This data processing addendum (“Agreement”) applies to all activities where Sales Led Oy (“Clevenio”) processes Personal Data of the Customer in connection Customer’s use of Clevenio’s sales machine software (“Service”) accordance with the Clevenio Terms and Conditions.
Clevenio shall use the Personal Data of the Customer solely in the interest and on behalf of the Customer and for provision of the Service. In this Agreement Clevenio shall be considered as the Processor and the Customer as the Controller.
This Agreement shall not apply to processing of Personal Data for which Clevenio acts as an independent controller in accordance with the GDPR (e.g. business contact information and invoicing information within the scope of the Parties’ cooperation).
Definitions
1.1 Processing of Personal Data: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as accessing, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.2 Data Protection Laws: Any applicable data protection legislation including the EU General Data Protection Regulation (2016/679), relevant national laws and regulations and updates (both existing and future) in EU General Data Protection Regulations (hereinafter “GDPR”).
1.3 Data Subject: An individual whose Personal Data is being Processed by the Processor.
1.4 Personal Data: Any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.5 Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
2 Scope of the Processing and Categories
2.1 Personal data is processed as part of the provision of the Service, and it is processed until expiration or termination of the Services.
2.2 The processed personal data included the contact information of the Customer and other information necessary for the provision of the Service, Categories of data subjects consist of the Customer’s employees and external persons and Customer’s end-customer details.
3. Obligations of the Controller
3.1 The Controller shall Process Personal Data in accordance with applicable laws. The Controller is solely in charge of the legality of personal data it discloses into the Service, and the Customer warrants that it has a right to process all personal data it discloses into the Service. If the Controller unlawfully discloses personal data to the Service, the Customer shall fully reimburse the Processor for all the costs that arise to the Processor for the said activity. The Customer may, if necessary and possible considering the provision of the Service, provide the Processor with binding written instructions regarding this DPA.
3.2 The Controller shall inform the Processor immediately and completely of any disruptions.
3.3 The Controller shall always confirm any oral instructions in writing or via email.
4 Obligations of the Processor
4.1 The Processor shall Process or otherwise use Personal Data of the Controller solely on behalf of the Controller and according to the Controller’s instructions as set out in this Agreement or otherwise communicated to the Processor and always in accordance with the requirements of the Data Protection Laws.
4.2 Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security for the Personal Data.
5 Notification obligation of Personal Data Breach
5.1 In case of a Personal Data Breach, the Processor shall, without undue delay and in any case within seventy-two (72) hours after having become aware of the Personal Data Breach, notify the Controller of the Personal Data Breach in writing. Information shall be provided to the operational contact person named by the Controller, if not otherwise agreed between the parties.
6 Confidentiality
6.1 The Processor undertakes to keep confidential any Personal Data (including any material and information related thereto) and not disclose the Personal Data to any third party unless instructed to do so by the Controller in accordance with this Agreement and Data Protection Laws. The Processor shall ensure that its employees and other designees who may have access to Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality, ensuring in each case that access to Personal Data is limited to those individuals who need to have access to the relevant Personal Data for the purposes of this Agreement or provision of the Services.
7 Inquiries and Erasure
7.1 If the Controller, on the basis of Data Protection Laws, is obliged to answer to inquiries from Data Subjects on the Processing of Personal Data relating to such Data Subject, upon request of the Controller, the Processor shall support the Controller in order to provide such information.
7.2 If the Controller, on the basis of Data Protection Laws, is obliged to erase or rectify Personal Data concerning Data Subjects, the Processor shall erase or rectify that Personal Data also from its data registers, upon the request of the Controller.
8 Control Rights and Certificates
8.1 The Controller may itself – or, if required by the Processor, by a third party being subject to statutory professional confidentiality obligations – carry out an audit at the Processor’s establishment, during the usual business hours and without disturbing the Processor’s business processes, to convince itself of the Processor’s compliance with the technical and organizational measures, this Agreement and Data Protection Laws. Controls and audits shall be announced at least two (2) weeks in advance and shall be coordinated with the Processor. Any costs of such controls and audits, including possible costs of the Processor, shall be borne by the Controller.
8.2 In the event an audit or an information request from a regulatory authority supervising the Controller’s business, the Processor shall assist the Controller in answering the request and organizing the audit. The Processor shall always allow any such regulatory authority to conduct audits of the Processor’s operations. Each party shall bear its own costs in connection with audits initiated by such regulatory authority.
9 Subprocessors
9.1 The Processor shall be entitled to use subcontractors for processing of the Personal Data after notifying the Controller of the use of such subcontractors. The Controller is entitled to prohibit a use of a specific subcontractor for justified reason. To avoid any adverse effects to the provision of the Services, the Controller shall give the Processor a reasonable time to find a replacing subcontractor.
9.2 Before any subcontractor processes Personal Data, the Processor shall inform that the subcontractor is capable of providing the level of protection for Personal Data required by this Agreement.
9.3 The Processor shall be responsible for the subcontractors’ obligations as for its own. The Controller shall have audit rights vis-à-vis the Processor and the subcontractor as agreed in Section 8 of this Agreement.
10 Transfer of data to third countries
10.1 The Controller acknowledges that the Processor is global in nature. With respect to the scope of this Agreement, Personal Data is transferred outside the EEA and in order to adduce adequate safeguards with respect to the protection of privacy of the Data Subjects and to enable safe transfer of the Personal Data, one of the two following must apply to such transfer of Personal Data outside the EEA:
10.1.1 The Personal Data is transferred to a country where there is a European Commission’s decision on the adequate level of protection.
10.1.2 The Processor and relevant sub-processor have entered into separate data transfer agreements executed in the form of European Commission approved and non-modified standard contractual clauses (“SCC Agreement”) for data processors established in third countries as provided in the applicable European Commission Decision and in case the applicable Decision is revoked and replaced by another decision or a legislative act, under such a replacing decision or a legislative act.
11 Liability
11.1 The limitations of liability set out in the Clevenio Terms and conditions shall apply to this Agreement, with the exception that the Processor’s maximum liability under this Agreement for all causes of action and theories of liability shall be limited to 50% of the fees paid to the Processor during twelve (12) months prior the event causing the liability.
12 Termination
12.1 This Agreement shall remain in force as long as the Customer uses the Services and shall automatically terminate upon any termination or expiration of provision of the Services.
