Data Processing Agreement

This Data Processing Agreement is an exhibit and an integral part of the Klintberg & Way Parts AB General Terms and Conditions entered into with the Customer that has accepted the General Terms.

1. Scope of the Agreement

The Controller is a reseller of the Processor’s products and/or services, and is for that purpose using an order system provided by the Processor where Personal Data concerning the Controller’s customers may be handled. This Agreement sets out the respective responsibilities of each party in relation to the Personal Data being Processed, and will be valid for the duration of the parties’ business relation or until the Agreement is terminated by either part.

2. Definitions

2.1. “Personal Data” means all kinds of information relating to an identified or identifiable person, as
defined by the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 (“the GDPR”).

2.2. “Data Controller” means the entity that determines the purposes and means of the Processing of
Personal Data.

2.3. “Data Processor” means the entity which Processes Personal Data on behalf of the Data

2.4. “Process” or “Processing” means any operation or set of operations upon Personal Data as defined
by the GDPR.

3. Categories of data subjects

The categories of data subjects Processed under the scope of the Agreement will be the Controller’s: Customers.

4. Types of Personal Data

The types of Personal Data Processed under the scope of the Agreement includes: Car registration number or VIN number of the customer’s car and any other information that the Controller chooses to register in the system.

5. Responsibility and instructions

The Controller shall determine the purposes and means of the
Processing of Personal Data in connection with the Agreement. The Controller is responsible for issuing
instructions to the Processor regarding the Processing of Personal Data, and the Processor shall only Process such Personal Data in accordance with the terms of this Agreement and the from time to other given instructions provided by the Controller. The Processor shall be entitled to reasonable
compensation for any changes or updates in given instructions. If the Processor thinks that an instruction is not compliant with the GDPR, it shall point this out to the Controller without delay.

6. Support and information

The Processor shall provide the Controller with cooperation and assistance in relation to handling requests relating to data subjects’ rights, and otherwise support the Controller in fulfilling its obligations by providing information and support when requested by the Controller. The Processor shall be entitled to reasonable compensations for support provided in accordance with this section.

7. Security and secrecy

The Processor shall take appropriate technical and organizational measures to protect the Personal Data Processed under this Agreement, especially taking article 32 of the GDPR into account.

The Processor shall permit any audit that a supervising authority or the Controller may require in order to ensure that the Processor fulfills its obligations under the Agreement.

Only employees, consultants and other personnel of the Processor that need to have access to the Personal Data in order for the Processor to fulfill its obligations under the Service Agreement shall have access to the Personal Data, and such personnel shall be bound by suitable confidentiality undertakings.

8. Use of subprocessors

Subject to this Section 8, the Controller hereby authorizes the Processor to use subprocessors for Processing of Personal Data solely for the purpose of meeting the obligations under the Service Agreement. 

The Processor shall ensure that all subprocessors are subject to written agreement(s) that implements the same obligations as the Processors’ obligations vis-à-vis the Controller, as set out in this Agreement.

Supplier is fully responsible for any failure of any subprocessor to comply with the obligations relating to Processing of Personal Data under this Agreement.

The Processor may decide to remove, replace or appoint additional suitable and reliable subprocessors provided that the terms of this Section 8 are observed at all times. The Processor shall provide the Controller with a notification in writing of a new subprocessor(s) before authorizing any new
subprocessor(s) to Process Personal Data under the scope of the Service Agreement, and the Controller has a right to object to the use of a new subprocessor.

The processor will maintain a list of subprocessors and will provide a copy of that list to the Controller upon request.

9. Third country transfers

The Processor and its subcontractors may Process Personal Data under the scope of the Agreement in a country located outside of the EU or the countries approved by the EU Commission only if;

a) The receiving organization of the Personal Data has been certified according to the Privacy Shield
program, or;

b) The transfer and the rights and freedoms of the data subjects are protected through binding corporate rules according to article 47 of the GDPR, or;

c) The transfer and the rights and freedoms of the data subjects are protected through the Standard Contractual Clauses approved by the EU Commission.

10. Liability

The Processor’s total liability for damages incurred under the scope of the Agreement shall be limited to direct damages incurred as a result of the Processor’s breach of this Agreement and up to a maximum amount of the fees payed or payable by the Controller for the by Processor provided products and/or services under the past year.

11. Termination of the Agreement

Upon termination of the Agreement, the Processor shall return and/or delete all Personal Data Processed under the Agreement, as advised by the Controller.