Data Processing Addendum - Vainu Similar Companies

 

Vainu Connector is a CRM integration processing customer data. This Data Processing Agreement (“DPA”) and its Annex A: Processing Description and list of sub-processors, which forms an integral part of this DPA, govern the delivery of Service/s using Vainu Connector and are made pursuant to and form an integral part of the Terms of Service (“Agreement”), meaning that applicable parts of the Agreement shall also apply to this DPA. In the event of a conflict between this DPA and the Agreement, this DPA will take precedence.

Terms used in this DPA shall have the same meaning as set forth in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).

1. Description of data processing at Vainu Connector

This DPA shall apply when Vainu Finland Oy (hereinafter “Vainu”) processes personal data on behalf of your company (hereinafter “the Customer”) under the Agreement to the extent that customer data processed in connection with Vainu Connector contains personal data (“Customer’s Personal Data”) as specified in Annex A and/or Customer CRM. In this case, the Customer is the controller, and Vainu is the data processor for the personal data. This DPA shall not apply to data processing activities undertaken by Vainu as controller.

The categories of Customer’s Personal Data and the categories of data subjects processed at Vainu Connector are defined in Annex A and/or Customer’s CRM. 

2. General responsibilities of the Parties 

Parties agree to comply with applicable data protection legislation within the European Union (“Data Protection Legislation”), including the GDPR.

As the controller, Customer determines the purposes and means of processing Customer’s Personal Data and provides written instructions to Vainu on the processing of Customer’s Personal Data. The Agreement, this DPA, including its annexes, and any applicable service documentation are the Customer’s complete and final documented instructions. Any addition or change in the Customer’s documented instructions must be agreed upon separately and in writing. If a change in the documented instructions requires a modification of the Vainu Connector, the effect and costs of such a change shall be determined in accordance with the Agreement.

Customer ensures that Customer’s Personal Data transferred to Vainu under the Agreement has been collected in compliance with Data Protection Laws and thus lawfully transferred to Vainu.

3. Vainu’s responsibilities

Where Vainu processes Customer’s Personal Data, Vainu agrees to 

  1. process Customer’s Personal Data only in accordance with the documented instructions given by the Customer, unless required by EU law to which Vainu is subject. Vainu informs the Customer of the said legal requirement before processing unless the law prohibits this on important grounds of public interest;
  2. inform the Customer if Vainu considers the Customer’s instructions to be incompatible with applicable Data Protection Legislation. Vainu shall not be responsible for processing the Customer’s Personal Data in accordance with the Customer’s instructions if the Customer’s instructions infringe the applicable Data Protection Legislation;
  3. ensure that persons authorised to process Customer’s Personal Data are under obligations of confidentiality; 
  4. assist the Customer in fulfilling data subjects’ rights by appropriate technical and organisational measures in so far as this is reasonably possible. Vainu shall inform the Customer of any data subject’s request it might receive without undue delay. Vainu is not obliged to respond to such data subject request unless explicitly instructed otherwise by the Customer; 
  5. assist the Controller in ensuring its compliance with its legal obligations pursuant to Articles 35-36 of the GDPR, taking into account the nature of the processing and the information available to Vainu. These obligations include assisting the Customer in its obligations to conduct data protection impact assessments and, where necessary, any prior consultations with supervisory authorities; 
  6. maintain documentation as required by the Data Protection Legislation; and 
  7. at the Customer’s request, make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA.

Unless otherwise agreed, Vainu shall have the right to charge the Customer for any reasonable costs incurred from assisting the Customer under paragraphs IV-V of this Section 3 in accordance with the Agreement.

4. Data security 

Vainu shall implement technical and organisational measures appropriate to the risk of processing Customer’s Personal Data. This includes protecting the Customer’s Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the data (personal data breach). In assessing the appropriate level of security, Vainu shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risks involved for the data subjects.

5. Subprocessors

By entering into this DPA, the Customer grants Vainu general authority to use and engage subprocessors for processing the Customer’s Personal Data in connection with Vainu Connector for the purposes set out in this DPA. Appendix A contains the list of subprocessors that are used at the time of entering into this DPA. Vainu is responsible for ensuring that the subprocessors and any possible new subprocessors are bound by written agreements requiring them to comply with data processing obligations materially similar to those contained in this DPA. Vainu remains responsible for its subprocessors’ compliance with the obligations of this DPA.

6. Transfers outside the EU/EEA 

Vainu shall not transfer Customer’s Personal Data outside the EU/EEA unless instructed to do so by the Customer. All transfers of Customer’s Personal Data must be executed in accordance with Data Protection Legislation and this DPA.

