DATA PROCESSING ADDENDUM
BACKGROUND AND PURPOSE
ProductSense Oy (“Processor”) and its Customer defined in the Agreement (“Controller”) have entered into a separate agreement, including its appendices (the “Agreement”) pursuant to which Processor provides a software service, as further specified in the Agreement (the “Service”) to Controller. This Data Processing Addendum (“DPA”) shall apply if and to the extent that Processor processes Personal Data on behalf of Controller in the course of providing the Service.
This DPA is an agreement between the Parties on the processing of Personal Data and defines the principles of data protection and privacy applicable between the Parties when Personal Data is processed by Processor under the Agreement. The purpose of this DPA is to ensure that such processing is conducted in accordance with the Data Protection Laws and with due respect for the rights and freedoms of data subjects.
DEFINITIONS
Capitalized terms used in this DPA shall have the meanings given to them in this DPA, unless otherwise expressly stated or the context otherwise requires.
"Representatives" means a Party's directors, officers, employees, contractors, agents, consultants, advisors or other representatives.
"Personal Data" means the personal data Processor processes on behalf of Controller under the Agreement.
"Data Protection Laws" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and any amendments, replacements or renewals thereof and all binding national laws of Finland implementing or supplementing the aforementioned.
"Standard Contractual Clauses" means the standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended or replaced or supplemented from time to time.
The terms “processing”, “data subject”, “personal data breach” and other terms defined in the Data Protection Laws used in this DPA shall have the same meanings as set out in the Data Protection Laws and shall be construed accordingly.
1 Processing of personal data
1.1 Processor is entitled to process or make available Personal Data only for the purposes specified in the Agreement or in this DPA or as otherwise agreed in writing between the Parties. Processor shall not be entitled to process Personal Data for any other purposes.
1.2 Processor shall process the Personal Data in accordance with the written instructions provided by Controller in this DPA and in the Agreement and in accordance with the provisions of the Data Protection Laws applicable to Processor, unless otherwise required by the laws of the European Union or of a Member State applicable to Processor. In such a case, Processor shall inform Controller of the requirement under such legislation prior to processing, unless such applicable law prohibits such information on grounds of important public interest.
1.3 Processor shall ensure that its Representatives to whom Processor has provided access to the Personal Data are authorized and properly trained with a "need-to-know" and are subject to a contractual confidentiality obligation or to an appropriate statutory confidentiality obligation.
1.4 Processor shall implement and maintain appropriate technical and organisational measures required pursuant to the Data Protection Laws to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized access, disclosure or transfer, misuse, and against all other unlawful forms of processing.
1.5 Processor shall, to a reasonable extent, assist Controller in demonstrating compliance with the Data Protection Laws, and for such purposes, make available to Controller all information available to Processor reasonably required and necessary for Controller to demonstrate its compliance.
1.6 Taking into account the nature of the processing, Processor shall, upon the request of Controller and in accordance with the request, assist Controller (for example by means of appropriate technical and organizational measures) in carrying out the requests on the fulfilment of the rights of the data subjects laid down in the Data Protection Laws, but only to the extent Controller cannot itself fulfil such requests. Processor shall be entitled to charge a reasonable fee for the performance of its tasks under the obligation to provide assistance referred to in this Section 1.6.
1.7 Processor shall secure Controller's right to conduct inspections or audits at Processor's premises to verify compliance with this DPA and applicable Data Protection Laws. Such audits may be conducted once per calendar year, with reasonable prior notice. Controller may carry out the audit itself or engage a third-party auditor, subject to Processor's approval, provided that the third party is bound by customary confidentiality obligations. Alternatively, Processor may choose to have an external auditor perform the audit and, in such cases, shall provide Controller with an audit report that is no older than one calendar year. Processor shall cooperate fully with the audit process and address any identified non-compliance issues promptly.
1.8 Processor shall document any personal data breaches affecting Personal Data in its possession of which it becomes aware, including the consequences and effects of such breaches, and the steps taken to mitigate them. In addition, Processor shall:
(i) notify Controller of a personal data breach without undue delay; and
(ii) promptly investigate the causes and effects of the personal data breach and take appropriate measures to stop the breach, mitigate its adverse effects and prevent similar breaches in the future, documenting the results of its investigation and actions taken.
For clarity, the occurrence of a personal data breach involving Personal Data held by Processor does not, by itself, automatically imply a contractual breach by Processor.
1.9 Processor shall inform Controller without undue delay in the following circumstances:
(i) when Processor believes that Controller's written instructions violate applicable Data Protection Laws;
(ii) upon receiving any enquiries, questions, or requests from data subjects regarding the exercise of their rights. Processor shall not respond to such communications; and
(iii) upon receiving any requests or questions from supervisory authorities, other governmental bodies, or third parties relating to Personal Data. Processor shall not respond to such requests unless obligated to do so by mandatory European Union or Member State law.
