Arrangements for joint personal data responsibility
This arrangement on joint personal data responsibility (the "Arrangement") regulates the joint personal data responsibility that applies between a customer who has entered into a framework agreement on booking assignments (the "Customer") with Avisita AB ("Avisita").
The parties above are hereinafter jointly referred to as the "Parties" and individually as a "Party".
1. Scope of the Arrangement
1.1 This Arrangement describes the Parties' joint personal data responsibility that applies when the Customer uses Avisita's customer portal.
1.2 The Parties are jointly responsible for the processing that takes place in or is shared to Avisita's customer portal. In the customer portal, the following categories of personal data may be processed: name, social security number, address, telephone number, professional role, membership number, information about the individual's journey and information about special preferences.
2. Respective responsibilities of the Parties
2.1 Avisita is responsible for:
a) having the main responsibility for the customer portal and that technical and organizational security measures are taken in relation to the customer portal in accordance with GDPR Article 32;
b) engaging any data processors who process personal data in the customer portal, including ensuring that processor agreements are entered into with them;
c) providing information to data subjects in accordance with GDPR Articles 13 and 14 (including essential parts of this Arrangement); and
d) in the event of a personal data breach, notifying IMY and informing the data subjects in accordance with GDPR Articles 33 and 34.
2.2 The Customer is responsible for:
a) ensuring that its employees take appropriate security measures in relation to its login to the Customer Portal, for example protecting its login details;
b) complying with the framework agreement's wording on the Customer Portal, for example ensuring that information in the Customer Portal is kept up to date; and
c) ensuring that all data subjects are aware of the information text that Avisita produces under section 2.2 b) above.
2.3 Each Party is responsible for complying with the applicable Data Protection Rules and shall specifically:
a) be responsible for its and its employees' inputs and other actions that take place in the Customer Portal and/or are shared to it (e.g. via an API) as well as the processing that the Party instructs the other Party to do, e.g. the Customer is responsible for the processing that the Customer instructs Avisita to do;
b) ensure that its processing of personal data is carried out in accordance with the law, and maintain a register of processing under its responsibility;
c) be the contact point for data subjects and answer their questions regarding the processing of their personal data;
d) in addition to the above, maintain an appropriate level of security for the personal data by implementing all technical and organizational security measures set out in Article 32 of the GDPR; and
e) provide each other with all reasonable support necessary to demonstrate compliance with the Data Protection Rules, including Article 24 of the GDPR.
2.4 The Parties recognize that, notwithstanding the terms of this Arrangement, a data subject may exercise his or her rights under the Data Protection Rules against any Party.
3. Validity period and changes to the Arrangement
3.1 This Arrangement is valid until further notice.
3.2 Avisita may at any time inform the relevant Parties of changes to this Arrangement, for example due to changes in law or Avisita's set-up in the customer portal. Such changes shall take effect thirty (30) days after Avisita has notified the Customer in writing, provided that the Customer has not objected to these changes in writing within the same period.
2024-10-02