Personal Data Processing Addendum
The purpose of this DPA is to agree on the privacy and data protection terms that apply to the Controller's Personal Data Processed in the Services of the Processor. This DPA constitutes a written agreement in accordance with the EU General Data Protection Regulation (EU) 2016/679 ("Regulation") concerning the processing of personal data.
By accessing or using the Services you acknowledge and agree that you have read, understood, and agree to be bound by this DPA. We may update this DPA from time to time, and by continuing to use the Services you accept the modifications. If you do not agree with this DPA you should immediately discontinue using the Services.
If this DPA and the Terms conflict with regard to the Processing of Personal Data, the parties shall primarily apply the terms of this DPA.
In accordance with the EU General Data Protection Regulation, the terms below are defined as follows:
“Controller” shall mean the User or the User’s client, who shall define the purposes and methods of Personal Data Processing.
“Processor” shall mean GameBook Oy, who shall Process Personal Data on behalf of the Controller based on the Terms.
“Processing” or “Processing Activities” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal Data” shall mean any information relating to an identified or identifiable natural person, hereafter “Data Subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
3. DATA PROTECTION AND PROCESSING PERSONAL DATA
3.1 Obligations of the Processor and the User
The Processor shall Process the Personal Data of the Controller on behalf of, and as commissioned by, the Controller on the grounds of the Terms. The Personal Data that the Processor Processes may relate to, e.g., employees or Users. The User or the User’s client shall be the Controller, and the Processor shall be the Processor, of the Personal Data Processed in the Services. The parties undertake to abide by the legislation, decrees and authority orders and guidelines concerning the Processing of Personal Data in force from time to time, both in Finland and in the EU.
The Controller is entitled and obligated to define the purpose and methods of the Processing of Personal Data. The subject matter, nature, purpose and other necessary details of the Processing are defined in more detail in Section 9 of the DPA.
The Processor is entitled to Process the Personal Data and other data of the Controller only on the grounds of the Terms and this DPA, according to the written guidelines of the User, and only to the extent and in the manner necessary to provide the Services. The Processor shall notify the User if it detects that the User's guidelines conflict with the data protection legislation of the EU or Finland, and in such a case the Processor may immediately decline to apply, or stop applying, the guidelines in question.
The Processor shall maintain the service description or other record of the Processing Activities of the Services where it is required to do so by the EU General Data Protection Regulation. The Processor is entitled to collect anonymous and statistical data on the use of the Services pursuant to the Terms, provided that such data does not identify the User or the Data Subjects, and to use it for analyzing and developing its services.
3.2 Deletion or Returning of Data
After the expiry of the Terms, the Processor shall, according to the guidelines of the User, return or delete all Personal Data of the Controller and delete all existing copies, unless applicable legislation requires the retention of the Personal Data.
3.3 Subcontractors
The Processor may use subcontractors for Processing the Controller’s Personal Data. The Processor is responsible for its subcontractors’ actions as for its own actions and shall conclude written agreements with the subcontractors concerning the Processing of Personal Data. If requested, the Processor shall inform the User in advance of the subcontractors the Processor intends to use in Processing the Personal Data pursuant to the Terms. The User is entitled to object to the use of a new subcontractor on reasonable grounds. If the Parties are unable to reach an agreement concerning the use of a new subcontractor, the User is entitled to terminate the Service with thirty (30) days’ notice, in so far as the change of subcontractor affects the Processing of Personal Data pursuant to the Terms.
3.4 Processor’s Obligation to Provide Assistance
The Processor shall immediately forward to the User all requests to access, rectify, erase or object to the Processing of Personal Data, and any other requests received from Data Subjects. If requested by the User, the Processor shall support the User in fulfilling the requests of the Data Subjects.
The Processor is obligated, taking into account the nature of the Processing of Personal Data and the information available to it, to assist the User in ensuring that the User complies with its legal obligations. These obligations may include requirements related to data security, notification of Personal Data Breaches, data protection impact assessments and prior consultations. The Processor is obligated to assist the User only to the extent that applicable legislation obligates a Processor of Personal Data. Unless otherwise agreed, the Processor is entitled to invoice the costs incurred from assistance provided under this Section 3.4 according to the Processor’s then-current price list.
