General Terms and Conditions (GTC)

These are the regulations for using our products and services as well as our Personal Data Processor Agreement and Personal Data Policy.

General Terms of Service and Supply of Hardware

(Version 1:2023)


Notice:
Please read before access or use of the Software-as-a-Service (SaaS) provided hereunder, or as applicable as a cloud based service, for asset management and application (App) (the “Service”) that you are attempting to access or that otherwise accompanies or is provided with these General Terms of Service and Supply of Hardware (“General Terms “).
The Service Provided reserves the right to at any time change these General Terms to make them compliant with changes in legislation, decision of authorities on new or changed legislation or practises of courts, which in any way affect the provision of the Service or these General Terms. Any changed version of the General Terms is labelled with a new version number and is valid for all applicable subscriptions from the moment it is published on the Service Provider’s website and/or in the Service.
By actively agreeing to be bound by the General Terms, accessing or in any way using the Service, the entity or company that you represent (the ”User”) is unconditionally consenting to be bound by the General Terms constituting an “Agreement” with the Service Provider.
The User represents and warrants that it has the legal power and authority to accept the General Terms and to enter into the Agreement with the Service Provider.
If the User does not unconditionally agree to all terms of the General Terms or want to become a party to the Agreement, then, unless expressly approved otherwise by the Service Provider, any access or use of the Service is strictly prohibited.
The Agreement constitutes the Agreement between the Service Provider and the User with respect to license of the Service. The Agreement forms a legally binding contract between you as User (licensee) and the Service Provider (licensor) in relation to your access and use of the Service.
EXCEPT FOR THE LICENSE RIGHTS GRANTED HEREIN, NO INTELLECTUAL PROPERTY RIGHTS ARE TRANSFERRED.
Please contact info@comlink.se with any questions.

1. Definitions
“Affiliate” means any entity controlling or controlled by or under common control with a Party where control is ownership of more than 50 % of the equity or voting rights of such entity.
“Agreement” means the agreement created by the User with the Service Provider by the User completing the required registration process for use of the Service and actively agreeing to be bound by the General Terms, or any such other contract document together with its appendices (annexes), and any amendments and supplements thereto, duly executed by the User and the Service Provider, that set forth additional and specific terms and conditions for subscription/use, price and payment terms and other terms, conditions and documents.
“Airtime” means wireless airtime and mobile network capacity.
“API” means application programming interface enabling communication between the Service (the library/functions/variables etc.) and other User or third-party software applications, scrips, plug-ins or alike.
“App” means the Service Provider’s software application that is necessary to control, utilize and interact with the Service. The App is available at App Store and Google Play.
“Availability” means when the User can access the Service Provider admin user interface and API for the Service. Availability of the Service is measured monthly over all days of the month (24h/day).
“Bearer Services” means the provision of services by designated telecom operator (as amended from time to time), used for the Service and the User’s devises.
“Partner” means Partner to the Service Provider, admitted to and identifiable as a Partner under the Service Provider’s Partner Program.
“Confidential Information” shall have the meaning set forth in Clause 13.
“Description” means the description and specifications of the Service and usage requirements.
“Documentation” means any specification, user guide, manual and other documentation that is provided by the Service Provider and that explain the installation (if applicable), use and functions of the Service, including but not limited to related system and service documentation, all comments, procedural language, materials useful for understanding and using the Service.
“Effective Date” means the date when the User has completed the required registration process entitling the User to use the Service.
“General Terms” means these General Terms of Service and Supply of Hardware.
”Hardware Unit” means a hardware device connected to the Service that is designed to be connected to and published in the Service. The right to access the Hardware Unit can be delegated between Users.
”Hardware Unit Data” means Service Data generated and stored in Hardware Unit.
”Independent Development” shall have the meaning set forth in Clause 26.
“Intellectual Property Rights” means software, patents, inventions, copyrights, trademarks and symbols, domain names, trade secrets, know-how, processes, algorithms, techniques, designs and other technical material or information and any other intellectual property and/or proprietary rights, or modifications, enhancements and other derivative works of the foregoing, whether registered or not.
“Party” or “Parties” means the User and the Service Provider individually or jointly.
“Renewable Term” means each renewed successive term pursuant to Clause 15.
“Service” means the Service Provider’s software-as-a-service and cloud model services (as applicable), the App and API, and any subsequent updates, upgrades, bug fixes, work around, or other services and/or products delivered or made accessible in connection with the Service.
”Service Data” means the dynamic data generated in Hardware Unit and in the Service and App related to a specific Hardware Unit, such as access authorizations, transactions, delegations etc, but excluding the User Data.
“Service Provider” means Comlink AB, co. org. no. 556514-0190, Energigatan 10B, SE-434 37 Kungsbacka, Sweden, its Affiliates or other companies and entities (such as enterprise customers, resellers, channel partners, distributors) authorized to provide the Service.
“Service Provider Content” means by the Service Provider supplied texts, audio, video, graphics, features, functions, images, photographs, animations, music, applets incorporated into the Service or on the Service Provider’s website, and other information and data available by means of the Service and/or the Service Provider’s web site.
“Service Provider’s Technology” means the Service, App, API, Hardware Unit and all the Service Provider’s and/or its licensors technology (including but not limited to software, software development kits, hardware, products, processes, algorithms, user interfaces, know-how, techniques, designs and other tangible or intangible technical material or information), owned by the Service Provider and/or its licensors, and/or used in the course of providing and supporting the Service, App, API, Hardware Unit and subsequent updates or upgrades of any of the foregoing.
“Service Provider’s Property and Proprietary Rights” means the Service, Service Provider Content, Service Provider’s Technology, the Service Provider’s Confidential Information, and any and all Intellectual Property Rights to or relating thereto.
“Term” means the permitted length of each use of Service, as further governed by these General Terms.
“Third Party Materials” means any third-party content and materials.
“Third Party Services” means any services, products, gateways, links or other functionality that may be included in or linked to the Service and that allows the User to access third party services, for example connectivity- and mobile network services.
“User” means the entity or person that uses the Service.
“User Data” means the static data owned and, as applicable, submitted and stored on the Service Provider system by the User to the Service Provider using the Service.

2. General
2.1 The General Terms apply between the Service Provider and the User regarding the provision and use of the Service.
2.2 The Agreement incorporates the General Terms. Subject to the Users complete registration process, and, as applicable, in consideration for subscription fee payable by the User, the Service Provider shall provide the Service.

3. The Service
3.1 Subject to complete registration process the Service Provider grants to the User a

(a) non-exclusive, non-transferable, non-sub-licensable, worldwide, license
(b) to access, display and use the Service, App and Documentation
(c) for the User’s internal use in accordance with the General Terms.

3.2 The User acknowledges and agrees that the Service is licensed and subscribed on a Software-as-a-service and/or Cloud basis (as applicable) and the App is licensed on user-basis and, unless explicitly approved by the Service Provider in writing, not sold to the User.
3.3 Unless explicitly permitted herein or by the Service Provider’s written approval, the User may not sell, resell, rent, assign, share, outsource, included in network, or in SaaS-services or in external cloud computing environments or lend the Service. The Service Provider reserves all rights to the Service not expressly granted to the User herein.
3.4 Without granting any additional licenses hereunder, the User may authorize its contractors and outsourcers to use or operate the Service solely on the User’s behalf and provided that the User obtains such third parties’ binding consent in advance to abide by the terms of these General Terms and provided the User shall be responsible for such parties’ use and compliance. Such parties are not, and shall not be deemed to be, third party beneficiaries hereunder or for any other reason.
3.5 Without granting any additional licenses hereunder and subject to Service Provider’s approval, the User may use and authorize third parties to use or operate Service Provider’s API, solely on the User’s behalf and provided;

(a) that the User obtains such third parties’ binding consent in advance to abide by the terms of the General Terms, and
(b) that the User is responsible for such third parties’ use and compliance. Such third parties are not, and shall not be deemed to be, third party beneficiaries hereunder or for any other reason.

3.6 Unless explicitly approved by the Service Provider and to the extent the rights and obligations set out in this Clause 3.6 is in compliance with applicable mandatory law, the User is only permitted to use the Service Provider’s Property and Proprietary Rights , unchanged and ‘as supplied’ by the Service Provider and may not modify, decompile, reverse engineer, disassemble or otherwise attempt to derive and/or gain access to source code from any software made available as part thereof.
3.7 The Service Provider reserves the right to from time to time make changes and updates to the functionality of the Service provided to the User, and associated Description and Documentation, provided that such changes do not have a material adverse effect on the functionality of the Service.
3.8 The User shall neither use nor permit others to use the Service for any unlawful, invasive, infringing, defamatory, fraudulent, or obscene purpose.
3.9 Unless explicitly undertaken by the Service Provider while providing the Service, the Service Provider is not responsible for the User’s use of the Service, testing procedures or for determining or evaluating the ability of the designated websites to withstand for use of high traffic delivering the Service.
3.10 The User is responsible for all activities that occur during the User’s use of the Service. The User agrees to immediately notify the Service Provider of any unauthorized use of the Service or any other known or suspected breach of security.
3.11 Unless explicitly undertaken by the Service Provider while providing the Service, access to and use of the Service requires appropriate connections to the Internet. The User is solely responsible, at the User’s expense, for acquiring, installing, maintaining, and updating all hardware, computer software, and communications capability necessary for the use of the Service.
3.12 The User acknowledges and agrees that the provision of Airtime is subject Third Party Service to the geographic extent of Airtime coverage and local geography, topography and/or atmospheric conditions and/or other physical or electromagnetic interference that may from time to time adversely affect the provision of the Airtime in terms of line clarity and call interference. For the avoidance of doubt the Service Provider does not warrant any Airtime. It is the User’s responsibility to ensure Airtime on sites where User intends to use the Bearer Service.

4. Ownership
4.1 The Service Provider and if applicable, its licensors, retain all Intellectual Property Rights, title and interest in and to the Service Provider’s Property and Proprietary Rights.
4.2 The Agreement grants no licensing or ownership rights, express or implied, in Service Provider’s Property and Proprietary Rights, except as explicitly granted herein.
4.3 Unless explicitly approved by the Service Provider and to the extent the rights and obligations set out in this Clause 4.3 is in compliance with applicable mandatory law, the User agrees not, at any time, during the duration of the Agreement or thereafter, to contest or aid others in contesting or doing anything which impairs the rights, title, or interest in or validity of any of Service Provider’s Property and Proprietary Rights.
4.4 The User shall own and shall continue to own all User Data.
4.5 Service Data generated in the Service during the time when the User is the subscriber of the Service shall be owned and shall continue to be owned by the User.
4.6 Hardware Unit Data shall be owned by the owner of the Hardware Unit. (If a Hardware Unit is transferred to another party, the ownership to Hardware Unit Data contained on the Hardware Unit, unless deleted, will pass to the acquiring party upon transfer and the right to data generated after transfer shall apply to the new owner.)

