CoroPlus® Data Processing Agreement

DATA PROCESSING AGREEMENT (the "DPA")

BACKGROUND AND UNDERTAKINGS

THE PARTIES AGREE THE FOLLOWING:

A   The “Customer” is a customer of AB Sandvik Coromant (the "Processor") in relation to the Processor's provision of services under the terms of service (the "Agreement"). Within the scope of the Agreement, the Processor will process personal data on behalf of Customer. This DPA constitutes a schedule to the Agreement and forms an integral part of the Agreement.

B   Within the scope of this DPA, Customer: (a) is the sole controller of Customer personal data which Processor processes on behalf of Customer; or (b) has been instructed by and obtained the authorisation of the relevant Customer Affiliate(s) to agree to the processing of personal data by Processor as set out in this DPA. Processor will process personal data on behalf of Customer in accordance with what is set forth in Annex 1.

C   Notwithstanding any priority clauses in the Agreement, this DPA is subject to the non-conflicting terms of the Agreement. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations.

D   In its capacity as processor, Processor may provide both Hosting Services and/or Support and Maintenance Services. Due to the nature of said services, the Processor's obligations herein may vary depending on which services the Processor provides under the Agreement. Such specific obligations shall be explicitly clarified in this DPA. Where no limitation to Hosting Services or Support and Maintenance Services is stated, all provisions of this DPA will apply.

1. DEFINITIONS

In this DPA, the following terms have the meanings set forth below:

"Agreement" means the underlying agreement entered into between the parties as described in recital A above;

"Applicable Data Protection Laws" means laws and regulations under EU law, including the General Data Protection Regulation "GDPR" (2016/679/EU), and relevant Member State laws that from time to time apply to the processing of personal data;

"Data Processing Agreement" means this DPA and all appendices attached hereto (as amended from time to time in accordance herewith);

"Customer Affiliate" means any entity which is controlled by Customer, which controls Customer, or which is under common control with Customer. For the purpose of this DPA, “control” of an entity means the direct or indirect ownership of more than fifty per cent (50%) of the shares or interests entitled to vote for the directors of such entity or equivalent power over the management of such entity, for so long as such entitlement or power exists.

"Hosting Services" means technology services offered to the Customer by Processor that hosts the physical servers running services for the Customer. Access to the service is usually provided through a direct network connection that may or may not run via the Internet.

"Processor Affiliate" means any entity which is controlled by Processor, which controls Processor, or which is under common control with Processor. For the purpose of this DPA, “control” of an entity means the direct or indirect ownership of more than fifty per cent (50%) of the shares or interests entitled to vote for the directors of such entity or equivalent power over the management of such entity, for so long as such entitlement or power exists.

"Third Country" means a country which is not a member of the European Union (EU) or the European Economic Area (EEA);

"Services" means the Hosting Services and/or the Support and Maintenance Services, including on premise services, as per the Agreement;

"Sub Processor" means a Processor Affiliate or a third-party engaged by Processor or a Processor Affiliate as a processor of personal data under this DPA; and

"Support and Maintenance Services" means support and maintenance provided by Processor under the Agreement.

For the purposes of this DPA, the terms recognised by the GDPR shall have the meanings set forth therein, such as "controller", "data subject", "processor", "processing", "personal data", and "personal data breach".

2. GENERAL OBLIGATIONS OF THE PROCESSOR

Instructions

2.1 Customer instructs Processor to process personal data to provide the Services in accordance with the Agreement (including this DPA). Customer may provide additional, documented instructions to Processor to process personal data; however, Processor shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this DPA.

2.1.1 In the event Customer provides additional documented instructions regarding processing of personal data, which go beyond the scope of this DPA or the Agreement, or which require the Processor to take measures over and above the standard measures taken by the Processor in order to protect the personal data processed by the Processor, Processor is entitled to remuneration for any costs incurred by the Processor as a result of such additional instructions. In such case, Processor may send a quote of the additional costs to Customer.

2.1.2 If Processor notifies Customer that an additional instruction is not feasible or Customer notifies Processor that it does not accept the quote for the additional instruction, Customer may terminate, wholly or partly (if possible), the affected Services one month after sending the Processor a written notification to terminate the affected Services. Processor will refund a prorated portion of any prepaid charges for the period after such termination date.

2.1.3 Notwithstanding what is stated in section 2.1.1 above, Processor is entitled to process the personal data to the extent it is necessary in order to comply with legal requirements under Applicable Data Protection Laws to which the Processor is subject. The Processor shall inform the Customer about such legal requirement before the processing, unless Applicable Data Protection Laws prohibit the Processor from providing the information.

2.2 Notwithstanding any provisions regarding choice of law agreed between the parties in the Agreement, Processor shall comply with Applicable Data Protection Laws applicable to processors. Customer shall comply with Applicable Data Protection Laws applicable to Customer as controller.

