Data Processing Agreement
Effective from 25 May 2018. Updated on 23 May 2018.
This annex to the agreement ("Annex") forms an essential and integral part of the terms and conditions (hereinafter also referred to as "Agreement") entered into by Pulse247 Oy ("Service Provider") and the customer ("Customer") regarding the use of services ("Service"). In the event of an inconsistency between the terms and conditions of the Agreement and the present Annex, the Annex takes precedence.
The terms used in this Annex have the same meaning as given in the regulation of the European Parliament on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data ("General Data Protection Regulation").
These include, in particular, the following:
- Legislation The EU General Data Protection Regulation (2016/679, "GDPR") as of the date of its application (25 May 2018) and any other existing legislation
- Data Controller The Customer, who determines the purposes and means of Personal Data processing
- Data Subject Natural person as defined under legislation
- Personal Data Any information related to an identified or identifiable natural person
- Data Processor The Service Provider, who processes Personal Data on behalf of a Customer
- Processing Any activity or function, which involves handling of Personal Data
- Subcontractor A party who by order of the Service Provider carries out processing as per this Annex on behalf of the Service Provider and the Customer
- Standard contractual clause Standard contractual clauses approved by the European Commission concerning the transfer of Personal Data to third-country processors (Decision 2002/16/EC)
With this Annex, the parties agree that for the duration of the agreement, the Service Provider acts in the capacity of the Data Processor and processes Personal Data on behalf of the Customer, the Data Controller.
Obligations of the Customer
The Customer acts as the Data Controller within the meaning of the legislation for Personal Data of its customers, employees and other individuals, which the Service Provider processes in the Service for the implementation thereof ("Customer Personal Data").
The Customer defines the manner in which Personal Data is used, exchanged or otherwise processed. The Customer makes sure that all data subjects have been duly informed and provided with all necessary information regarding the processing of Personal Data, and that the Customer has obtained necessary rights and consents to process Personal Data. The Customer is also responsible for the establishment of a policy describing the processing.
The Customer transfers to the Service and its systems only such data as it has the right to process under applicable data protection legislation.
The Customer is obliged to inform the Service Provider of anything (including special risks and Personal Data categories), which requires additional technical or organizational security measures.
The Customer is also responsible for its employees and other individuals to whom the Customer has granted a right of access or right of use to the Services. In addition, the Customer is responsible for an event in which a third party gains access to its Personal Data or the Service, even if the Customer had not authorized the processing of the data, if the Customer has failed to adopt the necessary security measures.
The Customer informs the Service Provider without undue delay if the Customer becomes aware of any security breach, which may relate to the Personal Data processed by the Service Provider on behalf of the Customer. Should the Service Provider need any information from the Customer following the security breach incident in order to fulfil its obligations under this data protection annex and applicable legislation, the Customer must provide such information without undue delay.
Obligations of the Service Provider
Unless otherwise explicitly stated in applicable legislation, the Service Provider and personnel acting under its authority process the Personal Data on behalf of the Customer only as per the agreement, the annexes and any written instructions agreed upon separately.
The Service Provider keeps the Customer's Personal Data confidential and ensures that those entitled to handle the data are bound by the obligation to observe secrecy.
The Service Provider maintains all necessary policies and, at the Customer's request, makes available all necessary information in order to demonstrate compliance with this Annex and applicable legislation.
In the event of a security breach against the data processed on behalf of the Customer, the Service Provider informs the Customer of the matter without undue delay. Taking into account the nature of the processing and available information, the Service Provider gives the Customer necessary information regarding the security breach in order for the Customer to fulfil its obligations under the applicable data protection legislation, including the notification obligation and the security breach documentation obligation.
The Service Provider informs the Customer without delay if Data Subjects present data-related requests directly to the Service Provider.
The Customer allows the Service Provider to use subcontractors for the processing of Personal Data. The subcontractors process the data to the extent agreed with the subcontractors.
If the Service Provider uses subcontractors to process the Customer's Personal Data, the Service Provider ensures that each Subcontractor is bound by an agreement or similar contractual document to implement similar or no less stringent data protection obligations as those set out in this Annex. In particular, the Subcontractor must provide sufficient guarantees that the technical and organizational aspects of the processing are carried out in a way that meets the requirements of the applicable legislation.
The Service Provider is responsible for the Services provided by its Subcontractors in the same way as if it had carried out the Services itself.
The Customer has the right to request information regarding the subcontractors used by the Service Provider and any changes thereto. The Customer may object to the use of a subcontractor in the processing of Personal Data. The Service Provider may terminate the agreement if the operation or security of the Service cannot be guaranteed due to the Customer's objection.
For the sake of clarity, it should be noted that the Customer may activate Service properties, which involve data transfers to third-party service providers in charge of, for example, payments, logistics or analytics, who will then process Customer's Personal Data on behalf of the Customer. Such third parties will not be considered subcontractors of the Service Provider. The Customer is responsible for documenting and including the processing operations of these third-party service providers in its own policies.
Implementation of Data Subject rights
During the term of the agreement, the Customer may ask the Service Provider to assist the Customer in fulfilling the requirements laid down by applicable data protection legislation.
The Service Provider assists and supports the Customer to ensure its ability as the Data Controller to reply to requests submitted by data subjects based on the rights assigned to them by the GDPR. These rights may, for example, relate to Data Subjects’ right to access and edit Personal Data, right to object to the processing, right to erasure ("right to be forgotten"), right to restriction of processing, and right to have data transferred from one system to another.
