Personal Data Processor Agreement for users


1. BACKGROUND

1.1 This data processing agreement ("Data Processing Agreement") applies when Kivra Sverige AB, org. no. 556917-3544, or any other company within the same group as Kivra Sverige AB ("Kivra") provides a Service as described in Kivra's general terms and conditions for users or Kivra's general terms and conditions for business users (collectively “General Terms”).

1.2 In providing the applicable Service according to the General Terms, Kivra will process personal data as a data processor on behalf of (i) Users who carry out processing for private use or related to the User's private household; (ii) Users who carry out processing for purposes other than private use or their private household, such as in individual business activities; and/or (iii) Business users (collectively “Users”). The User is the data controller for the same processing.

1.3 Kivra's obligations according to section 5.4 of this Data Processing Agreement do not apply to Users referred to in item (i) of section 1.2, as these Users have no obligations under the General Data Protection Regulation (see Article 2(2)(c) of the General Data Protection Regulation, the so-called private use exception). Otherwise, this Data Processing Agreement applies in its entirety to all Users.

1.4 If any other company within the same group as the User is to be considered as data controller (alone or together with the User) for processing covered by this Data Processing Agreement, the User hereby confirms that necessary permissions have been obtained to enter into the Data Processing Agreement also on behalf of such company.

2. DEFINITIONS

2.1 The definitions and terms used in this Data Processing Agreement shall have the same meaning and interpretation as the definitions and terms stated in the General Terms unless otherwise indicated.

2.2 The following terms shall have the meaning specified below unless the circumstances clearly dictate otherwise (and terms not defined in the Data Processing Agreement such as “data controller”, “data processor”, “personal data”, “processing”, “data breach” shall have the meaning given in the General Data Protection Regulation):

"General Data Protection Regulation" refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"Data Subject" refers to a natural person whose personal data is included in the Data.

"Applicable Data Protection Legislation" refers to: (i) the General Data Protection Regulation and any legal acts replacing it; (ii) applicable Swedish law regarding data protection; and (iii) regulations and directives related to (i) and (ii) above that are issued by the Supervisory Authority and are applicable to the Parties' operations.

"Supervisory Authority" refers to the Swedish Authority for Privacy Protection and, where applicable, other competent supervisory authority that, under the law, exercises supervision over the Parties' operations.

"The Data" refers to the personal data that are transferred to, stored, or otherwise processed by Kivra on behalf of the User under this Data Processing Agreement. The types of personal data covered are specified in the Specification.

3. INSTRUCTIONS

3.1 The Data Processing Agreement consists of this document and the Specification. The Specification provides an overview of the processing taking place; the purposes of the processing; the Data being processed; the categories of Data Subjects covered; the retention period for the Data; and any sub-processors and, where applicable, where their processing is located.

3.2 The User authorizes Kivra to transfer Data to third parties as required to fulfill the purpose of this Data Processing Agreement, including its instructions, and/or to comply with a legal obligation. This includes, but is not limited to, transfers of Data to suppliers, partners, and authorities.

3.3 Kivra may not process the Data in any other way, for other purposes, or according to other instructions than those specified in this Data Processing Agreement, the User's instructions, and Applicable Data Protection Legislation. In the event that Kivra assesses that necessary instructions for carrying out the assignment according to this Data Processing Agreement are missing, or if Kivra notices that the instructions conflict with Applicable Data Protection Legislation, Kivra shall immediately inform the User about its position and await further instructions from the User. Thus, Kivra is not obliged to follow an instruction if Kivra considers the instruction to conflict with Applicable Data Protection Legislation.

3.4 However, Kivra may process the Data for its own purposes in the role of data controller for the purpose of providing and improving its services to users in accordance with the General Terms. Kivra is responsible for informing about this processing in Kivra's data protection information in force at any time.

4. SECURITY - TECHNICAL AND ORGANIZATIONAL MEASURES

4.1 Kivra is obligated to take such appropriate technical and organizational measures that meet the requirements of Applicable Data Protection Legislation, especially Article 32 of the General Data Protection Regulation, thereby ensuring that the rights of the Data Subjects are protected. Such measures include, among other things, protecting the Data against unauthorized access, destruction, or alteration.

