Data Processing Agreement
Effective: 25 May 2018
This Data Processing Agreement has been entered into between Supermetrics Oy (“we”, “us”, “our”) as a data processor and you as the data controller.
This Data Processing Agreement forms an essential part of the Main Agreement, described as the Terms of Service, entered into between you and us (“Main Agreement”) and shall always be interpreted in accordance with the Terms and Conditions of such Main Agreement. The capitalized terms used in this Data Processing Agreement shall have the meanings set forth in the Main Agreement.
- Processing of your personal data
To the extent any of the data processed in connection with your use of the Service constitutes personal data under the applicable legislation, you hereby authorise us to process such data (and any other data, regardless of whether they constitute personal data or not) on your behalf for the purposes of providing the Service in accordance with the Terms, Policies and applicable legislation.
For the sake of clarity, it is noted that in relation to the personal data processed under this agreement, we act as the data processor and you act as the data controller.
We confirm that we will process your personal data in a lawful manner which meets requirements of the applicable legislation relating to the processing of personal data, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and that we will otherwise comply with the applicable legislation in relation to processing of personal data.
- Responsibilities of the data controller
You agree that it is exclusively your responsibility to comply with any and all obligations of data controller set out in applicable legislation, including the GDPR, and that the Service is provided “as is” and “as available” in accordance with this Data Processing Agreement as well as the Main Agreement including its Terms and Policies. You confirm that you will comply with the applicable legislation in relation to processing of personal data, including the GDPR.
- Assistance to you as the data controller
We will assist you in providing any technical or organisational measures for the fulfilment of your obligations as data controller in relation to possible requests for exercising the data subjects’ rights laid down in the applicable legislation. Taking into account the nature of the Service, you further agree that we cannot commit to providing such assistance.
We will assist you in ensuring compliance with your obligations relating to the security of data processing, notifications of personal data breaches to the supervisory authorities and communications to data subjects and data protection impact assessments. We will notify you about any personal data breaches concerning your data as soon as possible and, where feasible, at the latest 48 hours after having become aware of such personal data breach.
Taking into account the nature of the data processing and the information available to us as the data processor, you agree that we may be unable to assist you in these matters.
- Confidentiality and security
We confirm that our personnel involved in providing the Service to you have committed to confidentiality obligations with regard to personal data (if any) processed in connection with the Service. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons we confirm that we have taken such technical and organisational security measures which ensure a level of security appropriate to the risk.
You agree that we may engage third parties including other data processors in connection with the Service and that such third parties may be located, and your data may be processed, outside the European Economic Area (including e.g. in the United States) subject to applicable legislation. If we transfer any personal data outside the European Economic Area, we ensure that the personal data is transferred in accordance with the applicable law, for example, by using appropriate European Union Standard Contractual Clauses.
If we engage another processor for carrying out processing activities on your behalf, at least the same data protection obligations as set out in this agreement, shall also apply to such sub-processor. If such sub-processor fails to fulfil its data protection obligations, we shall remain fully liable to you for the performance of the sub-processor’s obligations. We will inform you of any intended changes concerning the addition or replacement of sub-processors.
We may provide information regarding such third party data processors upon request, and always subject to our confidentiality obligations. If you do not approve our use of any third party processors, please stop using the Service immediately.
- Retention of your data
We have no obligation to store and we will not store any of your data after the termination of your account and/or subscription of the Service unless otherwise agreed or required under applicable law. We will delete or return all personal data related to you after the end of the provision of services relating to processing.
You may have the right, in accordance with applicable legislation only, to receive information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement and applicable legislation and, where and to the extent mandated under applicable legislation to do so, we may allow for, and contribute to, audits, including inspections, conducted by you in relation to personal data in relation to our Service provided to you only. The timing and other practicalities related to any such audit or inspection are determined by us and any such information and assistance are provided at exclusively your cost and expense, and we reserve the right to charge you for any additional work or other costs incurred by us in connection with you using such rights.
This Data Processing Agreement forms a part of the Main Agreement. In the event of any discrepancies relating to the processing of personal data between this Data Processing Agreement and the Main Agreement, the provisions of this Data Processing Agreement shall prevail.
N.B. Please contact firstname.lastname@example.org if you need/would like a signed copy of this Data Processing Agreement.