5. Access to services and passwords
5.1 The Service is provided via the Service Provider’s system.
5.2 The User shall access the Service via the Service Provider designated platform and/or instructions. Access to and use of the Service requires appropriate connections to the Internet or other relevant public electronic network.
5.3 To be able to use the Service the User need and will be provided login username and password from the Service Provider.
5.4 The use/subscription term commences on the Effective Date. User is solely responsible, at User’s expense, for acquiring, installing, maintaining, and updating all hardware, computer software, and communications capability necessary for connecting to the Internet and for the use of the Service.
5.5 The User’s designated login username(-s) and password(-s) are strictly confidential and may only to be used by the User. The User is responsible for all activities that occur during the User’s use of the Service. The User agrees to immediately notify the Service Provider of any unauthorized use of the Service, usernames, passwords, account, or any other known or suspected breach of security.

6. Support
Support services for the Service and other matters relating to use of the Service shall be provided in or via the Service. Whereas the service is provided via a Partner under the Service Provider’s Partner Program, first line support shall be provided by the Partner.

7. User data and security
7.1 The User will have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness of and copyright permissions for all such User Data.
7.2 The User is not permitted and undertakes to not enter any data into the Service that constitute Confidential Information or special categories of personal data, to the effect that the Service Provider shall be justified to treat all data entered into the Service by the User as non-confidential information.
7.3 The User undertakes to ensure to make sure that data entered into the Service Provider’s system is in the agreed format and virus-free. And not in any way capable of damaging or negatively affecting the Service Provider’s system of the Service.
7.4 The User grants to the Service Provider and its Affiliates a non-exclusive license to use, copy, store, transmit and display technical information, and User Data to the extent reasonably necessary to provide and maintain the Service, and for internal statistics, product development purposes. The Service Provider may aggregate anonymous statistical data regarding use and functioning of its system by its various users, including the User. Such aggregated statistical data will be the sole property of the Service Provider. The Service Provider will use commercially reasonable security measures to protect the User’s data against unauthorized disclosure or use. The Service Provider’s security (privacy) policies in effect from time to time are located at https://www.comlinksweden.com.

8. Links to third party sites
The User may link to third party sites using the Service. The third-party sites are not under the control of the Service Provider, and the Service Provider is not responsible for the contents of any third-party sites, any links contained in third party sites, or any changes or updates to third-party sites.

9. Warranty and warranty disclaimers
9.1 The Service Provider warrants that;

(a) the Service provided to the User is and will be completed in a professional, efficient manner, with the degree of skill and care that is required by good, and sound professional procedures, and shall be completed in accordance with the Agreement and Service Description;
(b) the Service do not, to the best of the Service Provider’s knowledge, misappropriate, violate or infringe any copyright, trademark, mask work, trade secret, patent or other intellectual property or proprietary right of others; and
(c) the Service Provider has full power to grant the rights granted to the User under the Agreement. The Service Provider’s warranties as regards the function of the Service, only apply if, and require that, the Hardware Units (as applicable) have been properly and securely installed and connected to the Service by qualified technician and maintained in accordance with the Service Provider’s instructions and guidance from time to time.

9.2 The Service may include Third Party Service and Third Party Materials. The Service Provider does not supply and is not responsible for any Third Party Service or Third Party Materials, which may be subject to their own licenses, end-user agreements, privacy and security policies, and/or terms of use. The Service Provider makes no warranty to and has no liability for Third Party Service and Third Party Material.
9.3 For any defective or non-conforming portion of the Service covered by the foregoing warranty, the Service Provider shall promptly upon the User’s notice of any non-conformity, at the Service Provider’s option perform one of the following measures (provided that (a) and (b) shall only be performed by the Service Provider to the extent they are commercially practicable): (a) re-perform the Service; and (b) correct or replace the non- conforming portion. Any notice of any nonconformity by the User to the Service Provider must be in writing and within 30 days after the User first encounter any such nonconformity.
9.4 The warranties expressly stated in this Agreement are the sole and exclusive warranties offered by the Service Provider. There are no other warranties of any kind, express or implied, the Service Provider expressly disclaims any and all warranties of title, merchantability, fitness for a particular purpose, accuracy or quit enjoyment.
9.5 Except as stated herein, the Service and documentation are provided to the User on an “as is” and “as available” basis. User assumes all responsibility for determining whether the services or the information generated thereby is accurate or sufficient for User’s purposes.
9.6 The Service Provider does not warrant that use of the services will be error-free or uninterrupted. The Service Provider is not responsible for software installed or used by the User or other users or for the operation or performance of the internet.

10. Indemnification
10.1 The Service Provider will, at its expense and at the User’s request, defend, indemnify and hold harmless the User and its officers, directors, employees from and against any and all claims, actions, demands, liabilities, settlements, costs, damages and fees arising, in whole or in part, in connection with

(a) any allegation that any portion of the Service or Documentation misappropriates, violates or infringes any third party’s patent, copyright, trademark, trade secret, or other intellectual property or proprietary right;
(b) any bodily injury, personal injury, death or property damage caused by the Service Provider or the Service Provider’s employees;
(c) any gross negligence and wilful misconduct of the Service Provider or the Service Provider’s employees; or (d) the Service Provider’s breach of the warranties set forth herein.

10.2 The User will, at its expense and at the Service Provider’s request, defend, indemnify and hold harmless the Service Provider and its Affiliates, officers, directors, employees from and against any and all claims, actions, demands, liabilities, settlements, costs, damages and fees (including attorneys’ and other professionals’ fees and costs) arising, in whole or in part, in connection with a claim, suit, action, or proceeding by a third party;

(a) alleging that the User Data or information supplied by the User infringes the intellectual property rights or other rights of a third party or has caused harm to a third party,
(b) from any third party subpoena or compulsory legal order or process that seeks User Data and/or other User-related information or data, including, without limitation, prompt payment to the Service Provider of all costs (including attorneys’ fees) incurred by the Service Provider as a result,
(c) out of the User’s breach of contract, or any bodily injury, personal injury, death or property damage caused by the User. In case of such subpoena or compulsory legal order or process, User also agrees to pay the Service Provider for its staff time in responding to such third party subpoena or compulsory legal order or process at the Service Provider’s then applicable hourly rates.

10.3 In case of any claim that is subject to indemnification as set forth herein, the Party that is indemnified (Indemnitee) will provide the indemnifying Party (Indemnitor) reasonably prompt notice of the relevant claim. Indemnitor will defend and/or settle, at its own expense, any demand, action, or suit on any claim subject to indemnification as set forth herein. Each Party will cooperate in good faith with the other to facilitate the defence of any such claim and will tender the defence and settlement of any action or proceeding covered by this Clause to the Indemnitor upon request. Claims may be settled without the consent of the Indemnitee, unless the settlement includes an admission of wrongdoing, fault or liability.
10.4 Each Party shall, in order not to lose its right to claim damages, put forward such claim no later than 30 days from the time when the Party noticed or should have noticed the ground for the claim, however no later than six months from 90 days from date of termination/expiry of Term of the applicable Oder Form, whichever is the earliest.

11. Limitation of liability
11.1 No party shall be liable to the other party for any loss of profit, loss of use, loss of production, lost revenues, lost business or for any financial or economic loss or for any indirect or consequential damages whatsoever.
11.2 Each party’s sole, exclusive and maximum liability to the other party for the Service and under these General Terms shall on aggregate be limited to a total maximum amount of € 50,000 per event and series of events with the same cause of damage and per calendar year.
11.3 Nothing in this contract shall limit or exclude a party’s liability for:

(a) death or personal injury caused by its negligence;
(b) fraud or fraudulent misrepresentation; and/or
(c) any other liability that cannot be excluded by law.

11.4 The Service Provider does not accept liability for Third Party Services and Third Party Material Including acts and omissions).
11.5 The Service Provider does not accept liability arising as a result of improper or unsecure installation and/or maintenance of hardware Units.
11.6 The Service Provider does not accept liability for any effects upon User’s devises, equipment or any effects of the User’s devises equipment, or upon any electronic or radio systems in equipment, vehicles or aircraft in the vicinity of such users, of any emissions or transmissions to, from, by or through the network and/or the User’s devises and equipment.

12. Sale and purchase of Hardware Unit
12.1 If an agreement for the purchase of Hardware Unit is formed specifying the sale and purchase of Hardware Unit, these General Terms and referenced Orgalim terms and conditions in clause 12.6 below shall be deemed to be incorporated into any such sale agreement.
12.2 The User shall be responsible for ensuring that the Hardware Unit ordered by the User is suitable for the User’s requirements and is compatible with the User’s existing systems (hardware and software) and practices.
12.3 The User acknowledges that the Hardware Unit contains software or be accompanied by separate software, including but not limited to operating systems and applications. Such software may be included in or be embedded in the Hardware Unit, or it may be contained separately on disks or on other media. Such software constitutes Service Provider’s Technology and proprietary IPR and may also contain valuable trade secrets and be protected by patents. The User is licensed to use software contained in or accompanying the Hardware Unit, subject to Service Provider’s licensing terms and conditions provided with or otherwise accompanying the Hardware Unit, applicable patent, trademark, copyright, and other intellectual property laws.
12.4 All Hardware Unit Data, except Service Provider’s data and proprietary IPR pursuant to clause 12.3, shall belong to the owner of the Hardware Unit.
12.5 Service Provider will supply, and ship ordered Hardware Unit as indicated in separate agreement for sale (Purchase Order or Contract) in accordance with these General Terms (this Clause 12) and the general terms ORGALIM S 2022 and ORGALIME SI 14, as incorporated in theses General Terms and any agreement for sale of Hardware Unit.(An agreement for sale as used herein correspond to “Contract” in Orgalim 2022 and Orgalime SI 14.) Risk of loss or damage to all Hardware Unit will pass to User upon delivery. Any specified delivery dates are estimates only. Service Provider shall not be liable for any shipment failure or shipment delay unless caused by Service Provider.
12.6 Title to and the right to retake possession of the Hardware Unit purchased from Service Provider shall remain with Service Provider until all sums in respect of the delivered Hardware Unit have been paid in full.
12.7 All shipments (including the Hardware Unit, the packages, and the number of packages) shall be deemed correct and undamaged unless the User informs Service Provider of any shortfall or error in writing within 14 days after delivery. The Subscriber’s failure to inform Service Provider shall constitute a waiver of any such claim. For faulty shipments, Service Provider shall, at its sole discretion, issue a replacement shipment, or a credit to the Subscriber.
12.8 The price for ordered Hardware Unit will be the price offered from time to time by the Service Provider. Unless stated in the offer, the price includes standard freight.
12.9 If the User is an importer of the Hardware Unit, the User shall be responsible for the payment of all copyright levies, recycling fees and other similar duties imposed on the Hardware Unit (or parts thereof) or their packaging by central or local authorities, collecting societies or other institutions. In addition to the payment of recycling fees or similar duties, local law or recycling schemes may require importers or scheme members to comply with certain take-back, collection or recycling requirements. the Subscriber shall comply with such requirements and any additional requirements.
12.10 All new Hardware Unit carry a 12-month warranty against defects in materials and workmanship. The Subscriber shall not be entitled to make any warranty claim against Service Provider unless the claim is made within 2 months of discovering or learning of the defect.
12.11 The above warranty does not apply to damage caused;

(a) by alteration, repair, adjustment, or installation by someone other than Service Provider,
(b) due to accident, misuse, or abuse,
(c) due to normal wear and tear,
(d) due to use of parts and components not supplied or intended for use with the Hardware Unit, or
(e) to products, software or services made, created, or performed by a party other than Service Provider.

