Preconditions for processing personal data

7.5.2018

General terms and conditions

This agreement appendix “Preconditions for processing personal data” is applied as part of the Service agreement that Vilkas Group Oy (hereinafter referred to as “Vilkas”) has made with the Customer specified in section 1.1 (hereinafter referred to as “Customer”) regarding the online shop services (hereinafter referred to as “Agreement”). The parties undertake to include this agreement appendix as part of all future agreements between Vilkas and the Customer concerning the processing of personal data and data protection.

This agreement appendix is an inseparable part of the Agreement, and it complements the terms and conditions of the Agreement.

Binding for the Customer and Vilkas, this agreement appendix defines the agreement terms concerning the processing of personal data and data protection according to which Vilkas, commissioned by the Customer, processes, as the processor referred to in the data protection legislation, personal data on behalf of the Customer, in addition to the terms and conditions of an individual agreement.

In their operations, the parties undertake to follow the currently valid legislation relating to the processing of personal data and data protection. Each party is responsible for ensuring that the processing of personal data is performed in accordance with the legislation applied for the party in question and observing good data processing practice. In addition, the parties undertake to bring the processing of personal data and data protection to the level required by the EU General Data Protection Regulation by 25 May, when the application of the Data Protection Regulation begins.

The target, duration, nature and purpose of the processing of personal data as well as the types of personal data and groups of data subjects are described in the Agreement. In the Agreement, the Customer provides Vilkas with written instructions on the processing of personal data, which Vilkas undertakes to follow.

Roles of the parties in the processing of personal data

In the Agreement, the Customer acts as the controller referred to in the legislation concerning the processing of personal data and data protection. The Parties understand that, as the controller, the Customer may only use processors that implement sufficient protection measures to execute appropriate technical and organisational measures so that the processing meets the requirements of the valid legislation relating to the processing of personal data and data protection and, as of 25 May 2018, the requirements of the EU General Data Protection Regulation, and this ensures the protection of the rights of the data subject.

In the Agreement, Vilkas acts as the processor of the Customer’s personal data referred to in the legislation concerning the processing of personal data and data protection and processes the Customer’s personal data on behalf of the Customer. The subcontractors used by Vilkas in accordance with the Agreement and this agreement appendix that participate in the processing of the Customer’s personal data also act as processors on behalf of the Customer.

The Customer undertakes to take care of the duties of the controller in accordance with the legislation concerning the processing of personal data and data protection.

The Customer has described to Vilkas the target, duration, nature and purpose of the processing of personal data according to the Agreement in the Agreement or a separate document.

The Customer shall give Vilkas written instructions on the processing of personal data. Vilkas undertakes to follow the instructions in question. When legislation or official regulations change substantially, the parties undertake to update the terms of the instructions as extensively as possible to correspond with the principles of the original instructions. The Customer shall ensure that it has submitted to Vilkas all the information that Vilkas needs and has asked from the Customer in order to process personal data in accordance with legislation. Vilkas is responsible for asking the Customer for all the data it needs to deliver the services in accordance with agreements between the parties, this Agreement and the currently valid regulations.

Subcontractors processing personal data

With this agreement appendix, Vilkas receives from the Customer a general written pre-authorisation to use the services of other processors (hereinafter referred to as “subcontractors”). Vilkas must notify the Customer of all the planned changes concerning adding or changing subcontractors and thus give the Customer the opportunity to oppose these changes.

Vilkas and its possible subcontractors who, as processors, process the Customer’s personal data on behalf of the Customer shall comply with the obligations concerning the processor described in this agreement appendix and other agreements between the parties. In its own agreements, Vilkas is obligated to commit the subcontractors it uses to comply with the terms of this agreement appendix and other agreements between the parties. If a subcontractor used by Vilkas does not fulfil its data protection obligations, Vilkas shall be liable to the Customer for the agreement violation of the subcontractor.

General obligations and rights of the controller

As the controller, the Customer is obligated to provide Vilkas, the processor, with comprehensive and reasonable instructions concerning the processing in a documented format. The Customer has the right and the obligation to define the purpose and methods of personal data processing in accordance with the Agreement.

The Customer is responsible for seeing that all the data subjects whose personal data is being processed are supplied with the necessary notices and information. The Customer must ensure that transferring personal data to Vilkas and processing it in accordance with the Agreement is legal for the duration of processing the personal data but in such a way that Vilkas remains responsible for its own operations in accordance with legislation.

