Data Processing Agreement

ANNEX TO THE LICENSE AGREEMENT: DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the Access Agreement between Aksios Corporation Oy (business ID 1860232-5, Valimotie 13 A, 00380 Helsinki, Finland) (“Supplier”) and the Customer (“Data Controller”).

  1. Definitions

“Customer” means the customer who has purchased the right to use the software/application and accepted the License Agreement.

“Sub-processor” means a processor who processes the personal data covered by the License Agreement, in whole or in part, on behalf and for the account of the processor.

“Personal Data” means any data relating to an identified or identifiable natural person.

“Processor” means Aksios, which processes the Personal Data during the term of the Software/Application License Agreement acquired by the Customer.

“Processing” means any operation or operations, which are performed on personal data or on sets of data containing personal data, whether by automatic or manual means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Software” means the software version of Aksios’ off-the-shelf software purchased by the Customer.

“Parties” means Aksios and Customer collectively, each “Party.”

“Controller” means the Customer, who determines the purposes and means of the processing.

“Data Protection Legislation” means the General Data Protection Regulation of the European Union (Regulation 2016/679 EU) and the data protection laws applicable to the License Agreement and to the processing under this DPA from time to time in force.

“Delivery” means the commencement of use of the Software.

“License Agreement” means the agreement between the Supplier and the Customer for the use of software.

  2. Subject matter and purpose of the Agreement

2.1 This DPA applies to every processing of personal data under the License Agreement.

2.2 This DPA constitutes a binding contract between the parties for the processing of personal data as required by data protection legislation.

2.3 The processing carried out by the Processor is limited to the processing activities and software functionalities provided for in the License Agreement. The controller determines the type and amount of personal data to be processed in the software, the categories of data subjects and the purposes and means of the processing of personal data.

  3. Rights and obligations of the processor

3.1 The processor undertakes to comply with the obligations imposed by data protection legislation and good data processing practice when processing personal data.

3.2 The Processor is obliged to process the personal data stored in the Software in accordance with the documented, lawful and reasonable instructions provided by the Controller. For the sake of clarity, the controller shall always be deemed to have instructed the processor to carry out the processing operations under the License Agreement. In the event of a conflict between the controller’s instruction and a legal requirement under data protection law, the processor is obliged to comply with the legal requirement under data protection law in the first instance, in which case the processor shall inform the controller of this legal requirement, provided that such information is not prohibited by data protection law.

3.3 The Processor shall ensure that persons that are entitled to process personal data on behalf of the Processor are bound by an obligation of confidentiality, or are subject to an appropriate legal obligation of confidentiality which shall survive the termination of the access agreement.

3.4 The Processor shall ensure that the Personal Data is not disclosed to third parties without the prior written consent of the Controller, unless the Processor is under an obligation to disclose the data pursuant to mandatory law or an order of a public authority.

3.5 The Processor undertakes, where possible and taking into account the nature of the processing, to assist the Controller by appropriate technical and organizational measures to fulfil the Controller’s obligation to respond to data subjects’ requests to exercise their rights under data protection law.

3.6 The processor undertakes, taking into account the nature of the processing and the information available to the processor, to assist the controller in ensuring compliance with its obligations under data protection legislation. For the sake of clarity, the processor is only obliged to assist the controller to the extent required by data protection legislation or other mandatory legislation.

3.7 The processor shall keep the necessary records of the processing operations and make available to the controller all information necessary to demonstrate compliance with the obligations imposed on the processor in accordance with data protection legislation.

3.8 Unless otherwise agreed, the Processor shall be entitled to charge the Controller for the costs of the activities described in paragraphs 3.5 and 3.6 above.

  4. Obligations of the controller

4.1 In using the Software, the Controller undertakes to comply with the obligations imposed by data protection legislation and other mandatory legislation and to observe good data processing practice in the processing of personal data.

4.2 The controller is obliged to provide the processor with comprehensive and lawful processing instructions in a documented form. Any instructions that deviate from the Access Agreement must always be agreed separately in writing between the parties, and the processor may charge the controller separately for their implementation.

