Data Processing Agreement Lime Go

This Data Processing Agreement (the “Agreement”) has been concluded between the Customer (as defined in the General Terms and Conditions Lime Go – Subscription (SAAS)) and Lime Technologies Sweden AB (“Lime Technologies”). The Customer is the Data Controller and Lime Technologies is the Data Processor.
Hereinafter referred to as the “Data Controller” or “Data Processor” respectively, or the “party” or collectively as “the parties”.
For the parties’ collaboration regarding data protection, such as requests from Data Subjects and notifications of data breaches, the Data Processor uses the Data Controller’s reference according to the Principal Agreement as contact person.

1 Background

1.1 The Data Controller and Data Processor have entered into an agreement regarding a licence or subscription for the Data Processor’s software products (the “Principal Agreement”), which means that the Data Processor will carry out Processing of Personal Data on behalf of the Data Controller.

1.2 The Agreement governs the Data Processor’s Processing of Personal Data on behalf of the Data Controller. The parties have entered into this Agreement in order to comply with the requirements of Applicable Data Protection Legislation.

1.3 This Agreement takes precedence over conflicting or incompatible provisions on the Processing of Personal Data in the Principal Agreement. This Agreement presupposes and is not valid without reference to the Principal Agreement.

1.4 The parties confirm that the undersigned have the authority to enter into the Agreement.

2 Definitions

2.1 In addition to the terms defined in the body text of the Agreement, the following terms shall have the meanings set out below.

2.2 Personal Data: Any type of data relating to an identified or identifiable person (the Data Subject).

2.3 Data Subject: An identified or identifiable natural person. An identifiable person is someone who can be identified, either directly or indirectly, particularly through reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity.

2.4 Processing (of Personal Data): Any measure or series of measures taken in respect of Personal Data, regardless of whether or not this takes place automatically, e.g. collection, registration, organisation, storage, adaptation or modification, search, consultation, use, transfer, dissemination or other supply, compilation or combination, blocking, deletion or destruction.

2.5 Data Controller: A natural or legal person, authority, institution or other body that alone or together with others determines the purposes and means for the Processing of Personal Data.

2.6 Data Processor: A natural or legal person, authority, institution or other body that carries out Processing of Personal Data on behalf of the Data Controller.

2.7 Applicable Data Protection Legislation: The General Data Protection Regulation (GDPR) – i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC – and national laws that implement or supplement the GDPR and apply to the Processing of Personal Data under this Agreement.

2.8 Third Country: A country outside of the EU/EEA.

3 Processing of Personal Data

3.1 The Data Processor shall carry out Processing of Personal Data only in accordance with this Agreement and in accordance with documented instructions issued by the Data Controller, unless the Data Processor is obliged under EU law (including the national laws of its member states) to carry out Processing of the Personal Data.

3.2 The Data Controller shall issue written instructions to the Data Processor on how to carry out the Processing.

3.3 The Data Processor shall carry out Processing of the Personal Data for the entire term stated in the Principal Agreement and for a limited period thereafter (see section 12). Appendix A contains information on the Processing of Personal Data including i) categories of Personal Data, ii) categories of Data Subject, iii) nature and purpose of the Processing, iv) site for Processing and v) duration of the Processing.

4 The obligations of the Data Processor

By signing this Agreement, the Data Processor is confirming the following.

4.1 The Data Processor shall carry out the Processing only in accordance with the Agreement and instructions. For the sake of clarity, the Data Processor may carry out Processing of Personal Data if such Processing is required in accordance with a relevant law that applies to the Data Processor. The Data Processor shall inform the Data Controller of such requirements if it is not prohibited from disclosing such information due to an important public interest. When Processing Personal Data in accordance with the Agreement, the Data Processor shall comply with Applicable Data Protection Legislation.

4.2 The Data Processor shall ensure that all natural persons who work under its management and have access to Personal Data comply with the Agreement and the Data Controller’s instructions.

4.3 During the Processing, the Data Processor and its staff shall observe a duty of confidentiality and secrecy regarding the Personal Data they have access to under this Agreement. This provision also applies after the Agreement is terminated.