4.2 Kivra undertakes to ensure that Kivra has the expertise, reliability, and resources to implement technical and organizational measures that meet the requirements of Applicable Data Protection Legislation, especially regarding the requirements for security as mentioned above. Kivra also undertakes to review and update the measures taken as necessary.

5. DUTY TO INFORM AND ASSISTANCE

5.1 Kivra shall, without undue delay after discovering completed cases of or attempts at unauthorized access, destruction, or alteration of the Data and other personal data incidents, inform the User about this. In the event the Service, or parts of the Service, are unavailable for reasons other than the aforementioned events, such as internal system disruptions, information about this will be communicated directly in the Service and at kivra.se.

5.2 When Kivra notifies the User according to point 5.1 above, the notification shall contain information about:

a) the nature of the personal data incident, including, if possible, the categories of and the approximate number of Data Subjects affected and the categories of and the approximate number of Data affected,
b) the name and contact details of the data protection officer or other contact points where more information can be obtained,
c) the likely consequences of the personal data incident, and
d) the measures that Kivra has taken or proposed to address the personal data incident, including, where appropriate, measures to mitigate its potential adverse effects.

5.3 If and to the extent it is not possible to provide information according to point 5.2 simultaneously, the information may be provided in stages, however, without further undue delay.

5.4 Kivra shall assist and cooperate with the User to a reasonable extent to ensure that the obligations according to Articles 32–36 of the General Data Protection Regulation are fulfilled, considering the type of processing and the information available to Kivra, and to ensure that the Data Subjects' rights under Applicable Data Protection Legislation can be fulfilled.

6. AUDIT

6.1 The User has the right, itself or through an independent third party, to carry out checks of Kivra's processing of the Data to ensure compliance with Applicable Data Protection Legislation, this Data Processing Agreement, and the instructions issued. Unless otherwise provided by a specific separate written agreement, each Party bears its own costs for the audit and for providing information according to this point 6.1.

6.2 Kivra shall reasonably contribute to such controls and audits and, upon request, provide the User with the assistance and documentation reasonably required for this.

6.3 If the User engages a third party to conduct an inspection of Kivra's processing of the Data on behalf of the User, the User shall ensure that such third party signs an appropriate confidentiality agreement not to disclose information to a third party before any such inspection.

6.4 Inspection for auditing, information provision, and the like shall be scheduled at times of the day and otherwise conducted in a manner that causes the least possible impact on Kivra's operations. The audit of Kivra shall be conducted with due regard for the security measures set by Kivra, provided that the measures do not prevent or significantly hinder the conduct of the audit.

7. USE OF SUB-PROCESSORS

7.1 The User hereby approves the use of the sub-processors already engaged by Kivra as specified in the Specification to this Data Processing Agreement.

7.2 Kivra undertakes to inform the User about any plans to engage new sub-processors and/or replace existing sub-processors at least thirty (30) days before such plans are implemented. Notification of the engagement of new sub-processors and/or replacement of existing sub-processors will occur when the User logs into the Service through the web or via Kivra's app. The User is responsible for keeping updated on such possible notifications by logging into the Service.

7.3 If the User does not respond to Kivra within the thirty (30) days according to point 7.2, the User is considered to have accepted Kivra's plan to engage/replace the sub-processor(s) that Kivra has informed the User about. If the User does not approve of a sub-processor that Kivra intends to use, the User has the right to terminate this Data Processing Agreement immediately.

7.4 Kivra undertakes to enter into a written agreement with existing and new sub-processors that regulates the processing performed by the sub-processor. In terms of data protection, the agreement shall impose the same obligations on the sub-processor as are imposed on Kivra in this Data Processing Agreement. In the event that the sub-processor fails to fulfill its obligations regarding the processing, Kivra remains responsible towards the User for the sub-processor's fulfillment of its obligations under this Data Processing Agreement.

7.5 For any transfers of Data to sub-processors outside the EU/EEA, Kivra shall ensure that the transfer is made to countries that, as decided by the European Commission, have an adequate level of protection or, if necessary, enter into the European Commission's standard contractual clauses in force at the time.

8. LIABILITY

8.1 If a Party (including those working under the Party's direction or subcontracted sub-processors) acts in violation of this Data Processing Agreement or Applicable Data Protection Legislation, such Party shall indemnify the other Party for any damage that such unauthorized action has caused.