3. SECURITY MEASURES AND ASSISTANCE

3.1 With regard to Hosting Services, Processor shall implement appropriate technical and organisational measures as set forth in Processor’s applicable security policy (available upon request) to ensure a level of security appropriate to the risk for Processor’s scope of responsibility. Technical and organisational measures are subject to technical progress and further development. Accordingly, Processor reserves the right to modify such measures provided that the functionality and security of the Services are not degraded.

3.2 With regard to Support and Maintenance Services, Processor shall take appropriate technical and organisational measures to protect the personal data that is processed when the Processor is carrying out the Support and Maintenance Services, including measures to ensure that personal data is not unnecessarily copied or otherwise stored in the Processor's systems.

3.3 Processor shall, upon the Customer's request and taking into account the nature of the processing and the information available to the Processor, provide information to the Customer in order to allow the Customer to fulfil its obligations to, where applicable, carry out data protection impact assessments (DPIAs) and prior consultations with the relevant supervisory authority under Applicable Data Protection Laws in relation to the processing of personal data covered by the Services. Processor is entitled to compensation from the Customer for any costs and expenses relating to the Processor's assistance in accordance with the Customer's request pursuant to this section 3.3.

3.4 With regard to Hosting Services, Processor shall take measures to ensure that access to personal data is limited to such employees of the Processor who need access to the personal data in order for the Processor to fulfil its obligations under the Agreement and the DPA.

3.5 With regard to the Support and Maintenance Services, Processor shall take measures to ensure that access to personal data is limited to such employees of the Processor who need access in order to provide the Support and Maintenance Services. When a support or maintenance matter is closed, Customer shall restrict the Processor's employees' access to the personal data accessed within the scope of the support or maintenance matter.

3.6 Processor shall ensure that all employees authorised to access and process personal data observe confidentiality not less restrictive than the confidentiality undertaking set out in section 7 of this DPA.

4. PERSONAL DATA BREACH

4.1 Hosting Services

4.1.1 In the event of a personal data breach involving personal data processed on behalf of Customer and subject to this DPA, Processor shall notify Customer, in writing without undue delay, after becoming aware of the personal data breach. Processor shall notify Customer by email.

4.1.2 The notification to the Customer shall include the following information:

4.1.2.1 A description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; and

4.1.2.2 A description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.1.3 Where, and insofar as it is not possible for the Processor to provide the information set out in section 4.1.2 above at the same time, the Processor may provide the information in phases without any further undue delay.

4.2 Support and Maintenance Services

4.2.1 If Processor discovers a personal data breach within the scope of the Support and Maintenance Services and such personal data breach is attributable to the Customer's processing of personal data, the Processor shall only be responsible for notifying Customer about the personal data breach and await written instructions from Customer about whether Customer wishes that Processor shall investigate the personal data breach on behalf of Customer. If Customer requires further assistance from Processor, Processor shall be entitled to reasonable remuneration for such assistance.

4.2.2 If the personal data breach is attributable to Processor, then Processor shall without undue delay notify Customer after becoming aware of the personal data breach. Processor shall notify Customer by email and provide the following information:

4.2.2.1 A description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; and

4.2.2.2 A description of the measures taken or proposed to be taken by Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.2.3 Where, and insofar as it is not possible for Processor to provide the information set out in section 4.2.2 above at the same time, the Processor may provide the information in phases without any further undue delay.

5. ACCESS TO INFORMATION AND AUDIT

5.1 Upon request, Processor shall provide Customer documentation reasonably necessary to demonstrate compliance with Applicable Data Protection Laws applicable to Processor.

5.2 Customer may conduct an on-site inspection of the technical and organizational measures that Processor has implemented to fulfil its obligations under this DPA provided that: 

(i) The above documentary audit cannot reasonably demonstrate compliance with Applicable Data Protection Laws applicable to Processor; or 

(ii) A Supervisory Authority in the EEA requires inspection of the Processor. Customer shall notify Processor thirty (30) days in advance prior to conducting such inspection.

5.3 For the avoidance of doubt, an inspection carried out in accordance with section 5.2 above shall only comprise such information that is strictly necessary in order for Customer to determine whether Processor takes appropriate technical and organizational measures to fulfil its obligations under this DPA and shall under no circumstances comprise any other information e.g. regarding the Processor's business operations, other customers of Processor or intellectual property which is not relevant to the Processor's processing of personal data on behalf of the Customer under this DPA.

5.4 The Parties acknowledge and agree that an on-site inspection must be conducted by a third party auditor jointly appointed by both Parties. The Customer shall ensure that such third party undertakes confidentiality in relation to any information that the third party receives within the scope of the inspection, such confidentiality undertaking being not less restrictive than the confidentiality undertaking in section 7 below. Further, the inspection must occur during normal business hours and only in a manner that causes minimal disruption to Processor’s business. Customer shall be liable for any breach of such confidentiality undertaking by the third party. Any and all costs and expenses related to the inspection shall be borne by the Customer, including any potential costs and expenses incurred by the Processor due to the Processor's participation in such inspection.

