This agreement on the processing of personal data (\u201cAnnex\u201d) constitutes a part of the
\nGeneral contractual terms (\u201cAgreement\u201d) between Maximum Effort Ay (\u201cService
\nprovider\u201d)and the customer (\u201cCustomer\u201d).<\/p>\n
1. Initial information<\/strong> <\/p>\n 2. Definition<\/strong> \u201cModel contractual clauses\u201d refers to the standard contractual terms approved by the \u201cPersonal data\u201d refers to any information relating to an identified or identifiable natural person; \u201cProcessor\u201d refers to the Service provider that processes personal data on behalf of the Customer. \u201cSubcontractor\u201d refers to a processor that performs Processing in accordance with this Annex on <\/p>\n 3. Responsibilities of the Service provider<\/strong> The Service provider does not specify the type of personal data stored by the Customer on the If the Service provider has reasonable grounds to suspect that the guidelines provided by the <\/p>\n 3.1 Requests from Data subjects or authorities<\/strong> Taking the nature of the Processing of the Personal data and the data being accessible into The Service provider shall forward all inquiries from data protection authorities directly to the <\/p>\n 3.2 Service provider and Regulatory compliance<\/strong> The information regarding the data protection officer shall be provided to the Customer upon <\/p>\n 4. Responsibilities of the Customer<\/strong> <\/p>\n 5. Technical and organisational measures<\/strong> The Customer shall be obliged to ensure that the Service provider is informed of all aspects The implemented data security measures are defined in the minimum data security The Customer shall be responsible for the implementation and maintenance of security <\/p>\n 6. Reporting a security breach<\/strong> At the Customer\u2019s request, the Service provider shall, without undue delay, provide the <\/p>\n 7. Audit<\/strong> The Customer shall be responsible for all costs of auditing. The Service provider shall have the 7. Subcontractors<\/strong> <\/p>\n 8. Server centre location and data transfer<\/strong> <\/p>\n 9. Other terms and conditions<\/strong> The Service provider shall inform the Customer in writing of any changes that may affect its The Annex shall be valid (i) for as long as the Agreement is in force or (ii) the parties have Obligations which, by their nature, are intended to remain in force irrespective of the <\/p>\n
\nThe purpose of this Annex is to agree on the obligations under the relevant personal data
\nregulations between the Service provider and the Customer. This Annex constitutes a written
\nagreement between the parties on the processing of personal data in accordance with the EU
\nGeneral Data Protection Regulation (679\/2016). The obligations and rights related to the EU
\nData Protection Regulation will not enter into force until the application of the EU General Data
\nProtection Regulation starts on May 25, 2018.
\nAccording to the Agreement, the Service provider provides the services (\u201cService\u201d), including, but
\nnot limited to, hosting services and\/or support services to the Customer. The service can be used
\nfor storing and\/or processing Personal data. This also applies to the Personal data of the
\nCustomer. The Customer acts as the Data controller with regards to the Personal data processed
\nin these Services. The Service provider acts as the processor for such Personal data.<\/p>\n
\nThe terms used within this Annex shall be applied according to the definitions specified in
\nthe Agreement. In addition, the following terms have a specific meaning in this Annex:
\n\u201cData controller\u201d refers to the Customer who determines the purpose and means of processing
\npersonal data.
\n\u201cRegulation\u201d refers to any national data protection law, the General Data Protection Regulation
\nof the EU (2016\/679, \u201cGDPR\u201d) from its date of application (May 25, 2018), and any future
\napplicable data protection legislation.<\/p>\n
\nEuropean Commission for the disclosure of personal data from EU Data controllers to
\nthird country processors (decision 2002\/16 EC).<\/p>\n
\nan identifiable natural person is a person who can be identified, directly or indirectly, in
\nparticular by means of identification data such as name, personal identification number,
\nlocation data, online identification or one or more characteristic physical, physiological, genetic,
\npsychological, economic, cultural or social factor.<\/p>\n
\n\u201cProcessing\u201d refers to any activities in which Personal data is processed.<\/p>\n
\nbehalf of the Service provider or Customer.<\/p>\n
\nThe Service provider Processes the Personal data of the Customer on behalf of the Customer
\non the basis of the Agreement. The Service provider shall undertake to comply with the
\napplicable legislation, regulations and authorities\u2019 provisions and guidelines for the Processing of
\nPersonal data valid in Finland and the European Union and, if necessary, amend the provisions
\nof this Annex to comply with them.<\/p>\n
\nService. The Service provider shall not be responsible for how such information is classified,
\nhow they are available or exchanged with other parties or otherwise Processed. The Service
\nprovider Processes the Personal data solely on behalf of the Customer, and only to the extent
\nand manner specified in the Agreement and Annex or as separately instructed by the Customer.
