PERSONAL DATA PROCESSING AGREEMENT
This Personal Data Processing Agreement, including all appendices hereto, (the “DPA”) is incorporated into and forms an integral part of the Flarie General Terms of Service for Businesses (the “Main Agreement”) between you as a business customer (“Customer” or “Controller”) and Flarie AB, reg. no 556856-2747, (the “Processor” or “Flarie”) as the service provider. This DPA shall only apply if the Customer has not already entered into a valid data processing agreement with Flarie concerning the subject matter hereof.
The Controller and Processor are hereinafter each referred to as a “Party” and jointly as the “Parties”.
1. INTRODUCTION
1.1 By signing, and/or in any other way entering into the Main Agreement subject to the terms therein, the Customer also enters into this DPA, as it is considered an integral part of the Main Agreement. Unless stated otherwise in this DPA, all capitalized terms not defined herein shall have the meaning set forth in the Main Agreement.
1.2 If any provision of this DPA, relating to the Processing of Personal Data hereunder, is inconsistent with any term of the Main Agreement or any related agreement (including, if applicable, the Order Confirmation and Additional Terms thereto), the provision of this DPA will prevail to the extent necessary to comply with applicable data protection laws, including GDPR.
1.3 Pursuant to the undertakings which follow from the Main Agreement, the Processor may process certain Personal Data of End Users as well as other information on behalf of the Controller. As a consequence thereof, the Parties are entering into this DPA to govern the conditions for the Processor’s Processing of, and access to, Personal Data belonging to the Controller. The DPA shall apply to all agreements executed between the Parties in which the Processor is the Processor on behalf of the Controller, and the DPA shall remain in force for as long as the Processor Processes Personal Data on the Controller’s behalf.
1.4 Notwithstanding the terms of this DPA, each Party shall continue to be individually liable as independent controllers for its respective processing of Personal Data of End Users in accordance with the terms of Section 10 (Personal Data; Information Security etc.) of the Main Agreement. For the avoidance of doubt, this DPA exclusively governs the inter-party relationship concerning the specific Personal Data detailed in the Instruction and does not in any way affect the Parties’ separate responsibilities as independent controllers for any other Personal Data not specified in this DPA.
2. DEFINITIONS
Unless the circumstances clearly indicate otherwise, definitions or terms used in this DPA shall have the meanings set forth below. Any term which is used in the GDPR and which is not defined below shall have the meaning given to it in Article 4 of the GDPR.
“Controller”
Means the Customer as a legal person, which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union law or Member State law.
“Data Subject”
Means a living natural person whose Personal Data is Processed.
“GDPR”
Means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
“Instruction”
Means the instructions, as set out in Appendix 1 and Appendix 2 hereto, which the Controller gives to the Processor within the scope of this DPA.
“Other Regulation”
Means applicable national laws which, from time to time, apply to Processing of Personal Data (excluding the GDPR).
“Personal Data”
Means any information relating to an identified or identifiable natural person, whereupon an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Personal Data Breach”
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
“Processing”
Means an operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor”
Means Flarie, as a legal entity, which Processes Personal Data on behalf of the Controller.
3. DOCUMENTS
3.1 The DPA comprises this document and the Instruction in Appendix 1 and Appendix 2.
3.2 In the event of any contradictions between this document and the Instruction, this document shall take precedence, unless otherwise specifically stipulated or clearly indicated by the circumstances.
4. GENERALLY REGARDING THE PROCESSING OF PERSONAL DATA
4.1 The Controller is the Controller of the Personal Data which is Processed within the scope of the Main Agreement and specified in the Instruction.
4.2 The Processor is regarded as the Processor on behalf of the Controller of the specific Personal Data outlined in the Instruction.
4.3 The Controller ensures that a legal ground recognized under the GDPR applies for processing of the Personal Data under this DPA. The Controller shall further meet all other obligations of a controller under the GDPR and any Other Regulation, including that the Controller's Instruction for the processing of the Personal Data hereunder shall comply with GDPR and any Other Regulation. The Controller shall have the sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which it acquired the Personal Data.
