Data Controller: Customer as defined in the main contract for the Charging and Payment Service
Personal Data Processor: ChargeNode Europé AB
Org No: 559188-1130
Address: Neongatan 4B, 431 53 Mölndal
E-mail: info@chargenode.eu
Date of entry into force of the Agreement: The agreement shall enter into force upon signing of the main contract for the charging and payment service
This Agreement governs the processing of personal data by the processor on behalf of the controller in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).
For the purposes of this Agreement, the following definitions apply:
Data Controller: a natural or legal person, public authority, institution or other body that alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Personal Data Processor: Natural or legal person, public authority, institution or other body that Processes Personal Data on behalf of the Data Controller
Personal data“any information relating to an identified or identifiable natural person, an identifiable natural person being a person who can be identified directly or indirectly in particular by reference to an identifier such as a name, identification number, location data or online identifiers or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person.
Treatment: an action or combination of actions relating to Personal Data or sets of Personal Data, whether carried out automatically or not, such as collection, registration, organisation, structuring, storage, processing or alteration, production, reading, use, disclosure by transmission, dissemination or other provision, adjustment or aggregation, restriction, erasure or destruction
Data Protection Legislation: Refers to all privacy and personal data laws, as well as other laws, regulations and regulations applicable to the Processing under this PUB Agreement, including such national and EU laws
Logging: Logging is the continuous collection of data relating to the Processing of Personal Data carried out under this PUB Agreement and which may be linked to an individual natural person.
Personal Data Incident: a security incident that results in accidental or unlawful destruction, loss or alteration, or to unauthorised disclosure or unauthorised access to the Personal Data transferred, stored or otherwise Processed.
Registered: Natural person whose Personal Data is Processed.
3.1 Purpose and scope
With this Data Processor Agreement (hereinafter collectively referred to as the “PUB Agreement”), the Data Controller governs the Processing of Personal Data by the Personal Data Processor on behalf of the Data Controller. The purpose of the PUB Agreement is to ensure the Data Subject's rights and freedoms in the Processing, as set out in Article 28 (3) of the General Data Protection Regulation EU 2016/679 (the “Data Protection Regulation”).
3.2 Processing of personal data
The Controller hereby appoints the Personal Data Processor to carry out the Processing on behalf of the Data Controller in accordance with this PUB Agreement. The Controller shall provide written Instructions to the Data Processor on how to carry out the Processing. The Data Processor may only carry out the Processing in accordance with the PUB Agreement and the Instructions in force at any time.
4.1 The Controller is responsible for ensuring that there is a legal basis for the Processing at all times and for formulating correct Instructions, taking into account the nature of the Processing, so that the Data Processor and any Sub-Processor can carry out their duties under this PUB Agreement and the Master Agreement where applicable.
4.2 The Controller shall without undue delay inform the Personal Data Processor about changes in the Processing which affect the Data Processor's obligations under the Data Protection Legislation.
4.3 The Controller is responsible for informing the Data Subject about the Processing and for exercising the Data Subject's rights under the Data Protection Legislation and taking any other action that is incumbent on the Controller under the Data Protection Legislation.
5.1 The Data Processor undertakes to carry out the Processing only in accordance with the PUB Agreement and for the specific purposes specified in the Instructions and to comply with the Data Protection Legislation. The personal data processor also undertakes to be continuously informed about the applicable law in this area.
5.2 The Data Processor shall take measures to protect the Personal Data against all types of Processing that are not in accordance with the PUB Agreement, Instructions and Data Protection Legislation.
5.3 The Data Processor undertakes to ensure that all natural persons working under its management comply with the PUB Agreement and Instructions and that the natural persons are informed of the relevant legislation.
5.4 The Data Processor shall, at the request of the Controller, assist the Data Controller in ensuring that the obligations under Articles 32 to 36 of the GDPR are fulfilled and respond to requests for the exercise of the Data Subject's rights in accordance with the General Data Protection Regulation, Chapter 5. III, taking into account the type of Processing and the information available to the Data Processor.
