Data Processing Agreement Twine
Last Updated: October 16, 2024
This Data Processing Agreement ("DPA") is entered into by Entwine AB, reg. no. 559436-1478 ("Twine"), and the Counterparty, which may be the Customer, Sub-processor, or End Customer (as defined below). This DPA, together with Twine's updated Terms of Service (available on Twine’s website), governs the processing of personal data in connection with Twine's services and any sub-processing activities, in accordance with Regulation (EU) 2016/679 (the "GDPR") and other applicable data protection laws.
By using Twine’s services, acting as a Sub-processor, or being a Customer or End Customer, you agree to the terms of this DPA and Twine's Terms of Service (available on Twine's website), unless otherwise agreed in writing.
1. Introduction
1.1 The text of this Agreement follows the new General Data Protection Regulation (GDPR) from the EU, which entails stricter handling and storage of personal data. Through this Processing Agreement, the Parties fulfill the requirement set out in applicable data protection legislation that there must be a written agreement when the Data Controller transfers personal data to a Data Processor for processing on behalf of the Data Controller. This agreement aims to ensure that Twine processes personal data on behalf of the Customer in accordance with the requirements of Regulation (EU) 2016/679 ("GDPR").
1.2 The Processing Agreement constitutes an appendix to the User Agreement for the Twine Service and covers the same period as the User Agreement. Through the Processing Agreement and the User Agreement, the Data Controller provides instructions to the Data Processor on how the Data Processor should perform the assignment. Additional instructions on the processing of personal data must comply with the formal requirements set out in this Processing Agreement.
1.3 If anyone else, together with the Customer, is the data controller for the relevant personal data, the Customer must promptly inform Twine of this.
1.4 This Data Processing Agreement takes precedence over any conflicting provisions regarding the processing of personal data in the Main Agreement or other agreements entered into between the Parties.
1.5 For customers using Twine as an integral part of their solutions to their own customers, the following agreement extends and applies for the Data Processing service to the relevant parties.
2. Definitions
Unless clearly stated otherwise by the circumstances, the definitions used in this Agreement shall have the corresponding definition as stated in Regulation (EU) 2016/679 ("General Data Protection Regulation") and in accordance with practice.
In this Agreement, the following terms have the meanings indicated below:
Personal data: Any information that directly or indirectly can be related to a living individual.
Customer: The entity that has subscribed to Twine’s services and typically acts as the Data Controller or Processor of personal data.
Sub-processor: Any third party appointed by Twine or the Customer to process personal data on behalf of the Data Controller or Processor.
End Customer: The customer of the Customer who may also be the Data Controller of personal data, whose data is processed through the integration platform or related services.
Data Controller: The entity that alone or jointly with others determines the purposes and means of the processing of personal data.
Data Processor: The entity that processes personal data on behalf of the Data Controller.
Processing: Any operation or set of operations performed on personal data, whether automated or not, including collection, storage, use, and deletion.
3. Responsibilities and instructions of the data controller
3.1 The Data Controller (either the Customer or End Customer) is responsible for ensuring that all processing of personal data is in compliance with applicable data protection laws. The Data Processor (Twine or any Sub-processor) will process personal data solely based on documented instructions from the Data Controller or another authorized party, such as a Customer acting as a Processor on behalf of an End Customer.
3.2 If the Data Processor (including any Sub-processor) notices that the Data Controller or Customer has provided incorrect, incomplete, or insufficient instructions, the Data Processor must promptly notify the Data Controller or Customer and seek clarification.
4. Processing of personal data by the data processor and sub-processors
4.1 As stated in point 1.2 above, the Data Controller, through this Processing Agreement and the Main Agreement, gives instructions to the Data Processor on how the Data Processor should process personal data and fulfill its obligations under the Processing Agreement and applicable data protection legislation on behalf of the Data Controller. The instructions must be in writing, and the Data Controller is responsible for ensuring that the additional written instructions are permitted under points 3.1 and 3.2 above. If the instructions conflict with points 3.1 or 3.2 above, the Data Processor reserves the right to refuse to comply with the additional processing.
4.2 The Data Processor may only process personal data according to the Data Controller's instructions and applicable data protection legislation. If the Data Processor notices that the Data Controller has provided incorrect, incomplete, or deficient instructions, it must promptly notify the Data Controller in writing.
4.3 The Data Processor processes personal data on behalf of the Data Controller by providing an integration platform for data exchange between the customer's systems and may process the following data on behalf of the Data Controller:
HR information (personal data, time reporting, salary statistics, etc.)
Financial information (costs, revenues, various financial transactions)
Other information (statistics, administrative data, logistical information)
The Data Processor also processes contact information for the Data Controller's users of the Service to fulfill its obligations under the Main Agreement. In this case, the Data Processor acts as the data controller.
