SUB-PROCESSING AGREEMENT
THIS SUB-PROCESSING AGREEMENT
1. Wolters Kluwer Scandinavia AB, reg.no. 556459-8521, Emigrantvägen 2 G, 414 63 Gothenburg, Sweden (“Wolters Kluwer”) and
2. Customer (as defined in the Agreement) (“Customer”).
The parties above are hereinafter each referred to as a “Party” and jointly as the “Parties”.
1. BACKGROUND
1.1 This Sub-Processing Agreement applies when Wolters Kluwer processes personal data on behalf of the Customer in the capacity of sub-processor to the Customer’s customers in connection with the Customer’s use of Wolters Kluwer’s online services.
1.2 The Customer is the main processor of the Customer’s customers and Wolters Kluwer is a sub-processor of the Customer’s customers as regards the processing of personal data under this Sub-Processing Agreement.
1.3 This Sub-Processing Agreement constitutes an appendix to the Agreement (as defined in Sub-clause 2.4 below) that governs the rights and obligations of the Parties concerning the Customer’s use of the Service (as defined in Sub-clause 2.5 below).
1.4 This Sub-Processing Agreement shall have precedence over any conflicting terms in the Agreement.
2. DEFINITIONS
2.1 “Agreement” means the agreement entered into between the Parties and which includes the content of the GTC, this Sub-Processing Agreement, along with any other agreement, which may be reached between the Parties concerning the Customer’s use of the Service.
2.2 “Applicable Data Protection Legislation” means, unless otherwise agreed separately, the Data Protection Acts in Sweden and the binding regulations and decisions issued by the Data Protection Authorities in Sweden, Denmark and Norway to the extent these Data Protection Acts and such binding regulations and decisions apply to the processing of personal data under this Sub-Processing Agreement.
2.3 “Data Controller” means one or all (as the case may be) of the Customer’s customers and whose personal data Wolters Kluwer shall process under this Sub-Processing Agreement in the capacity as sub-processor.
2.4 “GTC” means the General Terms and Conditions Online Services that govern the rights and obligations of the Parties concerning Customer’s use of the Service.
2.5 “Service” means the Customer’s use of Wolters Kluwer’s online application services.
2.6 Terms with initial capital letters in this Sub-Processing Agreement shall have the meaning specified in the Agreement. Other terms in this Sub-Processing Agreement shall be interpreted in accordance with Applicable Data Protection Legislation.
3. PROCESSING OF PERSONAL DATA
3.1 Instructions
3.1.1 The Data Controllers are, in their capacity as controller of personal data, responsible for personal data being processed under this Sub-Processing Agreement in accordance with Applicable Data Protection Legislation. The Customer is responsible for ensuring that Wolters Kluwer does not process any categories of personal data other than those specified in Appendix 1 (Specification of the Processing of Personal Data) and to the extent specified therein.
3.1.2 Wolters Kluwer, and each person authorised to perform work on its behalf, undertakes to only process personal data in accordance with the Data Controllers’ documented instructions, unless Wolters Kluwer is obligated to process the personal data pursuant to applicable Swedish or European legislation. In such event, Wolters Kluwer shall inform the Customer about this obligation before the processing begins, to the extent that this is permissible under applicable rules. The Customer shall thereafter inform the Data Controllers about this obligation. Each Party shall ensure that the other Party is entitled to process contact details and any other personal data of its employees if and to the extent that this is necessary to facilitate the performance of the Service.
3.1.3 Wolters Kluwer shall be entitled to process personal data for the purposes of maintaining and supplying support as regards the Service. Wolters Kluwer shall also be entitled to process personal data for the purposes of developing and improving the Service, provided that this is expressly indicated by Appendix 1 (Specification of the Processing of Personal Data).