4.4 The Processor has provided sufficient guarantees that it shall take suitable technical and organisational measures to ensure that the Processing of Personal Data meets the requirements of the GDPR and Other Regulation, and ensures protection of the rights of the Data Subject. However, the Processor is not responsible for compliance with data protection laws applicable to the Controller or its industry that are not generally applicable to the Processor.
4.5 Taking into consideration the nature of the Processing, the Processor shall assist the Controller by taking reasonable technical and organisational measures, to the extent possible, to enable the Controller to perform its obligation to respond to requests regarding the exercise of the Data Subject’s rights in accordance with Chapter III of the GDPR.
4.6 If the Processor believes that the Instruction or other instruction or notification from the Controller would conflict with the GDPR or any Other Regulation, the Processor shall be entitled to notify the Controller and defer the Processing in question.
5. PURPOSE AND TYPE OF PERSONAL DATA, ETC
The Instruction shall, inter alia, state the subject of the Processing, the duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects.
6. THE PROCESSOR'S PERSONNEL, ETC
6.1 The Processor, its employees, and other persons who perform work under the Processor’s supervision and who gain access to Personal Data belonging to the Controller may only process such Personal Data on the Controller’s instruction, unless such person is obligated to do so pursuant to Union law or Swedish national law.
6.2 The Processor shall ensure that its employees and all other persons for whom the Processor is liable and who are authorised to process Personal Data covered by this DPA have undertaken to maintain confidentiality (unless such person is subject to an appropriate statutory confidentiality obligation).
7. SECURITY
7.1 The Processor shall take all safeguards required under Article 32 of the GDPR.
7.2 Taking into consideration the type of Processing and the information which the Processor has, the Processor shall assist the Controller in ensuring that the obligations regarding security can be satisfied in a manner which follows from Article 32 of the GDPR.
7.3 In conjunction with the assessment of an appropriate security level, particular consideration shall be given to the risks which follow from the Processing, particularly resulting from unintentional or unlawful destruction, loss, or modification, from unauthorised disclosure, or from unauthorised access to the Personal Data which is transferred, stored, or otherwise processed.
8. PERSONAL DATA BREACH
Taking into consideration the type of Processing and the information available to the Processor, the Processor shall assist the Controller in ensuring that the obligations arising due to any Personal Data Breach can be fulfilled in a manner as required in Articles 33-34 of the GDPR.
9. IMPACT ASSESSMENT AND PRIOR CONSULTATION
Taking into consideration the nature of the Processing and the information, which is available to the Processor, the Processor shall assist the Controller in fulfilling its obligations, if any, to conduct an impact assessment and/or prior consultation with a supervisory authority pursuant to Articles 35 and 36 of the GDPR.
10. THE INSTRUCTION
10.1 The Processor may only process the Personal Data which is covered under this DPA on the documented lawful Instructions (including in respect of transfers of Personal Data to a third country or an international organisation, provided such Processing is not required pursuant to EU law or the national law of a Member State to which the Processor is subject and, in such case, the Processor shall inform the Controller of the legal requirement before the data is Processed, unless such information is prohibited with reference to an important public interest under relevant national law).
10.2 The Controller shall be entitled to update the Instruction from time to time. The Processor shall be entitled to reasonable compensation for additional costs incurred if the Controller modifies the Instruction. Such compensation shall be mutually agreed in writing between the Parties.
11. SUBPROCESSORS
11.1 The Processor shall not be entitled to retain subprocessors to perform the work under the DPA without first obtaining the Controller’s written approval.
11.2 The Controller has, in conjunction with this DPA, been informed of the subprocessors to be engaged by the Processor in order to perform its obligations under this DPA (a list of the Processor’s current subprocessors is available here). The Controller hereby provides a general written consent to the Processor for the engagement of such notified subprocessors to perform the undertakings and obligations which follow from this DPA. This consent allows the Processor to retain or change subprocessors at its discretion, subject to the conditions outlined in this Section 11.
