Data Processing Agreement

Version 2024.01.01

1. Background and Interpretation

1.1 If the Customer has purchased Service(s) that entail that GleSYS, when providing such Service(s) and fulfilling the Agreement, processes personal data for which the Customer is the controller, GleSYS acts as the Customer's processor. In the event that the Customer acts as a processor on behalf of a third party who is the controller (e.g. companies within the Customer's group or the Customer's customers), GleSYS is instead a sub-processor.

1.2 This Data Processing Agreement (the "DPA") forms an integral part of the Agreement between GleSYS and the Customer. The purpose of the DPA is to ensure secure, correct and legal processing of personal data, to comply with applicable legal requirements for data processing agreements, as well as to ensure adequate protection of the personal data processed within the scope of the DPA.

1.3 In certain situations, the Customer may choose to purchase Third Party Products provided by an external supplier through GleSYS. When processing personal data within the framework of such Third Party Products, the external suppliers' data processing agreement applies instead of this DPA.

1.4 The GDPR and a supervisory authority's binding decisions, recommendations and guidelines, practices in the field of data protection, supplementary local adaptation and legislation as well as sector-specific legislation in relation to data protection are collectively referred to as the “Data Protection Rules”.

1.5 Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the GDPR and otherwise as set out in the Agreement, unless otherwise clearly indicated by the circumstances. The terms "processing" and "personal data" refer exclusively to such processing and such personal data that GleSYS processes on behalf of the Customer under the DPA.

2. Instruction and Responsibilities

2.1 Categories of personal data and categories of data subjects that GleSYS processes under the DPA as well as the purpose, nature and duration of the processing are described in the instruction on the processing of personal data, Appendix A, in relation to the respective Service.

2.2 When processing personal data, GleSYS:

  1. only processes personal data according to the Customer's documented instructions. Exceptions apply if processing is required by the GDPR, or by law to which GleSYS or the person processing personal data as a sub-processor to GleSYS ("Sub-processor") is subject. In such cases, GleSYS or the Sub-processor shall inform the Customer of the legal requirement prior to such processing, unless prohibited by applicable law;

  2. ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  3. maintains an adequate level of security of the personal data by implementing all the technical and organisational measures set out in Article 32 of the GDPR in the manner set out in clause 3 below;

  4. respects the conditions referred to in clauses 2 and 4 of Article 28 of the GDPR for the engagement of a Sub-processor;

  5. taking into account the nature of the processing, assists the Customer by appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subjects’ rights laid down in Chapter III of the GDPR;

  6. assists the Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to GleSYS;

  7. depending on the Customer's choice, deletes or returns all personal data to the Customer after termination of the Agreement, and deletes existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and

  8. provides the Customer with access to all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and the DPA and allow for and contribute to audits, including inspections, conducted by the Customer or by another auditor agreed by the parties.

2.3 If GleSYS considers that an instruction violates the Data Protection Rules, GleSYS shall inform the Customer of its position within a reasonable time and await the Customer's revised written instructions. If the Customer does not provide new instructions within a reasonable time, GleSYS shall be entitled to take reasonable and necessary security measures at the Customer's expense in order to comply with the Data Protection Rules. Furthermore, GleSYS shall immediately inform the Customer of any changes that affect GleSYS' obligations under the DPA. GleSYS shall not take any actions which may result in the Customer being deemed to be in violation of the GDPR.

2.4 The Customer undertakes and is responsible for complying with the Data Protection Rules. In particular, the Customer shall:

  1. be the contact person towards data subjects and i.e. respond to their inquiries regarding the processing of personal data;

  2. ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 13 and 14 of the GDPR and maintain a record of processing activities under its responsibility;

  3. ensure the accuracy of the documented instructions for the processing of personal data by GleSYS;

  4. immediately inform GleSYS of any changes that may affect GleSYS' obligations under the DPA;

  5. immediately inform GleSYS if a third party takes action or makes a claim against the Customer as a result of GleSYS' processing under the DPA; and

  6. immediately inform GleSYS if any other party is a data controller or joint data controller with the Customer for the processing of personal data under the DPA.

3. Security

3.1 GleSYS shall implement technical and organisational measures to protect the personal data against destruction, alteration, unauthorised disclosure and unauthorised access. The measures shall ensure a level of security appropriate to the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

3.2 More detailed descriptions of the technical and organisational security measures are described in GleSYS' Information Security Policy as applicable at any given time. GleSYS is entitled to change its technical and organisational measures provided that such changes do not adversely affect the security of the processing of personal data.

3.3 GleSYS shall notify the Customer of any accidental or unauthorised access to personal data or other personal data breach without undue delay after becoming aware of such data breach and in accordance with Article 33 of the GDPR. Such notification shall in no way imply that GleSYS has committed any wrongful act or omission, or that GleSYS shall be held liable for the data breach.

3.4 If the Customer requires additional security measures after the conclusion of the DPA, GleSYS shall strive to meet these requirements as far as possible. GleSYS is entitled to compensation for the costs resulting from GleSYS implementing such additional security measures at the Customer's request (unless the Customer can show that these are required by the Data Protection Rules); however, GleSYS endeavours to take such measures without affecting the Customer financially.

4. Disclosure of Personal Data and Contact with the Supervisory Authority

4.1 If GleSYS receives a request from a data subject, supervisory authority or any other third party regarding obtaining access to personal data processed by GleSYS on behalf of the Customer, GleSYS shall immediately forward the request to the Customer. GleSYS, or anyone working under GleSYS' direction, shall not disclose personal data or other information about the processing of personal data without explicit documented instructions from the Customer, unless GleSYS is required to do so subject to the GDPR or any other applicable laws or regulations. In the event that GleSYS is required by law to disclose personal data, GleSYS shall take all actions to request confidentiality in connection with the disclosure of the requested information and immediately inform the Customer of the disclosure, in so far as GleSYS is not prevented from doing so under applicable law.

