This Data Processing Agreement (the “DPA”) constitutes a schedule to the Agreement regarding BoF’s (the “Processor’s”) provision of the Services to Customer. The definitions in the Agreement and its schedules shall apply here. Unless otherwise expressly stated in the Agreement or this DPA, defined terms shall have the same meaning as in applicable data protection legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR” and collectively the “Data Protection Rules”).
Processor, while providing the Services, will process Personal Data as either Processor or, where applicable, as a sub-processor, for which the Customer or Customer’s customer, where applicable, is the Controller. Processor’s Processing of Personal Data shall then take place in accordance with the provisions herein.
Customer shall ensure that the Processing carried out by Customer when using the Services complies with the terms herein and with the Data Protection Rules.
Customer has the right, and is obliged, to decide on the purposes and means of the Processing. The purpose of the Processing is to provide the Services in accordance with the Agreement.
Customer’s instructions
Processor shall only Process Personal Data provided by Customer in connection with the provision of the Services under this DPA, based on Customer’s instructions, in accordance with applicable legal requirements and in accordance with the Data Protection Rules, including, but not limited to, Article 28(3)(a)-(h) of the GDPR.
If Processor finds that Customer’s instructions are contrary to the Data Protection Rules or are missing and Processor deems that new or additional instructions are necessary, Processor shall inform Customer without delay and, if possible, temporarily cease the Processing concerned and await new instructions.
Processor shall, at the request of Customer, be able to demonstrate that it complies with the DPA, Customer’s instructions and the Data Protection Rules.
Technical and organisational measures, etc.
Processor shall take appropriate technical and organisational security measures to protect Customer’s Personal Data Processed by Processor. In particular, Processor shall ensure that it fulfils the obligations arising from Article 32 of the GDPR and otherwise, if applicable, complies with any specific requirements for security measures agreed between Processor and Customer. Processor shall also assist Customer in fulfilling Customer’s obligations under Articles 32-36 of the GDPR, taking into account the type of Processing carried out by Processor.
Processor shall limit access to the Personal Data to such persons who need to have access to the Personal Data in order to fulfil Processor’s obligations to Customer. Processor shall ensure that the persons concerned are covered by appropriate confidentiality undertakings.
No Personal Data governed by this DPA may be retained by Processor after the Services have ended, except if this is required to comply with applicable law, the Agreement or this DPA.
Processor may not disclose Personal Data to Third Parties without Customer’s prior written consent, unless the obligation to disclose the Personal Data follows from the Agreement, Data Protection Rules or a binding decision by a Supervisory Authority.
Personal Data Breaches
Processor shall report confirmed and suspected Personal Data Breaches to Customer without undue delay, and no later than 12 hours after becoming aware of the Personal Data Breach. The reporting shall at least include:
(i) The nature of the Personal Data Breach and, where possible, the categories and number of Data Subjects concerned, and the categories and number of Personal Data involved.
(ii) The likely consequences of the Personal Data Breach.
(iii) Actions taken or proposed and measures to mitigate the potential adverse effects of the Personal Data Breach.
If Processor cannot provide the full description of a Personal Data Breach in a single instance, the description may be provided in instalments, without undue delay. Processor shall, if reasonable, at Customer’s request, also assist in investigating suspicions of possible unauthorised Processing.
Sub-processors
Processor is entitled to engage sub-processors or replace sub-processors, provided that Processor notifies Customer in writing at least 30 days prior to the engagement or replacement of a sub-processor. Processor shall notify Customer about the change of sub-processors via the Services and by e-mail to the contact person specified in the Agreement. If Customer provides a reasonable objection to the engagement of a specific sub-processor to Processor, in writing, within 30 days of the Processor notifying Customer thereof, the Parties shall collaborate to find a suitable solution to work around the reason behind the objection. If the Parties cannot agree upon a suitable solution within 30 days of Customer’s objection, Processor shall not engage the objected-to sub-processor for the Processing of Customer’s Personal Data. If refraining from using the sub-processor materially impairs Processor’s ability to provide the Services, each Party is entitled to terminate the Agreement with 30 days’ written notice.
