Gridheart Data Processing Terms

Version 2018-05

These terms reflect the parties’ agreement with respect to governing the processing of personal data. These Gridheart data processing Terms (including the appendices, “Data Processing Terms”) are entered into by Gridheart and Customer and supplement the Gridheart Service Agreement(s).

These Data Processing Terms will be effective and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the Terms Effective Date.

These Data Processing Terms sets out in which manner Gridheart shall Process Personal Data on behalf of Customer.

1 Introduction

These Data Processing Terms reflect the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Legislation.

2 Definitions and Interpretation

In these Data Processing Terms:

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Customer Personal Data” means personal data that is processed by Gridheart on behalf of Customer in Gridheart’s provision of the Processor Services.

“Data Incident” means a breach of Gridheart’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Gridheart. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

“Data Subject Tool” means a tool (if any) made available by a Gridheart Entity to data subjects that enables Gridheart to respond directly and in a standardized manner to certain requests from data subjects in relation to Customer Personal Data (for example, online advertising settings or an opt-out browser plugin).

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Gridheart” means the Gridheart Entity that is party to the Agreement.

“Gridheart Affiliate Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).

“Gridheart Entity” means Gridheart AB or any other Affiliate of Gridheart AB.

“Notification Email Address” means the email address (if any) designated by Customer, via the user interface of the Processor Services or such other means provided by Gridheart, to receive certain notifications from Gridheart relating to these Data Processing Terms.

“Processor Services” means the applicable services listed at https://www.gridheart.com/privacy-services.

“Security Documentation” means any documentation that Gridheart may make available in respect of the Processor Services.

“Security Measures” has the meaning given in Section 7.1.1 (Gridheart’s Security Measures).

“Subprocessors” means third parties authorized under these Data Processing Terms to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.

“Term” means the period from the Terms Effective Date until the end of Gridheart’s provision of the Processor Services under the Agreement.

“Terms Effective Date” means, as applicable:

25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms before or on such date; or
the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms, if such date is after 25 May 2018.

“Third Party Product(s)” means any service offered through the Gridheart Marketplace by a third party.

“Third Party Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).

The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the GDPR.

Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.

Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3 Duration of these Data Processing Terms

These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Gridheart as described in these Data Processing Terms.

4 Application of Data Protection Legislation

These Data Processing Terms will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Personal Data.

5 Processing of Data

5.1 Nature and Purpose of the Processing

Gridheart will be processing (including, as applicable to the Processor Services and the instructions described in Customer’s Instructions), collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Processor Services and any related technical support to Customer in accordance with these Data Processing Terms.

5.2 Roles and Regulatory Compliance; Authorization

The parties acknowledge and agree that:

Gridheart is a processor of Customer Personal Data under the Data Protection Legislation;
Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Legislation; and
each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Customer Personal Data.

Customer Personal Data may include the types of personal data described at www.gridheart.com/privacy-services.

If Customer is a processor, Customer warrant to Gridheart that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Gridheart as another processor, have been authorized by the relevant controller.

5.3 Categories of Data Subjects

Customer Personal Data will concern the following categories of data subjects:

data subjects about whom Gridheart collects personal data in its provision of the Processor Services; and/or
data subjects about whom personal data is transferred to Gridheart in connection with the Processor Services by, at the direction of, or on behalf of Customer.

Depending on the nature of the Processor Services, these data subjects may include individuals: (a) who have visited specific websites or applications in respect of which Gridheart provides the Processor Services; and/or (b) who are customers or users of Customer’s products or services.

5.4 Customer Instructions

By entering into these Data Processing Terms, Customer instruct Gridheart to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Customer’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including these Data Processing Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Gridheart as constituting instructions for purposes of these Data Processing Terms.

5.4.1 Gridheart’s Compliance with Instructions

Gridheart will comply with the instructions described in Section 5.4 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Gridheart is subject requires other processing of Customer Personal Data by Gridheart, in which case Gridheart will inform Customer (unless that law prohibits Gridheart from doing so on important grounds of public interest).

5.4.2 Third Party Products

If Customer uses any Third Party Product, the Processor Services may allow that Third Party Product to access Customer Personal Data as required for the interoperation of the Third Party Product with the Processor Services. For clarity, these Data Processing Terms do not apply to the processing of personal data in connection with the provision of any Third Party Product used by Customer, including personal data transmitted to or from that Third Party Product.

6 Data Deletion

6.1 Deletion During Term

During the Term Gridheart will comply with:

any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless EU or EU Member State law requires storage; and
the data retention practices described at www.gridheart.com/privacy/.

Gridheart may charge a fee (based on Gridheart’s reasonable costs) for any data deletion under Section 6.1. Gridheart will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.

6.2 Deletion on Term Expiry

On expiry of the Term, Customer instruct Gridheart to delete or anonymize all Customer Personal Data (including existing copies) from Gridheart’s systems in accordance with applicable law. Gridheart will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.

7 Data Security

7.1 Gridheart’s Security Measures and Assistance

7.1.1 Gridheart’s Security Measures

Gridheart will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 1 (the “Security Measures”). Gridheart may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.