6. USE OF SUB-PROCESSORS

6.1 Customer hereby agrees that Processor or a Processor Affiliate may engage Sub-Processors to process personal data on behalf of Customer. Sub-Processors that are Processor Affiliates have entered into an Intra Group Data Transfer Agreement whereby Processor and Processor Affiliates have signed the Standard Contractual Clauses ensuring the legal transfer of personal data as controller and processor within Processor’s group of companies. Processor or the relevant Processor Affiliate, as applicable, shall ensure the Sub-Processor has entered into a data processing agreement with obligations no less restrictive than those set out in this DPA.

6.2 Processor provides a list of its Sub-Processors in Annex 3, stating the:

6.2.1 Identity of the Sub-Processor (including full legal name and address);

6.2.2 Type(s) of service(s) provided by the Sub-Processor; and

6.2.3 Geographical location where the Sub-Processor will process personal data on behalf of Customer.

6.3 Processor shall provide Customer with a mechanism to obtain notice of any updates to such list.

6.4 Customer may object to a Sub Processor processing Customer’s personal data provided that such objection is reasonable and based on data protection grounds. If Processor is unable to accommodate Customer’s objection, Customer may terminate, wholly or partly (if possible), the affected Services by providing Processor with a written notice within one month of Processor’s notice. Processor will refund a prorated portion of any pre-paid charges for the period after such termination date.

Processor shall be liable for the acts and omissions of any Sub-Processors to the same extent as if the acts or omissions were performed by Processor.

7. CONFIDENTIALITY

Without prejudice to any confidentiality undertakings in the Agreement, the Processor shall keep and maintain all personal data strictly confidential and not disclose personal data to any third party, unless otherwise authorized in advance in writing by the Customer or otherwise required by applicable laws or for the performance of this DPA and/or the Agreement.

8. LIABILITY

8.1 The parties are liable jointly and severally in relation to claims from data subjects. The party compensating the data subject shall have a right to recourse in accordance with the provisions under Art 82 of the GDPR.

8.2 The parties acknowledge and agree that neither party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data Protection Laws.

8.3 For the purposes of Section 8.2 above, both parties shall, to a reasonable extent, provide information to the other party which may be useful within the scope of a supervisory matter or a court proceeding.

8.4 For the purposes of Section 8.1 above, each party's total liability shall be limited to an amount equal to the lowest of:

(i) The total amount paid by Controller for the Services under the Agreement during the 12 months immediately preceding the date on which the claim arose; or 

(ii) Any limitation cap provided for under the Agreement.

9. RIGHTS OF THE DATA SUBJECT

If a data subject directs a request to Processor to exercise its rights under Applicable Data Protection Laws (Data Subject Rights), Processor shall refer the data subject to Customer. To the extent a data subject’s personal data is not accessible to Customer through the Services, Processor will, as necessary to enable Customer to meet its obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to Customer.

10. RETURN OF PERSONAL DATA

Upon termination of the Agreement and for any Customer personal data in Processor or a Sub-Processor’s possession, Processor shall delete or anonymise such personal data or, upon Customer's written request, return such personal data to Customer, unless Processor is obligated under applicable law to continue to store the personal data.

11. TRANSFER TO AND PROCESSING OF PERSONAL DATA IN A THIRD COUNTRY

11.1 Processor is entitled to transfer personal data under this DPA to a Third Country, provided that:

11.1.1 The Third Country, according to a decision issued by the EU Commission, provides an adequate level of protection for personal data;

11.1.2 Processor ensures that there are appropriate safeguards in place for the transfer in accordance with Applicable Data Protection Laws such as the standard data protection clauses adopted by the EU Commission under Applicable Data Protection Laws; or

11.1.3 Processor is able to apply other legal mechanisms under Applicable Data Protection Laws for the transfer of the personal data.

11.2 For the purposes of section 11.1.2 above, the Customer hereby grants, to the extent permissible by applicable law, a power of attorney to Processor to execute any standard data protection clauses adopted by the EU Commission with any Sub-Processor that will process personal data on behalf of Customer, to the extent such processing will entail a transfer of personal data to a Third Country.

12. TERM AND TERMINATION

This DPA shall enter into force when the Agreement has been agreed by both parties and shall continue to apply during the term of the Agreement or the longer period during which Processor or a Sub-Processor processes personal data on behalf of Customer.