8.2 Kivra shall be liable for damage arising from the processing of Data only if Kivra has not fulfilled the obligations under this Data Processing Agreement that specifically target Kivra. Kivra shall avoid liability if it can prove that Kivra is in no way responsible for the event that caused the damage.

8.3 A Party's right to compensation according to point 8.1 is limited as set out in the applicable General Terms.

8.4 Fines according to Article 83 of the General Data Protection Regulation, or Chapter 6, Section 2 of the Swedish Act (2018:218) containing supplementary provisions to the EU General Data Protection Regulation, shall be borne by the Party on which the Supervisory Authority has imposed such a fine.

8.5 If either Party becomes aware of a circumstance that may lead to damage for the other Party, it shall immediately inform the other Party about the situation, and the Parties shall actively work together to prevent and minimize such damage.

9. CONFIDENTIALITY

9.1 Each Party shall ensure that persons who have access to the Data or confidential information have committed to observe confidentiality or are covered by statutory confidentiality in accordance with the requirements of Applicable Data Protection Legislation, and are informed about how the Data may be processed.

10. CHANGES AND NOTICES

10.1 The User may change the content of this Data Processing Agreement only to the extent required to accommodate requirements arising from Applicable Data Protection Legislation. Such change shall take effect no later than thirty (30) days after the notice of change has been received by Kivra.

10.2 Any adjustments to the User's instructions as further described in the Specification shall be communicated by the User to Kivra within a reasonable time in accordance with point 10.4 so that necessary changes in procedures can be implemented. Kivra has the right to refuse the assignment if the User's instructions cannot reasonably be met. Such change shall take effect no later than thirty (30) days after the notice of change has been received by Kivra.

10.3 Kivra reserves the right to change and/or add to this Data Processing Agreement at any time. Such changes and additions shall be notified by Kivra at least thirty (30) days before the change takes effect. However, Kivra always has the right to immediately make changes and additions prompted by Applicable Data Protection Legislation or governmental decisions. If the User does not accept the new terms, the User has the right to terminate this Data Processing Agreement immediately.

10.4 All notices and other communication according to this Data Processing Agreement from a User to Kivra shall be made in writing through email to dataskydd@kivra.se. All notices and other communication from Kivra to the User shall be made in writing through email to the email address that the User has registered in the Service, or directly in the Service through the web or via Kivra's app, unless another communication channel is specified in this Data Processing Agreement. Each Party is responsible for keeping its contact details updated.

11. TERM OF THE AGREEMENT AND ACTIONS UPON TERMINATION

11.1 The Data Processing Agreement is valid from the time the User registers for the Service with Kivra and as long as Kivra processes Data on behalf of the User.

11.2 The Parties agree that Kivra and any sub-processors after the processing has ceased shall without undue delay but no later than within thirty (30) days delete the transferred Data.

12. APPLICABLE LAW AND DISPUTE RESOLUTION

12.1 Applicable law and dispute resolution shall follow the General Terms.

SPECIFICATION

Each processing activity below is described under the following headings: purpose of the processing; categories of personal data; categories of data subjects (registered); duration of personal data processing for the purpose; and sub-processors (location).

Storage and handling of Content (always applicable)

Purpose of the processing: Kivra shall receive, store, delete, and manage Content along with associated Metadata.

Categories of personal data: Personal data present in Content; Metadata associated with Content.

Categories of data subjects: Users; individuals featured in Content.

Duration: 20 days after the User has terminated the Service. Receipts are stored for the earlier of (i) 8 years after receipt; or (ii) 20 days after the User has terminated the Service.

Sub-processors (location): Not applicable. If the User uploads payable documents in Kivra's Android app, text recognition technology from Google LLC is used, where Google is the data controller; see the terms for Google ML Kit.

Customization of the Service (always applicable)

Purpose of the processing: Kivra shall customize the Service according to the User's choices, settings, and interactions with the Service.

Categories of personal data: Information about the User's choices, settings, and interactions with the Service; contact and identification details; Metadata associated with Content; device information.

Categories of data subjects: Users.

Duration: 20 days after the User has terminated the Service.

Sub-processors (location): Not applicable.

Notification (optional)

Purpose of the processing: Kivra shall notify Users of events in the Service.

