Personal data processing agreement for Kivra's verification service

1 BACKGROUND

1.1 This personal data processing agreement (“Personal Data Processing Agreement”) applies when Kivra Sverige AB, org. no. 556917-3544, or another company within the same group as Kivra Sverige AB (“Kivra”) provides a Service as described in Kivra's general terms and conditions for the verification service (“General Terms and Conditions”).

1.2 When providing the applicable Service under the General Terms and Conditions, Kivra will process personal data in its capacity as a data processor for the Controller. The Controller is the data controller for the same processing.

1.3 If and to the extent that another company in the same group as the Controller is to be considered the data controller (alone or together with the Controller) for processing covered by this Data Processor Agreement, the Controller hereby confirms that it has obtained the necessary permissions to enter into the Data Processor Agreement also on behalf of such company.

2 DEFINITIONS

2.1 The definitions and terms used in this Data Processor Agreement shall have the same meaning and significance as the definitions and terms set out in the General Terms and Conditions unless otherwise stated.

2.2 The following terms shall have the meanings set out below unless the circumstances clearly indicate otherwise (and terms not defined in the Data Processing Agreement such as, for example, “data controller”, “data processor”, “personal data”, “processing”, “personal data incident” shall have the meanings set out in the Data Protection Regulation):

“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Data Subject” means a natural person whose personal data is included in the Data.

“Applicable Data Protection Legislation” means: (i) the Data Protection Regulation and any successor legislation; (ii) applicable Swedish law relating to data protection; and (iii) regulations and rules related to (i) and (ii) above, issued by the Supervisory Authority and applicable to the activities of the Parties.

“Supervisory Authority” refers to the Privacy Protection Authority and, where applicable, other competent supervisory authority that, by law, exercises supervision over the activities of the Parties.

“Data” refers to the personal data that is transferred to, stored or otherwise processed by Kivra on behalf of the Controller pursuant to this Personal Data Processing Agreement. The types of personal data covered are stated in the Specification.

3 INSTRUCTIONS

3.1 The Personal Data Processing Agreement consists of this document and the Specification. The Specification provides an overview of the processing that takes place; the purposes of the processing; the Data that is processed; the categories of Data Subjects that are covered; how long the Data is stored; and any sub-processors and, in such cases, where their processing is located.

3.2 The Controller grants Kivra permission to transfer Data to third parties in cases where it is necessary to fulfill the purpose of this Personal Data Processing Agreement, including its instructions, and/or to fulfill a legal obligation. This includes, but is not limited to, transferring Data to suppliers, partners and authorities.

3.3 Kivra may not process the Data in any other way, for other purposes or according to other instructions than those stated in this Personal Data Processing Agreement, the Controller's instructions and Applicable Data Protection Legislation. In the event that Kivra assesses that instructions necessary to carry out the assignment as stated in this Personal Data Processing Agreement are lacking, or if Kivra notices that the instructions are in conflict with Applicable Data Protection Legislation, Kivra shall immediately inform the Controller of its position and await further instructions from the Controller. Kivra is therefore not obliged to follow an instruction if Kivra believes that the instruction violates Applicable Data Protection Legislation.

4 SECURITY - TECHNICAL AND ORGANIZATIONAL MEASURES

4.1 Kivra is obliged to take such appropriate technical and organizational measures that meet the requirements of Applicable Data Protection Legislation, in particular Article 32 of the General Data Protection Regulation, and thereby ensure that the rights of the Data Subjects are protected. Such measures include Kivra protecting the Data against unauthorized access, destruction or alteration.

4.2 Kivra undertakes to ensure that Kivra has the expertise, reliability and resources to implement technical and organizational measures that meet the requirements of Applicable Data Protection Legislation, in particular with regard to the security requirements as set out above. Kivra also undertakes that the measures taken will be reviewed and updated as necessary.

5 INFORMATION DUTY AND ASSISTANCE

5.1 Kivra shall inform the Controller without undue delay after Kivra has discovered any completed or attempted unauthorized access to, or destruction or modification of, the Data, or any other personal data incident. In the event that the Service, or parts of the Service, are unavailable for reasons other than the aforementioned events, for example in the event of internal system failures, information about this will be provided directly in the Service and on kivra.se.

5.2 When Kivra notifies the Controller pursuant to clause 5.1 above, the notification shall include information on:

a) the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Data affected,

b) the name and contact details of the Data Protection Officer or other contact points where further information can be obtained,

c) the likely consequences of the personal data breach, and

d) the measures taken or proposed by Kivra to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.

5.3 If and to the extent that it is not possible to provide information pursuant to clause 5.2 simultaneously, the information may be provided in stages, but without further undue delay.

5.4 Kivra shall assist and cooperate with the Controller to a reasonable extent in ensuring that the obligations under Articles 32–36 of the Data Protection Regulation are fulfilled, taking into account the type of processing and the information available to Kivra and to ensure that the rights of Data Subjects under Applicable Data Protection Law can be fulfilled.

6 AUDIT

6.1 The Controller has the right, itself or through an independent third party, to carry out audits of Kivra’s processing of the Data to ensure that what is stated in the Applicable Data Protection Law, this Data Processing Agreement and the instructions issued is complied with. Unless otherwise provided for by a separate written agreement, each Party shall bear its own costs of the audit and for the provision of information pursuant to this clause 6.1.

6.2 Kivra shall contribute to such audits to a reasonable extent and upon request provide the Controller with the assistance and documentation reasonably required for this purpose.

