(the “Customer” or “Data Controller”).
Reslink Solutions Oy
Ilmalankatu 2 C
00240 Helsinki Finland
(the “Supplier” or “Data Processor”).
The Customer and the Supplier may also be referred to as a “Party” or as the “Parties”, as the case may be. In connection with the Processing, the Customer shall be regarded as Data Controller and the Supplier shall be regarded as Data Processor under the Data Protection Laws.
2. SERVICE AGREEMENT AND PURPOSE OF THIS DPA
This DPA has been entered into in connection with the agreement concerning the provision of Reslink services entered into between the Parties (“Service Agreement”) and this DPA sets additional requirements and details regarding the Supplier’s handling of personal information relating to the Customer’s employees, contractors, partners or other parties (“Personal Data”) on behalf of the Customer in accordance with and as required by the Service Agreement. Subject-matter, nature and purpose of the Processing are defined and agreed under the Service Agreement.
The DPA shall form an integral part of the Service Agreement, meaning that applicable parts of the Service Agreement (including its provisions on governing law and dispute resolution) shall apply also to this DPA. However, in the event of conflict, the provisions of this DPA shall prevail over the provisions of the Service Agreement.
3. DURATION OF PROCESSING
Personal Data will be processed by the Supplier for the duration of the Service Agreement and maximum three months thereafter.
4. TYPES OF PERSONAL DATA BEING PROCESSED
The Personal Data processed shall contain e.g. the following types of Personal Data:
Personal data:
- Email address
- Photo
- IP address
- Location data
- Online behaviour (cookies)
- Profiling and analytics data
Special categories of personal data:
- Race
- Trade union membership
- Health information
Details may be further specified under the Service Agreement.
The capitalized terms used herein shall have the meaning ascribed to them below or in the text of this DPA.
“Data Protection Laws” shall mean (i) the Finnish Personal Data Act (523/1999, as amended) until entry into force of the GDPR, and GDPR thereafter, as well as any other applicable foreign data protection laws and regulations from time to time to which a Party is subject and/or in any jurisdiction that the Services are provided to or in respect of; (ii) instructions, rules and orders of the competent data protection authorities under the referred laws and regulations having jurisdiction over a Party or any of that Party’s assets, resources or business binding upon a Party.
“GDPR” shall mean General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council).
“Personal Data” shall mean any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed hereunder.
“Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, of Personal Data.
“Sub-Processor” shall mean a processor contracted by the Data Processor to perform Processing hereunder, in part or in whole, on the Data Processor’s behalf.
6. RIGHTS AND OBLIGATIONS OF THE PARTIES
Both Parties shall be responsible to ensure that the Processing is made in accordance with the Data Protection Laws which apply to each Party as well as good data processing practices.
The Data Processor shall
- perform the Processing only on and as per the documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- For the avoidance of doubt, the Data Controller shall at all times be deemed to have instructed the Data Processor to provide the Service as defined and agreed under the Service Agreement and as described in the attached privacy statement reslink.fi/privacy.
- ensure that persons authorised to perform the Processing hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality as further described in this DPA;
- take all security measures required to be taken by data processors under the Data Protection Laws as further described in this DPA;
- respect the conditions referred to under Data Protection Laws for engaging any Sub-Processor as further described in this DPA;
- insofar as this is possible and taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights laid down under the Data Protection Laws;
- assist the Data Controller in ensuring compliance with its legal obligations, such as data security, data breach notification, data protection assessment and prior consulting obligations, as required of the Data Processor by the Data Protection Laws, taking into account the nature of Processing and the information available to the Data Processor;
- maintain necessary records and make available to the Data Controller all information necessary to demonstrate compliance with the obligations of the Data Processor according to the Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by the Data Controller or any auditor mandated by the Data Controller as further agreed under this DPA; and
- at the Data Controller’s instructions, delete or return to the Data Controller all the Personal Data after the end of the provision of the Services relating to Processing, and delete existing copies unless applicable laws require storage of the Personal Data. Deletion and return methods may be further agreed between the Parties;
Unless otherwise agreed, the Data Processor shall have the right to invoice reasonable costs resulting from the assistance described under and above.
The Data Controller shall
- give the Data Processor documented and comprehensive instructions on the Processing, which instructions shall comply with the Data Protection Laws;
- have the right and obligation to specify the purpose and means of Processing of Personal Data;
- represent that all the data subjects of the Personal Data have been provided with all appropriate notices and information and establish and maintain for the relevant term the necessary legal grounds for transferring the Personal Data to the Data Processor and allowing the Data Processor to perform the Processing contemplated hereunder;
- represent that if the Data Controller represents third parties under this DPA, it has the legal grounds to enter into this DPA with the Data Processor and allow the Data Processor to process the Personal Data according to the terms of this DPA and the Service Agreement; and
- confirm that the Processing stipulated under this DPA meets the Data Controller’s requirements including, but not limited to, with regard to intended security measures, and it has provided the Data Processor with all necessary information in order for the Data Processor to perform the Processing in compliance with the Data Protection
7. SECURITY OF PROCESSING
Both Parties shall implement and maintain appropriate technical and organisational measures to protect the Personal Data, taking into account:
- the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and
- the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.
Such measures include, inter alia as appropriate:
- the pseudonymisation and encryption of the Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the
The Data Controller shall inform the Data Processor of all issues (including but not limited to risk assessment and the inclusion of special categories of Personal Data) related to the Personal Data provided by the Data Controller which affect the technical and organizational measures that should be employed under this DPA.
8. SUB-PROCESSORS AND GEOGRAPHIC LOCATIONS
The Data Processor may from time to time use Sub-Processors to process the Personal Data hereunder. Sub-Processor(s) used in the provision of Services are listed in the Service Agreement or otherwise in writing.
