§ 1 General
These Terms of Agreement set forth the contractual obligations between Paloma In Sweden AB (hereafter referred to as Paloma) and the Customer for the service Paloma (hereafter referred to as the Service).
§ 2 Period of agreement and cancellation notice
Unless otherwise agreed in writing, the agreement shall commence to apply when Paloma has confirmed the order or when the Service is opened for use. Orders may be placed via the order form on the Paloma website, www.paloma.se, by email or by verbal agreement. To enable full utilization of the Service, Customers wishing to subscribe to the Service must provide the information requested by Paloma in conjunction with registration. The Customer is obligated to sign a written agreement if Paloma so requests. Paloma will assign the Customer a user name and a password. Paloma may change this identification for technical, operational or other special reasons, including compliance with governmental decision. Notice of cancellation may be made in writing, verbally or via email. Failure to pay an invoice will not be considered notice of cancellation. Paloma will not reimburse paid licensing fees except in the event of errors, deficiencies or delays on the part of Paloma that are not of negligible significance to the Customer. The agreement may be terminated at any time. Paloma will not reimburse paid licensing fees for time remaining in any commenced subscription period (monthly, quarterly or annual) under agreement. The agreement will be renewed automatically unless cancelled before the commencement of the next period of agreement, i.e. the start of the subsequent month, quarter or year according to the agreement period. Paloma is entitled to cancel the agreement with immediate effect if Paloma terminates the Service, incorporates it into another service, or changes the conditions for subscription to the Service, e.g. due to an increase in functionality or fees for the Service. Any outstanding payments will be credited to the Customer in a credit invoice.
§ 3 Pricing and payment terms
The Service shall be invoiced according to the applicable price at the time of order. Prices listed do not include Value Added Tax (VAT) or other similar added charges or fees. The Service shall be invoiced according to the subscription period chosen by the Customer (i.e. monthly, quarterly or annual subscription) at the commencement/renewal of the agreement. Payment shall be received by Paloma no later than 30 days after the date of invoice unless otherwise agreed. In the event payment is not remitted by the due date, the Customer shall be obligated to pay Paloma overdue payment interest charged from the day payment should have been received, in accordance with Section 6 of the Swedish Interest Act. Paloma reserves the right to terminate delivery of the Service if payment is not received. The Customer is obligated to notify Paloma of address changes.
§ 4 Operation, support and customer service
Services are normally in operation 24 hours a day, seven days a week. Operation is, however, unmonitored during certain times and operational disturbances may occur during these times. Paloma is furthermore entitled to limit Service operation without prior notification to perform upgrades, etc. Should messages be sent to the Customer, the email address the Customer provided for receiving operational information will be used. Paloma will provide the Customer with support, if support has been ordered, via email for questions or problems as may arise concerning the use of the Service. Requests for support received during normal office hours, 9:00 a.m. - 5:00 p.m. Swedish time, will normally be responded to within four hours. For urgent support issues, the Customer is requested to contact Paloma directly at +46 225-410 22 to report the issue.
§ 5 Technical requirements for the Service
In order to use the Service, the Customer must meet the minimum technical requirements for the Service specified on the Paloma website.
§ 6 Restrictions and delivery refusal
Paloma is entitled to review the material communicated by the Customer via the Service in order to ensure that the Customer fulfils the obligations of these Terms of Agreement.
Paloma reserves the right to immediately terminate delivery of the Service if the Customer’s use of the Service is in violation of the terms or restrictions set forth in the agreement. Examples of restrictions in usage include:
- disturbing content such as racism, Nazism/fascism, slander, insult, persecution, threats or pornography
- chain letters or pyramid schemes
- the creation of a false identity for the purpose of misleading others
- sending or in another way making accessible material protected by intellectual property rights, without having acquired the rights to the material or procuring all of the requisite licences, permits, etc. for use of the material
- infringing upon the intellectual property rights of Paloma or others
- sending or in another way making accessible material that contains a virus, Trojan horse, worm, time bomb, cancelbot, damaged file or any other software, program, etc. that may damage the operation of anyone else’s computer or property
- falsifying or deleting author attribution, or falsifying or removing pertinent legal information or any other pertinent information regarding property rights for the source of the transmitted material or message
- failure to comply with codes of conduct or other guidelines that may be applicable to the Service
- without permission, attempting to access, obstruct, interrupt or terminate accounts, computers or networks appertaining to the Service
- acquiring access to or attempting to acquire access to information or data via the Service, with the exception of information that Paloma intends to make accessible to the Customer
- exploiting access to the Service for the purpose of procuring information for constructing, developing or updating another program, software, etc.
