Data Processing Agreement
(last updated: 4th June, 2021)
1. Scope
1.1 This Data Processing Agreement is an Appendix to the Agreement between the Supplier and the Customer. This Data Processing Agreement covers all Processing of Personal Data under and in connection with the Agreement.
1.2 This Data Processing Agreement is an integral and inseparable part of the Agreement and is subject to the terms and conditions of the Agreement.
2. Definitions
2.1 “Agreement” means the Agreement between the Customer and the Supplier concerning the provision of the Supplied Services, always including the Platform of Trust General Terms of Service.
2.2 “Controller” means anyone who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
2.3 “Data Protection Regulation” means the General Data Protection Regulation (679/2016) of the European Union, any other applicable national data protection provisions, and any regulations and instructions issued by the data protection authorities.
2.4 “DPA” means this Data Protection Agreement.
2.5 “Personal Data” means any information relating to an identified or identifiable living natural person.
2.6 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.7 “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on the behalf of the Controller.
2.8 “Sub-Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data for a Processor and on the behalf of the Controller.
2.9 “Supplied Service(s)” shall mean the Service set out in the Agreement as well as any other services agreed to be supplied to the Controller by the Supplier under the Agreement.
3. Roles
3.1 Unless agreed otherwise, the Customer is the Controller of Personal Data processed under this DPA and the Supplier is a Processor of such Personal Data.
3.2 In cases where the Customer processes Personal Data to which a third party is the Controller, the Customer is a processor of such Personal Data and the Supplier is a Sub-Processor. In this case, what has been set out as regards the rights of the Controller shall apply to the Customer as the processor of the Controller’s Personal Data, and the Controller shall use its rights through the Customer.
3.3 The Supplier is never a Controller of any Personal Data processed under this DPA. For clarity, the Supplier may be a Controller for Personal Data it has collected under its applicable Privacy Policy, but such Personal Data is solely subject to the Supplier’s Privacy Policy.
4. Nature and purpose of processing
4.1 Nature and Purpose
4.1.1 The Supplier Processes the Controller’s Personal Data in order to provide the Supplied Services. In the course of the provision of the Supplied Services the Supplier will Process Personal Data for the purposes of delivery of the Supplied Services, billing, Controller support, prevention and investigation of errors or misuse of the Supplied Services, measuring quality and performance of the Supplied Services and for the further development of the Supplied Services.
4.2 Scope and Duration
4.2.1 The Supplier Processes the Controller’s Personal Data to the extent such processing is necessary for the purposes set out in Section 4.1.1 above. In any case, the Supplier will Process the Personal Data for as long as the Controller is using the Supplied Services. Upon the termination of the Agreement for any reason, the Supplier shall cease to Process the Personal Data and shall return to the Controller or delete the Personal Data in the manner described in the Platform of Trust General Terms of Service.
4.3 Types of Personal Data and categories of data subjects
4.3.1 Categories of data subjects may include Customer’s or its end-customers or their service providers’ contact persons, employees, users, clients and other natural persons whose Personal Data Customer elects to process via the Supplied Services, the extent of which is determined and controlled by the Customer.
4.3.2 Types of Personal Data include Personal Data that Customer or its users have submitted, stored, sent or received via the Supplied Services such as name, contact information, role and data subject’s other attributes, the extent of which is controlled by the Customer.
5. Controller's responsibilities and rights
5.1 The Controller shall take all necessary measures to ensure that the Controller acts in full compliance with the Data Protection Regulation when the Controller uses the Supplier to Process such Personal Data.
5.2 The Controller has the right to give binding written instructions to the Supplier on the Processing of Personal Data. The Parties note that the Agreement, and in particular this DPA, constitutes the Controller’s exhaustive binding instructions as regards the processing of Personal Data under the Agreement.
5.3 The Controller shall be solely liable for having all the necessary rights, consents and agreements for the Processing of Personal Data as described in the Agreement. The Controller shall be liable for the documentation of the Processing. The Customer is responsible for the validity and integrity of the Personal Data it provides to the Supplier. The Controller shall also be responsible for communicating with the Data Protection authorities as well as providing them with all the necessary notifications. The Controller is responsible for drafting necessary privacy notices and providing them to the Data Subjects.