3.1.4 This Sub-Processing Agreement, including Appendix 1 (Specification of the Processing of Personal Data), constitutes the Data Controllers’ complete instructions for the processing of personal data under this Sub-Processing Agreement, with the exception of any written instructions that the Data Controllers are obliged to provide during the term of the Agreement in order to comply with Applicable Data Protection Legislation. The Customer is responsible for ensuring that the Data Controllers’ complete instructions are set out in this Sub-Processing Agreement and that the Data Controllers’ complete instructions are provided to Wolters Kluwer during the term of the Agreement. All other amendments to the instructions shall be agreed separately by the Parties. Wolters Kluwer shall be entitled to reasonable compensation from the Customer for abiding by the amended written instructions.
3.1.5 To the extent required under Applicable Data Protection Legislation, the Customer is upon Wolters Kluwer’s written request obligated to provide Wolters Kluwer with the name and contact details of the Customers.
3.2 Security measures
3.2.1 Wolters Kluwer shall implement the organisational and technical measures required pursuant to Applicable Data Protection Legislation and those stated in Appendix 1 (Specification of the Processing of Personal Data) and also those that may otherwise be stipulated in the Agreement in order to protect the personal data processed against personal data breaches (“security measures”).
3.2.2 When performing the Service, Wolters Kluwer shall abide by the security measures specified in Appendix 1 (Specification of the Processing of Personal Data) and as may be stipulated in the Agreement and otherwise its internal security regulations. After signing of the Agreement, Wolters Kluwer may amend its internal security regulations in accordance with the terms of the Agreement, provided that the amendment is compliant with Applicable Data Protection Legislation.
3.2.3 The Customer is responsible for ensuring that the security measures agreed in accordance with Sub-clause 3.2.2 comply with the Data Controllers’ data security obligations pursuant to the Applicable Data Protection Legislation as regards the personal data processed. If the Customer, on a Data Controller’s behalf, requests an amendment of the security measures, the same provisions as apply for the Customer’s instructions according to Sub-clause 3.1.4 shall apply to such a request.
3.2.4 If Wolters Kluwer discovers that the security measures agreed in accordance with Sub-clause 3.2.2 wholly or in part conflict with Applicable Data Protection Legislation, Wolters Kluwer shall notify the Customer in writing within a reasonable time. The Customer is responsible for immediately notifying the Data Controllers about this. If the Customer fails to provide new instructions to Wolters Kluwer within a reasonable time despite being asked to do so, Wolters Kluwer is entitled to implement any reasonable and necessary security measures required by Applicable Data Protection Legislation at the cost of the Customer.
3.3 Reporting personal data breaches
3.3.1 Wolters Kluwer shall notify the Customer without undue delay after becoming aware of a personal data breach. The Customer is responsible for immediately notifying the Data Controllers about this in accordance with Applicable Data Protection Legislation.
3.4 Sub-processors and transfers to third countries
3.4.1 Wolters Kluwer shall be entitled to engage sub-processors within and outside the EU/EEA for the processing of personal data under this Sub-Processing Agreement. Wolters Kluwer shall ensure that sub-processors are bound by written agreements that impose the same obligations when processing personal data as those obligations laid down in this Sub-processing Agreement. Where the sub-processor fails to fulfil its obligations under such agreement, Wolters Kluwer shall remain fully liable to the Customer for the performance of the sub-processor's obligations.
