EU agents data protection
EU & EEA AGENTS DATA PROTECTION ADDENDUM
1. Definitions
Controller, Processor, Sub-processor, Data Subject, Personal Data, Personal Data Breach, Processing, and Appropriate Technical and Organisational Measures | are all defined in accordance with the applicable Data Protection Legislation (defined below). | |
2. Data Protection Legislation | “Data Protection Legislation” refers to:
· The General Data Protection Regulation (GDPR); · The Swedish Data Protection Act (Lag (2018:218)); · Any other applicable laws or regulations related to the Processing of Personal Data; · Any legally binding guidance and codes of practice issued by the Swedish Authority for Privacy Protection (IMY) or other relevant regulatory authorities. |
3. Roles and Responsibilities
The parties agree that:
3.1. TalkRemit AB is the Controller and the Agent is the Processor with respect to Customer Data.
3.2. The nature, scope, and purpose of Processing, the duration of Processing, and the types of Personal Data and categories of Data Subjects are set out in Section 12 below.
3.3. This Addendum applies to Processing activities conducted within the EU/EEA, ensuring compliance with the relevant Data Protection Legislation in these jurisdictions.
4. Agent Obligations
The Agent, in its role as Processor, agrees to:
4.1. Ensure that any staff who have access to or Process Customer Data are under a duty of confidentiality.
4.2. Take reasonable steps to ensure the reliability of any staff handling Customer Data and restrict access to only those authorised staff only who require access to it for the purpose of complying with the obligations under this Agreement.
4.3. Not transfer any Customer Data to third parties without the prior written consent of TalkRremit AB.
4.4. Not transfer Customer Data outside of the registered agent EU/EEA jurisdiction without prior written consent from TalkRemit AB where such transfers are permitted under Data Protection Legislation and appropriate safeguards are in place.
4.5. Only Process Personal Data on documented instructions from TalkRemit AB and in accordance with the terms of this Agreement.
5. Data Protection Impact Assessment (DPIA)
5.1. The Agent shall assist TalkRemit AB, upon request, in preparing any necessary Data Protection Impact Assessments (DPIAs) required by the applicable Data Protection Legislation. This includes providing information on the Processing operations, associated risks, and measures taken to mitigate those risks.
6. Data Subject Requests
6.1. If the Agent receives a request from a Data Subject concerning their rights under the Data Protection Legislation (e.g., access, rectification, erasure), it will immediately notify TalkRemit AB and assist in the handling of the request as instructed by TalkRemit AB.
7. Use of Sub-processors
7.1. If the Agent engages a Sub-processor to perform specific Processing activities, the Agent shall ensure that the Sub-processor complies with the same data protection obligations set out in this Addendum by way of a contract. This contract shall meet the requirements of the Data Protection Legislation within the EU/EEA.
8. Information Security
8.1. Taking into account the nature of Processing, the state of the art, the costs of implementation, and the risks posed to the rights and freedoms of Data Subjects, the Agent shall implement appropriate technical and organisational measures to ensure the security of Personal Data, including but not limited to:
8.1.1. Pseudonymisation and encryption of Personal Data where appropriate;
8.1.2. Ensuring the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
8.1.3. The ability to restore access to Personal Data in a timely manner following a technical or physical incident;
8.1.4. Regular testing and evaluation of the effectiveness of technical and organisational measures to ensure the security of Processing.
8.1.5. These measures must comply with the requirements of EU/EEA Data Protection Legislation.
9. Personal Data Breach Notification
9.1. The Agent must notify TalkRemit AB immediately upon becoming aware of any Personal Data Breach. The Agent shall take all reasonable steps to mitigate the breach and cooperate with TalkRemit AB and relevant regulatory authorities, including the IMY (Sweden), in addressing the incident.
10. Assistance and Compliance
10.1. The Agent shall provide TalkRemit AB with all necessary assistance to comply with TalkRemit AB’s obligations as Controller under the applicable Data Protection Legislation, including access to records, information, and cooperation in any regulatory investigations by authorities.
11. Termination or Expiry of the Agreement
11.1. Upon termination or expiry of this Agreement, the Agent shall, at TalkRemit AB’s written request, either delete or return all Customer Data to TalkRemit AB, unless retention of the data is required by law. This provision applies across all relevant jurisdictions within the EU/EEA.
12. Processing Details
12.1. Subject Matter of the Processing: Processing of Personal Data related to the transfer of funds.
12.2. Duration of the Processing: For the duration of this Agreement.
12.3. Nature and Purpose of the Processing: Processing necessary to facilitate the transfer of funds between Data Subjects in the EU/EEA.
12.4. Types of Personal Data: Name, national identification number (or equivalent), address, contact details, bank account details, and identification documents.
12.5. Categories of Data Subjects: Individuals wishing to transfer or receive funds.
12.6. Plan for Return or Destruction of Data: As specified in this Agreement and in compliance with EU/EEA
13. Bad Instructions
13.1. The Agent (and any Sub-processor) shall immediately inform TalkRemit AB if, in its opinion, an instruction from TalkRemit AB infringes any applicable Data Protection Legislation within the EU/EEA.