7.1.2 Security Compliance by Gridheart Staff

Gridheart will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.1.3 Gridheart’s Security Assistance

Customer agree that Gridheart will (taking into account the nature of the processing of Customer Personal Data and the information available to Gridheart) assist Customer in ensuring compliance with any obligations of Customer in respect of security of personal data and personal data breaches, including (if applicable) Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:

implementing and maintaining the Security Measures in accordance with Section 1.1 (Gridheart’s Security Measures);
complying with the terms of Section 2 (Data Incidents); and
providing Customer with the Security Documentation in accordance with Section 4.1 (Reviews of Security Documentation) and the information contained in these Data Processing Terms.

7.2 Data Incidents

7.2.1 Incident Notification

If Gridheart becomes aware of a Data Incident, Gridheart will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.

7.2.2 Details of Data Incident

Notifications made under Section 7.2.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Gridheart recommends Customer take to address the Data Incident.

7.2.3 Delivery of Notification

Gridheart will deliver its notification of any Data Incident to the Notification Email Address or, at Gridheart’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.

7.2.4 Third Party Notifications

Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.

7.2.5 No Acknowledgement of Fault by Gridheart.

Gridheart’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Gridheart of any fault or liability with respect to the Data Incident.

7.3 Customer Security Responsibilities and Assessment

7.3.1 Customer’s Security Responsibilities.

Customer agrees that, without prejudice to Gridheart’s obligations under Sections 7.1 (Gridheart’s Security Measures and Assistance) and 7.2 (Data Incidents):

Customer is solely responsible for its use of the Processor Services, including:
1. making appropriate use of the Processor Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; and
2. securing the account authentication credentials, systems and devices Customer uses to access the Processor Services; and
Gridheart has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Gridheart’s and its Subprocessors’ systems.

7.3.2 Customer’s Security Assessment.

Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Gridheart as set out in Section 7.1.1 (Gridheart’s Security Measures) provide a level of security appropriate to the risk in respect of Customer Personal Data.

7.4 Reviews and Audits of Compliance

7.4.1 Reviews of Security Documentation

To demonstrate compliance by Gridheart with its obligations under these Data Processing Terms, Gridheart will make the Security Documentation available for review by Customer.

7.4.2 Customer’s Audit Rights

Gridheart will allow Customer or a third party auditor appointed by Customer to conduct audits (including inspections) to verify Gridheart’s compliance with its obligations under these Data Processing Terms in accordance with Section 7.4.3 (Additional Business Terms for Audits). Gridheart will contribute to such audits as described in this Section 7.4 (Reviews and Audits of Compliance).

7.4.3 Additional Business Terms for Audits

Customer will send any request for an audit to Gridheart as described in Section 1 (Contacting Gridheart).
Following receipt by Gridheart of an audit request under this Section, Gridheart and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to such audit.
Gridheart may charge a fee (based on Gridheart’s reasonable costs) for any audit under Section 4.2. Gridheart will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit.
Gridheart may object to any third party auditor appointed by Customer to conduct any audit under Section 4.2 if the auditor is, in Gridheart’s reasonable opinion, not suitably qualified or independent, a competitor of Gridheart or otherwise manifestly unsuitable. Any such objection by Gridheart will require Customer to appoint another auditor or conduct the audit itself.
Nothing in these Data Processing Terms will require Gridheart either to disclose to Customer or its third party auditor, or to allow Customer or its third party auditor to access:
1. any data of any other customer of a Gridheart Entity;
2. any Gridheart Entity’s internal accounting or financial information;
3. any trade secret of a Gridheart Entity;
4. any information that, in Gridheart's reasonable opinion, could: (i) compromise the security of any Gridheart Entity’s systems or premises; or (ii) cause any Gridheart Entity to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or
5. any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Data Protection Legislation.

8 Impact Assessments and Consultations

Customer agrees that Gridheart will (taking into account the nature of the processing and the information available to Gridheart) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including (if applicable) Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by:

providing the Security Documentation in accordance with Section 4.1 (Reviews of Security Documentation);
providing the information contained in these Data Processing Terms; and
providing or otherwise making available, in accordance with Gridheart’s standard practices, other materials concerning the nature of the Processor Services and the processing of Customer Personal Data.

9 Data Subject Rights

9.1 Responses to Data Subject Requests

If Gridheart receives a request from a data subject in relation to Customer Personal Data, Gridheart will:

if the request is made via a Data Subject Tool, respond directly to the data subject’s request in accordance with the standard functionality of that Data Subject Tool; or
if the request is not made via a Data Subject Tool, advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to such request.

9.2 Gridheart’s Data Subject Request Assistance

Customer agrees that Gridheart will (taking into account the nature of the processing of Customer Personal Data and, if applicable, Article 11 of the GDPR) assist Customer in fulfilling any obligation of Customer to respond to requests by data subjects, including (if applicable) Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:

providing the functionality of the Processor Services;
complying with the commitments set out in Section 1 (Responses to Data Subject Requests); and
if applicable to the Processor Services, making available Data Subject Tools.

