Data Processing Agreement

1 Purpose and scope 

This DPA shall govern all the Personal Data Processing conducted by Tietoevry group companies (including affiliates) ("Supplier" or "Data Processor") on customer's (and the organization(s) customer represent, including affiliates) ("Customer" or "Data Controller") behalf as specified and agreed under applicable Processing Specification referring to this DPA.

The Customer and the Supplier may also be referred to as a "Party" or as the "Parties", as the case may be. Any reference to "Customer" or "Supplier" shall be construed as referring to any Party or Parties acting in such capacity from time to time.

1.1 Structure of the agreement

The Parties shall specify the Processing activities conducted under this DPA in accordance with a Processing Specification, which – in executed format – shall be an integral part of this DPA; provided, however, that in the event of conflict, the provisions of the Processing Specification shall prevail.

The DPA shall regulate the Processing of Personal Data by the Supplier on behalf of the Customer under agreement(s) to which a Processing Specification is referring and/or applicable to for the provision of Services as defined under the applicable agreement(s) ("Main Agreement"). This DPA shall form an integral part of the Main Agreement, meaning that applicable parts of the Main Agreement (including its provisions on governing law and dispute resolution) shall apply also to this DPA. In the event of conflict, the provisions of this DPA shall prevail.

In the absence of a signed Processing Specification or separate data processing agreement between the Customer and the Supplier, the Supplier shall nevertheless act in accordance with this DPA when processing Customer Personal Data, if so required by the Laws.

The DPA includes the following Appendices, which apply in the following order:

1. Processing Specification
2. Technical and organisational security measures
3.1 Standard Contractual Clauses based on EU Commission Decision 2010/87/EU
3.2 Standard Contractual Clauses based on EU Commission Decision (EU) 2021/914

1.2 Defined terms

All capitalized terms shall have the same meaning ascribed to them in the Laws, unless otherwise stated herein. Any use of the singular includes plural and vice versa.

Affiliate: any legal entity which is directly or indirectly owned or controlled by a Party or directly or indirectly owning or controlling a Party or under the same direct or indirect ownership or control as a Party for so long as such ownership or control lasts. Ownership or control shall exist through direct or indirect ownership of more than fifty (50%) per cent of the nominal value of the issued equity share capital or of more than fifty (50%) per cent of the voting rights entitling to vote for the election of directors or persons performing similar functions or right by any other means to elect or appoint directors or persons who collectively can exercise such control.

Laws: Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”) and applicable data protection laws under the governing law of the Main Agreement, including decisions by relevant data protection authorities.

Processing Specification: the DPA appendix specifying processing activities under the DPA or other specifying appendix agreed between the Parties.

SCCs: Standard Contractual Clauses issued by the European Commission by the decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the, or any subsequent legal instrument permitting the lawful transfer of Personal Data to non-European Economic Area countries.

Services: any services provided under or in connection with the Main Agreement.

Sub-Processor: a processor contracted by the Data Processor to perform Processing hereunder, in part or in whole, on the Data Processor's behalf.

Transfer Impact Assessment: An assessment conducted in accordance with Clause 14(b) of the SCCs.

2 Rights and obligations of the Parties

2.1 General

In connection with the Processing, the Customer shall be regarded as Data Controller and the Supplier shall be regarded as Data Processor.

Both Parties shall be responsible to ensure that the Processing is made in accordance with the Laws which apply to each Party as well as good data processing practices.

2.3 Rights and obligations of the Data Controller

The Data Controller shall

1. give the Data Processor documented and comprehensive instructions on the Processing, which instructions shall comply with the Laws;
2. have the right and obligation to specify the purpose and means of Processing of Personal Data;
3. represent that all the data subjects of the Personal Data have been provided with all appropriate notices and information and establish and maintain for the relevant term the necessary legal grounds for transferring the Personal Data to the Data Processor and allowing the Data Processor to perform the Processing contemplated hereunder;
4. represent that if the Data Controller represents its Affiliates or third parties under this DPA, it has the legal grounds to enter into this DPA with the Data Processor and allow the Data Processor to process the Personal Data according to the terms of this DPA and the Main Agreement; and
5. confirm that:

• the Processing stipulated under this DPA meets the Data Controller's requirements including, but not limited to, with regard to intended security measures, and
• it has provided the Data Processor with all necessary information in order for the Data Processor to perform the Processing in compliance with the Laws.

