Version: 1.0
Effective Date: 2026-05-29
This Data Processing Agreement (“DPA”) forms part of the Line Inspector Terms of Service (the “ToS”) between Mobile Worker Systems Sweden AB (the “Company”, “Processor”) and the customer entity that has entered into the ToS (“Customer”, “Controller”). This DPA applies where the Company Processes Personal Data on behalf of Customer in connection with the Service.
If there is any conflict between this DPA and the ToS regarding the Processing of Personal Data, this DPA will prevail to the extent of the conflict.
Capitalized terms not defined in this DPA have the meaning given in the ToS.
For the purposes of this DPA, “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority”, “Personal Data Breach”, and “Sub-processor” have the meanings set out in the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
“Customer Data” means data, content, and information submitted to the Service by or on behalf of Customer or its Authorized Users, including Personal Data.
“Applicable Data Protection Law” means the GDPR, the UK GDPR (to the extent applicable), and any other data protection and privacy laws and regulations applicable to the Processing of Personal Data under this DPA (including any national implementations or supplements).
Customer is the Controller of Personal Data Processed by the Company on Customer’s behalf in connection with Customer’s use of the Service.
The Company acts as Processor when Processing Personal Data within Customer Data on Customer’s behalf to provide and support the Service, as further described in Annex 1 (Description of Processing).
This DPA does not apply to Personal Data for which the Company acts as Controller, such as account administration contacts, billing contacts, website visitors, and support communications handled for the Company’s own purposes. Those activities are described in the Privacy Policy.
The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are described in Annex 1.
The Company will Process Personal Data only on documented instructions from Customer, including as set out in the ToS, this DPA, Customer’s configuration and use of the Service, and any other written instructions agreed by the parties.
Customer is responsible for ensuring its instructions comply with Applicable Data Protection Law. The Company will promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. The Company is not required to follow instructions that it reasonably believes are unlawful.
The Customer remains solely responsible for determining the lawfulness of the Processing of Personal Data, including the purposes, legal basis, and use of the Service. The Company does not independently verify the legality of Customer’s use of the Service.
Customer authorizes the Company to apply a documented anonymization process to Customer Data and to create Anonymous Statistics as described in Section 6.5.2 of the ToS. Once Anonymous Statistics have been produced, they are not Personal Data and the Company’s use of them is governed by the ToS rather than this DPA. The Company will not attempt to re-identify Anonymous Statistics or otherwise treat them as Personal Data.
Customer, through its account administrator, may opt out of the creation of new Anonymous Statistics at any time by emailing support@lineinspector.com; the Company will give effect to the opt-out within a reasonable period of receipt. The Company is not required to remove or recalculate Anonymous Statistics created before the opt-out takes effect.
For the avoidance of doubt, Processing of Customer Data to provide, support, and secure the Service is governed by Customer’s documented instructions and the rest of this DPA, not by this Section 4.3.
Customer is responsible, as controller, for:
For workforce monitoring features such as GPS location tracking, Customer is responsible for defining lawful and proportionate purposes, providing required notices, selecting an appropriate lawful basis, consulting workers or representatives where required, and completing any required data protection impact assessment or similar assessment.
The Company will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Access to Personal Data is limited to authorized personnel who require access to perform their duties and who are subject to confidentiality obligations.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The Company’s current technical and organizational measures are described in Technical and Organizational Measures (“TOMs”), which is incorporated by reference into this DPA.
The Company will restrict administrative and support access to Customer Data to personnel located in jurisdictions providing appropriate protection under Applicable Data Protection Law, taking into account the region where the Customer Data is hosted. For Customer Data hosted in the EU/EEA, access is restricted to personnel located in the EU/EEA or in other jurisdictions providing adequate protection. Where access involves a restricted transfer under Applicable Data Protection Law, the safeguards described in Section 13 apply. The Company may agree alternative access arrangements in writing or where required by law.
Customer provides a general written authorization for the Company to engage Sub-processors to Process Personal Data on Customer’s behalf, subject to the requirements in this Section 8.
The Company maintains a current list of Sub-processors at Sub-Processor List, which is incorporated by reference.
The Company may update the Sub-processor list from time to time. The Company will provide notice of any intended new Sub-processor by emailing Customer’s account administrator or other notice contact and by updating the Sub-processor list, in each case at least fourteen (14) days before the new Sub-processor begins Processing Customer Data.
Urgent replacement. Where the Company must engage a new Sub-processor on an urgent basis to address a security incident, service-continuity issue, or other circumstance that does not reasonably permit fourteen (14) days’ advance notice, the Company will provide notice as soon as reasonably possible, including the reasons for the urgency. Customer’s objection right under this Section 8.3 continues to apply.
If Customer objects to a new Sub-processor on reasonable and documented data protection grounds that materially affect the protection of Personal Data, Customer must notify the Company within fourteen (14) days after notice, before the new Sub-processor begins Processing Customer Data. The parties will work in good faith to resolve the objection, which may include providing additional information, using a commercially reasonable alternative, or limiting the affected Processing where feasible. If the objection is not resolved, Customer may terminate the affected Services by providing written notice to the Company, and the Company will refund any prepaid fees for the terminated portion of the subscription (if any). Nothing in this Section 8.3 limits Customer’s rights under Applicable Data Protection Law.
Where the Company engages a Sub-processor, the Company will impose data protection obligations that are no less protective than those set out in this DPA, including by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
The Company remains responsible to Customer for the performance of the Sub-processor’s obligations.
