Appendix 1: Data Processing Agreement
This Personal Data Processing Agreement (“Appendix”) is an inseparable part of the Terms of Service (“Main Agreement”) between Media Tailor Oy (“Service Provider”) and the Customer (“Customer”).
BACKGROUND AND PURPOSE
The Service Provider offers the Customer a smart media management solution for the management, storage and sharing of media content and files (“Service”).
During the course of providing the Service to the Customer, the Service Provider will process personal data on behalf of the Customer.
The purpose of this Appendix is to agree on the processing of Customer’s Personal Data as required by the EU General Data Protection Regulation 2016/679 (the “Regulation”) and the responsibilities thereof. The Customer acts as the data controller and the Service Provider acts as the processor of personal data as referred to in the Regulation.
This Appendix forms an integral part of the Main Agreement concluded between the Customer and the Service Provider on the date when the Main Agreement is approved. In case of discrepancy between the Main Agreement and this Appendix, the latter shall have priority.
PERSONAL DATA SUBJECT TO PROCESSING
In this Appendix, “Personal Data” refers to any information relating to an identified or identifiable natural person, which is entered into the Service by the Customer or a representative of Customer or otherwise collected or stored via the use of the Service.
Personal Data may be processed for the following data subject groups:
- individuals using the Service as registered users or otherwise; and
- individuals featured in the media content stored within the Service.
The categories of Personal Data subject to processing may include:
- communication data and other identifiable data relating to the activity of the user within the Service;
- personal data of identifiable individuals featured in the media content.
RESPONSIBILITIES REGARDING DATA PROCESSING
The Service Provider undertakes to process Personal Data diligently and only to the extent necessary for the provision of the Service to the Customer.
The Customer is responsible for the legal obligations of a data controller. The Customer is, for example, solely responsible for establishing the legal basis under which any Personal Data is processed by the Customer and solely responsible for any information obligations towards the data subjects.
Instructions of the Customer
The Service Provider shall not use Personal Data for any purpose other than that of rendering and providing the Service and will not sell or disclose the Personal Data to any third parties, without the Customer’s prior written approval.
The Service Provider shall process Personal Data in accordance with this Appendix and the documented instructions of the Customer. The instructions must be commercially reasonable, compliant with applicable data protection laws and consistent with this Appendix. The Service Provider shall not be obliged to verify whether any instruction given by the Customer is consistent with applicable laws. However, if the Service Provider detects that any instruction given by the Customer is non-compliant with the requirements of any data protection legislation applicable to the Service Provider’s operations, the Service Provider shall inform the Customer in writing of such non-compliance.
Technical and organizational measures
The Parties shall implement and maintain appropriate technical and organizational security measures to protect the Personal Data in order to safeguard the Personal Data against unauthorized or unlawful processing or access and against accidental loss, destruction or damage. When choosing such security measures, the Parties must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Parties shall ensure that the persons processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
OBLIGATION TO ASSIST
Where possible, Customers must primarily use the Service’s functions to respond to the requests of individuals exercising their rights under data protection legislation.
The Service Provider shall, taking into account the nature of the processing, provide the Customer with commercially reasonable assistance in responding to the legal requests of the data subjects without undue delay. The Service Provider shall further provide commercially reasonable assistance in ensuring compliance with the Customer’s obligation to perform security and data protection assessments, breach notifications and prior consultations of the competent supervisory authority, as set out and required in the data protection legislation, taking into account the nature of the processing and the information available to the Service Provider.
In case the assistance offered by the Service Provider requires extensive measures from the Service Provider, the Customer shall pay the Service Provider a reasonable remuneration for the handling of such assistance requests. The Service Provider shall always inform the Customer of such expenses in advance and acquire the Customer’s consent in writing for the assisting measures and for the expenses caused by such measures.
The Customer accepts that to provide the Service the Service Provider may have Personal Data processed and accessible by its subprocessors outside the European Economic Area (“EEA”) or outside Customer’s country of domicile.
In case Personal Data is transferred from the EEA to a subprocessor, or otherwise transferred to, any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Service Provider provides for appropriate safeguards by standard contractual clauses, adopted or approved by the European Commission and applicable to the processing by the non-EEA subprocessor, or by any other appropriate safeguard as foreseen in the Regulation.
