Data Processing Agreement

Data Processing Agreement with Customers

Version 20th April 2018

1. Parties

Eazybreak Oy, Company ID 2304493-8, Kutomotie 16, 00380, Helsinki (“Supplier”)

and

Customer who has registered to Eazybreak service and accepted these terms (“Customer”)

2. Purpose of this amendment to the service agreement

With this agreement, the parties agree on processing of Customer’s employees’ personal data (“Personal Data”) to provide Eazybreak digital employee benefit service to Customer’s employees (“Service”) based on agreement between Customer and Supplier (“Service Agreement”).

This agreement shall form an integral part of the Service Agreement. Therefore, all applicable parts of the Service Agreement (including its provisions on governing law and dispute resolution) shall apply also to this agreement. However, in the event of conflict, the provisions of this agreement shall prevail over the provisions of the Service Agreement.

3. Subject matter of processing

Personal Data will be processed solely for the fulfilment of the Service Agreement.

4. Duration of processing

Personal Data will be processed by Service Provider for the duration of the Service Agreement, unless a longer period is agreed between the parties in the Service Agreement, e.g. for storage service or in order to transfer the Personal Data to third parties. Customer can always require Supplier to stop processing of Personal Data. Customer’s admin users can remove users and their information from the Service. Employees can also modify their own information within the Service.

5. Nature and purpose of processing

Personal Data is being processed for fulfilling the Service Agreement and to perform the Service.

6. Types of personal data being processed

The following data relating to the Customer’s employees

  • Non-sensitive personal data – first name, surname, employee identification, e-mail address, telephone number, employer, employer office, cost center, payment group, Eazybreak contactless ID code for contactless payment, opening and closing date of employee’s personal Eazybreak account, long term absence start and ending dates
  • Information relating to used tax free employment benefits
  • Log information

7. Categories of data subjects

Customer’s employees

8. Processing of Personal Data

8.1.  The parties note that Customer is data controller as defined in the European Union General Data Protection Regulation (2016/679) (“GDPR”) and that Supplier processes Personal Data as a data processor for such data. Supplier informs employees of data processing with data protection statement that is available within the Service.

8.2.  The parties agree to comply with the data protection laws, the GDPR, applicable national and international regulations concerning data protection as well as guidance and decisions of the relevant data protection authorities (together “Data Protection Regulations”).

8.3. Customer is responsible to ensure that it can pass the Personal Data to Supplier and that Supplier is entitled to process the Personal Data provided to it under this agreement by Customer and its employees.

8.4. Supplier shall comply with all instructions and guidance by Customer regarding data protection. Customer will inform Supplier of these obligations and their possible amendments well in advance.

8.5. Supplier shall comply with Customer’s separate instructions and requirements regarding data security.

8.6. Supplier is not entitled to hand over Personal Data to third parties or process them for any other purpose than the purposes of the Service Agreement without Customer’s prior written consent. Supplier is entitled to use sub-processors for the processing of Personal Data under this agreement only if it has received prior written consent for such processing from Customer. Supplier is responsible for the performance of its subcontractors of the provisions of this agreement. Supplier uses the following approved suppliers who process Personal Data:

  • Vakka-Suomen Puhelin Oy, FI02130722
  • Planeetta Internet Oy, FI17534949
  • Netsize IPX Ab, SE556664706001

Additionally, Service Providers who have registered to the Service will process Personal Data to provide the Service.

8.7.  Supplier is responsible to

(i) Process Personal Data lawfully, carefully and according to good data protection practices and act also otherwise so that data subject’s privacy and other basic rights protecting privacy are not limited without legal grounds;

(ii) Process Personal Data only on and as per the documented instructions from the Customer. Processing for Supplier’s own purposes, e.g. marketing purposes, is strictly prohibited. Conditions and descriptions of Supplier’s products and services included in the Service Agreement are also considered documented instructions;

(iii) Without delay assist Customer and provide the required information that is required to comply with the rights of data subjects and to answer the requests by data subjects and supervisory authorities described in the Data Protection Laws;

(iv) Inform Customer in advance of the countries where it will process Personal Information. At the time of entering into this agreement Personal Data is processed in Finland and Sweden;

(v) Only transfer Personal Data to third parties outside the territory of the member states of the European Union and the European Economic Area or to international organisations with the prior written approval of Customer;

(vi) Upon commercially reasonable terms and to the extent possible, include terms and conditions similar to the ones contained in this agreement to all its contracts with its subcontractors who process Personal Data directly or indirectly on behalf of Customer;

(vii) In case data subjects, governmental authorities or supervisory authorities make a request for information, Supplier shall immediately inform Customer about such request;

(viii) Maintain appropriate technical and organisational measures to protect the Personal Data, taking into account: the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed. Such measures include, inter alia as appropriate: a) the pseudonymisation and encryption of the Personal Data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. When determining the appropriate security level special attention needs to be paid to risks involved in processing Personal Data, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.

