Data Processing Policy
DEFINITIONS
The following definitions apply solely to this Data Processing Policy:
“Agreement” means the document that includes this Data Processing Policy as an appendix.
“Your Controlled Data” means the personal data in the content Ubisecure processes on your behalf and your instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data.
“EU Data Protection Law” means any data protection or data privacy law or regulation of Switzerland or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including, as applicable, the EU General Data Protection Regulation 2016/679 and the e-Privacy Directive 2002/58/EC.
“GDPR” means the EU General Data Protection Regulation 2016/679.
The terms “Data Controller”, “Data Processor”, “Data Subject”, and “Personal Data” have the meanings given to these terms in the GDPR or secondarily in the EU Data Protection Law.
PARTIES AND PURPOSE
This Data Processing Policy (“DPP”) is attached to and supplements the IDaaS Trial Terms and Conditions (“Agreement”) between the Company, who acts as the Data Controller, and Ubisecure Oy, who acts as the Data Processor.
The purpose of this DPP is to set out the terms and conditions for the processing of Personal Data by the Data Processor on behalf of the Data Controller, in accordance with the requirements of the applicable EU Data Protection Laws.
APPLICABILITY
This Data Processing Policy only applies in respect of Your Controlled Data, when your Data Subjects are residents within the EEA or Switzerland.
DURATION AND TERMINATION
This DPP shall terminate automatically when the Agreement is terminated AND all the Personal Data is deleted, unless Law requires it to be stored in part or in whole. The Data Processor shall certify that the actions have taken place and, upon request, provide the Data Controller with technical evidence of permanent destruction of all Personal Data.
CONFLICT
In case of any conflict between the terms of the Agreement and the terms of this DPP, the relevant terms of this DPP shall take precedence, unless expressly stated otherwise.
PROCESSING ROLES AND ACTIVITIES
Ubisecure is the Data Processor for Your Controlled Data. The Data Controller is responsible for ensuring that their instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. The Data Controller will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). Ubisecure will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
OUR PROCESSING RESPONSIBILITIES AS THE DATA PROCESSOR
Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under the applicable EU Data Protection Laws. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us, and any restrictions on disclosing the information such as for confidentiality.
Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf and instructions.
Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services, your Account or otherwise, provide reasonable assistance to you in respect of your fulfilment of your obligation as the Data Controller to respond to requests by Data Subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will always make a written agreement with each subcontractor, ensure that the subcontractors are properly experienced and qualified, regularly monitor the performance of our subcontractors, and upon the Data Controller's request, provide the Data Controller with a list of all current subcontractors and processing locations of Personal Data, as well as information on the substance of the contract related to the data protection and security obligations within the subcontract relationship.
Ubisecure audits. Ubisecure may (but is not obliged to) use internal or external auditors to verify the adequacy of our security measures.
RIGHTS AND RESPONSIBILITIES OF THE DATA CONTROLLER
The Data Controller shall
(a) process the Personal Data in compliance with the Data Protection Laws and good data processing practice;
(b) give documented and binding instructions to the Data Processor on the processing of Personal Data;
(c) at all times retain the control and authority to the Personal Data; and
(d) at all times retain title and intellectual property rights and other rights to Personal Data.
DATA TRANSFERS
You authorise us to transfer Your Controlled Data away from the country in which such data was originally collected. In particular, you authorise us to transfer Your Controlled Data to Finland and Ireland. We will not transfer Your Controlled Data outside of the EEA without your prior written consent.
CATEGORIES OF PERSONAL DATA
The categories of Personal Data processed by the Data Processor are set out in Annex 1. The Data Processor may process such Personal Data only as long as the services are provided under the Agreement, and as long as one or more Parties have a right or obligation to process such data.
LIABILITY AND INDEMNIFICATION
The Parties agree that any Data Subject who has suffered damage as a result of any breach of this DPP is entitled to seek compensation primarily from the Party who has breached this DPP. If one Party has paid damages to any Data Subject that are partly or fully attributable to the other Party, the former is entitled to claim back the relevant part of the damages from the latter.
Notwithstanding any limitations of liability, the parties agree that the Data Processor shall only be liable for any direct damages up to one million Euros, resulting from the Data Processor’s breach of this DPP.
Annex 1, categories of personal data
This Annex forms a part of the DPP.
1. CATEGORIES OF DATA SUBJECTS
The Data Processor processes Personal Data on the following categories of Data Subjects:
- Employees, including job applicants and agency contract workers
- Customers and customer employees
- Potential customers and employees of potential customers
- Partners, such as suppliers and their employees
2. TYPES OF PERSONAL DATA
The Data Processor processes the following types of Personal Data:
- Name and other identification information such as first name, last name, home address, email address, telephone number, and/or mobile number
- Technical or security data such as IP addresses, other technical identifiers, metadata, and/or data on technical or security events such as access control log data or system monitoring data