13. MISCELLANEOUS

13.1 Assignment

Neither the rights nor the obligations of either Party under this DPA may be assigned in whole or in part without the prior written consent of the other Party. The Processor may, however, assign its rights and obligations under this DPA to a company within the Processor's group of companies, provided that such company can provide sufficient guarantees that the company will be able to comply with the provisions of this DPA.

13.2 Amendments

Additions and amendments to this DPA shall be in writing and duly signed by both Parties to be valid.

13.3 Entire agreement

Without prejudice to the Agreement, this DPA constitutes the entire agreement between the Parties on all issues to which the DPA relates. The contents of this DPA and its appendices supersede all previous written or oral commitments and undertakings between the Parties on the issues to which this DPA relates.

13.4 Headings

The division of this DPA into separate sections and the insertion of headings are for convenience only and shall not affect the interpretation of this DPA.

14. APPLICABLE LAW AND DISPUTE RESOLUTION

14.1 This DPA shall be governed by and construed in accordance with Swedish law, without regard to any provisions regarding conflict of laws.

14.2 Any dispute arising out of or in connection with this DPA shall be finally settled in accordance with the dispute resolution provisions set forth in the Agreement, unless the Parties agree otherwise.

Annex 1

DESCRIPTION OF THE PROCESSING OF PERSONAL DATA COVERED BY THE DPA

This Annex 1 includes a description of the processing of personal data carried out by the Processor on behalf of the Customer, pursuant to the DPA.

1. HOSTING SERVICES

Categories of data subjects
Employees of the Customer or any other User of the service

Categories of Personal data
Email address

Purpose(s) of the Processing
For the performance of the Services under the Agreement.

Processing Operations
Hosting of the service, including customer data. Track events and changes in the software for reporting purposes.

Locations
The Personal data are Processed by the Processor in EU (unless otherwise specified in Annex 3).

Retention of Personal data
The Processor will retain the Customer's Personal data in accordance with the Customer's from time to time provided instructions or such longer period necessary for the Processor to fulfil its obligations according to Applicable Laws.

2. SUPPORT AND MAINTENANCE SERVICES

Categories of data subjects
Employees of the Customer or any other User of the service

Categories of Personal data
Name, Address, email, phone number, company name, country.

Purpose(s) of the Processing
For the performance of the Services under the Agreement.

Processing Operations
Maintenance or updates of the service, support provided to Users (e.g. customer service, installation or account administration).

Locations
The Personal Data are Processed by the Processor in EU.

Retention of Personal data
The Processor will retain the Customer's Personal data in accordance with the Customer's from time to time provided instructions or such longer period necessary for the Processor to fulfil its obligations according to Applicable Laws.

Annex 2

SECURITY MEASURES

Available on Request

Annex 3

LIST OF SUB PROCESSORS

Sub Processor
Microsoft Ireland Operations Limited
One Microsoft Place,
South County Industrial Park,
Leopardstown,
Dublin 18,
D18 P521

Microsoft AB
Regeringsgatan 25
111 53 Stockholm
Stockholms län Sweden

Data processing service
Hosting of service on Microsoft Azure cloud

Processing location
EU


Sub Processor
IPS Solutions Est.
Postfach 209
Landstrasse 104
9490 Vaduz
Liechtenstein

Data processing service
Support, development, and maintenance services

Processing location
EU, EEA


Sub Processor
SANDVIK ASIA PVT. LTD.
Mumbai - Pune Road,
Dapodi, Pune - 411012. India

Data processing service
Analytics necessary for compliance with a legal obligation to which the controller is subject, i.e. trade law and export control regulations

Processing location
PUNE, INDIA


Sub Processor
Sandvik Coromant Global Contact and Support Center
7th Floor, Kirloskar Tech Park,
Hebbal, Bangalore - 560024, India

Data processing service
Analytics necessary for compliance with a legal obligation to which the controller is subject, i.e. trade law and export control regulations

Processing location
BANGALORE, INDIA


Sub Processor
Stripe Payments Europe, Ltd
The One Building, 1, Lower Grand Canal Street, Dublin 2, Ireland

Data processing service
Payment processing services

Processing location
UNITED STATES, CANADA


Sub Processor
ZignSec AB (publ)
Gävlegatan 12B, SE-113 30 Stockholm, Sweden

Data processing service
Analytics necessary for compliance with a legal obligation to which the controller is subject, i.e. trade law and export control regulations

Processing location
GERMANY


Sub Processor
SAP Svenska AB
Sveavägen 44, 111 34 Stockholm, Sweden

Data processing service
Assigning and connecting email address to software license

Processing location
GERMANY


Sub Processor
Sandvik Holdings Ltd, Sandvik Information Systems UK,
Manor Way, Halesowen, West Midlands
B62 8QZ, Birmingham

Data processing service
Analytics necessary for compliance with a legal obligation to which the controller is subject, i.e. trade law and export control regulations

Processing location
UNITED KINGDOM
