Data Processing Agreement
Updated: | Version: |
June 2023 | 2023.06 |
- Introduction
- The Supplier will in connection with the provision of the Services process personal data as a processor on behalf of the Subscriber. To the extent the processing of personal data is subject to Applicable Data Protection Laws, this data processing agreement (“DPA”) applies. This DPA forms an integral part of the Subscription Agreement.
- The Parties agree that a Partner may enter into this DPA on behalf of the Supplier.
- This DPA supersedes and replaces any data processing agreements previously concluded between the Parties.
- Applicable Data Protection Laws apply to the processing of personal data covered by this DPA.
- In the event of any conflict or inconsistency between this DPA and the terms of the Subscription Agreement, the terms of this DPA shall prevail.
- Definitions
- The following defined terms are used in this DPA:
“Applicable Data Protection Laws”means the GDPR and all data protection legislation and regulations, including regulations issued by relevant Supervisory Authority, protecting the fundamental rights and freedoms of data subjects with respect to the processing of their personal data, that apply to the Parties;“Applicable Laws”means laws and regulations under EU law and relevant Member State laws that apply to the Parties;“Data Subject Request”means a request from a data subject to exercise rights afforded to data subjects under Applicable Data Protection Laws;“GDPR”Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);“Instruction”means any documented instruction issued by the Subscriber that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and any specific requirements that apply to the processing, including Schedule 1 of this DPA;“Partner”means a legal entity authorized by the Supplier under a commercial agreement to re-sell the Services to the Subscriber;“Subprocessor”means a subcontractor, supplier, consultant or third party engaged by the Supplier to process personal data on behalf of the Subscriber;“Supervisory Authority”means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR; and“Thirty Country”means a country which is not a member of the European Union (EU) or the European Economic Area (EEA). - Lower case terms used but not defined in this DPA, such as “controller”, “processor”, “personal data” and “processing” shall have the same meaning as in Article 4 of the GDPR.
- Capitalized terms used, but not defined in this DPA, shall have the same meaning as in the General Terms and Conditions, as amended from time to time, available on www.quickchannel.com/toc.
- The following defined terms are used in this DPA:
- General obligations on the supplier
- The Supplier agrees to only process personal data on behalf of the Subscriber in accordance with any Instruction of the Subscriber and Applicable Data Protection Laws.
- Any further Instruction with respect to the processing of personal data shall be provided to the Supplier by way of e-mail to the following address: legal@quickchannel.com. If the Subscriber issues new Instructions which are over and beyond what Applicable Data Protection Laws require or which is not supported by the Services, the Supplier shall, if the Subscriber maintains the Instruction, be entitled to reasonable compensation for the cost that the new Instruction implies or otherwise according to a separate agreement between the Parties.
- Notwithstanding what is stated in Clause 3.1 above the Supplier may process the personal data to the extent it is necessary in order to comply with legal requirements under Applicable Laws to which Supplier is subject. The Supplier shall inform the Subscriber of that legal requirement before the processing, unless Applicable Laws prohibit Supplier from providing this information.
- The Supplier shall immediately notify the Subscriber if the Supplier cannot fulfil its obligations under this DPA or if the Supplier is of the view that an Instruction regarding the processing of personal data given by the Subscriber would be in breach of Applicable Data Protection Laws, unless the Supplier is prohibited from notifying the Subscriber under Applicable Laws. Notification shall be given by e-mail to the designated e-mail address set by the Subscriber in the Orderform.
- Security measures etc.
- The Supplier shall at its own cost implement appropriate technical and organisational measures (“TOMs”) to protect and safeguard the personal data that is processed against personal data breaches. The TOMs shall at least reach a level of security equivalent of what is prescribed by Applicable Data Protection Laws, relevant Supervisory Authorities’ applicable regulations, guidelines regarding security of personal data, and what is otherwise appropriate to the risk of the processing of personal data. The minimum TOMs implemented by Supplier are included in Schedule 2.
- The Supplier shall, taking into account the nature of the processing and the information available to the Supplier, assist the Subscriber in ensuring compliance with its obligations under Articles 35 and 36 of the GDPR to carry out data protection impact assessments (DPIAs) and prior consultations with the relevant Supervisory Authority in relation to the processing of personal data covered by this DPA. Requests for such assistance shall be sent to the Supplier by e-mail to legal@quickchannel.com.