- charging others for the use of the Service, either directly or indirectly
- systematically and without apparent justification updating entire recipient lists or large portions of recipient lists on a repeated basis and thereby circumventing the applied fee policy for the Service
Services terminated due to the terms listed in Section 6 or due to payment difficulties on the part of the Customer are not entitled to reimbursement. The Customer’s right to use the Service shall in these cases be terminated immediately. Data saved in the Service after it is terminated may be lost. Paloma is not responsible to the Customer for any loss of data caused by the termination of the Service.
§ 7 Customer obligation
The Customer is responsible for ensuring that the Service is used in accordance with current applicable laws and ordinances in Sweden and in the rest of the world. The Customer undertakes to keep Paloma indemnified against any financial loss or other damage attributable to the Customer’s use of the Service. The Customer agrees to not reveal his/her password to any unauthorized person and agrees to ensure that all documentation containing information about this password is kept inaccessible to unauthorized persons. The Customer shall immediately contact Paloma to request a password block if there is any suspicion that an unauthorized person may have acquired access to the Customer’s password. The Customer is solely responsible vis-à-vis Paloma for the information transmitted, stored or provided through the Service. The Customer agrees to use the Service in accordance with the principle of “permission marketing”. This means that the Service shall be used for the further development of existing relationships. Recipients of a mailing must either directly or indirectly give their consent to receive information from the Customer. Consent may be considered given by virtue of an existing relationship with the customer, through personal contacts or by a completed application expressing interest in receiving information via the Service. Recipients of information via the Service shall always be offered the opportunity of deregistering from further mailings via a highly visible clickable link in each individual mailing. Deregistration shall be simple to carry out and must always be respected. Sending out invitations to launch a newsletter is acceptable on the condition that they are sent on a one-time basis to each recipient and that they are sent to a relevant target group with a presumed interest in the content.
§ 8 Paloma account terms
The Customer agrees that there may only be one registered sender per Paloma account and that no more than 10,000 addresses may be registered per Paloma account (basic package). The Customer is entitled to subscribe to Paloma accounts on behalf of clients. However, there may be no more than one such registered client/sender per Paloma account.
§ 9 Limitation of liability
Paloma shall not be liable for any inconvenience, damage or loss as a result of circumstances outside Paloma’s control or which Paloma could not have reasonably foreseen or forestalled. Exempting circumstances shall include (but not be limited to): accidents, wars, riots, inclement weather, labour disputes, errors in the operator’s or sub-contractor’s computer network or any other similar occurrence over which Paloma has no control. Paloma shall under no circumstance be liable for indirect damage or consequential loss.
§ 10 Paloma’s liability
In the event of error, deficiency or delay on the part of Paloma that is not of negligible significance to the Customer, the Customer may be compensated through a cost-free extension of the subscription period for a period of time equivalent to the relevant service failure. In no case shall monetary compensation be paid for delays or deficiencies in service as described above. If a request for compensation is not made within one month of the time the Service should have been opened or the time the error ceased, and the request could have been presented in the proper time but was not, the Customer shall lose the right to compensation.
§ 11 Changes to the agreement
Revisions to these general terms must be approved by the Customer in order to be applicable. Until such changes have been approved, the previously agreed upon Terms of Agreement shall apply.
§ 12 Changes in fees
Fee changes are made by implementing the change in our currently applicable price list. If the Customer does not approve the change or additional charge, the Customer is entitled to cancel his/her agreement for the Service, as set forth in Section 2. Should this not occur, the Customer shall be considered to have approved the new terms. The new terms shall be applied from the start of the next period of agreement, but always one (1) month after Paloma notified the Customer of the upcoming price increase. The message will be sent to the email address the Customer provided for receiving operational information.
§ 13 Transfer of agreement
The Customer is not entitled to transfer the agreement to a third party without written permission from Paloma AB.
§ 14 Confidentiality
Each party agrees not to reveal confidential information received from the other party or obtained during the use of the Paloma Service to a third party.
§ 15 Information to third parties
Paloma is entitled to provide address lists to third parties with the consent of the Customer.
§ 16 Changes to the Service
Paloma is entitled to change the design or format of the Service for any reason without prior notice. Such changes will apply immediately. The Customer shall receive an email notifying him/her of any change that could conceivably affect the Customer's use of the Service. This email shall be sent in a reasonable time frame and to the email address provided by the Customer for receiving operational information.
