APPENDIX 1 Data Processing Agreement
Last Updated: November 24, 2023
Data Processing Agreement
In addition, Data Processing Agreement (“DPA”) is entered into by the entities. The entity you represent (“Customer”, “you”, or “your”) and Monitzion Oy (“Monitzion”, “Supplier”, “we”, “us”, or “our”) and collectively as “Parties” in connection with the Services the Supplier provides to the Customer under the Agreement.
Unless otherwise expressly agreed herein, the definitions set forth in the Agreement shall apply. In case a definition provided in this DPA, and a definition provided in the Agreement, the definition provided in this DPA shall prevail (and where the context so admits the singular shall include the plural and vice versa).
“Data Protection Regulation” means the applicable laws relating to protection of personal data, including without limitation the laws implementing EU Directive 95/46/EC EU and Directive 2002/58/EC, the GDPR and any amendments thereto.
“Data Subject” means a natural person whose Personal Data is processed by Supplier under the Agreement and this DPA.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 and any amendments thereto.
“Personal Data” means any information relating to an identified or identifiable natural person, and which Supplier is processing under the Agreement or otherwise, and of which Customer is a Controller.
“Personal Data Breach” means a breach of security leading to destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, which is adverse to this DPA or Data Protection Regulation or otherwise unlawful.
“Services” means the services, systems, any deliverables, and other activities supplied by or on behalf of Supplier to the Customer pursuant to the Agreement.
“Standard Contractual Clauses” or “SCCs” means the contractual clauses issued by the European Commission by the decision 2010/87/EU for international transfers of Personal Data, and any amendments thereto.
“Controller”, “Processor”, “Process”, “Processing” and “Supervisory Authority” shall have the meaning set forth in the GDPR.
This DPA sets out the terms and conditions for the Processing of Personal Data by Supplier on behalf of the Customer under the Agreement for the purpose of providing the Services to the Customer (the “Purpose”).
The subject matter of the Processing is the Customer’s Personal Data as set out in the Agreement, this DPA and other appendices.
Personal Data may comprise of:
- Customer’s Personal Data; or
- Customer’s Clients’ and/or Partners’ Personal Data
Personal Data may include also other types of data if required by the Purpose of the Processing agreed between the Parties.
To the extent Supplier processes Customer’s Personal Data under the Agreement, the Parties acknowledge that the Customer acts as the Controller and Supplier is the Processor Processing Personal Data on behalf of the Customer. By uploading and storing data on our Services you acknowledge and agree that Monitzion shall act as a data processor regarding the data. To the extent Supplier processes Customer’s Client’s and/or Partner’s Personal Data under the Agreement, the Parties acknowledge that the Client and/or the Partner acts as the Controller, the Customer as a Processor and Supplier as a sub-Processor Processing Personal Data on behalf of the Customer.
Supplier shall process Personal Data in compliance with Data Protection Regulation and the documented instructions in this Agreement, unless prescribed otherwise by a provision of Data Protection Regulation applicable to Supplier. Supplier shall be responsible for complying with Data Protection Regulation and requirements applicable to Processors and/or sub-Processors relating to its Services.
Supplier shall ensure that members of Supplier ‘s staff and/or its subcontractors with access to Personal Data have committed to an appropriate confidentiality obligation and reasonable measures for data security.
The Supplier shall implement and maintain appropriate technical and organizational measures to protect the Personal Data as Processor, considering:
- the costs of implementation and the nature, scope, context, and purposes of Processing as well as the varying risk and severity for the rights and freedoms of natural persons, and
- the risks that are presented by the Processing in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.
Supplier agrees to, considering the information available to Supplier, provide all reasonable assistance to the Customer in responding to requests for exercising the rights of Data Subjects. If only Supplier has the access to the information required in Supplier’s systems and/or services, Supplier will provide, at its own expense, all necessary assistance required to the Customer in responding to requests for exercising the rights of Data Subjects.
Supplier shall, considering the information available to Supplier, provide reasonable assistance to the Customer in ensuring the Customer’s compliance with its obligations set out in Data Protection Regulation relating to data security and data protection impact assessments.
Supplier shall make available to the Customer all information necessary to demonstrate compliance with obligations set out in this DPA and in Data Protection Regulation. The Customer shall keep all such information confidential.
Supplier shall have the right to charge the Customer for reasonable costs and expenses that were incurred because of assisting the Customer to comply with Customer’s obligations.
Supplier shall implement technical and organizational measures to ensure an appropriate level of security to protect Personal Data against unauthorized access and loss, destruction, damage, alteration or disclosure, or against other unlawful Processing.
Supplier shall notify the Customer of all Personal Data Breaches without undue delay, and in due course considering the set timelines by legislation, after Supplier has become aware of the Personal Data Breach. The Personal Data Breach notification shall contain the following, and any other information required by authorities at the point of time:
- description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;
- name and contact details of the contact person of Supplier handling the Personal Data Breach;
- description of likely consequences and/or realized consequences of the Personal Data Breach; and
- description of the measures Supplier has taken to address the Personal Data Breach and to mitigate its adverse effects.
After Supplier has become aware of the Personal Data Breach, Supplier shall ensure security of Personal Data and take appropriate measures to ensure protection of Personal Data in cooperation with the Customer. Supplier shall document Personal Data Breach and disclose the documentation to the Client. If it is not possible to provide the information listed at the same time, the information may be provided in phases.
Supplier shall have the right to use subcontractors in Processing Personal Data. Supplier shall take appropriate measures to ensure that its subcontractors are subject to equivalent requirements regarding confidentiality and security, as set out in this DPA. Supplier is responsible for the performance of its subcontractors as it is responsible for the performance of its own obligations.
Supplier or its subcontractors shall not transfer Personal Data outside of the European Economic Area without agreeing on it beforehand with the Customer and without complying with the statutory requirements regarding the transfer of Personal Data outside of the European Economic Area.
Supplier shall be liable under this DPA where it has not complied with the obligations of the GDPR directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller. Supplier’s total aggregate liability are subject to the limitations of liability in the Agreement entered into between the Parties.
The Parties agree that when the Customer requests for an audit an independent auditor may audit Supplier’s compliance with obligations set out in this DPA for Customer to ensure that Supplier has fulfilled the obligations set out in this DPA. The Customer has the right to request an audit prescribed in this section once every twelve (12) months.
Supplier shall assist the Customer and the third party in conducting the audit with reasonable measures. The Customer shall bear the reasonable costs and expenses incurred by Supplier, the Customer and the third party in connection with the audit.
If the audit reveals shortcomings, Supplier shall correct such shortcomings without delay or at the latest within thirty (30) days of a written notice from the Partner at its own expense, unless the Parties agree otherwise. Any material shortcomings that pose an obvious threat to data security shall be rectified without delay.
The DPA shall continue in force during the term of the Agreement. In the event of termination of the Agreement, the Supplier shall have the right to delete and destroy the Personal Data processed. In case the Customer demands that the Personal Data is returned to the Customer or to a third party, the Customer shall pay Supplier for reasonable costs and expenses arising out such return of the Personal Data.