This Data Protection Addendum (“DPA”) applies between the Customer and Trustmary Finland Oy (“Trustmary”) to the extent that the Trustmary processes personal data on behalf of Customer whilst Customer’s use of the Trustmary online platform (“Service”) in accordance with the Trustmary Terms of Service (“Agreement”).
Customer shall be considered the data controller of such personal data under EU regulation 2016/679 (“GDPR”) and Trustmary will process, when providing the Service to the Customer, such personal data on behalf of Customer as a data processor for the purposes of the Agreement. As used herein, “personal data” means such personal data that Trustmary processes on behalf of the Customer as the Customer’s data processor.
For the avoidance of doubt, this DPA shall not apply to processing of personal data for which Trustmary acts as an independent data controller in accordance with the GDPR (e.g. business contact information and invoicing information within the scope of the Parties’ cooperation).
The processing is initially specified as follows:
Nature, purpose and duration of processing: Provision of the Service to Customer during the term of the Agreement.
Types of personal data: Names and contact details, feedback given by an identifiable individual, identifiable media content such as video testimonials and photographs.
Categories of data subjects: Customers, employees or contractors of the Customer.
Trustmary shall only process personal data in accordance with this DPA and documented instructions from the Customer, unless required to do so by Union or Member State law to which Trustmary is subject. In such case Trustmary shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Customer’s instructions must be commercially reasonable, compliant with applicable data protection legislation and consistent with this DPA. If the Customer’s instructions require additional measures or work to be performed by Trustmary, Trustmary has the right to charge an hourly consulting fee from the Customer for complying with such Customer’s instructions in accordance with Trustmary’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
Trustmary shall immediately notify the Customer in writing, if, in its opinion, an instruction of the Customer infringes applicable data protection legislation. In case the instructions of the Customer are not compliant with the GDPR or any other applicable data protection legislation, Trustmary is not required to comply with such Customer’s instructions.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Trustmary’s processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Trustmary shall implement and maintain appropriate technical and organizational security measures in order to safeguard the personal data against unauthorized or unlawful processing and damage, and in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data
Trustmary shall, without undue delay after having become aware of it, inform the Customer in writing about any data breaches relating to personal data. Trustmary’s notification about the breach to the Customer shall include at least the following: (i) description of the nature of the breach; (ii) name and contact details of Trustmary’s contact point where more information can be obtained; (iii) description of the likely consequences of the breach; (iv) description of the measures taken by Trustmary to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. Trustmary shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
Trustmary’s shall ensure that individuals processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Taking into account the nature of the processing, Trustmary shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR (such as the right of access and the right to rectification or erasure).
Taking into account the nature of the processing and the information available to Trustmary, Trustmary shall further provide the Customer with assistance in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, transfer impact assessments, breach notifications and prior consultations of the competent supervisory authority).
In case such assistance requires measures from Trustmary, Trustmaryhas the right to charge an hourly consulting fee from the Customer for handling such assistance requests in accordance with Trustmary’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
The Customer gives its general authorization to allow Trustmary to engage subcontractors as subprocessors to process personal data in connection with the provision of the Service.
Trustmary is free to choose and change its subprocessors. The subprocessors currently used by Trustmary are listed here. In case there is a later change of a subprocessor (addition or replacement), Trustmary shall notify the Customer of such change, thereby giving the Customer the opportunity to object to such change. If Trustmary is not willing to change the subprocessor the Customer has objected to, both Parties shall have the right to terminate the Agreement and this DPA.
Where Trustmary engages a subprocessor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA shall be included in the DPA between Trustmary and that subprocessor. Where a subprocessor fails to fulfil its data protection obligations, Trustmary shall remain fully liable to the Customer for the performance of the subprocessor’s obligations.
The Customer accepts that Trustmary may have personal data processed and accessible by Trustmary or its subprocessors outside the European Economic Area (“EEA”) to provide the Service. If personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Customer authorizes Trustmary to enter, on behalf of the Customer, into the modernized standard contractual clauses (Module Three, Processor-to-Processor transfers) adopted or approved by the European Commission applicable to processing outside the EEA, or Trustmary shall provide for other appropriate safeguard for the protection of the personal data transferred outside the EEA as set out in the GDPR.
Upon request, Trustmary will provide Customer with information regarding the supplementary safeguards adopted for the international transfers, including information about implemented supplementary measures to protect personal data within the jurisdiction it is being transferred to.
The Customer or an auditor appointed by the Customer shall with the assistance of Trustmary have the right to audit the processing activities of Trustmary under this DPA to assess the compliance of Trustmary with its contractual obligations under this DPA and applicable data protection legislation during ordinary business hours of Trustmary and with 30 days’ prior written notice. The Customer shall be responsible for the costs incurred by Trustmary or the Customer in relation to the audit.
Where an audit may, in Trustmary’s sole opinion, lead to the disclosure of trade secrets of Trustmary or threaten the intellectual property rights of Trustmary, the Customer shall employ an independent auditor, that is not a competitor of Trustmary, to carry out the audit, and the auditor shall agree to be bound to confidentiality to Trustmary’s benefit.
Trustmary makes available to the Customer, at the Customer’s request, information necessary to demonstrate compliance with the GDPR. In case the aforementioned request by the Customer require measures or work to be performed by Trustmary, Trustmary has the right to charge an hourly consulting fee in accordance with its then current price for consulting services for handling such requests, subject to the Customer’s prior approval of such additional costs.
Within a reasonable time after the termination or expiry of the Agreement or after the Customer has permanently ceased to use the Service, Trustmary shall, as instructed by the Customer, delete or return to the Customer all personal data, except to the extent that Trustmary is under a European Union or Member State law obligation to continue storing such personal data.