- The Supplier shall ensure that access to the personal data is limited to personnel of the Supplier who need access to personal data in order for the Supplier to fulfil its obligations under this DPA. The Supplier shall ensure that the personnel only process personal data in accordance with Clause 3.1 above.
- The Supplier shall ensure that all employees authorized to access and process personal data covered by this DPA have committed themselves to confidentiality by ensuring that there are written confidentiality agreements in place with the personnel which covers personal data that the Supplier processes on behalf of the Subscriber under this DPA.
- The Supplier shall allow for and contribute to audits, including inspections, conducted by the Subscriber. The Parties agree that such inspections shall be carried out by a third-party auditor jointly appointed by the Parties which has committed itself to confidentiality.
- For the avoidance of doubt, any inspection or audit shall only comprise such information that is necessary in order for the Subscriber to determine whether the Supplier fulfils its obligations under Article 28 of the GDPR and this DPA and shall not comprise any other information which is irrelevant to the Supplier’s processing of personal data under this DPA.
- The Subscriber shall give the Supplier reasonable notice of at least one (1) month prior to exercising its audit rights in order to allow the Parties to plan the audit or inspection. A request for an audit or inspection shall be sent to the Supplier by e-mail to legal@quickchannel.com.
- Each Party shall bear its own costs in relation to any such audit. Should an audit or inspection show that the Supplier has not fulfilled its obligations under this DPA or Applicable Data Protection Laws, the Supplier shall without undue delay remedy such issue at its own cost.
- Personal data breach notification
- In the event of a personal data breach the Supplier shall notify the Subscriber in writing without undue delay after becoming aware of the personal data breach. Notification shall be given by e-mail to the designated e-mail address set by the Subscriber in the Orderform.
- The Supplier shall assist the Subscriber to the extent necessary in order to investigate the personal data breach and to enable the Subscriber to fulfil its notification obligations, where applicable, to relevant Supervisory Authorities and data subjects concerned under Applicable Data Protection Laws. The Supplier shall therefore immediately after becoming aware of a personal data breach:
- commence an investigation of the personal data breach in order to determine the scope, nature and the likely consequences of the personal data breach;
- take appropriate remedial measures in order to mitigate the possible adverse effects of the personal data breach; and
- consult with the Subscriber in order to determine as to whether the Subscriber would be obligated under Applicable Data Protection Laws to notify the relevant Supervisory Authority and or the data subjects concerned of the personal data breach.
- as soon as possible following the commencement of the investigation, the Supplier shall provide the following information to the Subscriber as regards the personal data breach:
- a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken by Supplier to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and in so far as, it is not possible for the Supplier to provide the above information at the same time, the information may be provided in phases without undue further delay. Notification of the information in Clause 5.2 (iv) above shall be given by e-mail to the designated e-mail address set by the Subscriber in the Orderform.
- Use of subprocessors
- The Subscriber hereby gives the Supplier a general written authorization to engage Subprocessors, named in appendix Subprocessors, which are necessary to provide the Services. Supplier shall prior to engaging a new (or replacing an existing) Subprocessor which will process personal data on behalf of the Subscriber:
- carry out an adequate due diligence to ensure that the Subprocessor is capable of providing sufficient guarantees with respect of compliance with Applicable Data Protection Laws;
- ensure that there is a written data processing agreement with the Subprocessor which imposes obligations on the Subprocessor which fulfils the requirements of Article 28(3) of the GDPR, upon which the Supplier may enter into such data processing agreement directly with the Subprocessor;
- where the Subprocessor will process personal data in a Third Country ensure that the requirements of Clause 8 of this DPA are fulfilled.
- The Supplier maintains a list of all Subprocessors which Supplier has engaged from time to time. The list is available on www.quickchannel.com/en/gdpr-subprocessors. The list includes at least the following information in relation to each Subprocessor:
- the identity of the Subprocessor (including full legal name, corporate registration number and address);
- the type(s) of service(s) provided by the Subprocessor;
- the location where the Subprocessor will process personal data on behalf of the Subscriber; and
- and information on the measures (or where information on such measures may be found) that the Subprocessor has taken to protect the personal data.
