Data Processing Addendum
This Data Processing Addendum (“Addendum”) has been entered into by and between Flockler Oy, a limited liability company duly incorporated and organized under the laws of Finland, address Rautatienkatu 21 B, 33100 Tampere, Finland (“Flockler”); and Customer”.
Hereinafter Flockler and Customer shall also be individually referred to as “Party” and jointly as “Parties”.
1.1. Flockler is the owner and licensor of certain software products and related services which Flockler has licensed to the Customer.
1.2. Flockler and Customer have entered into a separate agreement for the licensing of Flockler’s software and related service. The Parties have agreed to alter the terms of the Agreement as follows.
1.3. This Addendum sets out the terms and conditions for the processing of personal data by Flockler on behalf of the Customer.
1.4. Flockler acts as a data processor and the Customer acts as a data controller, within the meaning of the applicable data protection legislation.
1.5. For the purposes of this Addendum, the applicable data protection legislation shall mean the applicable laws and regulations in respect of processing personal data, including but not limited to, the Finnish Personal Data Act (523/1999), and from 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”) as well as supplementary Finnish legislation, local adaptions, case-law and guidance from supervisory authorities.
2. Data protection and processing of personal data
2.1. The subject-matter, nature and purpose of the processing, the type of personal data and categories of data subjects are described in Appendix 1.
3. Responsibilities of Customer
3.1. The Customer acts as a data controller under applicable data protection legislation. The Customer commits to ensure compliance with the data controller’s obligations under the applicable data protection legislation.
4. Responsibilities of Flockler
4.1. Flockler acts as a data processor under applicable data protection legislation. Flockler processes personal data the Customer is responsible for on behalf of the Customer according to the Customer’s documented instructions. Flockler shall implement appropriate technical and organizational measures for ensuring the security of the processing and maintain appropriate documentation of these measures and processing activities.
4.2. Flockler commits to ensure that all the persons processing personal data under the authority and supervision of Flockler have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in addition to that such persons shall process personal data only pursuant to this Addendum, the Agreement and the Customer’s instructions.
4.3. Flockler commits to assist the Customer to ensure compliance with the provisions on the data subject's rights by appropriate technical and organizational measures and to inform the Customer about the requests received from the data subjects.
4.4. Flockler shall provide the Customer all information necessary to demonstrate compliance with the obligations concerning the processing of personal data. Flockler shall allow the Customer either on their own or with a third party – which shall not be a competitor to Flockler – to conduct audits in the presence of Flockler. The Customer shall notify Flockler in writing at least 30 days in advance, after which the Parties shall mutually agree on the extent and timing of the audit, always conducted during Flockler’s normal working hours.
4.5. Flockler has an obligation to assist the Customer in completing possible data protection impact assessments, notifications of personal data breaches and prior consultation requests to the extent they relate to the software service provided by Flockler.
4.6. Flockler has the right to charge labor costs incurred by the assistance measures set out in this section 4 in accordance with its then current price list.
5. Flockler's subcontractors
5.1. Possible subcontractors used by Flockler, which take part to processing of personal data, also act as data processors on behalf of the Customer. By accepting this Addendum, the Customer has provided a written authorization for the use of subcontractors. Flockler shall have full responsibility for the actions and omissions of its subcontractors, and shall ensure that the subcontractors comply with the responsibilities of Flockler under this Addendum and the Agreement. Flockler shall inform the Customer in writing of any intended changes concerning the addition or replacement of subcontractors, thereby giving the Customer the opportunity to object to such changes.
6. Transfers of personal data
6.1. Flockler shall not transfer any personal data to any third party other than the subcontractors agreed in writing by the parties. Flockler may transfer personal data outside the borders of the European Union and European Economic Area, provided that Flockler shall ensure that it and its subcontractor(s) transfer the personal data in compliance with the applicable data protection legislation.
7. Personal data breaches
7.1. In the event of a personal data breach, Flockler shall without undue delay after becoming aware of it notify the Customer in writing and additionally in any other reasonable and prompt manner. The personal data breach notification shall contain at least the following:
- A description of the nature of the personal data breach including, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;
- The name and contact details of the person responsible for the data processor’s data protection matters;
- A description of likely consequences and/or realized consequences of the personal data breach; and
- A description of the measures taken to address the personal data breach and to mitigate its possible adverse effects.
8.1. In relation to processing of personal data in connection with this Addendum, both Parties shall be liable towards one another for direct loss and damage caused by their breaches of this Addendum or the applicable data protection legislation to the non-breaching Party (including, but not limited to any administrative sanctions by competent supervisory authorities). Neither Party shall be liable for any indirect or consequential loss or damage, including but not limited to any loss of profits, revenue, reputation or goodwill. The Parties’ liability hereunder shall be subject to the liability cap agreed in the Agreement.
9. Changes and additions
9.1. If provisions of the applicable data protection legislation are changed during the term of this Addendum, or if the data protection supervisory authority issues guidelines, decisions or regulations concerning the application of the data protection legislation in a way that this Addendum would no longer meet the requirements stipulated in Article 28 of the GDPR, the Parties shall make the necessary changes to this Addendum in writing, in order to meet such new or additional requirements.
9.2. All changes and additions to this Addendum shall be made in writing.
10. Term and termination
10.1. This Addendum enters into force on 25 May 2018. By continuing to use Flockler, Customer approves the terms and conditions of this Addendum, and it remains in force as long as Flockler processes personal data as the Customer’s data processor.
10.2. After the end of the provision of services under the Agreement Flockler commits to either delete or return all the personal data under the Customer’s responsibility to the Customer, based on the Customer’s choice. Flockler has the right to charge labor costs incurred by returning the personal data by hour according to the price list. Flockler deletes existing copies of the personal data unless legislation requires storage of the personal data.
11. Other terms
11.1. This Addendum supersedes and replaces all prior data processing agreements between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this Addendum, notwithstanding anything to the contrary in the Agreement.
11.2. This Addendum shall be governed and construed in accordance with the laws of Finland. Any dispute arising out of or in connection with this Addendum shall be settled in accordance with the dispute resolution provision in the Agreement.
Appendix 1: Description of data processing
Nature and purpose of the processing: Providing a platform to store, organize and analyse user-generated content
Subject-matter and duration of the processing: Customer data for the duration of the Agreement.
Types of data stored on Flockler:
- financial information (payment information)
2. Content managers (Flockler users)
- name, email, social media profiles (name, username, profile image)
3. Social media users and content (nicknames, public content available on the web):
- social media post (name, username, profile image, content, location)
- social media profile (name, username, profile image, follower count)
See the updated list of subcontractors