Last updated 11.10.2019.
This DPA defines binding conditions for the processing of personal data when Supplier processes the Customer's personal data on behalf of clients. This DPA is an integral part of the service agreement (“Agreement”) between Agendium Oy (“Supplier”) and Customer (“Customer”) for the supply of the service (“Service”). If the Agreement is in conflict with this DPA, this DPA will have primacy concerning the processing of personal data. The terms used in this appendix correspond to the terms defined in the EU General Data Protection Regulation. Amendments to the DPA shall be valid only if they are made in writing and if both Parties have confirmed changes with their signatures or confirmation by e-mail.
The roles of the parties
The Customer is the “Data Controller” of the personal data processed by the Service and the Supplier its “Data processor”. For the purposes of the terms of this DPA, “Customer's Personal Data” means personal data relating to individual data subjects over which the Customer is responsible as the Data Controller.
The nature and purpose of the processing of the personal data of the supplier
The purpose of the processing of the personal data of the Supplier is to: 1) ensure the availability and integrity of the data stored in the Customer's service (e.g. backup and logging); 2) secure identification of the users the Customer has invited to the service; and 3) upon request, assist the Customer in various problem situations.
The types of personal data processed by the supplier and the groups of the data subjects
The Supplier may process the personal data of 1) the Customer’s administrators; and 2) other users invited by the administrator. Types of personal data are 1) contact information (name, email address, phone number); 2) technical tags and logs (IP addresses, login log, change log); and 3) the content (messages, recorded descriptions, etc.) stored by the persons themselves.
Customer's right to instruction
The Customer has the right to issue binding written instructions to the Supplier on the processing of personal data. The Supplier processes Customer's Personal Data in accordance with data protection legislation and the written instructions provided by the Customer.
Customer's responsibility for the legality of the processing
The Customer is responsible for the lawfulness of the processing of personal data, such as the existence of legal bases and compliance with processing principles. In addition, the Customer is responsible for providing transparent information to the Data Subjects regarding the processing of personal data. The Supplier does not monitor the content, quality, or timeliness of the personal data provided.
Obligation of the Supplier to point out unlawful instructions
The Supplier shall inform the Customer immediately if the Supplier considers that the Customer's instructions are in breach of data protection legislation.
Transfer of data outside the EU or the EEA
The Supplier has the right to freely transfer personal data within the European Union or the European Economic Area. It is also possible to transfer information outside the European Union or the European Economic Area, in accordance with applicable data protection legislation. The Customer has the right to receive information about the location of the data processing at any time.
Prohibition of other use
The Supplier shall not process or otherwise utilize any personal data it processes under this DPA except for the purpose of performing its obligations under the Agreement.
Removal during processing
During the validity period of the Agreement, the Supplier shall not remove any personal data it processes on behalf of the Customer without the Customer's express request.
Removal after termination of the contract
Upon termination of the Agreement, the Supplier will remove all personal data under the Agreement or, upon request, return it to the Customer and remove any copies thereof.
Right to use Sub-processors
The Supplier has the right to use third-party Sub-processors to process Customer's personal data.
Notice of Adding or Replacing Subcontractors
The Supplier will inform the Customer in writing without unnecessary delay before involving a sub-processor in the processing of Customer’s personal data. If the Customer does not accept the use of the Sub-processors, the Supplier shall have the right to terminate the Agreement with a 30-day notice period.
The responsibility for the activities of the Sub-processors
The Supplier is responsible for the actions of the Sub-processors as their own and makes written agreements with the Sub-processors for the processing of personal data.
Supplier security practices
The Supplier shall take appropriate technical and organizational measures to ensure the processing of personal data in accordance with the requirements of the Agreement. The purpose of the measures is to ensure the lawful processing of personal data and the confidentiality, integrity, availability and fault tolerance of processing systems and services. The Supplier provides more details on security measures to the Customer on the Customer's request. Security practices are constantly being maintained and developed by the Supplier.
Organization of professional secrecy
The Supplier shall ensure that all persons acting under its authority who are authorized to process Customer's personal data are bound by the obligation of professional secrecy or subject to statutory confidentiality.
Assisting in processing the request
The Supplier assists the Customer in fulfilling its obligation to respond to requests for information about the rights of the data subject. Requests may, for example, require the Supplier to assist the Customer in informing and communicating to the data subjects, enabling the data subjects to exercise their right of access, correcting or deleting personal data, implementing processing restrictions, or transferring the personal data of the data subject from one system to another.
Obligation to notify upon receipt of the request
The Supplier shall inform the Customer immediately of any requests made by the data subjects regarding the exercise of the rights of the data subject. The Supplier is not responsible for these requests.
Costs for assisting
Unless otherwise agreed, the Supplier is entitled to invoice the Customer its standard fees for its services, if the assistance causes additional costs to the Supplier. The Supplier is obliged to notify the Customer in advance of any additional costs that may be incurred.
Reporting a security breach
The Supplier shall notify the Customer in writing of any personal data breach that has come to its knowledge without undue delay. In addition, the Supplier undertakes to notify the Customer without undue delay of other service disruptions or problems that may affect the status and rights of the data subjects.
Content of the security breach notification
The Supplier shall provide the Customer with at least the following information about the security breach: 1) a description of the security breach committed, including the groups of the data subjects concerned and the estimated numbers, as well as the categories of the personal data types and the estimated numbers, with the accuracy that is known; 2) the name and contact details of the Data Protection Officer or other person responsible for receiving additional information; 3) a description of the likely consequences of the security breach; and 4) a description of the measures that the Supplier has already taken as a result of the security breach and, if necessary, measures it proposes to further mitigate any adverse effects.
Actions when detecting a security breach
Upon detection of a personal data breach, the Supplier shall immediately take steps to eliminate the security breach and limit and repair its effects.
Right to audit
The Customer or its authorized auditor has the right to verify compliance with the personal data processing obligations of the Supplier or its sub-contracted sub-processors. The Supplier shall allow and participate in audits carried out by the Customer or any other authorized auditor.
Supplier's participation
Upon request, the Supplier shall make available to the Customer all information required by the Customer to demonstrate compliance with the obligations imposed on the Data Controller, and shall, upon request, participate in the preparation and maintenance of descriptions and other documents required from Data Controller, such as impact assessment, and in preparation to any prior consultations required from Customer under the GDPR.
Cost of auditing
The parties carry their own costs caused by the audit process.
Damages and administrative fines for damage caused to the data subjects
Each party is obliged to pay a proportion of the damages and administrative fines imposed that corresponds to the level of liability assigned to it by the Data Protection Supervisor or the court in the final decision on the damages.
Damages between the parties
A Party's liability for damages to the other Party is no more than 100 percent of the annual fee of the Service, excluding VAT. The Party is not liable for any indirect damage. For example, loss of profit or loss resulting from the reduction or interruption of production or turnover is considered indirect damage. However, no limitation of liability shall be applicable to damage or losses arising out of a breach of any specified confidentiality obligations, the provisions concerning Intellectual Property Indemnification, or an act of gross negligence or willful misconduct.
Entry into force, order of application and validity
This DPA shall enter into force when Customer agrees to be bound by the Agreement. The validity of the DPA expires automatically upon termination of the Agreement.