11.3 The Processor shall inform the Controller of any plans to retain a new subprocessor or to replace an existing subprocessor, in order to allow the Controller to make objections to any such change (however, any objection must be based on an objectively acceptable reason).
11.4 Where the Controller has granted written approval, the Processor shall ensure that any such subprocessor enters into a written personal data processor agreement before the subprocessor begins work related to the Controller. Any such personal data processor agreement must contain the undertakings and obligations which follow from the DPA. In any such a personal data processor agreement, the subprocessor shall provide sufficient warranties in respect of taking suitable technical and organisational measures so that the Processing meets the requirements of the GDPR.
11.5 In the event a subprocessor fails to fulfil its obligations, the Processor shall be liable to the Controller for the performance of the subprocessor’s obligations.
11.6 The Processor is aware that it must comply with the provisions regarding retention of subprocessors.
12. TRANSFER TO A THIRD COUNTRY
The Processor may move, store, transfer, or otherwise process Personal Data belonging to the Controller outside of the EU/EEA, provided such actions are necessary and meet the requirements and undertakings which follow from the GDPR.
13. RIGHT TO TRANSPARENCY
The Processor shall grant the Controller access to all information which is required and necessary to enable the Controller to verify compliance with the obligations which follow from Article 28 of the GDPR and to enable and assist in audits, including inspections, which are conducted by the Controller or by an examiner authorised by the Controller. The Processor shall, at all times, be entitled to reasonable notice in the event the Controller wishes to exercise its right to conduct an audit or inspection and the Controller shall compensate the Processor for its costs incurred in connection with any such audit or inspection.
14. COMPENSATION
The Processor shall, based on the nature and extent of work required, be entitled to receive reasonable compensation for measures it takes in respect of Processing of Personal Data in accordance with this DPA if the Controller requires the Processor to perform extraordinary work in addition to the work normally required by the Processor for the day-to-day Processing in order to fulfil its obligations under the Main Agreement. If applicable, such compensation shall be reasonable and corresponding to fair market value for the services provided and be agreed upon by both Parties in writing.
15. LIABILITY
15.1 The Controller shall be liable for any damage caused by Processing which infringes the GDPR. The Processor shall be liable for damage caused by its Processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where the Processor has acted outside or contrary to this DPA or the lawful Instructions of the Controller.
15.2 In the event the Parties have reached an agreement regarding limitation of liability in another agreement, such limitation of liability shall also apply to this DPA to the extent permitted by law. In the event the Parties have not reached an agreement regarding such a limitation of liability, a Party’s liability under this DPA or as a result of the Processing which is covered under the DPA shall to the extent permitted by law be limited to one hundred thousand kronor (SEK 100,000).
15.3 The Parties are aware that the limitation of liability in Section 15.2 above shall not apply: (i) in the event an authority for privacy protection or a court orders any of the Parties to pay an administrative fine; (ii) in conjunction with a claim for damages brought by a Data Subject; or (iii) where a Party has a right of subrogation against the other Party because such Party was ordered to pay an administrative fine or damages which legitimately (or through joint and several liability) should have been imposed on the other Party.
16. TERMINATION OF THE AGREEMENT
16.1 The DPA shall terminate when the Processor discontinues Processing of Personal Data on behalf of the Controller. The Processor shall upon termination return all Personal Data to the Controller in the manner instructed by the Controller or, upon the Controller’s written notice, destroy and erase all Personal Data which is associated with the DPA.
16.2 Following termination of the DPA, the Processor shall not be entitled to retain any Personal Data belonging to the Controller and, as soon as the Processor has complied with the provisions of Section 16.1 above, the Processor’s right to process or otherwise use Personal Data belonging to the Controller shall cease (unless storage of Personal Data is required pursuant to national law or Union law, or the Processor has its own legal grounds to process the relevant Personal Data).