12.12 Service Provider shall either repair or replace the Hardware Unit that does not comply with the warranty set forth herein. Where Hardware Unit is replaced, the User shall return the replaced Hardware Unit to Service Provider or else Subscriber shall pay Service Provider, by invoice, the applicable prices for the replacement Hardware Unit.

13. Confidentiality
13.1 “Confidential Information” means any information that is disclosed by one Party (the Discloser) to the other (the Recipient), which, at the time it is disclosed, in any form, is identified or designated by Discloser as “confidential or proprietary” or reasonably should be known by Recipient to be proprietary or confidential information of Discloser.
13.2 The Recipient shall not use or disclose the Discloser’s Confidential Information without the prior written consent of the Discloser, except;

(a) as specifically permitted by the Discloser; or
(b) for the purpose of performing its obligations or enforcing its rights under the Agreement, provided that such disclosures are made only to those employees, consultants, contractors, professional advisors or third party service providers with a direct business need to know and who have agreed in writing to confidentiality provisions that provide the Discloser with at least as much protection as those contained herein.

13.3 Confidential Information will exclude information that;

(a) the Recipient can demonstrate to have had rightfully in its possession prior to disclosure to the Recipient by the Discloser;
(b) the Recipient can demonstrate is now or subsequently becomes available to the public through no wrongful act of the Recipient;
(c) the Recipient can demonstrate has been rightfully received by the Recipient from a third party who has the right to transfer or disclose it to the Recipient without restriction on disclosure;
(d) the Recipient can demonstrate has been independently developed by the Recipient without the use of any of the Discloser’s Confidential Information as evidenced by appropriate documentation; or
(e) has been approved for release by written authorization executed by an authorized officer of the Discloser.

Notwithstanding the foregoing, if the Recipient is required to disclose Confidential Information pursuant to a court order or other requirement of applicable law, the Recipient shall provide the Discloser with prompt written notice of any such requirement sufficient to permit the Discloser to seek and obtain appropriate protective orders prior to such disclosure by the Recipient.
13.4 All Confidential Information remains the property of the Discloser and no license or other rights in the Confidential Information is granted hereby.
13.5 All information provided hereunder is provided ‘as is’ and without any warranty, express, implied, or otherwise, regarding its accuracy or performance. At any time at the request and choice of the Discloser, the Recipient will either return to the Discloser or destroy all the Discloser’s Confidential Information, in whatever form, which is in its custody or control.

14. Suspension of services by service provider
14.1 The Service Provider may, in its sole discretion, suspend a User’s username and password, account, or use of the Service if the User materially violates/breaches any right and/or obligation under the Agreement, and such violation/breach has not been cured promptly within 10 days of notice of such breach, or the User is in delay of any payment due to the Service Provider, or violates/breaches any of its duties and obligations in Clause 3, the Service Provider may suspend the Service immediately without notification.
14.2 Should there be a Service suspension; the Service Provider reserves the right to charge a fee to reinstate the Service.

15. Subscription periods and termination
15.1 The Service license period takes effect and commences on the Effective Date and shall, unless the Parties agree otherwise or for specific subscription periods, continue to apply with a notice period of 15 days for the User, and with a notice period of 90 days for the Service Provider. Termination by the User shall be made in writing to the Service Provider, and termination by the Service Provider shall be by way of notice procedures in the Service and to the Service Provider’s last known email-address to the User.
15.2 The Service Provider may terminate the Service license immediately upon notice;

(a) if the User materially breaches any of its obligations under and pursuant to these General Terms and/or the Agreement, including the payment of relevant fees för Subscription, Hardware and other purchased products and services from the Service Provider (or any of its Affiliates or Partners) in full and on time, and such violation/breach has not been cured promptly within 30 days of notice of such breach,
(b) if the User uses the Service in violation with these General Terms and/or the Agreement, or infringes the Service Provider’s Intellectual Property Rights in or related to the Service Provider’s Property and Proprietary Rights, or challenges the Service Provider’s ownership to or the validity of any such Intellectual Property Rights, or the User is in breach of Clause 26, and such violation/breach has not been cured promptly within 10 days of notice of such breach, or
(c) if the User should enter into liquidation either voluntary, compulsory or become insolvent or enter into composition or corporate reorganisation proceedings or if execution be levied on any goods and effects of the User or the User should enter into receivership.

16. Effect of termination
At the User’s request, within 30 days of the termination of the Service for any reason, the Service Provider shall make available one backup of all data and information generated and/or held by the Service Provider as a result of the User’s use of the Service. The backup shall be stored in the Service Provider’s standard format. User agrees and acknowledges that the Service Provider has no obligation to retain any User Data, and the Service Provider may delete User Data that remains in the Service Provider’s possession or control more than 60 days after termination.

17. Force majeure
17.1 Neither Party will be deemed in default, to the extent that performance of its obligations or attempts to cure any breach are delayed or prevented by reason of any event beyond the reasonable control of such Party, including without limitation, any act of God, fire, earthquake, natural disaster, accident or act of government (in any case to the extent that such event is not due to, nor arises out of, the negligence of the Party whose performance is delayed), and provided that the Party seeking to be excused gives the other Party
17.2 written notice thereof promptly and, in any event, within 15 days of discovery thereof and uses its reasonable efforts to continue to so perform or cure. In the event of such a force majeure event, the time for performance or cure will be extended for a period equal to the duration of the force majeure event. If the period of delay or non-performance continues for in excess of 30 days, the party not affected may terminate the Service by giving written notice to the affected party.

18. Publicity
Unless stated in the Agreement, neither Party may use, without the other Party’s prior written consent in each instance, the names, characters, artwork, designs, trade names, trademarks or service marks of the other Party.

19. Additional remedies; equitable relief
Any remedies at law or equity not specifically excluded by the Parties remain available to both Parties. The Parties expressly acknowledge and agree that a breach of any of the provisions of these General Terms and/or the Agreement may result in irreparable harm to the non-breaching Party, and in such case, the non-breaching Party shall have the right to seek to enforce any provision of these General Terms and/or the Agreement, and any of its provisions by injunction, specific performance or other equitable relief, in any event without prejudice to any other rights and remedies that such Party may have.

20. Export controls
The User shall comply with all export laws and restrictions and regulations, and the User shall not export, or allow the export or re-export of, the Service in violation of any such restrictions, laws or regulations. The User is responsible for obtaining all licenses required to export, re-export, transfer or import the Service.

21. Data privacy
21.1 The data protection obligations (in particular the EU General Data Protection Regulation 2016/679 (GDPR) and all other applicable data protection laws) shall be observed. The Service Provider processes personal data on behalf of the User as a Data Processor, and only if and to the extent necessary to fulfil the purpose of the contractual arrangement with the User. In doing so, the Service Provider also implement appropriate technical and organizational measures which meet the requirements of applicable data protection law, in particular the GDPR and these General Terms.
21.2 As far as personal data will be processed by the Service Provider on behalf of the User and upon User’s instructions (under a controller-to-processor relationship) the Parties will conclude a relevant Controller-to-Processor Agreement pursuant to the User’s registration process for the Service.
21.3 In the absence of a relevant Controller-to-Processor Agreement and in so far as the Service Provider processes personal data on behalf of the User, the following shall apply.
21.4 The Service Provider must ensure that all reasonable precautionary measures are taken to guarantee the security of the personal data and to prevent any corruption, loss, damage, or destruction of the personal data. In the event of unauthorised access to the personal data of the User, or if the personal data have fallen into the hands of an unauthorised third party, the Service Provider shall immediately notify the User about the unauthorised access and provide its cooperation to the User for the taking of all measures that are deemed necessary in order to minimise the risk of such a data breach or unauthorised access.
21.5 The Service Provider or the individuals who work under the direction of the Service Provider may only process such personal data in accordance with the instructions given by the User from time to time. Should the Service Provider not have the instructions that is required by law and that the Service Provider deems necessary to perform any services for the User, the Service Provider shall, without delay, inform the User thereof and await such instructions.
21.6 The Service Provider may, for the processing of personal data, use subcontractors (sub processors), where the Service Provider shall enter into data sub-processing agreements with the subcontractors on the User’s behalf with terms corresponding to the terms herein, whereby the subcontractor undertakes to adhere to what is set out in this Clause 21, including the adherence to Swedish law in the sub-processing. To the extent personal data is transferred to a country outside EU/EEA, the Service Provider shall ensure that the subcontractor signs the EU model clauses for the transfer of personal data to a third country on the User’s behalf. The Service Provider shall on request inform the User of what the subcontractors that have been employed and where they conduct their business.
21.7 In certain situations, two or more Users may act jointly to determine the purposes and means of processing of (same) personal data, by delegating access and sharing use of cloud entities (connected hardware units) within the Service. Joint data controllers are governed by Article 26 of the GDPR stipulating inter alia the need for a joint data controller agreement. By becoming a User of the Service (by completing the registration process) each such joint controller/User will conclude and be bound by a specific Joint Data Controller Agreement (JDCA) as provided by the Service Provider. The JDCA only applies to the joint controller situation and does not apply to Users being a sole data controller.
21.8 It is specifically noted that an authorized partner to the Service Provider, admitted to and identifiable as an authorized Partner under the Service Provider’s specific partner program, shall not, unless otherwise specified by a partner, be bound by the JDCA and each partner will, and is under an obligation to have its own set of terms and conditions for collection and handling of personal data in relation to partner’s customers and other providers. In other words, the Service Provider has no liability for the partner’s activities and legal relationships in relation to GDPR and the partner’s customers.

22. Governing law, dispute, resolution, jurisdiction and venue
22.1 These General Terms and/or the Service and/or the Agreement and the rights and obligations of the Parties pursuant thereto will be governed by the laws of Sweden, without regard to conflicts of law principles. The Parties irrevocably agree that, subject as provided below, the courts of Sweden shall have exclusive jurisdiction in relation to any claim, dispute or difference concerning these General Terms and the Service and any matter arising therefrom.
22.2 Nothing in this Clause shall limit the right of either Party, at any time to seek injunctive relief in the courts of any appropriate jurisdiction in the case of any breach or threatened breach by the other of any obligation of confidentiality or any infringement by other or its Affiliates of that Party’s Intellectual Property Rights.

23. Notices
Any notice required or permitted hereunder shall be in writing and shall be given to each Party’s registered address, or at such other address as the Party may hereafter specify in writing. Such notice shall be deemed to have been given;

(a) in the case of personal service – at the time of service,
(b) in the case of prepared registered mail – latest 5 days after the date of mailing, and
(c) in the case of e-mail – on the date the receipt acknowledged e-mail is sent.

24. Survival or terms
All terms and provisions of these General Terms and/or the Agreement, including any and all exhibits, addenda and amendments hereto, which by their nature are intended to survive any termination or expiration, shall so survive.

