Data Processing Agreement
1. PARTIES
1.1
Name: People Cloud Oy (hereinafter “Processor”)
Business ID: 2940913-3
Address: Sisämaantie 35 B, 02780 Espoo, Finland
1.2
The party who has concluded the Agreement with the Processor on the use of the Processor’s Service (hereinafter “Controller” or “Customer”)
2. DEFINITIONS
2.1
“Agreement” means the main agreement between the Parties that includes this Data Processing Agreement.
2.2
“Data Processing Agreement” means this agreement.
2.3
“Data Protection Laws” means the Finnish Data Protection Law, General Data Protection Regulation of the European Parliament and of the Council (679/2016) and any other data protection legislation in force and any legally valid instructions or orders given by the data protection authorities.
2.4
“Party” or “Parties” means the Controller and/or the Processor.
2.5
“Personal Data” means any information relating to an identified or identifiable natural person for which the Controller or the Controller’s customer or another affiliate acts as the controller. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.6
“Service” means the SaaS service offered by the Processor and used by the Controller.
2.7
“Supplier” means a Customer who supplies its employees’ data to the Service for Utilizers.
2.8
“Utilizer” means a Customer who utilizes the expertise of the Supplier’s employees.
3. SUBJECT-MATTER AND DURATION OF THE PROCESSING
3.1
The Parties agree in this Data Processing Agreement on the terms and conditions of the processing of Personal Data that stem from the Agreement.
3.2
The Agreement includes the processing of Personal Data the Controller is in charge of.
3.3
The Processor has the right to process the Personal Data for as long as the Agreement is in force, unless the Controller decides otherwise.
4. NATURE AND PURPOSE OF THE PROCESSING
4.1
The purpose of the Service is to enable (i) the Utilizers to employ the employees of the Suppliers and (ii) the Suppliers to offer their employees for the Utilizers through a SaaS service.
4.2
The Processor processes Personal Data only when and if the Controller discloses such data to the Service.
5. TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
5.1
The categories of data subjects consist of:

Customer    Category of data subjects
Supplier    Persons using the Service on behalf of the Supplier
            Employees of the Supplier
Utilizer    Persons using the Service on behalf of the Utilizer
5.2
The register, which consists of the Personal Data, may include (i) contact data, (ii) employment data, (iii) registration information, (iv) information regarding customer relationships and (v) possible other data the Controller discloses to the Service.
6. OBLIGATIONS AND RIGHTS OF THE CONTROLLER
6.1
The Processor shall process the Personal Data according to the Data Protection Laws and by following good data processing practices, other relevant legislation and compulsory guidance of the authorities.
6.2
The Controller reserves the right to monitor the Personal Data.
6.3
The Controller reserves the ownership of the Personal Data and any immaterial rights and other rights relating to the Personal Data, unless the Controller notifies the Processor that such ownerships belong to the Controller’s customer or another affiliate company.
7. INSTRUCTIONS FROM THE CONTROLLER IN REGARD TO THE PROCESSING OF PERSONAL DATA
7.1
The Processor is not allowed to process the Personal Data for any other purposes than what the Parties have specifically agreed on in the Agreement.
7.2
When processing the Personal Data, the Processor has an obligation to follow the Data Protection Laws.
7.3
The Controller gives the Processor a general permission to hand over, transfer or in any similar way process Personal Data outside the EU/EEA. Upon such processing, the Processor has an obligation to follow the Data Protection Laws, the instructions of the Controller and the Agreement (including this Data Processing Agreement). If any of the prerequisites of the approval cease to exist, the Processor has an obligation to immediately: (i) perform an action that ensures the lawful processing of the Personal Data and that the processing is conducted according to the instructions given by the Controller and the Agreement; or (ii) cease the transfer of Personal Data outside the EU/EEA and return the Personal Data transferred outside the EU/EEA to the Controller.
8. CONFIDENTIALITY
8.1
The Processor is under an appropriate statutory obligation of confidentiality when it processes Personal Data.
9. SECURITY OF PROCESSING
9.1
Taking into account the risks related to the nature of the Agreement, the Processor ensures appropriate technical and organizational measures when it processes Personal Data. Those measures shall especially aim to prevent the accidental, unauthorized or unlawful processing of Personal Data, monitor the processing, disappearance, destruction, alteration or impairment of Personal Data and prevent unauthorized access to the Personal Data.
