Data processing addendum

This Data Processing addendum (the “DPA” or “Addendum”) is attached to and forms part of the Supplier General Terms and Conditions (the “Agreement”) between Valamis Group Ltd. (“Supplier”) and the customer (“Customer”).

1. Purpose of this data processing addendum

The Supplier is the owner, licensor and/or provider of certain software products and/or services which the Supplier has licensed and/or otherwise provides to the Customer.

This Addendum sets out the terms and conditions for the processing of personal data by the Supplier on behalf of the Customer.

For the purposes of this Addendum, the applicable data protection legislation shall mean the applicable laws and regulations in respect of processing of personal data, including but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”) as well as supplementary Finnish legislation.

2. Defined terms

Valamis Group Affiliate means any company or other legal entity that is directly or indirectly controlled by, under common control with, or controlling the Supplier, that may assist in the producing of the services and may be engaged in the processing of personal data. "Control" means, in respect of a company or other legal entity: (i) the holding of the majority of the voting rights in that company or other legal entity, or (ii) having the direct or indirect power to control the composition of the board of directors or other corresponding decision-making body of that company or other legal entity. “Controlled” shall be construed accordingly.

EU Standard Contractual Clauses (SCC’s) means the standard contractual clauses approved by European Commission for transfers of personally identifiable data from controllers in the EU to processors in third countries (Decision 2010/87/EU).

Terms such as "data controller", "processor", "data subject", "processing", "personal data" and "personal data breach" as well as other terms defined in the applicable data protection legislation shall have the meanings given to them in such legislation.

3. Obligations of the Supplier

  1. The Supplier acts as a data processor under applicable data protection legislation. The Supplier processes personal data controlled by the Customer (acting as a data controller) on behalf of the Customer according to separately agreed Customer’s documented instructions, unless required to do otherwise by laws applicable to the Supplier, in which case the Supplier shall inform the Customer of such conflicting obligations. Where, in the opinion of the Supplier, an instruction by the Customer infringes applicable legislation, the Supplier endeavors to inform the Customer of it.
  2. The Supplier shall implement appropriate technical and organizational measures for ensuring the security of the processing and shall maintain appropriate documentation of these measures and processing activities pursuant to applicable data protection legislation.
  3. The Supplier commits to ensure that the persons processing personal data under the authority and supervision of the Supplier have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, such persons shall process personal data controlled by the Customer only pursuant to this Addendum (including section 5 (Use of Data by the Supplier)), the Agreement and the separately agreed Customer’s instructions.
  4. Taking into account the nature of the processing and the information available to the Supplier, the Supplier reasonably assists the Customer in complying with the provisions of applicable data protection legislation on the data subject's rights by appropriate technical and organizational measures and informs the Customer about the requests received from the data subjects concerning personal data controlled by the Customer.
  5. The Supplier shall provide the Customer with information reasonably necessary to demonstrate compliance with the obligations concerning the processing of personal data on behalf of the Customer. If a third party is to conduct the audit, - which shall not be a competitor to the Supplier - the third party must be mutually agreed to by both parties and the auditor must execute a written confidentiality agreement acceptable to the Supplier before conducting the audit. To request an audit, the Customer must submit a detailed audit plan at least 4 weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit for review. The audit reports are confidential information of the parties under the terms of the Agreement.
  6. Taking into account the nature of processing and information available to the Supplier, the Supplier shall reasonably assist the Customer in ensuring compliance with the obligations of the Customer pursuant to Articles 32 - 36 of GDPR.

4. Obligations of the Customer

The Customer commits to ensure compliance with the controller’s obligations under the applicable data protection legislation. In particular, the Customer shall be responsible to ensure, inter alia, that:

  1. The Customer has the right to disclose personal data to the Supplier according to the purposes of the Agreement and this Addendum (including section 5 (Use of Data by the Supplier));
  2. There is a valid legal ground for the processing provided in applicable data protection legislation;
  3. The processing and purposes of the data collected or processed have been specified prior to the processing activities;
  4. The data collected is accurate, correct and necessary for each specific purpose of the processing, and no unnecessary data is collected;
  5. The Customer instructs the Supplier lawfully in the processing of personal data, incl. provides documented instructions regarding the processing of personal data;
  6. The Customer provides access rights to the persons designated by the Customer and removes access rights when they are no longer necessary and ensures the proper guidance and training of its users;
  7. Personal data has been protected against unauthorized access, and accidental or unlawful destruction, alteration, disclosure, transport or other unlawful processing;
  8. Personal data that are inaccurate or incorrect are rectified or erased without delay;
  9. Personal data that have become outdated or unnecessary will not be processed, but disposed of in a reliable manner, unless applicable laws require storage of the personal data;
  10. Data subjects have the opportunity to obtain transparent information regarding the processing of their personal data, which is easily accessible and understandable and provided using clear and plain language.

