HeadQ Data Processing Terms
Version: April 6, 2022
These terms become applicable between MVP Digital Oy (hereinafter also “HeadQ”) and a customer with whom HeadQ has concluded an agreement if HeadQ is considered a data processor and the customer a data controller within the meaning of the EU General Data Protection Regulation.
The terms used herein shall have the same meaning as given in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”). Such terms include without limitation controller, processor, personal data, data subject, processing and personal data breach.
With these terms, the parties agree that the customer, the controller, appoints HeadQ as its data processor to process customer’s personal data during the term of an agreement under the terms agreed herein.
The processor shall process the personal data only to further its obligations set forth in an agreement and in accordance with the written instructions provided by the controller.
The controller shall be the sole controller for the personal data and shall be responsible for complying with the obligations the Regulation and other applicable laws set for data controllers, such as ensuring that there is a legal basis for processing personal data, informing data subjects about processing activities with privacy policies, complying with the controller’s other documentation obligations and ensuring that the data is kept accurate. If and to the extent the legal basis for processing personal data is an individual’s consent, the controller is liable for obtaining the consent and managing it as provided in the Regulation.
Processor is not entitled to process the personal data for any other purpose or for anyone else. The processor is entitled to transfer personal data outside the EU or EEA, provided that the transfer is made in compliance with the obligations that the Regulation specifies in terms of adequate safeguards in international data transfers. Processor must immediately notify controller if it considers that the written instructions provided by controller for processing personal data are in violation of the Regulation or national data protection laws. In addition to the terms of this annex, the parties agree to comply with the Regulation as applicable to each party.
Additional details regarding processing may be described in the agreement or in a separate document.
Processor is entitled to use sub-processors for processing personal data. A list of and additional information about sub-processors can be provided on request. If the processor plans to make changes to its sub-processors, it will notify the controller by giving at least 5 days’ written notice. Processor’s obligation to notify concerns the intended adding, removal or change of a sub-processor. After receiving notification, the controller has the right to object to the intended change in the use of a sub-processor. If the controller objects to the intended change and the data processor cannot reasonably use another sub-processor or another method in processing the personal data, then the processor is not liable for damages or harm caused by such objection. In this situation the processor is entitled to terminate the agreement by giving at least 1 month’s written notice to the controller.
When using sub-processors for processing personal data, the processor agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Annex. Processor is fully liable that its sub-processors comply with the requirements of this Annex.
All personal data processed by processor on behalf of controller is considered controller’s confidential information and processor shall not disclose the personal data to anyone or use it for any purpose other than the agreed purpose. Processor ensures that only such people shall have access to the personal data as is necessary for furthering processor’s obligations relating to the purpose and that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and shall not permit any person who is not under such a duty of confidentiality to process the personal data. The duties of confidentiality shall survive the termination or expiration of the Agreement.
Processor shall implement appropriate technical and organizational measures to protect the personal data in its possession from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for natural persons’ rights and freedoms. For the avoidance of doubt, this data security obligation does not concern data systems or software that is owned by the controller or whose intellectual property rights belong to the controller or a third party.
Such measures can include, as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Personal data breaches
Processor must notify controller without undue delay about personal data breaches it becomes aware of, so that controller can comply with the provisions of the Regulation regarding personal data breach notifications within the set time limits. When notifying the controller, the processor must include necessary details about the personal data breach and also otherwise provide reasonable assistance for the controller. The processor must also take all such other necessary measures to mitigate or remedy the effects of the personal data breach and to prevent further breaches.
Data protection impact assessment
If the processor becomes aware that the planned processing would cause a high risk for the rights and freedoms of natural persons it must notify the controller about this and assist the controller, if necessary, in conducting a data protection impact assessment.
Data subject’s rights
Taking into consideration the nature of the data processing, the processor must reasonably and without undue delay assist the controller, including by applicable technical and organizational measures, to fulfill any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the Regulation, rights of access, correction, objection, erasure (“right to be forgotten”) and data portability. If such requests are made directly to the processor, it must notify the controller about the request without undue delay.
Processor shall permit controller to audit processor’s compliance with these terms, and shall provide access and make available to controller all systems, premises, resources, information and staff as necessary for controller to conduct such audit. Audits will be performed during normal business hours with the aim of causing as little disruption to processor’s business operation as reasonably possible. Controller must also provide at least 20 days’ advance notification of planned audits. Both parties are responsible for their own costs and expenses relating to an audit.
If the processor must assist the controller in fulfilling the controller’s obligations related to data breaches, data subjects’ rights and data protection impact audits, the processor is entitled to invoice the reasonable actual time used for the assistance tasks in accordance with the hourly rates agreed between the parties. Invoicing the time used for the assistance tasks requires that the controller has accepted that the processor can use time to perform assistance tasks.
HeadQ is not liable to the customer for any indirect, consequential or special damages or for claims made by third parties. The liability of HeadQ to the customer in respect of any claim for loss, damage, cost or expense that is attributable to a specific order, shall in no event exceed in the aggregate a sum equal to 30 % of the amount paid by customer to HeadQ for the service.
Term and effects of termination
These terms come into force on the same date as the agreement between the parties and shall thereafter remain in force until the agreement is terminated or expires under its terms.
Within a reasonable time after the termination or expiration of the agreement, the processor shall delete or return all personal data to the controller and also delete all copies of the personal data, unless national or EU or member state law requires the processor to retain some or all of that data. In such an event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.
If the controller has not notified the processor about deletion or return of data within 12 months from the termination or expiration of the agreement, the processor shall delete all personal data in its possession, including any copies, unless national or EU or member state law requires the processor to retain some or all of that data. In such an event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.
Annex 1: DESCRIPTION OF THE PROCESSING
Nature of processing:
Provision of services and ecommerce platform to HeadQ customers. As a data processor, HeadQ collects, processes and stores personal data in accordance with the agreement, applicable law and these terms.
Categories of data subjects:
Especially contact persons of customers and potential customers of a HeadQ customer.
Categories of personal data:
Especially name, employer’s name, job title, company address, email address, phone number, IP address, billing and payment details, details of transactions, purchase history and other data.
A list of and additional information about subcontractors used by HeadQ can be provided on request.