Background information

The Controller uses, under separate agreement, a service (hereinafter "the Service") from the Processor, in which personal data is processed. The Processor warrants that it has the necessary technical and organizational capacity and ability to process personal data for the Controller in the performance of the Service in accordance with applicable data protection rules, and in accordance with the provisions of this Agreement.

Definitions

  1. Processing means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  2. Applicable data protection rules refer to the General Data Protection Regulation (GDPR) and other data protection regulations applicable in Sweden at any given time.
  3. Personal data means any information relating to an identified or identifiable natural person (hereinafter "Data Subject"), whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  4. Personal data breach means a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  5. Third country refers to a country outside the EEA.
  6. Sub-processor refers to a data processor engaged by the Data Processor for the processing of Personal Data.

Processing of personal data

  1. The Processor is not entitled to process Personal Data in any other way than
    1. according to the provisions of this Agreement and any annexes thereto
    2. according to applicable data protection rules
    3. according to written instructions from the Controller
  2. The Processor shall without delay, and no later than 30 days from the Controller's request
    1. give it access to Personal Data held by the Processor
    2. implement requested changes, restrictions, or transfers of Personal Data
    3. delete Personal Data, unless such deletion is contrary to applicable data protection rules or other mandatory legislation or regulations for the Processor.
  3. In the event that the Controller has requested the deletion of Personal Data, and deletion subsequently takes place, the Processor shall ensure that the deleted Personal Data cannot be recreated.
  4. The Data Processor shall, at the request of the Data Controller, provide evidence that the obligations that the Data Processor has undertaken under this agreement or what follows from applicable data protection rules are complied with. In this regard, the Data Processor shall without delay, at the latest within 30 days of the request, provide the Data Controller with relevant documentation that proves compliance with these obligations. The Processor shall correspondingly provide the Controller with this information from any sub-processors.
  5. The Processor is obliged to maintain records of the processing of Personal Data carried out on behalf of the Controller. Upon request, extracts from this register shall be provided to the Controller, or to the competent supervisory authority. The register shall be in a readable format and contain:
    1. the name and contact details of the Controller and of the Processor and, where applicable, their Data Protection Officer
    2. the names and contact details of any sub-processors of the Processor
    3. The categories of processing of Personal Data carried out on behalf of the Controller.
    4. If the Personal Data has been transferred to a Third Country - indication of which country/countries, and the safeguards put in place.
    5. A technical and organizational description of the security measures taken by the Processor to prevent unauthorized processing of Personal Data.

Responsibilities of the controller

  1. The controller is responsible for ensuring that the processing of Personal Data is lawful and supported by applicable data protection rules.
  2. The Controller shall only grant access to Personal Data to the Processor that is necessary for the performance of the service.
  3. The Controller is responsible for ensuring that the instructions given to the Processor regarding the processing of Personal Data are accurate and complete at all times.

Security and enforcement

  1. The Processor shall endeavor to restrict access to the Personal Data when processing it for the performance of the Service. The Personal Data shall be treated with confidentiality. It is the responsibility of the Processor to ensure that persons who are to process the Personal Data have entered into a special confidentiality agreement or have otherwise been informed of the applicable data protection rules when processing Personal Data.
  2. The Processor shall take appropriate and necessary measures to ensure that the Personal Data is protected against processing that is contrary to the provisions of this Agreement or applicable data protection regulations.
  3. The Processor shall notify the Controller if it is contacted by a supervisory authority, Data Subject, or other third party for the purpose of obtaining access to Personal Data. The Processor is obliged to assist the Controller without undue delay in obtaining the requested information.
  4. The Processor shall without undue delay, and at the latest within 24 hours of becoming aware of it, notify the Controller of the occurrence or risk of a Personal Data Breach. Such notification shall contain all necessary and available information that the Controller needs in order to be able to take countermeasures and to be able to fulfill its obligations to the Data Inspectorate or other competent supervisory authority.

