Great news!

Our website is available in your market. Do you want to explore our offer in your market or do you want to stay on the current page?

Standard Solutions Group

This data processing agreement including appendices and references ("DPA") forms part of the Agreement between

SSG Standard Solutions Group AB, reg. no. 556403-1523, hereinafter referred to as "SSG", and

The customer who has entered into an agreement with SSG that refers to this Data Processing Agreement, hereinafter referred to as "Customer".

Customer and SSG are hereinafter jointly referred to as "Parties" and separately as "Party".

1. Purpose of this DPA and reference from the SSG General Terms and Conditions

1.1 The parties have one or more concluded agreements, including SSG’s general terms and conditions and appendices (the "Agreement") through which SSG shall provide certain services to the Customer (the "Service"). SSG is primarily the data controller for processing of personal data within the framework of SSG's products and services, including the Service. In exceptional cases, however, SSG acts as a data processor to the Customer as a data controller. This DPA applies only to the processing of personal data that SSG performs as a data processor for Customer as a data controller in connection with the provision of one or more of the Functions as defined below and further described in this DPA.

1.2 By reference to this DPA in the Agreement or in SSG's general terms and conditions, the DPA forms an integral part of the Agreement between the Parties, provided that the Customer purchases one or more of the Features described in this DPA. The DPA is limited to regulating only the processing of personal data carried out by SSG as a data processor to the Customer. If different data processing agreements have been entered into between the Parties, the most recent version drawn up by SSG shall apply. The most recent version of the DPA is the one published on SSG's website. The Parties agree that the most recent version of the DPA shall apply between the Parties and replace any existing data processing agreements on the processing of Relevant Personal Data (as defined below) that the Parties may have previously entered into.

1.3 Upon Customer's written request, the Parties may enter into a digitally signed version of the most recent version of this DPA.

2. Definitions

2.1 The terms "Data Controller", "Data Processor", "Personal Data", "Data Subject" and other terms in this DPA shall be interpreted and applied in accordance with the GDPR, unless otherwise described herein.

2.2 The following terms shall have the following meanings in this DPA.

Applicable Law” means the laws applicable to the processing of Relevant Personal Data under this DPA, such as the General Data Protection Regulation (EU 2016/679) ("GDPR") and the Swedish act (2018:218) with supplementary provisions to the GDPR.

Data Controller” means the Customer, which determines the purposes and means of processing Relevant Personal Data in the Features.

Data Processor” means SSG, which processes personal data on behalf of the Customer when providing the Features.

Data Subject” means the individual(s) to whom Relevant Personal Data refers.

DPA” means this Data Processing Agreement between SSG and the Customer.

"Feature"/"Features" means those parts of SSG's services described in the Instruction, in which SSG as Data Processor processes Relevant Personal Data on behalf of the Data Controller.

Instruction” means the instruction in Appendix 1 from the Customer as the Data Controller to SSG as the Data Processor to process Relevant Personal Data in the Features.

Relevant Personal Data” means the personal data specified in the Instruction relating to Data Subjects that are processed by SSG as Data Processor for the Customer to provide the Features.

3. SSG as a data processor and applicability

3.1 The Customer is the data controller and SSG is the data processor only for the processing of Relevant Personal Data in the Features as explicitly described in this DPA.

3.2 Appendix 1 constitutes the Instruction from the Customer to SSG to process personal data in the Features in accordance with the DPA. The provisions of the DPA shall only apply to the personal data processing carried out by SSG as data processor for the Customer in order to provide the Features as described herein, not to any other part of the Parties' agreements and interactions. When interpreting the DPA, the commitments, obligations, and rights of a Party shall be deemed to be applicable only to the Feature provided and the Relevant Personal Data.

3.3 For the avoidance of doubt, with the exception of the Features, SSG is the data controller of the personal data processing carried out by SSG in SSG’s services. This includes, inter alia, personal data about end-users of the services and other parts of SSG's services (including the Service as defined in the Agreement). Such personal data processing is subject to SSG's privacy policy, which is updated from time to time and published on SSG's website. Please visit https://www.ssgsolutions.com/about-ssg/privacy to read the privacy policy.

4. Processing of Relevant Personal Data in the Features

4.1 SSG shall provide one or more of the Features to the Customer in conjunction with provision of the overall Service, to the extent and in the manner described in the Agreement. Processing of Relevant Personal Data in the Features is described in detail in the Instruction. The DPA shall apply only to the processing of Relevant Personal Data carried out by SSG for the Customer in provision of the Features.