§ 17 Transfer of Service
The Customer is not entitled to transfer the Service to a third party.
§ 18 Preferential right of interpretation
Paloma enters agreements with customers in many countries and translates agreements as needed to various languages. If an agreement can be interpreted differently due to linguistic differences, agreements prepared by Paloma in English shall have preferential right of interpretation over agreements prepared in other languages. However, if the Customer has entered an agreement written in Swedish with Paloma, the Swedish agreement shall have preferential right of interpretation over agreements written in English.
§ 19 Applicable law
Formulation requirements for entering an agreement and questions concerning the validity of an agreement between Paloma and the Customer shall be settled in accordance with Swedish law. Agreements made between Paloma and the Customer shall be interpreted in accordance with Swedish law and shall have the legal consequences determined thereof.
§ 20 Disputes, controversies or claims
Should any disputes arise between the parties, these shall be settled in accordance with Swedish law and by a Swedish court of law, of which the Stockholm City Court shall be the court of first instance.
PERSONAL DATA PROCESSOR CONTRACT
1.1 The Customer and Paloma have entered into an agreement regarding the use of Paloma’s services (“the Agreement”).
1.2 This personal data processor contract (“the Processor Contract”) only regulates matters concerning Paloma’s Processing of Personal Data on behalf of the Customer. In the event of discrepancies between the Agreement and the Processor Contract, the Agreement shall take precedence.
2.1 Terms defined with uppercase letters in the Processor Contract, which also appear in the General Data Protection Regulation (EU) 2016/679 (“GDPR”), have the same definition as in GDPR.
The Agreement refers to the agreement regarding the use of Paloma’s services that has been entered into prior to, or in conjunction with, the entering into of this Processor Contract.
The Processor Contract refers to this Personal Data Processor Contract.
Legislation refers to the applicable Swedish legislation at any given time.
At the time the Agreement was or is entered into, the processing of personal data in Sweden is primarily regulated by the Swedish Personal Data Act (1998:204) and the Swedish Personal Data Ordinance (1998:1191). However, these regulations will be replaced on 25 May 2018. From this date the personal data area will instead be primarily regulated by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and a (as yet not introduced) law with supplementary provisions to the EU’s data protection regulation. The Parties understand and agree that this Processor Contract shall be interpreted in accordance with the Swedish legislation that applies at any given time.
Personal Data Controller (“the Controller”) refers to the Customer, who determines the purpose and means of the Processing.
Personal Data Processor (“the Processor”) refers to Paloma, which processes Personal Data on behalf of the Controller.
Standard Contractual Clauses refers to the clauses for the protection of Personal Data transferred to a third country in accordance with the European Commission’s decision C(2010)593 of 5 February 2010, or equivalent clauses which replace these.
Sub-processor refers to a party engaged by the Processor with the assignment, and with the responsibility that rests on a Processor, to carry out Processing in accordance with this Processor Contract and the Controller’s instructions.
3.1 The purpose of the Processor Contract is to establish such a binding written contract regarding the personal data processor as is required according to the Legislation.
3.2 Furthermore, the purpose is to ensure that the security and confidentiality of the Personal Data is maintained during the Processor’s Processing of the Personal Data.
4.1 The Controller is responsible for ensuring that Processing takes place in accordance with the Legislation applicable at any given time.
4.2 The Parties understand and agree that, if the Legislation or applicable instructions from authorities change significantly, the terms and conditions set out in this Processor Contract shall be adjusted so that they equate, to the greatest extent possible, to the principles originally intended by the Parties when this Processor Contract was entered into.
5. THE CONTROLLER’S RIGHTS AND OBLIGATIONS
5.1 The Controller shall
- a) provide the Processor with such detailed and documented instructions regarding the Processing that the Processor is able to carry out the Processing in accordance with this Processor Contract and the Legislation;
- b) be entitled and obligated to specify the purpose and means of the Processing of the Personal Data;
- c) ensure that everyone whose Personal Data has been registered has received necessary notifications and information, and shall ensure that necessary legal grounds for the transfer of Personal Data to the Processor exist for the relevant time period, which permit the Processor to carry out the Processing in accordance with that which is prescribed herein;
- d) ensure, in the event that the Controller represents its Group companies or a third party in accordance with this Processor Contract, that the Controller has all legal powers to enter into and perform this Processor Contract with the Processor on behalf of the aforementioned Group companies and/or third party, and to allow the Processor to Process the Personal Data in accordance with the terms and conditions set out in this Processor Contract and the Agreement; and
- e) ensure that the Processor has received all necessary information from the Controller in order for the Processor to be able to carry out the Processing in accordance with the Legislation.