6. Processor's responsibilities and rights
6.1 The Supplier shall Process Personal Data in compliance with the Data Protection Regulation and in accordance with the Agreement and the Controller’s binding written instructions. The Supplier shall notify the Controller without undue delay if the Supplier considers that the Controller’s instructions infringe the Data Protection Regulation. In such event, the Supplier also retains the right to immediately stop following the Customer’s instructions and cease all Processing activities. The Supplier is entitled to postpone the Processing until the Customer either changes the instructions or until the Parties have otherwise agreed on the Processing.
6.2 The Supplier shall keep the Controller’s Personal Data confidential and shall not disclose such Personal Data to any third parties or use the Personal Data in any other way in contradiction with the Agreement. The Supplier shall also ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 The Supplier shall implement all appropriate technical and organisational measures necessary in order to combat and protect the Personal Data against unauthorised or unlawful Processing and protect the Personal Data against unintentional loss, change, destruction or damage. During the implementation of the Supplied Services, the sensitivity of the Personal Data as well as the costs of the obtainable technical options will be taken into consideration in proportion to the special risks related to the Processing. The Customer shall notify the Supplier about all information related to the Personal Data, which could affect the organizational and technical measures pursuant to this DPA. Such information could be, e.g. different risk analyses, the type and sensitivity of the Personal Data as well as information relating to special categories of Personal Data.
6.4 The Supplier shall assist the Controller (taking into consideration the nature of Processing) by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to and to fulfil requests from data subjects exercising their rights laid down in Chapter III of the GDPR.
6.5 Supplier shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (implement security measures, manage Personal Data breaches, conduct data privacy impact assessments and participate in prior consultations with the supervisory authority) taking into account the nature of the Processing and the information available to Supplier. The Supplier is obligated to assist the Controller only within the limitations of what is set out in the Legislation regarding obligations of the Processors of Personal Data.
6.6 The Supplier shall make available to the Controller all information necessary for the Controller to demonstrate its compliance with the obligations of a Controller.
6.7 The Supplier shall without delay inform the Controller of all requirements and inquiries made by the data subjects or data protection authorities concerning the Controller’s Personal Data. The Supplier is not obligated to represent the Controller nor act on behalf of the Controller with respect to the Data Protection Authorities.
6.8 The Supplier is entitled to collect anonymous and statistic data related to the services pursuant to the Agreement. The data does not specify the Customer nor the Data Subjects and is used for analytic and development purposes.
7. Personal data breaches
7.1 The Supplier shall inform the Customer of all Data breaches related to the service without undue delay after receiving such information.
7.2 Upon request, the Supplier shall without undue delay provide the Customer with all relevant information related to the Data breach. If available, the following information shall be attached to the notification:
7.2.1 a description of the data breach and the circumstances leading to it;
7.2.2 a description of the nature of the data breach, including, when possible, the sets of Data Subjects and the estimated number affected by the breach as well as the sets of Personal Data types and the estimated number affected by the breach;
7.2.3 a description of the likely consequences caused by the breach; and
7.2.4 a description of the reparative measures taken or planned to be taken in order to avoid such data breaches in the future, and when necessary, the measures taken to minimize the harmful effect of the data breach.
7.3 The Supplier shall examine all the circumstances that led to the breach and enact reparative measures in order to minimize the harmful effects of the breach and to prevent data breaches in the future. The Supplier shall document this process and report the results and measures carried out to the Customer. The Controller is responsible for providing all the necessary notifications to the Data Protection Authorities.
8. Audit
8.1 The Controller has the right, at its own cost, to audit the Supplier’s and its sub-Processor’s compliance with this DPA. Unless otherwise agreed, the Controller shall appoint an independent third-party expert as an auditor. The auditor cannot be a competitor of the Supplier. The Supplier has the right to reject an auditor that does not meet this criterion.
8.2 The Controller shall notify the Supplier of the audit no less than two (2) weeks in advance. The Customer and the Supplier shall agree on the specifications and time of the audit ahead of time and no later than 14 workdays before the audit. The auditor shall commit to confidentiality prior to commencement of the audit. The level of confidentiality obligations shall be at least the same as agreed in the Agreement.
8.3 The auditing shall be performed in a way that does not disrupt the service performance of the Supplier or its Subcontractors and does not impede upon the obligations that they might have towards third parties.
8.4 The Supplier shall participate in the audit at its own cost.
9. Location of personal data
9.1 The Supplier shall be entitled to transfer Personal Data freely within the European Union and the European Economic Area. The Controller is entitled to receive information regarding the location where the Controller’s Personal Data is Processed at any time upon request.
9.2 The Supplier shall not transfer the Controller’s Personal Data outside the European Economic Area without the Controller’s prior written consent unless expressly agreed otherwise in the Agreement.
