Data Processing Agreement – Capital partner
Gilion Platform
1. General
1.1 The Controller (or any of its affiliates) has in conjunction with this Data Processing Agreement (“DPA”) entered into, or may potentially enter into, an agreement with an affiliate of the Processor or a third party lender (“Lending Entity”) arranged by the Processor (or an affiliate of the Processor) concerning financing made available to the Controller (or any of its affiliates) by the Lending Entity (“Loan Agreement”). Pursuant to the Loan Agreement or the Terms of Service (as defined below), the Controller will have access to the Services (as defined below) delivered by the Processor and as a result thereof the Processor will process personal data on behalf of the Controller (or any of its affiliates) in the capacity of a data processor.
1.2 This DPA governs the rights and obligations of the Parties when the Processor processes personal data on behalf of the Controller (or any of its affiliates) pursuant to the Loan Agreement or the Terms of Service (as applicable).
1.3 This DPA, including its appendices, together with the Loan Agreement or Terms of Service (as applicable), constitute the Controller’s (or any of its affiliates) complete instructions to the Processor for the processing of the personal data.
1.4 If the information stipulated in the Loan Agreement (if entered into) or the Terms of Service conflicts with this DPA, this DPA shall take precedence.
1.5 This DPA aims to meet the current requirements for a DPA in accordance with Applicable Data Protection Legislation.
2. Definitions
To the extent that Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter referred to as the General Data Protection Regulation (“GDPR”), contains terms similar to those used in this DPA, such terms shall have the same meaning as in the GDPR. To the extent not defined herein or in GDPR, defined terms shall have the meaning set out in the Terms of Service.
“Applicable Data Protection Legislation” means all applicable privacy and personal data legislation applicable to the personal data processing that is carried out under this DPA.
“Controller” means the company on whose behalf the registration for the Platform as a customer has been completed and in connection therewith this DPA was entered into.
“DPA” means this Data Processing Agreement and its appendices.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Loan Agreement” means (if entered into) an agreement with the Lending Entity concerning financing made available to the Controller (or any of its affiliates).
“Lending Entity” means an affiliate of the Processor or a third party lender under a Loan Agreement (if entered into).
“Party” means the Controller or the Processor.
“Platform” means the digital platform provided by the Processor to which the Controller is granted access in accordance with the Terms of Service.
“Processor” means Gilion AB, reg. no. 559264-9726, Eriksbergsgatan 27, 114 30 Stockholm.
“Services” means the Platform and its content, including the Result (as defined in the Terms of Service), features, functionalities, tools, data, software and services related thereto provided by the Processor.
“SCC” means the standard contractual clauses for the transfer of Personal Data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented by the European Commission decision (EU) 2021/914 of 4 June 2021.
“Sub-processor” means the legal person who processes personal data on behalf of the Processor.
“Terms of Service” means the Terms of Service governing the use of the Services as entered into by the Parties.
3. Processing of Personal Data
3.1 The Processor shall ensure compliance with Applicable Data Protection Legislation and its obligations under this DPA when processing personal data on behalf of the Controller.
3.2 The Processor may only process personal data on behalf of the Controller in accordance with the Controller’s documented instructions unless required to do so by the laws of the European Union or a member state of the union to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing unless that law prohibits such information on important grounds of public interest. The Controller’s instructions are set out in Appendix 1.
3.3 The Controller warrants that it is entitled under Applicable Data Protection Legislation to instruct the Processor to process the personal data in accordance with this DPA also on behalf of any affiliates (to the extent relevant or applicable).
3.4 Except as set out in Section 3.2, the Processor may not process any personal data for its own purposes or other purposes not set out in this DPA.
3.5 The Processor shall immediately inform the Controller if, in the Processor’s opinion, the Processor has not received sufficient instructions to process personal data in accordance with its obligations or if, in the Processor’s opinion, an instruction infringes Applicable Data Protection Legislation, and shall defer the processing until receipt of further instructions from the Controller.
3.6 Any changes to the Controller’s instructions shall be negotiated separately and documented in writing. The Processor shall be entitled to compensation for additional costs incurred as a result of any such amendments provided that the Processor has informed the Controller of such additional costs.
