This Data Processing Agreement (“DPA”) is an appendix to the Software License Agreement (“Agreement”) between i4ware Software (“Processor”) and the Customer, and is subject to its terms and conditions to the extent not otherwise agreed herein.
Hereinafter Processor and Customer shall also be individually referred to as a “Party” and jointly as “Parties”.
1. Background and purpose
- Processor is the owner and licensor of certain software products and related services (“Services”) which Processor has licensed to the Customer under the Agreement.
- In connection with performing the Services, Processor may process personal data on behalf of the Customer.
- This DPA sets out the terms and conditions for the processing of personal data by Processor on behalf of the Customer.
- For the purposes of this DPA, “Applicable Law” shall mean the applicable laws and regulations in respect of processing personal data, including but not limited to, the Finnish Data Protection Act (1050/2018) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”) as well as binding orders from supervisory authorities.
2. Description of processing
- The subject-matter, nature and purpose of the processing, the type of personal data and categories of data subjects are described in documentation to be drawn up during the Agreement period or in other instructions issued by the Customer. The Customer is responsible for the lawfulness, maintenance and availability of the description and instructions.
- At the effective date of this DPA, the Customer has instructed Processor to process personal data for the purposes of the Agreement in accordance with the terms of this DPA.
3. Obligations of the Customer
- The Customer acts as a data controller and commits to ensure compliance with the data controller’s obligations under Applicable Law. In particular, the Customer shall be responsible for ensuring, inter alia, that:
  - the Customer has the right to disclose and transfer personal data to Processor for the purposes of the Agreement;
  - there is a valid legal ground for the processing provided in Applicable Law such as contract, legitimate interests of the data controller or data subjects’ consent;
  - the processing and purposes of personal data processed have been specified prior to the processing activities;
  - personal data collected is accurate, correct and necessary for each specific purpose of the processing, and no unnecessary personal data is collected;
  - the Customer is responsible for issuing access rights to nominated persons and removal thereof when such access rights are no longer needed;
  - the Customer is responsible for proper training and instructions of its personnel on processing of personal data and data security;
  - personal data has been protected against unauthorized access, and accidental or unlawful destruction, alteration, disclosure, transport or other unlawful processing;
  - personal data that are inaccurate or incorrect are rectified or erased without delay;
  - personal data that have become outdated or unnecessary will not be processed, but disposed of in a reliable manner, unless Union or Member State law requires storage of personal data;
  - data subjects have the opportunity to obtain transparent information regarding the processing of their personal data, which is easily accessible and understandable and provided using clear and plain language.
4. Obligations of Processor
- Processor acts as a data processor under Applicable Law. Processor processes the Customer’s personal data on behalf of the Customer for the purposes of the Agreement in accordance with this DPA and the Customer’s documented instructions. Processor shall implement appropriate technical and organizational measures for ensuring the security of the processing and maintain appropriate documentation of these measures and processing activities.
- Processor commits to ensure that persons processing personal data under the authority and supervision of Processor have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and, in addition, that such persons shall process personal data only pursuant to this DPA, the Agreement and the Customer’s instructions.
- Processor commits to assist, to the extent possible, taking into account the nature of the processing operation, the Customer to ensure compliance with the Customer’s responsibility to respond to requests that concern the use of rights of data subjects by appropriate technical and organizational measures, and to inform the Customer about the requests received from the data subjects.
- Processor shall, upon request and to the extent possible, provide the Customer information necessary to demonstrate compliance with the obligations concerning the processing of personal data under this DPA. Processor shall allow the Customer either on their own or with a third-party auditor to conduct audits relating to processing of the Customer’s personal data in the presence of Processor. Such third-party auditor shall not be a competitor to Processor and must be approved by Processor prior to the audit. The Customer shall notify Processor in writing at least 30 days prior to the audit. Thereafter, the Parties shall mutually agree on the extent and timing of the audit, always conducted during Processor’s normal working hours. The audit may not interfere with Processor’s normal business activities, nor lead to breaches of confidentiality obligation of Processor towards third parties nor endanger Processor’s data security. The Customer shall bear all costs related to the audit.
- Processor shall, taking into account the nature of the processing and information available to Processor, assist the Customer in completing possible data protection impact assessments, notifications of personal data breaches and prior consultation requests to the extent they relate to the software service provided by Processor.
- After the end of the provision of Services under the Agreement, Processor commits to either delete or return all personal data to the Customer, based on the Customer’s choice. Processor deletes existing copies of personal data unless legislation requires longer storage of personal data.
- Processor commits to respond to notifications, complaints and other inquiries of the Customer without undue delay.
- Processor shall be entitled to invoice the Customer for costs incurred by the assistance measures performed under this Clause 4 in accordance with its then-valid price list.
5. Subcontractors of Processor
- Possible subcontractors used by Processor, which take part in the processing of the Customer’s personal data, also act as data processors on behalf of the Customer. By accepting this DPA, the Customer has provided a written authorization for the use of subcontractors. Processor shall have full responsibility for the actions and omissions of its subcontractors and shall ensure that the subcontractors comply with the data protection obligations of Processor under this DPA.
- Processor shall, as soon as reasonably possible, inform the Customer in writing of any intended changes concerning the addition or replacement of subcontractors, thereby giving the Customer an opportunity to object to such changes. The Customer shall have the right to object to such changes within fourteen (14) days after receipt of such notification by terminating this DPA and the Agreement. There will be no returns of payments made under the Agreement. If the Customer does not object to such changes within said time period, the Customer is deemed to have accepted the use of the new subcontractor.
6. Transfers of personal data
- Processor shall not transfer personal data to any third parties other than its approved subcontractors. Processor is entitled to transfer personal data outside the European Union or the European Economic Area, provided that Processor commits to ensure that Processor itself and its subcontractors transfer personal data in compliance with the Applicable Law.
7. Personal data breach notifications
- In the event of a personal data breach, Processor shall notify the Customer in writing without undue delay after having become aware of it.
- The personal data breach notification shall contain at least the following (to the extent the information is in the possession of Processor):
  - a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;
  - the name and contact details of the person responsible for the data processor’s data protection matters;
  - a description of likely consequences and/or realized consequences of the personal data breach; and
  - a description of the measures taken to address the personal data breach and to mitigate its possible adverse effects.
- Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
8. Limitation of Liability
- Liability of the Parties concerning administrative fines imposed by supervisory authorities or compensation claims presented by data subjects is determined in accordance with the stipulations of the Applicable Law.
- Processor shall not be responsible for any consequential or indirect damages. In any event Processor’s liability shall not exceed the amount paid by the Customer to Processor under the Agreement during a 6-month period preceding the occurrence of the damage.
9. Other terms
- This DPA replaces all other agreements and terms related to processing of personal data and information and data security in force between the Parties.
10. Applicable law and dispute resolution
- This DPA shall be governed by and construed in accordance with the laws of Finland without giving effect to its choice of law provisions.
- The dispute resolution clause in the Agreement shall be applied to this DPA.
11. Term and termination
- This DPA enters into force when the software is taken into use by the Customer and remains in force as long as Processor processes personal data as the Customer’s data processor.