5. Use of data by the Supplier

The Customer hereby acknowledges and agrees that the Supplier may use any data, including personal data, relating to the use of the Supplier's services and/or products (including software) by the Customer (including the employees and other authorized users of the Customer) for the Supplier's product development and other purposes. Where reasonably possible, the Supplier shall endeavor to use the personal data in anonymous form. To the extent such data contains personal data and the Supplier uses the data for purposes independent from the DPA, the Supplier shall be considered to be the data controller with regard to such processing. Where relevant, the Customer agrees to reasonably assist the Supplier in ensuring compliance with the Supplier's obligations as a data controller, by e.g. providing information to its users on this processing, as further instructed by the Supplier.

6. Deletion of data

After termination or expiry of the Agreement, or upon the Customer’s request, the Supplier shall destroy or return to the Customer all personal data it is processing on behalf of the Customer pursuant to this Addendum and the Agreement.

This requirement shall not apply to the extent that Supplier is required by any applicable law to retain some or all of the personal data, or in situations where the Supplier is considered to be the data controller with regard to such personal data. For the avoidance of doubt, this obligation shall also not be applicable to situations where the Supplier is processing personal data as referred to in section 5 (Use of data by the Supplier) above.

7. International transfers

The parties agree that (a) the Supplier may transfer personal data outside of the European Economic Area (EEA), provided that it has taken such measures as are necessary to ensure that the transfer is made in compliance with applicable data protection legislation, and (b) the Supplier shall have the right to enter into the EU Standard Contractual Clauses on behalf of and in the name of the Customer with the sub-processors of the Supplier, if considered necessary by the Supplier to ensure that such personal data transfers are made in compliance with applicable laws.

8. Sub-processors

The Supplier may need to engage sub-processors to provide services and support to the Customer. The Customer hereby gives its specific consent to the Supplier´s use of Valamis Group Affiliates as its sub-processors. In addition, the Customer hereby gives its general consent to the Supplier´s use of other sub-processors on following conditions:

  1. The Supplier will provide the Customer with a list of sub-processor(s) used in the processing of personal data on behalf of the Customer
  2. The Supplier will inform the Customer in advance of any change in the sub-processors and give the Customer an opportunity to object to such change. The Customer must respond to the Supplier's notice about the change promptly and in any case no later than 14 days after receipt of the Supplier's notice. The Customer may not unreasonably object the use of a sub-processor.
  3. If the Customer objects to such change, the Supplier shall have the right to terminate such part of the Agreement to which the sub-processing would relate to by giving thirty (30) days’ prior written notice.
  4. The Supplier will require sub-processors to conclude a written agreement and to comply with the data protection, security and confidentiality obligations applicable to the Supplier under this Addendum and Agreement or obligations which provide for the same level of data protection.
  5. The Supplier remains responsible to the Customer for the performance of its sub-processors as for its own.

9. Security Incidents and Data breach

  1. The Supplier shall notify the Customer without undue delay upon becoming aware of a personal data breach affecting the Customer’s personal data.
  2. The Supplier shall reasonably co-operate with the Customer and take such commercially reasonable steps as are reasonably required by the Customer to assist in the investigation, mitigation and remediation of each such personal data breach.

10. Limitations of liability

The Supplier shall not be liable for any indirect and/or consequential damages and/or losses. The Supplier's total aggregate liability under or in relation to this DPA shall always be limited to 100 000 euros.

11. Other terms

  1. The Supplier shall have the right to charge the Customer for any activities performed under or in relation to this DPA in accordance with its then current hourly rates or other price list.
  2. This Addendum supersedes and replaces all prior data processing agreements between the Parties.
  3. In other respects, the terms of the Agreement shall be applied to this Addendum.
  4. This Addendum shall be governed and construed in accordance with the laws of Finland, excluding its choice of law provisions. Any dispute arising out of or in connection with this Addendum shall be settled in accordance with the dispute resolution provision in the Agreement. If no such dispute resolution provision is agreed in the Agreement, any dispute, controversy or claim arising out of or relating to this DPA, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce. The number of arbitrators shall be one and the seat of arbitration shall be in Helsinki, Finland.