4. The Processor’s Obligations to Assist the Controller
4.1 The Processor shall assist the Controller in fulfilling its obligations in accordance with Applicable Data Protection Legislation per the Controller’s request. This means that the Processor shall:
a) Through appropriate technical and organizational measures, to the extent possible and with due regard to the nature of the processing, assist the Controller in fulfilling the Controller's obligations to comply with the data subjects’ requests for exercising their rights under the GDPR (such as rectification, deletion, restriction, data portability and request of access);
b) Assist the Controller in fulfilling the Controller's obligations to take appropriate security measures for the processing of personal data under this DPA to ensure a level of security appropriate considering the level of risk that the processing of personal data in question entails;
c) Assist the Controller by providing the information, assistance and resources that are reasonably necessary for fulfilling the Controller’s obligation to report personal data breaches to the competent supervisory authority;
d) Assist the Controller with the information, assistance and resources that may reasonably be required to fulfill the Controller's obligation to inform the data subjects, within the framework of this DPA, in the event of a data breach that is likely to result in a high risk to the rights and freedoms of natural persons;
e) Assist the Controller in fulfilling the Controller's obligation to carry out impact assessments for processing under this DPA which is likely to result in a high risk to the rights and freedoms of individuals; and
f) Assist the Controller by providing the Controller with the information, assistance and resources that may reasonably be required to fulfill the Controller's obligation to provide information and documentation to the supervisory authority for prior consultation, and when necessary, and to a reasonable extent, attend meetings with the competent supervisory authority.
4.2 When the Processor assists the Controller in fulfilling the Controller’s obligations under Applicable Data Protection Legislation in accordance with Sections 4.1 b) - f) above, consideration shall be given to the type of processing it refers to, and the information available to the Processor. In order to avoid any misunderstandings, nothing in this Section 4 shall be interpreted as indicating that the Processor may act on behalf of the Controller. The Processor may only act to fulfill its obligations vis-à-vis the Controller.
5. Security and Confidentiality
5.1 The Parties' obligations to observe confidentiality are regulated in the Loan Agreement or the Terms of Service (as applicable).
5.2 The Processor undertakes to take appropriate technical and organizational measures to protect the personal data being processed under this DPA in accordance with Applicable Data Protection Legislation.
5.3 The Processor shall ensure that only the personnel who must have access to the personal data in order to fulfill the Processor's obligations under this DPA will have access to such personal data. The Processor shall ensure that all such personnel are bound by appropriate confidentiality obligations, either by law or by agreement.
6. Personal Data Breaches
6.1 The Processor shall without undue delay inform the Controller after becoming aware of any personal data breach.
6.2 A notification pursuant to Section 6.1 shall include all information that may reasonably be required by the Controller to fulfill its obligations under Applicable Data Protection Legislation. Such information includes e.g. a description of:
a) the nature of the personal data breach, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records concerned;
b) the likely consequences of the personal data breach; and
c) the measures taken to address the personal data breach or to mitigate its potential adverse effects.
6.3 If and to the extent it is not possible to provide all the information at the same time, the information may be provided in installments without undue further delay.
6.4 The Controller shall compensate the Processor for any direct costs that the Processor incurs if the measures taken under this Section 6 are due to the Controller’s non-compliance with Applicable Data Protection Legislation.
7. Sub-processors
7.1 For the performance of the Loan Agreement or the Terms of Service (as applicable), the Processor engages Sub-processors for certain tasks, such as IT operation and data hosting. The Processor is hereby given prior general authorization for the engagement of Sub-processors, to which personal data may be transferred, for the Processor to be able to fulfil its obligations pursuant to the Loan Agreement or the Terms of Service (as applicable).
7.2 The Processor shall notify the Controller of any plans to engage new Sub-processors or to replace any Sub-processor, thereby giving the Controller the opportunity to object to such changes.
7.3 The Processor is responsible for ensuring that the Sub-processor, through a written agreement or other legal act pursuant to Applicable Data Protection Legislation, is bound by data protection obligations equivalent to those laid down in this DPA, and for ensuring that the Sub-processor provides sufficient guarantees that it will implement appropriate technical and organizational measures in such a manner that the data processing will meet the requirements of Applicable Data Protection Legislation.
7.4 The Processor is entitled to engage Sub-processors to process personal data on behalf of the Controller. The Processor shall enter into an agreement with all Sub-processors which imposes corresponding obligations as are applicable to the Processor in accordance with this DPA. The Processor shall be fully accountable to the Controller for the performance of the Sub-processors’ obligations.
7.5 The Sub-processors pre-approved from time to time are listed in Appendix 2.
8. Transferring Personal Data to a Third Country
The Processor may move, store, transfer or otherwise process the personal data outside of the EU/EEA, provided that such transfers meet the requirements and undertakings that follow from Applicable Data Protection Legislation. The Processor undertakes to enter into the relevant module of the SCC with any Sub-processor that transfers personal data outside the EU/EEA, unless another applicable transfer mechanism applies, and to take all reasonable measures to verify that the engaged Sub-processors ensure the lawfulness of any onward transfers of personal data that the Sub-processors’ own sub-processors may undertake.