2.4 Rights and obligations of the Data Processor

The Data Processor shall

1. perform the Processing only on and as per the documented, legitimate and reasonable instructions from the Data Controller unless required to do otherwise by Laws, in which latter case the Data Processor shall inform the Data Controller of such deviating legal requirement (provided the Laws do not prohibit such notification). Amended instructions shall be handled in accordance with the change management process set out the Main Agreement or as otherwise agreed between the Parties. For the avoidance of doubt, the Data Controller shall at all times be deemed to have instructed the Data Processor to provide the Service as defined and agreed under the Main Agreement;
2. ensure that persons authorised to perform the Processing hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality as further stated under this DPA;
3. take all security measures required to be taken by data processors under the Laws as further stated under this DPA;
4. respect the conditions referred to under Laws for engaging any Sub-Processor as further stated under this DPA;
5. insofar as this is possible and taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures for the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in under the Laws;
6. assist the Data Controller in ensuring compliance with its legal obligations, such as, data security, transfer impact assessment, data breach notification, data protection assessment and prior consulting obligations, as required of the Data Processor by the Laws, taking into account the nature of Processing and the information available to the Data Processor;
7. maintain necessary records and make available to the Data Controller all information necessary to demonstrate compliance with the obligations of the Data Processor, as laid down in the Laws, and allow for and contribute to audits, including inspections, conducted by the Data Controller or any auditor mandated by the Data Controller as further agreed under this DPA; and
8. at the Data Controller's instructions, delete or return to the Data Controller all the Personal Data after the end of the provision of the Services relating to Processing, and delete existing copies unless applicable laws require storage of the Personal Data. Deletion and return methods may be further agreed between the Parties;

Unless otherwise agreed, the Data Processor shall have the right to invoice any costs resulting from the above assistance under 5-6 above in accordance with the Data Processor's prevailing price list.

3 Security of Processing

3.1 Security measures

The Data Processor shall implement and maintain appropriate Technical and organisational measures to protect the Personal Data, taking into account:

1. the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and
2. the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.

3.2 Details on security measures

The principles of the security measures taken for the applicable Processing by the Data Processor under this DPA are described in Technical and organisational security measures and may be further specified and amended in the relevant Processing Specification and/or the Main Agreement.

Such measures include, inter alia as appropriate:

1. the pseudonymisation and encryption of the Personal Data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

3.3 Information about security measures

The Data Controller is responsible for ensuring that the Data Processor is informed of all issues (including but not limited to risk assessment and the inclusion of special categories of Personal Data) related to the Personal Data provided by the Data Controller which affect the technical and organizational measures employed under this DPA.

3.4 Changes to security measures

Changes in security measures shall be handled in accordance with change management process of the Main Agreement.

4 Sub-Processors

4.1 Use of Sub-Processors

The Data Processor may from time to time use Sub-Processors to process the Personal Data hereunder. Sub-Processor(s) used in the provision of Services are listed in the Processing Specification and/or the Main Agreement.

Such use will be under written contract and the Data Processor will require the Sub-Processor to comply with the data protection obligations applicable to the Data Processor under this DPA or obligations which provide for the same level of data protection.

The Data Processor will be liable for its Sub-Processor’s actions as for its own.

4.2 Approval

The Data Controller agrees that the Data Processor has a general approval to use the Data Processor’s Affiliates as Sub-Processors when Processing Personal Data. Tietoevry Affiliates are listed at www.tietoevry/com/en/contact-tietoevry/.

4.3 Changes to Sub-Processors

The Data Processor will inform the Data Controller in advance on any intended changes concerning the addition or replacement of Sub-Processors.

If the Data Controller does not accept an intended change, the Data Controller may terminate such part of the Main Agreement which the sub-processing would be related to by way of thirty (30) days’ prior written notice.

5 Transfer of Personal Data

5.1 Customer’s approval to transfer data outside of Approved Jurisdictions

The Data Processor will only transfer Personal Data out of the territory of the member states of the European Union, the European Economic Area, or other countries which the European Commission has found to guarantee an adequate level of data protection (collectively, the “Approved Jurisdictions”) with the Data Controller’s prior written approval. For purpose of clarity, such approval must be clearly indicated in the Processing Specification or the Main Agreement.

5.2 Data protection during data transfer

If required by the Laws, the Data Processor shall enter relevant contractual arrangements with required parties (including with the Data Controller itself and/or any of the Data Controller’s Affiliates, as applicable) for the lawful transfer of Personal Data from the Approved Jurisdiction to third countries.

Such contractual arrangements shall be carried out in accordance with the standard data protection clauses adopted or approved by the European Commission attached herein (“SCCs”). As an alternative to entering into the SCCs, the Data Processor may rely upon an alternative transfer safeguard permitting and providing for the lawful transfer of Personal Data outside of the Approved Jurisdictions, provided that such safeguard is in compliance with the Laws.