25. Relationship of the parties
No employment relationship is created between the Parties. At all times during the term hereof, the Service Provider shall retain its independent status and use its own discretion in performing the Service subject to general direction by the User and to the specific requirements of these General Terms and/or the Agreement. Nothing in these General Terms and/or the Agreement will be construed as creating a partnership, franchise, employment, joint venture or agency relationship or fiduciary duty of any kind between the Parties.

26. Independent development
A Party’s is free to develop, manufacture, purchase, use or market, directly or indirectly, alone or with others, products or services competitive with those offered by the other Party (“Independent Development”), provided that such Independent Development is made (i) without any infringement of the other Party’s Intellectual Property Rights (in relation to the Service Provider such Intellectual Property Rights also applies to the Service Provider’s Property and Proprietary Rights), (ii) without the use of any of the other Party’s Confidential Information, and (iii) without breach of any obligation of confidentiality.

27. Modification
Any waiver, modification or amendment of any provisions of this these General Terms, the Agreement shall be effective only if in writing and signed by the Parties.

28. Severability
If any provision of this Agreement, or the application thereof to any person or circumstances, shall for any reason or to any extent, be invalid or unenforceable, such invalidity or enforceability shall not in any manner affect or render invalid or unenforceable the remainder of this Agreement, and the application of that provision to other persons or circumstances shall not be affected but, rather, shall be enforced to the extent permitted by law.

29. Entire agreement
29.1 Each of the Parties acknowledges and agrees that in entering into these General Terms together with the Agreement, which together constitute the contract between the Parties (Contract), it does not rely on any statement, representation, warranty or understanding (whether negligently or innocently made) of any person (whether party to this agreement or not) other than as expressly set out in the Contract.
29.2 Each of the Parties acknowledges and agrees that the only remedy available to it for breach of this Contract shall be for breach of contract under the terms of the Contract. Nothing in the Contract shall, however, operate to limit or exclude any liability for fraud.
29.3 The Contract constitutes the entire agreement and understanding of the Parties and supersedes any previous agreement between the Parties relating to the subject matter of the Contract.

***

Data Processing and Data Security Agreement

(Version 1:2023)


Notice:
This Data Processing Agreement (“DPA”) creates the legal framework, between the data controller and the data processor, for processing of personal data in a manner compliant with EU General Data Protection Regulation 2016/679 (GDPR).
The data controller is using a subscribed (licensed) service (SaaS) including an App and, as applicable, Hardware Unit provided by the data processor, and the data processor will, on behalf of the data controller, process Personal Data selected, collected and submitted by the data controller and its data subjects, and/or third parties designated by the data controller, and stored and used within and as otherwise included by the Data Controller in the service.
The data processor also processes Personal Data with respect to such information that can be associated with a contractual relationship, subscriptions, billing, and other such information that is collected from or about a data controller and its data subject. Such information may include name, email, phone number, user-ID and passwords of the data controller and for certain data subjects designated by the data controller to be the data controllers contacts and administrators, location of Hardware Units, and also data that is licensed to the Data Processor for the Data Processor’s internal use and Service purposes, and other information that the data processor process to supply products and services to the data controller (“Excluded Data”). Any such Excluded Data is collected and owned by the data processor in the capacity of a data controller and is governed by the Data Processor’s privacy policy at https://www.comlinksweden.com/terms/.
By agreeing to be bound by this DPA the data controller (you, the entity or company that you represent) is unconditionally consenting to be bound by and is becoming a party to this DPA with the data processor; Comlink AB, co. reg. no. 556514-0190, Energigatan 10B, SE-434 37 Kungsbacka, Sweden. If the data controller does not unconditionally agree to all terms of this DPA the use of the service is strictly prohibited, other than for internal validation and testing purposes.
Should European Parliament and/or the Council pass new regulations and/or issue any guidelines which contains terms that conflict with those used in this DPA, such terms in this DPA shall be changed or otherwise interpreted and applied strictly in accordance with any such new regulation and guideline.
Please send an email to info@comlink.se if you have any questions.

1. Definitions
All capitalized terms used in this DPA shall have the meanings given to them below:
“Cloud Entity” means entities added to the Data Controller’s account to which Personal Data may be associated and/or processed.
“Data Controller” has the meaning given in GDPR (and, for the purpose of this DPA, means the party licensing and using the Service).
“Data Processor” has the meaning given in GDPR (and, for the purposes of this DPA, Comlink AB, co. reg. no. 556514-0190, Energigatan 10B, SE-434 37 Kungsbacka, Sweden).
“Data Security Breach” has the meaning set forth in Clause 4.2(c).
“Data Subject” means an individual who is the subject of Personal Data.
“Data Subject Request” has the meaning set forth in Clause 4.2(f).
“Data Transfer” means a transfer of Personal Data from the Data Controller to the Data Processor, or an onward transfer of Personal Data from the Data Processor to a Sub-Processor, or between two establishments of a Data Processor; in each case, where such transfer would be prohibited by EU Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of EU Data Protection Laws).
“DPA” means this Data Processing and Data Security Agreement together with its annexes, as supplemented and amended from time to time.
“EEA” means the European Economic Area.
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each member state and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
“GDPR” means EU General Data Protection Regulation 2016/679.
“JDCA” means the joint data controller agreement set forth in Exhibit C, between a Data Controller and a third part data controller (who is also bound by this DPA), creating the legal framework for the access delegation and shared use of Cloud Entities and the joint use and processing of (same) Personal Data. Access to and right to use each delegated Cloud Entity is conditioned upon the prior acceptance of the JDCA.
“Joint Data Controller” has the meaning given in GDPR (and, for the purposes of this DPA, the Data Controller and such third party (each a joint data controller) that under a JDCA and by sharing the use of Cloud Entities are jointly determining the purposes and means of Processing of Personal Data in and for the Service).
“Party” means either Data Controller or Data Processor.
“Parties” means Data Controller and Data Processor.
“Personal Data” means any information relating to an identified or identifiable natural person, as further defined in GDPR.
“Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service” means the Data Processor’s proprietary Software-as-a-Service and (as applicable) Cloud Sourcing services that are ordered by Data Controller through a link or via an order form and made available online by Data Processor, via the applicable subscriber login link and other web pages designated by Data Processor or Data Processor’s reseller/channel partner.
“Sub-Processor” means any third party data processor engaged by Data Processor who receives Personal Data from Data Processor or Data Controller for Processing on behalf of Data Controller.
“Subscription Agreement” means the agreement and terms and conditions under which the Data Controller is subscribing and granted licensing rights to use the Service.
“Supervisory Authority” means any Data Protection Supervisory Authority with competence over Data Controller, Joint Controllers, Data Processor and any Sub-Processor Processing of Personal Data.
“Third Party Services” means any services, products, devices, equipment, gateways, links or other functionality and any third-party content and materials that may be included in or linked to the Service and that allows the user to access third party services, for example connectivity- and mobile network services.

2. Purpose
2.1 The Data Controller has entered into a Subscription Agreement pursuant to which Data Controller is granted a license to access and use the Service, and the Data Processor will, on behalf of the Data Controller, Process Personal Data selected, collected and submitted by the Data Controller, and/or third parties designated by the Data Controller with whom Data Controller transacts using the Service, and such Personal Data is stored and used within the Service.
2.2 The Parties are entering into this DPA to ensure that the Processing by the Data Processor of Personal Data, within the Service, is done in a manner compliant with GDPR and its requirements regarding the collection, use and retention of Personal Data.
2.3 To the extent that any terms of the Subscription Agreement conflict with the substantive terms of this DPA (as they relate to the protection of Personal Data and the Parties’ respective obligations and liabilities), the terms of this DPA shall take precedence.

3. Ownership of data
3.1 As between the Parties, all Data generated in the Service during the time when the Data Controller a subscriber of the Service shall be owned and shall continue to be owned by the Data Controller, except Excluded Data, and such data shall remain the property of the Data Controller. Under no circumstances will the Data Processor act, or be deemed to act, as a data controller (or equivalent concept such as joint data controller) of such Personal Data Processed within the Service under GDPR.
3.2 Any data contained on a Hardware Unit Data shall be owned by the owner of the Hardware Unit. (If a Hardware Unit is transferred to another party, the ownership to Hardware Unit Data contained on the Hardware Unit, unless deleted, will pass to the acquiring party upon transfer and the right to data generated after transfer shall apply to the new owner.)
3.3 Under the General Terms of Service, the Data Processor is granted the right (license) to access, display and use the Data Controller’s data for as long as the Data Controller is using the Service or as needed to perform the Data Processor’s obligations to Data Controller. The Data Processor shall use such licensed Data in aggregate and anonymized form and such use to be in accordance with the Data Processor’s privacy policy at https://www.comlinksweden.com/terms/.
3.4 The Data Processor’s will also collect and process the Data Controller’s data for the following purposes;

(a) to ensure the security of the Services, Hardware Units and other provided products, to detect and prevent use that is in violation of law or the General Terms,
(b) to prevent abuse of the Service, and to detect and prevent fraud, etc, to ensure adequate and correct communications,
(c) to ensure adequate and correct communication. Communication calls, emails, and support with the Data Processor’s customer support may be recorded, analysed, and stored to train our employees and improve our ways of working, and
(d) processing of several types of statistics for analysis.

4. Obligations of Data Processor
4.1 The Parties agree that the subject-matter and duration of Processing performed by the Data Processor under this DPA and the Subscription Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A of this DPA.
4.2 As part of the Data Processor providing the Service to the Data Controller under the Subscription Agreement, Data Processor shall comply with the obligations imposed upon it under GDPR Articles 28 – 32 and agrees and declares as follows:

(a) The Data Processor shall process Personal Data in accordance with the instructions set forth in this DPA;
(b) the Data Processor shall ensure that all staff and management of the Data Processor are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with GDPR Article 28(3)(b);
(c) the Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with GDPR Article 32 against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a “Data Security Breach”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, including data security consistent with the Security Standards described in Exhibit B;
(d) the Data Processor shall notify the Data Controller in accordance with GDPR Article 33(2), without undue delay but in any event within 48 hours, in the event of a confirmed Data Security Breach affecting the Data Controller’s Personal Data and to cooperate with the Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, the Data Processor shall cooperate with the Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under GDPR;
(e) the Data Processor shall comply with the requirements of Clause 5 when engaging a Sub-Processor;
(f) considering the nature of the Processing, the Data Processor shall assist the Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under GDPR (a “Data Subject Request”). In the event the Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller. However, in the event the Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to the Data Controller, the Data Processor, shall, on the Data Controller’s written request and the Data Controller’s instruction to the Data Processor, and at the Data Processor’s reasonable expense (scoped prior to the Data Processor’s response to the Data Subject Request), address the Data Subject Request, as required under GDPR;
(g) upon request, the Data Processor shall provide the Data Controller with commercially reasonable information and assistance, considering the nature of the Processing and the information available to the Data Processor, to help the Data Controller to conduct any data protection impact assessment or Supervisory Authority consultation it is required to conduct under GDPR;
(h) upon termination of the Data Controller’s access to and use of the Service, the Data Processor shall comply with the requirements of Clause 10;
(i) the Data Processor shall comply with the requirements of Clause 6 to make available to the Data Controller information that demonstrates the Data Processor’s compliance with this DPA; and
(j) the Data Processor shall appoint a security officer who will act as a point of contact for the Data Controller, and coordinate and control compliance with this DPA.

