3 Definitions

“Processor”      
means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, i.e. Supplier.

“Personal Data Breach”   
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Processing”     
means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Law” and “Laws”               
means the European Union’s General Data Protection Regulation (679/2016) and other applicable data protection regulations in force in Finland.

“Service” or “Services”     
means the Supplier’s service obligations as defined in the Agreement.

“Controller”      
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by the European Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by the European Union or Member State law. The Customer is the Controller.

“Data Subject”
is defined above with the definition of “Personal Data”.

“Agreement” 
means the contract to which this Appendix is attached or to which this Appendix otherwise applies.

4 Use of subcontractors

  • 4.1 The Customer hereby gives general written consent for the Supplier to use the services of other Processors, i.e. the Supplier’s subcontractors, in the Processing of Personal Data.
  • 4.2 When the Supplier uses the services of other Processors to perform specific processing functions on behalf of the Customer, such Processors are subject to the same privacy obligations as described in this Appendix.

5 Customer’s obligations

  • 5.1 The Customer acts as the Controller regarding all Personal Data. The Customer’s responsibilities include making sure that all Personal Data is accurate and that the Supplier and Supplier’s subcontractors have the right to Process Personal Data. The Customer is responsible for ensuring that Personal Data submitted to the Supplier or its subcontractors is in compliance with the personal data legislation and has been disclosed to the Supplier and the subcontractors in accordance with the personal data legislation.

6 Data security

  • 6.1 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the Processing, the Customer and Supplier shall implement appropriate technical and organisational measures to guarantee a level of data security appropriate to the risk as agreed with the Customer, such as
      a) pseudonymisation and encryption of the Personal Data as agreed with the Customer;
      b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
      d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

7 Procedures in the event of a breach

  • 7.1 The Supplier must, without undue delay after having become aware of it, submit a personal data breach notification to the Customer.

8 Transfer of Personal Data to third countries

  • 8.1 The Supplier transfers Personal Data to the United States from the European Economic Area on the basis of EU Commission Model Clauses or the EU-US Privacy Shield.

9 Other terms and conditions

  • As these privacy rules are part of the Agreement, the other terms and conditions to the Agreement are also applicable to these privacy rules.