3.4.2 Wolters Kluwer shall notify the Customer if Wolters Kluwer intends to replace or engage a new sub-processor. Wolters Kluwer shall then state the sub-processor’s name and details of the location of the processing and, at the Customer’s written request, information about the processing activity to be undertaken by the sub-processor on behalf of Wolters Kluwer. The Customer shall be entitled to object to such changes in writing within 30 days of Wolters Kluwer’s notice. If Wolters Kluwer still intends to replace or engage a new sub-processor despite the Customer’s objection, the Customer shall be entitled to terminate the Agreement for the Service affected within 30 days of Wolters Kluwer’s notice of the change. Notice of termination shall be given in writing, and the notice period shall be at least 30 days but no more than 60 days. Wolters Kluwer shall then reimburse the Customer for any charges paid for the period after the expiry of the notice period. If the Customer has a justifiable reason for its objection, Wolters Kluwer may not, for the Service affected, engage the new sub-processor for the processing of the Customer’s personal data during the Customer’s notice period. If the Customer does not have a justifiable reason for its objection, the Customer’s notice shall be regarded as a premature notice of termination without cause, whereby the Customer shall pay the compensation stated in the Agreement for such termination and otherwise an amount corresponding to 25% of the remaining monthly charges for the Service from the expiry of the notice period. A ‘justifiable reason’ shall in this Sub-clause mean circumstances on the part of the sub-supplier that significantly affect, or are likely to affect, the protection of the data subject’s personal data, e.g. where the new sub-processor does not satisfy the requirements on processors in Applicable Data Protection Legislation.
3.4.3 The Customer shall ensure that Wolters Kluwer is entitled to enter into the European Commission’s standard contractual clauses for transfer of personal data to a third country or any provisions succeeding these, on the Data Controllers’ behalf.
3.5 Obligation to assist the Customer
3.5.1 Wolters Kluwer shall, in addition to the provisions of Sub-clause 3.2 (Security measures), implement appropriate technical and organisational measures in order to, at the Customer’s written request, assist the Data Controllers in fulfilling the Data Controllers’ obligation to respond to the requests for exercising the data subject's rights laid down in Chapter III of the General Data Protection Regulation. Wolters Kluwer shall only be required to perform its obligations as set forth in this Sub-clause 3.5.1 insofar as it is possible and to the extent the nature of the processing requires it.
3.5.2 Taking into account the nature of processing and the information available to Wolters Kluwer, Wolters Kluwer shall also be obliged at the written request of the Customer to assist the Data Controllers in ensuring compliance with the Data Controllers’ obligations in respect of security for processing, personal data breaches, data protection impact assessments and prior consultation in accordance with Applicable Data Protection Legislation.
3.5.3 Unless otherwise agreed in writing, Wolters Kluwer shall be entitled to reasonable compensation from the Customer for Wolters Kluwer’s assistance to the Data Controllers in accordance with Sub-clause 3.5.
3.6 Disclosure of personal data
3.6.1 Wolters Kluwer shall not disclose or otherwise reveal any personal data covered by the Sub-Processing Agreement to a data subject or third party, unless otherwise stated in the Agreement or required by law or a court or official authority’s decision. In the event that Wolters Kluwer must disclose such personal data due to law or a court or official authority’s decision, Wolters Kluwer shall notify the Customer of the disclosure, unless this is prohibited by applicable law or a court or official authority’s decision.
3.6.2 Wolters Kluwer shall notify the Customer without undue delay about any enquiries from a data subject, the Data Protection Authority or another supervisory authority that refer specifically to the processing of personal data under this Sub-Processing Agreement and also refer such data subject, the Data Protection Authority or another supervisory authority to the Customer. Wolters Kluwer shall be entitled to reasonable compensation from the Customer for any requested cooperation that refers specifically to the processing of personal data processed under this Sub-Processing Agreement that is not a consequence of Wolters Kluwer being in breach of its obligations under the Sub-Processing Agreement regarding the processing of personal data.
3.6.3 The Customer is responsible for informing the Data Controllers about any notification from Wolters Kluwer under this section 3.6.
4. AUDIT
4.1 Wolters Kluwer shall make available to the Customer all information necessary to demonstrate compliance with the Applicable Data Protection Legislation’s requirements on processors and allow for and contribute to audits, including inspections, conducted by the Data Controllers or another auditor mandated by the Data Controllers. In the event that a Data Controller wishes to conduct an inspection, such Data Controller shall provide Wolters Kluwer with reasonable prior notice and shall at the same time specify the content and scope of the inspection. Wolters Kluwer may charge the Customer for any reasonable costs incurred in conjunction with the audit.