4.3 The Data Processor shall immediately inform the Data Controller if, in its opinion, the Data Controller’s processing instructions infringe any law or regulation. In such event, the Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

5. Use of Sub-Processors
5.1 The Data Controller hereby confirms its general written authorisation for the Data Processor’s use of the Sub-Processor(-s) listed in accordance with GDPR Article 28, to assist it in providing the Service and Processing Personal Data provided that such Sub-Processor(-s),

(a) agree to act only on the Data Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with the Data Controller’s Processing instructions to the Data Processor), and
(b) agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with the Security Standards set forth in Exhibit B.

5.2 The Data Processor agrees and warrants to remain liable to the Data Controller for the Processing services of any of its Sub-Processor(-s) under this DPA. The Data Processor shall maintain an up-to-date list of the names and locations of all Sub-Processor(-s) used for the Processing of Personal Data under this DPA at https://www.comlinksweden.com/terms/. The Data Processor shall update the list on its website of any Sub-Processor to be appointed at least 30 days prior to the date on which the Sub-Processor shall commence processing Personal Data. The Data Controller may sign up to receive email notification of any such changes. (The details of the sign-up process are as detailed in the aforementioned https://www.comlinksweden.com/terms/.)
5.3 In the event that the Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-Processor, as described in this Clause 5, the Data Controller shall inform the Data Processor within 30 days following the update of its online policy above. In such event, the Data Processor will instruct the Sub-Processor to cease any further processing of the Data Controller’s Personal Data and this DPA shall continue unaffected.
5.4 In addition, and as stated in the Subscription Agreement, the Service requires integrations and combinations with Third Party Services. If the Data Controller elects to enable, access or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and the Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Personal Data or any interaction between the Data Controller and the provider of such Third Party Services. The Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with the Data Controller’s enablement, access or use of any such Third Party Services, or the Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. A provider of a Third Party Service shall not be deemed a Sub-Processor for any purpose under this DPA.

6. Audit
6.1 Subject to this Clause 6, the Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of Personal Data by the Data Processor and any Sub-Processor.
6.2 Information and audit rights of the Data Controller only arise under Clause 6.1 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of GDPR.
7. International data transfers
7.1 The Data Controller acknowledges that Services Data Processor and its Sub-Processors may maintain Processing operations in countries that are outside of the EEA. As such, both Data Processor and its Sub-processors may Process Personal Data in non-EEA countries. This will apply even where Data Controller has agreed with Data Processor to host Personal Data in the EEA, if such non-EEA countries Data Transfer and Processing is necessary to host, provide and develop the Service, and access and support-related or other services requested by Data Controller.
7.2 If Personal Data processed in the Service and under this DPA is transferred from a country within the EEA to a country outside the EEA, the Data Processor shall ensure that the Personal Data are adequately protected. To achieve this, the Data Processor shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.

8. Obligations of Data Controller
As part of the Data Controller receiving the Service under the Subscription Agreement, the Data Controller agrees to abide by its obligations under GDPR and declares and warrants as follows.

(a) That the Data Controller is solely responsible for how Personal Data is acquired and used by the Data Controller, including instructing Processing by the Data Controller in accordance with the provisions of the Subscription Agreement and this DPA, is and shall continue to be in accordance with all the relevant provisions of GDPR, particularly with respect to the security, protection and disclosure of Personal Data,
(b) that if collection of Personal Data involves any ‘special’ or ‘sensitive’ categories of Personal Data (as defined in GDPR), the Data Controller is responsible for acquiring and transferring such Personal Data in accordance with GDPR,
(c) that that Data Controller will inform its Data Subjects (if applicable);
(1) about its general use of data processors to Process their Personal Data, including the Data Processor, and
(2) that their Personal Data may be Processed outside of the EEA,
(d) that, upon instructions from the Data Processor, it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by the Data Processor, and to give appropriate instructions to the Data Processor in a timely manner,
(e) that, upon instructions from the Data Processor, it shall respond in a reasonable time to enquiries from a Supervisory Authority regarding the Processing of relevant Personal Data by Data Processor, and
(f) that the Data Controller is solely responsible for any arrangement in the event of the Data Controller becomes a Joint Data Controller as further specified in Clause 9.

9. Joint Controllers
9.1 Subject to the Subscription Agreement, the Data Controller may appoint and delegate access to and share use of Cloud Entities with (another) third party data controller who is also bound by this DPA. The Data Controller and the third party data controller may then, as Joint Data Controllers subject to GDPR Article 26, be jointly determining the purposes and means of processing of (same) Personal Data related to the (same) Cloud Entity.
9.2 As further specified in the JDCA, a Data Processor qualified and included as a Partner to the Data Processor, in other words, admitted to and identifiable as a Partner under the Data Processor’s Partner Program, shall not, unless specifically accepted and as specified by such Partner, be bound by the JDCA. The reason for this is that a Partner normally shares access to the Data Processor’s Service Entities in an administrative capacity, under a contract between the Partner and the Data Controller, but does not collect data, determine the purpose and means of processing of such personal data and is therefore not to be considered a (joint) data controller of the Data Controller’s data. The Partner is however subject to certain Partner Program terms including to be bound do confidentiality undertakings regarding the Personal Data determined and supplied by the Data Controller and processed by the Data Processor.
9.3 By registration and by becoming a Data Controller under the Service, and in all events before granting access to and right to use any delegated Cloud Entities, the delegating Data Controller and the third party data controller, being delegated to, accepts to be bound by the JDCA in Exhibit C, to ensure that the Joint Data Controllers comply with the requirements relating to Joint Data Controllers pursuant to GDPR Article 26. The JDCA determines the Joint Data Controllers’ respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the Data Subject and their respective duties to provide the information as set forth in GDPR. In other words, the delegating Data Controller and the third party data controller (being delegated to) accepts the DPA and the JDCA when accepting the terms and conditions for the Service (during registration) and are then automatically becoming Joint Data Controllers by delegation, upon which the JDCA shall come into full effect between the Joint Data Controllers.
9.4 The JDCA includes a confirmation that the appointed third party joint controller;
(i) has accepted and agreed to be bound by terms and conditions of this DPA, and
(ii) has accepted the appointment of the Data Processor under the DPA for Processing of relevant Personal Data for each of the Joint Data Controllers.
9.5 Each Joint Data Controller is responsible for its own Personal Data Transfers, including for ensuring that a legal basis for joint data controlling exists and that GDPR Article 26 has been fully observed and adhered to.
9.6 The Data Controller delegating access to and right to share the use of Cloud Entities is legally solely responsible and liable for ascertaining the creation of a JDCA and the Data Controller acknowledges that the Data Processor’s only responsibility in this respect is to adhere to this DPA and to inform the Data Controller of the legal requirements under GDPR pertaining to joint data controlling and that the JDCA is provided by the Data Processor solely as a service.

10. Return and destruction of Personal Data
Upon the termination of the Data Controller’s access to and use of the Service, the Data Processor will up to 30 days following such termination at the choice of the Data Controller either;

(a) permit the Data Controller to export its Personal Data, at its expense, or
(b) delete all Personal Data in accordance with the capabilities of the Service in accordance with GDPR Article 28(3)(g).

Following such period, the Data Processor shall delete or anonymize all Personal Data stored or Processed by the Data Processor on behalf of the Data Controller in accordance with the Data Processor’s deletion policies and procedures. The Data Controller expressly consents to such action.

11. Duration
This DPA will remain in force for as long as the Data Processor Processes Personal Data on behalf of the Data Controller under the Subscription Agreement and for the Service.

12. Limitation on liability
12.1 As between the Data Controller and the Data Processor this DPA shall be subject to the limitations of liability set forth in this Clause 12 below, and in applicable Subscription Agreement for the Service subscribed by the Data Controller.
12.2 The Data Processor does not accept any liability under this DPA or GDPR for any Third Party Services, including acts and omissions.
12.3 The Data Processor does not accept any liability under this DPA or GDPR due to the Data Controller’s breach of its obligations to create a Joint Data Controller arrangement as set forth in Clause 9.
12.4 The limitation of liability set forth in this Clause 12 shall not be construed as limiting the liability of either Party with respect to claims by Data Subjects.

13. Miscellaneous
13.1 This DPA may not be amended or modified except by a writing signed by both Parties hereto. This DPA may be executed in counterparts, provided however that the Data Processor shall be entitled to from time to time make non-material functional changes and updates to the DPA (not changing the Parties’ respective rights and responsibilities in this DPA) by giving the Data Controller 30 days’ notice. Also, should European Parliament and/or the Council pass new regulations and/or issue any guidelines which contains terms that conflict with those used in this DPA, the Parties hereby agree that such terms in this DPA shall primarily be changed or secondarily be interpreted and applied strictly in accordance with any such new regulation and guideline.
13.2 Each party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose confidential information that it will not disclose the other party’s confidential information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or a court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation.
13.3 Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns.
13.4 This DPA and the Subscription Agreement constitute the entire understanding between the Parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter.

14. Governing law and jurisdiction
14.1 This DPA and the rights and obligations of the Parties pursuant thereto will be governed by the laws of Sweden, without regard to conflicts of law principles. The Parties irrevocably agree that subject as provided below, the courts of Sweden shall have exclusive jurisdiction in relation to any claim, dispute or difference concerning this DPA (including the right to appeal).
14.2 For the avoidance of doubt, Clause 14.1 shall not be construed or interpreted as limiting Data Subjects rights to enforce their rights under the GDPR, such as to bring actions in other jurisdictions.

***

Exhibit A to DPA

Processing Personal Data and Data Subjects

(Data Controller’s instructions)
(Version 1:2023)


Terms defined in the DPA shall have the same meaning in this Exhibit.

1. Data Processor (where applicable)
The Data Processor (where applicable) operates a Software-as-a-Service and (as applicable) Cloud Sourcing services for asset management and the operation and administration of attached equipment including the identification of users, for example for entry into doors and gates via mobile phones.
Further information can be found online at https://www.comlinksweden.com.

2. Data Controller
The Data Controller is the subscriber and user of the Service and will collect and process Personal Data for registering persons and users for access-controlling attached equipment.

3. Duration of Processing
The processing of Personal Data shall endure for the duration of the subscription term in the relevant Subscription Agreement for the Service.

