GDPR
SUPPLEMENTAL AGREEMENT
Effective from March 23, 2018
This supplemental agreement supplements the service agreement between San Francisco Oy (hereinafter “the Supplier”) and the Client. It applies to service agreements in force on March 23, 2018, as well as to those entered into after that date.
Each Party is responsible for complying with the applicable data protection legislation in force at any given time.
The Client, by virtue of its use of the service, acts as the data controller for any personal data filing systems (registers) that arise from that use, within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679) and other applicable data protection laws in force. The Supplier, in turn, acts as the data processor for the same personal data.
As the data controller, the Client is responsible for ensuring that personal data is processed in accordance with the requirements arising from legislation and regulatory authority orders and guidelines. The Client is also responsible for ensuring that all necessary actions for data processing, such as those required by the General Data Protection Regulation, the Information Society Code, and any other applicable data protection legislation in force, have been undertaken.
The Client authorizes the Supplier to process personal data to the extent necessary for the delivery of the service. The Supplier may process personal data on behalf of the Client for purposes such as providing and using the services, billing, technical development, statistical analysis, marketing, service optimization, and other lawful, legitimate, and acceptable purposes in accordance with applicable legislation. Personal data will be processed for the duration required for the above-mentioned activities. The Supplier will ensure that individuals authorized to process personal data are committed to confidentiality or are subject to appropriate legal confidentiality obligations.
The Client is responsible for ensuring that users of the service are aware of the transfer of their personal data to the Supplier and the purposes for which it will be used, in accordance with applicable legislation, as well as collecting and ensuring the existence of any necessary consents from users for the processing and transfer of personal data. The Client is responsible for ensuring that the Supplier has accurate, up-to-date, and correct information about the users.
The Supplier may provide the Client, upon request, with traffic (intermediary) data, personal data, and other data and reports to the extent permitted and required by the Information Society Code and other applicable data protection laws. Such data transfers and related procedures will always comply with the requirements of the applicable legislation. The Client agrees to use the data and reports received from the Supplier solely for the purpose for which they were provided and only to the extent the law allows the data controller to do so.
The Supplier will process personal data in accordance with the agreement and the Client’s written instructions attached to the agreement. The Supplier is entitled to bill the Client in accordance with its pricing schedule for any work and actions required by the Client’s written instructions, unless otherwise agreed in the contract. After the processing has been completed, the Supplier, based on the Client’s choice and specified instructions, will either delete or return the Client’s personal data, unless retention of the data is required by law.
The Supplier will implement technical and organizational measures required by law to secure personal data.
These measures must ensure an appropriate level of security, taking into account:
- a) the state of the art (available technical capabilities),
- b) the cost of implementing the measures,
- c) the nature, scope, context, and purposes of the processing, and
- d) the specific risks associated with the processing.
When processing personal data on behalf of the Client, the Supplier will assist the Client in ensuring compliance with the obligations set out in Articles 32 to 36 of the General Data Protection Regulation (security of processing, notification of personal data breaches, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the Supplier.
If the Supplier incurs costs in complying with security requirements or assisting the Client, the Client will reimburse the Supplier for such costs.
Customer and personal data may be transferred and disclosed to the Supplier’s partners and subcontractors if necessary for the provision of the service. Data may be transferred and disclosed outside the EU and EEA in accordance with data protection legislation. In other cases, the Supplier will not disclose personal data received from the Client to third parties without the Client’s prior consent. As the data processor, the Supplier will direct personal data requests from data subjects, the data protection authority, or other relevant authorities to the Client. Likewise, the Supplier will direct requests for data deletion, transfer, correction, and restriction to the Client and, where possible, assist the Client in responding to such requests with reasonable technical measures. The obligations mentioned in this paragraph do not apply to the Supplier if the Supplier is legally obligated to disclose the data.
The Supplier will duly notify the Client of any personal data breaches or attempts thereof involving the Client’s personal data that the Supplier becomes aware of.
The Supplier allows audits related to personal data processing by the Client and authorities under the law. The specifics of any audit carried out by the Client will be agreed separately. The Supplier is entitled to charge the Client for the costs associated with such audits.
The Supplier requires its subcontractors, in accordance with legal requirements, to comply with terms similar to those described in this section.