Current changes and additions to the Access Agreement
Amendments November 2024
Appendix 1 – General Terms and Conditions as of 28 November 2024
In the General Terms and Conditions, in addition to small editorial changes, the following main amendments have been made:
The Main Administrator role has generally been replaced by Super User, which is also a defined role in the IA System. The role Main Administrator was previously the contact person in the General Terms and Conditions. This is replaced by "Contact person", which is the person that Afa Försäkring contacts when, for example, the Access Agreement is updated.
Section 5.3 has been updated with terms stating that a change to a new Contact Person shall be made by using the form “Change of Contact Person”, which is published at https://www.iasystemet.se/en
Section 6.3 has been adjusted, and the development of unique system solutions has been removed as an example of additional services that can be provided.
Section 14.1 has been updated to include a form for notice of termination of the Access Agreement. This form is accessible at https://www.iasystemet.se/en
Section 15.3 covers amendments and additions to the Access Agreement. It has been added to this section that the amendments and additions will be published at https://www.iasystemet.se/en 30 days before the change enters into force, and that an e-mail is also sent to the Contact Person.
Appendix 2 – Data Processing Agreement as of 28 November 2024
In the Data Processing Agreement, apart from a limited number of minor editorial changes, the following material amendments have been made:
Section 3. Obligations of the Data Processor
Section 3.1 has been clarified by stating that the instructions to the Data Processor in the Data Processing Agreement are exhaustive, and the scope of the instructions has been clarified.
Section 3.2 of the Data Processing Agreement, dated May 2023, with the following wording has been removed:
“Should the Data Controller present new instructions that go beyond the provisions contained in this Data Processing Agreement or the Access Agreement and which are not necessary to comply with Applicable Legislation, the Data Processor shall be entitled to remuneration in accordance with the Data Processing Agreement’s price list applicable from time to time, or as agreed between the Parties.”
Section 3.4 has been added with the following wording:
“The Data Processor undertakes to, taking into account the nature of the Processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.”
Section 3.5 has been updated with the obligation that the Data Processor must immediately notify the Data Controller if the Data Processor is unable to meet its obligations set forth in the Data Processing Agreement.
Section 4. Security measures
4.1 Obligation to take technical and organisational measures to protect Personal Data
Section 4.1.1 has been updated to state that the Data Processor shall take appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure that the Personal Data Processed are protected.
Section 5. Personal Data Breach
Section 5.4 has been added as a new term and has the following wording:
“In the event of a Personal Data Breach that is likely to result in a high risk to the rights and freedoms of the Data Subject, the Data Processor must provide the Data Controller, without undue delay, with such information that the Data Controller is required to provide in accordance with Applicable Data Processing Legislation.”
Section 6. Access to information and the right to audit
Section 6.2 has been updated to include that the Data Processor must, “if requested”, give the Data Controller access to all information necessary to show that the Data Processor has met its obligations set forth in Article 28 of the GDPR.
Section 6.4 has been adjusted to include that the Parties shall cooperate and make all relevant information available to the supervisory authority.
Section 7. Engaging Sub-processors
Section 7.1 has been clarified regarding the right for the Data Processor to engage other data processors.
Section 9. Liability
Section 9.1: The Data Processor’s limited liability regarding the maximum amount of compensation has been removed.
Section 9.2 of the Data Processing Agreement, dated May 2023, with the following wording has been removed: “The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or court under Applicable Personal Data Legislation.”
Section 11. Return of Personal Data
This section has been adjusted to state that the Personal Data cannot be deleted if Union or Member State law requires storage of the Personal Data.
Appendix 2.1
Description of the Processing of Personal Data Subject to this Data Processing Agreement
Some clarifications have been made regarding categories of personal data that are processed.
Appendix 3 – IA System security as of 28 November 2024
We have conducted a comprehensive update of the appendix. The chapters have been rewritten to improve clarity and relevance. We have updated each section with current information and made several changes to reflect the latest safety requirements related to our work process.
One of the most significant updates is that the appendix now includes information about our ISO 27001 certification, which highlights our commitment to maintaining a high level of information security. This certification means that we continuously work to improve our security procedures through regular internal and external audits. This is an important part of our security work and something we want to emphasize in the updated appendix.
In addition to general updates, the following updates are particularly noteworthy:
1. Focus on API: The appendix provides a more detailed description of API management, including version control and logging of imports/exports.
2. Specific encryption: Encryption of data at rest and in transit is described in more detail in the appendix, including specifications of TLS 1.2 and at least AES128.
3. Personnel security: The document places greater emphasis on confidentiality, background checks, and training for personnel handling the IA system.
Amendments June 2023
Appendix 1 – General Terms and Conditions as of 29 June 2023
A review of the General Terms and Conditions has been performed, in which the structure has been adjusted and clarifications and additions have been included. For example, clarifications regarding intellectual property rights have been made in Clause 9 (Intellectual Property Rights and Data), and conditions regarding the parties’ liability in the event of infringement have been added in item 13 (Infringements of Intellectual Property Rights).
Appendix 2 – Data Processing Agreement as of 29 June 2023
In the Data Processing Agreement, in addition to some minor editorial changes, the following material amendments have been made:
Section 3.2: The first sentence has been clarified with the following: “[…] and which are not necessary to comply with Applicable Legislation, […]”.
