    Data Processing Agreement

    Between

    1. Nordic Defender AB, reg. no 559201-3030 with registered office at Kungsportavenyn 23 411 53 Gothenburg, Sweden (the Processor); and

    2. The User that has entered into the Terms and Conditions for Service Providers Nordic Defender️ (the Controller);

    Processor and the Controller are referred to separately as “the Party” and together as “the Parties”.

    1. Background

    The terms and conditions specified below and the Privacy Policy shall apply if and when the Processor processes personal data on behalf of the Controller and its affiliates in their capacities as data controllers. Should any conflict arise between a clause in this Data Processing Agreement and a clause in the Terms and Conditions for Service Providers Nordic Defender, the provisions in this Data Processing Agreement shall take precedence wherever the provision in this Data Processing Agreement provides greater protection for the Personal Data being processed.

    The data processing activities hereunder are further described in Annex 1.

    2. Definitions

    In this Data Processing Agreement, the following definitions shall have the meaning set forth below:

    “Processing”, “Personal Data Controller”, “Personal Data”, “Personal Data Processor”, “Personal Data Incident”, and “Data Subject” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”);

    “Processing Agreement” is this Processing Agreement and any appendices and annexes to it;

    “Applicable Legislation” means legislation, regulations and directives in force at the time in the EU and in relevant Member States that are applicable to the Processor and the Controller; and

    “Applicable Personal Data Legislation” means legislation, regulations and directives in force at the time, including directives notified by relevant supervisory authorities, with respect to the protection of privacy and fundamental rights and freedoms of individuals and, in particular, their right to the protection of their Personal Data with respect to the Processing of Personal Data applicable to the Processor and the Controller, including legislation, regulations and directives within the meaning of Directive 95/46/EC and, from 25 May 2018, the GDPR;

    and

    “Third Country” is a country outside the European Union (EU) or the European Economic Association (EEA).

    “Nordic Defender” means the services described in the Agreement;

    “Agreement” means the Terms and Conditions for Service Providers Nordic Defender️ entered into by the Parties for Nordic Defender️.

    3. Obligations of the Controller

    3.1. The Controller is responsible for ensuring that the Processing of the Personal Data is carried out in accordance with Applicable Legislation and that the Data Subjects are informed about the Processing.

    3.2. The Processor has neither an obligation nor the technical means to check the accuracy or completeness of the Personal Data entered into Nordic Defender. This obligation is the sole responsibility of the Controller.

    4. Obligations of the Processor

    4.1. The Processor shall:

    • only process the Personal Data on written instructions (see Annex 1) from the Controller;
    • based on the information about the consultant, prepare and make available a report which will better present the consultant as a candidate (profiling, without making automated decisions);
    • keep the Personal Data confidential and ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    • maintain a record of all Processing activities carried out on behalf of the Controller;
    • considering the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
    • assist the Controller in ensuring compliance with the obligations pursuant to applicable law, considering the nature of processing and the information available to the Processor as the processor;
    • at the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of Nordic Defender, and delete existing copies unless European Union or EU Member State law requires storage of the personal data;
    • make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this section and allow for, and contribute to, audits, including inspections, conducted by the data controller under applicable law or another auditor mandated by the Controller.

    4.2 Based on the information about the consultant and tests made by the consultant, prepare and make available a report which will better present the consultant as a candidate and match your profile to assignments (profiling, without making automated decisions). The workstyles are derived from test results or other information that you have provided.

    4.3 Nordic Defender allows sharing of information, including personal data, in many ways. Where we have made settings available, we will honor the choices you make about who can see Content (or about restricting your content visibility from job and skills searching activities within the service). At this moment there are two main ways to share Content:
    a) Invite to bounty program
    b) Following other User
    c) Accept searchable option

    4.4 Who receives your data and how do we host your data?
    Internal recipients of your Data: the recipients of your Personal Data are the authorized staff of Nordic Defender.
    Data store and processing location:

    • Self-hosted data center, Sweden
    • Hetzner, the data hosting company, Huurrekuja 10, 04360 Tuusula, Finland
    • Hetzner, the data hosting company, 25, 91710 Gunzenhausen, Germany
    The external recipients of your Data are Processors who process data on behalf of Nordic Defender:
    • No Third party is involved in the Nordic Defender data processing procedure.

    5. Security measures

    The Processor takes appropriate technical and organizational measures to ensure that the Personal Data that are processed are protected from Personal Data Incidents. The measures must ensure that at least the level of security required by Applicable Personal Data Legislation and by applicable regulations and guidelines of relevant supervisory authorities for personal data security is in place. More information on the security measures taken by the Processor can be found in the Security appendix.