- The Supplier shall prior to engaging a new Subprocessor notify the Subscriber of this by e-mail to the designated e-mail address set by the Subscriber in the Orderform.
- If, within thirty (30) days of such notice, the Subscriber notifies the Supplier in writing of any objections to the appointment, the Supplier and the Subscriber shall seek to agree on a solution which is acceptable to Parties concerned. If the Parties do not agree on a solution within thirty (30) days following the Subscriber’s written objection, or at such later time (which the Parties have agreed on in writing) and it is not possible for Supplier to provide the Services without the Subprocessor, the Subscriber shall have a right to terminate the Subscription Agreement in advance to end following the thirty (30) days’ period.
- eUpon the Subscriber’s request and without undue delay the Supplier shall provide a copy of the data processing agreement that the Supplier has entered into with the Subprocessor. The Supplier shall, however, have a right to delete or remove commercial information from such data processing agreement prior to disclosing the agreement to the Subscriber. Such a request shall be sent to Supplier by e-mail to legal@quickchannel.com.
- Where a Subprocessor fails to fulfil its data protection obligations, the Supplier shall remain fully liable to the Subscriber for the performance of the Subprocessor’s obligations.
- The Subscriber hereby gives the Supplier a general written authorization to engage Subprocessors, named in appendix Subprocessors, which are necessary to provide the Services. Supplier shall prior to engaging a new (or replacing an existing) Subprocessor which will process personal data on behalf of the Subscriber:
- Confidentiality of personal data
- Without prejudice to the confidentiality undertaking in Clause 8 in the General Terms and Conditions, the Supplier shall keep and maintain all personal data in strict secrecy and not disclose or make available the personal data to a third party, unless otherwise authorized in advance in writing by the Subscriber or otherwise required by Applicable Laws or for the performance of this DPA.
- The Supplier agrees that this confidentiality undertaking shall survive the termination of this DPA and continue to apply until all personal data have been returned or (upon the Subscriber’s written request) have been deleted or anonymized in a secure and irreversible way in accordance with Clause 9 below.
- Data subject requests
- The Supplier shall, insofar as this is possible, assist the Subscriber by taking appropriate measures for the fulfilment of the Subscriber’s obligation to respond to Data Subject Requests.
- The Supplier shall forward any Data Subject Request concerning personal data covered by this DPA to the Subscriber. Notification shall be given by e-mail to the designated e-mail address set by the Subscriber in the Orderform.
- Return of personal data
- Upon termination of the Subscription Agreement, the Subscriber shall instruct Supplier in writing whether the personal data that Supplier (or a Subprocessor) processes on behalf of the Subscriber shall (i) Subscriber download the data or (ii) be deleted in a secure and irreversible way. If the Subscriber does not provide such instruction within sixty (60) days following the termination of the Subscription Agreement, the Supplier shall delete any personal data covered by this DPA and in Supplier’s possession without undue delay. The Instruction shall be given to Supplier by e-mail to legal@quickchannel.com.
- The obligations under Clause 9.1 above do not apply if the Supplier is required under Applicable Laws to continue to store the personal data.
- The Supplier shall, upon the Subscriber’s request, provide a written notice as regards the measures taken by the Supplier to comply with its obligations under this Clause 9. Notification shall be given by e-mail to the designated e-mail address set by the Subscriber in the Orderform.
- Personal data transfers
- The Supplier shall ensure that personal data covered by this DPA will be processed and stored within the EU/EEA (including by Subprocessors engaged by the Supplier), unless the Parties agree otherwise.
- The Supplier is only entitled to transfer personal data covered by this DPA to a Third Country if the Subscriber has given its prior written authorization or if they are chosen in the Orderform and listed in this agreement in appendix Subprocessors and such transfer fulfills the requirements under Applicable Data Protection Laws.
- Request from supervisory authority
- In case a Supervisory Authority requests:
- information from the Supplier regarding its processing of personal data under this DPA; or
- that the Supplier shall disclose personal data that Supplier processes on behalf of the Subscriber under this DPA,
- The Supplier shall without undue delay notify the Subscriber thereof. Notification shall be given by e-mail to the designated e-mail address set by the Subscriber in the Orderform. The Parties shall thereafter consult regarding the Supervisory Authority’s request. The Supplier’s obligations do not apply if the Supplier is prohibited under Applicable Laws to notify or consult with the Subscriber. The Supplier may not act on the Subscriber’s behalf as agent for the Subscriber or otherwise.