17. CONFIDENTIALITY
17.1 The Parties hereby undertake, during the term of the DPA and thereafter, not to disclose to any third party information regarding the DPA, nor any other information which the Parties have learned as a result of the DPA, whether written or oral and irrespective of form (“Confidential Information”). The Parties agree and acknowledge that the Confidential Information may be used solely for the fulfilment of the obligations under the DPA and not for any other purpose. The receiving Party further agrees to use, and cause its directors, officers, employees, sub-contractors or other intermediaries to use, the same degree of care (but not less than reasonable care) to avoid disclosure or use of Confidential Information as it uses with respect to its own confidential and/or proprietary information.
17.2 This confidentiality undertaking does not apply to information which
- at the date of its disclosure is in the public domain or at any time thereafter comes into the public domain (other than by breach of this DPA); or
- the receiving Party can evidence was in its possession or was independently developed at the time of disclosure and was not obtained, directly or indirectly, by or as a result of breach of a confidentiality obligation.
17.3 Nor shall this confidentiality undertaking apply to the extent that any Party is required to make a disclosure of information by law or pursuant to any order of court or other competent authority or tribunal or by any applicable stock exchange regulations or the regulations of any other recognised marketplace. In the event that any Party is required to make any such disclosure, that Party undertakes to give the other Party immediate notice prior to any such disclosure, in order to make it possible for the other Party to seek an appropriate protective order or other remedy. Each Party also agrees and undertakes to use its best efforts to ensure that any information disclosed under this Section 17, to the extent possible, shall be treated confidentially by anyone receiving such information.
18. AMENDMENTS
If the applicable data protection law hereunder is amended, replaced or repealed, the Parties shall, where necessary, negotiate in good faith a solution to enable the Processing of Personal Data to be conducted in compliance with such applicable law.
19. ASSIGNMENT OF THE AGREEMENT
Neither Party shall be entitled to assign its rights and/or obligations under the DPA, in whole or in part, without the prior written consent of the other Party.
20. GOVERNING LAW AND JURISDICTION
20.1 This DPA shall be governed by and construed in accordance with the laws of Sweden, without regard to its principles of conflict of laws.
20.2 Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally and exclusively settled by the Swedish courts, with the Stockholm district court (Sw. Stockholms tingsrätt) as the court of first instance.
APPENDIX 1 – INSTRUCTION (INDIRECT IDENTIFIERS ETC.)
This Appendix 1 to the DPA, together with Appendix 2, is the Instruction.
Definitions used in this Instruction shall have the same meaning as in the DPA and the Main Agreement, unless the circumstances clearly indicate otherwise.
1. CONTACT INFORMATION
1.1 Controller
Controller: the Customer (as defined above in the DPA).
Contact details: as separately specified by the Customer in connection with entering into the Main Agreement (and subsequent Order Confirmation, if applicable).
1.2 Processor
Processor: Flarie AB, reg. no 556856-2747
Address: Hornsgatan 24, 118 20 Stockholm, Sweden
Phone number: +46 766349064
E-mail address: niclas@flarie.com
Data protection contact person: Niclas Bergfors, CTO
2. PROCESSING OF PERSONAL DATA
2.1 Categories of Personal Data
The Processor shall Process the following categories of Personal Data:
Hashed tokens / indirect identifiers.
2.2 Special categories of Personal Data
The Processor shall not Process any special categories of Personal Data, and the Controller agrees not to transfer or enable the transfer of any special categories of Personal Data when using the Service and/or Flarie Studio.
2.3 Categories of Processing
The following categories of Processing shall take place:
- Collection and storage of hashed tokens / indirect identifiers;
- Provision of a webhook to the Controller in order for the Controller to receive the hashed tokens / indirect identifiers;
- Regular data cleaning and updating.
2.4 Categories of Data Subjects
The following categories of Data Subjects are included:
Individuals (End Users) that are getting access to Content and/or playing Games on the Platform or in the App.
