DAYRADAR – GENERAL PERSONAL DATA PROCESSING CONDITIONS
This agreement annex “General personal data processing conditions” is part of the service agreement (hereinafter: Agreement) between the Customer and DayRadar.
This agreement annex shall define the terms and conditions for the personal data processing and data protection for the Customer and DayRadar under which DayRadar, on the Customer’s mandate, processes personal data on behalf of the Customer in addition to the terms and conditions in the Agreement. However, if DayRadar is a legal employer for the employees of the Customer and therefore DayRadar generates an employment relationship register, DayRadar shall in this regard act as a registrar under the personal data processing and data protection act.
The Parties shall undertake to comply with applicable personal data processing and data protection legislation and furthermore, the Parties shall undertake to bring the personal data processing and data protection to the level required by the EU General Data Protection Regulation (EU) 2016/679 by May 25, 2018, when application of the General Data Protection Regulation begins.
It is acknowledged for the sake of clarity that DayRadar may collect and process Customer-related personal data for its own purposes, such as customer relationship management and invoicing. In these cases, DayRadar shall act as the registrar of such personal data. This annex shall not apply to the aforementioned processing, which is described in the registry description of DayRadar.
DayRadar shall have the right to collect anonymous and statistical data of the services according to the Agreement, which cannot be used for identifying the Customer or the persons in the registry, and use it for analysing and developing its services.
If the terms and conditions regarding the processing of personal data of this annex and the Agreement are incompatible, the Parties shall primarily apply the terms of this annex.
The Customer shall act as the registrar defined in the personal data processing and data protection legislation, which defines the purposes and means of processing personal data.
DayRadar shall act as the handler defined in the personal data processing and data protection legislation, who processes the personal data on behalf of the Customer. The subcontractors used by DayRadar in accordance with the Agreement and this annex, who are involved in the processing of the personal data of the Customer, shall also act as handlers on behalf of the Customer. If the supplier is a group, the obligations of this agreement annex shall apply to all members of the group and its subcontractors participating in the processing of personal data.
DayRadar shall only act as a registrar under the personal data processing and data protection act, which defines the purposes and means of processing personal data, if DayRadar is a legal employer for the employees of the Customer, and therefore DayRadar generates an employment relationship register. As far as the Customer uses the personal data of the employees of DayRadar for the purposes required by its business, the Customer shall have the responsibility of a registrar as defined in the legislation regarding the processing of personal data and data privacy.
The Customer shall undertake to fulfil the obligations of a registrar in accordance with the personal data processing and data privacy legislation. The Customer shall ensure that it has a legitimate basis to process the personal data, in which DayRadar is participating, in accordance with the personal data processing and data protection legislation. The Customer shall be responsible for the preparation and publication of a description of the processing of personal data as well as for informing the persons included in the registry about the processing of personal data.
The subject, nature and purpose of the processing of personal data and the types of personal data and groups of registered persons, as well as the responsibilities and rights of the Registrar and Handler shall be described in the Agreement, in the documentation prepared during the contractual service binding DayRadar or other Customer’s instructions. DayRadar shall undertake to comply with the terms and conditions regarding the processing of personal data of the Agreement, documentation and instructions, unless they are unlawful. In this case, DayRadar may notify the Customer of the unlawfulness and immediately discontinue the processing of personal data. The Customer shall be responsible for the availability and updates of instructions.
If no description has been made in accordance with the preceding paragraph or it is incomplete, the Customer shall prepare or supplement the description in cooperation with DayRadar, if necessary. DayRadar shall notify the Customer if the instructions provided are inadequate or if DayRadar suspects they are unlawful.
3 Subcontractors processing personal data
DayRadar shall have the right to use subcontractors for processing the personal data of the Registrar. DayRadar shall be responsible for subcontractors’ activities and prepares written agreements with them on the processing of personal data. If the Customer reasonably considers that a subcontractor of DayRadar does not fulfil its data privacy obligations, the Customer shall have the right to require DayRadar to change subcontractors.
DayRadar shall keep an up-to-date list of its subcontractors at www.DayRadar.fi/privacy/alihankkijat. When DayRadar makes changes to the list, it is updated to the website and marked with the date of the update. The Customer shall have the right to oppose the use of a new subcontractor for a justified reason. If the Parties do not reach agreement on the use of a new subcontractor, the Customer shall have the right to terminate the Agreement in accordance with the validity and termination terms specified therein.
4 General obligations of the personal data handler
The personal data handler processes personal data in accordance with the Agreement and the Customer’s instructions.
The personal data handler undertakes to ensure that any person under his or her authority who is entitled to handle personal data is committed to its confidentiality or is subject to the appropriate legal confidentiality obligation.
