DATA PROCESSING AGREEMENT

Table of Contents

  1. DOCUMENTS
  2. DEFINITIONS AND INTERPRETATION
  3. INSTRUCTIONS
  4. SECURITY MEASURES
  5. THE PROCESSOR’S OBLIGATIONS TO ASSIST
  6. SUB-PROCESSORS
  7. TRANSFERS TO THIRD COUNTRIES
  8. AUDIT
  9. COSTS
  10. LIMITATION OF LIABILITY
  11. RETURN AND DELETION OF DATA
  12. TERM
  13. APPENDIX 1 – INSTRUCTIONS
  14. APPENDIX 2 – SECURITY MEASURES

This Data Processing Agreement (the "DPA") is entered into between the Customer (hereinafter the “Controller”) and the Husqvarna Sales Company (hereinafter the “Processor”). The Processor may process personal data on behalf of the Controller within the scope of providing the Husqvarna Fleet Services. This DPA forms part of the Terms and Conditions for Husqvarna Fleet Services between the Controller and the Processor (the “Terms and Conditions”). The provisions relating to assistance to the Controller in complying with its own obligations under Regulation (EU) 2016/679 will not apply to the Processor in respect of Customers that are not subject to Regulation (EU) 2016/679.

1. DOCUMENTS

This DPA consists of this main document and Appendix 1 (Instructions) and Appendix 2 (Security Measures).

2. DEFINITIONS AND INTERPRETATION

In this DPA, capitalized terms shall have the meanings set out below or if not defined herein, the meanings set forth in Applicable Legislation or elsewhere in the Terms and Conditions.

Applicable Legislation

Means (i) the GDPR and (ii) any applicable supplementary legislation to the GDPR, as well as any US State Data Privacy legislation, including: the California Consumer Privacy Act of 2018 as set forth in California Civil Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020; Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Indiana Consumer Data Protection Act; Iowa Consumer Data Protection Act; Montana Consumer Data Privacy Act; Tennessee Information and Protection Act; Utah Consumer Privacy Act; and Virginia Consumer Data Protection Act. Multiple US states are also contemplating enacting similar legislation. The definition of Applicable Legislation will update automatically to include new laws and regulations relating to the processing, collecting and sharing of Personal Data.


Controller

Has the meaning given to it in the introduction of this DPA.


DPA

Has the meaning given to it in the introduction of this DPA.


GDPR

Means Regulation (EU) 2016/679 as amended, supplemented and/or varied from time to time.


Personal Data

Means the personal data (as defined in Applicable Legislation), specified in Appendix 1 hereto, that the Processor processes on behalf of the Controller.


Processor

Has the meaning given to it in the introduction of this DPA.


Sub-Processor

Has the meaning given to it in Section 6.1.


Terms and Conditions

Has the meaning given to it in the introduction of this DPA.

3. INSTRUCTIONS

3.1 The Processor shall process the Personal Data in accordance with the DPA, Applicable Legislation and the Controller’s written instructions set forth in Appendix 1. The Controller is responsible for meeting the obligations of a data controller under Applicable Legislation.

3.2 The Processor may not process the Personal Data for any other purposes or in any other way than as instructed by the Controller in writing from time to time.

3.3 In the event the Processor considers that any instruction violates Applicable Legislation, the Processor shall refrain from acting on such instructions and shall promptly notify the Controller and await amended instructions.

3.4 The parties acknowledge that within the Fleet concept, the Processor or its affiliates may also act as controller for certain processing of personal data. Any such processing is not subject to the requirements set out in this DPA.

3.5 To the extent that US State Data Privacy legislation applies to the processing of Personal Data herein, the Processor shall:

a) only use the Personal Data in accordance with Applicable Legislation to the minimal extent necessary and as required to perform its obligations under the Terms and Conditions, unless otherwise required by law.

b) not, unless otherwise approved in writing by the Controller, (i) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Husqvarna Fleet Services, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Husqvarna Fleet Services, or (ii) collect, sell, or use Personal Data, except as necessary to satisfy its obligations under the Terms and Conditions.

4. SECURITY MEASURES

4.1 The Processor shall at all times maintain adequate technical and organizational security measures to ensure that the Personal Data is protected. The security measures are detailed in Appendix 2.