\nThe separate guidelines of the Customer shall be documented in connection with the order,
\nService description, support request or other written communication.<\/p>\n
\nCustomer conflict (i) with the applicable laws or regulations, and\/or (ii) with the provisions of the
\nAgreement or this Annex, the Service provider shall inform the Customer of this without undue
\ndelay. The Service provider shall be entitled to postpone the implementation of the guidelines
\nuntil the Customer amends its guidelines or a separate agreement has been reached regarding
\nthe implementation between the Service provider and the Customer.<\/p>\n
\nThe Service provider shall immediately inform the Customer about all requests from Data
\nsubjects or authorities regarding the revision, correction, deletion or Processing prohibition of the
\nPersonal data, or about other requests from Data subjects related to exercising the rights of the
\nData subject stipulated in current legislation and the EU General Data Protection regulation. The
\nCustomer shall be obliged to respond to these requests. Taking the nature of the Processing
\nactivity into account, the Service provider shall help the Customer with appropriate technical and
\norganisational measures, where possible, for fulfilling the Customer\u2019s obligation to respond to
\nthe requests of Data subjects.<\/p>\n
\naccount, the Service provider shall be obliged to assist the Customer in ensuring compliance
\nwith its statutory obligations. These obligations may include obligations relating to data security,
\nnotification of data security breaches, data security impact assessments and prior consultation.
\nThe Service provider shall be obliged to assist the Customer to the extent stipulated by the
\napplicable data protection law. Unless otherwise agreed, the Service provider shall be entitled to
\ninvoice the costs arising from the activities related to this section of the Annex in accordance
\nwith its current price list. In addition, the Service provider shall be given a reasonable time to
\nassist the Customer.<\/p>\n
\nCustomer, and the Service provider shall not have authority to represent the Customer or act
\non behalf of the Customer with the supervisory data protection authorities.<\/p>\n
\nThe Service provider shall comply with the provisions applicable to its own activities and the
\nprovision of Services, privacy and security laws, as well as the obligations under this Annex.
\nHowever, the Service provider shall not be responsible for complying with the laws applicable
\nto the Customer or the industry of the Customer if that legislation is not generally applicable to
\ninformation technology providers. If required by law, the Service provider shall appoint a data
\nprotection officer who shall fulfil his or her duties in accordance with the applicable law.<\/p>\n
\nrequest. The Service provider shall maintain all necessary reports and, at the request of the
\nCustomer, make available all information necessary to demonstrate compliance with this
\nAnnex and the Legislation.<\/p>\n
\nThe Customer shall undertake to comply with the applicable legislation, regulations and
\nauthorities\u2019 provisions and guidelines for the Processing of Personal data valid in Finland and the
\nEuropean Union and, if necessary, amend the provisions of this Annex to comply with them.
\nThe Customer shall be responsible for ensuring the necessary rights and consents to the
\nProcessing of Personal data under the Agreement. The Customer shall be responsible for the
\npreparation and availability of a privacy policy, and for informing the Data subjects and notifying
\ndata protection authorities.