The Customer authorises Vainu to transfer Customer’s Personal Data outside EU/EEA if the provisioning of services under the Agreement would exceptionally require Vainu to transfer Customer’s Personal Data outside the EU/EEA. Vainu is responsible for ensuring that such a transfer is made under a data transfer mechanism that complies with the Data Protection Legislation. Where relevant, Vainu further commits to adopting supplementary technical, contractual and organisational measures. 

7. Personal Data Breaches 

In case of a personal data breach relating to the Customer’s Personal Data, Vainu agrees to notify the Customer in writing without undue delay after becoming aware of the breach. Vainu will take appropriate steps to prevent and/or minimise the potential negative consequences of such a breach. The notification will include all available and relevant details concerning the breach, including at least:

  1. a description of the nature of the personal data breach, including the categories and an approximate number of data subjects concerned and the categories and an approximate number of personal data records concerned; 
  2. the contact details of the data protection officer of Vainu;
  3. a description of the likely consequences of the personal data breach;
  4. where available, recommended appropriate steps to prevent and/or minimise the potential negative consequences of a data breach. 

If it is not possible to provide the information listed above at the time Vainu becomes aware of the personal data breach, Vainu may provide such information in phases at the earliest availability of such information to avoid undue further delay.

Vainu shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each such personal data breach. In addition, Vainu shall assist the Customer with reasonable effort in reporting the data breach to the competent supervisory authority and to the data subjects in accordance with the Customer’s instructions.

8. Audits

The Customer has a right to audit Vainu's performance of its data processing obligations under this DPA, provided that the Customer provides at least sixty (60) business days' prior written notice to Vainu before such audit and that the audit is subject to a mutually agreed audit plan and reasonable and appropriate confidentiality undertakings. The Customer shall cover costs relating to the audit.

 

9. Term and termination 

This DPA shall become effective on the same Effective Date as stated in the Agreement and shall remain in force until Vainu no longer processes Customer’s Personal Data for the provision of Vainu Connector.

After the end of the provision of Vainu Connector, Vainu will no longer have access to the Customer’s CRM and will delete all existing copies of the Customer’s Personal Data without undue delay after the expiration of the Agreement, unless otherwise required by applicable law. 

 

10. Limitations of liability

The limitations of liability set out under the Agreement will also apply to this DPA. However, if one Party has paid compensation to a data subject according to Article 82 of the GDPR based on damage partly or fully attributable to the other Party, the former is entitled to claim back the relevant part of the compensation from the latter.

Each Party shall be liable towards the other Party for the part of any administrative fines imposed by a supervisory authority or damages ordered by a court of competent jurisdiction, which corresponds to and is caused by an attributable failure in the performance of the Party’s obligations pursuant to Data Protection Legislation and this DPA, as finally decided by the competent supervisory authority or court authorised to impose such sanctions.

 

Annex A 

Processing Description and list of sub-processors



1. Background and purpose 

 

This Annex A (Processing Description) is an annex to and forms an inseparable part of the DPA entered into by and between Customer and Vainu. The purpose of this Annex A is to supplement the DPA, where necessary and only to the extent explicitly set forth below. 

Unless expressly otherwise stated, the applicable definitions provided in the DPA and the Agreement shall be applied to this Annex A.

2. Processing Description 

Purpose(s) and the nature of the Processing(s): 

Customer’s Personal Data will be processed for the following purposes:  

  • Provision of the service and performance of the agreement between Vainu and the Customer

Categories of Data Subjects: 

Vainu Connector will process Customer’s Personal Data about the following categories of Data Subjects:  

  • Customer’s CRM user data
  • CRM authentication data

Types of Personal Data: 

Vainu Connector will process the following types of Customer’s Personal Data:  

  • Customer employee’s name
  • Customer employee’s email

Duration of the personal data processing:

Vainu Connector will process Customer’s Personal Data:  

  • as long as necessary for the provision of Vainu Connector under the Agreement.

3. List of Sub-processors 

Vainu uses the following subprocessors under the DPA to process the Customer’s Personal Data stated in the previous section:

| Subprocessor (name and address) | Service Provided | Categories of Personal Data | Service Location: a country where processing is performed |
|---|---|---|---|
| MongoDB, Inc. | Database as service | Customer’s CRM users/account owner (name and email) | Ireland |
| Amazon Web Services EMEA SARL | Cloud service provider | Customer’s CRM authentication data and CRM users (name, email) | Ireland |