalf of the Data Processor to process personal data in connection with the Agreement.
1.1.6 “Data Protection Laws” means EU Data Protection Laws and, where applicable, the data protection or privacy laws of any other country.
1.1.7 “GDPR” refers to the EU General Data Protection Regulation 2016/679.

2. Processing of Personal Data

2.1 When acting as a Data Controller, Adcyma AB shall ensure compliance with all applicable Data Protection Laws for data collected directly from end users.
2.2 When acting as a Data Processor, Adcyma AB shall:
2.2.1 Comply with all applicable Data Protection Laws in processing personal data on behalf of the Client.
2.2.2 Process personal data only based on the Client’s documented instructions.
2.3 The Client instructs the Data Processor to process personal data as necessary to fulfill its obligations under the Principal Agreement.

3. Processor Personnel

The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor with access to personal data and ensure that such individuals are bound by confidentiality obligations.

4. Security

4.1 The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
4.2 In assessing the appropriate level of security, the Data Processor shall consider the risks presented by processing, particularly risks of a personal data breach.

5. Subprocessing

5.1 The Data Processor shall not appoint or disclose personal data to any Subprocessor without the prior authorization of the Client.
5.2 The Client authorizes the Data Processor to use the Subprocessors listed on the Data Processor’s website at the following URL: www.adcyma.com/legal/subprocessors. The Data Processor shall ensure that this list remains up to date.
5.3 The Data Processor shall notify the Client in advance of any intended changes concerning the addition or replacement of Subprocessors, giving the Client the opportunity to object to such changes. 

6. Data Subject Rights

6.1 The Data Processor shall assist the Client, where possible, in responding to requests to exercise data subject rights under applicable Data Protection Laws.
6.2 The Data Processor shall promptly notify the Client if it receives a request from a data subject and will not respond to the request except as authorized by the Client.

7. Personal Data Breach

7.1 The Data Processor shall notify the Client without undue delay upon becoming aware of a personal data breach affecting the Client’s personal data.
7.2 The Data Processor shall cooperate with the Client to investigate and remediate any personal data breach.

8. Data Protection Impact Assessment and Prior Consultation

The Data Processor shall provide reasonable assistance to the Client in conducting data protection impact assessments or prior consultations required under applicable Data Protection Laws.

9. Deletion or Return of Personal Data

9.1 The Data Processor shall, at the Client’s request and after the cessation of services, delete or return all personal data processed on the Client’s behalf.

10. Audit Rights

10.1 The Data Processor shall make available to the Client all information necessary to demonstrate compliance with this Agreement and shall allow for audits by the Client or its designee.

11. Data Transfers

11.1 The Data Processor may not transfer personal data outside the EEA without the prior written consent of the Client and without ensuring that adequate protection is in place, such as by relying on EU-approved Standard Contractual Clauses.

12. General Terms

12.1 Confidentiality: Both Parties agree to maintain the confidentiality of any confidential information exchanged in connection with this Agreement.
12.2 Notices: Notices under this Agreement must be in writing and delivered by hand, email, or postal mail. For updates related to Subprocessors, the Data Processor will notify the Client via email, and an updated list of Subprocessors can be found at www.adcyma.com/legal/subprocessors.
12.3 Governing Law: This Agreement is governed by the laws of Sweden, and any disputes shall be resolved in the courts of Malmö Tingsrätt.

Effective Date: 2024-10-06

Last Updated: 2024-10-13