4.4 The Data Processor shall take the security precautions required by Article 32 of the GDPR.

4.5 To the extent possible, the Data Processor shall help the Data Controller fulfil its obligations towards the Data Subjects by taking appropriate technical and organisational measures.

4.6 At the request of the Data Controller, the Data Processor shall assist the Data Controller in ensuring that the obligations under Articles 32–36 of the GDPR are met, taking into account the type of Processing and the information available to the Data Processor.

4.7 The Data Processor shall notify the Data Controller immediately if the Data Processor considers the Data Controller’s instructions to be unclear or in any way contrary to Applicable Data Protection Legislation. The Data Processor shall not carry out such an instruction until the Data Controller has confirmed that the instruction is lawful.

5 The obligations of the Data Controller

By signing this Agreement, the Data Controller is confirming the following.

5.1 The Agreement satisfies the Data Controller’s obligation to prepare a data processing agreement in accordance with Applicable Data Protection Legislation.

5.2 When using the services provided by the Data Processor in accordance with the Principal Agreement, the Data Controller shall carry out Processing of Personal Data in accordance with Applicable Data Protection Legislation. The Data Controller is responsible for ensuring that there is a lawful basis for the Processing at all times and for formulating correct instructions so that the Data Processor (and its subprocessors) can fulfil its commitments and obligations under this Agreement and, if applicable, the Principal Agreement.

5.3 The Data Controller is authorised to carry out Processing of and disclose the Personal Data covered by the Principal Agreement to the Data Processor (including to any subprocessors it may have).

5.4 The Data Controller is solely responsible for the accuracy, integrity, content, reliability and legality of the Personal Data disclosed to the Data Processor. The Data Processor does not bear any responsibility for any consequences of the Personal Data it receives being found to be incorrect.

5.5 The Data Controller has fulfilled its obligations to provide mandatory information to the Data Subjects about Processing of Personal Data and the transfer of Personal Data to the Data Processor and the Data Processor’s Processing of Personal Data in accordance with Applicable Data Protection Legislation.

5.6 When using the services provided by the Data Processor in accordance with the Principal Agreement, the Data Controller may not disclose any sensitive Personal Data to the Data Processor.

5.7 The Data Controller shall notify the Data Processor without delay of any changes to its contact person or contact information.

6 Security precautions

6.1 The Data Processor shall meet the general security requirements provided for in Article 32 of the GDPR. The Data Processor shall therefore ensure an appropriate level of security for the Processing, including secrecy, integrity and access to the Personal Data, through systematic, organisational and technical measures, taking into account the latest technology and the costs of implementation in relation to the risk associated with the Processing.

6.2 Documentation regarding this must be presented at the request of the Data Controller. The Data Processor is therefore obliged to give the Data Controller access to information about security checks and other measures taken by the Data Processor to protect Personal Data and comply with Applicable Data Protection Legislation. If the Data Controller requests information about security checks in addition to the standard information provided by the Data Processor, the Data Processor may charge the Data Controller for such additional service and assistance.

6.3 The Data Processor has developed internal data protection rules which aim to protect confidentiality, integrity and access to Personal Data. The following measures are especially important in this context:

  1. Data communication. During external transfers, Personal Data shall be protected from unauthorised access and influence through technical methods, such as encryption.
  2. Authorisation checks. Access to Personal Data shall be restricted by prohibiting staff from collecting, handling and/or using Personal Data without permission or for purposes other than delivering the service in accordance with the Principal Agreement and fulfilling the obligations set out in this Agreement.
  3. Protection against vulnerabilities. The Data Processor shall actively work to detect and prevent incidents caused by technical vulnerabilities.
  4. Access control. Computer equipment and storage media shall be protected against unauthorised use, influence or theft.
  5. Backups. Personal Data shall be backed up regularly. The backup copies shall be stored separately and be well protected so that the Personal Data can be recreated following a disturbance.
  6. Transfers. Components/systems involved in the Processing and transfer of Personal Data between the parties (the Data Controller and the Data Processor along with its subprocessors) are mapped and documented.