4.2 GleSYS shall without undue delay inform the Customer of any contacts from the supervisory authority concerning the processing of personal data and provide the Customer, to the extent permitted by law, with all information relevant to the Customer in this respect. GleSYS is not entitled to represent or act on the Customer’s behalf in relation to the supervisory authority.

5. Sub-processors and Transfer

5.1 The Customer hereby grants GleSYS a general prior authorisation to engage Sub-processors. Sub-processors engaged by GleSYS at the conclusion of the Agreement are listed in the list of Sub-processors in Appendix B in relation to the respective Service. GleSYS shall enter into a personal data processing agreement with each Sub-processor, according to which the same data protection obligations as set out in this DPA are imposed upon the Sub-processor. GleSYS is responsible in relation to the Customer for the Sub-processors’ fulfilment of their obligations in relation to the Customer.

5.2 GleSYS shall inform the Customer of intended changes concerning the addition or replacement of Sub-processors, in order to give the Customer the opportunity to object to such changes. Such objections shall be made in writing and within thirty (30) days after GleSYS has informed the Customer of the intended changes in the Control Panel or to the specified email. If the Customer objects to GleSYS engaging a Sub-processor and the parties fail to reach an agreement within a reasonable period of time, either party shall have the right to terminate the DPA and/or the relevant parts of the Agreement with the notice period specified in the Agreement.

5.3 At the request of the Customer, GleSYS shall provide the Customer with a correct and up-to-date list of the Sub-processors that have been engaged in the processing of personal data, the contact details of the Sub-processors, the geographical location of such processing and which processing of personal data each Sub-processor performs.

5.4 GleSYS and/or Sub-processors shall not process or transfer any personal data outside the EU/EEA.

6. Liability

6.1 In the event of compensation for damage in connection with the DPA which, by a determined judgment or settlement, shall be paid to the data subject as a result of a breach of a provision of the DPA, instructions and/or applicable provision of the GDPR, the provisions of the GDPR concerning the party's liability shall apply. The same applies in relation to the party's liability regarding administrative fines.

6.2 If GleSYS, a Sub-processor or a person working under the supervision of GleSYS or a Sub-processor processes personal data in violation of the DPA, the Customer's instructions or the GDPR, GleSYS shall indemnify the Customer for any damage caused to the Customer due to the improper processing.

6.3 If a third party makes a claim against GleSYS due to the Customer's incorrect or inadequate instructions, the Customer shall indemnify GleSYS for such claims directly attributable to the Customer, provided that GleSYS without delay notifies the Customer in writing of such claims made against GleSYS and allows the Customer to control the defence of the claim, if the Customer so wishes, and to decide in its own discretion on any settlement.

6.4 GleSYS' liability in relation to damage other than that resulting from the above clause 6.1 in connection with the DPA is limited in accordance with the provisions of the Agreement.

7. Amendments

7.1 If the Data Protection Rules change in such a way that the DPA does not fulfil the requirements for a data processing agreement pursuant to the Data Protection Rules, the parties shall be entitled to request amendments to the DPA to meet such new, amended or clarified requirements.

7.2 Changes according to the above clause 7.1 shall become effective thirty (30) days after notification of the amendment by the party who wishes to make such amendment, unless the other party has objected to the proposed amendment to the DPA. If a party makes such an objection and the parties do not reach an agreement within a reasonable period of time, termination may be made as specified in the Agreement.

7.3 Amendments to the DPA shall be made in accordance with the Agreement.

8. Term and Termination

8.1 The DPA is valid from its conclusion and remains in force as long as GleSYS is processing personal data on behalf of the Customer, including deleting or returning personal data as stated in clause 8.2 below. The DPA shall thereafter cease to apply.

8.2 Upon termination of the DPA, GleSYS shall delete the personal data that GleSYS processes under the DPA, including any existing copies, so that the relevant personal data does not remain and cannot be recreated at GleSYS, no later than thirty (30) days after the termination of the processing. Exceptions apply in cases where the storage of personal data is required by law. GleSYS may, if the Customer so requests no later than fourteen (14) days before the termination of the DPA, return the personal data instead of deleting it.

8.3 Section 6 shall continue to apply after the termination of the DPA.

9. Miscellaneous

9.1 GleSYS is not entitled to any additional compensation for the processing of personal data in accordance with the DPA. However, GleSYS is entitled to compensation according to the current price list for any assistance and work performed by GleSYS staff in accordance with the DPA as well as additional costs arising from changes in the Customer's instructions that require GleSYS to make special adaptations on behalf of the Customer, unless the Customer can show that these changes are necessary according to the Data Protection Rules.

9.2 The DPA replaces any previous data processing agreements and/or other clauses regarding personal data processing between the parties.

9.3 In the event of a conflict between the provisions of the Agreement and the DPA, the provisions of the DPA shall prevail in relation to the processing of personal data and nothing in the Agreement shall be deemed to restrict or modify the obligations in the DPA to the extent that this results in the Customer not complying with the requirements of the GDPR.

9.4 If the Customer assigns the Agreement (in accordance with the provision of the Agreement), the DPA shall also be deemed to be assigned to the assignee of the Agreement. However, the DPA may still apply between the original parties. GleSYS shall not assign the DPA separately from the Agreement.

9.5 Swedish law, without regard to its choice of law provisions, shall under all circumstances apply to this DPA. Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provision of the Agreement.