DATA PROCESSING ADDENDUM
Hereinafter Service Provider and Customer shall also be individually referred to as “Party” and jointly as “Parties”.
1.1. Service Provider is the owner and licensor of certain software products and related services which the Service Provider has licensed to the Customer.
1.2. This Addendum sets out the terms and conditions for the processing of personal data by the Service Provider on behalf of the Customer.
1.3. The Service Provider acts as a data processor and the Customer acts as a data controller, within the meaning of the applicable data protection legislation.
1.4. For the purposes of this Addendum, the applicable data protection legislation shall mean the applicable laws and regulations in respect of processing personal data, including but not limited to, the Finnish Data Protection Act (1050/2018) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”) as well as supplementary Finnish legislation, local adaptations, case-law and guidance from supervisory authorities.
2. DATA PROTECTION AND PROCESSING OF PERSONAL DATA
2.1. The subject-matter, nature and purpose of the processing, the type of personal data and categories of data subjects are described in Exhibit 1.
3. RESPONSIBILITIES OF THE CUSTOMER
3.1. The Customer acts as a data controller under applicable data protection legislation. The Customer commits to ensure compliance with the data controller’s obligations under the applicable data protection legislation. In particular, the Customer shall be responsible to ensure, inter alia, that:
(i) the Customer has the right to disclose personal data to the Service Provider according to the purposes of the Agreement;
(ii) there is a valid legal ground for the processing provided in applicable data protection legislation such as contract, legitimate interests of the data controller or data subjects’ consent;
(iii) the processing and purposes of the data collected or processed have been specified prior to the processing activities;
(iv) the data collected is accurate, correct and necessary for each specific purpose of the processing, and no unnecessary data is collected;
(v) the Customer instructs the Service Provider lawfully in the processing of personal data, including providing documented instructions regarding the processing of personal data. The Customer is responsible for the lawfulness, maintenance and availability of the instructions;
(vi) the Customer provides access rights to the persons designated by the Customer, removes access rights when they are no longer necessary and ensures the proper guidance and training of its users;
(vii) personal data has been protected against unauthorized access, and accidental or unlawful destruction, alteration, disclosure, transport or other unlawful processing;
(viii) personal data that are inaccurate or incorrect are rectified or erased without delay;
(ix) personal data that have become outdated or unnecessary will not be processed, but disposed of in a reliable manner, unless Union or Member State law requires storage of the personal data;
(x) data subjects have the opportunity to obtain transparent information regarding the processing of their personal data, which is easily accessible and understandable and provided using clear and plain language.
4. RESPONSIBILITIES OF THE SERVICE PROVIDER
4.1. The Service Provider acts as a data processor under applicable data protection legislation. The Service Provider processes personal data the Customer is responsible for on behalf of the Customer according to the Customer’s documented instructions. The Service Provider shall implement appropriate technical and organizational measures for ensuring the security of the processing and maintain appropriate documentation of these measures and processing activities.
4.2. The Service Provider commits to ensure that all the persons processing personal data under the authority and supervision of the Service Provider have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such persons shall process personal data only pursuant to this Addendum, the Agreement and the Customer’s instructions.
4.3. The Service Provider commits to assist the Customer to ensure compliance with the provisions on the data subject's rights by appropriate technical and organizational measures and to inform the Customer about the requests received from the data subjects. The Service Provider shall be entitled to charge reasonable labor costs incurred from assisting the Customer.
4.4. The Service Provider shall provide the Customer all information necessary to demonstrate compliance with the obligations concerning the processing of personal data. The Service Provider shall allow the Customer either on their own or with a third party – which shall not be a competitor to the Service Provider – to conduct audits in the presence of the Service Provider. The Customer shall notify the Service Provider in writing at least 30 days in advance, after which the Parties shall mutually agree on the extent and timing of the audit, always conducted during the Service Provider’s normal working hours. The Service Provider shall be entitled to charge reasonable labor costs incurred from assisting the Customer.
4.5. The Service Provider has an obligation to assist the Customer in completing possible data protection impact assessments, notifications of personal data breaches and prior consultation requests to the extent they relate to the software service provided by the Service Provider. The Service Provider shall be entitled to charge reasonable labor costs incurred from assisting the Customer.
5. THE SERVICE PROVIDER’S SUBCONTRACTORS
5.1. Any subcontractors used by the Service Provider which take part in the processing of personal data also act as data processors on behalf of the Customer. By accepting this Addendum, the Customer has provided a written authorization for the use of subcontractors. The Service Provider shall have full responsibility for the actions and omissions of its subcontractors, and shall ensure that the subcontractors comply with the responsibilities of the Service Provider under this Addendum and the Agreement. The Service Provider shall inform the Customer in writing of any intended changes concerning the addition or replacement of subcontractors, thereby giving the Customer the opportunity to object to such changes.