4.2 SSG shall notify the Customer if SSG believes that an instruction from the Customer regarding Relevant Personal Data violates Applicable Law. SSG shall comply with the Customer's additional instructions provided that they are legally required, technically feasible, reasonable and do not require any changes to the Features. If SSG is unable to comply with an additional instruction, it shall immediately notify the Customer.

4.3 In processing Relevant Personal Data, SSG shall comply with Applicable Law, which shall be interpreted in all respects in accordance with the functionality of the Features provided by SSG.

4.4 SSG shall assist the Customer with appropriate technical and organisational measures, taking into account the nature of the processing and insofar as this is possible, to enable the Customer to comply with its obligations regarding data subjects' rights under Chapter III GDPR. SSG undertakes to assist the Customer following reasonable written instructions from the Customer on a case-by-case basis.

4.5 At the Customer's request, SSG shall assist the Customer in ensuring compliance with the obligations under Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to SSG.

4.6 SSG is entitled to reasonable compensation from the Customer for any work or action carried out specifically for the Customer under this DPA or carried out on the Customer's instructions, for example in relation to the fulfilment of SSG's obligations as a data processor under Articles 32-36 GDPR.

5. Security and confidentiality

5.1 SSG shall implement and maintain appropriate technical and organisational measures as instructed by the Customer and take the measures required pursuant to Article 32 of the GDPR. SSG is expressly allowed by the Customer to implement and maintain alternative measures that achieve an equivalent or higher level of security than instructed by the Customer.

5.2 The Customer acknowledges and agrees that Relevant Personal Data may be published or shared by SSG in the context of the provision of the Features. SSG shall, where appropriate, endeavour to ensure that Relevant Personal Data are handled confidentially, and that access is limited to only those employees who need access to perform their duties. SSG shall ensure that employees who are involved in the processing of Relevant Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Audit

6.1 SSG shall grant the Customer access to the information which is reasonably necessary to enable the Customer to verify compliance with the obligations which follow from Article 28 of the GDPR and to enable and assist in audits, including inspections, which are conducted by the Customer or by a reputable auditor authorised by the Customer. SSG shall be entitled to reasonable notice in the event the Customer wishes to exercise its right to conduct an audit or inspection. SSG is entitled to compensation from the Customer for the reasonable costs incurred as a result of such an audit or inspection. The Customer is entitled to audit SSG once a year.

6.2 The information and knowledge obtained by the Customer as a result of the audit carried out under this chapter shall be treated with strict confidentiality and shall be considered as SSG's trade secret. The information and knowledge may not be used for any purpose other than to verify SSG's compliance with Applicable Law. All collected information shall be deleted within one month from the date of the inspection. The Customer acknowledges and agrees that access to server halls and other such premises may not be possible to arrange in certain cases for security reasons, whereby alternative measures shall be discussed between the Parties.

6.3 SSG shall ensure that the competent supervisory authority can carry out an audit in accordance with the provisions of Applicable Law. If access to Relevant Personal Data is requested by authorities, SSG must refer to the Customer without undue delay, unless such reference is prohibited by Applicable Law.

7. Sub-processors

7.1 The Customer acknowledges and agrees that SSG will engage Sub-processors (“Sub-processor”) to fulfil its obligations under the Agreement. Relevant Personal Data will thus also be processed by Sub-processors on behalf of the Customer.

7.2 SSG is currently engaging the Sub-processors listed on the SSG website at the following link: https://www.ssgsolutions.com/about-ssg/privacy/subprocessors. The Customer authorises SSG to use the Sub-processors listed on the website.

7.3 The Customer grants SSG a general authorisation to engage new Sub-processors and replace Sub-processors. SSG will inform the Customer of any plans to engage a new Sub- processor and if an existing Sub-processor is to be replaced, provided that the Customer has chosen to subscribe to such information. In order to subscribe to SSG's information on changes regarding Sub-processors, please visit https://www.ssgsolutions.com/about-ssg/privacy/subprocessors. The Customer acknowledges and agrees that SSG will only send information on Sub-processors to the Customer if the Customer has chosen to subscribe to the information. SSG encourages the Customer to subscribe to the information and to enter an email address linked to a department/function rather than a specific person.

