Last updated: May 21st, 2025
INTRO AUTOMATES SEARCH, SCREENING, AND CONTACT WITH CANDIDATES. FOR RECRUITMENT PURPOSES, CANDIDATES AND THE RECRUITING PARTY'S PERSONAL DATA ARE PROCESSED AND THEREFORE THIS ASSISTANCE AGREEMENT EXISTS.
The following personal data processing agreement (the "Processing Agreement") is entered into on the Effective Date (defined below) between:
Introfied AB, corporate identity number 556847-3432 ("Intro"). ("the Customer"), and
Introfied AB (1) and the Customer (2) are hereinafter each referred to as a "Party" and jointly as the "Parties".
The Client and Intro have entered into an agreement under which Intro shall provide the Client with certain recruitment services. In connection with the services, Intro may process personal data on behalf of the Client for which Intro is responsible. The Client determines the purposes and means of the processing of the personal data and is therefore the data controller, while Intro processes the personal data in its capacity as data processor.
This Data Processing Agreement sets out the conditions under which Intro is entitled to process the relevant personal data on behalf of the Client and the Parties' respective responsibilities and obligations in connection with such processing.
The Client and Intro agree that both parties have a responsibility to comply with Applicable Data Protection Regulation and other applicable law insofar as it applies to controllers and processors. In this Data Processing Agreement, the following terms are defined as follows:
"Agreement" means the commercial agreement between the Parties, including its appendices. The Agreement covers access to Intro's recruitment platform.
"Contract Date" means the date on which the Contract was entered into.
"Applicable data protection regulation" means all laws and regulations, including court decisions and governmental regulations applicable to the processing of personal data by the processor.
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automated means.
"Controller" means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which Processes personal data on behalf of the Controller.
"Personal data" means any information relating to an identified or identifiable natural person, including characteristics such as name, identification number, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
"Data subject" means a natural person whose personal data are processed.
Other definitions in this Data Processing Agreement shall have the same meaning as in the Contract or shall be interpreted in accordance with the Applicable Data Protection Regulation.
The Customer is responsible for ensuring that there is a legal basis for the Processing and that the Processing at Intro is carried out for legitimate and clearly stated purposes.
4.1 Intro undertakes to process personal data only in accordance with the Customer's instructions under this Assistance Agreement, including what is standard for Intro's recruitment platform to function technically and instructions given in writing from time to time.
4.2 Intro undertakes to process personal data in accordance with the applicable data protection regulations at the time, and to comply as soon as possible with decisions and rulings issued by the Swedish Data Protection Authority, other competent authorities, courts or, where applicable, arbitration tribunals regarding the personal data.
4.3 Should Intro consider that instructions from the Customer are contrary to Applicable Data Protection Regulation, Intro shall immediately cease the processing of personal data based on the instructions and notify the Customer thereof, and then await further instructions.
5.1 Intro is fully responsible for the Sub-processor's Processing towards the Controller.
5.2 Intro is entitled to engage a new sub-processor, provided that
a.) the Sub-processor has been engaged by Intro under a written agreement that complies with the terms and conditions set out in this Data Processing Agreement in respect of the Sub-processor's processing of personal data; and
b.) the security and confidentiality activities of the sub-processor have been assessed by Intro before deciding whether the sub-processor is capable of providing the protection of personal data required by this Data Processing Agreement.
5.3 Intro has the right to decide on the use of sub-processors, provided that Intro informs the Client prior to any planned additions or changes to the list of sub-processors and includes the name, address and duties of the new sub-processor.
5.4 The Customer is entitled to object to such changes as presented in clause 5.3 within 30 days if the Customer has a legitimate reason under applicable data protection law to object to the processing of personal data by a new sub-processor. The Customer may terminate the Contract (limited to the service the new sub-processor was intended to perform) by written notice to Intro. Such termination shall be effected at the time determined by the Customer, which shall not be more than thirty (30) calendar days from Intro's notification to the Customer regarding the new sub-processor.
