Bricknode Personal Data Processing Agreement


Effective starting: 2018-05-25 

This Bricknode Personal Data Processing Agreement (the “Agreement”) is between you (“Personal Data Controller” or “Customer”) and Bricknode Platform AB (“Personal Data Processor” or “Bricknode”) (company number 559040-5709) with primary place of business at Lögegatan 11, 541 30 Skövde, Sweden.

In the event that the Customer acts as a personal data processor, Bricknode is instead a sub-processor.

If you are agreeing to this Agreement not as an individual but on behalf of your company, then “Customer” or “you” means your company, and you are binding your company to this Agreement. 


  1. Scope of the Agreement

According to the Bricknode Customer Agreement you are going to use Bricknode Products as a tool for managing Your Data which you are responsible for according to the General Data Protection Regulation EU2016/679, referred below to as “GDPR”.

The Agreement governs the processing of personal data that the Customer makes available to Bricknode on behalf of the Customer and the level of privacy that shall be attained during the processing.

  1. Agreement documents

The following documents are integrated parts of this Agreement:

Annex 1 – Security Measures

In the event that content of the documents does not match, the main document takes precedence over the annex.

  1. Definitions

To the extent GDPR contains concepts equivalent to those used in this Agreement, such concepts shall be construed and applied in accordance with the definitions set out in the GDPR.

  1. Obligations of the Personal Data Controller

The Customer undertakes to ensure that there is a legal basis for all processing of personal data that Bricknode treats in accordance with this Agreement.

The Customer shall provide all necessary information to enable Bricknode to fulfil its contractual obligations towards the Customer.


The Customer undertakes to inform Bricknode without delay of any circumstances that may affect Bricknode’s obligations pursuant to current Data Protection Act, other relevant legislation or this Agreement.

  1. Obligations of the Personal Data Processor


5.1. Processing of personal data

Bricknode is required to observe the applicable Data Protection Act or other relevant legislation in respect of the processing of personal data.

Bricknode shall only process the personal data according to documented instructions from the Customer. The Customer agree that this Personal Data Processing Agreement, Bricknode Customer Agreement together with the customer's use and configuration of functions in Bricknode products is the customer's complete and final documented instructions for the processing of personal data.

The Customer and Bricknode agree that:

The subject of the processing is limited to personal data according to GDPR.

The duration of the processing depends on the Customer's right to use Bricknodes products and until all personal data has been deleted or returned upon termination of the Agreement.

Bricknode use the personal data to provide, support and improve the services described in the Bricknode Customer Agreement in order to fulfil our contractual agreements with you.

All kinds of personal information that directly or indirectly attribute to a natural person who is alive may, depending on what the customer chooses to implement in Bricknode products, be covered by the processing of this Agreement.

The following categories of data subjects may be covered by the processing under this agreement; end customers.

Bricknode shall, without undue delay, inform the Customer in the event that the personal data processing is in contrary of current Data Protection Act, other relevant legislation or this Agreement.

5.2. Secrecy

Bricknode must ensure that any person who will process personal data under this Agreement is either bound by a confidentiality clause or by a statutory duty of confidentiality.

5.3. Security

The Personal Data Processor shall take appropriate technical and organizational measures to protect the Personal data processed under this Agreement. Annex 1 to this Agreement sets out the security measures that Bricknode has taken in this regard.

If, after review by the supervisory authority or you, it appears that additional measures need to be taken in this regard, the annex shall be changed immediately. You will be allowed full disclosure of security measures listed in Annex 1 to meet the GDPR’s requirements for the Customer.


Bricknode shall enable and contribute to the inspections that the supervisory authority, you or other interested party, according to the GDPR, may require in order to ensure the maintenance of a proper processing of personal data. Any reasonable costs incurred by Bricknode for such inspections will be paid by you and will be invoiced by Bricknode to you separately from any other fees according to the Bricknode Customer Agreement.

Bricknode shall assist the Customer as necessary in providing information that is requested by a third party.

5.4. Incident reporting

In case of a suspicious or discovered security incident, Bricknode shall immediately investigate the incident and take appropriate measures and corrective actions. 

Bricknode shall inform the Customer without undue delay and in all circumstances within 72 hours, after having become aware of a security incident.

A notification as set out above shall contain all the information required by the Customer to fulfil its obligations in relation to the supervisory authority.

5.5. Impact assessments and prior consultation

Bricknode shall, where necessary and upon request, assist the Customer in fulfilling its obligations according to GDPR concerning the performance of data protection impact assessments and prior consultation of the supervisory Authority.