1.10 Controller shall ensure that the processing of Personal Data under this DPA is lawful and that it is entitled to entrust the processing of Personal Data to Processor to the extent specified in the Agreement and this DPA. Controller shall reasonably contribute to the implementation of Processor's obligations regarding the processing of Personal Data in accordance with Processor's request and shall bring any processing risks identified to Processor's attention without undue delay.
2 Sub-Processors
2.1 This Section 2 shall apply when Processor engages subcontractors or other third-party processors (“Sub-Processors”) in the processing of Personal Data.
2.2 Processor informs Controller of Sub-Processors it uses by maintaining a list of Sub-Processors at https://productsense.com/dpa/subprocessors.html. In the event Processor makes any changes or additions to the list of Sub-Processors, Processor shall notify Controller of any such changes or additions by email to the address indicated by Controller in the Agreement. Controller shall have the right to object to such changes on reasonable and documented grounds, which it shall notify to Processor without undue delay after Processor has notified the proposed change. If Controller objects to the proposed changes, the Parties shall negotiate in good faith. If no amicable solution is found, either Party shall have the right to terminate the Agreement by giving reasonable notice.
2.3 In addition, the following conditions apply:
(i) Processor shall enter into a written agreement with each Sub-Processor. The agreement entered into between Processor and Sub-Processor shall require the Sub-Processor to comply with obligations that materially correspond to those applicable to Processor under this DPA and the Data Protection Laws.
(ii) If Personal Data is or will be transferred outside the European Union or the European Economic Area to a country that does not provide an adequate level of data protection, Processor shall ensure that Standard Contractual Clauses apply to such transfers or that another appropriate data transfer mechanism is in place in accordance with the Data Protection Laws.
(iii) Processor shall be deemed responsible for the actions and omissions of its Sub-Processors as for its own.
3 Other provisions
3.1 It is hereby expressly stated that the Parties are obligated to comply with the Data Protection Laws regardless of the content of this DPA. Should there be a conflict between the Data Protection Laws and the provisions of this DPA, each Party is entitled and obliged to comply with the Data Protection Laws and such actions of complying with the Data Protection Laws shall not be deemed as a breach of obligations of the Agreement or this DPA. A Party shall without undue delay inform the other Party of such discrepancies.
3.2 The Parties' liabilities and limitations of liability shall be governed by the terms of the Agreement. Notwithstanding the foregoing, the Parties agree that any liability arising from administrative fines imposed by competent authorities or claims for compensation by data subjects shall be allocated to the Parties as provided for in the GDPR.
3.3 This DPA constitutes the entire agreement and understanding between the Parties relating to the subject matter of this DPA and supersedes any prior agreements and other written or oral communications between the Parties relating to it, including any prior agreements between the Parties relating to data protection and the processing of Personal Data.
3.4 In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail with respect to the terms governing the processing of Personal Data.
3.5 This DPA shall enter into force upon the entry into force of the Agreement and shall remain in force for the duration of the Agreement. This DPA shall automatically terminate upon expiry of the Agreement. Upon termination of the Agreement, Processor shall delete all Personal Data, subject to any rights and obligations of Processor under the applicable laws regarding the retention of Personal Data.
4 Appendices
4.1 The following appendices form an integral part of this DPA:
Appendix 1: Description of data processing
APPENDIX 1
Description of data processing
1 Processing on behalf of Controller
When Processor is processing Personal Data, all processing relates to offering the Service to Controller.
2 CATEGORIES OF DATA SUBJECTS & GROUPS OF PERSONAL DATA
Categories of data subjects
Processor may process Personal Data of the data subjects submitted to the Service, the extent of which is determined and controlled by Controller in its sole discretion, and which may include Personal Data relating to the following categories of data subjects:
(i) Users using the Service and/or being granted access to the Service by or on behalf of Controller;
(ii) Controller’s customers;
(iii) Any other groups of data subjects the personal data of whom Controller or users may submit, or is otherwise submitted on behalf of Controller, into the Service.
Groups of personal data
Processor may process Personal Data submitted to the Service, the extent of which is determined and controlled by Controller in its sole discretion, and which may include the following groups of data which may, in certain circumstances, alone or in connection with other data, constitute personal data:
(i) Contact details (name, phone number, email address, address);
(ii) Any data generated from the users' use of the Service or otherwise made available to Processor by Controller or user, or another Party acting on behalf of Controller in the context of the Service, including but not limited to Controller log-in data.
Duration of processing
Processor processes personal data for the duration of the Service or the Agreement.