Processor undertakes to enter into a data processing agreement with each sub-processor that includes at least the same obligations as those arising from this DPA. Processor is fully responsible to Customer for Processing carried out by the sub-processors. In the event that the sub-processor is located outside the EU/EEA, Processor shall ensure that the use of such sub-processor is in accordance with the Data Protection Rules and this DPA. At the time of entering into this DPA, Processor has engaged the sub-processors listed on Processor’s website. Processor shall keep the list of sub-processors on the website updated.
International transfer of Personal Data
Personal Data shall, unless otherwise agreed, be Processed within the EU/EEA and not be transferred outside the EU/EEA. If Personal Data is to be transferred outside the EU/EEA, the transfer shall be made to a country subject to an adequacy decision under Article 45 of the GDPR or be subject to appropriate safeguards under Article 46 of the GDPR, including, where applicable, the Standard Contractual Clauses adopted by the Commission Implementing Decision (EU) 2021/914.
If Personal Data is to be transferred to a country without an adequacy decision, Processor shall carry out, or assist Customer in carrying out, a transfer impact assessment. Where the assessment identifies deficiencies, Processor shall implement supplementary measures sufficient to ensure an essentially equivalent level of protection, or refrain from the transfer.
Audits
Processor is obliged to provide Customer with access to the information required to demonstrate compliance with the obligations under Article 28 of the GDPR. Processor shall allow Customer to audit Processor’s compliance with this DPA. Such an audit may be conducted twice every twelve-month period. Prior to the commencement of such audit, Customer and Processor shall jointly agree on the scope, timing, duration, verification and evidence requirements and cost allocation of the audit, provided that this requirement for agreement does not allow Processor to unreasonably delay the conduct of the audit. Customer shall give Processor at least 30 days’ written notice of any intended audit.
Data Subject rights
Processor shall promptly notify Customer of any request it has received from a Data Subject. It shall not respond to that request itself unless it has been authorised to do so by Customer.
Processor shall assist Customer in fulfilling Customer’s obligation to respond to requests to exercise Data Subjects’ rights. Processor is entitled to charge Customer a reasonable fee for such assistance where the request requires measures beyond Processor’s ordinary operations in connection with the Services, provided that Processor notifies Customer of such fee in advance. Processor shall not delay its assistance pending payment where such delay would prevent Customer from complying with applicable response deadlines.
Requested information
Processor is not obligated to provide Customer with information requested in relation to Sections 3.15 and 3.16 if Customer can access the requested information independently through the use of the Services.
Management at the end of the Service
Upon termination of the Services, Processor shall within 30 days either make the Personal Data available to Customer or a relevant partner of Customer, or delete the Personal Data as agreed between the Parties.
Each Party’s liability under this DPA is subject to the same limitations and exclusions of liability as set out in the Agreement.
Both Parties are entitled to request renegotiation of the DPA if the applicable legislation, or the interpretation thereof, changes in a way that is decisive for the Processing. Additions and amendments to the DPA shall be in writing and signed by both Parties.
INSTRUCTIONS
In addition to the instructions to Processor otherwise set out in this DPA and the Agreement, the instructions and information below shall be observed when Processing the Personal Data.
Processor Processes the Personal Data to deliver the Services. Processing shall also take place for troubleshooting, correcting errors, keeping the Services updated, ensuring that the Services work, and improving user productivity, reliability, efficiency, quality, and security. Processor may also Process Personal Data in other ways when Processor performs services in accordance with the Agreement or subsequent written agreements between the Parties.
The following Personal Data may be Processed by Processor:
(i) Non-sensitive categories of Personal Data:
(ii) Sensitive categories of Personal Data:
Processor shall Process Personal Data for the following categories of Data Subjects of the Customers, which include its:
(i) Employees;
(ii) Suppliers;
(iii) Partners;
(iv) Customers.
Processing includes, through the Services, the storage, organisation, structuring, adaptation, retrieval, compilation, sharing, erasure, troubleshooting, support and other processing of the information sent to, uploaded, posted, created and otherwise handled by Customer, where applicable Customer’s customer, and Processor within the framework of the Services.
The Processing shall continue for as long as the Agreement provides, or because the Processing is necessary under applicable law.