Last update: 20.12.2017
This data processing agreement (“DPA”) is applied to the agreement (“Agreement”) according to which CRM-service Oy (“Supplier”) delivers the CRM-service service (“Service”) to the customer (“Customer”).
2 DEFINITIONS AND ROLES
Notwithstanding what is stated in the Agreement, in the event of conflict between this DPA and the Agreement the terms and conditions of this DPA shall prevail.
“Data Protection Regulation” shall in this DPA mean the Finnish Personal Data Act (523/1999) or any other applicable data protection legislation as amended from time to time (including but not limited to the EU Data Protection Directive (95/46/EC) and the General Data Protection Regulation, “GDPR” (2016/679/EU)) and the instructions and binding orders of the data protection authorities.
Any terms not defined in this DPA or the Agreement shall be given the meaning allocated to them in Data Protection Regulation from time to time.
When providing the Service, Supplier acts as a Data Processor and Customer acts as a Data Controller, the concepts of which are further defined in the Data Protection Regulation. An individual whose Personal Data is being processed by Supplier under this DPA and the Agreement will act as a Data Subject, the concept of which is further defined in the Data Protection Regulation.
3 THE PURPOSE OF THE PROCESSING OF PERSONAL DATA
Supplier shall process Personal Data on behalf of Customer and in accordance with the terms and conditions of the DPA for the purpose of providing the Service under the Agreement. The Personal Data processed under this DPA is defined in the Agreement.
4 RIGHTS AND RESPONSIBILITIES OF CUSTOMER
Customer shall:
- process Personal Data in accordance with good data processing practices and in compliance with Data Protection Regulation and all applicable laws;
- give documented instructions to Supplier on the processing of Personal Data, which instructions shall be binding on both Customer and Supplier after the written approval of Supplier;
- at all times retain control and authority over Personal Data, including readiness to respond to requests for exercising the Data Subject’s rights under the Data Protection Regulation; and
- assist Supplier by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Supplier’s obligations under this DPA and Data Protection Regulation.
5 RESPONSIBILITIES OF SUPPLIER
Supplier shall process the Personal Data only in accordance with the Data Protection Regulation, the Agreement and this DPA as well as the approved documented instructions from Customer, unless otherwise required in applicable laws and regulations to which Supplier is subject. In such case, Supplier shall inform Customer of such requirement under applicable laws and regulations before processing of Personal Data, unless the applicable laws and regulations prohibit such notification.
5.1 Assistance of Customer
Supplier shall, taking into account the nature of the processing of Personal Data under this DPA:
- assist Customer by appropriate technical and organisational measures in Customer’s obligation to respond to requests for exercising the Data Subject’s rights; and
- assist Customer in ensuring compliance with its legal obligations, such as Customer’s data security, data protection assessment and prior consulting obligations set out by the Data Protection Regulation.
5.2 Data security
As from the first date when the GDPR is applied, Supplier shall implement technical, physical and organisational measures to comply with the obligations regarding security of processing under the GDPR.
Supplier shall ensure that the Personal Data processed are kept confidential. Supplier shall ensure that any person Supplier has authorised to process Personal Data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality.
5.4 Personal Data Breach Notification
In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, Supplier shall notify Customer without undue delay after becoming aware of the personal data breach.
5.5 Returning or destroying of Personal Data
Upon termination of the applicable purpose of the processing of Personal Data, or upon Customer’s written request, Supplier shall either destroy or return to Customer all Personal Data unless otherwise required by law.
Supplier shall be entitled to return to Customer and destroy all Personal Data processed under this DPA if Customer has not requested Supplier to destroy or return the Personal Data within sixty (60) days from the date when the applicable purpose of the processing of Personal Data has terminated.
6 TRANSFERS OF PERSONAL DATA
Supplier shall not transfer any Personal Data to any third party or country outside the European Union or the European Economic Area except for transfers in accordance with the Customer’s prior written instructions and the express terms of this DPA and the Agreement.
Supplier may engage third-party subcontractors when providing the Service and processing Personal Data.
Supplier shall ensure that the subcontractors comply with the confidentiality, data security and other obligations specified in this DPA. Supplier is fully liable for the performance of the subcontractor’s obligations.
Supplier shall inform Customer of possible forthcoming changes regarding the subcontractors, in which case Customer may object to such change by notifying Supplier within five (5) days of such notice. Customer may not object to the changes without a grounded reason.
At any time during the term of this DPA, Customer or a recognised, independent third party auditor appointed by Customer with proven experience and procedures shall have the right to perform audits and inspections of Supplier in order to verify compliance of Supplier with this DPA and especially with the technical and organisational security measures required to be implemented. Supplier shall have the right not to accept a specific third party if the third party is a competitor of Supplier.
Customer shall give prior written notice to Supplier at the latest sixty (60) calendar days prior to any audit. Audits shall be organised during Supplier’s normal working hours. Supplier shall assist Customer in the execution of an audit and charge such assistance in accordance with the pricing and payment terms defined in the Agreement.
If an essential error caused by Supplier is discovered in an audit, Supplier shall be responsible for its own direct costs arising from the audit required to identify and fix the error. No indirect costs shall be compensated. At most one (1) audit per year may be conducted.
The assistance performed by Supplier under this DPA shall be charged in accordance with the pricing and payment terms in the Agreement.
10 APPLICABLE LAW AND DISPUTE RESOLUTION
This DPA shall be governed by the laws of Finland without regard to its principles and rules on conflict of laws and shall be subject to dispute resolution in accordance with the Agreement.
11 TERM AND AMENDMENTS
This DPA shall become effective when Customer has confirmed acceptance of this DPA in writing or the Parties have otherwise agreed to the terms of this DPA. This DPA shall automatically terminate upon termination of the applicable purpose of processing of Personal Data under the Agreement.
The GDPR shall apply from 25 May 2018. When the GDPR has been implemented into national legislation or if binding instructions are given by any supervisory authority, this DPA might need to be updated, if so mutually agreed between the Parties.