The Processor shall forward all inquiries made by data protection authorities directly to the User and shall await further guidance from the User. Unless otherwise agreed, the Processor is not authorized to represent the User, or to act on behalf of the User, in relation to the authorities supervising the User.
4. PROCESSING TAKING PLACE OUTSIDE EU/EEA
The Processor and its subcontractors may Process Personal Data outside the EU/EEA.
Where the transfer of Personal Data outside the EU/EEA from the Processor to a sub-processor is permitted under subsection 3.3, the Processor ensures that the transfer is made only to: (a) countries for which the Commission has decided that they ensure an adequate level of data protection, or (b) parties which have committed to the Privacy Shield, or which use standard contractual clauses or other appropriate safeguards as described in Article 46 of the General Data Protection Regulation. When the above prerequisites are met, and provided that the Processor keeps the Controller informed of transfers of Personal Data outside the EU/EEA, the Controller consents to the transfers and authorizes the Processor to agree on the use of standard contractual clauses on behalf of the Controller and to represent the Controller regarding those conditions of the standard contractual clauses that concern the rights and liabilities of the Controller.
5. AUDITING
The User, or an auditor authorized by the User (but not a competitor of the Processor), is entitled to audit the activities carried out pursuant to the DPA. The Parties shall agree on the time of the audit and other details in advance, and no later than fourteen (14) days before the inspection. The audit shall be carried out in a way that does not interfere with the obligations of the Processor or its subcontractors towards third parties. The representatives of the User and the auditor must sign customary non-disclosure commitments.
The User shall be responsible for its own expenses and for the expenses incurred by the Processor as a result of the audit.
6. DATA SECURITY
The Processor shall implement appropriate technical and organizational measures to protect the Personal Data of the Controller, taking into account the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. When organizing the security measures, the state of the art and the costs of implementation shall be assessed in relation to the specific risks of the Processing at hand and the sensitivity of the Personal Data Processed.
The User shall be obligated to ensure that the Processor is notified of all circumstances concerning the Personal Data delivered by the User that affect the technical and organizational measures pursuant to this DPA, such as risk assessments and the Processing of special categories of Personal Data or Data Subjects. The Processor shall ensure that the personnel of the Processor, or of a subcontractor of the Processor, are bound by appropriate non-disclosure commitments.
The detailed description of the technical and organizational security measures the Processor has implemented is available here.
7. DATA BREACHES
The Processor must notify the User of all Personal Data Breaches without undue delay after becoming aware of the breach, or after a subcontractor of the Processor has become aware of the breach.
If requested by the User, the Processor shall, without undue delay, provide the User with all relevant information concerning the Personal Data Breach. In so far as the information in question is available to the Processor, the Processor shall describe to the User at least the following:
- a) the nature of the Personal Data Breach,
- b) where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned,
- c) a description of the likely consequences of the Personal Data Breach, and
- d) a description of the remedial measures that the Processor has implemented, or intends to implement, to prevent Personal Data Breaches in the future and, where appropriate, the measures taken to mitigate the possible adverse effects of the Personal Data Breach.
The Processor shall document and report the results of the inquiry and the implemented measures to the User.
The User shall be liable for the necessary notifications to the data protection authorities.
8. LIABILITY
If any material or non-material damage is caused to a person due to an infringement of the EU General Data Protection Regulation or of this DPA, the Processor shall be liable for the damage only in so far as it has not complied with the obligations specifically directed to Processors of Personal Data in the EU General Data Protection Regulation or in this DPA.
Each party shall be obligated to pay only the part of the damages or administrative fine that corresponds to its share of the liability as confirmed in the final decision of a data protection authority or a court of law. In all cases, the liability of the parties shall be determined pursuant to the Terms.
9. DESCRIPTION OF THE DATA PROCESSING DETAILS
The Processor shall only Process Personal Data in accordance with the Controller’s written instructions, as applicable from time to time, concerning the details of the Processing Activities. Unless otherwise agreed, such details are as follows:
The categories of Data Subjects included in the Processing:
– Customer contact persons
– Service users
The categories of Personal Data included:
– Email address
10. OTHER PROVISIONS
The DPA shall remain in force (i) as long as the Terms are in force, or (ii) as long as the parties have obligations towards one another concerning Personal Data Processing Activities.
Those obligations that, due to their nature, are meant to survive the expiry of this DPA shall remain in force after the expiry of the DPA.
— End of DPA —