4. Data Subjects
The Data Controller may, at its sole discretion, collect and submit Personal Data to the Service, which may include, but is not limited to, the following categories of Data Subjects (all of whom are natural persons) of the Data Controller and any natural person(s) authorized by the Data Controller to use the Service:

1. Employees
2. Relatives of employees
3. Customers
4. Prospective customers
5. Service providers
6. Business partners
7. Vendors
8. Advisors
9. Subscribers of the Service
10. Users of Data Controller provided services

5. Categories of Personal Data
The Data Controller may, at its sole discretion, submit Personal Data to the Service which may include, but is not limited to, the following categories of data:

1. First name
2. Last name
3. Email address
4. Telephone number
5. Address
6. Other contact details
7. Contractual relations/matters
8. Support communications
9. Customer service information
10. Restrictions or grants
11. Information provided to third parties (for example credit reference agencies, public directories)
12. Service usage

6. Processing Operations
The subject matter of the Processing of the Personal Data:
The Data Processor will host, and process Service Data and User Data constituting Personal Data, obtained by the Data Controller or third-party using the Service, while providing and as a technical prerequisite for the Data Processor to provide the Service to the Data Controller and its Users.
The Data Processor processes Personal Data on behalf on the Data Controller for the following purposes:

(a) To provide and administrate the Service, including to ensure necessary performance of functionality of the Service including to ensure the security of the Service and Service Entities (including the Data Controller’s properties),
(b) To collect and store Personal Data for Data Controller’s authorizations, permissions, and user roles, and otherwise to ascertain the Data Controller’s contractual obligations towards its Users.
I For billing and payment purposes.
(d) To collect and keep statistics and optimize the Data Controller’s and its Users’ use of the Service and Service Entities.
I To ensure communication in relation to the Service, Users and Service Entities.
(f) To perform necessary log/register maintenance and to comply with legal requirements.
(g) To detect and prevent use of the Service that is in violation of law or the terms and conditions for the Service, including to investigate, prevent, or act on illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of agreement.
(h) To comply with legal obligations.
(i) To establish and defend legal claims.
(j) To response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Length of keeping Personal Data during Processing Operations:
Data Processor shall only collect and process Personal Data for as long as the Data Controller is an active customer of the Data Processor, or for as long as needed for the Data Controller to perform its contractual obligations to its Users, to comply with legal obligations, to resolve disputes, to preserve legal rights, or to enforce agreements.
The Data Processor shall only retain service and user data constituting Personal Data for reasons described in (a) – (j) above.
Return and destruction of Personal Data upon termination of Subscription Agreement
Upon the Data Controller’s written request, the Data Processor will; (a) permit the Data Controller to export its Personal Data, and (b) manually delete or anonymize all Personal Data in accordance with the capabilities of the Service in accordance with GDPR Article 28(3)(g). Please note that data may be retained longer for reasons described herein, but then such data will be kept in an aggregated and anonymized way.

7. Restrictions
Processing shall take place exclusively within the European Union or in another contracting state of the agreement of the EEA.
Any transfer of Personal Data outside of the EEA requires the prior approval of the Data Controller and shall be in accordance with the DPA and relevant parts of the GDPR.

8. Contact Details
For Personal Data queries arising from or in connection with this Processing and this DPA, the Controller and Data Subjects shall contact the following:
DATA PROCESSOR:
COMLINK AB (Co. reg. no. 556514-0190)
Adress: Energigatan 10B, SE-434 37 Kungsbacka, Sweden
Web: www.comlinksweden.com
Email: info@comlink.se
Tel: +46 (0)31-208600
Appointed Contact person Peder Kierkemann
Email: peder@comlink.se
Tel: +46 31-208600

***

Exhibit B to DPA

Data Security Standards

(Version 1:2023)


This Data Security Standard policy (Policy) sets forth Comlink AB’s (Comlink) technical and organizational security measures for the processing of Service Data and Personal Data to ensure a level of security appropriate to risks (Security Standards). These Security Standards apply to all Personal Data that Comlink receives and process using the Comlink operated services (Service) and Comlink’s App.
Terms defined in the DPA shall have the same meaning in this Exhibit.

1. Physical Access Controls
The Data Processor shall take reasonable measures to;

(a) prevent physical access, such as security personnel and secured buildings, and
(b) prevent unauthorized persons from gaining access to Personal Data or ensure third parties operating data centres on its behalf are adhering to such controls.

2. System Access Controls
The Data Processor shall take reasonable measures to prevent Personal Data from being used without authorization. These measures shall vary based on the nature of the Processing undertaken and may include, among other;

(a) controls,
(b) authentication via passwords and/or two-factor authentication,
(c) documented authorization processes,
(d) documented change management processes, and/or,
(e) logging of access on several levels.

All access is logged and audited for suspicious/anomalous behaviour.

3. Data Access Controls
The Data Processor shall take reasonable measures to provide that;

(a) Personal Data is accessible and manageable only by properly authorized staff,
(b) direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and
(c) Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.

4. Transmission Controls
The Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

5. Input Controls
The Data Processor shall take use commercial best efforts to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed.
The Data Processor shall take reasonable measures to ensure that;

(a) the Personal Data source is under the control of the Data Controller; and
(b) Personal Data integrated into the Service is managed by secured transmission from the Data Controller for interactions with Data Processor’s User Interface (“UI”) or Application Programming Interface (“API”).

6. Data Backup
Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss. Comlink has established procedures for recovery of data.

7. Logical Separation
Personal (Service) Data from different data controller’s and their respective users is logically segregated on systems managed by the Data Processor to ensure that Personal Data that is collected by different data controllers is segregated from one another.

***

Exhibit C to DPA

Joint Data Controller Agreement

(Version 1:2023)


Notice:
This Joint Data Controller Agreement (“JDCA”) shall apply to each data controller (each delegating data controller) who is using a subscribed (licensed) service (SaaS) and who also to another data controller delegates access and shared use of cloud entities within the service, or part thereof, being joint data controllers jointly determining the purposes and means of processing of (same) personal data, pursuant to Article 26 of the EU General Data Protection Regulation 2016/679 (GDPR). In the event there is no such joint data control this JDCA shall not apply.
It is specifically noted that a Partner to Comlink, admitted to and identifiable as a Partner under Comlink’s Partner Program, shall not, unless specifically accepted and as specified by a Partner, be bound by this JDCA and each Partner will, and is under an obligation to under the Partner Program, to have its own set of terms and conditions for collection and handling of personal data in relation to Partner’s customers and other providers. In other words, Comlink has no liability for Partner’s activities and legal relationships in relation to GDPR and the Partner’s customers.
This JDCA defines the relationship between two joint data controllers and creates the legal framework for the joint data controllers in a manner compliant with GDPR. This JDCA determines the joint data controllers’ respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information.
By accepting this JDCA the Joint Data Controllers (the delegating joint data controller and the data controller being delegated to) are unconditionally consenting to be bound by and is becoming parties to this JDCA.
By delegation of a Cloud Entity the delegating Data Controller and the third party data controller being delegated to (receiver) are automatically becoming Joint Data Controllers under GDPR regarding the Personal Data related to the shared Cloud Entity, and also the JDCA accepted by the Joint Data Controllers shall come into full effect and shall apply between the Joint Data Controllers. The JDCA can be terminated at any time; by the delegating Data Controller by retracting the delegation, or by the receiving data controller by deleting the Cloud Entity from the receiving account.
In connection with an audit or a complaint or part of a complaint by a data subject, the joint data controllers must notify the essence of or provide access to this JDCA as in effect between the joint data controllers.
Should European Parliament and/or the Council pass new regulations and/or issue any guidelines which contains terms that conflict with those used in this JDCA, such terms in this JDCA shall be changed or otherwise interpreted and applied strictly in accordance with any such new regulation and guideline.
Definitions
All capitalized terms used in this JDCA shall have the meanings given to them below:
“Cloud Entity” means entities added to the Data Controller’s account to which Personal Data may be associated and/or processed.
“Data Controller” has the meaning given in GDPR (and, for the purpose of this DPA, means the party licensing and using the Service).
“Data Processor” has the meaning given in GDPR (and, for the purposes of this JDCA, Comlink AB, co. reg. no. 556514-0190, Energigatan 10B, SE-434 37 Kungsbacka, Sweden).
“Data Security Breach” means accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access of Personal Data.
“Data Subject” means an individual who is the subject of Personal Data.
“DPA” means the Data Processing and Data Security Agreement together with its annexes, as supplemented and amended from time to time, as in effect between each of the Joint Data Controllers and the Data Processor.
“EEA” means the European Economic Area.
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each member state and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
“GDPR” means EU General Data Protection Regulation 2016/679.
“JDCA” means this joint data controller agreement between the Data Controller and each third part data controller (who is also bound by the DPA), creating the legal framework between such Joint Data Controllers for delegated access to and shared use of Cloud Entities and the joint use and processing of (same) Personal Data.
“Joint Data Controller” has the meaning given in GDPR (and, for the purposes of this JDCA, the Data Controller and such third party (each a joint data controller) that under an arrangement are jointly determining the purposes and means of Processing of Personal Data in and for the Service).
“Personal Data” means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service” means the Data Processor’s proprietary Software-as-a-Service and (as applicable) Cloud Sourcing services that are ordered by Data Controller through a link or via an order form and made available online by Data Processor, via the applicable subscriber login link and other web pages designated by Data Processor or Data Processor’s reseller/channel partner.
“Subscription Agreement” means the agreement and terms and conditions under which the Data Controller is subscribing and granted licensing rights to use the Service.
“Supervisory Authority” means any Data Protection Supervisory Authority with competence over Data Controller, Joint Controllers, Data Processor and any sub-processor Processing of Personal Data.

1. General Terms and Conditions
1.1 Subject to GDPR Article 26, where two or more Data Controllers jointly determine the purposes and means of Processing, they shall be Joint Data Controllers.
1.2 Joint Data Controllers shall determine their respective responsibilities for compliance with the obligations under GDPR, in particular as regards the exercising of the rights of the Data Subject and their respective duties to provide the information referred to in GDPR Articles 13 and 14, by means of an arrangement between the Joint Data Controllers unless, and in so far as, the respective responsibilities of the controllers are determined by Union or member state law to which the controllers are subject.
1.3 The arrangement referred to in Clause 1.2 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
1.4 Irrespective of the terms of the arrangement between the Joint Data Controllers, the data subject may exercise his or her rights under GDPR in respect of and against each of the Joint controllers.
1.5 The ‘internal’ distribution of responsibilities in the Joint Data Controller arrangement does not prevent the supervisory authority from exercising its powers vis-à-vis each of the Joint Data Controllers.

2. General distribution of responsibilities and liabilities
2.1 The Joint Data Controllers agree that in connection with the use of the Service and Personal Data, they are Joint Data Controllers. The assessment shall consider:

(a) All relevant Data Subjects that the Joint Data Controllers have access to and use for the Service and Personal Data
(b) In connection with the Joint Data Controllers’ access to the Service and Personal Data, they have access to Personal Data of all relevant Data Subjects.

2.2 The Joint Data Controllers agree on the following joint rules and guidelines for the Joint Data Controllers’ use of the Personal Data, including, as applicable, access restrictions for certain types of Personal Data.
2.3 The Joint Data Controllers acknowledge that they are bound by the DPA and that they have accepted the Data Processor (Comlink AB) for Processing of the Joint Data Controllers’ Personal Data.
2.4 The Joint Data Controllers shall each have one designated contact point for Data Subjects, always provided that Data Subjects can exercise their rights under the GDPR vis-à-vis each individual Joint Data Controller.
2.5 The Joint Data Controllers are each responsible for the Data Subjects with whom the individual Joint Data Controller collects Personal Data, including the responsibility to inform the Data Subject of the Processing and the rights of the Data Subject;

(a) to ensure that the necessary authority exists for the Processing of the registered Personal Data, including the obtaining of consent, and
(b) that Personal Data is erased when they are no longer necessary.