7.4 The Customer has the possibility to object to changes regarding Sub-processors. An objection must be made in writing within fourteen (14) days of SSG sending out the information in accordance with paragraph 3. Objections shall only be made if there are objectively acceptable reasons. If the Customer objects, the Parties shall endeavour to adjust the provision of the relevant Feature in order to remove the objection raised. If such adjustment cannot reasonably be made within thirty (30) days of the objection, or if the adjustment is not commercially reasonable for SSG, either Party may terminate the Feature(s) that cannot be provided without the use of the relevant Sub-processor. The Customer is not entitled to any remedies other than the termination right in this paragraph.

7.5 SSG shall ensure that Sub-processors enter into a written data processing agreement before the Sub-processor processes Relevant Personal Data. Such data processing agreement shall contain the corresponding commitments and obligations that follow from this DPA. If the Sub-processor fails to fulfil its obligations, SSG shall be liable to the Customer for the performance of the Sub-processor's obligations, subject to the limitations set out in the DPA.

7.6 SSG may transfer Relevant Personal Data to third countries, i.e. to countries outside the EU/EEA. Such transfer shall take place in accordance with Applicable Law, for example by entering into the European Commission's standard contractual clauses with Sub-processors processing Relevant Personal Data outside the EU/EEA. The Customer authorises SSG to enter into standard contractual clauses with Sub-processors on the Customer's behalf where applicable.

8. Personal data breach

8.1 Taking into account the nature of processing and the information available to SSG, SSG shall assist the Customer in ensuring that the obligations in relation to any personal data breach relating to Relevant Personal Data can be fulfilled in accordance with Articles 33-34 GDPR.

9. Limitation of liability

9.1 SSG shall in relation to the Customer be liable for damages awarded to Data Subject(s) of the Customer caused by SSG’s or its Sub-processor’s processing of Relevant Personal Data in the Features in violation of the provisions of this DPA and which the Customer is obliged to compensate. The liability of SSG shall not extend to any claim arising from (i) a negligent act or omission of the Customer, its personnel and/or the data subject; (ii) Customer's breach of Applicable Law or the DPA, or (iii) an act or omission by a third party, including the data subject. The Customer must notify SSG immediately and within one month of Customer becoming aware of any claim. SSG's liability for damages is limited to the actual compensation that the Customer has been ordered by a court ruling to pay to the data subject or to the amount determined by a settlement approved by SSG. SSG's total liability to the Customer under this DPA is limited to the amount actually paid by the Customer for the Feature that caused the damage during the year preceding the damage. SSG is not responsible for any administrative fines imposed on the Customer.

9.2 SSG, in its capacity as a data processor, processes personal data as collected by the Customer and is not responsible for any consequences if the personal data obtained proves to be incorrect. The Customer is also responsible for ensuring that the personal data has been collected and that the data subjects have received information in accordance with Applicable Law and that there is a legal basis for the processing. The Customer shall compensate SSG for any damage and costs incurred by SSG as a result of the Customer's breach of the DPA or Applicable Law.

10. Term and termination of the DPA

10.1 This DPA enters into force on the date of conclusion of the Agreement and remains in force for as long as SSG processes Relevant Personal Data to provide the Features under the DPA. The DPA shall only apply to the processing of Relevant Personal Data to provide the Features, not otherwise.

10.2 This DPA may be terminated on the basis of the provisions that apply to the termination of the Agreement. This DPA shall automatically terminate on the same date as the Agreement, unless a new agreement is concluded to replace the Agreement or unless otherwise agreed in writing between the parties.

10.3 SSG has the right to terminate the DPA, subject to a three-month notice period.

11. Consequences of termination

11.1 Upon termination of the DPA, SSG shall delete or return the Relevant Personal Data to the Customer in accordance with the Customer’s instructions. If the Customer does not submit an instruction to SSG within 30 days after the termination of the DPA, SSG shall be considered instructed by the Customer to delete the Relevant Personal Data.

11.2 To avoid misunderstandings, this chapter 11only applies to Relevant Personal Data, namely personal data processed by SSG as a data processor within the framework of the Features. The personal data processed by SSG as a data controller is not subject to the obligations set out in this chapter.

11.3 This DPA shall continue to apply for as long as SSG processes Relevant Personal Data to fulfil its obligations in accordance with clause 1 above, even if the Agreement has been terminated.

12. Changes and version of the DPA

12.1 SSG has the right to make changes, adjustments, and updates to the DPA to the extent it follows from changes in SSG's services, including the Features. Otherwise, SSG's general terms and conditions section 15.3 shall apply to changes to the DPA.