9.3 If the Customer gives consent for the Processing and authorizes the Processor to enter into agreements on its behalf regarding the provisions and Standard Contractual Clauses about the Controller’s rights and obligations, the Supplier and its Subcontractors are entitled to Process Personal Data in third countries if:
a) the country fulfils the data protection requirements set by the European Commission (Directive 95/46/EC);
b) the party residing outside of the EU/EEA territory is part of the Privacy Shield Personal Data transfer mechanism;
c) the Standard Contractual Clauses are used in the transfer; or
d) the contractual provisions regarding Personal Data protection are otherwise agreed upon in a way that meets the requirements set in Article 46 of the EU Data Protection Regulation.
10. Sub-processors
10.1 The Controller grants the Supplier a general authorisation to engage Sub-Processors located within the European Economic Area. The Supplier undertakes to agree on such Processing of Personal Data with each Sub-Processor in writing so that the Sub-Processor is bound by restrictions regarding Processing that are at least as restrictive as those set out in this DPA.
10.2 The Controller is entitled to receive information of Sub-Processors used by the Supplier from time to time and any changes that the Supplier makes in the use of Sub-Processors. If the Controller does not accept the change of a Sub-Processor, the Controller shall have the right to terminate the Agreement for the part concerning the relevant Supplied Service with immediate effect. If the Controller has reasonable grounds, it is entitled to oppose the use of a new Subcontractor. The Controller shall notify the Supplier of its opposition without delay and no later than 14 days after receiving the notification from the Supplier. If the Parties do not reach a consensus on the use of a new Subcontractor, both Parties are entitled to terminate the Agreement with 30 days’ notice, in so far as the change of Subcontractor would affect the Processing of the Personal Data pursuant to the Agreement.
11. Maintenance, deletion and return of personal data
11.1 During the term of the Agreement, the Controller shall be responsible for the maintenance of its Personal Data and for the deletion of any unnecessary Personal Data. During the term of the Agreement, the Supplier may not delete the Controller’s Personal Data otherwise as set out in the Agreement without the Controller’s explicit request for such deletion. However, the Supplier may correct any obvious errors in such data such as erroneous country codes for telephone numbers on its own initiative as a part of its normal service maintenance operations. The Supplier shall notify the Controller in writing of any performed corrections.
11.2 Upon the termination of the Agreement for any reason, the Supplier shall retain the Controller’s Personal Data for thirty (30) days after the effective date of the termination and make such Personal Data available to the Controller via the Supplied Services. After the thirty (30) day period, the Supplier shall have the right to destroy the Personal Data of the Controller from the Service. The Supplier is entitled to retain Personal Data beyond the period of 30 days if applicable legislation so demands.
13. Service fees
13.1 The Supplier shall be entitled to charge the Controller in accordance with Supplier’s price list as in force from time to time for the tasks the Supplier has performed at the Controller’s request pursuant to this Data Processing Agreement to the extent the performance of such task is not included in the standard Supplied Services fees for the Supplied Service in question.
14. Limitation of liability
14.1 The total aggregate liability of a Party towards the other Party under the Agreement shall not exceed per calendar year an amount corresponding to the fees (excluding VAT) paid by the Controller to the Supplier during the twelve (12) months preceding the event giving rise for the claim.
14.2 A Party shall not be liable for any indirect, incidental, or consequential damages such as loss of profits, revenue or business, damages caused due to decrease in turnover or production or loss, alteration, destruction or corruption of data even if the Party has been advised of the possibility of such damages.
14.3 The limitations of liability shall not apply to damages caused by wilful misconduct or gross negligence.
15. Other provisions
15.1 This DPA enters into force when both Parties have signed the Agreement. This DPA shall remain in force as long as the Agreement is in force or as long as the Parties have obligations that concern Personal Data Processing towards each other.
15.2 If the Parties have obligations that are meant to remain in force after the expiration of the Agreement and this DPA, such obligations remain in force even after the termination of this DPA.
16. Contact persons
16.1 The Controller shall provide the Supplier with the name and contact details of the person(s) within their organisation being responsible for the Processing of the Controller’s Personal Data and data protection.
16.2 Contact information of the Supplier’s Data Protection Officer:
Email: dpo@vastuugroup.fi
Mail:
Platform of Trust Oy
c/o Vastuu Group Oy
Data Protection Officer
Tarvonsalmenkatu 17 B
02600 Espoo
Finland