2.5 Purpose of each Processing activity
The purpose of each Processing activity is as follows:
- Hashed tokens / indirect identifiers: to uniquely identify End Users using the Service for security and gameplay customization purposes and to keep scores / top lists of Game results;
- Hashed tokens / indirect identifiers: to provide the Service to the Controller (as Flarie’s Customer) according to the Main Agreement, including carrying out analyses, keeping Game results, providing the Games, and conducting user management;
- Webhook for hashed tokens / indirect identifiers: in order for the Controller / Customer to receive Game data from the Processor and identify the relevant End User in the Controller’s systems.
3. SECURITY MEASURES
3.1 Technical and organisational security measures
The Processor shall take the following technical and organisational security measures:
- Encryption of Personal Data in transit and at rest;
- Implementation of access controls and authentication mechanisms;
- Regular security audits and vulnerability assessments;
- Employee training on Data Protection and security protocols;
- Implementation of Data Breach Notification Procedures;
- Implementation of Disaster Recovery Plan.
3.2 Storage minimisation
Personal Data will be destroyed or erased as follows:
- Personal Data will be reviewed annually, or more frequently if deemed appropriate, to ensure relevancy and accuracy;
- Personal Data pertaining to inactive accounts will be deleted after a period of two (2) years of inactivity.
APPENDIX 2 - INSTRUCTION (COMMUNICATION FEATURE)
This Appendix 2 to the DPA, together with Appendix 1, is the Instruction.
Definitions used in this Instruction shall have the same meaning as in the DPA and Main Agreement, unless the circumstances clearly indicate otherwise.
1. CONTACT INFORMATION
1.1 Controller
Controller: the Customer (as defined above in the DPA).
Contact details: as separately specified by the Customer in connection with entering into the Main Agreement (and subsequent Order Confirmation, if applicable).
1.2 Processor
Processor: Flarie AB, reg. no 556856-2747
Address: Hornsgatan 24, 118 20 Stockholm, Sweden
Phone number: +46 766349064
E-mail address: niclas@flarie.com
Data protection contact person: Niclas Bergfors, CTO
2. PROCESSING OF PERSONAL DATA
2.1 Categories of Personal Data
The Processor shall Process the following categories of Personal Data:
- Contact information (e.g., email addresses);
- Identification data (e.g., names);
- Marketing preferences (if applicable).
2.2 Special categories of Personal Data
The Processor shall not Process any special categories of Personal Data, and the Controller agrees not to transfer or enable the transfer of any special categories of Personal Data when using the Service and/or Flarie Studio.
2.3 Categories of Processing
The following categories of Processing shall take place:
- Storage of contact information, identification data, and marketing preferences (if applicable);
- Distribution of communication via email (including marketing communications, if applicable) to the Data Subjects;
- Regular data cleaning and updating.
2.4 Categories of Data Subjects
The following categories of Data Subjects are included:
- End Users, i.e. individuals that are getting access to Content and/or playing Games on the Platform or in the App;
- End Users who have opted in to specific marketing communications by the Controller (if applicable).
2.5 Purpose of each Processing activity
The purpose of each Processing activity is as follows:
- To enable the Controller to communicate with End Users regarding the accessed Games via email;
- To send marketing communications and promotional offers to End Users via email (if applicable).
3. SECURITY MEASURES
3.1 Technical and organisational security measures
The Processor shall take the following technical and organisational security measures:
- Encryption of Personal Data in transit and at rest;
- Implementation of access controls and authentication mechanisms;
- Regular security audits and vulnerability assessments;
- Employee training on Data Protection and security protocols;
- Implementation of Data Breach Notification Procedures;
- Implementation of Disaster Recovery Plan.
3.2 Storage minimisation
Personal Data will be destroyed or erased as follows:
- Personal Data will be reviewed annually, or more frequently if deemed appropriate, to ensure relevancy and accuracy;
- Personal Data pertaining to inactive accounts will be deleted after a period of two (2) years of inactivity.