6. TRANSFERS OF PERSONAL DATA
6.1. Service Provider may transfer personal data outside the European Union or European Economic Area, provided that the Service Provider shall ensure that it or its subcontractor transfers the personal data in compliance with the applicable data protection legislation, including provisions stipulated in chapter V of the GDPR.
7. PERSONAL DATA BREACHES
7.1. In the event of a personal data breach, the Service Provider shall without undue delay after becoming aware of it notify the Customer in writing and additionally in any other reasonable and prompt manner. The personal data breach notification shall contain at least the following:
a) a description of the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;
b) the name and contact details of the person responsible for the data processor’s data protection matters;
c) a description of likely consequences and/or realized consequences of the personal data breach; and
d) a description of the measures taken to address the personal data breach and to mitigate its possible adverse effects.
8. CHANGES AND ADDITIONS
8.1. If provisions of the applicable data protection legislation are changed during the term of this Addendum, or if the data protection supervisory authority issues guidelines, decisions or regulations concerning the application of the data protection legislation in a way that this Addendum would no longer meet the requirements stipulated in Article 28 of the GDPR, the Parties shall make the necessary changes to this Addendum in writing, in order to meet such new or additional requirements.
9. TERM AND TERMINATION
9.1. This Addendum enters into force once duly signed by both Parties and remains in force as long as the Service Provider processes personal data as the Customer’s data processor.
9.2. After the end of the provision of services under the Agreement, the Service Provider commits to either delete or return all the personal data under the Customer’s responsibility to the Customer, based on the Customer’s choice. The Service Provider has the right to charge labor costs incurred by returning the personal data on an hourly basis according to the price list. The Service Provider deletes existing copies of the personal data unless legislation requires storage of the personal data.
10. OTHER TERMS
10.1. This Addendum supersedes and replaces all prior data processing agreements between the Parties.
10.2. In other respects, the terms of the Agreement shall be applied to this Addendum.
10.3. This Addendum shall be governed and construed in accordance with the laws of Finland. Any dispute arising out of or in connection with this Addendum shall be settled in accordance with the dispute resolution provision in the Agreement.
EXHIBIT 1 – DESCRIPTION OF PROCESSING
Subject-matter, nature and purpose of processing
Service Provider processes personal data of Customer only for the following purpose:
Processing of personal data of individuals using the service under the authority of Customer and of respondents who have responded to surveys created by Customer through the use of the ZEF survey tool provided by Service Provider.
Categories of data subjects and types of personal data
Personal data processed by Service Provider may include:
- Email address,
- Home address,
- Phone number,
- Date of birth,
- Employment details,
- Education and qualification,
- Contact details,
- Other survey-specific information provided by a respondent and determined by Customer.
Customer may also choose to conduct a survey without any personal data being provided by the respondents. In this event no personal data listed above will be collected or processed.
Customer’s instructions
At the signature date of this Exhibit, Customer’s instructions to Service Provider are to process personal data only for providing services under the Agreement in accordance with the Addendum.
Applied security measures
Service Provider ensures the confidentiality, integrity and availability of personal data processed via the services. Service Provider implements appropriate technical and organizational measures and procedures in such a way that ensures the protection of data subjects’ rights, always in accordance with applicable data protection law, and that protects personal data against accidental or unlawful destruction, loss, alteration, disclosure, access and other unlawful forms of processing.
Additional information on Service Provider’s security mechanisms shall be delivered to Customer upon request.
Limitation of liability
For the sake of clarity it shall be noted that the limitation of liability clauses agreed in the Agreement shall be applied to the Addendum. Liability of a Party towards the other Party is at all times limited to amounts paid by Customer to Service Provider for the part of service in question.
| Subcontractor | Location of personal data | Description | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services | EU | ZEF utilizes Amazon Web Services (AWS) for hosting "Arviointikone / ZEFsurvey". | |
| UpCloud | EU | ZEF utilizes UpCloud for hosting "Arviointikone / ZEFsurvey". | |
| Sendgrid | US | ZEF utilizes Sendgrid for sending emails via the ZEF service. | EU-U.S. Privacy Shield Framework |
| Google Cloud Platform | EU, US | ZEF utilizes Google Cloud Platform (GCP) for hosting "Matchit / ZEF Global" and the new ZEF product version. | EU-U.S. Privacy Shield Framework, European Commission Model Contract Clauses |
| Google Analytics | EU, US | ZEF utilizes Google Analytics to collect website usage data. | EU-U.S. Privacy Shield Framework |