4.2 The Processor shall ensure (i) that only authorized employees who need access to the Personal Data for the fulfilment of the Processor's obligations under the Terms and Conditions have access to the Personal Data, (ii) that the authorized employees process the Personal Data only in accordance with this DPA and the Controller's instructions, and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Personal Data.

4.3 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, in accordance with Applicable Legislation.

5. THE PROCESSOR'S OBLIGATIONS TO ASSIST

The Processor shall assist the Controller in accordance with Applicable Legislation, with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation, by ensuring appropriate technical and organizational measures. The Processor shall further, in accordance with Applicable Legislation, assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR.

6. SUB-PROCESSORS

6.1 The Processor may engage other Husqvarna group affiliates or third parties to process the Personal Data or any part thereof on its behalf (each such third party, a “Sub-Processor”). Where the Processor intends to engage a new Sub-Processor, other than the pre-authorized Sub-Processors listed in Appendix 1, the Controller must be informed thereof in writing (including electronic form). The new Sub-Processor may process the Personal Data if the Controller has not objected in writing within ten (10) days after such information was provided. The Processor is responsible towards the Controller for its Sub-Processors’ acts and omissions as for its own. The Processor undertakes to maintain an updated list of all engaged Sub-Processors, which will be provided to the Controller upon request.

6.2 The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations at least reflecting those undertaken by the Processor under this DPA.

6.3 In the event the Controller on objectively reasonable grounds objects to any new Sub-Processor in accordance with Section 6.1, the Processor shall refrain from using such Sub-Processor. If that is not practically or commercially reasonable according to the Processor, the Controller shall at its sole discretion be entitled either to (i) compensate the Processor for any additional costs incurred by it due to such objection, or, (ii) cease all use of the Fleet Services by terminating the Services in accordance with the Terms and Conditions.

7. TRANSFERS TO THIRD COUNTRIES

The Processor is entitled to transfer personal data outside the EU/EEA, or engage a Sub-Processor to process Personal Data outside of the EU/EEA, provided the Processor has an applicable legal ground for such transfer. The Processor shall upon the Controller’s request provide documented evidence showing the applicable legal ground for the transfer.

8. AUDIT

8.1 Upon the Controller’s request, the Processor will once per calendar year provide to the Controller the information necessary to demonstrate the Processor’s compliance with its obligations under Applicable Legislation and this DPA.

8.2 If the Controller, despite receiving the information set out in Section 8.1 above, has a legitimate and documented reason to suspect that the Processor does not fulfil its obligations under Applicable Legislation and this DPA, the Controller shall be entitled, on 30 days’ written notice, to carry out an audit of the Processor’s processing of the Personal Data and of information relevant in that respect. The Processor shall assist the Controller, disclose any information necessary and provide the access necessary in order for the Controller to carry out such audit. Each Party shall bear its own costs for such audit.

8.3 Any information provided to the Controller shall be confidential and only used by the Controller for purposes of ensuring compliance with Applicable Legislation and this DPA.

8.4 If a data protection authority carries out an audit of the Processor which may involve the processing of Personal Data, the Processor shall promptly notify the Controller thereof.

9. COSTS

The Controller shall bear all costs incurred by the Processor due to any altered or additional instructions issued by the Controller regarding the processing of the Personal Data or the Processor’s security measures, unless the Controller has altered or added its instructions in order to comply with new legal requirements under Applicable Legislation.

10. LIMITATION OF LIABILITY

10.1 Each Party’s liability for damages under this DPA is governed by the Terms and Conditions.

10.2 Notwithstanding Section 10.1 above, if a Party becomes liable to a data subject under Applicable Legislation and the other Party was involved in the same processing as formed the basis for the data subject’s claim, the other Party shall (in accordance with Article 82.5 of the GDPR) reimburse the liable Party with the part of the compensation corresponding to the other Party’s part of the responsibility for the damage. In addition, the other Party shall compensate the liable Party for fair and proportionate (in relation to the other Party's liability) costs of defending such claims.

10.3 A Party subject to a claim from a data subject shall within reasonable time inform the other Party in writing of the claim, if it is likely that claims against the other Party may be made. The other Party shall be given access to the data subject’s and the first Party’s documents in such lawsuit and shall be given the opportunity to comment on them.