2.6 Each Joint Data Controller who obtains specific data from sources other than the Data Subject is responsible for informing the Data Subject accordingly.

3. Principles and authority to process data
3.1 Each Joint Data Controller who obtains specific or sensitive data is responsible for ensuring that there is a valid legal ground for Processing and for documenting this to both Supervisory Authority and the Data Subject.
3.2 Each Joint Data Controller is responsible for compliance with the principles for the Processing, insofar as the rules apply to the individual Joint Data Controller’s areas of responsibilities.

4. Rights of the Data Subjects
4.1 Each Joint Data Controller is responsible for ensuring the rights of the Data Subjects in accordance with the provisions of the GDPR, this JDCA and the DPA, including but not limited to;

(a) duty of disclosure when collecting Personal Data from the Data Subject,
(b) duty of disclosure if Personal Data are not collected from the Data Subject,
(c) right of access by the Data Subject,
(d) right to rectification,
(e) right to erasure (the right to be forgotten),
(f) right to restriction of Processing,
(g) notification obligation regarding rectification or erasure of Personal Data or restriction of Processing,
(h) right to data portability (but not for public authorities), and
(i) right to object to Processing.

4.2 If one of the Joint Data Controllers receives a request or inquiry from a Data Subject regarding matters covered by another Joint Data Controller’s responsibilities, see above, the request is forwarded to such Joint Data Controller without undue delay.
4.3 Each Joint Data Controller is responsible for assisting each other to the extent this is relevant and necessary in order for both parties to comply with their obligations to the Data Subjects.

5. Security of processing and proof of compliance with the GDPR
5.1 Considering the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, each Joint Data Controller must implement appropriate technical and organisational measures and appropriate data protection policies to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR, DPA and the JDCA. Those measures must be reviewed and updated where necessary (GDPR Article 24). Each Joint Data Controller must have appropriate procedures for the handling of security breaches, requests for access and compliance with the duty of disclosure, in accordance with the GDPR, DPA and the JDCA.
5.2 The Joint Data Controllers are jointly responsible for compliance with the provision on data protection by design and by default in GDPR Article 25.
5.3 Each Data Controller is responsible for compliance with the requirement for security of Processing in GDPR Article 32. This involves that, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Joint Data Controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Consequently, each Joint Data Controller must make (and be able to document) a risk assessment, and subsequently implement measures to mitigate the risks identified.

6. Use of Data Processors and Sub-Processors
The Data Controllers shall not be entitled to use other data processors and/or sub-processors than the Data Processor in connection with the use of the Service.

7. Record
7.1 Each Joint Data Controller is responsible for compliance with the requirement for records of Processing activities in GDPR Article 30. Each Joint Data Controller shall prepare records of the Processing activities, for which the parties are Joint Data Controllers.
7.2 The Joint Data Controllers shall inform each other about the contents of the above records.
7.3 On the basis of the contents of each other’s records, each Joint Data Controller shall prepare their own records of the Processing activities covered by this JDCA and the DPA.

8. Notification of a Personal Data Breach to the Supervisory Authority
8.1 Each Joint Data Controller is responsible for compliance with GDPR Article 33 on notification of a Personal Data breach to the Supervisory Authority.
8.2 The Joint Data Controller with whom a Personal Data Breach was committed or from whom the reason for the breach originates is responsible for notifying the Personal Data Breach to the Supervisory Authority.
8.3 Immediately after having become aware of a Data Security Breach, the Joint Data Controller must inform the other Joint Data Controller of the breach. The other Joint Data Controller must be kept informed of the process after the discovery of the Personal Data breach and will receive a copy of the notification to the Supervisory Authority.
8.4 If the reason for the breach is not immediately attributable to one of the Joint Data Controllers, the (delegating) Data Controller is responsible for notifying the Data Security Breach to the Supervisory Authority.

9. Communication of a Personal Data Breach to the Data Subject
9.1 Each Joint Data Controller is responsible for compliance with GDPR Article 34 on communication of a Personal Data breach to the Data Subject.
9.2 If a Personal Data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Joint Data Controller with whom the Personal Data Breach was committed, or from whom the reason for the breach originates is responsible for communicating the Personal Data Breach to the Data Subjects affected.
9.3 If the reason for a Personal Data Breach is not directly attributable to one of the Joint Data Controllers, and the breach is likely to result in a high risk to the rights and freedoms of natural persons, (original) Data Controller (being party to the DPA) is responsible for communicating the Personal Data Breach to Data Subjects affected.

10. Data protection impact assessment and prior consultation
10.1 Each Joint Data Controller is responsible for compliance with the requirement in GDPR Article 35 on data protection impact assessment. Where a type of Processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the Processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Joint Data Controllers must, prior to the Processing, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data.
10.2 Likewise, the Joint Data Controllers are obliged to comply with the requirement in GDPR Article 36 on prior consultation of the Supervisory Authority when this is relevant.

11. Transfers of Personal Data to third countries or international organisations
11.1 The Joint Data Controllers may decide that Personal Data can be transferred to third countries or international organisations.
11.2 Each Joint Data Controllers are responsible for compliance with the requirements in GDPR Chapter V if Personal Data are transferred to third countries or international organisations.
11.3 Each Joint Data Controller is responsible for its own Personal Data transfers to third countries, including for ensuring that a legal basis for transfer exists and that GDPR Chapter V has been observed.

12. Complaints
12.1 Each Data Controller is responsible for the handling of any complaints from Data Subjects if the complaints relate to the infringement of provisions in the GDPR, for which the Data Controller is responsible as given by this JDCA.
12.2 If one of the Joint Data Controllers receives a complaint which should rightfully be handled by the other Joint Data Controller, the complaint is forwarded to such Joint Data Controller without undue delay.
12.3 If one of the Joint Data Controllers receives a complaint, part of which should rightfully be handled by the other Joint Data Controller, such part is forwarded for reply by the Joint Data Controller without undue delay.
12.4 In connection with the forwarding of a complaint or part of a complaint to the other Joint Data Controller, the Data Subject must be notified about the essence of this JDCA between the Joint Data Controllers.
12.5 Generally, the Joint Data Controllers inform each other about all complaints received.

13. Information of the other parties
The Joint Data Controllers shall inform each other about matters of the essence to the joint Processing, this JDCA and the DPA.

14. Commencement and Termination
14.1 The JDCA (agreement) shall enter into force at the time of both Joint Data Controllers’ acceptance by means acceptable to the parties.
14.2 The JDCA shall be in force as long as relevant Personal Data for the Cloud Entity is being jointly processed, or until the arrangement is replaced by a new arrangement determining the distribution of responsibilities in connection with Processing.
14.3 The JDCA is terminated either by the delegating Data Controller by retracting the delegation or recipient by deleting the Cloud Entity from their account.

15. Governing law and jurisdiction
15.1 This JDCA (agreement) shall be governed by the laws of the country within the EEA where the delegating Data Controller is registered or incorporated, and in the absence of such country the substantive laws of Sweden shall apply, and the parties irrevocably submit to the exclusive jurisdiction of the courts of such jurisdiction and any court of appeal therefrom.
15.2 For the avoidance of doubt, this Clause 15 shall not be construed or interpreted as limiting Data Subjects rights to enforce their rights under the GDPR, such as to bring actions in other jurisdictions.

***

Policy on Privacy and Personal Data Processing

(Version 1:2023)


Privacy in personal data processing is paramount to Comlink AB. Therefore, we strive towards maintaining a high level of data security. This document describes our policy, what personal data we collect and how we use it within our Service. The policy also includes your rights and how you can use them.

Please feel free to contact us anytime when you have questions about how we process your personal data. Our contact information is at the end of this text.

What is personal data, and what does processing personal data involve?
Everything that can directly or indirectly be attributable to a living, natural person is covered by the term personal data. This involves more than simply name and personal identity number, including images and email addresses.

Processing personal data involves everything that is done to your personal data in an electronic processing system, whether this involves using mobile units or computers. This includes collecting, registration, structuring, storing, processing, and transferring any information. In certain instances, processing may also involve actions taken outside a digital system. This applies to using a registry.

GDPR roles and how they apply within our Service
Data Controller
All ”Users” of the Service (entity or person) that register for accounts in our Service in accordance with the ”General Terms of Service” GTS and ”Data Processing and Data Security Agreement” DPA. These terms, which may be changed from time to time, are available for review at https://www.comlinksweden.com/terms/
These Users determines the purpose of the processing of personal data and how the data is processed in the Service. Data Controller is responsible for obtaining consent from Data Subjects.
Joint Data Controller
Users can share access to “Devices” (Physical hardware which is connected to and administrated in our Service) with other Users. They thereby become Joint Data Controllers and enter into a Joint Data Controller Agreement which is integrated as part of the Data Processing and Data Security Agreement.
Data Processor
Comlink AB is the processor of personal data (Comlink AB, CRN. 556514-0190, Energigatan 10B, 434 37 Kungsbacka, Sweden).
Data Subject
Users may store information about individuals (Data Subjects) which are thereby granted limited (non admin) access to a Device. This data is generally limited to name, phone number and email address. No sensitive (special category) data may be stored within the Service.

What personal data do we collect about you, and why?
Data Controller
Users of the Service register for an account and we process the relevant personal data such as name, email address, phone number, company, address, zip-code, city, country, selected language, and owned Devices. We also process Data Controller interactions with the Service.
Data Subjects
We primarily process name, email address and phone number of Data Subjects. We also process the Data Subjects interactions with Devices along with timestamp of the event.

We process personal data for the purpose of providing the agreed services and products to the User. We will also process personal data to manage and administer our relationship with the User.

Comlink AB always processes personal data in compliance with applicable laws. We process personal data when necessary to fulfil our obligations under a contract for the Service, respond to your request for service, or when we have another legitimate and justified interest in processing your personal data, such as to inform you about changes in the Service.

The lawful basis for us to process personal data is User’s explicit consent (when registering for User account) and on the following lawful bases:
Performance of contract
• Provision of the Service (administratively and electronically) and supporting the Service (such as keeping statistics, optimizing, uphold safety and security relating to the Service and to comply with legal requirements).
• Billing and payment processes.
• Establish and defend legal claims.
• To ensure the security of our services and products, to detect and prevent use of the Service that is in violation of law or the terms and conditions for the Service. We also process data to prevent abuse of the Service, and to detect and prevent fraud, virus attacks etc.
Compliance with legal obligation
• To ensure the security of our services and products, to detect and prevent use of the Service that is in violation of law or the terms and conditions for the Service. We also process data to prevent abuse of the Service and subscriptions, and to detect and prevent fraud, virus attacks etc.
• To meet our obligations under law, for example the Swedish Bookkeeping Act, and to response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Legitimate interest
• To ensure necessary performance of functionality of the Service, to do technical enhancements and for improving the standard of the Service and security, to collect statistics for the Service, and to perform necessary log/register maintenance.
• To ensure adequate and correct communication with the User in relation to the Service subscriptions. Communication calls, emails, and customer support online with our customer support may be recorded, analysed, and stored to train our employees and improve our ways of working.
User consent
• To ensure adequate and correct communication with the User in relation to the Service subscriptions. Communication calls, emails, and customer support may be recorded, analysed, and stored to train our employees and improve our ways of working.
• Processing of different types of data to market our products and services. For this purpose, we may also compile statistics for analysis.