4.4 The Data Processor may not represent the Data Controller before a Competent Supervisory Authority. The Data Processor must inform the Data Controller in writing of contacts it has had with the Competent Supervisory Authority regarding the processing of personal data. This does not apply if Twine is legally, judicially, or administratively prohibited from doing so.
4.5 A request from a data subject directed to the Data Processor about how their personal data is processed must be forwarded to the Data Controller without undue delay. The Data Processor may only disclose information to the data subject about how their personal data is processed after receiving written approval from the Data Controller, unless there is a legal obligation for the Data Processor to provide the information.
4.6 To avoid misunderstandings, Twine has the right during the term of the processing agreement and thereafter to store and process data originating from the Customer in an aggregated or anonymized format, i.e., data that does not contain personal data.
4.7 For further processing beyond the Processing Agreement and Main Agreement, the Data Controller must provide additional instructions to the Data Processor.
4.8 Twine may engage Sub-processors to assist in the provision of services. Sub-processors will only process personal data in compliance with the instructions provided by Twine or the Data Controller (via the Customer). Sub-processors are required to implement appropriate technical and organizational measures to ensure the security of personal data.
4.9 If Twine engages a Sub-processor, Twine will ensure that the Sub-processor enters into a data processing agreement that imposes the same obligations as outlined in this DPA. Twine remains fully liable for the performance of any Sub-processor it engages.
5. Organizational and technical capacity of the data processor
5.1 The Data Processor certifies through this Processing Agreement that it possesses sufficient and necessary technical and organizational capacity and ability, including technical solutions, competence, financial and personnel resources, routines, and methods to fulfill its obligations under this Processing Agreement and applicable data protection legislation.
5.2 Within the framework of its legal obligations, the Data Processor shall assist the Data Controller in fulfilling its obligations under applicable data protection legislation. If the Data Controller's request under the first paragraph above involves cooperation regarding data protection impact assessments, prior consultations with the Privacy Authority or other competent supervisory authority, or cooperation regarding the design of technical and organizational data protection measures for the Data Controller, the Data Processor is entitled to compensation according to the applicable hourly rate at the time. The Data Processor must inform the Data Controller in writing that the requested work will be charged according to the applicable hourly rate before such work can begin.
6. Security and confidentiality
6.1 All representatives of the Data Processor have signed a confidentiality agreement through their employment contract that covers the processing of personal data on behalf of the Data Controller performed within the Service. Access to personal data must be limited to those who need them to perform their job duties.
6.2 The Data Processor must, through appropriate technical and organizational measures and routines, limit access to personal data to authorized personnel only. The measures must be adapted to a level that is appropriate considering how sensitive the personal data is, the particular risks involved, existing technical possibilities, and the costs of implementation.
6.3 The Data Processor may not disclose personal data without the Data Controller's written approval, unless the Data Processor is obligated under applicable data protection legislation to disclose the personal data.
7. Subcontractors
7.1 Through this DPA, the Customer and End Customer provide general authorization for Twine to engage Sub-processors as necessary for the provision of services. Twine will provide notice to the Customer of any new Sub-processors, allowing the Customer or End Customer to raise reasonable objections within 30 days of the notification.
7.2 If an objection is raised based on legitimate data protection concerns, Twine will work in good faith to address the concern, either by modifying the processing arrangement or engaging a different Sub-processor. If the issue cannot be resolved, the Customer may terminate this DPA or the relevant services related to the Sub-processor, subject to a 30-day notice period.
7.3 Transfer of data by the Customer, Sub-processor, or Twine to a location outside the EEA may be undertaken provided that the current requirements for such transfers under data protection regulations are met. All parties involved in the processing, including End Customers, must ensure that appropriate safeguards are implemented for any cross-border transfer, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
8. Security incident
In the event of a personal data breach, all parties involved, including Twine and any Sub-processors, must notify the Data Controller without undue delay and no later than 48 hours from becoming aware of the breach. The notification must include all relevant information to allow the Data Controller to meet its reporting obligations under applicable data protection laws.
9. Liability for damage
9.1 Twine is only liable for damage if:
a) Twine has not fulfilled such obligations specifically directed at data processors under GDPR and for which liability for damages may follow, and/or
b) Twine has acted in violation of the Agreement and has not taken corrective action following written notice from the Customer, and/or
c) Twine has acted in violation of the Customer's written and lawful instructions.
9.2 Twine can in no case be held liable for damages beyond what is provided by GDPR.
9.3 Twine will remain fully liable to the Customer for the performance of its Sub-processors' obligations under this DPA. Sub-processors must ensure they comply with the terms of this DPA and applicable data protection laws. If any Sub-processor fails to comply, Twine may be required to take corrective actions or replace the Sub-processor, as necessary.
10. Applicable law and dispute
Upon termination of this DPA, Twine, its Sub-processors, and End Customers must either return or securely delete all personal data as instructed by the Data Controller, unless applicable law requires retention. Each party will confirm in writing that such deletion has been completed.