PERSONAL DATA PROCESSING AGREEMENT


1. Controller

This Personal Data Processing Agreement ("DPA") is an inseparable part of the agreement signed between the "Provider" and Supermetrics Oy ("Customer") ("Agreement").

The purpose of this DPA is to agree on the privacy and data protection of the personal data of the Customer in the services of the Provider. This DPA constitutes a written agreement in accordance with the EU General Data Protection Regulation (679/2016) concerning the processing of personal data.

If the terms concerning the Processing of personal data of the DPA and the Agreement are in conflict, the parties shall primarily apply the terms of this DPA.

The terms used in this DPA shall have the same meaning as in the EU General Data Protection Regulation (679/2016).



2. Rights and obligations of the Customer

The Customer agrees to comply with the Data Protection Laws. Inter alia, the Customer shall be liable for drafting the privacy policy and informing the Data Subjects, where necessary.

The Customer shall define the purposes and means of the Processing of Personal Data; give documented instructions to the Processor on the Processing; and retain control of and authority over the Personal Data.

This DPA and its Appendices shall form the written instructions referred to in this Section unless otherwise agreed between the Parties in writing.



3. Rights and obligations of the Provider

3.1 General obligations of the Provider

The Provider shall have sufficient expertise and resources to fulfil the privacy and data protection measures defined herein. The Provider is entitled to Process the Personal Data of the Customer only pursuant to and during the term of this Agreement, and according to the written instructions of the Customer and only in so far as it is necessary for providing the service.

The Provider shall have documented processes and action plans in place for risk management purposes related to all aspects of the Processing. The Provider is liable for regularly assessing, identifying and mitigating any privacy and data security risks related to the services and applying the necessary measures to prevent such risks.

The Provider shall make available to the Customer all information necessary to demonstrate compliance with the Processor’s obligations set out in this Agreement and in the Data Protection Laws. The Provider shall also assist the Customer in ensuring compliance with the Customer’s legal obligations, such as the Customer’s data security, data protection impact assessment and prior consultation obligations set out in the Data Protection Laws.

The Provider shall maintain a record of the Processing activities carried out on behalf of the Customer. The record will contain the following information: (i) the name and contact details of the Customer, the Provider and the Provider’s data protection officer or another contact person and information about possible subcontractors; (ii) the categories of Processing carried out on behalf of the Customer; (iii) information on transfers of Personal Data outside the EU or EEA, including the said third countries and a report on how a sufficient level of data protection is ensured; and (iv) a description of the technical and organizational safety measures implemented by the Provider.


3.2 Subcontractors

The Provider may use subcontractors in the processing of the personal data of the Customer. If subcontractors are used, the Provider shall inform the Customer of all of its subcontractors and of any changes thereof by email to privacy@supermetrics.com. The Customer may, on reasonable grounds, object to the use of new subcontractors.

The Provider shall make a written agreement with its subcontractors and is liable for the subcontractors abiding by the terms of this DPA. The Provider is liable for supervising the actions of its subcontractors regularly and is liable for the actions of its subcontractors as for its own.


3.3 Data Transfers outside EU/EEA

The Provider and its subcontractors may process personal data outside the EU/EEA provided that the service so requires and the Customer has given its consent to such processing in Annex 1 of this DPA.

Where the transfer of data outside the EU/EEA is permitted, the Provider shall ensure that the transfer is made only to: (a) countries for which the Commission has decided that they ensure an adequate level of data protection; or (b) recipients that rely on the currently applicable standard contractual clauses or other appropriate safeguards as described in Article 46 of the General Data Protection Regulation. In addition, the Provider shall conduct transfer impact assessments and, should an assessment require supplementary safeguards, implement the necessary technical, organizational and contractual measures.


3.4 Data Subject Requests and Communications Regarding Personal Data

The Provider shall immediately forward to the Customer all requests to access, rectify, erase or object to the processing of personal data, and any other requests received from data subjects. If requested by the Customer, the Provider shall support the Customer in fulfilling the requests of the data subjects. The Provider shall ensure that it is able to fulfil the statutory requests of data subjects.

The Provider shall forward all inquiries made by data protection authorities directly to the Customer and shall await further guidance from the Customer. Unless otherwise agreed, the Provider is not authorized to represent the Customer or act on behalf of the Customer in relation to the authorities supervising the Customer.