5.6. Performance of obligations relating to the rights of the data subjects

Bricknode shall, where necessary and upon request, assist the Customer through appropriate technical and organisational measures, to the extent possible, in order to enable the Customer to help the data subjects to use their rights, such as removal- and correction of data, data portability etc. in accordance with GDPR or unless other legislation requires certain actions.

If Bricknode receives a request directly from a data subject to exercise its rights in accordance with GDPR, Bricknode shall refer the data subject to make a request to the Customer. The Customer is responsible for responding to such requests.

5.7. Audits and inspections

The Customer shall be entitled, itself or through third parties, to conduct an audit of Bricknode or otherwise verify that Bricknode’s processing of personal data complies with the Agreement and applicable provisions. In the event of such an audit or inspection, Bricknode shall provide the Customer with the assistance necessary for carrying out audits.

Bricknode shall, upon request and without undue delay, demonstrate compliance with the contractual obligations and the applicable provisions as well as enable the Customer to carry out the necessary audits and inspections. Bricknode is entitled to compensation for reasonable costs that may occur during the Customer’s performance of audits and inspections.

5.8. Subcontractors

Bricknode may use subcontractors to process personal data that the Customer is responsible for according to GDPR.


Bricknode undertakes to ensure that the subcontractor is bound to similar conditions for processing of personal data as those stipulated in this Agreement and the Bricknode Customer Agreement.

5.9. Transfer of personal data to third countries

Bricknode may transfer personal data to a country outside the EU/EEA based on a decision on adequate level of protection as referred to in article 45 in the GDPR or where the transfer is subject to appropriate security measures pursuant to articles 46-47 or exception in article 49 in the GDPR.

  1. Data return and deletion after termination of the Bricknode Customer Agreement

Upon termination of the processing of Personal data by Bricknode, the Customer have 60 days to export data from Bricknode Products. After 60 days from termination Bricknode will delete all data from Bricknode Products.If applicable laws prevent Bricknode from deleting/destroying personal data, Bricknode will only process this Personal data in order to comply with current laws.

  1. Indemnity

Bricknode should keep you harmless in the event that you incur damage that is attributable to Bricknodes processing of personal data in violation of this Agreement or the Annexes to the Agreement. Unless intent or gross negligence, the maximum liability for Bricknode shall be limited, per calendar year, to the direct damages to a total amount of 10% of the annual fee that you have paid to Bricknode for the purchase of Bricknode Products. Bricknode is not responsible for any lost profits or other indirect damage or loss incurred by you.

  1. Term and termination

This Agreement shall enter into force by 25thMay 2018 and remain in effect as long as Bricknode is processing data on behalf of the Customer.

  1. Supplements and amendments of this Agreement

Bricknode may modify this Agreement from time to time, subject to the terms in clause 28 (Changes to this Agreement) in the Bricknode Customer Agreement.

  1. Disputes

The agreement shall be interpreted and applied in accordance with Swedish law. Disputes concerning interpretation or application of this Agreement shall be governed by the provisions of dispute in the agreements that form the basis for cooperation between you and Bricknode, the Bricknode Customer Agreement.

Annex 1 – Security measures




Bricknode shall comply with the General Data Protection Act (GDPR).



The employees, consultants and other assistants and aides of Bricknode is either bound by a confidentiality clause or by a statutory duty of confidentiality.

Bricknode undertakes to ensure that all persons working under his leadership comply with the stipulations of this Agreement, the instructions and also to be informed of the relevant legislation.



Bricknode should have a record regarding how Customer data are stored.


Access control

Employees, consultants and other assistants and aides of Bricknode shall only have access to personal data they need to perform their duties for the fulfillment of contractual agreements with you.

Bricknode must have an access control system that prevents unauthorized access to personal data.

Bricknode should use secure routines to identify and authenticate users of Bricknode´s system.



Bricknode should have processes for restoring Customer data.

Bricknode log all sorts of events in the system.


Security policy

Bricknode should have an updated and implemented security policy that specifies how personal data are processed, to whom employees can turn if an intrusion or other incident has occurred, which employees have access to the type of data. The policy should be formulated after a risk analysis has been made to map the threats to personal data. The policy should also consider backup procedures, contingency plans etc.


Security incidents

Bricknode shall report security incidents concerning the Customer data to the Customer with no delay and in all circumstances within 72 hours.


Security software

Bricknode should have current and up-to-date antivirus software and virus definitions installed on all workstations, desktops, laptops and servers.



The premises that Bricknode uses should be protected against fire, water damage and intrusion.




Data traffic and security backups are encrypted.