DATA PROCESSING AGREEMENT



This Data Processing Agreement (the “DPA”) is entered into between the Customer (below, the “Controller”) and Husqvarna AB (below, the “Processor”), as the Processor may process personal data on behalf of the Controller within the scope of providing Fleet Services. This DPA forms part of the terms and conditions for Fleet Services (the “Terms and Conditions”). The provisions relating to assistance to the Controller in complying with its own obligations under regulation (EU) 2016/679 will not apply to the Processor in respect of Customers not subject to regulation (EU) 2016/679.

  1. DOCUMENTS

This DPA consists of this main document and Appendices 1 and 2 (Instructions and Security Measures).

  2. DEFINITIONS AND INTERPRETATION

In this DPA, capitalized terms shall have the meanings set out below or if not defined herein, the meanings set forth in Applicable Legislation or elsewhere in the Terms and Conditions for Husqvarna Fleet Services.

Applicable Legislation means (i) regulation (EU) 2016/679 as amended, supplemented and/or varied from time to time (the “GDPR”) and (ii) any applicable supplementary legislation to the GDPR.

Personal Data means the personal data (as defined in Applicable Legislation) specified in Appendix 1 hereto.

  3. INSTRUCTIONS

  3.1 The Processor shall process the Personal Data in accordance with the DPA, Applicable Legislation and the Controller’s written instructions set forth in Appendix 1. The Controller is responsible for meeting the obligations of a data controller under Applicable Legislation.

  3.2 The Processor may not process the Personal Data for any other purposes or in any other way than as instructed by the Controller in writing from time to time.

  3.3 In the event the Processor considers that any instruction violates Applicable Legislation, the Processor shall refrain from acting on such instruction and shall promptly notify the Controller and await amended instructions.

  3.4 Husqvarna AB may act in the capacity of Controller in relation to the Personal Data when Husqvarna uses the Personal Data for its own purposes, such as its own direct marketing activities, to identify issues, manage and improve Fleet Services and/or for any statistical purposes.

  4. SECURITY MEASURES

  4.1 The Processor shall at all times maintain adequate technical and organizational security measures to ensure that the Personal Data is protected. The security measures are detailed in Appendix 2.

  4.2 The Processor shall ensure (i) that only authorized employees who need access to the Personal Data for the fulfilment of the Processor’s obligations under the Terms and Conditions have access to the Personal Data, (ii) that the authorized employees process the Personal Data only in accordance with this DPA and the Controller’s instructions, and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Personal Data.

  4.3 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, in accordance with Applicable Legislation.

  5. THE PROCESSOR’S OBLIGATIONS TO ASSIST

The Processor shall assist the Controller in accordance with Applicable Legislation, with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation, by ensuring appropriate technical and organizational measures. The Processor shall further, in accordance with Applicable Legislation, assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR.

  6. SUB-PROCESSORS

  6.1 The Processor may engage third parties to process the Personal Data or any part thereof on its behalf (each such third party, a “Sub-Processor”). Where the Processor intends to engage a new Sub-Processor, other than the pre-authorized Sub-Processors listed in the Fleet Services web platform, the Controller must be informed thereof in writing (including electronic form). The new Sub-Processor may process the Personal Data if the Controller has not objected in writing within ten (10) days after such information was provided. The Processor is responsible towards the Controller for its Sub-Processors’ acts and omissions as for its own. The Processor undertakes to maintain an updated list of all engaged Sub-Processors, which will be kept available on the Fleet Services web platform.

  6.2 The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations at least reflecting those undertaken by the Processor under this DPA.

  6.3 In the event the Controller objects to any new Sub-Processor in accordance with Section 10, the Processor shall refrain from using such Sub-Processor. If that is not practically or commercially reasonable according to the Processor, the Controller shall at its sole discretion be entitled either to (i) compensate the Processor for any additional costs incurred by it due to such objection, or (ii) cease all use of the Fleet Services by terminating the Services in accordance with the Terms and Conditions.

  7. TRANSFERS TO THIRD COUNTRIES

The Processor is entitled to transfer personal data outside the EU/EEA, or engage a Sub-Processor to process Personal Data outside of the EU/EEA, provided the Processor has an applicable legal ground for such transfer. The Processor shall upon the Controller’s request provide documented evidence showing the applicable legal ground for the transfer.

  8. AUDIT

  8.1 Upon the Controller’s request, the Processor will once per calendar year provide to the Controller the information necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation and this DPA.

  8.2 If the Controller, despite receiving the information set out in Section 15 above, has a legitimate and documented reason to suspect that the Processor does not fulfill its obligations under Applicable Legislation and this DPA, the Controller shall be entitled, on 30 days’ written notice, to carry out an audit of the Processor’s processing of the Personal Data and of information relevant in that respect. The Processor shall assist the Controller, disclose any information necessary and provide the access necessary in order for the Controller to carry out such audit. Each Party shall bear its own costs for such audit.

  8.3 If a data protection authority carries out an audit of the Processor which may involve the processing of Personal Data, the Processor shall promptly notify the Controller thereof.