Sub-processors

  1. The Processor may not, without the Controller's prior written consent, engage a Sub-Processor for the processing of Personal Data under this Agreement. The list of Sub-processors is set out in the appendix to this agreement.
  2. The Processor is responsible for ensuring that any Sub-Processors engaged comply with all applicable provisions of this Agreement and applicable data protection rules when processing Personal Data.

Transfers to third countries

  1. In the event that the Processor intends to process Personal Data or engage a Sub-processor in a Third Country, and such country is not considered by the European Commission to provide an adequate level of protection in relation to applicable data protection rules, the parties shall enter into a separate supplementary agreement in this regard.

Limitation of liability

  1. The Processor shall be held harmless against supervisory authorities, Data Subjects, or other third parties in respect of claims for damages, penalties, or other sanctions directed against the Controller or the Processor in connection with the Processor's processing of Personal Data on behalf of the Controller. However, the limitation of liability does not apply to claims for compensation based on the Processor's processing of Personal Data in violation of the Controller's instructions or of applicable data protection rules.

Contact details

  1. Notifications under this Agreement shall be made in writing. Contact details are set out in the applicable service agreement between the parties.

Contract duration and changes to contract terms

  1. The duration of the contract is governed by the parties' agreement on the service. Any additions or adjustments to this Agreement shall be agreed between the Parties in writing.
  2. In the event that the Processor intends to make technical or organizational changes that may affect the protection of the Personal Data, the Controller shall be notified. Changes of a substantial nature may not be made without the prior written consent of the Controller.
  3. The Processor shall, upon termination of the Agreement, or upon instruction from the Controller, delete or return Personal Data in its possession, unless this is incompatible with applicable data protection rules or other mandatory legislation or regulations for the Processor.

Dispute resolution

  1. Any dispute arising from this Agreement shall be settled in a general court of law, in accordance with Swedish law, with Stockholm District Court as the court of first instance.

Annex to the Data Processing Agreement

In connection with the signing of the Data Processing Agreement, the parties have agreed on what is stipulated in this annex regarding the processing of Personal Data.

  1. Purposes of the processing

The Data Controller uses the Data Processor's board portal and website service. The Data Processor is only entitled to process Personal Data for the Data Controller in the implementation of the above-mentioned service, unless otherwise provided by applicable data protection rules or other mandatory legislation for the Data Processor.

  2. Type of processing

The Processor will process Personal Data in the performance of the Service as follows:

Read, store, export, modify and delete.

  3. Type of personal data

When performing the service, the Processor will process the following types of personal data:

Name, address, e-mail addresses, telephone, date of membership, storage number, rent/fee, move-in date, living space, number of rooms, land registry apartment number, apartment number, purchase price, type of lease, internal fund, ownership share, fee, IP address and social security number.

  4. Categories of personal data

Will so-called sensitive personal data be processed by Reduca? No, it will not.

  5. Geographical location

The personal data will be stored on servers in Sweden and through sub-processors in the EU.

  6. Time limitation of processing

Processing of Personal Data on behalf of the Data Controller is limited in time to the duration of the service agreement between the parties, and thereafter only if, and for as long as, the Data Processor is required by mandatory law or applicable data protection rules to continue processing Personal Data.

  7. Sub-processors

The Processor will use the following sub-processors for the processing of Personal Data:

| Sub-processor | Service | Country | Contact |
| --- | --- | --- | --- |
| Amazon | Server | Sweden | www.aws.amazon.com |
| Scrive | E-sign | In the EU | info@scrive.com |
| Cellsynt | SMS service | In the EU | support@cellsynt.se |
| Fortnox | Invoicing | In the EU | https://www.fortnox.se/kontakt |
| Loopia | Domain/Web/Email | In the EU | support@loopia.se |
| Whereby | Video meetings | In the EU | support@whereby.com |
| Zoho | Document editing | In the EU | support@eu.zohoofficeapi.com |
| Hetzner | Backup | Finland | support@hetzner.com |