12.2 This version of the DPA was updated by SSG on 5 December 2024.

13. Governing law and dispute resolution

13.1 Swedish law shall apply to this DPA, without regard to its principles on conflict of laws. Disputes regarding the interpretation or application of the DPA shall be finally settled in accordance with what is stated regarding disputes in the Agreement.

 

Appendix 1 to the DPA - Instruction

1. General

1.1 The Customer is the data controller and SSG is the data processor for the personal data processing operations in the Features as described in this Instruction.

1.2 Relevant Personal Data includes only the personal data explicitly listed in this Appendix that is required to provide the respective Feature, or part of it. Relevant Personal Data does not include the personal data that SSG otherwise processes, such as personal data in agreements, personal data relating to end-users and administrators of SSG's services, personal data in SSG's general content such as SSG’s e-courses and/or in other services provided by SSG, for which SSG is the data controller.

1.3 This Instruction describes the processing of personal data in each Feature. Whether the Customer actually purchases a particular Feature from SSG is set out in the Agreement. Only the Features that the Customer actually purchases in accordance with the Agreement are relevant between the Parties. Other Features are not included and shall not apply between the Parties.

1.4 As data processor, SSG shall mainly perform the following processing operations on Relevant Personal Data: collection, structuring, use, copying, alteration, storage, disclosure, dissemination or otherwise making available, deletion and erasure.

2. The Feature local courses and courses with customer-specific content (only applicable on the Customer Data) in SSG Entre and/or SSG Academy.

2.1 Purpose: In consultation with the Customer, SSG may develop and provide local courses, such as local SSG Entre courses and local Employee Safety courses, as well as create customised courses, such as via SSG Create (Sw. SSG Skapa). A Customer-specific local course is based on both the Customer Data and SSG's general material (the latter is not covered by this DPA). The Customer-specific local course shall be published by SSG so that end-users and course participants can take the course. The purpose of the Feature is to allow the Customer to have a customer-specific safety course or other type of local course based on actual information about the Customer, to enable provision of courses tailored the Customer's business operations and thereto associated risks.

2.2 Relevant Personal Data. Personal data that the Customer provides and/or SSG obtains on the Customer's instructions in order to develop the Customer-specific local course, such as photos of staff, safety briefing video, contact details to be included in the course material, union representative at the plant (special category of personal data) and other personal data that the Customer wishes to include in the Customer-specific local course. The personal data is mainly related to the Customer's staff and other persons that the Customer chooses to include.

2.3 Duration. Generally, the Customer's local course(s) will be retained for the duration of the Agreement, unless the Customer specifically requests SSG to delete the course(s). The Customer grants SSG the right to delete outdated and/or obsolete local courses, such as courses that have had no participants in the last three years.

2.4 Delimitation. Relevant Personal Data only includes the personal data contained in Customer Data to produce the Customer-specific local course. Relevant Personal Data includes, for example, name and contact details of a security officer, photo and video. Relevant Personal Data does not include, for example, (i) personal data in materials provided by SSG to produce the Customer-specific local course, (ii) personal data of end-users and administrators of SSG's services, and (iii) personal data on course participants.

2.5 Sharing. Relevant Personal Data may be shared by SSG with course participants, administrators and contractors.

3. The Feature Project Staffing in SSG On Site

3.1 Purpose. Project Staffing is an add on module to SSG On Site. The purpose of the Feature Project Staffing is to enable the Customer to staff and monitor projects. In addition, the Customer can keep a personnel register, which is a legal requirement that may be incumbent on the Customer. Each personnel register created by the Customer is limited to the specific project only.

3.2 Relevant Personal Data. A Data Subject's personal data is in relevant parts copied from the Data Subject's SSG account to the Customer's specific project at time of staffing and to the personnel register upon registration in the register. The copied personal data is then kept in the Customer's specific project/personnel register. Upon registration, the copied personal data forms part of the Relevant Personal Data. Relevant Personal Data includes name, social security number/identification number, facility visited, check-in time and check-out time, authorisations to carry out projects and other project details chosen by the Customer. The personal data relates to the Customer's employees and, if Customer has linked contractors/suppliers to a project, personal data on the contractors/suppliers who will perform work for the Customer.

3.3 Duration. In order to fulfil the legal requirements on retention of information in a personnel register, and unless otherwise specified by the Customer, a specific personnel register is kept for three years after the end of the calendar year in which the Relevant Personal Data was recorded in the specific personnel register. Relevant Personal Data is kept for the duration of the project and for sex months thereafter. SSG is thereafter entitled to delete or anonymise the data. Inactive end-users (no activity for 24 months) are anonymised in ongoing projects. The Customer can manually delete personal data of individuals in projects. If the Customer wants to keep a project/personnel register for a longer time period, the Customer shall extract a separate copy from the Feature.