Gridheart is entitled to remuneration for any potential costs and expenses if Customer requests that Gridheart shall assist Customer with responding to a Data Subject's request to exercise his or her rights according to Applicable Data Protection Laws.

10 Transfer to and processing of personal data in a third country

Gridheart is entitled to transfer Personal Data belonging to Customer, to a Third Country, provided that:

the Third Country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data;
Gridheart ensures that there are appropriate safeguards in place in accordance with Applicable Data Protection Laws, e.g. standard data protection clauses adopted by the EU Commission under Applicable Data Protection Laws, that comprises the transfer and the Processing of Personal Data; or
if there are any other exemptions under Applicable Data Protection Laws that comprise the Processing of Personal Data.

For the avoidance of doubt, Personal Data may not be transferred to or Processed in a Third Country if none of the conditions outlined in Section 10 above exists.

Information about the locations of data centers is available per service at http://www.gridheart.com/privacy-services.

11 Subprocessors

11.1 Consent to Subprocessor Engagement

Customer specifically authorizes the engagement of Gridheart’s Affiliates as Subprocessors (“Gridheart Affiliate Subprocessors”). In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).

11.2 Information about Subprocessors.

Information about Subprocessors is available per service at http://www.gridheart.com/privacy-services.

11.3 Requirements for Subprocessor Engagement

When engaging any Subprocessor, Gridheart will:

ensure via a written contract that:
1. the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Data Processing Terms); and
2. if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Subprocessor; and
remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

11.4 Opportunity to Object to Subprocessor Changes

(a) When any new Third Party Subprocessor is engaged during the Term, Gridheart will, at least 30 days before the new Third Party Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor list at https://www.Gridheart.com/privacy/services and by publishing a notification in the Gridheart Platform.

(b) Customer may object to Gridheart's assignment of a Subprocessor that shall Process Personal Data on behalf of Customer within 90 days of being informed of the engagement of the new Third Party Subprocessor as described in Section 11.4(a), whereby the Parties shall seek to agree on a solution which is acceptable to both Parties. If a mutual acceptable solution cannot be reached, Customer may terminate the Service Agreement immediately upon written notice to Gridheart. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Subprocessor.

12 Contacting Gridheart; Processing Records

12.1 Contacting Gridheart

Customer may contact Gridheart in relation to the exercise of its rights under these Data Processing Terms via the methods described at https://www.gridheart.com/privacy/ or via such other means as may be provided by Gridheart from time to time.

12.2 Gridheart’s Processing Records

Customer acknowledges that Gridheart is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Gridheart is acting and (if applicable) of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Gridheart via the user interface of the Processor Services or via such other means as may be provided by Gridheart, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.

13 Liability

The provisions regarding liability under the Service Agreement shall apply correspondingly to this Data Processing Agreement.

14 Effect of these Data Processing Terms

If there is any conflict or inconsistency between the terms of these Data Processing Terms and the remainder of the Service Agreement, the terms of these Data Processing Terms will govern. Subject to the amendments in these Data Processing Terms, the Service Agreement remains in full force and effect.

15 Changes to these Data Processing Terms

15.1 Changes to URLs

From time to time, Gridheart may change any URL referenced in these Data Processing Terms and the content at any such URL. Gridheart may only change the list of potential Processor Services at https://www.gridheart.com/privacy-services:

to reflect a change to the name of a service;
to add a new service; or
to remove a service where either: (i) all contracts for the provision of that service are terminated; or (ii) Gridheart has Customer’s consent.

15.2 Changes to Data Processing Terms

Gridheart may change these Data Processing Terms if the change:

is expressly permitted by these Data Processing Terms, including as described in Section 1 (Changes to URLs);
reflects a change in the name or form of a legal entity;
is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
does not: (i) result in a degradation of the overall security of the Processor Services; (ii) expand the scope of, or remove any restrictions on, Gridheart’s processing of Customer Personal Data, as described in Section 4.1 (Gridheart’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Customer’s rights under these Data Processing Terms, as reasonably determined by Gridheart.

15.2.1 Notification of Changes

If Gridheart intends to change these Data Processing Terms under Section 15.2(c) or (d), Gridheart will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Processor Services. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Gridheart within 90 days of being informed by Gridheart of the change.

16 Confidentiality

Without prejudice to any confidentiality undertakings included in the Service Agreement, Gridheart shall keep and maintain all Personal Data in strict secrecy and not disclose any Personal Data to a third party, unless otherwise authorized in advance by Customer or otherwise required by Applicable Laws or for the performance of the Data Processing Terms and the Service Agreement. Gridheart agrees that the confidentiality undertaking under this Section 16 shall apply until all Personal Data have been returned or (upon Customer's written request) have been deleted or anonymized in a secure and irreversible way.

17 Code of Conduct

Gridheart adheres to the GÉANT Data Protection Code of Conduct.

18 Applicable law

This Data Processing Agreement shall be governed by Swedish law, without regard to any provisions regarding conflict of laws.

19 Dispute

Any dispute arising out of or in connection to this Data Processing Agreement shall be finally settled in accordance with the dispute resolution provisions of the Service Agreement.