5.5 Intro shall follow internal policy documents for the selection of any sub-processors and shall only enter into collaborations that are consistent with good business and industry practice.
6.1 Intro shall assist the Customer to the extent necessary for the Customer to fulfill the data subject's rights under Applicable Data Protection Regulation, such as rectifying, erasing and restricting the processing of personal data and providing the data subject with extracts from the register. The Customer is aware that actions taken beyond what is necessary to comply with applicable law may have an impact on Intro's services and business agreements.
6.2 Intro shall assist the Customer to the extent necessary to enable the Customer to fulfill its obligations to, inter alia, report personal data breaches to the supervisory authority and the data subject where applicable, perform data protection impact assessments and consult with the supervisory authority, in accordance with Applicable Data Protection Regulation. Intro shall notify the Customer of the occurrence of an Incident without undue delay, but at the latest within 48 hours of becoming aware of it. Such notification shall contain all necessary and available information that the Client needs to be able to take appropriate preventive and countermeasures and fulfill its obligations regarding notification of Incidents to the competent supervisory authority and information to the data subject about an Incident.
7.1 Intro shall be entitled to process personal data, including through the use of sub-processors, in accordance with this Processor Agreement outside the EU/EEA, to the extent that it is compatible with applicable data protection regulation.
7.2 In cases where Intro in connection with the processing transfers personal data to a country outside the EU/EEA and which is not considered by the European Commission to meet an adequate level of protection in relation to Applicable Data Protection Regulation, the Parties shall enter into a supplementary agreement based on the European Commission's standard contractual clauses.
7.3 If Intro has engaged a Subprocessor with the effect that personal data is transferred to a country referred to in clause 7.2, Intro shall enter into a supplementary agreement with the Subprocessor on behalf of the Customer based on Standard Contractual Clauses. Where applicable, Intro shall be deemed to represent the Customer by virtue of a power of attorney and shall, at the Customer's request, provide the Customer with a signed copy of such supplementary agreement as referred to above.
7.4 Nothing in the Contract or this Assistance Agreement shall be construed as taking precedence over any conflicting clause in the standard contractual clauses.
8.1 If Intro has received a request from a data subject concerning Intro's processing of the Customer's personal data, Intro shall, without undue delay, inform the Customer thereof. Intro may not respond to such a request without first having received the Customer's instructions, if possible.
8.2 If Intro is obliged to disclose information relating to the processing of personal data pursuant to applicable law, a court order or a decision by a public authority, Intro must first notify the Customer of this without delay, unless otherwise provided by applicable law, a court order or a decision by a public authority.
9.1 Intro shall inform the Customer as soon as possible, but no later than within 48 hours, in the event of suspected unauthorized, accidental or unlawful access, destruction or alteration of personal data held by Intro, and shall provide all necessary and available information that can be assumed to be of material importance to the Customer and which the Customer needs in order to be able to take preventive and countermeasures and to fulfill its obligations regarding notification of incidents to the competent supervisory authority and information to the data subject.
10.1 The Customer, or an independent third party on behalf of the Customer, has the right to carry out inspections to verify that Intro's processing of the personal data is carried out in accordance with the obligations set out in the Data Processing Agreement and in accordance with the Applicable Data Protection Regulation. Such obligation includes, but is not limited to, granting access to Intro's premises and computer equipment to the extent necessary for this purpose. However, the Customer shall give Intro written notice of the inspection no later than four (4) weeks before the inspection. The inspection shall take place during normal working hours and, to prevent information sensitive to Intro, such as but not limited to business secrets, from falling into the wrong hands, the inspection shall take place according to Intro's instructions. The Customer shall ensure that personnel carrying out the inspection are subject to confidentiality or professional secrecy under law or agreement.
