Tietoevry Data Processing Principles for Data Processors

1 Rights and obligations of the Parties in Processing

Tieto as the Controller (or on behalf of the Customer)

Instructions

The Controller shall be entitled to give documented instructions to the Processor on the Processing of Personal Data, which shall be binding on the Processor.

Purpose and means

The Controller shall have the exclusive right to specify the purpose and means of Processing of Personal Data and at all times retain the control and authority to the Personal Data.

You as Processor

Performance of Processing

The Processor shall perform the Processing only as required for the purposes of executing specific tasks comprised in the Services and only in accordance with any instructions from the Controller and the terms and conditions of the Agreement, unless required to do otherwise by the Laws. In the latter case, the Processor shall inform the Controller of such deviating legal requirement (provided that the Laws do not prohibit such notification).

Confidentiality

All Personal Data shall be kept strictly confidential. The Processor shall ensure that persons authorised to perform the Processing have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Without the Controller’s approval the Personal Data shall not be:

1. used by the Processor otherwise than in connection with providing the Services and in accordance with instructions given by the Controller;

2. disclosed, sold, assigned, leased or otherwise provided to third parties by the Processor unless the Processor is obliged by mandatory law or decree to disclose such information; or

3. commercially exploited by or on behalf of the Processor.

In case data subjects or governmental authorities make a request concerning the Personal Data, the Processor shall, without undue delay, inform the Controller about such requests.

Technical and organizational security measures

The Processor shall take all appropriate technical and organisational security measures required to be taken by data processors under the Laws and as are required under the Technical and organisational privacy and security measures and as may be further specified in the Agreement.

Use of Sub-Processors

The Processor may use Sub-Processor(s) to process the Personal Data hereunder only with prior written consent of the Controller. Sub-Processor(s) used in the provision of Services are listed in the Processing Specification Form. The Controller can cancel its consent for a justified reason by submitting a written notice thereof to the Processor providing the Processor with a reasonable time (at least sixty (60) working days) to find a replacement for the Sub-Processor so as to avoid any adverse effect on the Services caused by such cancellation by the Sub-Processor.

Processor’s use of Sub-Processor(s) will be under a written contract and the Processor will require the Sub-Processor(s) to comply with the data protection obligations applicable to the Processor under this DPA and any other relevant requirements agreed under this DPA or the Agreement. The Processor will be liable for its Sub-Processor’s actions as for its own.

Assistance, data subject rights

The Processor shall, insofar as this is possible and taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in the Laws.

Assistance, Controller obligations

The Processor shall assist the Controller in ensuring compliance with its legal obligations, such as, data security, data breach notification, data protection assessment and prior consulting obligations, as required of the Processor by the Laws, taking into account the nature of Processing and the information available to the Processor.

Data Breach Notification

The Processor shall without undue delay notify the Controller if it, or one of its Sub-Processors, becomes aware of a Personal Data Breach. The Processor shall inform of the nature of the breach, categories and number of data subjects and personal data records affected, likely consequences of the breach, measures taken or proposed to be taken as well as other details relating to the breach as requested by the Controller as further set out under the Technical and organisational privacy and security measures.

End of Processing

The Processor shall at the Controller’s instructions, delete or return to the Controller all the Personal Data after the end of the provision of the Services relating to Processing, and delete existing copies unless applicable laws require storage of the Personal Data.

Information and audit

The Processor shall maintain necessary records and make available to the Controller all information necessary to demonstrate compliance with the obligations of the Processor, as laid down in the Laws, and allow for and contribute to audits, including inspections by the Controller on Processor’s performance of its Processing obligations under this DPA.

With regard to possible sub-processor(s), the Processor shall ensure that the sub-processor(s) agreements include same auditing requirements as set out herein and the Processor shall conduct audits towards its sub-processors periodically and also when requested by the Controller and shall disclose all results of such audits to the Controller upon request.

The Parties shall be responsible for their own audit costs; provided, however, that if the audit reveals material deficiencies in the Processor’s performance, the Processor shall bear both Parties’ costs for the audit.

Transfer of Personal Data

The Processor shall ensure that it will only transfer Personal Data out of the territory of the member states of the European Union, the European Economic Area (collectively, the “EU/EEA”) with the Controller’s prior written consent.

The Processor shall enter into Standard Contractual Clauses and any other relevant contractual arrangements with required parties for the transfer of Personal Data from the EU/EEA to third countries. If agreed in writing by Tieto, as an alternative to entering into the Standard Contractual Clauses, the Processor may rely upon an alternative transfer safeguard permitting and providing for the lawful transfer of Personal Data outside of the EU/EEA, provided that such safeguard is in compliance with the Laws.

Processing obligation

The Processor shall commit to the requirements set out in the Appendix 1 - Technical and organisational privacy and security measures.

Unless otherwise agreed, all obligation set out for the Processor under this DPA are included in the Services at no cost to Tieto or Customer.

2  Limitations of liability

The limitation of liability set out under the Agreement shall apply also to Your processing of Personal Data under the Agreement. For purpose of clarity, any direct damage or loss suffered by the Customer or any other end-customer due to Your breach of the Laws or the obligation laid out for You in these Principles, shall be considered Tieto’s direct damages under the Agreement.

Notwithstanding the above, in case the Customer or Tieto has paid compensation to a person according to article 82, Right to compensation and liability of the EU Data Protection Regulation (2016/679), the Customer or Tieto, as the case may be, shall be entitled to claim back from You the whole compensation or that part of the compensation that exceeds its part of the responsibility for the damage finally awarded against the Customer or Tieto by a competent court. The liability of the parties shall be restricted in accordance with article 82. The limitation of liability set out under the Agreement shall not be applied to the whole compensation or part of the compensation described herein.