9. Request for Information and Disclosure of Personal Data
9.1 In cases where a data subject or other third party requests information from the Processor about the processing of personal data that belongs to the Controller, the Processor shall refer such data subject or third party to the Controller.
9.2 In the event a public authority requests the type of data as set forth in Section 9.1, the Processor shall immediately inform the Controller of the request unless prevented by law, and the Processor and the Controller shall thereafter, in consultation, agree on a suitable course of action. Unless expressly agreed between the Parties, the Processor shall not act on behalf of the Controller.
9.3 The Processor shall not disclose or make any personal data available to third parties unless the Processor is under a legal obligation deriving from the laws of the European Union or a member state, or court or public authorities’ order to disclose the personal data.
9.4 If an obligation to disclose information as stipulated in this Section 9 emerges, the Processor shall immediately inform the Controller of such situation.
10. Audit and Documentation
10.1 The Processor undertakes to document and keep records of the measures taken by the Processor in order to comply with its obligations under this DPA and Applicable Data Protection Legislation.
10.2 The Processor shall assist the Controller in obtaining information and documentation relating to the processing of personal data carried out on behalf of the Controller to the extent required to demonstrate that the Processor has fulfilled its obligations in accordance with Applicable Data Protection Legislation. The right to information shall include the right of access to the Processor’s premises. The Controller shall be entitled to request an audit for this purpose which may be conducted either by the Controller or by an independent third party provided that such third party is subject to confidentiality and does not constitute a competitor to the Processor.
11. Compensation
The Processor shall receive compensation for any reasonable costs for measures which it takes in respect of processing personal data in accordance with this DPA.
12. Liability
12.1 In the event of compensation for damages in connection with wrongful processing of personal data, which, through an established judgment or settlement, shall be payable to data subjects due to a breach of the provisions in this DPA, the Controller’s instructions or Applicable Data Protection Legislation, Article 82 GDPR shall apply.
12.2 Any administrative fines pursuant to Article 83 GDPR or Chapter 6 of the Swedish Data Protection Act (2018:218) shall be borne by the Party upon whom such a charge is imposed.
12.3 The breaching Party’s liability towards the other Party for such claims referred to in Section 12.1 above is (i) if a Loan Agreement is entered into, limited to 200% of the average aggregated interest paid by the Controller (or any of its affiliates) to the Processor under the Loan Agreement the relevant year and (ii) if no Loan Agreement is entered into, limited to the amount set out in the Terms of Service.
12.4 The Controller shall fully indemnify the Processor against any damages, fines or costs that the Processor incurs as a result of any breach by the Controller of the warranty set out in Section 3.3.
13. Term
With the exception of Sections 5 and 12, the provisions of this DPA shall apply for as long as the Processor processes personal data on the Controller’s behalf.
14. Measures in Connection with Termination
14.1 When the Loan Agreement expires (or if no Loan Agreement is entered into, the Terms of Service are terminated), the Processor shall, at the Controller’s request and per the Controller’s instructions, permanently delete, or return in a format that the Controller chooses, all personal data processed in accordance with the DPA to the Controller, unless the Processor is required by law to save a copy of the personal data.
14.2 In this context, deletion means that the personal data is erased in accordance with the industry standard in force at the time, so that the data cannot be recreated using any technology or method known at the time of deletion. This shall also apply to personal data that has been processed for logging and security purposes.
15. Miscellaneous
15.1 This DPA forms an integral part of the Loan Agreement or the Terms of Service (as applicable) between the Parties. In case of conflicting provisions, the DPA shall prevail.
16. Assignment of the DPA
Neither Party shall be entitled to assign its rights or obligations under this DPA, in whole or in part, without the prior written consent of the other Party. However, the Processor may, without the prior written consent of the Controller, assign any of its rights or obligations under this DPA to an affiliate, or to another third party as part of a corporate reorganization, upon a change of control, consolidation, merger, sale of all or substantially all of its business or assets of the Processor.
17. Applicable Law and Dispute Resolution
17.1 This DPA shall be governed by the substantive law of Sweden, without regard to its choice of law provisions.
17.2 Any dispute, controversy or claim that solely regards this DPA shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Stockholm and the language to be used in the arbitral proceedings shall, unless otherwise agreed between the Parties, be English. Any other dispute, controversy or claim shall be settled in accordance with the Loan Agreement (if entered into).
17.3 The Parties undertake and agree that any arbitral proceedings conducted with reference to this arbitration clause shall be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way its rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority, applicable stock exchange regulations or the regulations of any other recognized marketplace.