Section 5.2, second paragraph: The last sentence has been clarified to state that the Data Processor’s right to remuneration is applicable “[…] if the Data Breach is due to circumstances over which the Data Processor had no control.”
Section 7.4: A clarification has been included regarding information about a new sub-processor: “Information about a new Sub-processor will be published on https://iasystemet.se/en/amendments-and-additions-to-the-access-agreements/ ninety (90) days before the change enters into force.”
Section 7.5: A clarification has been included regarding the Data Controller’s right to terminate the Access Agreement before the change of sub-processor occurs: “The Data Processor also has the right to terminate the Access Agreement up and until the day on which the change of Sub-processor enters into force by notifying the Data Controller in writing. Continued use of the IA System after the change of the new Sub-processor has entered into force means that the change in Sub-processors is considered to have been accepted by the Data Controller.”
Appendix 2.1 Description of the processing of Personal Data Subject to this Data Processing Agreement: The table has been clarified with information about the geographical location of processing of personal data of the Data Processor and its sub-processor.
Appendix 3: IA System security as of 29 June 2023
Minor changes.
Amendments June 2022
Appendix 3 – IA System Security has been developed with more detailed wording but does not include any substantive changes.
Amendments November 2021
Appendix 2 – Data Processing Agreement
Clause 6.3: “Swedish Data Protection Authority (Datainspektionen)” is replaced by “Supervisory Authority”.
Clause 12.1.3: Previous wording: it is the understanding of the Data Processor that it is possible to rely on another exemption for the transfer of Personal Data under Applicable Personal Data Legislation.
New Wording 12.1.3: it is possible to rely on another exemption for the transfer of Personal Data under Applicable Personal Data Legislation
Appendix 3 – IA System security
Clause 12.2 Browsers and tools. A reference to the terms of use and privacy policy for Google Maps is added.
Appendix 2 – Data Processing Agreement
Section 12.1.2 has been clarified with the text […] as well as other necessary protective measures required in the individual case; […].
Section 12.3: If Data Processor intends to transfer Personal Data to a third country, the Data Processor shall, before such transfer takes place, inform the Data Controller of this.
Amendments June 2020
Appendix 1 – General terms and conditions
In Appendix 1 - General Terms and Conditions, apart from minor editing changes, the main changes are as follows:
Clause 15.1: The agreement can be terminated with a notice period of 6 months (previously 30 days) for the Supplier and a notice period of 30 days for the User Company.
Clause 6.2: In the event of planned downtimes, the User Company will be notified by information about them published in the IA system prior to the downtime occurring.
Clause 8: The division of responsibility between AFA Trygghetsförsäkring and the User Company in respect of personal data has been clarified for the purpose of further explaining which personal data processing each party is responsible for.
Clause 12.2: For additional services such as technical systems support, the cost will be SEK 1200 per hour.
Amendments March 2020
Appendix 1 - General terms and conditions
In Appendix 1 - General Terms and Conditions, apart from minor editing changes, the main changes are as follows:
Clause 3.2: Amendments and additions to the Association Agreement will be published at https://www.afaforsakring.se/ia/amendments.
Clause 3.3: The User Company is entitled to withdraw from the Association Agreement up to and including the date that the change in terms and conditions comes into force.
Clause 6.2: In the event of planned downtimes, the User Company will be notified by information about them published in the IA system prior to the downtime occurring.
Clause 8: The division of responsibility between AFA Trygghetsförsäkring and the User Company in respect of personal data has been clarified for the purpose of further explaining which personal data processing each party is responsible for.
Clause 12.2: For additional services such as technical systems support, the cost will be SEK 1200 per hour.
Appendix 2 - Personal Data Processing Agreement
In Appendix 2 - Personal Data Processing Agreement, apart from minor editing changes, the main changes are as follows:
Clause 7.3 (new): The sub-processors processing the personal data on behalf of the User Company must always be listed on https://www.afaforsakring.se/ia/subcontractors.
Comment: This provision is new and is intended to make it easier for the User Company to exercise its responsibility for checking who is performing the processing of the personal data. However, in accordance with Clause 7.4, AFA Trygghetsförsäkring will always, and without unnecessary delay, inform the User Company in writing of its intention of engaging a new sub-processor.
Clause 9 (formerly 7): The liability provision has been changed to make it clearer that it takes account of Article 82 of GDPR with regard to responsibility for fines and the possibility of limited liability and recourse in relation to claims for damages from data subjects.
Clause 12 (formerly 10): AFA Trygghetsförsäkring shall only be entitled to transfer personal information belonging to the User Company to a third country where the following conditions are fulfilled:
- the third country guarantees an adequate level of security for personal information in accordance with a decision handed down by the EU Commission;
- there are suitable security measures in place in accordance with the applicable personal data legislation, e.g. standardised data protection provisions adopted by the EU Commission which cover the transfer and processing of personal data; or
- in the opinion of the Data Processor, it is possible to rely on another exemption under applicable personal data legislation for the transfer of personal data.
Comment: This provision means that the transfer of personal data to a third country can only be done in accordance with the rules in Chapter V of the GDPR.