Data Processing Agreement (DPA)

The agreement that governs how personal data is handled and protected in accordance with the General Data Protection Regulation (GDPR).

Last updated: 2025-07-09

Data Controller:
The customer is located within the EU.

Data Processor:
Company: Conlumina Digital
Registration No.: SE771104167801
City: Stockholm
Country of Registration: Sweden

The Parties have entered into this Data Processing Agreement (“Agreement”) regarding the Data Processor’s processing of personal data on behalf of the Data Controller.

§ 1. Processing of Personal Data

This Agreement is concluded in connection with the Data Controller’s use of the Data Processor’s services as part of the subscription and additional services described in Webbförvaltning.se’s Terms of Service (“Main Agreement”).

The Data Processor processes registered personal data on behalf of the Data Controller and in accordance with Appendix 1.

The Agreement and the Main Agreement are interdependent and may not be terminated separately.

§ 2. Purpose

The Data Processor may only process personal data to fulfill its obligations to the customer and to provide the services specified in the Main Agreement.

§ 3. Obligations of the Data Controller

The Data Controller guarantees that the personal data is only processed for legitimate purposes and that the Data Processor processes the data solely for this purpose.

The Data Controller ensures there is a legal basis for processing personal data when transferring it to the Data Processor. The Data Controller must be able to demonstrate the justification and legal basis upon the Data Processor’s request.

If the Data Controller instructs another sub-processor, the Data Processor must be informed immediately. The Data Processor is not responsible for any processing carried out by another sub-processor based on such instructions.

§ 4. Obligations of the Data Processor

The Data Processor shall process personal data provided by the Data Controller in accordance with the Controller’s instructions and data protection regulations. The Data Processor must be able to justify its processing and shall immediately inform the Controller if anything contradicts the GDPR.

The Data Processor must implement appropriate technical and organizational security measures to ensure that personal data is not accidentally or unlawfully damaged, lost, destroyed, shared with unauthorized third parties, processed, or misused in violation of the GDPR. These measures are described in more detail in Appendix 1.

The Data Processor is responsible for ensuring that employees who process personal data are subject to legally binding confidentiality obligations.

Upon request by the Data Controller, the Data Processor must demonstrate and/or document compliance with applicable data protection legislation, including information regarding data flows and processing.

To the extent possible, the Data Processor shall assist the Data Controller with technical and organizational measures to fulfill data subject requests under Chapter 3 of the GDPR.

The Data Processor or sub-processor must forward any data subject requests or objections to the Data Controller for further handling unless the Data Processor can handle them directly. Upon request, the Data Processor must assist in responding to these requests.

If personal data is processed in another EU country, the applicable security laws in that country must be followed.

The Data Processor must inform the Data Controller if there is any suspicion of breach of data protection laws or other irregularities in processing. The Data Processor must report a security breach within 24 hours of becoming aware of it. Upon request, the Data Processor must assist in clarifying the extent of the breach, e.g., by preparing a notification to the Data Protection Authority or the data subject.

The Data Processor must provide the Controller with the necessary information to demonstrate compliance with Article 28 of the GDPR and the terms of this Agreement.

In addition, the Data Processor must assist the Controller in fulfilling its obligations under Articles 32–36 of the GDPR. The type of assistance depends on the nature of the data, processing, and the Data Processor’s access.

§ 5. Transfer of Information to Sub-Processors or Third Parties

The Data Controller hereby grants the Data Processor general authorization to enter into agreements with sub-processors. The Data Processor must notify the Controller of any changes or additions to sub-processors. The Controller has the right to object to such changes. If the Data Processor continues using a sub-processor despite objections, the Parties may terminate this Agreement and, if applicable, the Main Agreement with short notice. During this period, the sub-processor may continue to be used.

The Data Processor must ensure sub-processors are bound by the same obligations stated in this Agreement and provide sufficient guarantees for implementing appropriate measures to meet the requirements of the GDPR.

If a sub-processor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of those obligations.

The Data Processor must enter into DPAs with sub-processors located within the EU/EEA. For sub-processors outside the EU/EEA, standard contractual clauses (SCCs) or other valid mechanisms such as the EU-US Privacy Shield must be used.

The Data Controller grants the Data Processor a general mandate to enter into such standard agreements on their behalf.

§ 6. Liability

The Parties’ liability is governed by the Main Agreement. Liability for damages under this Agreement is governed by the Main Agreement.

§ 7. Term and Termination

This Agreement enters into force at the same time as the Main Agreement.

Upon termination of the Main Agreement, this Agreement also terminates. However, the Data Processor remains bound by its obligations for as long as it processes personal data on behalf of the Controller. In a situation as described in section 5.2, either party may terminate the Agreement and Main Agreement with one (1) month’s notice, effective at the end of the month.

When processing ceases, the Data Processor must, at the request of the Controller, delete or return all personal data and delete any existing copies, unless storage is required by EU or national law.

§ 8. Governing Law

Swedish law applies to this Agreement. Disputes shall be resolved by Swedish courts.

Appendix 1

Categories of Data Subjects, Types of Personal Data, and Processing Instructions

1. Categories of Data Subjects:

The Data Processor processes contact details of the Data Controller’s current, potential, or former customers and/or members, employees, suppliers, business partners, affiliates, and group companies.

The Data Processor provides its system as a hosting service and cannot determine all categories of data subjects. If the Controller processes additional categories, they must register this information.

2. Types of Personal Data:

  • Contact and identity data, including email
  • IP addresses
  • Domain names
  • Usernames
  • Membership information
  • Analytics and user data
  • Order history and related info
  • Contracts
  • Communication
  • Photos
  • Support data
  • Other types of personal data may occur

3. Instructions

Service

The Data Processor may process personal data for the purpose of delivering, developing, handling, and managing the services in the Main Agreement, such as ensuring server stability and complying with applicable laws.

Security

The Data Processor must ensure confidentiality, integrity, and availability of personal data. Measures must be appropriate to the situation, data type, and risk, and must include:

  • Access-controlled facilities for authorized personnel only
  • Role-based access and login to ensure data minimization
  • System backups
  • Antivirus protection
  • Change logs
  • Encrypted internet communications between systems
  • Classification of data for appropriate security measures
  • Use of secure systems and processes to improve data protection

The Data Processor may introduce additional technical and organizational security measures to ensure an adequate level of protection.

Retention Period

Personal data in the Data Processor’s systems is deleted or anonymized within a reasonable period after termination of the Main Agreement—normally within 8 weeks. Exceptions apply when legally required to retain data, such as in legal disputes.

Log data is also typically deleted within 8 weeks.

Data Location

The Data Processor’s systems are located in Stockholm. The Data Controller authorizes the Data Processor to move data to other EU-based data centers if it maintains equivalent security and uptime.

Audit

The Data Processor must, at its own cost, annually provide an audit or inspection report from a third party to demonstrate compliance with this Agreement and Appendix 1.