Categories of personal data: Personal data present in notifications; contact details in the form of email address and Device ID.

Categories of data subjects: Users.

Duration: Until the notification has been delivered to the User.

Sub-processors (location): Braze Inc. (EU/EEA), providing a notification service; Google Cloud EMEA Limited (Firebase Cloud Messaging) (USA), providing a push notification service for Android; Apple Inc. (Apple Push Notification service) (USA), providing a push notification service for Apple; Mailgun Inc. (EU/EEA), providing an email notification service.

Payments with Tink (optional)

Purpose of the processing: Kivra shall share details with, and receive details from, Tink to enable and manage payment. Kivra shall also store and manage payment information in the Service.

Categories of personal data: Contact and identification details; payment information.

Categories of data subjects: Users.

Duration: Sharing occurs immediately. Stored payment information is retained for 20 days after the User has terminated the Service.

Sub-processors (location): Not applicable. Sharing with Tink AB occurs where Tink is the data controller. See Tink's privacy information here.

Payments with Swish (optional)

Purpose of the processing: Kivra shall store and manage payment information in the Service.

Categories of personal data: Payment information.

Categories of data subjects: Users.

Duration: 20 days after the User has terminated the Service.

Sub-processors (location): Not applicable.

Automatic payments (optional)

Purpose of the processing: Kivra shall store and manage information on direct debit authorizations and payment.

Categories of personal data: Information on direct debit authorization and payment.

Categories of data subjects: Users.

Duration: 20 days after the User has terminated the Service.

Sub-processors (location): Not applicable.

Sharing of Content (optional)

Purpose of the processing: Kivra shall share Content with Users and other parties chosen by the User in the Service.

Categories of personal data: Personal data present in Content chosen by the User to share; Metadata associated with Content.

Categories of data subjects: Users; individuals featured in Content.

Duration: Until the User chooses to end the sharing.

Sub-processors (location): Not applicable.

Invitations to shared folders (optional)

Purpose of the processing: Kivra shall manage invitations to shared folders.

Categories of personal data: Contact and identification details.

Categories of data subjects: Individuals the User invites to shared folders.

Duration: 30 days from the invitation.

Sub-processors (location): Not applicable.

Management and verification of signed documents (optional)

Purpose of the processing: Kivra shall show the User details of signings in the Service and verify signed documents.

Categories of personal data: Information on signings, namely date, time, method of signing, IP address, document ID and checksum for the document, document title, and parties.

Categories of data subjects: Users; individuals featured in signed documents.

Duration: The earlier of (i) 30 days after all parties have deleted a signed document; or (ii) up to 20 days after all parties have terminated the Service. Verified documents are deleted 13 months from the case being closed at Kivra's customer service.

Sub-processors (location): Not applicable.

Assigning and revoking the right to represent a Corporate User (optional for Corporate Users)

Purpose of the processing: Kivra shall enable Corporate Users to ensure that representatives have the right to represent the Corporate User.

Categories of personal data: Contact and identification details as well as information on corporate positions.

Categories of data subjects: Users representing the Corporate User.

Duration: As long as the User represents the Corporate User.

Sub-processors (location): Not applicable.

Scanning and storage of physical mail (optional for Corporate Users)

Purpose of the processing: Kivra shall receive, open, scan, and store physical mail and convey it as E-shipments to the Corporate User.

Categories of personal data: Personal data present in physical mail and E-shipments; Metadata associated with E-shipments.

Categories of data subjects: Individuals featured in physical mail and E-shipments.

Duration: Storage of physical mail for accounting purposes lasts seven (7) years from the delivery of the physical mail to Kivra.

Sub-processors (location): PostNord Strålfors AB (Sweden), providing a service for scanning and storage of physical mail.

Email (optional for Corporate Users)

Purpose of the processing: Kivra shall receive emails and convey them as E-shipments to the Corporate User.

Categories of personal data: Personal data present in emails and E-shipments; Metadata associated with E-shipments.

Categories of data subjects: Individuals featured in emails and E-shipments.

Duration: 20 days after the Corporate User has terminated the Service.

Sub-processors (location): Amazon Web Services EMEA SARL (EU/EEA), providing a service for temporary storage of email. Support cases may exceptionally be processed in the USA.