Data Processing Agreement
1 Purpose and scope
This DPA shall govern all Personal Data Processing conducted by Tieto group companies (including affiliates) ("Supplier" or "Data Processor") on behalf of the customer (and the organization(s) the customer represents, including affiliates) ("Customer" or "Data Controller"), as specified and agreed under the applicable Processing Specification Form referring to this DPA.
The Customer and the Supplier may also be referred to as a "Party" or as the "Parties", as the case may be. Any reference to "Customer" or "Supplier" shall be construed as referring to any Party or Parties acting in such capacity from time to time.
1.1 Structure of the agreement
The Parties shall specify the Processing activities conducted under this DPA in accordance with a Processing Specification Form, which – in executed format – shall be an integral part of this DPA; provided, however, that in the event of conflict, the provisions of the Processing Specification Form shall prevail.
The DPA shall regulate the Processing of Personal Data by the Supplier on behalf of the Customer under the agreement(s) to which a Processing Specification Form refers and/or applies for the provision of Services as defined under the applicable agreement(s) ("Main Agreement"). This DPA shall form an integral part of the Main Agreement, meaning that the applicable parts of the Main Agreement (including its provisions on governing law and dispute resolution) shall apply also to this DPA. In the event of conflict, the provisions of this DPA shall prevail.
In the absence of a signed Processing Specification Form or separate data processing agreement between the Customer and the Supplier, the Supplier shall nevertheless act in accordance with this DPA when processing Customer Personal Data, if so required by the Laws.
The DPA includes these Appendices, which apply in the following order:
Where applicable, capitalized terms used under this DPA shall have the meaning ascribed to them in Appendix 1. Unless and to the extent the context otherwise requires, any use of the singular includes plural and vice versa.
In connection with the Processing, the Customer shall be regarded as Data Controller and the Supplier shall be regarded as Data Processor.
Both Parties shall be responsible to ensure that the Processing is made in accordance with the Laws which apply to each Party as well as good data processing practices.
2.3 Rights and obligations of the Data Controller
The Data Controller shall
2.4 Rights and obligations of the Data Processor
The Data Processor shall
Unless otherwise agreed, the Data Processor shall have the right to invoice any costs resulting from the assistance referred to in items 5-6 above in accordance with the Data Processor's prevailing price list.
3.1 Security measures
The Data Processor shall implement and maintain appropriate technical and organisational measures to protect the Personal Data, taking into account:
3.2 Details on security measures
The principles of the security measures taken for the applicable Processing by the Data Processor under this DPA are described in Technical and organisational security measures and may be further specified and amended in the relevant Processing Specification and/or the Main Agreement.
Such measures include, inter alia as appropriate:
3.3 Information about security measures
The Data Controller is responsible for ensuring that the Data Processor is informed of all issues (including but not limited to risk assessment and the inclusion of special categories of Personal Data) related to the Personal Data provided by the Data Controller which affect the technical and organizational measures employed under this DPA.
3.4 Changes to security measures
Changes in security measures shall be handled in accordance with the change management process of the Main Agreement.
4.1 Use of Sub-Processors
The Data Processor may from time to time use Sub-Processors to process the Personal Data hereunder. Sub-Processor(s) used in the provision of Services are listed in the Processing Specification Form and/or the Main Agreement.
Such use will be under written contract and the Data Processor will require the Sub-Processor to comply with the data protection obligations applicable to the Data Processor under this DPA or obligations which provide for the same level of data protection.
The Data Processor will be liable for its Sub-Processor’s actions as for its own.
The Data Controller agrees that the Data Processor has a general consent to use the Data Processor’s Affiliates as Sub-Processors when Processing Personal Data. Tieto Affiliates are listed at https://www.tieto.com/addresses.
4.3 Changes to Sub-Processors
The Data Processor will inform the Data Controller in advance of any intended changes concerning the addition or replacement of Sub-Processors.
If the Data Controller does not accept an intended change, the Data Controller may terminate such part of the Main Agreement which the sub-processing would be related to by way of thirty (30) days’ prior written notice.
5.1 Customer’s consent to transfer data outside of Approved Jurisdictions
The Data Processor will only transfer Personal Data out of the territory of the member states of the European Union, the European Economic Area, or other countries which the European Commission has found to guarantee an adequate level of data protection (collectively, the “Approved Jurisdictions”) with the Data Controller’s prior written consent. For the purpose of clarity, such consent must be clearly indicated in the Processing Specification Form or the Main Agreement.