We follow generally accepted standards to protect the personal data submitted to us, both during transmission and once it is received and stored. These security and privacy practices, including how we protect, collect, and use electronic data, text, messages, communications, or other materials submitted to and stored within the Service are found in our applicable Data Security Standards in the DPA.
Below is more detailed information on what data is collected and what it is used for.

What sources do we retrieve personal data from?
User account information
We collect and process personal data when User registers for a User account to access or utilize our Service.
Using the Service, Device transaction data and other statistics
While using our Service the Service collects information about Device operations or whatever operation that may be available from such an operation. This information belongs to and is controlled by the User which enables the operation.
We may also collect anonymous usage statistics to be used solely by us to improve the Service and to find and fix problems and for improving safety and security when using the Service. We may also use mobile analytics software to allow us to better understand the functionality of our mobile versions of the App and the Service on mobile devices. This mobile analytics software may record information such as how often the App, the events that occur within the App, aggregated usage, performance data, and where the application was downloaded from.
We do not link any information that we store as usage statistics to any personally identifiable information that is submitted for the mobile application.
Location data
You may choose to activate location data in the mobile device to use the App to locate position (GPS positioning and Beacons) in relation to Service. The Service will then request permission to use the location for displaying Devices, but the Service does not (itself) process and store this location data, and as such this location data is not included in the Service, not covered by this policy.
The Service also use Device location data within the Service. Such location data is a special functionality or configuration to the Service and Devices. The location data together with the geographical position of a Device will indicate performed operations at a certain time at a certain geographical place. Such location data is included in the Service and will be stored in the Service related to Devices and as such covered by this Policy and our responsibility.
App
When registering an App and downloading the App to a mobile device, the Service automatically collects information on the type of mobile device, and the operating Service version.
Other
As for most websites and services delivered over the Internet, we gather certain information and stores it in log files while interacting with our websites and Service. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, searched information, locale and language preferences, identification numbers associated with Devices, mobile carrier, and system configuration information. Occasionally, we connect personal data to information gathered in our log files as necessary to improve our Websites and the Service. In such a case, we will treat the combined information in accordance with this Policy.

Who do we share your personal data with?
Data Subprocessor
In certain situations, it may become necessary for us to hire a third party to perform some of our processing. For example, this may be when we hire various IT service providers to provide, for example, hosting for and maintenance of the Service, App development, backup, storage, payment processing, analytics, and other services for us. These third-party service providers may have access to or process personal data for the purpose of providing services to us. These parties are considered personal data subprocessors for us. An updated list of subprocessors is available at

Comlink AB is liable to enter contracts with all our personal data subprocessors and provide them with instructions regarding how they may process personal data. We naturally check to ensure that all our personal data subprocessors can provide sufficient guarantees regarding security and confidentiality of your personal data.

When we hire a personal data subprocessor, we do this only in full compliance with the purposes for which we process such data ourselves.

Personal information related to User account and Service operation will, as a technical necessity, be automatically shared with the User and its designated administrators, for the purpose of administering the Service and the subscription to the Service.
We do not permit any third-party to use personal data for marketing purposes or for any other purpose than in connection with the services they provide to us.
In certain situations, we may be required to disclose personal data, or specific operation data, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose such data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information to the extent necessary to investigate, prevent, or act regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our applicable subscription/license agreements, or as otherwise required by law.
We may also share personal data with other third parties when we have consent to do so.

Where is your personal data stored?
Personal data in the Service is processed and stored in in data-centres located Sweden.

All communication and transfer of personal data to and from the data-centres is encrypted. We use best practices in terms of encryption and security.

An updated list of data-centres is available at https://www.comlinksweden.com/terms/.

How long do we save your personal data?
We only collect and process personal data for as long as needed for us to perform our contractual obligations to User, to comply with legal obligations, to resolve disputes, to preserve legal rights, or to enforce agreements.

We never save your personal data for longer than necessary for the purpose at hand. We have instituted clearing procedures to ensure that personal data is not stored longer than necessary for each specific purpose. The length of time this involves varies depending on the purpose for the processing. Certain bookkeeping data are required by law to be saved for seven years.

Once an User account is terminated, we will automatically delete or anonymize all personal data within 3 months from account-closure in accordance with the capabilities of the Service in accordance with GDPR Article 28(3)(g). Please note that data may be retained longer for reasons described herein, but then such data will be kept in an aggregated and anonymized way.

How do we process your personal identity number?
We avoid processing personal identity numbers to the extent possible. Regarding processing of personal identity numbers, such as the corporate registration number for sole traders, this is necessary when such companies are customers, since the registration number is the same as the sole trader’s personal identity number.

Security breach?
We have implemented and maintains appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a Data Security Breach), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected, including data security consistent with our applicable Data Security Standards in the DPA.

To report a Data Security Breach, please contact us at info@comlink.se or by phone at: +46 (0) 31-208600.

What are your rights regarding registered information?
When you are recorded in a registry, you have several legally enforceable rights. The procedures available to you in enforcing these rights are described in the paragraph below headed ‘Exercising your rights.’ Here, we list the rights you have relating to registered data.
Right to registry extract (Right of access)
If you want to know what personal data of yours that we process, you can request access to the data. When you submit such a request, we may ask you several questions to ensure efficient handling of your request. We will also take measures to ensure the information is requested by and provided to the right person.
Right of rectification
If you find an error in your data, you have the right to request that it be corrected. You may also supplement any incomplete personal data.
In certain instances, you can make the corrections yourself, in which case we will inform you.

Right to erasure
You can request that we erase the personal data about you that we process, including:

• Data that is no longer necessary for the purposes for which they are processed.
• You object to the balancing of interests we have made regarding our legitimate interest, where your reasons for objecting weigh greater than our legitimate interest.
• Personal data is being processed illegally.
• The personal data has been collected regarding a child (less than 13 years) for whom you have parental responsibility.
• If the data was obtained based on your consent and you want to rescind that consent.

However, we may have the right to deny your request when legal duties prevent us from immediately erasing certain portions of your personal data. We may also be required to process such information to be able to establish, pursue, or defend a legal claim.
If we are prevented from erasing your personal data, we will block that data from being able to be used for other purposes than those preventing their erasure.

Right to restriction
You have the right to request that our processing of your personal data be restricted. If you object to the factual correctness of the personal data that we process, you may request restriction to that processing for the period we need to ensure that the personal data is correct.

If, and when, we no longer need your personal data for the established purposes, our normal procedure is to delete them. If you require them to be able to establish, pursue, or defend a legal claim, you may request restrictions to our processing of your personal data. This means that you can request that we do not delete and erase your data.
If you have objected to a balancing of legitimate interests that we have made as legal grounds for a purpose, you may request restriction to that processing for the period we need to ensure that our legitimate interest weighs greater than your interests in having the data erased.

If the processing has been restricted as provided in any of the situations described above, we may, in addition to simply storing that data, only process them to establish, pursue, or defend a legal claim, to protect the rights of a third party, or where you have issued your consent.
Right to object certain types of processing
At all times, you have a right to object to all processing of your personal data that relies on a balancing of interest. You also have the right to stop their use for direct marketing.
Right to data portability
As the person registered, you have the right to data portability if our right to process your personal data relies on either your consent or fulfilment of a contract with you. A prerequisite for data portability is that the transfer is technically possible and can be done automatically.
Exercising your rights
Your request for a registry extract, or your demand to invoke any of your other rights, shall be made in writing with your handwritten signature. We will respond to your request without undue delay, or not later than within 30 days. Email your request to info@comlink.se. The email shall, to the extent possible, be sent from the email address you are registered with at Comlink AB.

Cookies and why we use them
We use cookies for our website and Service. According to the Electronic Communications Act, all those visiting a website with cookies shall be given access to information that the website contains cookies and the purpose of these. The user shall also be given the opportunity to consent to cookies being saved on the computer. We use two types of cookie. Persistent cookies, which are a text file stored on your computer, and session cookies, which are only stored temporarily and disappear when the user shuts down the web browser. We use these two types of cookie to both optimize the functionality of the Website and Service and to be able to analyze statistics so that we will be able to provide the best possible service and offers in its contact with the user. In order to be given access to the Service, it is necessary for the user to approve our use of cookies. By using the Service, the user consents to us using cookies in order to offer the Service and the best possible experience to the user.

Supervisory Authority
You have the right to complain to a Data Protection Authority about our collection and use of personal data. For more information, please contact your local data protection authority in the EEA.
If you are in Sweden, you may complain to Integritetsmyndigheten (imy.se).

Will this Policy change?
Should European Parliament and/or the Council pass new regulations and/or issue any guidelines which contains terms that conflict with those used in this Policy, we reserve the right to change this policy from time to time to make it compliant with any such new legislation or guideline.
The latest version of our privacy policy is always available at our website https://www.comlinksweden.com/terms/.

Contact us when you have any question about how we process personal data!
Our data protection representative is Peder Kierkemann. If you have any question about how we process personal data, or you want to request to invoke your rights as detailed above, you are always welcome to contact us at: info@comlink.se or by phone at: +46 (0) 31-208600.

Conflict Minerals Sourcing Policy

(Version 1:2019)


Conflict minerals are defined by the SEC as columbite-tantalite (coltan), cassiterite, gold, wolframite, or their derivatives, which are limited to tantalum, tin, gold and tungsten. Conflict minerals originating in the Democratic Republic of the Congo (“DRC”) or an adjoining country, collectively defined as the “Covered Countries” may sometimes be mined and sold, “under the control of armed groups”, to “finance conflict characterized by extreme levels of violence”. Some of these minerals can make their way into the supply chains of the products used around the world, including those in the electronics industry.

Comlink AB’s suppliers acquire and use conflict minerals from multiple sources worldwide. As part of Comlink AB’s commitment to corporate responsibility and respecting human rights in our own operations and in our global supply chain, it is Comlink AB’s goal to use tantalum, tin, tungsten and gold in our products that do not directly or indirectly finance or benefit armed groups in the Covered Countries while continuing to support responsible mineral sourcing in the region. Comlink AB expects our suppliers to have in place policies and due diligence measures that will enable us to reasonably assure that products and components supplied to us containing conflict minerals are DRC conflict free.

Comlink AB expects our suppliers to comply with the EICC Code of Conduct and conduct their business in alignment with Comlink AB’s supply chain responsibility expectations.

In support of this policy, Comlink AB will:

–  Exercise due diligence with relevant suppliers consistent with the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas and encourage our suppliers to do likewise with their suppliers.

–  Provide, and expect our suppliers to cooperate in providing, due diligence information to confirm the tantalum, tin, tungsten and gold in our supply chain are conflict free.

–  Collaborate with our suppliers and others on industry-wide solutions to enable products that are DRC conflict free. Commit to transparency in the implementation of this policy by making available reports on our progress to relevant stakeholders and the public.

For questions and further information, please contact:

Comlink AB
Energigatan 10B
434 37 Kungsbacka
Sweden
+46 (0)31 208600

Subprocessor list


 

Name Activity Country where processing is performed
Oderland AB Hosting provider Sweden