This Data Processing Agreement ("DPA") is an integral part of the Terms & Conditions ("Agreement") entered into between Tracklution Oy ("Service Provider") and the user ("Client"). This DPA shall apply to all processing of personal data under the Agreement. Where applicable and when this DPA does not explicitly state otherwise, the terms of the Agreement, such as governing law and dispute resolution, shall be applied to this DPA.
1.1. "Agreement" refers to the Terms & Conditions (including its appendices and/or any other written agreements between Parties) entered into between the Service Provider and the Client.
1.2. "Client" refers to the user of the Service and the controller of personal data under the EU General Data Protection Regulation (GDPR).
1.3. "Service Provider" refers to Tracklution, which processes personal data on behalf of the Client as a processor under the GDPR.
1.4. "GDPR" refers to EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.5. "Personal Data" refers to any information relating to an identified or identifiable natural person ("Data Subject") processed by the Service Provider on behalf of the Client.
2.1. Providing the Client with the Service may require the Service Provider to process certain Personal Data on behalf of the Client. This DPA governs the processing of Personal Data by the Service Provider on behalf of the Client during the term of the Agreement.
2.2. The Service Provider shall process Personal Data only as specified in the Agreement, unless required to do otherwise by applicable law. The Client shall ensure that it complies with applicable data protection laws.
3.1. The Client, as the controller, shall be solely responsible for the lawful processing and collection of Personal Data. The Client shall ensure that it has a valid legal basis for the processing and collection of Personal Data and that it fulfils its obligations as a controller under the GDPR and other laws, regulations and directives pertaining to the processing or collection of personal data.
3.2. The Service Provider, as the processor, shall process Personal Data on behalf of the Client and shall act solely as described in the Agreement, except as required by applicable law. Additional written, reasonable processing guidance provided by the Client can also be applied in the processing operations of the Service Provider. The Service Provider shall take appropriate technical and organisational measures to protect the Personal Data.
3.3. The Service Provider will not observe the Client’s processing or collection of Personal Data in the Service, and the Client shall be solely responsible for having the required and necessary rights and permissions to use and disclose Personal Data for the purposes set out in the Agreement. The Client shall ensure that the Client is entitled to transfer the data to the Service Provider so that the Service Provider may lawfully process, use and transfer the data in accordance with the Agreement and this DPA.
4.1. The Service Provider shall process Personal Data only for the purposes of providing the Service to the Client as specified in the Agreement.
4.2. The Service Provider shall not transfer or disclose Personal Data to any third party without the prior written consent of the Client, unless required to do so by applicable law.
4.3. The Service Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects.
4.4. The particular types of Personal Data may vary on a case-by-case basis depending on what Personal Data the Client decides to process as part of their use of the Service. Such Personal Data may include, but is not limited to, the following information:
4.5. The Personal Data may be processed as long as the Agreement between the Client and Service Provider remains in force, unless otherwise instructed by the Client in accordance with this DPA. After the Agreement expires and the customer relationship ends, the Service Provider will delete the Personal Data within a reasonable time.
4.6. The Service Provider may transfer Personal Data to countries outside the EU or the EEA, provided that such transfers comply with applicable data protection laws and regulations. The Service Provider shall ensure that any international data transfers are conducted in accordance with appropriate safeguards as required under the General Data Protection Regulation (GDPR) or other relevant data protection laws.
5.1. The Service Provider may engage subprocessors to process Personal Data on behalf of the Client.
5.2. Where the Service Provider engages a subprocessor, it shall ensure that the subprocessor is bound by contractual obligations that provide the same level of data protection and security as set forth in this DPA.
6.1. The Service Provider shall assist the Client in fulfilling its obligations to respond to requests from Data Subjects to exercise their rights under the GDPR. The Service Provider shall promptly notify the Client if it receives a request directly from a Data Subject where resolving such a request may require the assistance of the Service Provider.
6.2. Taking into account the nature of the processing, the Service Provider shall provide reasonable assistance to the Client in fulfilling its obligations to respond to any request from a Data Subject to exercise their rights, including but not limited to the rights of access, rectification, erasure, restriction, objection, data portability, and automated decision-making.
7.1. The Service Provider shall implement appropriate technical and organisational measures to ensure the security of the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects.
7.2. The Service Provider shall promptly notify the Client in the event of a security breach that affects Personal Data and shall cooperate with the Client in investigating, mitigating, and remedying the security breach.
7.3. Each party to this DPA shall be solely responsible for the information security of the party’s own communications networks. Neither Party shall be responsible or liable for the information security of general communications networks, or for interferences or other disruptions, outside of the Parties’ influence, that may occur in general communications networks.
8.1. The Service Provider shall process personal data as long as the Agreement with the Client remains in force, unless instructed otherwise by the Client in accordance with the DPA.
8.2. Upon termination or expiration of the Agreement, the Service Provider shall securely delete or destroy the Personal Data within a reasonable timeframe.
9.1. The Service Provider shall make available to the Client all information necessary to demonstrate compliance with its obligations under this DPA and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
10.1. This agreement shall be interpreted and construed in accordance with the laws of Finland.
10.2. Any dispute, controversy or claim arising out of or relating to this contract, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce. The number of arbitrators shall be one. The seat of arbitration shall be Helsinki, Finland. The language of the arbitration shall be English.
11.1. This DPA may only be amended by written agreement between the Service Provider and the Client.