DPA Europe (GDPR)
GDPR-specific data processing terms for European customers.
1. Scope
This DPA Europe supplements the standard Data Processing Addendum with specific provisions required under the General Data Protection Regulation (GDPR) for the processing of personal data of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.
2. Roles and Responsibilities
For the purposes of GDPR:
- Customer is the Data Controller
- Cention is the Data Processor
Each party will comply with its respective obligations under GDPR.
3. Lawful Basis for Processing
Controller is responsible for ensuring a lawful basis exists for the processing of personal data. Processor will process personal data only in accordance with Controller's documented instructions.
4. Data Subject Rights
Processor will assist Controller in fulfilling obligations to respond to data subject requests under GDPR Articles 15-22, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
5. Security Measures (Article 32)
Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymisation and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, and availability
- Ability to restore availability and access in a timely manner
- Regular testing, assessing, and evaluating effectiveness of measures
6. Data Breach Notification (Articles 33-34)
Processor will notify Controller without undue delay (and within 48 hours where feasible) of any personal data breach. Notification will include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
7. International Transfers (Chapter V)
Personal data will not be transferred outside the EEA unless one of the following applies:
- The destination country has an adequacy decision
- Standard Contractual Clauses (SCCs) are in place
- Binding Corporate Rules apply
- Another valid transfer mechanism under GDPR exists
We use the European Commission's Standard Contractual Clauses (2021/914) for international transfers.
8. Data Protection Impact Assessments
Processor will assist Controller in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities where required.
9. Records of Processing Activities
Processor maintains records of processing activities carried out on behalf of Controller as required by Article 30(2), including:
- Categories of processing carried out
- Transfers to third countries
- Description of technical and organisational security measures
10. Data Protection Officer
Cention has appointed a Data Protection Officer, who can be contacted at dpo@cention.io.
11. Supervisory Authority
Cention's lead supervisory authority is the Swedish Authority for Privacy Protection (IMY).
12. EU Representative
As Cention is established in the EU (Sweden), no EU Representative under Article 27 is required.