3.5 Auditing

The Provider shall, upon request, demonstrate that it and its subcontractors abide by the terms of this DPA. Upon written notice given by the Customer at least 14 days in advance, the Customer or an auditor authorized by the Customer (but not a competitor of the Provider) may, once per year, inspect whether the Provider and its subcontractors process the personal data of the Customer in accordance with this DPA. The Provider shall rectify any defects and shortcomings without delay. Each party shall bear the costs it has itself incurred. If the inspection shows that the Provider has materially breached this DPA, the Provider shall compensate the Customer for the costs of the inspection and for the third-party costs of verifying the rectifications, as invoiced by the auditor.



4. Types of Personal Data and Categories of Data Subjects

The categories of personal data and the categories of data subjects Processed in the services are defined in the Processing Specification Form (Appendix 1).



5. Data Security

The Provider shall implement the appropriate technical and organizational security measures required by legislation to ensure the protection of the personal data it processes. The Processor’s security measures shall at all times meet or exceed the applicable legal requirements and the standards prevalent in the Processor’s industry. Inter alia, the following rules shall be followed when Processing:

  1. The personnel of the Provider and the Provider’s subcontractor taking part in the processing of the personal data must commit to non-disclosure undertakings regarding the data.
  2. The systems and communications used in the processing of the personal data of the Customer shall be protected by adequate and up-to-date data protection solutions in accordance with best available practices of the industry.
  3. The personal data shall not be used in the development or testing of the Provider’s services nor for any other purposes of the Provider.

The Provider shall be liable for the backing up of the data of the Customer, unless otherwise agreed.

The Provider shall document all the activities taken to ensure its compliance according to this Section 5 and provide the documentation to the Customer upon the Customer’s request without undue delay.



6. Data Breaches

The Provider shall inform the Customer without undue delay, and in any case within 24 hours, of any actual or suspected Personal Data Breach. The notification shall describe at least the following:


a) a description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;

b) the name and contact details of the person responsible for the Provider’s data protection matters;

c) a description of likely consequences and/or realized consequences of the Personal Data Breach; and

d) a description of the measures taken to address the Personal Data Breach and to mitigate its possible adverse effects.


The Provider shall without delay investigate the cause and effects of the breach and take appropriate measures to end the breach, minimize its impact and prevent comparable breaches. The Provider shall without delay document and report the results of the investigation, and the measures taken, to the Customer.

For the sake of clarity, the Provider shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or of a Personal Data Breach without first obtaining the Customer's written consent, except where required to do so by domestic or EU law.

The Provider shall cooperate with the Customer and ensure that the Customer has the documentation required by legislation and the data protection authorities at hand concerning data security breaches.

The party whose actions have caused the data breach and who, according to applicable data protection legislation is liable for the data breach, shall be liable for the costs incurred from the breach and the rectification thereof, taking into account the order or decision of a competent authority or a court of law.



7. Liabilities

The Parties’ liability for damages under the DPA shall be limited to twice the maximum amounts set out in the respective Agreement, except where limitations of liability are expressly prohibited under the applicable legislation or are otherwise legally invalid or unenforceable, or where the damages are incurred by the Customer as a result of fault or negligence by the Provider, or by a subcontractor or supplier of the Provider, in the processing of personal data in breach of the Agreement, applicable legislation or this DPA.

In addition, if a person has suffered material or non-material damage as a result of an infringement of the EU General Data Protection Regulation (679/2016) or this DPA, the Provider shall be fully liable for the damage, without any limitation of liability, in so far as it has not complied with the obligations directed to it in the EU General Data Protection Regulation (679/2016) or this DPA or written guidance of the Customer. In this case, both parties are obligated to pay only the part of the damages and administrative fines that correspond to the liability for damage confirmed in the final decision of a data protection authority or a court of law.



8. Other Provisions

Following the expiry of the Agreement, the Provider shall return all of the Customer's data to the Customer in the form provided for in the Agreement. Thereafter, the Provider shall ensure that the Customer's data in its or its subcontractors’ possession is destroyed, and shall confirm the destruction to the Customer in writing.

The Provider is obligated to inform the Customer of all changes that may affect its ability or chances to abide by this DPA and the written guidance of the Customer. The Parties shall agree on all additions and amendments to this DPA in writing.

This DPA shall enter into force once both parties have signed it. The DPA shall remain in force for as long as (i) the Agreement is in force or (ii) the parties have obligations concerning personal data processing activities towards one another.

Those obligations that due to their nature are meant to survive the expiry of this DPA shall remain in force after the expiry of the DPA.