ZEF - Data Processing Addendum

(Based on general IT2022 Terms and Conditions) 

1   OBJECT OF AGREEMENT

The Customer and the Supplier specified below have agreed in accordance with the Terms and Conditions of this Agreement on Services Delivered via Data Network (hereinafter “Software Service”). Unless particularly agreed otherwise in this DPA, following appendixes shall apply 1) IT2022 EHK – Special terms and conditions for the processing of personal data and 2) IT2022 YSE – General terms and conditions. Accepting and maintaining this Data processing addendum ("DPA") is a condition of using the Software Service.

2   CONTRACTING PARTIES

Customer: The customer is the legal entity that has acquired a license for the use of the Software service (Zeffi) from the Supplier and has accepted these ZEF - DPA and ZEF - Terms of service.

Supplier: ZEF Ltd (Business identity code: 0640379-1). Supplier’s address: Elektroniikkatie 6, FI-90590 Oulu, FINLAND.

3   NATURE AND PURPOSE OF THE PROCESSING

The nature and purpose of the processing of personal data is specified as follows:

The Supplier processes the Customer's personal data for two groups: 1) Survey Creators, whose information has been imported to the Zeffi organization managed by the Customer and 2) Survey Respondents, whose information the Customer has imported to invite respondents or which the respondents have themselves handed over to the software service as survey answers.

At the date of approval of this addendum Customer’s instructions to the Supplier are processing of personal data only for providing the software service under the Agreement in accordance with the Addendum.

The customer is the data controller and owns the data in their Zeffi organization. The Supplier's personnel only processes data for customer service purposes, for example when responding to support requests by the Customer, in which case the data is only processed to the extent required by the support request.

 4   TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

4.1 Survey Creators’ Personal data processed by the Supplier may include:

- Email address

- Name (optional)

- Phone number (optional)

- Social media accounts (optional)

- IP address used in signing in to the software service

- Credit Card and Invoicing data (if applicable)

4.2 Survey Respondents’ Personal data processed by the Supplier may include:

- Name, Email address, Home address, Phone number and other contact details (all optionall)

- Age and Date of birth

- Employment details, education and qualifications 

- Social media accounts (optional)

- Other survey-specific information provided by a respondent and determined by Customer

The Customer may also choose to conduct a survey without any personal data being provided from the respondents. In this event no personal data listed above will be collected or processed.

5   APPLICABLE DATA SECURITY MEASURES

Data security has been agreed in accordance with the IT2022 Terms and Conditions annexed to this Agreement.

Backup procedures: The data generated during the Customer's use is stored on the Supplier's server during the contract period. As a logged-in user within the scope of his license, the Customer has access to the latest content, and in addition, previous survey versions are stored for 30 days in the backup archive.

 6   PRICES

The processing of personal data does not involve separate time-based fees on top of the license pricing. As described in section 3.4 of the IT2022 EHK Terms and conditions, the Supplier has the right to invoice reasonable compensation according to its current price list for any work performed.

7 DETAILED OBLIGATIONS OF CUSTOMER AS DATA CONTROLLER

The detailed obligations of the customer as a data controller have been specified as follows:

7.1 The customer must designate an Owner for their Zeffi organization, who is responsible for keeping the Zeffi organization's access rights up to date. The Owner must revoke the access rights of users who no longer have the right to use the software service.

7.2 As stated in section 3.3 of the IT2022 EHK Terms and conditions, the Customer is responsible to handle personal data in accordance with data protection legislation on their behalf in the process of transferring personal data to the Supplier.

8   SUBJECT-MATTER AND DURATION OF PROCESSING

The subject-matter and duration of the processing of personal data have been specified as follows:

8.1 As the data controller, the Customer determines the subject-matter and duration of the personal data processing in their Zeffi organization. 

8.2 In terms of the subject-matter and duration of personal data processing, the Customer must ensure that the processing complies with data protection legislation in accordance with section 7.2 of this DPA.

8.3 The Supplier's role as a data processor is limited to the technical processing of data as a software service provider in accordance with the Customer's instructions.

8.4 In addition, the Supplier's personnel offers the Customer a technical support service. During the support process the data of the Customer's Zeffi organization can be processed to the extent required by the support request.

9 LOCATION OF PERSONAL DATA

9.1 Regarding Survey Respondents, no personal data is transferred outside the EU/EEA area.

9.2 Regarding Survey Creators, in addition to the EU/EEA region, the personal data can  also be processed in the US region. Data transfer takes place in accordance with the European Commission's model contract clauses.

9.3 The Supplier’s responsibilities related to any possible transfer of personal data outside the EU/EEA are defined in more detail as follows: The Supplier limits data transfers to as limited as is needed for the provision of the software service. Necessary information for the service is the e-mail and IP address processed in connection with login and authentication, as well as invoicing information.

10 SUB-PROCESSORS OF PERSONAL DATA

Approved subprocessors: 

11 LIABILITY FOR DAMAGES AND LIMITATION OF LIABILITY

Liability for damages of the processing of personal data has been specified in the IT2022 EHK Special Terms and Conditions for the Processing of Personal Data in Section 9.

12 OTHER TERMS AND CONDITIONS

12.1 The Supplier ensures that all persons participating in the processing of personal data in it’s organization are committed to comply with the confidentiality obligation or are subject to the appropriate statutory confidentiality obligation and, in addition, that the personal data is processed only in accordance with this DPA, ZEF - Terms of service and the Customer's instructions.

12.2 The Supplier assists the Customer, with appropriate technical and organizational measures,  in fulfilling its obligations regarding the exercise of registered rights, as well as informing the Customer of any requests received from registered users.

12.3 The Supplier assists the Customer in possible impact assessments regarding the data protection of the software service, information security breach notifications and requests for preliminary hearings made to the authorities.

12.4 This ZEF - DPA enters into force on June 28, 2023 and is valid until further notice.

13 ANNEXES OF AGREEMENT AND ORDER OF PRIORITY

13.1 This DPA is an integral part of the agreement between the Customer and the Supplier. The ZEF - Terms of service takes precedence over this ZEF - DPA.

13.2 Following annexes are an integral part of this ZEF - DPA  (freely accessible at www: it-ehdot.fi/briefly-in-english/)  

  1. IT2022 EHK Special terms and conditions for the processing of personal data 
  2. IT2022 YSE General terms and conditions