6.3 If the Controller engages a third party to carry out an inspection of Kivra's processing of Data on behalf of the Controller, the Controller shall ensure that such third party signs an appropriate confidentiality agreement not to disclose information to third parties prior to any inspection.

6.4 Access for inspection, provision of information and the like shall be scheduled at times of the day and otherwise carried out in a manner that causes the least possible impact on Kivra's operations. Inspection of Kivra shall be carried out in compliance with the security measures set by Kivra, provided that the measures do not prevent or cause significant difficulties in carrying out the inspection.

7 ENGAGEMENT OF SUB-PROCESSORS

7.1 The Controller hereby approves the use of the sub-processors already engaged by Kivra as set out in the Specification to this Personal Data Processing Agreement.

7.2 Kivra reserves the right to replace and/or engage new sub-processors at any time. Since the Controller needs to accept the General Terms and Conditions including this Personal Data Processing Agreement each time the Controller uses the Verification Service, the Controller is responsible for reviewing the Specification with a list of sub-processors in force at any time.

7.3 Kivra undertakes to sign a written agreement with existing and new sub-processors that regulates the processing carried out by the sub-processor. In terms of data protection, the agreement shall impose the same obligations on the sub-processor as are imposed on Kivra in this Personal Data Processing Agreement. In the event that the sub-processor fails to comply with its obligations regarding the processing, Kivra shall remain liable to the Controller for the sub-processor's compliance with its obligations under this Data Processing Agreement.

7.4 In the event of any transfers of Data to sub-processors outside the EU/EEA, Kivra shall ensure that the transfer takes place to countries that, as determined by the EU Commission, have an adequate level of protection or, if necessary, enter into the EU Commission's standard contractual clauses in force at any time.

8 LIABILITY

8.1 If a Party (including anyone working under the Party's direction or a sub-processor engaged by the Party) acts in breach of this Data Processing Agreement or Applicable Data Protection Legislation, such Party shall indemnify the other Party for any damage caused by such unauthorized action.

8.2 Kivra shall be liable for damage arising from the processing of Data only if Kivra has not fulfilled the obligations under this Personal Data Processing Agreement that are specifically addressed to Kivra. Kivra shall be exempt from liability if it proves that Kivra is in no way responsible for the event that caused the damage.

8.3 The right of the Party to compensation under clause 8.1 is limited as stated in the applicable General Terms and Conditions.

8.4 Penalty fees under Article 83 of the Data Protection Regulation, or Chapter 6, Section 2 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation shall be borne by the Party to which such a fee has been imposed by the Supervisory Authority.

8.5 If either Party becomes aware of a circumstance that may lead to damage to any other Party, it shall immediately inform the other Party of the situation and actively work together to prevent and minimize such damage.

9 CONFIDENTIALITY

9.1 The Party shall ensure that the persons who have access to the Data or confidential information have undertaken to observe confidentiality or are subject to a statutory duty of confidentiality in accordance with the requirements of Applicable Data Protection Legislation and are informed of how they may process the Data.

10 AMENDMENTS AND NOTICES

10.1 The Controller may change the content of this Personal Data Processing Agreement only to the extent required to satisfy requirements arising from Applicable Data Protection Legislation.

10.2 Any adjustments to the Controller's instructions as further described in the Specification shall be notified by the Controller to Kivra within a reasonable time in accordance with clause 10.4 so that necessary changes to procedures can be implemented. Kivra has the right to withdraw from the assignment in the event that the Controller's instructions cannot reasonably be fulfilled.

10.3 Kivra reserves the right to change and/or make additions to this Personal Data Processing Agreement at any time. Since the Controller needs to accept the General Terms and Conditions including this Personal Data Processing Agreement each time the Controller uses the Verification Service, the Controller is responsible for taking note of the Personal Data Processing Agreement in force at any time.

10.4 All notices and other communications under this Personal Data Processing Agreement from a Controller to Kivra shall be in writing by e-mail to dataskydd@kivra.se. All notices and other communications from Kivra to the Controller shall be to the contact details that the Controller has registered with the Swedish Companies Registration Office. The responsibility for keeping their contact details updated lies with each Party.

11 AGREEMENT TERM AND MEASURES UPON TERMINATION

11.1 The Personal Data Processing Agreement is valid from the time the Controller registers for the Service with Kivra and for as long as Kivra processes Data on behalf of the Controller.

12 APPLICABLE LAW AND DISPUTE RESOLUTION

12.1 Applicable law and dispute resolution follow from the General Terms and Conditions.

SPECIFICATION

PROCESSING: Content Management and Verification (always applicable)
PURPOSE OF PROCESSING: Kivra shall receive, store, delete and manage Content and associated data.
CATEGORIES OF PERSONAL DATA: Personal data appearing in Content; Content information
CATEGORIES OF DATA SUBJECTS: Users; People appearing in Content
TIME FOR WHICH PERSONAL DATA IS PROCESSED FOR THE PURPOSE: Up to 30 minutes from the Controller receiving the Content.
SUB-PROCESSORS (LOCATION): Not applicable.

PROCESSING: Customization of the Service (always applicable)
PURPOSE OF PROCESSING: Kivra shall adapt the Service to the Controller's choices, settings and interactions with the Service.
CATEGORIES OF PERSONAL DATA: Name; Controller ID; Information about your choices, settings and interactions with the Service; Information about the digital device (e.g. mobile phone or computer) you use
CATEGORIES OF DATA SUBJECTS: Controller's representative
TIME FOR WHICH PERSONAL DATA IS PROCESSED FOR THE PURPOSE: Up to 30 minutes from the Controller receiving the Content.
SUB-PROCESSORS (LOCATION): Not applicable.