Between you (“Personal Data Controller” and customer of PAAM) and PAAM Systems, org. nr 556842-0672, Idrottsvägen 33, 702 32 Örebro (“Personal Data Processor”).

General

Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), hereinafter called the Regulation, requires written Personal Data Processor agreements when a party is to process personal data on behalf of another party. PAAM Systems Processes Personal Data in order to comply with signed agreements with its customers.

1. Definitions

1.1. “Personal Data” refers to any information relating to an identified or identifiable physical person, wherein an identifiable physical person is a person who can be identified directly or indirectly with reference to an identifier. Examples of identifiers are a name, identification number, location or online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the physical person.

1.2. “Registered” means the person to whom the Personal Data refers.

1.3. “Process” or “Processing” means an action or combination of actions on sets of Personal Data, whether performed by automated means or not, such as collection, registration, organization, structuring, storage, processing or modification, production, reading, use, transfer by transmission, dissemination or provision by other means, adjustment or assembly, restriction, erasure or destruction.

1.4. “Regulation” refers to GDPR (General Data Protection Regulation).

1.5. Otherwise, terms in this agreement shall be interpreted in accordance with the Regulation.

2. The Personal Data Processor's commitments

2.1. The Personal Data Processor commits to comply with GDPR as well as to keep informed of the Regulation and related legislation relevant to the agreed Processing.

2.2. The Personal Data Processor may only Process Personal Data in accordance with this agreement or, from time to time, by instructions provided by the Personal Data Controller. If the Processor does not have instructions that the Processor assesses are necessary to carry out the task assigned, or the instructions violate the Regulation, the Processor shall promptly inform the Controller and await further instructions. New instructions shall be documented.

2.3. Upon the use of additional Personal Data Processors, the Processor shall ensure that this additional Processor commits to perform the Processing to the same standards as this agreement states. The Personal Data Controller must give prior written approval if the Processor is to replace or use a new additional Processor.

2.4. The Personal Data Processor shall only Process Personal Data on equipment physically located within the EEA, including the use of cloud services. The Processor owns the right to move the data when deemed necessary for security reasons or to ensure the service level, but only after consulting the Personal Data Controller.

2.5. For those cases where a Registered, the authorities or any other third party requests information from the Processor, the Processor shall refer to the Controller to withhold such information.

2.6. The Processor shall promptly inform the Controller of any contacts from the authorities that may be of importance for the Processing of Personal Data. The Processor is not entitled to represent the Controller or act for the Controller against the authorities or any third party.

2.7. Upon detection of an incident regarding Personal Data, the Processor shall inform the Controller without unnecessary delay.

2.8. The Processor shall take reasonable technical and organizational measures to protect Personal Data against unauthorized access, destruction and amendment in accordance with the requirements of the Regulation, with regard to the requirements of Article 32.

2.9. To the extent that it is relevant to the nature, extent, context and purpose of the treatment, the Processor shall carry out an impact assessment to determine if it is likely that the Processing may lead to a high risk for the natural persons' rights. The impact assessment shall be based on Article 35 in the Regulation. The Processor shall consult the authorities if the assessment shows that the Processing leads to a high risk for the Registered.

2.10. The Processor shall, upon termination of this agreement, transfer all Personal Data onto specified media and make sure there are no copies or backups left. This applies if the functions integrated in the product are not sufficient for some reason.

2.11. The Personal Data Processor may not, in any event, convey Personal Data outside the EEA without the consent of the Personal Data Controller.

3. The Personal Data Controller's commitments

3.1. The Personal Data Controller shall ensure that the Processing is made in accordance with the Regulation. The Controller is responsible, inter alia, for informing the Registered of the Processing and, if necessary, for gathering consent.

3.2. The Controller shall inform the Processor without delay of any changes in the Processing of Personal Data that may affect the Processor.

4. Confidentiality

4.1. The Personal Data Processor undertakes not to disclose any information to a third party regarding the Processing of Personal Data covered by this agreement or any other instructions received from the Controller. This commitment does not apply to information submitted to the data inspection board. The confidentiality obligation also applies after this agreement has expired.

4.2. The Processor undertakes to ensure that individuals authorized to Process Personal Data undertake the same level of confidentiality as applies to the Personal Data Processor under this agreement or applicable law.

5. Responsibility

5.1. In case a Registered or other third party directs claims against the Personal Data Controller due to the Processing of Personal Data by the Personal Data Processor, the Controller shall be held free from the complaint. This applies if the claim is due to the Processor's violation of this agreement or if notified instructions have not been followed.

6. Agreement rewording

6.1. If required by law in the field of regulatory requirements, this agreement shall be renewed without undue delay in such manner that it is compliant with the legislation that caused the rewording.

7. Agreement period

7.1. This agreement is valid for as long as the Personal Data Processor is Processing Personal Data for the Personal Data Controller. This is governed by a separate agreement describing the type of service to which the Processing refers.