9.2
The Processor shall ensure that its employees do not process the Personal Data against the instructions given by the Controller.
9.3
In the case of a personal data breach, the Processor shall immediately notify the Controller of the personal data breach. In addition, the Processor shall, not later than 24 hours after having become aware of the data breach, provide the Controller with all relevant information relating to the data breach (for example descriptions of the security breach, the consequences of the breach and the actions that have been taken by the Processor as a result of the security breach). The Controller needs such information to meet its statutory obligations, investigate the matter, prevent similar violations and make legal notifications. The Processor has the obligation to present the Controller with any relevant information the Controller requires from the Processor in the case of the data breach.
10. SUBPROCESSORS
10.1
The Processor has a right to use other processors (e.g. cloud services providers) (hereinafter “Subprocessor”) to process Personal Data.
10.2
Subprocessors shall be under the same obligations as the Processor.
11. OBLIGATION OF THE PROCESSOR TO ASSIST THE CONTROLLER
11.1
The Processor shall without delay assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the rights of its data subjects. Upon written request from the Processor, the Controller shall without undue delay reimburse the Processor for any costs arising from this Section 11.1.
11.2
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the Processor.
12. DELETION OR RETURN OF THE PERSONAL DATA
12.1
After the Agreement is no longer in force, the Processor and its subcontractor shall return, at their own expense and without delay, the Personal Data to the Controller. If the return of Personal Data is not possible, then the Parties must agree on the destruction of the material in a separate agreement.
13. CONTROLLER’S DEMONSTRATION OF COMPLIANCE
13.1
Upon a written request of the Controller, the Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
13.2
Upon written request from the Processor, the Controller shall without undue delay reimburse the Processor for any costs arising from this Section 13.
14. RECORDS OF PROCESSING ACTIVITIES
14.1
The Processor shall keep records (hereinafter “Records”) of its processing activities that relate to this Agreement and the processing of Personal Data. The Records must have at least the following information:
(a) the name and contact details of the Processor and, if possible, the name and contact details of the Processor’s data protection officer;
(b) the description of the processing activities of the Personal Data conducted on behalf of the Controller and the categories of data subjects and personal data;
(c) if the Personal Data is transferred outside the EU/EEA, the information of the transfer and a demonstration that the transfer was conducted according to the Data Protection Laws; and
(d) a description of the technical and organizational measures taken.
15. INDEMNITY AND LIABILITY
15.1
Each party hereby indemnifies the other party against any and all losses, damages, liabilities, claims, penalties, fines, awards, costs and expenses (including reasonable legal fees) caused by any breach of the warranties contained in this Data Processing Agreement.
15.2
The Controller has an obligation to defend the Processor where a claim is filed against the Processor on the basis of the Processor’s processing activities relating to the Personal Data. The Processor has the aforementioned obligation if the Controller informs the Processor of the matter in a written form and without undue delay.
15.3
The Parties’ liability for damages shall be determined on the basis of the General Data Protection Regulation (679/2016).
16. MISCELLANEOUS
16.1
If there is a conflict between the Data Processing Agreement and the Agreement, the terms of the Data Processing Agreement shall prevail.
16.2
If there exist any discrepancies between the English and Finnish Data Processing Agreements, the English version shall prevail.
16.3
A Party has a right to transfer the Data Processing Agreement and all or a part of its rights and obligations derived from the Data Processing Agreement to third parties without a prior written approval of the other Party.
16.4
If any court of law, having the jurisdiction to decide on this matter, rules any provision of the Data Processing Agreement invalid, then that provision will be removed from the Data Processing Agreement without affecting the rest of the Data Processing Agreement. The remaining provisions will continue to be valid and enforceable.
16.5
The Data Processing Agreement is governed by the laws of Finland without regard to its rules and principles on conflict of laws.
16.6
Any dispute arising between the Parties out of, or in connection with, the Data Processing Agreement, its validity, interpretation or performance shall be finally settled in accordance with the Arbitration Rules of the Finland Chamber of Commerce in Helsinki, Finland. The arbitration tribunal shall consist of one (1) arbitrator. The language of the arbitration shall be English or Finnish.