7 Audits and inspections

7.1 The Data Processor shall provide the Data Controller with access to all the information required to demonstrate that the obligations arising from the Agreement have been fulfilled and to enable and contribute to audits, including inspections, carried out by the Data Controller or a third party appointed by the Data Controller.

7.2 The Data Controller may review the Data Processor’s compliance with the Agreement a maximum of one (1) time a year. If required by Applicable Data Protection Legislation, the Data Controller may require more frequent reviews.

7.3 To request an audit, the Data Controller shall submit a detailed audit plan to the Data Processor at least four weeks before the proposed audit. The plan must include the scope, duration and proposed start date of the audit. If the audit is to be carried out by a third party, as a general rule this must be agreed between the Data Controller and the Data Processor. If the Processing takes place in an environment with Personal Data deriving from other data controllers or similar, the Data Processor may, at its own discretion, decide for security reasons that the audit shall be performed by a generally highly regarded audit company chosen by the Data Processor.

7.4 If the requested audit has already been performed and described in a report in accordance with ISAE 3402, ISO or similar by a qualified third-party auditor within the last 12 months, and the Data Processor confirms that the audited controls have not changed materially, the Data Controller must accept these results instead of requesting an audit of the controls covered by the report.

7.5 The audit shall be carried out during the facility’s normal business hours in accordance with the Data Processor’s policies and may not cause unreasonable disruption to the Data Processor’s operations.

7.6 The Data Controller is responsible for all costs arising in connection with an audit requested by the Data Controller and the Data Processor’s assistance in this regard.

7.7 The Data Processor shall give the supervisory authority, or another authority that is legally entitled to it, the opportunity to carry out supervision in accordance with the applicable legislation at any time. The Data Processor and its staff shall, upon request, co-operate with the supervisory authority as it performs its duties.

8 Support for the Data Controller

8.1 Taking into account the nature of the Processing and as far as possible, the Data Processor shall assist the Data Controller with appropriate technical and organisational measures so that the Data Controller can fulfil its obligation to respond to requests for Data Subjects to exercise their rights.

8.2 As far as practically possible and lawful, the Data Processor shall notify the Data Controller of i) requests received from Data Subjects to disclose Personal Data, except when the Data Controller has authorised the Data Processor to respond to such a request, and ii) requests from authorities to disclose Personal Data, except where the Data Controller has authorised the Data Processor to respond to such a request.

8.3 The Data Processor may, however, be prevented from notifying the Data Controller due to investigation secrecy during a law enforcement investigation. The Data Processor shall not disclose information about this Agreement to authorities with regard to Personal Data, unless it is required to do so by law or the request is supported by a court decision, search warrant or similar.

8.4 Taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring that the obligations under Applicable Data Protection Legislation are fulfilled, including (if applicable) the Data Controller’s obligation to i) take appropriate technical and organisational measures, ii) report data breaches to the supervisory authority, iii) notify Data Subjects of data breaches, iv) carry out impact assessments regarding data protection and v) consult the supervisory authority prior to Processing.

8.5 The Data Processor shall notify the Data Controller in writing without undue delay if the Data Processor has become aware of a data breach. The Data Processor shall provide the Data Controller with a description of the data breach. In the event that the Data Processor does not have all of the relevant information regarding the data breach when it first informs the Data Controller that a data breach has taken place, the Data Processor may provide such information in batches.

8.6 The Data Processor is entitled to charge the Data Controller for work carried out and reasonable costs that have arisen in connection with the Data Processor’s support as described above and in accordance with Applicable Data Protection Legislation. This includes e.g. work and costs that have arisen from Data Subjects having requested register extracts regarding the Processing of their Personal Data, the erasure of Personal Data, the transfer of Personal Data (portability) or the disclosure of mandatory information to Data Subjects.