10.2 The Customer reserves the right to cooperate with the relevant supervisory authority to the extent provided by law by which Intro is bound. The right to cooperate means, inter alia, that Intro shall:
10.3 provide the necessary information requested by the supervisory authority to fulfill its tasks;
10.4 provide the supervisory authority with access to Intro's premises, computer equipment and personal data collected from the Customer; and
10.5 restrict or cease processing personal data on behalf of the Customer following a decision by the supervisory authority.
11.1 Intro undertakes to establish and maintain appropriate technical and organizational measures to protect the personal data processed against unauthorized, accidental or unlawful access, disclosure, loss, destruction or damage to such personal data. Such measures shall be taken taking into account (i) the technical possibilities available, (ii) the costs of implementing the measures, (iii) the specific risks of the processing, and (iv) the degree of sensitivity of the personal data processed. Such measures include but are not limited to keeping logs of the data, having a security policy, a secure IT environment and establishing security procedures and physical security measures.
11.2 Intro undertakes to grant access to personal data only to such employees or other persons for whom disclosure is necessary for Intro to fulfill its obligations under the Agreement. Intro further undertakes to ensure that all of Intro's employees and other persons who are granted access to personal data undertake to comply with the provisions of this Data Processing Agreement and that they have entered into a special confidentiality agreement or have been informed of the existence of statutory confidentiality or duty of secrecy.
11.3 The aforementioned technical and organizational measures shall include, but not be limited to:
11.4 adoption of a company-wide security policy and instructions for processing personal data within Intro's organization;
11.5 regular training of employees and other staff involved in the processing of personal data, regarding the security policy, instructions and other Applicable Data Protection Regulation;
11.6 the establishment of a secure IT environment, including, inter alia, the necessary security procedures, encryption systems, user authorization and back-up procedures, including the storage of back-up copies; and
11.7 the introduction of the necessary physical security measures, such as access control systems, fire, water and intruder alarms, etc.
12.1 In the event of compensation for damage in connection with Processing to be paid to the Data Subject, by way of a judgment or settlement, due to a breach of a provision of the Processing Agreement, Instructions and/or applicable provision of the Data Protection Regulation, Article 82 of the GDPR shall apply.
12.2 Penalty fees in accordance with the Data Protection Regulation, Article 83, or Act (2018:218) with supplementary provisions to the EU Data Protection Regulation, Chapter 6, Section 2, shall be borne by the party to the Assistance Agreement on which such a fee has been imposed.
12.3 If either party becomes aware of any circumstance that may result in harm to the other party, the party shall immediately inform the other party of the circumstance and actively work with the other party to prevent and minimize such harm.
13.1 The Data Processing Agreement enters into force on the Agreement Date and shall apply for as long as Introfied AB processes personal data on behalf of the Client.
13.2 Upon termination of the Agreement and upon the Customer's express request and instructions, Intro shall without further delay return or, if the Customer so requests, delete all personal data covered by the Agreement. The return, or destruction where applicable, shall be carried out in such a way that Intro does not subsequently have access to such personal data.
13.3 Handover and deletion pursuant to Clause 13.2 of the Data Processing Agreement shall be completed no later than thirty (30) days from the date of the Customer's explicit request pursuant to Clause 13.2 of this Agreement.
13.4 The confidentiality provisions of this Assistance Agreement shall continue to apply even if the Agreement is otherwise terminated.
14.1 Amendments and additions to the Agreement must be in writing and signed by both Parties to be binding.
14.2 In the event of inconsistency between other documents within the Contract and the Data Processing Agreement regarding the processing of personal data, the provisions of this Data Processing Agreement shall prevail.
14.3 This Data Processing Agreement constitutes the entire agreement between the Parties with respect to the matters covered by the Data Processing Agreement and supersedes all prior written or oral commitments.
15.1 Disputes arising from the Assistance Agreement shall be finally settled by arbitration in accordance with the Rules for Expedited Arbitration of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of the arbitration shall be Stockholm, the language of the proceedings shall be Swedish, unless the Parties have agreed otherwise in writing. Swedish law shall apply to the dispute and to the content of the Assistance Agreement.