  9. COSTS

The Controller shall bear all costs incurred by the Processor due to any altered or additional instructions issued by the Controller regarding the processing of the Personal Data or the Processor’s security measures, unless the Controller has altered or added its instructions in order to comply with new legal requirements under Applicable Legislation.

  10. LIMITATION OF LIABILITY

  10.1 Each Party’s liability for damages under this DPA is governed by the Terms and Conditions.

  10.2 Notwithstanding Section 10.1 above, if a Party becomes liable to a data subject under Applicable Legislation and the other Party was involved in the same processing as formed the basis for the data subject’s claim, the other Party shall (in accordance with Article 82.5 of the GDPR) reimburse the liable Party with the part of the compensation corresponding to the other Party’s share of the responsibility for the damage. In addition, the other Party shall compensate the liable Party for fair and proportionate (in relation to the other Party’s liability) costs of defending such claims.

  10.3 A Party subject to a claim from a data subject shall within a reasonable time inform the other Party in writing of the claim, if it is likely that claims against the other Party may be made. The other Party shall be given insight into the data subject’s and the Party’s documents in such lawsuit and shall be given the opportunity to comment on them.

  11. RETURN AND DELETION OF DATA

Upon termination of the Fleet Services, the Processor shall, on the Controller’s instruction, transfer the Personal Data to the Controller (such transfer to be made in a common machine-readable format). The Processor will erase the Personal Data from its systems no earlier than 30 days and no later than 60 days after the effective date of termination of the Fleet Services.

  12. TERM

This DPA shall, notwithstanding the term of the Terms and Conditions, enter into effect when the Processor commences to process Personal Data on behalf of the Controller and shall terminate when the Processor has erased the Personal Data in accordance with Section 11 above.

___________


APPENDIX 1 – INSTRUCTIONS

Purposes of the processing

The main purpose of Fleet Services as such is not to be a tool for processing of personal data on behalf of Husqvarna’s Customers. However, there may be fields or areas where the Controller or an individual user can insert information which may contain personal data, and which will result in Husqvarna AB becoming a data processor.

The purpose of the processing is thus to enable the Controller to use Fleet Services as desired, which includes enabling identification and access management, settings and preferences and to operate, manage and support Fleet Services.

The character of the processing

The processing mainly consists of storage and any other action required to provide Fleet Services, which may depend on the field or area filled out by the Controller. All processing may also include day-to-day actions with the Personal Data which are for the fulfilment of and within the scope of these instructions.

The period of the processing

The Personal Data will be processed for as long as the Controller chooses to keep the Personal Data within Fleet Services.

Categories of data subjects

The categories of data subjects depend entirely on the Controller but will normally be employees or consultants of the Controller.

Categories of personal data

The categories of personal data will also depend entirely on the Controller but will usually be the data subject’s first and last name, title and/or user roles, organizational affiliation, contact details such as e-mail and phone number, password, location data (country), language preferences, notification settings, time zone, IP address, device type, OS version, App version, usage history and metadata.





APPENDIX 2 – SECURITY MEASURES

Control of physical access to premises

Technical and organizational measures to control physical access to premises and facilities, particularly to identify permitted personnel at entry:


  • Locked doors on all entrances / exits (e.g., electronic locks; physical locks; etc.)

  • Presence of security personnel (e.g., security at the front desk)

  • Burglar alarm systems


Control of access to IT systems


Technical and organizational security measures designed to ensure that users with access to the relevant IT systems are identified and authenticated:


  • IT security systems requiring individual users to log in using unique user names

  • State-of-the art encryption applied to all data ‘in transit’

  • State-of-the art encryption applied to all data ‘at rest’

  • Password databases are subject to strong encryption / hashing

  • Training for employees regarding access to IT systems

Control of access to Personal Data

Technical and organizational security measures designed to ensure that users with access to the Personal Data are identified and authenticated:


  • ‘Read’ rights for systems containing Personal Data restricted to specified personnel roles

  • ‘Edit’ rights for systems containing Personal Data restricted to specified personnel roles or profiles

  • State-of-the art encryption on drives and media containing Personal Data (e.g., using Sophos SafeGuard; TrueCrypt; etc.)

  • Secure pseudonymisation of data

Control of disclosure of Personal Data


Technical and organizational measures to transport, transmit and communicate or store data on data media and for subsequent checking:

  • Secure data networks (e.g., encrypted VPNs)

  • State-of-the art encryption for all systems used to send Personal Data (e.g., encrypted email; encrypted FTP; etc.)

  • SSL encryption for all internet access portals

Control mechanisms to ensure availability of the Personal Data



Technical and organizational measures to ensure the physical and electronic availability and accessibility of the Personal Data:


  • Documented disaster recovery procedures

  • Secure backup procedures in place, with full backups run regularly

  • Multiple backup facilities and locations

  • Secure anonymization or deletion of Personal Data

Control mechanisms to ensure separation of the Personal Data from other data


Technical and organizational measures to ensure that the Personal Data are stored and processed separately from other data:


  • Logical separation of live or production data from backup data and development or test data