4.2 Wolters Kluwer shall immediately inform the Data Controller if Wolters Kluwer considers that information, including inspections, in accordance with Sub-clause 4.1 above, is not required or infringes Applicable Data Protection Legislation. An inspection may only be conducted if an audit cannot according to Applicable Data Protection Legislation be met by Wolters Kluwer providing information.
4.3 A precondition for an audit under Sub-clause 4.1 is that the Data Controllers or an auditor mandated by the Data Controllers has entered into necessary confidentiality undertakings and complies with Wolters Kluwer’s security regulations at the location where the inspection is to be performed, including that the inspection will be performed without any risk of it hindering Wolters Kluwer’s business or the protection of other customers’ information. Information collected as part of the inspection shall be erased after the audit has been completed or when it is no longer needed for the purpose of the audit.
5. CONFIDENTIALITY
5.1 Wolters Kluwer’s processing of the Data Controllers’ personal data under the Sub-Processing Agreement is covered by the confidentiality provisions included in the Agreement.
5.2 Wolters Kluwer is obligated to ensure that only such personnel that directly require access to the personal data in order to fulfil Wolters Kluwer’s obligations in accordance with this Sub-Processing Agreement have access to the personal data. Wolters Kluwer shall ensure that such personnel are bound by an adequate confidentiality agreement.
6. REMUNERATION FOR WORK PERFORMED
6.1 In addition to what is otherwise stated in this Sub-Processing Agreement, Wolters Kluwer shall be entitled to reasonable remuneration for complying with the Customer’s written instructions, provided that the action requested is not included in the Service and specified in the Agreement. If Wolters Kluwer is entitled to remuneration for work performed, the price list applicable in the Agreement shall apply to such work and, in the absence of such, Wolters Kluwer’s current price list.
7. LIABILITY ACCORDING TO APPLICABLE DATA PROTECTION LEGISLATION
7.1 If Wolters Kluwer:
a) becomes the Party liable to pay damages to the data subject under Applicable Data Protection Legislation, or
b) becomes the Party liable to pay damages as regards damages to the data subject to the Data Controllers under Applicable Data Protection Legislation, and
c) the Customer was involved in the same processing that constitutes the ground for any such claim,
the Customer shall reimburse Wolters Kluwer for such part of the compensation that Wolters Kluwer according to law is obliged to pay to the data subject and/or Data Controller that exceeds the compensation that Wolters Kluwer is lawfully obligated to pay to the data subject and/or the Data Controller if Wolters Kluwer has not complied with the General Data Protection Regulation’s obligations specifically directed to Wolters Kluwer as processor, or where Wolters Kluwer has acted outside or contrary to the lawful instructions issued by the Data Controllers in their capacity as controller. The Customer shall also reimburse Wolters Kluwer’s reasonable and proportional (in relation to the Customer’s responsibility) costs, including compensation for litigation costs that Wolters Kluwer has become obliged to pay to a data subject or Data Controller, for defending itself against such claims.
7.2 If the Customer becomes the Party liable to pay damages to the data subject under Applicable Data Protection Legislation, and Wolters Kluwer was involved in the same processing that constitutes the ground for the data subject’s claim, Wolters Kluwer shall reimburse the Customer for such part of the compensation that the Customer is according to law obliged to pay to the data subject that corresponds to the compensation Wolters Kluwer is lawfully obligated to pay if Wolters Kluwer has not complied with the General Data Protection Regulation’s obligations specifically directed to Wolters Kluwer as processor, or Wolters Kluwer has acted outside or contrary to the lawful instructions issued by the Data Controllers in their capacity as controller and Wolters Kluwer cannot prove that Wolters Kluwer is not responsible in any way for the event giving rise to the damage. Wolters Kluwer shall also reimburse the Customer for its reasonable and proportional (in relation to Wolters Kluwer’s responsibility) costs, including compensation for litigation costs that the Customer has become liable to pay to the data subject, for defending itself against such claims. Wolters Kluwer’s overall responsibility under this Sub-Processing Agreement in accordance with this Sub-clause 7.2 is limited to an amount corresponding to 150% of the first 12 months’ fees for the Service affected, except in the case of intent or gross negligence.