11. RETURN AND DELETION OF DATA

Upon termination of the Fleet Services, the Processor shall, on the Controller’s instruction, transfer the Personal Data to the Controller (such transfer to be made in a common machine-readable format). The Processor will erase or permanently anonymize the Personal Data from its systems without undue delay after the effective date of termination of the Fleet Services.

12. TERM

This DPA shall, notwithstanding the term of the Terms and Conditions, enter into effect when the Processor commences processing Personal Data on behalf of the Controller and shall terminate when the Processor has erased the Personal Data in accordance with Section 11 above.

Appendix 1 – INSTRUCTIONS

Purposes of the processing

The main purpose of the Husqvarna Fleet Services as such is not to be a tool for processing personal data on behalf of Husqvarna's customers. However, as part of providing the service, the Processor will process certain personal data in order to deliver the services, such as location data showing the location of the assets that are part of the customer's fleet, which may constitute personal data.

In addition, there may be fields or areas where the Controller or an individual user can insert information which may contain personal data, and which will result in Husqvarna becoming a data processor.

The purpose of the processing is to enable the Controller to use the Husqvarna Fleet Services as desired, which includes enabling identification and access management, settings and preferences and to operate, manage and support the Husqvarna Fleet Services.


The character of the processing

The processing mainly consists of storage, displaying current and historic positions, displaying statistics for the assets connected to the services and any other action required to provide the Husqvarna Fleet Services, which may depend on the field or area filled out by the Controller. All processing may also include day-to-day actions with the Personal Data which are for the fulfilment of and within the scope of these instructions.


The period of the processing

The Personal Data will be processed for as long as the Controller chooses to keep the Personal Data within the Husqvarna Fleet Services.


Categories of data subjects

The categories of data subjects depend entirely on the Controller but will normally be employees or consultants of the Controller.


Categories of personal data

Name (first name, last name) and email address of users of the Husqvarna Fleet Services, location data (of assets connected to the services), product identifiers, product name.

If the Controller chooses to add further categories in the system, such categories will also be processed by the Processor.


Pre-approved Sub-Processors

Husqvarna AB (publ.), a corporation registered under the laws of Sweden, with registered office at Drottninggatan 2, 561 82 Huskvarna, Sweden.

Appendix 2 – SECURITY MEASURES

Control of physical access to premises

Technical and organizational measures to control physical access to premises and facilities, particularly to identify permitted personnel at entry:

  • Locked doors on all entrances / exits (e.g., electronic locks; physical locks; etc.)
  • Presence of security personnel (e.g., security at the front desk)
  • Burglar alarm systems

Control of access to IT systems

Technical and organizational security measures designed to ensure that users with access to the relevant IT systems are identified and authenticated:

  • IT security systems requiring individual users to log in using unique user names
  • State-of-the-art encryption applied to all data ‘in transit’
  • State-of-the-art encryption applied to all data ‘at rest’
  • Password databases are subject to strong encryption / hashing
  • Training for employees regarding access to IT systems

Control of access to Personal Data

Technical and organizational security measures designed to ensure that users with access to the Personal Data are identified and authenticated:

  • ‘Read’ rights for systems containing Personal Data restricted to specified personnel roles
  • ‘Edit’ rights for systems containing Personal Data restricted to specified personnel roles or profiles
  • State-of-the-art encryption on drives and media containing Personal Data (e.g., using Sophos SafeGuard; TrueCrypt; etc.)
  • Secure pseudonymisation of data

Control of disclosure of Personal Data

Technical and organizational measures for transporting, transmitting, communicating or storing data on data media, and for subsequent checking:

  • Secure data networks (e.g., encrypted VPNs)
  • State-of-the-art encryption for all systems used to send Personal Data (e.g., encrypted email; encrypted FTP; etc.)
  • SSL encryption for all internet access portals

Control mechanisms to ensure availability of the Personal Data

Technical and organizational measures to ensure the physical and electronic availability and accessibility of the Personal Data:

  • Documented disaster recovery procedures
  • Secure backup procedures in place, with full backups run regularly
  • Multiple backup facilities and locations
  • Secure anonymization or deletion of Personal Data

Control mechanisms to ensure separation of the Personal Data from other data

Technical and organizational measures to ensure that the Personal Data are stored and processed separately from other data:

  • Logical separation of live or production data from backup data and development or test data