This Data Processing Agreement (‘DPA’) is the Data Processing Agreement referenced in the Joy Terms of Use between Joy solutions AB (referred to as “Joy” in this DPA) and the customer as identified during the registration process (referred to as “Customer” in this DPA).
The defined terms in the Terms of Service shall apply to this DPA.
In addition, the following definitions shall apply:
‘Data Protection Laws’ means all laws and regulations that apply to or govern the processing of personal data under the EU General Data Protection Regulation ((EU) 2016/679) ('GDPR'), the UK GDPR, any national data protection laws and regulations implementing the EU Electronic Communications Privacy Directive (2002/58/EC), and the UK Privacy and Electronic Communications Regulations (PECR), as well as any amendments to or replacements of such laws and regulations.
Terms used in this DPA shall have the same meaning as in the Data Protection Laws.
Under the Terms of Service, Joy will be processing personal data on behalf of the Customer. This DPA sets out the details of that processing and the DPA is effective for so long as the Terms of Service is in force.
1. The processing shall be carried out in accordance with the Data Protection Laws.
2. Obligations of the Customer
2.1 In relation to the data subjects, the Customer is responsible for the processing’s compliance with the Data Protection Laws.
2.2 The Customer warrants that the processing is carried out in accordance with the purpose for which the personal data have been collected.
2.3 It is the Customer’s responsibility to ensure that Joy, at any time, is duly informed of the Customer’s written instructions regarding the processing. If the Customer provides additional instructions which deviate from the instructions that follow from the Terms of Service, and such additional instructions entail that the scope of the Services is materially changed, the matter must be handled under the Terms of Service.
2.4 All instructions provided by the Customer must be in writing.
3. Obligations of Joy
3.1 The processing is described in detail in Appendix A. Joy undertakes to only process personal data necessary for the performance of the Services, in accordance with the Terms of Service, this DPA or according to specific and documented instructions provided by the Customer in connection with the conclusion of the Terms of Service, which have been approved by Joy.
3.2 Upon receipt of written instructions from the Customer regarding the processing, such as provided for in Appendix A or additional written instructions, Joy must, within a reasonable period of time, take appropriate measures to ensure that the processing is carried out in accordance with the instructions.
3.3 Joy undertakes to ensure that any natural person acting under the authority of Joy, and who has access to personal data, is informed of the content of this DPA and processes the personal data only in accordance with the DPA and the Customer’s documented instructions.
3.4 Joy is required to assist the Customer with appropriate technical and organisational measures for the fulfilment of the Customer’s obligation to respond to requests from data subjects regarding access to and rectification or erasure of personal data.
3.5 Joy must, without undue delay, notify the Customer after becoming aware of a personal data breach. Joy shall assist the Customer by providing information necessary for the fulfilment of the Customer’s obligation to notify the competent supervisory authority of a personal data breach and, when applicable, the Customer’s obligation to communicate the personal data breach to the affected data subjects.
3.6 Joy is required to assist the Customer in connection with any data protection impact assessments and prior consultations carried out by the Customer, as well as to assist in any investigations carried out by the competent supervisory authority regarding a personal data breach.
4. Engagement of Sub-Processors
4.1 By accepting this DPA, the Customer approves and acknowledges that Joy may engage subcontractors for the purpose of carrying out the processing (“sub-processors”). Should Joy’s engagement of a sub-processor involve the transfer of personal data to a third country, such sub-processor may only be engaged by Joy if the requirements set forth under section 5.1 are met.
4.2 When engaging a sub-processor for the purpose of carrying out the processing, Joy undertakes to enter into an agreement with the sub-processor regarding the processing activities, pursuant to which the sub-processor shall be bound by the same obligations as is Joy under this DPA.
4.3 The parties agree that the Customer, by accepting this DPA, is deemed to have been informed of Joy’s intended engagement of the sub-processors listed in Appendix B.
4.4 Any transfer of personal data to the sub-processors is made at Joy’s risk and does not alter the allocation of responsibility between Joy and the Customer.
5. Transfers of personal data outside of the EU/EEA
5.1 Joy undertakes not to transfer personal data to a third country (i.e. a country outside of the EU/EEA), unless the Customer has approved of such transfer in writing, and at least one of the following requirements is met:
(i) the receiving country has an adequate level of security;
(ii) the data subject has given its consent to the transfer;
(iii) the Data Protection Laws provide a legal ground for the transfer; or
(iv) agreements including certain standard contractual clauses issued by the European Commission (2010/87/EU) have been entered into, without any conflicting changes or amendments.
5.2 Provided that at least one of the relevant actions set forth in section 5.1 has been taken, the Customer may not unreasonably withhold its approval regarding the transfer.
6. Disclosure of information
6.1 Joy may not disclose any personal data to third parties without the Customer’s prior written consent, unless the disclosure or transfer is required by applicable law or under any court judgments or official orders. Notwithstanding the above, Joy is always entitled to transfer personal data to sub-processors in accordance with section 4.