6. THE PROCESSOR’S RIGHTS AND OBLIGATIONS
6.1 The Processor shall
- a) Process Personal Data on documented, lawful and reasonable instructions from the Controller, unless otherwise required to do so according to the Legislation, in which case the Processor shall inform the Controller of the legal requirement in question, provided the Legislation does not prohibit the provision of such information;
- b) ensure that persons authorised to carry out the Processing in accordance with this Processor Contract have undertaken to observe a duty of confidentiality or are covered by a statutory duty of confidentiality, such as is set out in this Processor Contract;
- c) take all security measures as are required of the Processor according to the Legislation, in a manner that is set out in this Processor Contract;
- d) comply with the terms and conditions that are set out in the Legislation in relation to the engagement of a Sub-processor, in a manner that is set out in this Processor Contract;
- e) insofar as it is possible, and taking into account the nature of the Processing, assist the Controller by way of appropriate technical and organisational measures, so that the Controller can fulfil its obligation to respond to requests for exercising the data subject’s rights in accordance with the Legislation;
- f) assist the Controller to fulfil its legal obligations, including such obligations regarding security of personal data, notification of a personal data breach, data protection impact assessment and obligations regarding prior consultation, as is required of the Processor according to the Legislation, taking into account the nature of Processing and the information available to the Processor;
- g) on the Controller’s instructions, delete or return all Personal Data to the Controller and delete existing copies, provided storage of the Personal Data is not required according to applicable Legislation. The methods for deletion and/or return shall be determined and agreed between the Parties; and
- h) maintain necessary registers of the Processing and provide the Controller with access to all information necessary to demonstrate that the obligations imposed on the Processor have been complied with as stipulated in the Legislation, and facilitate and contribute to audits, including inspections, that are carried out by the Controller or a third party thus mandated by the Controller.
6.2 The Processor does not have the right, other than in accordance with instructions from the Controller, to change the purposes or means of the Processing.
7. SECURITY REQUIREMENTS ETC.
7.1 The Processor shall undertake and maintain appropriate technical and organisational measures for the protection of the Personal Data, taking into account:
- a) the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons; and
- b) the risks that the Processing entails, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Personal Data that has been transferred, stored or in some other way processed.
7.2 The Controller is responsible for ensuring that the Processor is informed about all circumstances (including risk assessment and Processing of special categories of Personal Data) regarding the Personal Data provided by the Controller, which affect the technical and organisational measures covered by this Processor Contract.
7.3 The Processor shall notify the Controller, without unreasonable delay, although no later than 48 hours after the matter has come to the attention of the Processor, of the occurrence of, or risk for, a Personal Data Breach.
8.1 The Processor has the right to engage the services of one or more Sub-processors for the performance of the Processor’s obligations according to this Processor Contract.
8.2 A Sub-processor that has been engaged pursuant to this Processor Contract shall comply with all applicable provisions regarding the protection of Personal Data and shall otherwise essentially fulfil the other obligations of a Processor as are regulated in this Processor Contract.
8.3 The Processor shall inform the Controller in advance of any and all planned changes, additions or replacements of Sub-processors.
9. GENERAL INSTRUCTIONS FOR PALOMA’S SERVICES
9.1 If the Agreement involves the Postman service, the Controller’s instructions shall be:
- a) to Process Personal Data on behalf of the Controller by sending out a newsletter created by the Customer to email addresses stipulated in an address list prepared by the Customer,
- b) to Process any Personal Data that exists in the newsletter, and
- c) to save the address list for the purpose of using the email addresses for a later mailing.
9.2 If the Agreement involves the Magnet service, the Controller’s instructions shall be:
- a) to Process Personal Data on behalf of the Controller by receiving registrations for different types of events,
- b) to sell, in certain cases, paid tickets to these events and thus Process payment information,
- c) to provide the Customer with access to the Personal Data of the data subjects who have registered for the events, consisting primarily of the data subject’s name, contact details and payment information, and
- d) to Process Personal Data by offering a function for “checking in” registered participants to events.