\nThe Customer shall define the type of Personal data stored on the Services. The Customer
\nshall also determine how the Personal data is used, exchanged or otherwise Processed. The
\nCustomer shall be responsible for the integrity, security, maintenance and proper protection of
\nthe Personal data, as well as for ensuring that the Customer follows all applicable data
\nprotection, data security and security laws and provisions.<\/p>\n
\nThe Service provider shall take appropriate technical and organisational measures to protect the
\nPersonal data of the Customer, taking into account the risks of the Processing, in particular
\nregarding the accidental or unlawful deletion, loss, modification, disclosure or access to
\ntransferred, stored or otherwise Processed Personal data. The implementation of security
\nmeasures shall take into account the available technical options and their costs in relation to the
\nspecific risks associated with the Processing, as well as the sensitivity of the Processed
\nPersonal data.<\/p>\n
\nrelated to the Personal data provided by the Data controller, such as risk assessments and the
\nprocessing of special categories of persons who affect the technical and organisational
\nmeasures under this Annex. The Service provider shall ensure that the personnel of the Service
\nprovider or the subcontractor of the Service provider are bound by an appropriate confidentiality
\nobligation.<\/p>\n
\nrequirements of the Service provider described in more detail on the website of the Service
\nprovider (www.domainhotelli.fi). The Customer shall be obliged to inform the Service provider of
\nany matters (including specific risks or categories of personal data) that require the definition
\nand agreement of additional technical or organisational security measures in the Agreement.<\/p>\n
\nmeasures and other technical and organisational safeguards. The measures shall be
\nproportionate to the nature and quantity of Personal data stored and\/or otherwise Processed by
\nthe Customer. The Customer shall also be responsible for the personnel for whom the Customer
\nhas provided access to or usage rights to the Services. The Customer shall also be responsible
\nfor third parties having access to the Personal data or the Service, even if the Customer has not
\ntaken the necessary security measures, and they have not given permission to process the data.<\/p>\n
\nThe Service provider shall inform the Customer of any breach of the Personal data without
\nundue delay after obtaining such information, or when the subcontractor of the Service provider
\nhas been informed of the breach. The Customer shall be responsible for the necessary
\nnotifications to the data protection authorities. The Customer shall also be responsible for
\nnotifying the Service provider accordingly of encountered security breaches.<\/p>\n
\nCustomer with all relevant information related to the breach. In so far as that information is
\navailable to the Service provider, the Service provider shall provide at least:
\n\u25cf a description of the security breach,
\n\u25cf a description of the likely consequences of the breach, and
\n\u25cf a description of the corrective measures that the Service provider has performed or will
\nperform to prevent such breaches in the future if the security breach has been caused
\nby the Service provider and, where appropriate, the measures for minimising the
\nadverse effects of a potential security breach.
\nThe Service provider shall document and forward the results of the report, as well as
\nthe measures taken, to the Customer.<\/p>\n
\nThe Customer or an appointed auditor (not a competitor of the Service provider) shall be
\nentitled to audit the activities under this Annex. The parties agree on the time and other details
\nof the audit well in advance and no later than 14 working days before the audit. The audit shall
\nbe carried out in a manner that does not adversely affect the commitments of the Service
\nprovider and its subcontractors to third parties. The usual confidentiality agreements shall be
\nsigned by the representatives of the Customer and the auditor.<\/p>\n
\nright to invoice the cost of the work performed in the audit to the Customer.<\/p>\n
\nThe Service provider shall have the right to use subcontractors for Processing the Personal
\ndata of the Customer. The Service provider shall be responsible for the activities of the
\nsubcontractors, and prepare corresponding written agreements with the subcontractors on the
\nProcessing of Personal data. Upon request, the Service provider shall notify the Customer in
\nadvance of the subcontractors it intends to use for the Processing of Personal data under the
\nAgreement. The Customer shall have the right to object to the use of the new subcontractor for
\nlegitimate reasons. If the Customer does not oppose the addition or replacement of the
\nsubcontractor in writing, it shall be interpreted as accepting the replacement of that
\nsubcontractor. If the parties do not reach an agreement on the use of a new subcontractor, the
\nCustomer shall have the right to terminate the Agreement with a thirty (30) days\u2019 notice to the
\nextent that the subcontractor replacement affects the Processing of the Personal data.<\/p>\n
\nThe server centres of the Service provider, where all personal data are stored and Processed,
\nare mainly located in Finland. However, the Service provider may transfer the Personal data to
\nany data centre located in the EU\/EEA, as well as data centres located outside the EU\/EEA, as
\ndescribed in the Service description or agreed in connection with the Agreement. The transfer of
\nPersonal data outside the EU\/EEA shall be governed by the Standard contractual clauses
\nattached to this Annex, or any other transfer mechanism permitted by the Legislation. The
\nStandard contractual clauses shall constitute a part of this Annex and supersede all the
\nprovisions of the Agreement or this Annex that are in contradiction.<\/p>\n
\nIf material or non-material damage is caused to a person due to an infringement of the EU data
\nprotection regulation, the Service provider shall be liable for the damage only to the extent that it
\nhas not expressly complied with the EU data protection regulation or the obligations of this Annex.
\nEither party shall be liable to pay the damages and administrative fines imposed only for the part
\ncorresponding to the liability for the damage established in the final decision of the data protection
\nsupervisory authority or the Court of Justice. In other respects, the parties\u2019 liability shall be defined
\nunder the Agreement.<\/p>\n
\nability or potential to comply with this Annex and the written instructions provided by the
\nCustomer. The parties shall agree on all additions and amendments to this Annex in writing.<\/p>\n
\nobligations to each other under the Personal data Processing activities.<\/p>\n
\nexpiry of this Annex shall remain in force after the expiry of the Annex.<\/p>\n