6.2 Joy shall without undue delay notify the Customer in writing if it is approached by a supervisory authority with any matters regarding, or which may be of relevance for the processing. If Joy by operation of law or injunction is obligated to disclose personal data, section 8.2(iv) shall apply.
7. Technical and organisational security measures
7.1 Joy is required to implement appropriate technical and organisational measures in accordance with the Data Protection Laws in order to ensure a level of security appropriate to the risk, including risks relating to unauthorised access, destruction and alteration of personal data covered by the processing. Joy shall determine how such measures are to be implemented in order to reach an appropriate level of security.
7.2 If the Customer makes it probable that new security measures are required or that existing security measures must be altered in order to achieve compliance with the legal requirements regarding an appropriate level of security, or in order to achieve compliance with any court judgments or official orders, the parties shall discuss the implementation of such new measures or alterations of existing measures. Any implementation of extended or additional security measures requires that the Parties have agreed on such implementation in writing. Joy is entitled to reasonable compensation for any extended or additional security measures taken.
7.3 If Joy lacks any instructions from the Customer that Joy deems necessary in order to carry out the processing, or if Joy deems the Customer’s instructions, wholly or partly, to be in breach of the Data Protection Laws, Joy shall without delay notify the Customer, and await any further instructions that the Customer deems necessary.
8. Confidentiality
8.1 Joy and the persons working under its authority must maintain confidentiality in all respects when carrying out the processing. This means that personal data may not be unduly disclosed to a third party. Joy undertakes to ensure that the individuals working under its authority and who will process personal data observe and comply with Joy’s confidentiality undertaking according to this section 8.
8.2 Joy undertakes not to disclose to any third party such information which Joy, in its capacity as data processor, has received from the Customer or any other such information which Joy processes in its capacity as data processor under this DPA. Joy undertakes to ensure that all persons acting under its authority have undertaken to observe confidentiality in accordance with this section 8. However, this confidentiality obligation shall not apply to:
(i) information which is generally known or becomes generally known other than as a result of a breach of the Terms of Service or this DPA;
(ii) information which Joy can prove was in Joy’s possession prior to being provided to Joy under the Agreement;
(iii) information which Joy, lawfully and without restrictions regarding the right to transfer such information, receives from any third party outside the scope of the Terms of Service or this DPA; or
(iv) information which Joy is obligated to disclose under law or any court judgment or public authority decision. In such a case, Joy must without undue delay inform the Customer in writing about the disclosure and request that the personal data are kept confidential by the recipient.
8.3 This confidentiality undertaking shall survive the termination of this DPA.
APPENDIX A
Instructions regarding the processing
Joy shall, in addition to complying with the provisions in this DPA and the Terms of Service, carry out the processing in accordance with the instructions below.
Purpose
The processing may only be performed in order to provide the Services under the Terms of Service, i.e. for the purpose of facilitating communication between Users. The personal data may not be processed or used for Joy’s own or any other purposes.
Types of processing
Joy may use any types of processing which are necessary in order to provide the Services, including, but not limited to, sorting, administering, storing, returning and erasing personal data.
Types of personal data
Joy may process personal data and health information provided by the Customer as required to provide their services.
Categories of data subjects
The personal data processed by Joy may only concern the Users, such as healthcare professionals, patients and customers.
Duration of the processing
The personal data must be erased by Joy at the time of termination of the Terms of Service, as set forth in the Terms of Use. Furthermore, personal data shall be erased from time to time, in accordance with the Customer’s documented instructions.
Location of the processing
The processing may only be performed within the EU/EEA, using such equipment and/or infrastructure that Joy is in direct or indirect (through approved subcontractors) control over.
APPENDIX B
Sub-Processors approved by the Customer
The Customer accepts and recognizes that Joy engages the following sub-processors in accordance with section 4.3 of the Agreement.
Google Cloud Platform (Sweden/EU, https://cloud.google.com/privacy/gdpr), for the operation and maintenance of the platform, including storage of encrypted data.
NLPCloud (https://nlpcloud.com/#security), for speech-to-text and other services.
Daily.co (https://www.daily.co/legal/data-processing-addendum/), Daily.co provides the infrastructure for the secure video conferencing in the app.
Crisp (https://crisp.chat/en/privacy/), for in-app support chat.
Mailchimp (https://mailchimp.com/legal/data-processing-addendum/), email and name of our Customers for email updates.
Paddle (https://www.paddle.com/legal/data-processing-addendum), for payments, invoices and subscriptions.
Typeform (https://typeform.com), email and name and survey answers.
Website Toolbox LLC (https://www.websitetoolbox.com) community platform, email and any details provided by the user in the forum.
Stripe (https://stripe.com/en-se/legal/dpa), for payments, invoices and subscriptions.
Sentry (https://sentry.io/legal/dpa/), for error tracking and performance monitoring of our application.