- In case a Supervisory Authority requests:
- Liability
- Each Party shall be liable for any administrative fines imposed on the Party in question due to the Party’s failure fulfils its obligation under this DPA or Applicable Data Protection Laws or otherwise has processed personal data in breach of Applicable Data Protection Laws.
- Liability for any claims for damages from data subjects concerned shall be governed by Article 82 of the GDPR.
- With prejudice to Clauses 12.1 and 12.2 above, the limitation of liability included in the Subscription Agreement shall apply. The limitation of liability is, however, not applicable with respect to damages which arise in connection with breach of Clause 7 (Confidentiality of Personal Data).
- Term and termination
- This DPA enters into effect on the Start Date and applies for as long as the Supplier (or a Subprocessor engaged by the Supplier) processes personal data on behalf of the Subscriber.
- The DPA will automatically terminate if:
- a Party commits a material breach of any term of this DPA and/or substantially fails to fulfil its obligations under this DPA and fails to remedy such breach and/or failure within thirty (30) days following a written notice from the other party of the breach; or
- the other party is declared bankrupt, is subject to corporate reorganization, commence composition proceedings, goes into liquidation or otherwise can be assumed to have become insolvent.
- Clause 7 (Confidentiality of Personal Data), Clause 9 (Return of Personal Data), Clause 12 (Liability), and Clause 14 (Miscellaneous) shall survive the termination of this DPA for any reason.
- Miscellaneous
- The DPA and its appendices constitute the entire agreement between the Parties on all matters to which the DPA relates.
- Neither the rights nor the obligations of either party under this DPA may be assigned in whole or in part without the prior written consent of the other Party.
- This DPA shall be governed by Swedish law.
- Clause 13.7 in the General Terms and Conditions shall apply with respect to any dispute, controversy or claim arising out of or relating to this DPA, or the breach, termination or validity thereof.
Schedule 1 to DPA – Instruction regarding the processing of personal data for the provision of the Services
This Schedule 1 sets out the Subscriber’s Instruction with respect to the Supplier’s (and its Subprocessors) processing of personal data in connection with provision of the Services.
Purposes of the processing
The Supplier will process personal data for the purposes of providing, managing, developing and improving the Services in order to allow the Subscriber and the Users to use the Services and to fulfil its obligations under this DPA and Applicable Data Protection Laws.
Specifically, the Supplier shall process personal data on behalf of the Subscriber to:
- Create, edit, manage, store and distribute online video, communication and content using the Services,
- Enable User interactions on the Services,
- Share online video, communication and content using the Services,
- Analyse the use of the Services,
- Manage access to the Services,
- Communicate with Users regarding the Services,
- Provide support and respond to questions regarding the Services,
- Develop and improve the Services, and
- Ensure technical functionality and security of the Services.
Description of the Processing of Personal Data
Create, edit, manage, store and distribute online video, communication and content using the Services
Personal data is processed when content, including online video and communication, is created, edited, managed, stored, and distributed using the Services.
Categories of data subjects | Categories of personal data |
Users Participants | Contact information Content Identification information Profile information Technical information |
Enable User interactions on the Services
Personal data is processed when Users interact on the Services, for example in chats, polls, and using voting functionality in the Services.
Categories of data subjects | Categories of personal data |
Users Participants | Contact information Content Identification information Profile information Technical information |
Share online video, communication and content using the Services
Personal data is processed when content, including online video and communication, is shared by using the Services, for example when using integrations or the APIs.
Categories of data subjects | Categories of personal data |
Users Participants | Contact information Content Identification information Profile information Technical information |
Analyse the use of the Services
Personal data is processed when analysing the use of the Services, for example to generate statistics and reports of meetings, streams, attendance etc.
Categories of data subjects | Categories of personal data |
Users Participants | Contact information Content Identification information Profile information Technical information User generated information |
Manage access to the Services
Personal data is processed when managing access to the Services, for example when creating user accounts or granting access to the Service for Users.