9 Use of subprocessors

9.1 As part of the service delivery provided by the Data Processor to the Data Controller in accordance with the Principal Agreement, the Data Processor is hereby given general written prior authorisation to use subprocessors for the Processing of Personal Data on behalf of the Data Controller.

9.2 The Data Processor shall ensure that all subprocessors are bound by written agreements which ensure that the subprocessor is subject to obligations regarding the Processing of Personal Data that, as a minimum, correspond to the obligations set out in this Agreement.

9.3 If the subprocessor does not fulfil its obligations in accordance with Applicable Data Protection Legislation, the Data Processor shall be fully responsible to the Data Controller for carrying out the subprocessor’s obligations.

9.4 The Data Processor shall make available an updated and current list of subprocessors that are used to carry out the services provided by the Data Processor under the Principal Agreement. The list shall contain information about the identity of the subprocessors, the contact person for the subprocessor, where the Personal Data is processed and a general description of the type of service provided by each subprocessor. The list of subprocessors is available at Lime’s website. By signing this Agreement, the Data Controller is approving the Data Processor’s use of the listed subprocessors.

9.5 The Data Processor shall notify the Data Controller of any plans to hire a new subprocessor or replace an existing one. The Data Controller may object to such changes. If no objection is made within ten (10) days of receipt of the notification, it is assumed that the Data Controller has not made any objection.

9.6 The Data Processor is entitled to take appropriate corrective measures in the event of such an objection. If the Data Controller finds that no corrective measures have been taken or the objection has not been remedied within thirty (30) days, the Data Processor is entitled to terminate the Agreement and, if the Agreement is necessary for the Data Processor to fulfil its obligations under the Principal Agreement, terminate the Principal Agreement through written notification.

10 Transfer of personal data to a Third Country

10.1 The Data Processor and its subprocessors may transfer Personal Data to a Third Country to the extent that it is necessary in order to perform the services provided by the Data Processor in accordance with the Principal Agreement and provided that the transfer takes place in accordance with Chapter V of the GDPR.

10.2 When using standard contractual clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or decisions and standard contractual clauses that replace these clauses), the Data Processor or subprocessor is entitled at its own discretion to decide which version and which modules of the standard contractual clauses apply in an individual case.

10.3 In accordance with the requirements set out in Applicable Data Protection Legislation regarding transfers based on appropriate security precautions being taken, the Data Processor shall carry out a risk assessment in each individual case to ensure that legislation in the Third Country in question does not adversely affect the effectiveness of the appropriate safeguards and to ensure that there are effective remedies for Data Subjects. If necessary, the Data Processor shall identify and implement supplementary measures, such as technical, organisational or contractual measures, to ensure that the level of protection in the Third Country in question is substantially equivalent to the level of protection within the EU/EEA.

10.4 Section 10.3, and the risk assessments carried out by the Data Processor in accordance with 10.3, do not limit the Data Controller’s responsibility for Processing Personal Data in accordance with Applicable Data Protection Legislation. The Data Controller confirms that it must carry out its own risk assessments and must not rely on the risk assessments carried out by the Data Processor, or any supplementary measures taken by the Data Processor, fulfilling the requirements for the Data Controller’s Processing of Personal Data in accordance with Applicable Data Protection Legislation.

10.5 At the reasonable request of the Data Controller, the Data Processor shall report the information on which the risk assessment is based. The Data Controller is entitled to object in writing to the Data Processor’s risk assessments if they are changed after the Agreement comes into force and the Data Controller deems that the new risk assessments do not fulfil the requirements for the Data Controller’s Processing of Personal Data in accordance with Applicable Data Protection Legislation. The Data Controller is entitled to request that the Data Processor take appropriate corrective measures. If the parties do not agree on the risk assessment and/or appropriate corrective measures within thirty (30) days, the Data Processor is entitled to terminate the Agreement and, if the Agreement is necessary for the Data Processor to fulfil its obligations under the Principal Agreement, it is entitled to terminate the Principal Agreement through written notification.

10.6 In the event that the European Court of Justice, European Commission or any other competent EU institution or national court or authority finds the transfer mechanism used for the transfer to a Third Country to be invalid or illegal, the Data Processor shall ensure that all Processing of Personal Data in a Third Country is based on another (valid) transfer mechanism.