(ix) Inform Customer, if the Supplier deems that instructions or practices of Customer are in breach of Data Protection Laws;

(x) Assist Customer in ensuring compliance with their legal obligations, such as data security, data breach notification, data protection assessment and prior consulting obligations, as required from Customer by the Data Protection Laws;

(xi) Ensure that persons authorised to perform the processing hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality as further described in this agreement;

(xii) Implement measures to ensure that every person processing Personal Data on behalf of Supplier only processes them as instructed by Customer unless applicable laws otherwise require;

(xiii) At Customer’s instructions, delete or return to Supplier all the Personal Data after the end of the provision of the Services relating to Processing, and delete existing copies, unless applicable laws require storage of the Personal Data.

8.8. Customer shall be entitled to audit Supplier’s performance of its obligations under this agreement and compliance with Data Protection Laws (“Audit”). They are entitled to use external auditors who are not competitors of Supplier, to conduct such an Audit.

8.9. Customer shall inform Supplier on the timing and other details relating to the conduct of such Audits at the latest thirty (30) days in advance, provided that mandatory decision of the authorities does not prevent such notice.

8.10. Supplier agrees to enable necessary access to Supplier’s and its subcontractor’s premises and systems for the party conducting the Audit at the agreed time during their normal business hours. Supplier will, upon request, provide the information, documents and other material reasonably requested by the auditing party. Supplier will also reasonably assist in the Audit. The parties will agree on how to implement the changes identified in the Audits. Parties performing Audits will need to agree to maintain confidentiality of the information they receive and not to use it for any other purpose than to conduct the Audit itself. Customer is responsible for the compliance of their aforesaid obligations.

8.11. Nothing stated in this clause limits the audit rights of authorities supervising Customer. These will be performed as instructed by the said authorities.

8.12. Customer shall bear all costs for Audits and it will compensate Supplier for all costs incurred due to the Audit. However, if any Audit reveals material deficiencies in Supplier’s performance under this agreement, Supplier shall bear all costs for such Audit and it will compensate those to Customer.

8.13. Supplier shall immediately, and in any case within 24 hours after becoming aware of it, notify Customer if it or one of its sub-processors becomes aware of a personal data breach or of breach of Data Protection Laws relating to Customer’s employees (“Personal Data Breach”). Information shall be provided to the contact person named by Customer, unless otherwise agreed.

Supplier’s notice shall include at least the following information, provided that Supplier has access to it:

(i) a description of the nature of the Personal Data Breach and description of the security breach that caused the Personal Data Breach;

(ii) what information was subject to Personal Data Breach;

(iii) when Personal Data Breach relates to personal information, Supplier needs to specify those data subjects whose information was compromised and the overall number of data subjects affected by the Personal Data Breach;

(iv) who performed the Personal Data Breach and which parties obtained access to information that was exposed;

(v) a description of the likely consequences of the Personal Data Breach and possible damages and consequences for data subjects;

(vi) a description of the measures taken or proposed to be taken by Supplier to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects and prevent Personal Data Breaches in the future; and

(vii) any other information relating to Personal Data Breach possibly requested by Customer.

8.14. To prove its compliance with Data Protection Laws, Supplier needs to document all Personal Data Breaches including details and consequences as well as the measures taken after Supplier became aware of Personal Data Breach.

8.15. Supplier is not allowed to provide information on Personal Data Breaches to third parties or publicise them without Customer’s prior written consent, unless Supplier is obliged by mandatory law or decree to disclose such information. Supplier assists Customer in reporting Personal Data Breaches to supervisory authorities and data subjects as instructed by Customer. If the practices, instructions and requirements mandated by Customer create wider responsibilities to Supplier than what is set by Data Protection Laws, Supplier is entitled to compensation for additional costs incurred.

8.16. Each party will compensate direct losses and damage caused to the other party as a result of its breach of this agreement or Data Protection Laws. Parties are not liable for indirect or consequential loss or damage. Damages that Customer is obliged to compensate to data subjects as well as any penalties set by the authorities and payable because of Data Protection Breach by Supplier are considered direct loss or damage that will be compensated by Supplier. The limitations of liability agreed in the Service Agreement do not apply to such loss or damage.