Data Protection Terms
Version: May, 2018
These data protection terms (the “DPT”) have been entered into by and between Customer and Mynewsdesk (each a “Party” and collectively the “Parties”). The Parties have agreed as follows:
1.1. Customer and Mynewsdesk have entered into an agreement regarding Mynewsdesk’s provision of Services to the Customer (below the “Main Agreement”). These DPT set out and describe different aspects and obligations of the Parties with regard to the Processing of Personal Data that may take place when Customer uses these Services or otherwise as an effect of the Main Agreement.
1.2. Furthermore, the Parties may in respect of their relationship and in relation to the Processing of Personal Data described in Clause 1.1 take on different roles and responsibilities. These DPT clarify when the Parties act as Data Controller and when Mynewsdesk acts as Data Processor and Processes Personal Data on behalf of Customer, as well as the Parties’ obligations and responsibilities in relation hereto.
1.3. Also, Applicable Data Protection Law stipulates that when a Data Processor Processes Personal Data on behalf of a Data Controller, such relationship shall be governed by a contract. Appendix 1 (the “DPA”) has been established to comply with the requirements on such contracts, for the situation where Mynewsdesk acts as Data Processor. The DPA forms an integral part of these DPT.
1.4. Terms used herein shall have the same meaning as set out elsewhere in the Main Agreement and as set out in Applicable Data Protection Law.
1.5. With respect to the above the Parties have agreed as follows.
In these DPT:
“Applicable Data Protection Law”
means any and all data protection laws and regulations applicable from time to time on the Processing of Personal Data under these DPT (including but not limited to the Swedish Data Protection Act (Sw. lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”)).
“Contacts”
means the service and feature on Mynewsdesk’s platform where Customer may collect contact information and other information about its contacts in order to efficiently manage and distribute Content.
“Data Controller”
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor”
means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
“Data Subject”
means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data”
means any information relating to a Data Subject.
“Processing (of Personal Data)”
means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Obligations and responsibilities
It is important for Mynewsdesk to safeguard personal integrity and ensure that any Processing of Personal Data within the Services is correct and lawful. Therefore, Mynewsdesk’s Services may only be used in accordance with Applicable Data Protection Law.
3.2. Processing of Personal Data of the Parties’ employees and/or representatives
3.2.1. Each Party may as an effect of the Main Agreement and these DPT Process contact information, and possibly also other Personal Data, of the other Party’s employees and/or representatives. Such Processing may be for communication and invoicing purposes and otherwise to manage each Party’s relationship with the other Party. Each Party shall ensure that the other Party has the right to Process such Personal Data belonging to such employees and/or representatives of that Party, to the extent necessary for the first Party’s fulfilment of the Main Agreement and these DPT.
3.2.2. Customer’s employees and/or representatives may create user accounts for their use of Mynewsdesk’s Services. Mynewsdesk’s Processing of Personal Data of such Data Subject is, in addition to what is covered by Clause 3.2.1, subject to the direct relationship between Mynewsdesk and such employee and/or representative and covered by Mynewsdesk’s relevant terms for user accounts including relevant privacy notice or similar.
3.3. Publishing of Content containing Personal Data on the Mynewsdesk platform
Customer may publish Content on Mynewsdesk’s platform, by itself or by instructing Mynewsdesk to publish such Content on behalf of Customer. Customer acts as Data Controller for such Processing to the extent such Content contains Personal Data. Mynewsdesk is the Data Processor in relation to Customer for the provision of a publishing function on its platform and when Mynewsdesk publishes Content on Customer’s behalf and instruction.
3.4. Processing of Personal Data in the Contacts feature
3.4.1. About Contacts
3.4.1.1. Contacts is a service and feature on Mynewsdesk’s platform where Customer may collect contact information and other information about its contacts. Customer may collect such information by itself importing it into Contacts, or by using functions in the platform allowing it to collect information imported into Contacts by Mynewsdesk or its third party suppliers.
3.4.1.2. Contacts allows Customer to search information, to create address lists for send-outs based on its collected information, to distribute Content to its contacts, and to follow-up and analyze its contacts’ personal interests and how its contacts interact with messages sent to them through the functions in Contacts.
3.4.1.3. The purpose of Contacts is to facilitate and enable the procedure of managing and distributing commercial and non-commercial content (including marketing messages) based on the legitimate interest to do so or, where applicable, based on an alternative legal ground that Customer may have for its Processing, in accordance with Applicable Data Protection Law.
3.4.2. Categories of Personal Data in Contacts
The following categories of Personal Data may be imported to and Processed in Contacts:
Name and contact details such as address, email address and telephone number and fax number;
Nationality, country and other location information;
Professional title and company name;
Information regarding the contacts and the contacts’ interests.
