Processing of personal data in Cooperation Agreements
Data protection legislation determines the roles of the parties involved in the processing of personal data. A controller means the party that determines the purposes and means of the processing of personal data. A processor processes personal data on behalf of the controller. With regard to the services provided and purchased under this cooperation agreement, these roles are divided as follows between the parties. These roles determine the position and obligations of the parties in the personal data processing terms below.
Below is a list of the services provided by Intrum in which both Intrum and the Client have the role of an independent controller and are subject to the terms and conditions set out in section A below.
Debt collection services
Credit Information Services as regards to credit data on companies
International debt collection
VAT services as regards consultancy services
Invoicing and accounts ledger services as regards to reminder services
Below is a list of the services provided by Intrum that involve the processing of personal data carried out by Intrum on behalf of the Client in the role of processor. These services are subject to the personal data processing terms set out in section B below.
Credit Information Services as regards to credit data on private persons
VAT services as regards reclaiming of VAT
Invoicing and accounts ledger services excluding reminder services
A) Personal Data Processing Terms – Controller–Controller -relation
Both of the parties act as independent controllers. The parties undertake to process personal data under their control and related to this cooperation agreement in accordance with the applicable legislation.
The parties will implement appropriate technical and organisational safety measures in order to safeguard the security of the processing of personal data.
Each party undertakes to keep confidential and secret the personal data obtained from the other party as well as to inform all the parties involved in the processing of personal data of the confidential nature of said personal data. The parties will ensure that all persons involved in the processing of said personal data have signed an appropriate non-disclosure agreement and/or have otherwise undertaken to comply with confidentiality. However, the above confidentiality obligation is not applicable to situations where a party has a statutory obligation or right to disclose data.
B) Personal Data Processing Terms – Intrum as processor
1.1 These personal data processing terms apply to the extent Intrum processes personal data as a data processor. These personal data processing terms form an integral part of the co-operation agreement. However, in the event of conflict, the provisions of these personal data processing terms shall prevail.
1.2 The personal data processed by Intrum, the nature and purpose of the processing, the type of personal data and categories of data subjects have been described in each service description and/or applicable file description. Intrum processes the personal data until actions that are agreed/necessary for the service provided have been completed and the retention period under applicable legislation has ended.
2 General obligations
2.1 The Client undertakes to ensure that there is a valid legal ground for the processing, that the personal data transferred to Intrum are correct, that the end customer has received sufficient information about the processing and to give Intrum comprehensive, written and lawful instructions on the processing, where performance of the Services in accordance with the co-operation agreement and any applicable service descriptions shall be deemed to be in compliance with such written instruction.
2.2 Intrum will only process personal data as instructed by the Client, including with regards to transfers to a third country, unless required to do so to comply with a legal obligation to which Intrum is subject. Intrum shall inform the Client of such legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
Intrum warrants that it will treat all personal data as strictly confidential and ensures that all its employees, agents and/or approved sub-processors engaged in processing the personal data have signed an adequate confidentiality agreement and/or are under any other binding obligation of confidentiality.
Intrum shall implement technical and organisational measures appropriate to the risk of the processing, including, as appropriate: (i) pseudonymisation and encryption of personal data, (ii) being able to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services, (iii) being able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and (iv) having a process in place for regularly testing, assessing and evaluating the effectiveness of the measures implemented to ensure the security of the processing.
Once per calendar year, on the Client’s expense and in accordance with the parties mutual agreement, Intrum shall make available all information necessary to demonstrate compliance with Intrum’s obligations as a processor, and allow for and contribute to audits, including inspections, conducted by the Client or a third party auditor mandated by the Client, and approved by Intrum, provided that the Client notifies Intrum of its intention to conduct an audit no later than two (2) weeks prior to the audit. The audit shall be conducted during normal business hours and without interruption to Intrum’s ongoing business operations.
6 Assistance, information obligations and incident management
6.1 Intrum shall, taking into account the nature of the processing and the information and technical means available, assist the Client in: (i) ensuring compliance with its legal obligations, such as, data security, data breach notification, data protection impact assessment and prior consulting obligations, and (ii) responding to requests for exercising the data subject's rights. On the Client’s written request, Intrum shall make available to the Client all such information it possesses, which are in accordance of Article 28 of the General Data Protection Regulation ((EU) 2016/679), necessary to demonstrate compliance with the obligations regarding the use of a data processor. Unless otherwise agreed, Intrum has the right to invoice the reasonable costs incurred as a result of the aforementioned assistance and provision of data in accordance with the price list in force.
6.2 Intrum shall inform the Client of any requests from the Client’s data subjects and/or the supervisory authorities.
7 Contracting with sub-processors
7.1 These personal data processing terms include a general written authorisation of the Client for Intrum to subcontract the performance of whole or parts of the Service(s) included in the co-operation agreement to a third party. Intrum shall inform the Client of the engagement of a new sub-processor. If the Client does not in writing object to the engagement of the sub-processor in question within one (1) week after having received notice thereof, the Client shall be deemed to have accepted the sub-processor in question. If the Client objects to the use of a new sub-processor, Intrum shall be entitled to, for each service, without consequences for Intrum, decline cases, omit to take action and/or close the applicable case(s). For the avoidance of doubt, the Client has accepted all sub-processors used by Intrum at the time this co-operation agreement comes into force.
7.2 Intrum shall ensure that the sub-processor is bound (in writing) by the same or equal obligations as Intrum under these personal data processing terms, and shall supervise compliance thereof.
8 Destruction of personal data
Upon termination of the co-operation agreement and after the end of provisioning the services, Intrum will destroy and/or anonymise the personal data processed on behalf of the Client, including any copies thereof, unless applicable law requires or allows for storage of the personal data.
If the Client leaves additional instructions, which go beyond the co-operation agreement, any associated costs for compliance with such instructions, shall be borne by the Client.
10 Limitation of Liability
The parties acknowledge that the division of the parties’ liability related to administrative fines and/or damages imposed by a supervisory authority or a court under these personal data processing terms is based on each party’s obligation to fulfil its own duties under data protection legislation. Therefore, each party is liable for the administrative fines and/or damages that are imposed by a supervisory authority or a court and that have been imposed on it for infringements of data protection legislation caused by the party in question. A party’s liability for damages for any direct damage that is incurred by the other party of the cooperation agreement and that results from the party’s breach of these personal data processing terms is limited to the amount corresponding to the charges paid by the Client to Intrum under this cooperation agreement during the year preceding the event giving rise to liability. The parties are not liable for any indirect or consequential damage. No limitations of liability are applicable to damage arising from wilful misconduct, gross negligence or breach of the confidentiality obligation.