Taking into account the nature of the Processing, the Company will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights under Applicable Data Protection Law (including, where applicable, rights of access, rectification, erasure, restriction, portability, and objection). Where permitted, the Company may direct the Data Subject to Customer.
The Company will assist Customer in ensuring compliance with Customer’s obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of Processing and the information available to the Company.
The Company provides standard assistance under this Section 9 and Section 11 at no additional cost where the Service includes self-service tools or standard functionality sufficient to support Customer’s obligations. Where Customer requests assistance that requires substantial Company time and resources beyond such self-service tools and standard functionality (including, for example, complex custom data extraction, bespoke Data Subject request handling, or extended assistance with impact assessments or prior consultation), the Company may charge reasonable time and materials fees for such assistance. The parties will agree on scope and fees in advance where practicable.
The Company will, where required under Applicable Data Protection Law and taking into account the nature of the Processing, cooperate with Supervisory Authorities in relation to Processing carried out under this DPA.
The Company will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA.
Where feasible, the Company will provide an initial notification promptly after confirming a Personal Data Breach and will provide further information in phases as it becomes available.
The notification will include information reasonably available to the Company, such as the nature of the breach, categories and approximate number of Data Subjects and records concerned (if known), likely consequences, and measures taken or proposed to address the breach.
Upon termination or expiry of the ToS (or, where applicable, the relevant Order Form), the Company will, at Customer’s choice and as available through the Service: (a) return Customer Data to Customer in a structured, commonly used, and machine-readable format, and/or (b) delete Customer Data, except to the extent storage is required by Applicable Data Protection Law.
Unless Customer requests earlier deletion, the Company will retain Customer Data for up to ninety (90) days after termination to allow Customer to export data or reinstate service. After this period, the Company will delete or anonymize Customer Data in accordance with its deletion procedures.
Customer acknowledges that residual copies of Customer Data may persist in backups for a reasonable period of time in accordance with the Company’s backup rotation and disaster recovery practices. The Company will continue to protect any such residual data in accordance with this DPA and will delete it in the ordinary course of backup rotation.
Customer may export Customer Data or request reasonable assistance with export and switching as described in Section 6.7 of the ToS. The Company will provide such assistance in accordance with the timeline, format, retrieval, deletion, continuity/security, and charge provisions set out in the ToS. This Section 11.4 does not limit Customer’s rights under Applicable Data Protection Law (including portability under GDPR Article 20) or the EU Data Act where applicable.
The Company will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, as required by GDPR Article 28(3)(h), subject to the following:
Where reasonable, the Company will satisfy audit requests by providing relevant third-party audit reports or certifications (if available) and/or written responses to reasonable audit questionnaires, instead of on-site inspections, except where a Personal Data Breach has occurred or Customer has a reasonable basis to suspect non-compliance.
The Company hosts Customer Data with the cloud infrastructure providers identified in the Sub-Processor List. The Service is currently operated in regions located in the EU/EEA; additional regions may be used in the future as identified in the Sub-Processor List. The Company restricts administrative and support access to Customer Data as described in Section 7.2.
Where any Sub-processor listed in the Sub-Processor List Processes Personal Data outside the EU/EEA, or otherwise makes a restricted transfer under Applicable Data Protection Law, the parties rely on appropriate safeguards including, as applicable, an adequacy decision, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the EU-US Data Privacy Framework, or another lawful transfer mechanism, together with supplementary measures such as encryption in transit and at rest and limiting the categories of Personal Data shared with each Sub-processor to what is necessary for the relevant purpose. The Company incorporates these mechanisms by reference through its data processing agreements with each affected Sub-processor.
The Company will assess international transfers on an ongoing basis and, where required under Applicable Data Protection Law, perform and document transfer risk assessments to evaluate whether the laws and practices of the destination country may affect the level of protection of Personal Data.
Where necessary, the Company will implement additional contractual, technical, or organizational safeguards to ensure that Personal Data remains protected to a standard essentially equivalent to that provided under EU law.
Government Access Requests
Where the Company receives a legally binding request from a public authority for access to Personal Data, the Company will assess the validity and scope of the request and, where reasonably appropriate, challenge requests that are unlawful, disproportionate, or overbroad.
Where permitted by law, the Company will make reasonable efforts to notify Customer before disclosing Personal Data so that Customer may seek protective measures.
The Company will limit any disclosure to what is legally required and apply appropriate safeguards to protect Personal Data in connection with such requests.
Unless otherwise stated in the ToS, the liability provisions (including limitations of liability) set out in the ToS apply to this DPA.
This DPA becomes effective on the Effective Date or on the date Customer first uses the Service (whichever is earlier) and remains in effect until the Company no longer Processes Personal Data on behalf of Customer under the ToS.
Customer may contact the Company regarding this DPA at support@lineinspector.com or at the Company address set out in the ToS.
The subject matter is the Processing of Personal Data within Customer Data in order to provide and support the Line Inspector service. The duration is for the term of the ToS and any post-termination retention period described in this DPA.
Processing activities may include: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission (as directed by Customer), alignment/combination, restriction, erasure, and destruction of Personal Data, to:
Customer Data may include, depending on Customer’s use of the Service:
Data Subjects may include:
Recipients may include:
Customer should not upload Special Categories of Personal Data (as defined in GDPR Article 9) unless strictly necessary and Customer has ensured a lawful basis and appropriate safeguards. If Customer chooses to Process Special Categories of Personal Data through the Service, Customer remains responsible as Controller for establishing a lawful basis and meeting additional compliance requirements.