Such use will be under written contract and the Data Processor will require the Sub-Processor to comply with the data protection obligations applicable to the Data Processor under this DPA or obligations which provide for the same level of data protection. The Data Processor will be liable for its Sub-Processor’s actions as for its own.
The Data Processor will inform the Data Controller in advance of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Geographic locations agreed and used under the Service Agreement shall be considered agreed geographic locations.
9. STORAGE OF PERSONAL DATA
The Data Processor shall inform the Data Controller in writing about the locations where Personal Data is stored, accessed or otherwise processed on behalf of the Data Controller and the identities of the Sub-Processors, if any, taking part in such processing.
10. TRANSFER OF PERSONAL DATA
The Data Processor will only transfer Personal Data out of the territory of the member states of the European Union, the European Economic Area, or other countries which the European Commission has found to guarantee an adequate level of data protection (collectively, the “Approved Jurisdictions”). Transfers of Personal Data outside Approved Jurisdictions may have been agreed under the Service Agreement.
If required by applicable legislation, the Data Processor shall enter into relevant contractual arrangements with required parties (including with the Data Controller itself) for the lawful transfer of Personal Data from the Approved Jurisdiction to third countries.
Such contractual arrangements shall be carried out in accordance with the standard data protection clauses adopted or approved by the European Commission (“Standard Contractual Clauses”). As an alternative to entering into the Standard Contractual Clauses, the Data Processor may rely upon an alternative transfer safeguard permitting and providing for the lawful transfer of Personal Data outside of the Approved Jurisdictions, provided that such safeguard is in compliance with applicable legislation.
In case of conflict between the Standard Contractual Clauses or any other alternative transfer safeguard permitting the lawful transfer of Personal Data outside the Approved Jurisdictions and the DPA, the Standard Contractual Clauses or such alternative framework shall always take precedence over the Service Agreement and this DPA.
11. NOTIFICATION OF PERSONAL DATA BREACH
The Data Processor shall without undue delay notify the Data Controller if it, or one of its Sub-Processors, becomes aware of a Personal Data Breach. Information shall be provided to the contact person named by the Data Controller, if not otherwise agreed between the Parties.
The Data Processor shall without undue delay inform the Data Controller of the circumstances giving rise to the Personal Data Breach, and any other related information reasonably requested by the Data Controller and available to the Data Processor.
Additionally, to the extent it is available, the Data Processor shall provide to the Data Controller the following information:
- a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse
At any time during the term of the DPA, the Data Controller and/or a recognized, independent third party auditor appointed by the Data Controller with proven experience and procedures shall have the right (exercisable by giving prior written notice to the Data Processor, such notice to be given at least fourteen (14) calendar days prior to any audit) to perform audits and inspections of the Data Processor in order to verify compliance of the Data Processor with the DPA and especially with the technical and organizational security measures required to be implemented (“Audit”).
The Audit shall be conducted in such a manner that the Data Processor’s undertakings towards third parties (including but not limited to the Data Processor’s customers, partners and vendors) are in no way jeopardized.
All the Data Controller’s representatives or external auditors participating in the Audit shall execute customary confidentiality undertakings towards the Data Processor.
The Data Processor shall always allow any relevant regulatory authority supervising the Data Controller’s business to conduct Audits of the Data Processor’s operations, in which case relevant parts of the Parties’ agreement hereunder shall apply.
The Data Controller shall bear all Audit expenses, and compensate the Data Processor for costs incurred as a result of the Audit. However, if the Audit reveals material deficiencies in the Data Processor’s performance, the Data Processor shall bear its own costs for the Audit.
The Data Processor shall
- keep any Personal Data received from the Data Controller confidential;
- ensure that persons authorized to process the Personal Data have committed themselves to confidentiality; and
- ensure that Personal Data is not disclosed to third parties without the Data Controller’s prior written consent, unless the Data Processor is obliged by mandatory law or decree to disclose such information.
In case data subjects or governmental authorities make a request concerning Personal Data, the Data Processor shall, as soon as reasonably possible, inform the Data Controller about such requests before providing any response or taking other action concerning the Personal Data.
In case any applicable authority prescribes an immediate response to a disclosure request, the Data Processor shall inform the Data Controller as soon as reasonably possible, unless the Supplier is prohibited by mandatory law or authority order from disclosing such information.
14. LIMITATION OF LIABILITY
The limitations of liability set out under the Service Agreement shall apply also to this DPA.
The Parties agree that the general principle of division of responsibilities between the Parties relating to administrative fines imposed by any relevant supervisory authority or claims by data subjects under this DPA is based on the principle that the respective Party needs to fulfil its own obligations under the Data Protection Laws. Hence, any administrative fines imposed or damages ordered should be paid by the Party that has failed in its performance of its legal obligations under the Data Protection Laws, as decided by the relevant supervisory authority or competent court authorized to impose such fines or damages. Therefore, the limitations of liability set out under the Service Agreement shall not, however, apply to such fines.
15. TERM AND TERMINATION
This DPA shall be in effect as long as the Parties have Service Agreements between them in force.
All provisions which by nature are intended to survive the termination of this DPA shall remain in full force and effect regardless of the termination of this DPA.
16. COPIES AND SIGNATURES
This DPA has been executed in two (2) counterparts, each Party taking one. Any signed and electronically exchanged copy shall have the same effect as the original signed document.
On behalf of (the “Customer” or “Data Controller”):
Name:
Title:

On behalf of Reslink Solutions Ltd (the “Supplier” or “Data Processor”):
Name: Jukka Hautala
Title: Managing Director