7.3 A Party’s obligation to reimburse the other Party under this Clause 7 shall survive the termination and expiration of the Agreement.
7.4 A Party receiving a claim covered under this Sub-Processing Agreement shall within a reasonable time notify the other Party in writing about such a claim when the Party deems it likely that a claim against the other Party as set forth in this Clause 7 will be pursued, allow the other Party to review the data subject’s and the Party’s documentation in such proceedings and to provide its comments. No later than within six months from when the Party became liable to pay damages to the data subject shall the Party make a claim for reimbursement as set forth in this Clause 7.
7.5 A Party’s liability for other types of damages than what is expressly governed by this Clause 7 shall be exclusively governed by the Agreement.
8. TERM OF SUB-PROCESSING AGREEMENT AND MEASURES UPON TERMINATION OF THE SUB-PROCESSING AGREEMENT
8.1 This Sub-Processing Agreement is valid for as long as Wolters Kluwer is processing personal data on behalf of the Data Controllers under this Sub-Processing Agreement. The Customer is responsible for immediately notifying Wolters Kluwer when the agreement between the Customer and a Data Controller has terminated and the personal data Wolters Kluwer is processing on such Data Controller’s behalf shall be deleted by Wolters Kluwer.
8.2 Upon the termination of the agreement between the Customer and a Data Controller, Wolters Kluwer shall, at the Customer’s request that shall be made no later than 60 days after the termination of the agreement between the Customer and the Data Controller, unless the Parties have agreed upon another time limit, and at the option of the Customer, delete or promptly return all personal data to the Customer or to the party nominated by the Customer. The personal data available electronically shall also, if the Customer so requests, be submitted in electronic form in accordance with the Customer’s instructions, provided this is reasonable. The Customer is responsible for ensuring that the Customer’s requests to Wolters Kluwer under this Sub-clause 8.2 are made in accordance with the Data Controllers’ instructions. If a Data Controller should provide instructions under this Sub-clause 8.2 directly to Wolters Kluwer regarding the processing of its personal data, Wolters Kluwer shall comply with such instructions. Wolters Kluwer may delete existing copies of the personal data following expiry of the above-mentioned period, unless applicable Swedish or European legislation requires otherwise.
8.3 After transferring the Data Controller’s personal data, or if no such transfer has been requested by the Customer after the expiration of the 60-day period mentioned in Sub-clause 8.2, Wolters Kluwer shall delete the Data Controller’s personal data within a reasonable time, but no later than within six months from the termination of the agreement between the Customer and the Data Controller. After the termination of the Agreement, Wolters Kluwer must not process personal data for other purposes than to delete or protect the Data Controller’s personal data from personal data breaches, unless Applicable Data Protection Legislation requires otherwise. Wolters Kluwer shall be entitled to reasonable compensation for any work as set forth in Sub-clauses 8.2 and 8.3 in accordance with Wolters Kluwer’s current price list. Wolters Kluwer shall, upon request, provide written information about what measures have been taken in conjunction with the termination of the Agreement or, alternatively, confirm that Wolters Kluwer has taken the measures required to comply with Sub-clauses 8.2 and 8.3.
________________
Appendix 1
Specification of the Processing of Personal Data
1. INSTRUCTIONS
1.1 Brief description of the Service and the purposes of the processing
Wolters Kluwer will process the personal data to the extent necessary to provide the Service pursuant to the Agreement and as further specified in the Specification, and as further instructed by the Customer in its use of the Service.
