DATA PROCESSING AGREEMENT
Data Processing Agreement (Version 2.0, 2023.12.20)
This Data Processing Agreement (“DPA”), entered into by and between Filmstaden AB (Business Reg. No.
556035-1651 with its registered address Greta Garbos Väg 11-13, 169 86 Stockholm, Sweden) (hereinafter
“Service Provider” or “Processor”) and you as a Customer (hereinafter “Customer” or “Controller”), sets
forth the terms and conditions relating to the processing of Personal Data connected with the service to
be rendered by the Service Provider to Customer pursuant to the accepted Terms & Conditions for the
Service (the “Agreement”).
If you have questions regarding this DPA, you may contact our Data Protection Officer by email to
[email protected].
In consideration of the mutual agreements in this DPA, in the Agreement and for other good and
valuable considerations, the sufficiency of which is hereby acknowledged, Customer and Service
Provider agree as follows:
1. Definitions
1.1. “Data subject” means a natural person who can be identified, directly or indirectly, by the Personal
Data.
1.2. “EEA” means the member state countries of the European Union and countries of the European
Economic Area.
1.3. “GDPR” refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.4. “Personal Data” means any information relating to an identified or identifiable natural person such
as name, email address, telephone number, location data, date of birth, postal address, any other
unique identifier or that is defined as “Personal Information”, “Personal Identifiable Information”,
“Personal Data” or any similar designation by Applicable Data Protection Law, in any form or media,
that the Service Provider receives, accesses, collects, generates, processes, compiles or creates in
connection with this DPA.
1.5. “Processing” or “to Process” means any operation or set of operations performed upon Personal
Data or on sets of Personal Data, whether or not by automated means, such as collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval, use, consultation, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, erasure and
destruction, or restriction.
1.6. “SCC” means either the Standard Contractual Clauses adopted by the European Commission
implementing decision 2021/3972 (Module three) or any other clauses amending or replacing them.
1.7. “Sub-processor” means any third party engaged by the Processor, or its Sub-processor, to Process
Personal Data on behalf of the Controller.
1.8. “Data Protection Law” refers to the Regulation (EU) 2016/679 of the European Parliament and of the
Council, the Data Protection Act (2018:218) and the Data Protection Ordinance (2018:219), and all other
applicable data protection legislation.
1.9. “Data Processor” or “Processor” means the Service Provider which processes Personal Data on behalf
of the Data Controller, and in compliance with the terms and conditions provided hereto.
1.10. “Data Controller” or “Controller” means the Customer provided that it determines the purposes
and means of the processing of Personal Data in relation and in connection to the Service Provider
Agreement.
1.11. “International transfers” means the transfer of Personal Data from a country to another jurisdiction
or an international organization.
1.12. “Technical and Organizational Security Measures” means those measures aimed at protecting
Personal Data against unlawful destruction or accidental destruction or loss, alteration, unauthorized
disclosure, or access, and against all other unlawful forms of Processing.
1.13. “Personal Data Breach” means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of or access to, Personal Data transmitted, stored,
or otherwise processed.
1.14. “Disclosure Request” means a request to access Personal Data from any public authority,
agency or third party.
2. DATA PROCESSING
2.1. BACKGROUND
As a Customer of the Service Provider, you have chosen to use Service Provider’s web service for
distribution of digital tickets/electronic codes to your selected recipients via text message or e-mail
(the "Service"). The Service is administered by us as the Processor, who may Process the Personal Data
you enter or have made available in the Service and for which you, as a Customer, are the Controller.
Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR") requires that a
written agreement is drawn up between the Controller and the Processor regarding the Data
Processor's processing of personal data for which the Controller is responsible. This agreement (the
"Data Processing Agreement") - which shall be deemed to have been entered into when you decide to
use the Service - regulates such processing.
2.2. COMPLIANCE WITH LAWS
Terms in this DPA relating to personal data or the processing thereof shall be interpreted in
accordance with the GDPR and Data Protection Law.
Both parties will comply with all applicable requirements of the Data Protection Law. This DPA is in
addition to, and does not relieve, remove, or replace, a party's obligations under Data Protection Law.
2.2. ROLE OF THE PARTIES
The parties acknowledge that for the purposes of the Data Protection Law, the Customer acts as the
Controller and the Service Provider acts as the Processor.
2.3 SCOPE OF THE DATA PROCESSING AGREEMENT
This Data Processing Agreement sets out the conditions under which the Service Provider, as a
Processor, will process personal data on behalf of the Customer according to the Customer's
instructions and for the purpose of providing the Service included in the Agreement, as well as when
performing their obligations under this Data Processing Agreement and the Agreement. Provided that
the Service Provider shall not Process the Customer's Personal Data for any other purposes.
2.4 DESCRIPTION OF THE PROCESSING OF PERSONAL DATA BY SERVICE PROVIDER AND
CUSTOMER’S INSTRUCTIONS
The nature and purpose of Processing, duration of Processing, categories of Data Subjects and types
of Personal Data Processed, is set out in ANNEX 1 of the Data Processing Agreement attached hereto.