3.4.3. Importing of Personal Data to Contacts
3.4.3.1. Customer may import Personal Data, as set out in Clause 3.4.2, to Contacts by uploading such Personal Data to the platform via its user account. Customer acts as Data Controller for such Processing and may only import such data to the platform if and to the extent Customer has secured its legal right to do so.
3.4.3.2. Customer may, by using Contacts, gain access to Personal Data that Customer has not uploaded to the platform, such as contact information and supplementing information about other contacts than its contacts and, to the extent applicable, supplementing information about its contacts. The Personal Data described in this Clause 3.4.3.2 is researched and collected from publicly accessible sources such as social media and other media channels online, and imported into Contacts by Mynewsdesk, itself or via its third party suppliers. Mynewsdesk acts as Data Controller for the gathering and transfer to Customer of such Personal Data to the extent it is researched, collected and imported into Contacts by Mynewsdesk, and may only transfer such data to Customer if and to the extent Mynewsdesk has secured its legal right to do so. Each third party supplier acts as Data Controller for its gathering and transfer to Customer of such Personal Data.
3.4.4. Further Processing of Personal Data in Contacts
3.4.4.1. Customer may in Contacts further Process such Personal Data described in Clause 3.4.3. Customer may hereby store (in general as well as in organized address lists), edit, manage, and erase such data, by itself or by instructing Mynewsdesk to carry out such action on behalf of Customer. Customer may also use functions in the platform to send electronic messages to its contacts and analyse its contacts’ behaviour in relation to such messages. Customer acts as Data Controller in relation to such further Processing of Personal Data. Mynewsdesk acts as Data Processor in relation to Customer for the storing of Personal Data accordingly as well as for the provision to Customer of an interface and function on its platform allowing Customer to send electronic messages and analyse its contacts’ behaviour in relation to such messages and, where applicable, for support services provided to Customer.
3.4.4.2. Mynewsdesk acts as Data Controller in relation to its further Processing of Personal Data in Contacts for its own purposes (providing its services to enable Processing activities in Contacts and analysing Data Subjects’ activity in order to improve the Services, including error handling).
3.5. The Parties’ obligations in their capacity as Data Controller
3.5.1. Each of the Parties shall, when it acts as Data Controller under these DPT, ensure and be responsible for compliance with the requirements on such Data Controller as set out in Applicable Data Protection Law, including, but not limited to, ensuring a legal ground applicable to its Processing, taking appropriate measures to inform Data Subjects about relevant Processing of Personal Data and facilitating the exercise of Data Subjects’ rights in relation to such Processing. Each of the Parties shall also ensure and be responsible for compliance with any other legislation applicable to its Processing under these DPT. Customer shall thus ensure and be responsible for obtaining consent from Data Subject for send-outs containing marketing messages to the extent such consent is necessary according to applicable law.
3.5.2. Mynewsdesk will, as part of its services to Customer, assist Customer in fulfilling its obligations as set out in Clause 3.5.1 insofar that (i) Mynewsdesk will provide a privacy notice, including information about the Processing of Personal Data in Contacts in each electronic message sent via Contacts and on the Mynewsdesk website and (ii) Mynewsdesk’s platform will include functions allowing Data Subjects to unsubscribe from receiving marketing messages via Contacts as well as to opt-out from Processing of their Personal Data in Contacts. Mynewsdesk will also provide a support email address to which Data Subjects can send requests to exercise their rights. Mynewsdesk will, through functions in Contacts or otherwise, inform Customer when it receives information that a Data Subject chooses to exercise its rights in relation to the Processing of its Personal Data by Customer in Contacts.
3.5.3. Customer shall at all times respect Data Subjects’ exercise of their rights according to Applicable Data Protection Law. Customer may thus not within the Services Process the Personal Data of any Data Subject which has objected to, opted-out from or otherwise opposed such Processing or which has requested the erasure of its Personal Data from the Services.
3.6. Restrictions in relation to Sensitive Personal Data
Customer is aware that the Services are not intended to collect, manage or in any other way Process special categories of Personal Data (so called “Sensitive Personal Data”). Customer is further aware that such Processing is prohibited according to Applicable Data Protection Law, except where an exception set out in such law is applicable. Customer shall, to the extent it Processes special categories of Personal Data in its use of the Services be fully responsible thereto and at all times hold Mynewsdesk harmless from any liability that may result from Customer’s use of the Services to Process Sensitive Personal Data.
3.7. Restrictions in relation to Personal Data gained access to through the Services
3.7.1. Except for as expressly set out herein, Customer may not, during the term of these DPT or thereafter, to any third parties disclose, misuse or use for any other purpose or in any other way than for its use of the Services, Personal Data gained access to as a result of its use of the Services. For the sake of clarity, such data includes, but is not limited to, the following:
Personal Data that the Customer has not itself imported to Contacts, as set out in Clause 3.4.3.2;
The identity of Customer’s newsroom followers and their interaction with messages sent to them through the functions in Contacts; and
Personal Data included in materials produced by Mynewsdesk’s media monitoring and media analysis services.