5.5 In the event that the Personal Data Processor finds that Instructions are unclear, in violation of the Data Protection Legislation or are missing and the Personal Data Processor considers that new or supplementary Instructions are necessary to implement its obligations, the Data Processor shall promptly inform the Data Controller, temporarily cease the Processing and await new Instructions, unless the parties agree otherwise.
5.6 In the event that the Controller provides the Personal Data Processor with new or amended Instructions, the Personal Data Processor shall, without undue delay from receipt, notify the Data Controller whether the implementation of the new Instructions results in changing the costs incurred by the Personal Data Processor.
6.1 The Data Processor shall take all appropriate technical and organisational security measures required by the Data Protection Legislation to prevent personal data breaches, by ensuring that the Processing complies with the requirements of the Data Protection Regulation and that the rights of the Data Subject are protected.
6.2 The Data Processor shall continuously ensure that the technical and organisational security associated with the Processing provides an appropriate level of confidentiality, integrity, accessibility and resilience.
6.3 Any additional or modified requirements for protection measures by the Controller, after the parties have signed the PUB Agreement, shall be considered as new Instructions under the PUB Agreement.
6.4 The Personal Data Processor shall, through authorization control systems, grant access to the Personal Data only to natural persons who work under the direction of the Personal Data Processor and who need access in order to perform their duties.
6.5 The Personal Data Processor undertakes to continuously Log access to the Personal Data under the PUB Agreement to the extent required by the Instruction. Logs may not be deleted until five (5) years after the Logging Date unless otherwise specified in the Instruction. Logs shall be subject to the necessary safeguards, in accordance with data protection legislation.
6.6 The Data Processor shall systematically test, investigate, evaluate and ensure the effectiveness of the technical and organisational measures to ensure the safety of the Processing.
7.1 The Data Processor and all natural persons working under its direction shall observe both confidentiality and confidentiality in the Processing. Personal data may not be used or disseminated for other purposes, either directly or indirectly, unless otherwise agreed.
7.2 The Data Processor shall ensure that all natural persons working under its supervision who participate in the Processing are bound by a confidentiality obligation regarding the Processing. However, this is not required if they are already subject to a penal duty of professional secrecy imposed by law. The Data Processor also undertakes to ensure that there are confidentiality agreements with the Sub-Processor and confidentiality relationships between the Sub-Processor and all natural persons working under its direction who participate in the Processing.
7.3 The Data Processor shall promptly inform the Controller of any contacts with the supervisory authority regarding the Processing. The Data Processor does not have the right to represent the Controller or act on behalf of the Data Controller vis-à-vis supervisory authorities in matters relating to the Processing.
7.4 If the Data Subject, supervisory authority or third party requests information from the Data Processor concerning the Processing, the Data Processor shall inform the Data Controller about the matter. Information about the Processing may not be disclosed to the Data Subject, supervisory authority or third party without the written consent of the Controller, unless it is stipulated by mandatory law that information must be provided. The personal data processor shall assist in the transmission of information subject to consent or legal requirements.
8.1 As part of its guarantees, pursuant to Article 28 (1) of the General Data Protection Regulation, the Data Processor shall, at the request of the Data Controller, be able to disclose, without undue delay, the technical and organisational security measures used for the Processing to comply with the requirements of the PUB Agreement and Article 28 (3) (h) of the Data Protection Regulation.
8.2 The Data Processor shall at least once (1) annually review the security of the Processing by means of a self-check to ensure that the Processing complies with the PUB Agreement. The results of such self-examination shall be communicated in the course of regular contractual follow-up with the Controller.
8.3 The Data Controller has the right to follow up, by himself or through another third party appointed by him (who may not be a competitor to the Personal Data Processor), that the Personal Data Processor complies with the requirements of the PUB Agreement, the Instructions and the Data Protection Legislation. In such an audit, the Data Processor shall assist the Controller, or the person performing the audit in place of the Controller, with documentation, access to premises, IT systems and other assets necessary to be able to review the Data Processor's compliance with the PUB Agreement, Instructions and Data Protection Legislation. The Controller shall ensure that personnel carrying out the audit are subject to confidentiality or non-disclosure obligations under law or contract.