9.3 If the Agreement involves the Kurios service, the Controller’s instructions shall be:
- a) to Process any Personal Data on behalf of the Controller by sending out a survey questionnaire created by the Customer or Paloma to email addresses stipulated in an address list prepared by the Customer,
- b) to save any Personal Data that arises in conjunction with completion of the questionnaires, and
- c) to Process Personal Data by maintaining statistics regarding the outcome of the surveys.
9.4 It is the Controller who bears the full responsibility for ensuring that the Processing of the Personal Data in the Services fulfils the requirements in the Legislation. It should be noted in particular that special consideration should be given to the saving of address lists and the collection of survey questionnaires with free text responses when it comes to ensuring compliance with the Legislation’s requirements regarding (among other things) legal grounds, correctness and erasure.
10. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY
10.1 In the event that the Processor, in conjunction with the Processing, transfers Personal Data to a country outside the European Economic Area (“EEA”) and which is not deemed by the European Commission to ensure an adequate level of protection in relation to the Legislation, the Parties shall enter into an additional contract based on Standard Contractual Clauses.
10.2 If the Processor has engaged the services of a Sub-processor, and such engagement entails the transfer of Personal Data to a country outside the EEA which is not deemed by the European Commission to ensure an adequate level of protection in relation to the Legislation, the Processor and the Sub-processor shall enter into an additional contract based on Standard Contractual Clauses. In applicable cases, when requested to do so, the Processor shall provide the Controller with a signed copy of such additional contract(s) as described above. In the event of discrepancies between this Processor Contract and the aforementioned Standard Contractual Clauses, the Standard Contractual Clauses shall take precedence.
11. RIGHT OF ACCESS
11.1 If the Controller so requests, the Processor, without unreasonable delay, shall provide the Controller, or an independent third party engaged by the Controller, with access to such information and documentation as is necessary in order for the Controller to be able to carry out an effective check/review of the Processor’s measures according to this Processor Contract or the Legislation.
11.2 The Controller shall bear the costs that arise in conjunction with a check/review of the Processing of Personal Data carried out by the Processor.
12.1 Unless the Controller’s instructions say otherwise, the Processor shall
- a) observe a duty of confidentiality in relation to all Personal Data provided by the Controller,
- b) ensure that persons authorised to carry out the Processing of the Personal Data have undertaken to observe a duty of confidentiality, and
- c) ensure that Personal Data is not disclosed to a third party without the prior approval of the Controller, unless the Processor is obligated to disclose such information in accordance with mandatory legislation or regulation.
12.2 If a data subject or an authority makes a request related to the Personal Data covered by this Processor Contract, the Processor, as quickly as is reasonably possible, shall notify the Controller of such request before the Processor replies to the request or undertakes other measures regarding the Personal Data.
12.3 In the event that a competent authority demands an immediate reply, the Processor shall notify the Controller of such request as quickly as is reasonably possible after reply to the request has been made. However, in the event that the Processor is prevented by mandatory legislation or a competent authority’s regulations from disclosing such information, the Processor is not obligated to notify the Controller of such request.
13. LIABILITY AND BREACH OF CONTRACT
13.1 Regardless of that which is stated in the Processor Contract, the Controller shall hold the Processor harmless for any damages or losses (including, for example, but not limited to, administrative sanction fines, damages payable to data subjects, or legal representation fees) which the Processor incurs as a result of the Controller, or someone for whom the Controller is responsible, having acted in violation of the Processor Contract. Any departure from this provision requires written agreement between the Parties on some other regulation, whereby such written agreement must expressly state that the alternative regulation represents a departure from this provision.
13.2 In the event of the existence of some form of compensatory damage or loss as described above, the Processor shall undertake measures to limit the damage or loss, provided such measures do not result in unreasonable costs or are not otherwise unreasonably burdensome.
13.3 If the Controller has acted in violation of the Processor Contract in a not insignificant respect, the Processor has the right to enforce early termination of the Agreement with effect from a point in time determined by the Processor.
13.4 Contract period
13.5 This Processor Contract applies between the Parties as long as the Processor processes Personal Data as a consequence of its undertaking to deliver services to the Customer in accordance with the Agreement. If the Agreement is terminated or otherwise ceases to apply, and a new such agreement is entered into without the signing of a new personal data processor contract, this Processor Contract shall also apply in relation to the new agreement. This Processor Contract can be terminated on the basis of the terms and conditions that are set out in the Agreement.
14. CONSEQUENCES OF CESSATION OF PROCESSING
14.1 When the Processing has ceased, or prior to this if the Controller so requests, the Processor shall hand over or destroy all Personal Data Processed by the Processor.