    Furthermore, the Processor must, if so requested, assist the Controller with information necessary to enable the Controller, as applicable, to be able to meet its obligations to carry out an impact analysis and pre-consultation discussion meetings with relevant supervisory authorities concerning the Processing of Personal Data that are subject to the terms of this Processing Agreement. If the Controller requests the Processor to assist with an impact analysis, even though there is no obligation under Applicable Personal Data Legislation to carry out an impact analysis, the Processor shall be entitled to remuneration as set out in the price list in force at the time.

    6. Personal Data Incident

    Should a Personal Data Incident occur, the Processor must notify the Controller in writing of the breach without undue delay after the Processor has become aware of the Personal Data Incident.

    If it is not unlikely that a Personal Data Incident poses a risk to the privacy of the Data Subjects, the Processor must, immediately after it has become aware of the Personal Data Incident, take all appropriate steps to prevent or minimize the potential negative consequences of the Personal Data Incident.

    If requested by the Controller, the Processor shall provide:

    • a description of the Personal Data Incident’s nature, categories of and the number of Data Subjects affected, and categories of and the number of personal data items affected;
    • the likely consequences of the Personal Data Incident; and
    • a description of the measures that the Personal Data Processor, where appropriate, has already taken or intends to take to correct the Personal Data Incident and/or to minimize the potential negative consequences of the Personal Data Incident.

    Should it not be possible for the Processor to provide the information in one go, the information may be provided in batches without any further undue delay.

    7. Subcontractors

    The Processor may hire subcontractors, consultants or other third parties for the Processing of Personal Data on behalf of the Controller (“Subcontractor”).

    If the Processor hires a Subcontractor, the Controller consents to the Processor entering into a Processing Agreement directly with the Subcontractor. The obligations under such Processing Agreement with the Subcontractor shall be equal to and no less restrictive than those under this Processing Agreement. The Controller accepts that the Processor and the Subcontractor enter into the Subcontractor’s standard agreement for personal data processing when circumstances so require, on condition that such a standard agreement meets the requirements stipulated in Applicable Personal Data Protection Legislation.

    Should the Processor hire a new Subcontractor, the Processor must notify the Controller in writing without undue delay of the following:

    • the Subcontractor’s identity (including details of the company’s name, organisation number and address);
    • the type of service performed by the Subcontractor; and
    • at which location the Subcontractor will be Processing Personal Data on behalf of the Controller.

    With respect to hiring new Subcontractors, the Controller is entitled to make objections to the hiring of the Subcontractor.

    The Processor is liable to the Controller for the Subcontractor’s Processing of Personal Data and on its own behalf. For approved subcontractors, please see appendix 2 Approved subcontractors.

    8. Confidentiality

    Without prejudice to the application of any obligations of confidentiality in the User Agreement, the Processor agrees to keep all Personal Data that is processed on behalf of the Controller strictly confidential. Accordingly, the Processor will not, either directly or indirectly, divulge, disclose or communicate any Personal Data to any third party without the prior written consent of the Controller, unless the Processor has an obligation under Applicable Legislation or a decision by a court or authority to provide the Personal Data, or where this is necessary in the fulfilment of the requirements of the Agreement or this Data Processing Agreement. The Processor shall notify the Controller if Personal Data is provided to a third party, unless prevented from so doing by Applicable Legislation or a decision by a court or authority.

    The Processor accepts that the obligation of confidentiality shall remain in force even following the termination of the Personal Data Processing Agreement and until all Personal Data have been provided to the Controller or have been securely and irreversibly destroyed or anonymized.

    The Controller agrees to keep all information that the Controller receives about the Personal Data Processor’s security measures, procedures, IT systems and any other information of a confidential nature strictly confidential and not to disclose to any third party any confidential information originating from or provided by the Processor or its Subcontractors. The Controller may only disclose such information that the Controller is required to disclose under Applicable Legislation or under the terms of the Agreement or this Processing Agreement. The Controller accepts that this obligation of confidentiality remains in force even after this Processing Agreement is terminated or otherwise ceases to be in effect.

    9. Liability

    The Processor shall indemnify the Controller against any and all liability, loss, claim or expenses that it incurs which has been caused by the Personal Data Processor, either intentionally or through gross negligence, processing personal data in breach of the terms of the Agreement or Applicable Personal Data Protection Legislation.

    The Controller shall hold the Processor harmless from any and all liability, loss, claim or expenses that the Processor incurs as a result of the Controller Processing Personal Data in breach of the terms of the User Agreement or Applicable Personal Data Protection Legislation.