RIGHT TO AUDIT
The Customer shall have the right to reasonably audit the facilities and processing activities of the Service Provider under this Appendix to examine the level of protection and security provided for Personal Data processed under this Appendix and to assess the Service Provider’s compliance with the provisions relating to processing of Personal Data set out herein. The Customer shall bear all costs for such an audit. The Customer shall inform the Service Provider at least 15 working days in advance before conducting the audit.
Where an audit may lead to the disclosure of business or trade secrets of the Service Provider or threaten intellectual property rights of the Service Provider, an independent expert must be employed to carry out the audit, and such expert shall agree to be bound to confidentiality to the Service Provider’s benefit.
In case the audit reveals material deviations from the Service Provider’s obligations relating to the processing of Personal Data or information security measures, the Service Provider shall take corrective measures to cure such deviations or vulnerabilities without undue delay and shall provide information regarding the corrective measures to the Customer. The Service Provider shall bear its own costs for such corrective measures.
General authorization. The Service Provider shall, on the basis of a general authorization hereby granted by the Customer, have the right to involve the Service Provider’s affiliated companies and other subcontractors as subprocessors to process Personal Data in connection with the provision of the Service, to the extent such appointment does not lead to non-compliance with any applicable law or the Service Provider’s obligations under this Appendix.
The Service Provider ensures that the involved subprocessors will operate under a data processing agreement with the Service Provider and comply with data processing obligations similar to the ones contained herein. The Service Provider shall be liable towards the Customer for the processing of Personal Data carried out by the Service Provider’s subprocessors.
Upon request, the Service Provider shall provide the Customer with information regarding the subprocessors currently involved.
Change of a subprocessor. The Service Provider is free to choose and change its subcontractors. The Service Provider shall provide the Customer with a notice of any intended changes concerning the addition or replacement of other processors.
In case the Customer objects to a change of subcontractor on reasonable grounds, the Customer has the right to request the replacement of the subcontractor. If the Service Provider is not willing to replace the subcontractor to which the Customer has objected, the Customer shall have the right to terminate the Service.
DATA SECURITY BREACHES
The Service Provider shall, without undue delay after having become aware of it, inform the Customer in writing about any data security breaches relating to Personal Data and any other events where the security of Personal Data processed on behalf of the Customer has been compromised. The Service Provider’s notification about the breach to the Customer shall include at least the following:
- description of the nature and possible consequences of the breach;
- description of the measures taken by the Service Provider to address the breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- name and contact details of the Service Provider’s contact point where more information can be obtained.
DELETION OR RETURN OF PERSONAL DATA
Personal Data shall be processed under this Appendix until the Customer has ceased to use the Service. Within a reasonable time after the termination or expiry of the Main Agreement, and after the Customer has permanently ceased to use the Service, the Service Provider shall permanently delete all Personal Data from the Service Provider’s storage media, unless specifically instructed otherwise or unless the Service Provider is required by law to store such Personal Data. Upon Customer’s request the Service Provider shall confirm the deletion in writing.
In case additional and more extensive assistance is required in relation to the return of Personal Data or conversion of such data, the Parties shall agree separately on such assistance and the costs incurred due to the Customer’s assistance request.
Subject to the limitations of liability agreed in the Main Agreement, Service Provider shall be liable to the Customer and the Customer shall be liable to the Service Provider for direct damage relating to:
- administrative fines imposed to the other Party by a competent authority, provided that the other Party has paid the fines; and
- damages paid to a natural person by the other Party either resulting from a settlement (which the other Party has accepted) or from a final judgement of the court, provided that the claim against the Party entitled to compensation has been based on a breach of this Appendix or the applicable data protection legislation by the breaching Party.
For clarity, it is confirmed that the liability limitations agreed in the Main Agreement shall apply to this Section 10 in full.
This Appendix enters into force on the date when the Main Agreement is approved and shall continue to be in force until the Service Provider has ceased to process the Customer’s Personal Data or until replaced by another agreement between the Parties in regard to data processing.
This Appendix may be accepted through an online service or signed as one or more original copies. An acceptance given through an online service or a copy of the signed original agreement delivered by email shall be regarded as valid as a manually signed original copy.