3.7.2. Except for as expressly set out herein, Mynewsdesk may not, during the term of these DPT or thereafter, to any third parties disclose, misuse or use for any other purpose or in any other way than for Customer’s use of the Services Personal Data gained access to from Customer as a result of Customer’s use of Contacts. For the sake of clarity, such data includes Personal Data as Customer has imported to Contacts as set out in Clause 3.4.3.1.
3.7.3. The restrictions set out in this Clause 3.7 do not apply to information that is generally known or that the Party subject to the restriction is obliged to provide in accordance with law, regulations or the decisions of the authorities.
3.8. Mynewsdesk’s Processing of data for the purposes of providing the Services
Mynewsdesk may however at all times Process Personal Data and other data that Customer has uploaded to the platform for the purposes of providing its Services, including for improving the Services and ensuring and improving the IT security of the Services. Mynewsdesk may, for a period of 12 months from the creation of the file, for these purposes create and keep a log file on Customer’s employees’ and/or representatives’ use of and actions within Mynewsdesk’s Services. Mynewsdesk acts as Data Controller for such Processing of Personal Data for its own purposes.
Obligation to provide contact information of data protection officer
If Customer has appointed a data protection officer, Customer shall provide contact information of such data protection officer to Mynewsdesk in order for Mynewsdesk to be able to disclose such contact information to Data Subjects, as the case may be.
5.1. Each Party shall, with the limitations set out in the Main Agreement (Section 13), indemnify and hold the other Party harmless from any and all damages, claims, losses, costs and expenses of any kind which is attributable to the first Party’s Processing of Personal Data in breach of these DPT and/or Applicable Data Protection Law, unless the first Party can show that it, or its sub-processor if applicable, is not in any way accountable.
5.2. Each Party shall within reasonable time notify the other Party in writing if it receives a claim for damages or other liability and provide the other Party with sufficient insight to the documentation in order for such Party to prepare its defence and/or limit the damage.
Survival of obligations
On termination of the Main Agreement and accordingly these DPT, regardless of the reason for such termination, provisions contained in these DPT that are expressed or by their sense and context are intended to survive the expiration or termination of these DPT, shall so survive the expiration or termination and continue in full force and effect.
7.1. These DPT do not constitute any transfer of ownership to the Personal Data or any other data subject to these DPT.
7.2. These DPT, including its Appendix, form an integral part of the Main Agreement and any provisions in the Main Agreement applicable for the subject of these DPT shall apply also in relation hereto. For the sake of clarity, such provisions include, but are not limited to, the provisions in the General Terms and Conditions regarding term and termination (Section 11), limitation of liability (Section 13) and changes to the Main Agreement (Section 19) which shall thus apply also in relation to these DPT. In case of conflict between the Main Agreement and these DPT, these DPT shall however take precedence in relation to the Processing of Personal Data that is subject to these DPT.
Appendix 1 - Data Processing Agreement (the “DPA”)
1.1. Applicable Data Protection Law sets out that when a Data Processor Processes Personal Data on behalf of a Data Controller, such relationship shall be governed by a contract. This DPA has been established to comply with the requirements on such contract and shall apply only when Mynewsdesk acts as Data Processor on behalf of Customer.
1.2. It follows from Clauses 3.3 and 3.4.4.1 of the DPT in which situations Mynewsdesk acts as Data Processor on behalf of Customer.
1.3. The type of Personal Data Processed under this DPA, the categories of Data Subjects that the Personal Data concern, and the nature and purpose of the Processing under this DPA are set forth in Clause 3 of the DPT.
Processing of Personal Data
2.1. Mynewsdesk’s general obligations as Data Processor
2.1.1. When Processing Personal Data under this DPA, Mynewsdesk shall comply with Applicable Data Protection Law.
2.1.2. Mynewsdesk shall ensure that persons authorised to Process, on behalf of Mynewsdesk, the Personal Data Processed under this DPA, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.1.3. Taking into account the nature of the Processing, Mynewsdesk shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising Data Subject's rights under Applicable Data Protection Law.
2.1.4. Taking into account the nature of the Processing and the information available to Mynewsdesk, Mynewsdesk shall assist Customer in ensuring compliance with Customer’s obligations pursuant to Applicable Data Protection Law, including (where applicable) its obligations to (i) implement appropriate technical and organisational measures, (ii) notify personal data breaches to the supervisory authority, (iii) inform Data Subjects of personal data breaches, (iv) carry out data protection impact assessments, and (v) carry out prior consultation with the supervisory authority.