Where the SCCs are used as a contractual arrangement in the transfer from by the Data Processor or its Sub-Processor in an Approved Jurisdiction to Sub-Processor not in an Approved Jurisdiction, the following shall be applied:

1. The Data Processor agrees to implement (or have its Sub-Processors implement, as applicable) the SCCs published by the EU Commission in June 2021 in accordance with the transition period specified in Article 4 of the Commission implementing decision (EU) 2021/914 of June 2021.
2. Unless otherwise agreed with the Data Controller in Processing Specification, the Data Processor shall implement the Processor-to-Processor SCCs module (MODULE THREE) with its Affiliates and/or with third parties acting as Sub-Processors, or shall, where applicable, have such Sub-Processors implement the same with their sub-processors.
3. Where applicable, prior to implementing the Processor-to-Processor SCCs module (MODULE THREE), the Parties may rely on any previously implemented SCCs that have been executed by the Data Processor with its Sub-Processors in the name and on behalf of the Data Controller.
4. The Data Processor agrees to provide the Data Controller with a copy of the fully executed SCC upon request of the Data Controller.
   
   

6 Notification of Personal Data Breach

6.1 Personal Data Breach notification process

The Data Processor shall without undue delay notify the Data Controller if it, or one of its Sub-Processors, becomes aware of a Personal Data Breach. Information shall be provided to the contact person named by the Data Controller, if not otherwise agreed between the Parties.

6.2 Personal Data Breach notification content

The Data Processor shall without undue delay inform the Data Controller of the circumstances giving rise to the Personal Data Breach, and any other related information reasonably requested by the Data Controller and available to the Data Processor.

Additionally, to the extent it is available, the Data Processor shall provide to the Data Controller the following information:

1. a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
2. a description of the likely consequences of the personal data breach; and
3. a description of the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Parties may agree on a more detailed breach notification process in separate.

7 Auditing

7.1 General

The Data Controller shall be entitled to audit the Data Processor's performance of its Processing obligations under this DPA ("Audit").

7.2 How auditing is performed

The Data Controller is obligated to use external auditors who are not competitors of the Data Processor, to conduct such an Audit.

The Parties shall agree well in advance on the time and other details relating to the conduct of such Audits.

The Audit shall be conducted in such a manner that the Data Processor's undertakings towards third parties (including but not limited to the Data Processor's customers, partners and vendors) are in no way jeopardized. All the Data Controller's representatives or external auditors participating in the Audit shall execute customary confidentiality undertakings towards the Data Processor.

7.3 Authorities' right to audit

The Data Processor shall always allow any relevant regulatory authority supervising the Data Controller's business to conduct Audits of the Data Processor's operations, in which case relevant parts of the Parties' agreement hereunder shall apply.

7.4 Cost of auditing

The Data Controller shall bear all Audit expenses, and compensate the Data Processor for any and all costs incurred as a result of the Audit.

However, if the Audit reveals material deficiencies in the Data Processor's performance, the Data Processor shall bear its own costs for the Audit.

8 Confidentiality

8.1 Data Processor's undertakings

The Data Processor shall

1. keep any Personal Data received from the Data Controller confidential;
2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality; and
3. ensure that Personal Data is not disclosed to third parties without the Data Controller's prior written consent, unless the Data Processor is obliged by mandatory law or decree to disclose such information.

8.2 Disclosure

In case data subjects or governmental authorities make a request concerning Personal Data, the Data Processor shall, as soon as reasonably possible, inform the Data Controller about such requests before providing any response or taking other action concerning the Personal Data.

In case any applicable authority prescribes an immediate response to a disclosure request, the Data Processor shall inform the Data Controller as soon as reasonably possible, unless the Supplier is prohibited by mandatory law or authority order to disclose such information

9 Limitation of liability

9.1 General

The limitations of liability set out under the Main Agreement shall apply also to this DPA.

9.2 Liability

The Parties agree that the general principle of division of responsibilities between the Parties relating to administrative fines imposed by any relevant supervisory authority or claims by data subjects under this DPA is based on the principle that the respective Party needs to fulfil its own obligations under the Laws. Hence, any administrative fines imposed or damages ordered should be paid by the Party that has failed in its performance of its legal obligations under the Laws, as decided by the relevant supervisory authority or competent court authorized to impose such fines or damages.

10 Term and Termination

10.1 General

This DPA shall enter into force at the last signature date of Processing Specification referring to this DPA. This DPA shall be in effect for the term of an applicable Processing Specification.

10.2 Surviving clauses

All provisions which by nature are intended to survive the termination of this DPA shall remain in full force and effect regardless of the termination of this DPA.

10.3 Changes and amendments

The Supplier has the right to change this DPA from time to time. However, the version of the DPA which was applicable at the time the relevant Processing Specification entered into force shall govern the Processing between the Parties until terminated as set out under this DPA and relevant Processing Specification. The Supplier will upkeep change history of the DPA. Customer is also encouraged to download this DPA when signing the Processing Specification.