2.5. CUSTOMER’S PROCESSING OF PERSONAL DATA
2.5.1 Customer shall, in its use of the service, Process Personal Data in accordance with the
requirements of the applicable laws, rules, regulations, and orders of governmental authorities having
jurisdiction, including Applicable Data Protection Laws and any applicable requirements to provide
notice to Data Subjects of the use of the Service provided by the Service Provider as the Processor to
Process Personal Data for the duration and purpose of this Data Processing Agreement.
2.5.2 The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal
Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges
that its use of the Service does not violate the rights of any Data Subject.
2.6 SERVICE PROVIDER’S PROCESSING OF PERSONAL DATA
2.6.1 The Processor may only process Personal Data in accordance with (i) this Data Processing
Agreement, (ii) GDPR and other applicable Data Protection Law, and (iii) in accordance with
documented instructions from the Controller, including instructions regarding erasure, return and
deletion of Personal Data Processed within scope of this Service.
2.6.2 If the Processor lacks instructions which the Processor deems necessary in order to carry out
an assignment from the Controller, or if the Controller’s instructions infringe Data Protection Law or
other applicable law, the Processor shall notify the Controller without undue delay and await the
Controller’s further instructions.
2.6.3 The Processor shall enable the Controller to access, rectify, erase, restrict and transmit the
Personal Data Processed by the Processor. The Processor shall comply with any instructions related to
the above without undue delay and in any event within 30 calendar days. If the Controller erases, or
instructs the Processor to erase, any Personal Data held by the Processor, the Processor shall ensure
that the Personal Data is erased so that it cannot be recreated by any party.
2.6.4 The Processor shall notify the Controller without undue delay about any events or other
circumstances likely to have an adverse effect on Processor’s ability to fulfil its obligations under this
Data Processing Agreement, including SCC, whenever applicable.
2.6.5 The Processor shall notify the Controller without undue delay as to any contacts with a
supervisory authority, concerning or of significance to, the Processing of Personal Data carried out on
behalf of the Controller. The Processor may not represent the Controller, nor act on the Controller’s
behalf, against any supervisory authority or other third party.
2.6.6 The Processor shall assist the Controller in its contact with any supervisory authority, including,
upon the Controller's instructions, by providing any information requested by the supervisory authority.
To the extent permitted by the applicable law, the Processor may not disclose Personal Data or any
information on the Processing of Personal Data without explicit instructions from the Controller.
If a Data Subject requests information from the Processor concerning the Processing of Personal Data,
the Processor shall forward the request to the Controller and assist the Controller in responding to such
request if compelled to do so by applicable law.
2.6.7 The Processor shall impose adequate contractual obligations regarding confidentiality and
security upon its personnel which have been authorized to Process Personal Data.
2.6.8 The Processor shall maintain a record of all Processing activities carried out on behalf of the
Controller. Upon the Controller’s request, the Processor shall make the record available to the
Controller in a generally readable electronic format, including as a minimum the following:
i) the name and contact details of the Processor, its authorized representatives, and if applicable, the
Data Protection Officer of the Processor.
ii) where applicable, the name and contract details of any Sub-processor, its authorized
representatives, and if applicable, the Data Protection Officer of the Processor.
iii) general description of the technical and organisational measures implemented to ensure an
appropriate level of security;
iv) the actual processing activities carried out by the Processor and/or Sub-processor on behalf of the
Controller; and
v) where applicable, transfers of Personal Data to a third country including the identification of that
third country and safeguard measures implemented to ensure an adequate level of protection of the
Data Subject.
3. SECURITY
3.1 The Processor shall implement appropriate technical and organisational measures in accordance
with the Data Protection Law to ensure a level of security appropriate to the risks that are presented by
such Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to Personal Data, taking into account the state of the art, the costs of
implementation, the nature, scope, context and purposes of processing and the likelihood and severity
of risk in relation to the rights and freedoms of the Data Subject. The Processor shall ensure that all
personnel who have access to and/or process Personal Data are contractually obliged to keep the
Personal Data confidential.
3.2 The Processor shall observe relevant codes of conduct, industry best practices, and guidelines
issued or approved by supervisory authority, and at least implement a process for regularly testing,
assessing, and evaluating the effectiveness of any measure taken as described in Section 3.1.
4. DISCLOSURE REQUESTS
4.1 The Processor shall not disclose Personal Data to any public authority, agency or third party (each a
“Public Authority”), unless the Processor receives a civil or criminal subpoena, or other official and
written request which i) is issued by a public authority with the authority and jurisdiction to demand the
disclosure, ii) is legally binding on the Processor and requires the Processor to disclose Personal Data
in response thereto, and iii) is not contradictory to Data Protection Law.
4.2 If the Processor is contacted by a Public Authority with a Disclosure Request, the Processor shall
i) promptly notify the Controller by submitting an incident notification for Personal Data Breach according to Section 7 with a copy of the Disclosure Request, unless legally prohibited from doing so;
ii) review the Disclosure Request to determine whether it is valid and if the Processor has a legal requirement to disclose Personal Data; and
iii) assert its legal rights, including to resist or narrow the demand by taking available remedies with reasonable prospect of success.