5.2 Data protection during data transfer
Subject to the Data Controller’s consent under 5.1 above, the Data Processor shall enter into the relevant contractual arrangements with the required parties for the lawful transfer of Personal Data from the Approved Jurisdictions to third countries.
Such contractual arrangements shall be carried out in accordance with the standard data protection clauses adopted or approved by the European Commission attached hereto (“Standard Contractual Clauses”). As an alternative to entering into the Standard Contractual Clauses, the Data Processor may rely upon an alternative transfer safeguard permitting and providing for the lawful transfer of Personal Data outside of the Approved Jurisdictions, provided that such safeguard is in compliance with applicable legislation.
Subject to the Data Controller’s consent under 5.1 above, the Data Controller authorizes the Data Processor to enter into and sign the Standard Contractual Clauses in the name and on behalf of the Data Controller, unless otherwise agreed. The duly signed Standard Contractual Clauses document is available for the Data Controller’s review upon request.
5.3 Order of application
In case of conflict between the Standard Contractual Clauses or any other alternative transfer safeguard permitting the lawful transfer of Personal Data outside the Approved Jurisdictions and the DPA, the Standard Contractual Clauses or such alternative framework shall always take precedence over the Main Agreement and this DPA.
6.1 Personal Data Breach notification process
The Data Processor shall without undue delay notify the Data Controller if it, or one of its Sub-Processors, becomes aware of a Personal Data Breach. Information shall be provided to the contact person named by the Data Controller, if not otherwise agreed between the Parties.
6.2 Personal Data Breach notification content
The Data Processor shall without undue delay inform the Data Controller of the circumstances giving rise to the Personal Data Breach, and any other related information reasonably requested by the Data Controller and available to the Data Processor.
Additionally, to the extent it is available, the Data Processor shall provide to the Data Controller the following information:
The Parties may separately agree on a more detailed breach notification process.
The Data Controller shall be entitled to audit the Data Processor's performance of its Processing obligations under this DPA ("Audit").
7.2 How auditing is performed
The Data Controller is obligated to use external auditors who are not competitors of the Data Processor, to conduct such an Audit.
The Parties shall agree well in advance on the time and other details relating to the conduct of such Audits.
The Audit shall be conducted in such a manner that the Data Processor's undertakings towards third parties (including but not limited to the Data Processor's customers, partners and vendors) are in no way jeopardized. All the Data Controller's representatives or external auditors participating in the Audit shall execute customary confidentiality undertakings towards the Data Processor.
7.3 Authorities' right to audit
The Data Processor shall always allow any relevant regulatory authority supervising the Data Controller's business to conduct Audits of the Data Processor's operations, in which case relevant parts of the Parties' agreement hereunder shall apply.
7.4 Cost of auditing
The Data Controller shall bear all Audit expenses, and compensate the Data Processor for any and all costs incurred as a result of the Audit.
However, if the Audit reveals material deficiencies in the Data Processor's performance, the Data Processor shall bear its own costs for the Audit.
8.1 Data Processor's undertakings
The Data Processor shall
In case data subjects or governmental authorities make a request concerning Personal Data, the Data Processor shall, as soon as reasonably possible, inform the Data Controller about such requests before providing any response or taking other action concerning the Personal Data.
In case any applicable authority prescribes an immediate response to a disclosure request, the Data Processor shall inform the Data Controller as soon as reasonably possible, unless the Data Processor is prohibited by mandatory law or authority order from disclosing such information.
The limitations of liability set out under the Main Agreement shall apply also to this DPA.
The Parties agree that the general principle of division of responsibilities between the Parties relating to administrative fines imposed by any relevant supervisory authority or claims by data subjects under this DPA is based on the principle that the respective Party needs to fulfil its own obligations under the Laws. Hence, any administrative fines imposed or damages ordered should be paid by the Party that has failed in its performance of its legal obligations under the Laws, as decided by the relevant supervisory authority or competent court authorized to impose such fines or damages.
This DPA shall enter into force on the last signature date of the Processing Specification Form referring to this DPA. This DPA shall be in effect for the term of the applicable Processing Specification Form.
10.2 Surviving clauses
All provisions which by nature are intended to survive the termination of this DPA shall remain in full force and effect regardless of the termination of this DPA.
10.3 Changes and amendments
The Supplier has the right to change this DPA from time to time. However, the version of the DPA which was applicable at the time the relevant Processing Specification Form entered into force shall govern the Processing between the Parties until terminated as set out under this DPA and the relevant Processing Specification Form. The Supplier will maintain a change history of the DPA. The Customer is also encouraged to download this DPA when signing the Processing Specification Form.