    10. Rights of Data Subjects

    The Processor shall, to the extent possible, assist the Controller by taking all and any technical and organizational measures that are necessary to enable the Controller to meet its obligation to respond to a request for the exercise of a Data Subject’s right according to the rights of data subjects as required by the Applicable Personal Data Protection Regulation. The Processor shall be entitled to compensation for any expenses that such assistance incurs at the rates stated on the price list in force at the time.

    11. Third Countries

    Processing and use of Personal Data under this Agreement shall only be carried out within the EU/EEA, and specifically storing of personal Data shall be limited thereto. Any transfer to, or extension into Third Countries requires prior written consent from or agreement with the Controller.

    12. Additional protective measures

    The Processor shall maintain and promptly provide the Controller with up-to-date information regarding its data processing activities as the Controller may reasonably request to meet its obligations under legal data protection requirements.

    Processor may not make any filings or publish any information regarding any Data Breach without the Controller’s prior approval unless required by mandatory law. To the extent the laws require that an individual or authority be notified of a Data Breach, Processor shall at the Controller’s request and prior approval of the content, form and timing, provide any notices to such an individual or governmental authority containing the information as mandated by the mandatory laws. Upon the Controller’s request, Processor shall at its own cost provide remediation services, customer care and other reasonable assistance to individuals impacted by the Data Breach directly or through a third party. Upon the Controller’s request, Processor shall cooperate and provide information about the nature, circumstances and causes of the event at issue. Processor will take all necessary actions to prevent further losses and otherwise limit the consequences of the event at issue. Processor shall conduct professional forensic and security review and audit in connection with such Data Breach. These data breaches, if any, shall be resolved according to the applicable data protection laws and the specific instructions that might be provided to Processor by the Controller.

    Subject to what is permitted under mandatory law, if Processor receives a request or complaint from a governmental authority or body (“Authority”) regarding any Personal Data, it shall without delay notify the Controller identifying the Authority, the scope of the request and grounds presented for the request or complaint. Processor shall respond to such Authority request or complaint only with the Controller’s prior approval of the response.

    13. Validity

    This Processing Agreement shall become effective upon acceptance by the Parties (acceptance by the Processor is given by publication of this agreement on the website; after acceptance by the Controller, the Agreement is treated as concluded between the Parties), and shall remain effective throughout the term of the Agreement.

    14. Transfers

    Neither Party may transfer, in full or in part, its rights and obligations under this Agreement without the written consent of the other Party.

    15. Amendments and additions

    The provisions relating to amendments and additions set forth in the Agreement shall apply correspondingly to this Processing Agreement.

    16. Applicable law and litigation

    The provisions relating to applicable law and litigation set forth in the Agreement shall apply correspondingly to this Processing Agreement.

    17. Business contact details

    The personal data, including business contact details, of the Controller’s employees and other workforce whose data is provided in the course of carrying out this Agreement, the Agreement, shall only be processed to the limited extent required to administrate the business relation between the Controller and the Processor.

    Annex 1

    This annex constitutes the instruction for the Processor to process personal data on the Controller’s behalf.

    Purpose of the data Processing

    The Personal Data is processed for the following purposes:

    • invite you to the Bounty program, the Customer, and assignment-related services and events
    • send you newsletters with info from Nordic Defender️
    • send you updates with new requests
    • compiling statistics
    • for support and service regarding your User Account
    • to administrate your User account
    • to enable you to use Nordic Defender️
    • to enable the Customer to connect with you in Nordic Defender and send you job requests
    • to send you job offers, guides, blog, posts, invites to events and other information with content referring to the consultant market and Nordic Defender️.

    Categories of data subjects

    The Processor will process data about the following data subjects:

    • Users of Nordic Defender️.
    • Profiles added by the Service Provider

    Categories of Personal Data

    The personal data can possibly concern the following categories of data:

    • Phone number
    • Name (surname and first name)
    • Email address
    • Address
    • Photo
    • Log in credentials
    • CV
    • Rate
    • Assignment applications
    • Any information that a user adds in free text
    • Results of tests and analysis (Workstyles)

    Processing activities

    The Processor will conduct the following processing activities:

    • Collection
    • Storage
    • Structuring
    • Compiling statistics
    • Forwarding
    • Erasure

    Storage of personal data

    The personal data will be retained for as long as the User has an active account unless a longer retention period is needed to fulfill other contractual or legal obligations regarding the individual. The personal data will be deleted once the User account is deleted.

    Annex 2 Approved subcontractors