11 Term of Agreement

11.1 This Agreement is valid for as long as the Data Processor carries out Processing of Personal Data on behalf of the Data Controller in accordance with the Principal Agreement.

11.2 This Agreement automatically ceases to apply when the Principal Agreement is terminated.

12 Measures upon termination of the Agreement

12.1 Upon termination of this Agreement, the Data Processor shall, depending on what the Data Controller instructs the Data Processor in writing, erase or return all Personal Data being Processed on behalf of the Data Controller in accordance with the Agreement, as well as all copies of the data, unless storage of the Personal Data is required in accordance with Applicable Data Protection Legislation.

12.2 If the Data Controller has not provided any instructions or responded to the Data Processor’s request for instruction sixty (60) days after termination of the Agreement, the Data Processor shall return all Personal Data to the Data Controller and then erase the Personal Data.

13 Confidentiality

The Data Processor shall not, during the term of the Agreement or thereafter, disclose information about the Processing of Personal Data in accordance with this Agreement to a third party or otherwise reveal information received as a result of this Agreement. The confidentiality obligation does not apply to information that the Data Processor is obliged to disclose to authorities. In addition to this section (13), the confidentiality obligations in the Principal Agreement shall also apply.

14 Amendments and additions

14.1 Amendments to this Agreement may occur due to changes in legislation, security requirements or other practical circumstances. In the event of an amendment that affects the Processing of Personal Data in accordance with this Agreement, the other party shall be notified by means of an e-mail sent to its contact person stated above. Such notification of an amendment shall be deemed to have been accepted by the other party, provided that the other party has not made reasonable objections in writing within thirty (30) days of the date of the notification.

14.2 Should a competent court, authority or arbitration board find that any provision in this Agreement is unenforceable or invalid, the other provisions shall not be affected. In that regard, the parties shall replace the unenforceable or invalid provision with a lawful provision that reflects the purpose of the unenforceable or invalid provision.

15 Liability

Liability for violation of the provisions of this Agreement is regulated, unless otherwise specified by binding law, by the liability clauses in the Principal Agreement between the parties. This also applies to violations committed by the Data Processor’s subprocessors.

16 Choice of law and legal forum

16.1 This Agreement shall be interpreted and applied in accordance with the provisions on choice of law in the Principal Agreement.

16.2 Any disputes that arise in connection with this Agreement shall ultimately be settled in accordance with the provisions on dispute resolution in the Principal Agreement.

This Agreement constitutes an appendix to the Principal Agreement. By signing the Principal Agreement the parties accept this Agreement in its entirety.

Appendix A – Instructions for Processing Personal Data

Categories of Personal Data

The Data Controller may input Personal Data into the service provided by the Data Processor in accordance with the Principal Agreement. The Personal Data input into the service is entirely up to the Data Controller and may e.g. include the following categories of Personal Data:

  • Name.
  • Phone number.
  • E-mail address.
  • Customer history.

Categories of Data Subject

The Data Controller may input Personal Data into the service provided by the Data Processor in accordance with the Principal Agreement. The Personal Data input into the service is entirely up to the Data Controller and may e.g. include Personal Data concerning the following categories of Data Subject:

  • The Data Controller’s employees, customers, suppliers and consultants.
  • Employees of the Data Controller’s potential customers.

Nature and purpose of the Processing

The Processing of Personal Data in order to provide the services provided by the Data Processor in accordance with the Principal Agreement and the Data Controller’s instructions.

Site for Processing

  • The Data Processor carries out Processing of Personal Data within the EU/EEA.
  • See the list of subprocessors for details about the subprocessors’ Processing.

Duration of the Processing

Processing of Personal Data will take place during the period of validity of the Principal Agreement and for a limited period thereafter in accordance with the Agreement. The Data Processor shall co-operate with the Data Controller to determine how long the Personal Data shall be stored at the Data Controller.

Updated 2021-12-03