The Customer is obligated to confirm that the processing of personal data according to the Agreement meets the requirements of the controller, including the data security requirements, and that it has submitted to Vilkas all the data that Vilkas needs and has asked in order to perform the processing according to legislation.

The Customer has the right to authorise an auditor to perform auditing, such as inspections, for Vilkas concerning the processing and data protection of the personal data specified in the Agreement. The Customer is obligated to agree with Vilkas on the time and other details of the auditing in good time before performing the auditing. The Customer is liable for all the costs arising from the auditing and shall compensate Vilkas for the costs arising from it.

General obligations and rights of the processor

As the processor, Vilkas shall process personal data only in accordance with the documented, legal and reasonable instructions provided by the Customer, i.e. the controller, unless otherwise required by legislation. Vilkas shall notify the Customer of this kind of legal requirement prior to processing, unless such notification is forbidden by the law in question because of important reasons concerning general benefit.

Vilkas undertakes to ensure that all the persons entitled to process personal data are committed to complying with the confidentiality obligation specified in the Agreement or any legal confidentiality obligation.

To ensure the safety level corresponding to the risk, Vilkas undertakes to implement the objectively appropriate technical and organisational measures in accordance with the established industry practices to ensure the safety of processing personal data, taking into account the latest technology, implementation costs, the nature, extent, context and purposes of the processing, risks of varying probability and severity to the rights and liberties of natural persons and risks included in the processing, especially the accidental or illegal destruction, deletion, alteration or unauthorised disclosure of transferred, recorded or otherwise processed personal data and access to such data. Vilkas has the right to charge the Customer for the costs arising from this.

Taking into account the nature of the processing measures, Vilkas shall help the controller, where possible, with appropriate technical and organisational measures to fulfil the obligation of the controller to respond to requests concerning the use of the legal rights of the data subject.

If necessary, Vilkas undertakes to assist the Customer for a fee in the performance of an impact assessment concerning data protection in accordance with the legislation regarding the processing of personal data and in possible prior consultation and acquiring of data protection certification, taking into account the data available to Vilkas and the nature of the processing.

After the end of the provision of services relating to the Agreement, Vilkas undertakes, according to a separate agreement, to remove all personal data or return it to the Customer and to remove any existing copies unless legislation requires the personal data to be retained.

Vilkas shall make all the data necessary for the demonstration of compliance with the obligations described in this agreement appendix available to the Customer, allow an auditor authorised by the Customer to perform auditing, such as inspections, and participate in the auditing. The parties shall agree on the time and other details of the auditing in good time before its performance. The Customer is liable for all the costs arising from the auditing and shall compensate Vilkas for the costs arising from it.

Data security violations

Data security violation refers to a violation of data security resulting in the accidental or illegal destruction, deletion, alteration or unauthorised disclosure of personal data that has been transferred, recorded or otherwise processed under this agreement or other agreement between the parties and access to such data.

Vilkas must notify the Customer in writing of a data security violation of personal data without undue delay when it learns of such a violation. Vilkas must give the Customer at least the following information concerning a data security violation:

  1. the description of the data security violation, including the groups and estimated numbers of data subjects affected and the groups and estimated numbers of personal data types
  2. the indication of a privacy specialist or other responsible person who can provide more information on the matter
  3. the description of the likely results of the data security violations of personal data
  4. the description of measures the processor in question would propose or has implemented as a result of a data security violation of personal data and, if necessary, the measures to mitigate any harmful effects.

Liability for damage

As the controller, the Customer is liable for the damages caused by processing its personal data in a way that violates the legislation concerning the processing of personal data and data protection. As the processor, Vilkas is liable for the damages caused during the processing of personal data only if it has not specifically followed the legal obligations of processors or it has operated outside or in violation of the legal instructions for processors given in the Agreement. Vilkas is not responsible for any part of administrative fines relating to data protection.

Other terms and conditions

The parties understand that at the time of making the Agreement, the legislation concerning data protection is in the process of changing. If changes are made to the legislation in question or the recommendations, instructions or regulations concerning the legislation or its interpretation and those changes affect the position or duties of the parties defined in this agreement, this agreement appendix may be revised for those parts, if necessary.

Disputes

This agreement appendix is subject to Finnish law, excluding connecting factor rules. Any disputes related to this appendix shall be resolved primarily through negotiations, and if a resolution cannot be reached, the dispute may be resolved by the Pirkanmaa District Court.