_____________________________
APPENDIX 1
Specification of the Processing
This Appendix applies to data imported by the Controller for the purpose of analyzing its potential or existing portfolio companies (“Portfolio Companies”) through the Processor’s business intelligence Platform.
1. Brief Description of the Services
The Services are delivered as part of the Platform, an online business intelligence portal provided by the Processor. The primary users of the Services are companies regularly engaged in or established for the purpose of making, purchasing or investing in loans or equity, such as the Controller, that want to analyze the performance and outlook of their potential or existing Portfolio Companies.
The Services include access to the Platform where dashboards with metrics and analyses relating to portfolio companies are presented to the Controller. The Platform aims to enhance understanding of various aspects of the portfolio companies’ business, including revenue trends, user retention and churn, marketing efficiency, and future projections as well as market, team evaluation, financial and business model analysis.
To increase the analytical value and utility of the Platform, the Controller may import relevant data sets into the Platform. Such data sets typically contain financial and operational information relating to the Controller’s portfolio companies. To the extent personal data is included, it may concern individuals connected to such portfolio companies, primarily investors, owners and members of management teams. The Processor processes these data sets to produce outputs which are made available to the Controller through the Platform’s dashboards and analytical tools.
2. Purpose and Subject Matter of the Processing
The processing of personal data is carried out for the purpose of enabling the Processor to provide the Services to the Controller as described above. This includes the calculation, aggregation, and presentation of metrics and analyses relating to portfolio companies, to support the Controller’s investment analysis, portfolio monitoring, and related business operations.
In the course of providing the Services, the Processor may receive and process personal data included in the data sets imported by the Controller. The processing of such personal data will be limited to storing and presenting in the Platform and using it to perform web searches in order to provide background information and insights relating to, for example, management teams and investors of the portfolio companies.
3. Categories of Personal Data
The Platform is designed to minimize and restrict processing of personal data to what is necessary to deliver the Services. To the extent personal data is processed, it may include information relating to individuals associated with the Controller’s portfolio companies, such as:
Full names and professional roles
Contact details (such as home address, email addresses and telephone numbers)
Social security numbers
Salary
Ownership and investment information (such as shareholdings)
Background or publicly available biographical data (such as professional experience, education and board memberships)
Financial or transactional details relevant to investment or company performance
Correspondence with the Controller
Geographical location information
Sensitive personal data under Article 9 of the GDPR and other personal information which may be regarded as sensitive from an integrity perspective may not be processed in the Platform or Services. The Controller is not permitted to import or store such data unless these instructions are explicitly amended in writing and signed by both Parties.
4. Categories of Data Subjects
The personal data processed may concern the following categories of individuals connected to the Controller’s portfolio companies:
Employees and members of management teams
Customers
Board members
Investors and owners
Employees in the context of this DPA refer to individuals who are or have been employed by the Controller.
Customers in the context of this DPA refer to existing or previous customers or end users of the Controller’s goods or services.
Board members in the context of this DPA refer to any existing or previous members of any board, supervisory or decision-making body of the Controller.
Investors in the context of this DPA refer to existing or previous, direct or indirect, investors or owners of the Controller.
The Controller is not permitted to import, store or otherwise process personal data relating to end consumers of the portfolio companies in the Platform unless these instructions are explicitly amended in writing and signed by both Parties.
5. Processing Operations
The Controller’s login details are encrypted with the AES-256 algorithm before being stored.
During the data ingestion process, the Processor processes personal data on a designated encrypted shared host located in Europe. Cross-host data transformation is performed in a closed, secure and shielded environment.
The Platform calculates and presents analyses based on aggregated, pseudonymized, or otherwise non-personal data wherever possible.
6. Location of Processing Operations
All data is stored and processed in Europe (multi-region EU).
7. Duration of the processing (retention period)
Personal data that is relevant for analytical purposes (for example, information relating to management teams or investors) may be retained for as long as necessary to provide the Services, including to maintain the accuracy and continuity of portfolio analyses.
All other personal data that is not used for analytical purposes is:
(i) deleted immediately after ingestion; or
(ii) retained only as necessary to provide the Services, and in any event deleted no later than thirty (30) days following termination of the provision of the Platform.
The Processor will also apply manual processes to ensure that any remaining personal data is deleted within 30 days of detection. Personal data may persist for a few days before being fully erased.
APPENDIX 2
List of Pre-Approved Sub-processors
Sub-Processor | Service | Place of processing |
Google Cloud EMEA Limited | Google Cloud Platform Services | EU |
Ory Corp | User authentication | EU |
Datadog, Inc. | On site error tracing | EU |