In addition to the provisions of the Agreement on the personal data protection, information security and confidentiality of the data, the personal data handler shall undertake to take appropriate technical and organisational measures to ensure the level of security, taking into account the latest technology and implementation costs, the nature, scope, context and purpose of the processing, as well as the risks of varying probabilities to the rights and freedoms of natural persons and to follow the Customer’s instructions and any updates to the Customer’s instructions.
The personal data handler shall also take measures to ensure that any natural person under his or her authority with access to the personal data processes the data solely in accordance with the terms of the Agreement and the Customer’s instructions.
The personal data handler shall undertake, without undue delay, to notify the Customer of any requests received from registered persons regarding the use of the rights of registered persons in the existing legislation and EU data protection regulation.
The personal data handler shall undertake to assist the Customer with appropriate technical and organisational measures so that the Customer is able to fulfil its duty to respond to requests for the use of the rights of registered persons. The personal data handler shall understand that requests for using these rights may require him or her to provide information and communication to the registered person, arrange access rights for the registered person, correct or delete personal data, arrange restrictions to the processing and/or transfer the personal data from one system to another. Unless these tasks have been included in the services and costs under the Agreement, DayRadar shall be entitled to charge reasonable labour costs as defined in the Agreement.
DayRadar shall ensure that the personal data processed by it are in a generally used and machine-readable form so that they can be automatically removed from the system for transfer to another system.
The personal data handler undertakes, if necessary, to assist the Customer in the performance of a data protection impact assessment in accordance with the EU General Data Protection Regulation, in any prior hearings and in obtaining any data protection certification. DayRadar shall be entitled to charge reasonable labour costs of such assistance to the Customer, as defined in the Agreement.
At the Customer’s discretion, the personal data handler shall undertake to remove or return all of the Customer’s personal data after the provision of the related processing services and to remove existing copies, unless the legislation of the EU or the member state requires the retention of personal data. The Customer may give more detailed instructions to the personal data handler in this regard, which the data handler shall duly follow.
The personal data handler may not pass personal data outside the EU or the EEA unless it complies with the procedure described in this section. The transfer of personal data to third countries may be effected by an appropriate transfer agreement in accordance with the template clauses currently in force at the EU Commission and / or any other personal data transfer requirements at that time. As for the transfer of personal data to the United States, the transfer of data to a transferee registered in the Privacy Shield system is deemed appropriate.
The Customer or an auditor appointed by the Customer (excluding competitors of DayRadar) shall have the right to audit the activities under this annex. An audit or other inspection shall be performed in a timely and cost-effective manner without any unnecessary interference to the day-to-day operations of DayRadar. The Parties agree on the date and other details of the audit in good time and at least 14 days before the audit. Auditing shall be carried out in a manner that does not interfere with the commitments of DayRadar and its subcontractors with respect to third parties. The representatives of the Customer and the auditor shall sign common non-disclosure agreements.
The Customer shall be responsible for all the costs of the audit. DayRadar shall have the right to invoice the Customer for the time and resources spent on the audit. If the audit reveals significant shortcomings in DayRadar’s operations, DayRadar shall bear all costs of the audit.
6 Security breaches
The personal data handler shall notify the Customer without delay in writing of any personal data security breach.
Upon the Customer’s request, DayRadar shall provide without delay any relevant information of the data security breach. Insofar as this information is available to DayRadar, the notice shall contain at least the following:
- a description of the personal data breach, including, where possible, the relevant registered groups and estimated number of entries as well as the categories of personal data and the estimated number of entries;
- a description of the likely consequences of the personal data breach;
- a description of the measures that the personal data handler proposes or has taken in response to the personal data breach and, where appropriate, measures to mitigate the possible impact.
The Customer shall be responsible for the necessary notifications to the data protection authorities.
7 Other terms
If a breach of the EU General Data Protection Regulation or this annex incurs any material or non-material damage to a person, DayRadar shall be liable for damages only in so far as it has not specifically complied with the obligations set out in the EU General Data Protection Regulation or this annex. In other respects, the Parties’ liability shall be determined by the Agreement.
Each Party shall be liable to pay damages or administrative fines only for the part corresponding to its liability for the damage sustained, as determined by the final decision of the data protection authorities or the court, and in any case at most to the extent provided in the Agreement.
DayRadar shall notify in writing any changes that may affect its ability to comply with this annex and the written instructions provided by the Customer. All additions and modifications to this annex shall be made in writing.
The annex is valid:
- as long as the Agreement is valid;
- as long as the Parties have obligations arising from the processing of personal data towards each other.
Obligations which, by their nature, are intended to remain in force irrespective of the expiration of this Annex, shall remain in effect.
Applicable laws shall be applied in this annex and any disputes shall be settled in accordance with the provisions of this Agreement.