4.3 The Controller is responsible for ensuring that all data subjects whose personal data are processed by the Software are provided with the information required by data protection legislation and that the processing of personal data, including any transfer of personal data to the Processor required for the use of the Software, is lawful throughout the term of the License Agreement and this DPA.

4.4 Prior to entering into the License Agreement and this DPA, the Controller shall ensure that the processing of personal data under this DPA complies with the requirements for the processing of personal data imposed on the Controller, including security requirements.

  5. Security of processing and personal data breaches

5.1 The processor shall implement and maintain appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to personal data.

5.2 The Processor undertakes to notify the Controller without undue delay of any personal data security breach detected by the Processor or its subcontractor affecting personal data processed under the Access Agreement. Unless otherwise agreed by the parties, the notification shall be made to the contact person designated by the controller.

  6. Subcontractors

6.1 The Processor shall ensure that any subcontractors it uses undertake to process personal data in accordance with data protection legislation, this DPA and the instructions provided by the Controller.

6.2 The Processor shall be entitled to use subcontractors for the processing of personal data under this DPA. The Processor undertakes to enter into a written agreement with subcontractors when using subcontractors for the processing under this agreement. The processor shall be responsible for the fulfillment of the obligations of the subcontractors it uses vis-à-vis the controller under the DPA.

6.3 The Processor shall inform the Controller in advance of any planned changes concerning the addition or replacement of subcontractors. If the Controller does not accept the planned change, and the change of a subcontractor affects the processing of personal data under the License Agreement, the Processor shall be entitled to terminate the License Agreement subject to a ten (10) day notice period.

  7. Transfer of personal data outside the EU or EEA

7.1 The Processor may transfer Personal Data outside the European Union (“EU”), the European Economic Area (“EEA”) or other countries that have been recognised by the European Commission as providing an adequate level of data protection (collectively, the “Recognised Territories”) in accordance with the terms of the License Agreement. The Processor will comply with any requirements imposed by supervisory authorities or other authorities as a condition for obtaining regulatory approval to transfer personal data outside the Recognised Territories.

7.2 Prior to transferring Personal Data outside the Recognised Territories, the Processor will implement the appropriate safeguards required by the Data Protection Legislation and, where necessary, enter into a contract with the subcontractor it uses for the transfer of Personal Data using the Model Contractual Clauses approved by the European Commission (“Model Contractual Clauses”). The controller authorizes the processor to enter into an agreement with a subcontractor established outside the Recognised Territories on behalf of the controller to apply the Model Contractual Clauses.

  8. Auditing

8.1 The Controller shall have the right, at its own expense, to audit the Processor’s activities under the DPA (“Audit”). The Controller shall also reimburse the Processor for any costs incurred by the Processor in connection with the Audit.

8.2 The Parties shall agree on the timing and other details of the audit well in advance of the audit. All persons participating in the audit shall sign the confidentiality undertaking required by the Processor in favor of the Processor. Unless otherwise required by data protection legislation, the controller shall be entitled to carry out a maximum of one audit per twelve (12) month period.

  9. Responsibility

9.1 The parties are responsible for fulfilling their obligations under the Data Protection Legislation, other mandatory legislation and this DPA in their respective activities. Each Party shall therefore be liable for any administrative fines imposed by a supervisory authority or damages awarded by a competent court in response to claims by data subjects or other third parties which, in the opinion of the relevant authority or court, are the result of an act or omission by a Party in breach of its obligations under data protection legislation, other mandatory legislation or this DPA. In all other respects, the liability between the parties shall be governed by the liability and limitation of liability provisions agreed in the License Agreement.

  10. Duration and termination of the agreement

10.1 This DPA shall remain in force for as long as the License Agreement remains in force or until the Processor terminates the Processing, whichever is the later.

10.2 Upon termination of the License Agreement, the Processor undertakes, in accordance with the Controller’s instructions, to delete or return all Personal Data to the Controller and to delete any existing copies, unless an applicable mandatory law requires the retention of the Personal Data. The deletion and return policy may be further agreed between the parties. In any case, the Processor shall have the right to delete the Personal Data without prior notice no later than three (3) months after the expiry of the Access Agreement.