8.4 Alternatively to what is stipulated in paragraphs 9.2 to 9.3, the Data Processor has the right to offer other means of review of the Processing, such as review by independent third parties. In such cases, the Controller shall have the right, but not the obligation, to apply this alternative audit approach. In the event of such an audit, the Data Processor shall provide the Controller or a third party with the assistance necessary for carrying out the audit.
8.5 The Personal Data Processor shall prepare the supervisory authority, or any other authority which has the legal right to do so, to carry out supervision at the request of the authority in accordance with the legislation in force at any time, even if such supervision would otherwise be contrary to the provisions of the PUB Agreement.
8.6 The Personal Data Processor shall insure the Data Controller's rights vis-à-vis the Sub-Processor which correspond to all the rights of the Data Controller vis-à-vis the Personal Data Processor pursuant to Section 9 of the PUB Agreement.
9.1 In the event that the Controller requests rectification or erasure due to the Data Processor's incorrect Processing, the Personal Data Processor shall take appropriate action without undue delay, at the latest within thirty (30) days, from the date on which the Data Processor has received the required information from the Data Controller. When the Data Controller has requested erasure, the Data Processor may only perform the Processing of the Personal Data in question as part of the process of rectification or erasure.
9.2 If technical and organisational measures (e.g. upgrades or troubleshooting) are taken by the Data Processor in the Processing, which may affect the Processing, the Data Processor shall inform the Controller in writing in accordance with the provisions of the Notices in Section 18 of the PUB Agreement. The information shall be provided in good time before the action is taken.
10.1 The Data Processor shall have the ability to restore the availability and access to the Personal Data in a reasonable time in the event of a physical or technical incident in accordance with Article 32 (1) (c) of the General Data Protection Regulation.
10.2 The Data Processor undertakes, taking into account the nature of the Processing and the information available to the Personal Data Processor, to assist the Data Controller in fulfilling its obligations in the event of a Personal Data Incident in relation to the Processing. At the request of the Data Controller, the Data Processor shall also assist in investigating suspicions of any unauthorized Processing and/or access to the Personal Data.
10.3 In the event of a Personal Data Incident of which the Personal Data Processor has become aware, the Personal Data Processor shall without undue delay notify the Data Controller in writing of the incident. The Data Processor shall, taking into account the type of Processing and the information available to the Data Processor, provide the Controller with a written description of the Personal Data Incident.
10.4 The description shall account for:
... the nature of the personal data breach and, where possible, the categories and number of Data subjects concerned and the categories and number of personal data items concerned;
... the likely consequences of the personal data breach, and
... measures that have been taken or proposed and measures to mitigate the potential adverse effects of the Personal Data Incident.
10.5 If it is not possible for the Data Processor to provide the complete description at the same time, in accordance with clause 11.3 of the PUB Agreement, the description may be provided in installments without undue further delay.
11.1. The personal data processor is obliged to inform the controller when new sub-processors are hired. The personal data processor undertakes to conclude contracts and ensure that all sub-processors are subject to the same conditions that apply to the personal data processor. The personal data processor is fully responsible for the sub-processors hired in relation to the controller.
11.2 If the Personal Data Processor intends to engage Sub-Processors, it shall provide information on the type of data and categories of data subjects a given Sub-Processor shall deal with, as well as its capacity and ability to comply with its obligations under data protection legislation and other relevant legislation with regard to the processing of personal data.
11.3 The Data Processor shall, at the request of the Data Controller, send a copy of the Personal Data Processing Agreement with the Sub-Processor.
11.4 The Personal Data Processor also undertakes to inform the Data Controller of any plans to cease using an approved sub-processor.
12.1 The Data Processor shall ensure that the personal data are (handled and) stored within the EU/EEA, unless the parties agree otherwise.
12.2 The Data Processor has the right to transfer personal data to third countries, for example, for service, support, maintenance, development, operation or similar processing, if the controller has authorised such transfer and issued specific instructions (Appendix 1).
