ANNEX 2 – DATA PROCESSING AGREEMENT
This Data Processing Agreement (the “Agreement”) is an appendix to Mondido’s Terms and Conditions, and has been made between Mondido IT AB, org. nr 559366-9913 (“Processor”) and the User (“Controller”).

(each “Party” and collectively “the Parties”).

1. Introduction
A. The Processor provides a payment service to the Controller (the “Service”). The Parties have agreed that the Processor shall, within the framework of the Service, process personal data attributable to the Controller’s customers on behalf of the Controller. The purpose of the processing and the service for which such processing takes place is described in more detail in the Controller’s Terms and Conditions.

B. The Parties agree that the Controller shall be deemed to be the Controller and that the Processor shall be considered as a Processor as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (“GDPR”).

C. In the light of the foregoing, the Parties have entered into this Agreement.

2. Instructions of the Controller
The Processor undertakes to process personal data only within the framework of the Service and in accordance with the Controller’s other written instructions as issued from time to time and in accordance with the GDPR. In the event that the Processor does not have the necessary instructions, the Processor shall inform the Controller thereof and wait for the instructions that the Controller deems necessary.

3. Processor’s commitments
3.1 The Processor undertakes in particular to:
(a) have adequate technical and organizational security and take the security measures provided for in Article 32 of the GDPR to protect the personal data processed under this Agreement, including the imposition of appropriate confidentiality obligations for staff employed with the Processor;
(b) assist the Controller in complying with the security requirements set out in Articles 32-36 of the GDPR, and in ensuring that the Controller’s obligations regarding individual rights in Chapter III of the GDPR are met;
(c) refer to the Controller the individual whose personal data is processed, the Data Protection Authority or another third party who requests information from the Processor concerning the processing of personal data. The Processor shall without delay inform the Controller of any contacts from the Data Protection Authority that concern or may be of significance for the processing of personal data;
(d) depending on what the Controller chooses, delete, anonymize or return all personal data to the Controller when the Agreement terminates, regardless of the reason for this, including deleting all copies which according to GDPR must not be saved;
(e) otherwise provide the Controller with access to such information as is necessary for the Controller to be able to fulfill his obligations as data controller vis-à-vis the Data Protection Authority and/or individuals, and shall contribute to audits, including inspections, for which the Controller shall bear all costs.
(f) not transfer the personal data to a third country or an international organization unless this is required by the GDPR whereby the Processor shall immediately inform the Controller, unless such information is prohibited.

3.2 The Processor further undertakes to always process personal data in accordance with the GDPR. This includes, but is not limited to, keeping a register of all categories of processing carried out, providing a register extract of completed processing at the request of an individual or Controller and immediately informing the Controller if the Processor suspects that there is a risk that the freedom and rights of individuals are violated.

4. Compensation
The Processor is entitled to reasonable compensation for the processing of personal data in accordance with this Agreement.

5. Responsibility
Liability is regulated in accordance with the Processor’s Terms and Conditions.

6. Term
The Agreement is valid from its conclusion and as long as the Processor processes Personal Data on behalf of the User.

7. Other
7.1 Changes and additions
7.2 All amendments and additions to this Agreement shall be in writing (with express reference to this Agreement) and duly signed by each Party.

8. Sub-processors
8.1 The Processor has the right to hire sub-processors for the processing of personal data on behalf of the Controller. The Processor undertakes to inform the Controller regarding the Processor’s possible plans to hire and/or replace a sub-processor, so that the Controller has the opportunity to object to such changes. The Controller hereby approves sub-processors in accordance with this Sub-Annex.
8.2 If the Processor engages sub-processors for the processing of personal data on behalf of the Controller, the Processor is fully responsible to the Controller for the sub-processors’ actions and processing.