3.4 Sharing. Relevant Personal Data may be shared by SSG with administrators, linked contractors and parties connected to a project. Through screen integration, Relevant Personal Data can be displayed on screens in locations chosen by the Customer, for example inside a site office.

4. The Feature Workflow in SSG On Site

4.1 Purpose. Workflow is an add on module to SSG On Site. The purpose of the Feature Workflow is to enable the Customer to digitize its permit processes. The Feature essentially includes the following:

a) Issued local certificates can be used to issue and store local certificates linked to the Customer´s site. For example, this may apply to an issued certificate for completed safety training or authorisation to operate a certain type of machinery at the Customer´s site. The purpose of the Feature is to enable the Customer to issue and administer local certificates digitally and to administer site-specific certificates, licences, and authorisations. A local certificate issued is stand-alone in each case.

b) Issued work permits can be used to issue and store work authorisations to perform certain work at the Customer's site. Examples include authorisations to enter certain areas, work permits such as hot works, handling chemicals or working at height. Work permits linked to the Customer can be staffed and administered both by the Customer and by a contractor's employer (the contractor company). The purpose of the Feature is to enable the Customer to manage its work permits digitally and to store them in accordance with legal requirements that may apply to the Customer. A work permit issued is stand-alone in each case.

c) Issued driving permits can be used to issue and store driving permits. For example, this may apply to authorisations to drive a certain type of forklift or lifting device on the Customer's site. Driving permits linked to the Customer can be staffed and administered both by the Customer and by the contractor's employer (the contractor company). The purpose of the Feature is to provide the Customer with a digital tool to fulfil its coordination responsibilities, manage its driving permits digitally and store them in accordance with legal requirements that may apply to the Customer. A driving permit issued is stand-alone in each case.

4.2 Relevant Personal Data. A Data Subject's personal data is copied from the Data Subject's SSG account upon confirmation of the issuance of a local certificate, work permit or driving permit or added manually by the Customer (if such functionality is available in the Feature). Upon finalisation of the issued certificate/permit, the copied personal data forms part of the Relevant Personal Data. Relevant Personal Data includes name, social security number/identification number, details of the issued certificate/permit, information on underlying certificates/permits, personal data in uploaded certificates/permits, employee number, and other personal data that the Customer chooses to include in the issued certificate/permit. In a driving permit, the type of vehicle/lift relevant for the permit is included. The personal data relates to the Customer´s staff and others who receive a certificate/permit from the Customer.

4.3 Duration. Relevant personal data are kept as follows:

a) Issued local certificates are kept for as long as the certificate is valid and for six months thereafter.

b) Issued work permits are kept for as long as the permit is valid and for six months thereafter Unconfirmed work permits expire after one month.

c) Issued driving permits are kept for as long as the permit is valid and for six months thereafter. Unconfirmed driving permits expire after one month.

4.4 Sharing. Relevant Personal Data may be shared by SSG with administrators, linked contractors and parties that receive a certificate/permit. Through screen integration, Relevant Personal Data can be displayed on screens in locations chosen by the Customer, for example inside a site office.

5. The Feature public information regarding Customer’s site in SSG On Site

5.1 Object and purpose: In SSG On Site, the Customer can choose to publish information about its site. The published information is publicly available to users of SSG On Site. The purpose of SSG On Site is for the Customer to make available to contractors, visitors, and others at the Customer’s facility the information and personal data that the Customer chooses, such as safety information, news, contacts, emergency numbers, maps and other information that a contractor needs to have access to before and during a visit to the site. Other examples of information that can be made available in the app are information in case of fire, information about evacuation and assembly point, alarm lists and alarm numbers, as well as loading and unloading information.

5.2 Relevant Personal Data. Relevant Personal Data includes the personal data that the Customer chooses to publish about its facility in SSG On Site, such as names, email addresses, contact details, titles, photographs, etc. The personal data is attributable to the Customer's employees and other persons included by the Customer. Public site information has no connection to the personal data processed by SSG as a data controller.

5.3 Duration. Any personal data included in the Customer’s public facility information in SSG On Site is stored for as long as the Customer uses SSG On Site and has such information published. The Customer chooses in the service if and when the personal data will be deleted.

5.4 Sharing. Relevant Personal Data is published and made public in SSG On Site and on the SSG website.