Mediaflow’s DPA (Data Processing Agreement)
Mediaflow standardises the Data Processing Agreement in line with SKR
Mediaflow provides a standardised Data Processing Agreement (DPA) that is tailored to the service. The majority of our customers are authorities and public sector organisations with high compliance requirements. At the request of several of our larger customers, we have chosen to update our DPA in accordance with the contract template from the Swedish Association of Local Authorities and Regions (SKR).
The purpose of using SKR’s established DPA is to facilitate GDPR-related collaboration for both private and public organisations. We continuously keep our standard DPA for the Mediaflow service updated and adapted. It can therefore be established and signed immediately with you as a customer.
About the agreement
- It is designed to cover the entire service.
- Relying on a publicly recommended standard for a DPA provides reassurance.
- DPAs that are not specifically designed for Mediaflow may lack necessary information, include contractual clauses that are not adapted to the service, or conflict with clauses used by other customers.
- The DPA is updated when new services are introduced or when data protection legislation is amended. Using a customer-specific DPA complicates this process.
- The DPA is carefully adapted to the service in accordance with applicable data protection legislation by experienced GDPR lawyers and is therefore ready to be signed.
Questions and Answers
Mediaflow provides a publicly recommended standard DPA that is adapted to the service and complies with current data protection legislation and GDPR. Because there is a close connection between the services, the terms of service, and the DPA, it is important that these terms and the DPA apply specifically to Mediaflow’s services. Standard DPAs from the ordering organisation rarely cover Mediaflow’s services or adequately regulate the processing of personal data resulting from those services. Mediaflow therefore requires that the DPA provided by us governs Mediaflow’s services and the processing of personal data arising from them, and that no other DPA is submitted to Mediaflow. DPAs received by Mediaflow that do not cover Mediaflow’s services cannot be concluded.
We have revised our processes, and our DPA includes the necessary adaptations. The DPA is continuously updated in accordance with applicable data protection legislation.
Mediaflow has access controls that meet applicable security requirements. Access control within the system is governed by the customer, and Mediaflow ensures that organisational and technical security measures are implemented.
Mediaflow Europe AB engages subcontractors (sub-processors) for certain additional services. To the extent these subcontractors have access to personal data, Mediaflow has entered into DPAs with them in accordance with GDPR requirements. An updated list of our subcontractors is maintained in the DPA.
For Mediaflow Europe AB’s subsidiaries (where a customer has a contract with one of these subsidiaries), Mediaflow Europe AB will be the contracting party for the DPA. Mediaflow Europe AB’s Nordic subsidiary is:
Mediaflow Norge AS
Nydalsveien 33
N-0484 Oslo
Switchboard: 22 15 55 00
Org. no.: 928 123 693
No — data processing in the Mediaflow service takes place within the EU/EEA. Mediaflow Europe AB processes and stores all data on servers in Sweden. From April 2021, we also operate co-location infrastructure in MSB-III-classified data centres in Stockholm with 99.99% SLA compliance. This provides redundant internet and power supply and a compliant operating environment. Interxion is certified according to ISO 27001 and ISO 22301, and Mediaflow has begun the process of ISO 27001 certification.
Within the system, there are no transfers of files, data, or personal information to subcontractors in or outside Sweden. If the customer wishes to use the automatic transcription feature for videos (via the Video Manager module), Mediaflow uses Lingsoft (Finland) as the standard subcontractor. Lingsoft has no subcontractors and handles all data in its Finnish data centres. As part of an optional add-on service, text transcription is also provided by Amberscript (Netherlands). Mediaflow’s sub-processors have entered into specific partner agreements and DPAs in accordance with GDPR, which explicitly state that no personal data may be transferred to third countries outside the EU/EEA.
Mediaflow has established procedures for notifying personal data breaches in accordance with GDPR requirements. These procedures ensure that all notification obligations are met.
Our DPA is continually updated according to the GDPR. The updated agreement must be approved by the customer before the provisions take effect. In practice, approval of the updated terms for most customers will be carried out via the designated contact person who receives the information letter, has the necessary authorisation, approves the DPA for the ordered service, and ensures that the DPA is signed.
The answer depends primarily on which Mediaflow products/services the customer has contracted. The various service appendices in Mediaflow’s DPA list the personal data processed within the different service deliveries.
As a processor in connection with our systems, Mediaflow has no control over whether data subjects are informed about the collection/registration of information stored in the services. The customer (as the controller) is responsible for informing data subjects about the collection/registration of personal data.
Information to registered individuals about where their personal data is stored is the responsibility of the customer (as controller), not Mediaflow (as processor).
As a processor, Mediaflow acts according to instructions from and agreements with the customer (as controller), including regarding data deletion.
Yes — Mediaflow has its own Data Protection Officer (DPO) registered with the Swedish Data Protection Authority (IMY) and a GDPR team of five people who meet regularly and have continuous consultations with expert lawyers on these matters.
Assessment of privacy impacts (DPIA) and risk/vulnerability analyses in line with new data protection legislation and updated regulations around GDPR form a central part of Mediaflow’s GDPR compliance efforts. All new processes, functionality, or services will be subject to risk and vulnerability analysis, and where necessary, a DPIA will be conducted in accordance with GDPR and Article 29 requirements.
Do you have any further questions about the DPA or GDPR?
Contact: privacy@mediaflow.com