12.3 Transfers to third countries may only take place if the Data Protection and other relevant legislation and this Agreement and the related instructions are complied with.
13.1 In the event of compensation for damage caused by a judgment or other decision to the data subject due to a breach of any provision of this Agreement, instruction of the Controller or the applicable data protection provision, Article 82 GDPR shall apply.
13.2 Penalty fees pursuant to Article 83 of the General Data Protection Regulation or Chapter 6, Section 2 of the Act (2018:218) and supplementary provisions to the EU Data Protection Regulation shall be borne by the Party charged with such a charge.
13.3 If the Data Controller becomes aware of a circumstance that may lead to damages or liability for payment of the Personal Data Processor, the Data Controller shall immediately inform the Personal Data Processor about the relationship and actively work together with the Data Processor to prevent and minimize such damages or liability for payment.
13.4 Notwithstanding the provisions of the Main Agreement and its Annexes, 13.1 and 13.2 apply before other rules on the allocation of claims between the Parties with regard to the processing of personal data.
14.1 The PUB Agreement shall apply from the date on which the PUB Agreement is signed by both parties and until further notice. The parties have the mutual right to terminate the PUB Agreement to terminate upon thirty (30) days' notice.
15.1 The termination of the PUB Agreement will result in a breach of contract which may constitute grounds for termination of the main contract.
15.2 Upon termination of the PUB Agreement, the Data Processor shall, without undue delay, whichever the Controller chooses, either delete and certify to the Controller that it has been executed, or return
... all Personal Data Processed on behalf of the Data Controller and
... all related information such as Logs, Instructions, system solutions, descriptions and other documents obtained by the Data Processor through the exchange of information under the PUB Agreement.
15.3 In connection with the return, the Data Processor shall also delete existing copies of Personal Data and related information.
15.4 The obligation to delete or return Personal Data or related information does not apply where the storage of the Personal Data or information is required by Union or relevant national law where Processing may be carried out under the PUB Agreement.
15.5 The return of Personal Data or related information shall be in a commonly used and standardised format, unless otherwise agreed between the parties.
15.6 Until the data is deleted or returned, the Data Processor shall ensure compliance with the PUB Agreement.
15.7 Return or deletion under the PUB Agreement shall be made no later than thirty (30) calendar days from the date of termination of the Pub Agreement, unless otherwise specified in the Instruction. Processing of Personal Data that the Personal Data Processor performs thereafter is considered as unauthorized Processing.
15.8 Section/confidentiality provisions in Section 8 shall continue to apply even if the Pub Agreement otherwise lapses.
16.1 When interpreting and applying the PUB Agreement, Swedish law applies with the exception of the conflict-of-law rules. Disputes arising from the Pub Agreement shall be settled by the competent Swedish court.
17.1 This PUB Agreement is provided in digital format as an annex to the ChargeNode Charging and Payment Services Agreement, and is deemed to be signed at the time of signing said Agreement.
1. Purpose of the treatment
ChargeNode processes personal data to provide charged and paid services, including:
management of user accounts and member information
management of charging sessions and billing
support, troubleshooting and operation
security logging and incident management
2. Categories of data subjects
Members/Users who use the Charging Services
3. Categories of personal data
Contact details (name, email, telephone)
User/Member ID
Charging history
Billing details
Technical Logs
4. Treatments that ChargeNode may perform
ChargeNode may carry out the following operations in order to fulfil its obligations:
storing
viewing
registration and updating
debugging and logging
erase/thinning according to retention policy
transfer to sub-contractors under contract
5. Thinning and storage time
Data will be processed for as long as the customer agreement is valid and 12 months thereafter.
6th. Sub-assistants
ChargeNode may use the subprocessors specified in the current list, which are updated on an ongoing basis.
7. Deviations
If the customer requests processing in addition to these instructions, the customer must provide written supplementary instructions, which are considered new instructions under the PUB agreement.
Charge Node Europe AB
Neongatan 4B
431 53 Molndal