Some of the above-mentioned duties can be performed by the Customer via the Service. The Service Provider seeks to develop methods and technical solutions, which would enable the implementation of Data Subject rights and response to related requests via the Service.
Taking into account the nature of the processing and the data available to the Service Provider, the Service Provider may, at the Customer's request and expense, assist the Customer in responding to Data Subject requests, provided such obligations relate to the Service and are reasonable in nature.
All Personal Data processed by the Data Processor on behalf of the Data Controller is considered confidential. The Data Processor undertakes to keep all such data confidential and to not convey or disclose them to a third party, or use the data for purposes other than those agreed. Additionally, the Data Processor undertakes to disclose or convey the Personal Data only to those employees or other individuals (including any subcontractors) in its own organization who need the data for an agreed purpose and who under an employment contract or other agreement are legally obligated to maintain the confidentiality of the information. The obligation of confidentiality remains in force despite the termination or expiry of the agreement.
The Service Provider takes appropriate technical and organizational measures to ensure that the processing complies with the requirements of applicable legislation, and security measures to prevent accidental or unlawful destruction, loss or alteration of the data, or unauthorized disclosure or access. The measures must be dimensioned to ensure a level of security appropriate to the risks. Such measures include, as appropriate:
- pseudonymization and encryption of Personal Data;
- ability to ensure continued confidentiality, integrity, availability and fault tolerance of processing systems and services;
- ability to quickly re-establish the access to and availability of information in the event of a physical or technical failure;
- a procedure used to regularly test, examine and assess the efficiency of technical and organizational measures to ensure the security of data processing.
Personal data breaches
Each party, without undue delay, notifies the other party of any security incidents or breaches brought to its attention. The notification must include the following information, if available:
- circumstances leading to the breach
- description of the nature of the breach, including, as far as possible, the targeted Personal Data groups and the estimated number thereof, and the Data Subject groups and the estimated number thereof.
- description of the likely consequences of the breach
- description of the measures that have been taken or proposed in order to react to the breach, including, if necessary, measures to mitigate potential adverse effects
Each party examines all causes of a breach within their scope of responsibility and takes appropriate action to end the breach, to mitigate any adverse effects and to prevent similar breaches in the future. The parties must document and submit to the other party the results of their investigation and the actions taken. The parties cooperate to a reasonable extent in order to meet the requirements laid down by the data protection annex and applicable legislation.
The Customer has the right to perform an audit, such as an inspection, in order to assess the fulfilment of the data protection obligations under this annex and the level of data security.
The Customer may authorize a third party to carry out the audit. The authorized third party may not be a competitor to the Service Provider. The Service Provider has the right to determine whether the authorized third party is its competitor. The Service Provider is entitled to require the use of an authorized third-party auditor who is not a competitor to the Service Provider.
The Service Provider must attend the inspections and provide the Customer with all information necessary to demonstrate compliance with the obligations of the Service Provider. The Customer also has the right to inspect the operation of the Service Provider's subcontractors as far as it is necessary for the protection of Personal Data processed in the Service. The Customer and its authorized third party must observe professional secrecy with regard to the Service Provider's business secrets revealed in the course of the audit.
The exercise of the right of audit, the content and procedures thereof, and the audit date are always agreed separately. The Service Provider undertakes to order inspections performed by competent third parties as per the industry standards regarding the services provided and the processing of Personal Data. The Customer bears the expenses incurred by the Service Provider and the third party as a result of such inspections.
The supervisory authorities' right of inspection may be exercised, for example, in situations where the Customer's processes are assessed and the service provided by the Service Provider to the Customer forms part of the inspected entity.
Location and transfer of data
The Service Provider's data centers, where all the Personal Data are retained and processed, are located in Finland. However, the Service Provider may transfer the Personal Data to data centers or sub-processors located in any EU/EEA country, or in a country which the European Commission has deemed to provide an adequate level of protection.
When Personal Data is transferred outside the EU/EEA, the transfer takes place under the EU-U.S. Privacy Shield arrangement, the European Commission's standard contractual clauses or another transfer mechanism permitted by law. In such cases, the Service Provider ensures by contract, inter alia, that the confidentiality of the information is maintained and that the data continues to be processed in accordance with legislation.
The Customer has the right to request information regarding data transfers by the Service Provider outside the EU/EEA and any known changes thereto. The Customer may object to the transfer of Personal Data outside the EU/EEA. The Service Provider may terminate the agreement if the operation or security of the Service cannot be guaranteed due to the Customer's objection.
Date of entry into force and consequences of the termination of the agreement
This annex enters into force on 25 May 2018 and will remain in effect in accordance with the terms and conditions of the agreement until terminated by either party after the applicable notice period. The Customer is obliged to ensure the transfer or backup of its data before the termination or expiry of the agreement.
At the end of the agreement, the Data Processor will delete Customer's Personal Data in accordance with its practices. The Data Processor does, however, have the right to retain the Customer's Personal Data after the termination or expiry of the agreement for as long as it is deemed necessary for the fulfilment of the Service Provider's own legal obligations, ensuring the security of the services or investigating any misuses. In such cases, the Data Processor is not allowed to process the data further and must continue to comply with the confidentiality requirements described in this annex.