1.2 Categories of personal data
- Identification numbers such as social security numbers and IP-addresses
- Contact information such as names, email addresses, telephone numbers and physical addresses
- Financial information insofar as necessary to perform compliance processes such as closing of books, tax declaration and audit
- Information on social and/or societal status insofar as necessary to perform compliance processes such as closing of books, tax declaration and audit
1.3 Categories of data subjects
Employees of the Data Controllers.
Clients of the customers.
1.4 Processing activities
Storage, administration, erasure and error correction of personal data and such other processing activities that are required to process the personal data in accordance with the Customer’s instructions and to ensure that the Customer can use the compliance processes supported by the Service, such as closing of books, tax declaration and audit services.
1.5 Location of personal data processing
Sweden, Denmark, USA, The Netherlands, Ireland, Spain and Germany.
1.6 Use for the purposes of improving the Services
1.6.1 Specification of the categories of personal data that may be used for the purposes of improving services that the Customer has ordered:
Email address and name of the Data Controller’s employees.
1.6.2 This personal data shall be obtained from the following processing activities that Wolters Kluwer performs on behalf of the Customer:
License management processing.
End-user support processing.
1.6.3 And may only be used by Wolters Kluwer for the purposes of improving and/or developing the following kinds of service or categories of service ordered by the Customer:
Improve end-user support and issue handling.
Improve software products and related services.
2. SECURITY MEASURES
2.1 Physical access control
See Wolters Kluwer Global IT Security Policy (GBS), and Wolters Kluwer Information Security Baseline (GDPR Privacy Library #6.1).
2.2 Access control for systems
See Wolters Kluwer Global IT Security Policy (GBS), and Wolters Kluwer Permission Management Policy and Matrix (GDPR Privacy Library #4.1).
2.3 Access control for personal data
See Wolters Kluwer Global IT Security Policy (GBS), and Wolters Kluwer Permission Management Policy and Matrix (GDPR Privacy Library #4.1).
2.4 Access controls during transfers
Wolters Kluwer enforces encryption in transit whenever (personal) data is transmitted electronically outside of Wolters Kluwer’s secure IT environment. Wolters Kluwer enforces encryption in transit and encryption at rest when practically possible within Wolters Kluwer’s secure IT environment. Backup data is always encrypted.
2.5 Control of personal data entry
Wolters Kluwer maintains an Audit Trail of the processing of personal data in accordance with the General Data Protection Regulation.
2.6 Accessibility checks
Wolters Kluwer has backup and restore processes in place for all business-critical data, including personal data. These processes are regularly tested and maintained.
2.7 Separation checks
Wolters Kluwer actively maintains a comprehensive register of all personal data processing activities, including the purpose of each processing. This register is used, amongst other things, to ensure that personal data is used only for its explicitly stated purpose.
2.8 Retention rules
2.8.1 During the term of the Agreement: As soon as possible and at the latest within one month from when the Customer asked for the personal data to be erased.
2.8.2 After the Agreement has ceased to apply: See Sub-clause 8.2 of the Sub-Processing Agreement.
2.9 Security policy
See Wolters Kluwer Global IT Security Policy (GBS).
2.10 Certifications, etc.
See Wolters Kluwer Global IT Security Policy (GBS), which is based on ISO27001.
3. PRE-APPROVED SUB-PROCESSORS
Wolters Kluwer is entitled to use the following sub-processors to process personal data under this Sub-Processing Agreement:
Name | Location of processing (Country) |
Tele2 Business AB | Sweden |
Itadel AS | Denmark |
B4Restore AS | Denmark |
Penneo APS | Denmark |
Amazon Web Services | Ireland, Germany, Sweden |
Microsoft (Azure) | Ireland, Netherlands |
Citycloud | Sweden |
Sendgrid, Inc. * | USA, Standard Contractual Clauses (SCC) |
Multisoft AB | Sweden |
Wolters Kluwer Espana S.A | Spain |
* Used for e-mail notifications in the service (like in document archive and periodical reports).
Last update of the list of Sub-Processors: November 2020
The terms and conditions above are dated November 2020.