VERSION 9 May 2018
Hereinafter Service Provider and Customer shall also be individually referred to as “Party” and jointly as “Parties”.
(i) the Customer has the right to disclose personal data to the Service Provider according to the purposes of the Agreement;
(ii) there is a valid legal ground for the processing provided in applicable data protection legislation such as contract, legitimate interests of the data controller or data subjects’ consent; the processing and purposes of the data collected or processed have been specified prior to the processing activities;
(iii) the processing and purposes of the data collected or processed have been specified prior to the processing activities;
(iv) the data collected is accurate, correct and necessary for each specific purpose of the processing, and no unnecessary data is collected;
(v) the Customer instructs the Service Provider lawfully in the processing of personal data, incl. provides documented instructions regarding the processing of personal data;
(vi) the Customer provides access rights to the persons designated by the customer and removes access rights when they are no longer necessary and ensures the proper guidance and training of its users;
(vii) personal data has been protected against unauthorized access, and accidental or unlawful destruction, alteration, disclosure, transport or other unlawful processing;
(viii) personal data that are inaccurate or incorrect are rectified or erased without delay;
(ix) personal data that have become outdated or unnecessary will not be processed, but disposed of in a reliable manner, unless Union or Member State law requires storage of the personal data;
(x) data subjects have the opportunity to obtain transparent information regarding the processing of their personal data, which is easily accessible and understandable and provided using clear and plain language.
a) a description of the nature of the personal data breach including, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;
b) the name and contact details of the person responsible for the data processor’s data protection matters;
c) a description of likely consequences and/or realized consequences of the personal data breach; and
d) a description of the measures taken to address the personal data breach and to mitigate its possible adverse effects.
|Subject-matter, nature and purpose of processing||Service Provider processes personal data of Customer only for the following purpose:
Processing of personal data of individuals using the service under authority of Customer and respondents who have answered to surveys created by Customer through use of ZEF survey tool provided by Service Provider
|Categories of data subjects and types of personal data||Personal data processed by Service Provider may include:
- Email address,
- Home address,
- Phone number,
- Date of birth,
- Employment details,
- Education and qualification,
- Contact details,
- Other survey-specific information provided by a respondent and determined by Customer
Customer may also choose to conduct a survey without any personal data being provided from the respondents. In this event no personal data listed above will be collected and processed.
|Customer’s instructions||At the signature date of this exhibit Customer’s instructions to Service Provider are processing of personal data only for providing services under the Agreement in accordance with the Addendum.|
|Applied security measures||Service Provider ensures the confidentiality, integrity and availability of personal data processed via the services. Service Provider implements appropriate technical and organizational measures and procedures in such a way that ensures the protection of data subject’s rights, and always in accordance with applicable data protection law, as well as to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, access and other unlawful forms of processing.
Additional information of Service Provider’s security mechanisms shall be delivered to Customer upon request.
|Limitation of liability||For the sake of clarity it shall be noted that the limitation of liability clauses agreed in the Agreement shall be applied to the Addendum. Liability of a Party towards the other Party is at all times limited to amounts paid by Customer to Service Provider for the part of service in question.|
|Subcontractor||Location of personal data||Description||Transfer mechanism|
|Amazon Web Services||EU||ZEF utilizes Amazon Web Services (AWS) for hosting "Arviointikone / ZEFsurvey".|
|UpCloud||EU||ZEF utilizes UpCloud for hosting "Arviointikone / ZEFsurvey".|
|Sendgrid||US||ZEF utilizes Sendgrid for sending emails via the ZEF service/td>||EU-U.S. Privacy Shield Framework|
|Google Cloud Platform||EU, US||ZEF utilizes Google Cloud Platform (GCP) for hosting "Matchit / ZEF Global" and the new ZEF product version.||EU-U.S. Privacy Shield Framework, European Commission Model Contract Clauses|
|Google Analytics||EU, US||ZEF utilizes Google Analytics to collect website usage data.||EU-U.S. Privacy Shield Framework|