2.2. Customer’s Instructions
2.2.1. Mynewsdesk may only Process Personal Data on behalf of Customer in accordance with the documented instructions from Customer, set out in the Main Agreement including, for the sake of clarity, the DPT and this DPA or as otherwise communicated by Customer to Mynewsdesk, unless required to do so by EU law (including the laws of its member states) to which Mynewsdesk is subject; in such a case, Mynewsdesk shall inform Customer of that legal requirement before Processing, unless EU law prohibits Mynewsdesk from informing Customer on important grounds of public interest.
2.2.2. Mynewsdesk shall immediately inform Customer if, in its opinion, an instruction is in breach of Applicable Data Protection Law and await further instructions. Customer shall provide Mynewsdesk with the necessary instructions within reasonable time. If Customer does not provide such instructions Mynewsdesk may take necessary measures to ensure compliance with Applicable Data Protection Law. For the avoidance of doubt, this does not affect Customer’s responsibility under the Main Agreement including, for the sake of clarity, the DPT and this DPA.
2.3. Duration of Processing
2.3.1. Mynewsdesk shall Process Customer’s Personal Data under this DPA for the duration of the Main Agreement. Mynewsdesk shall at all times respect Customer’s request to delete Personal Data Processed under this DPA and shall also at all times respect Data Subject’s opt-out from Contacts (by registering the Data Subject’s email address in order to identify it as blocked from Processing and keeping the request for a reasonable period of time).
2.3.2. Mynewsdesk shall delete, or at Customer’s request return to Customer, all Personal Data Processed under this DPA after such period of time set out in Clause 2.3.1 of this DPA, including deleting existing copies, unless EU law (including the laws of its member states) requires storage of the Personal Data.
Security of Processing
3.1. Mynewsdesk shall implement appropriate technical and organisational measures in accordance with Applicable Data Protection Law to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; and
maintaining, updating and storing logs regarding the Personal Data, maintaining a secure IT environment, and establishing and maintaining physical safety measures and routines. Logs will be stored for 12 months.
3.2. Mynewsdesk shall be prepared to follow any decisions from the supervisory authorities regarding measures needed to meet legal security requirements.
3.3. Mynewsdesk shall notify Customer, without undue delay, after becoming aware of a personal data breach (as defined in Applicable Data Protection Law) affecting the Personal Data Processed under this DPA and provide Customer with any information reasonably required by Customer regarding such personal data breach.
Information and audits
Customer shall have the right to obtain information from Mynewsdesk and to verify the measures taken by Mynewsdesk in accordance with Clauses 2.1.4 and 3.1 of this DPA. Mynewsdesk shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. The purpose of such audits shall be to verify Mynewsdesk’s compliance with the obligations laid down in this DPA. Any audits shall be at Customer’s expense but Mynewsdesk shall provide any required assistance free of charge. Customer may perform an audit or inspection no more than once a year unless special circumstances are at hand, such as if Customer can show that there is reason to believe that Mynewsdesk is in breach of this DPA.
5.1. Mynewsdesk may use sub-processors for the Processing of Personal Data under this DPA. Should Mynewsdesk wish to appoint or replace a sub-processor, Mynewsdesk must first notify Customer who may object to such measures within ten (10) days. Customer’s objection must be based on reasonable grounds, for example if Customer can show that the use of the intended sub-processor causes significant risks in relation to the protection of the Personal Data. If Customer and Mynewsdesk are unable to settle the objection, Mynewsdesk has the right to immediately terminate the Main Agreement, including for the sake of clarity the DPT and this DPA, by giving Customer written notice to that effect.
5.2. In case Mynewsdesk uses sub-processors, data processing agreements shall be concluded between Mynewsdesk and such sub-processor. Such data processing agreement shall ensure that the sub-processor undertakes the same obligations regarding protection of Personal Data as set forth in this DPA and shall provide sufficient guarantees that the sub-processor will perform appropriate technical and organisational measures in a manner that ensures that the Processing complies with Applicable Data Protection Law. If Mynewsdesk uses sub-processors, Mynewsdesk shall be fully responsible, with the limitations set out in the Main Agreement and the DPT, for the acts and omissions of such sub-processors in relation to Customer.
Processing of Personal Data in countries outside EU/EEA
Unless otherwise agreed, Mynewsdesk may Process Personal Data in a country outside of the EU/EEA. Mynewsdesk shall then ensure that such Processing at all times complies with Applicable Data Protection Law. This may e.g. be achieved by establishing a binding agreement, in accordance with the applicable EU Commission Model Contracts for the transfer of Personal Data to third countries, between Mynewsdesk and any sub-processors. Processing in a country outside the EU/EEA may also take place on the basis of a valid adequacy decision, such as the EU-U.S. Privacy Shield Framework, or on the basis of binding corporate rules that have been approved by the relevant supervisory authorities, to the extent Mynewsdesk and the relevant sub-processors have adopted the same binding corporate rules.