Categories of data subjects | Categories of personal data |
Users | Contact information Identification information Profile information Technical information |
Communicate with Users regarding the Services
Personal data is processed when communicating with Users regarding the Services, for example to send information regarding meetings, content, updates to the Services or maintenance and incidents.
Categories of data subjects | Categories of personal data |
Users | Contact information Content Identification information Profile information Technical information |
Provide support and respond to questions regarding the Services
Personal data is processed to provide support and respond to questions regarding the Services, for example to register the support matter, carry out troubleshooting and to communicate for the same purpose.
Categories of data subjects | Categories of personal data |
Users Contact persons of the Subscriber | Contact information Content Identification information Profile information Technical information |
Develop and improve the Services
Personal data is processed to develop and improve the Services, for example to anonymize personal data for the same purpose, to test and develop functionality and to verify software fixes.
Categories of data subjects | Categories of personal data |
Users | Content Identification information Profile information Technical information |
Ensure technical functionality and security of the Services
Personal data is processed to ensure the technical functionality and security of the Services, for example for security logging, error handling, and backups.
Categories of data subjects | Categories of personal data |
All concerned categories of data subjects, including users, contact persons of the subscriber and participants | All relevant categories of personal data above |
For information on all processing of personal data and current storage times please contact legal@quickchannel.com.
Sub processors
Accepted mandatory sub processors:
Subprocessor | Purpose | Location of processing |
OVH Groupe SAS www.ovh.ie Address: 2 rue Kellermann, 59100 Roubaix, France. | Cloud service provider. Used for storage of media files, Live Events, Videosite and Storage of encrypted backups. Optionally used for CDN services. | EU |
Cleura AB cleura.com Address: Blekingegatan 1, 37157 Karlskrona, Sweden. | Cloud Service Provider Currently unused but may be used for backups, storage and Live capacity. | Sweden |
Copernica B.V. www.copernica.com Address: De Ruijterkade 112, 1011 AB, Amsterdam, Netherlands. | Mail Service Provider Used for automatic emails such as reset password or webinar invites and other communication with the service. | Netherlands |
Accepted sub processors in addition to the mandatory sub processors are decided in the Order form by one of the choices ”EU Only” or ”Global”.
With EU Only in the Orderform the following sub processors are included:
Subprocessor | Purpose | Location of processing |
BunnyWay d.o.o. Bunny.net Address: Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia. | Optional subprocessor providing CDN distribution. | EU |
Scriptix B.V. www.scriptix.io Address: Oder 20, 2491DC, The Hague, Netherlands | Optional subprocessor providing Speech-to-text transcription. | EU/EES |
With Global in Orderform the following sub processors are included:
Subprocessor | Purpose | Location of processing |
BunnyWay d.o.o. Bunny.net Address: Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia. | Optional subprocessor providing CDN distribution. | EU |
Scriptix B.V. www.scriptix.io Address: Oder 20, 2491DC, The Hague, Netherlands | Optional subprocessor providing Speech-to-text transcription. | EU/EES. |
Amazon Web Services, Inc. aws.amazon.com Address: 38 avenue John F. Kennedy, L-1855 Luxembourg. | Optional subprocessor providing CDN distribution, Storage and Live streaming. | Storage -Sweden, Ireland CDN and Live – Worldwide |
Microsoft Corporation www.microsoft.com Address: Regeringsgatan 25, 111 53, Stockholm, Sweden. | Optional subprocessor providing Integrations to AzureAD and Sharepoint. | Ireland, Netherlands |
Google Ireland Limited www.google.com Reg.no. 368047 Address: Gordon House, Barrow Street, Dublin 4, Ireland | Optional subprocessor providing: Login via Ouath2; or speech-to-text transcription; or Translation; or; Analytics integration; or Ads integration; or Chromecast functionality. | Worldwide (distributed in EU/EEA and USA). |
Vonage B.V. www.vonage.com Address: Basisweg 10 1043 AP, Amsterdam, NOORD-HOLLAND Netherlands | Optional subprocessor providing Mixing of video sources in webinars. | EU |
Place of processing
Information on which Subprocessors the Supplier has contracted and where they process the personal data can be found on quickchannel.com/gdpr.
Changes to this instruction
The Parties agree that this Instruction may be updated from time to time in order to reflect the processing of personal data carried out by the Supplier (and its Subprocessors) in connection with the provision of the Services.