4.3 In no event shall the Processor provide any Public Authority with
i) direct or indirect access to Personal Data;
ii) encryption keys used to secure Personal Data or the ability to break such encryption; or
iii) access to Personal Data if the Processor is aware that the Personal Data is to be used for purposes other than those stated in the Disclosure Request, unless such access is based on EU or EU Member State laws, legally binding on the Processor.
4.4 In support of the above, the Processor may provide the Requesting Authority with the Controller’s basic contact information used for incident notifications referred to in Section 7.
5. SUB-PROCESSING
The Controller consents to the Processor appointing third parties as Sub-Processor of Personal Data under this Data Processing Agreement, where this is necessary for the delivery of the service. The Processor confirms that it has entered or (as the case may be) will enter into a written agreement with the Sub-Processor incorporating terms which are substantially similar to those set out in this DPA. The Processor shall, at the Controller's request, provide a copy of the parts of the Processor's agreement with sub-processors that are required to show that the Processor has fulfilled its obligations under this Data Processing Agreement.
6. INTERNATIONAL TRANSFERS
6.1 The Processor (and, where applicable, Sub-Processors) may not transfer personal data to countries outside the EU/EEA or enable access to personal data from such a country, without first ensuring that an adequate level of protection is in place regarding the transfer in line with the International Transfer requirements of Data Protection Law.
6.2 The Controller agrees that where the Processor engages with Sub-processors in accordance with Section 5 for carrying out specific Processing activities on behalf of the Controller, and those Processing activities involve a transfer of Personal Data within the meaning of Data Protection Law, the Processor and the Sub-processor shall ensure compliance with Data Protection Law by using SCC, provided that the conditions for the use of SCC are met.
7. INCIDENT NOTIFICATIONS
7.1 The Processor shall notify the Customer of a Personal Data Breach in accordance with Article 33 GDPR by means of sending a notification email in English to the Customer contact person.
7.2 The notification shall be as specific as possible and at least include all information available to the Processor regarding the Personal Data Breach set out in Article 33.3 GDPR. The notification may not include any Personal Data related to the Data Subject(s) affected by the Personal Data Breach.
8. LIABILITY
8.1 The Processor shall indemnify the Controller for claims for compensation from the Data Subject or administrative fines or other financial penalties imposed by the supervisory authorities or other competent authorities that the Controller is affected by as a result of the Data Processor, or a subprocessor engaged by the Data Processor, in violation of this Data Processing Agreement, having carried out unlawful or negligent processing of personal data for which the Data Controller is responsible.
8.2 A Party that has a claim for compensation or administrative fees directed against it shall notify the other Party thereof without delay.
9. LIMITATION OF LIABILITIES
For the purposes of the Agreement and of this Data Processing Agreement, Controller represents and warrants that all the Personal Data made available to, communicated to, or accessed by the Processor, have been Processed by the Controller in full compliance with applicable Data Protection Laws.
Consequently, the Controller will hold harmless the Processor from any claims, requests for indemnification or compensation of damages regarding the Processing operations performed by the Controller on the Personal Data that will then be Processed by Processor for the purpose of the Agreement.
10. TERM
10.1 Upon termination or expiry of the services relating to the Processing, the Processor shall submit all Personal Data to the Controller on a medium reasonably requested by the Controller. The Processor shall thereafter, in accordance with the provisions on erasure in Section 2.6.3, ensure that there is no Personal Data remaining with the Processor or any of its Sub-processors.
10.2 This Data Processing Agreement is applicable from the date of its execution and until all Personal Data is erased in accordance with Section 10.1 above.
11. DISPUTE RESOLUTION
11.1 This Data Processing Agreement shall be governed by law in the jurisdiction where the Controller is domiciled.
11.2 The Parties agree that they will try to amicably settle a dispute, controversy or claim arising out of, or in connection with this Data Processing Agreement, or the breach, termination, or invalidity hereof.
11.3 In lack of amicable settlement, any dispute, controversy, or claim arising out of or in connection with this DPA, shall be finally settled by arbitration in accordance with the Rules of Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce (“SCC”). The Rules for Expedited Arbitrations shall apply unless the SCC in its discretion determines, taking into account the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators.
ANNEX 1
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA
Under Data Protection Law, the Processor must only Process Personal Data in accordance with Controller’s documented instructions, which are regulated by the Data Processing Agreement. This document forms a part of the Controller's instructions.
1. Scope of Processing. The Processor will only Process Personal Data to perform the Services pursuant to the Agreement, and as further instructed by the Customer in its use of the Services. In particular, processing operations entail retrieval, storage, registration, organisation, accessing (reading or consultation), use (according to the terms of this DPA), disclosure by transmission and erasure or destruction.
2. Nature and purpose of processing. The Processor will only Process Personal Data to perform the Services pursuant to the Agreement, and as further instructed by the Customer in its use of the Services.
3. Duration. The duration of all processing operations shall be up to 16 months, unless otherwise agreed upon in writing or legally required.
4. Types of Personal Data Processed. Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include contact information of individuals, including e-mail address, telephone number and name.
5. Categories of Data Subjects. Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to employer relations of Controller, individuals, or organisations in a relationship with the Controller.