1. PARTIES
1.1 ZenTreasury Oy (hereinafter "Processor")
Business ID: 2762104-2
Otakaari 5, 02150 Espoo, Finland
1.2 The party who has concluded the Agreement with the Processor on the use of the Processor's Service (hereinafter "Controller" or "Customer")
2. DEFINITIONS
2.1 "Agreement" means the main agreement between the Parties that includes this Data Processing Agreement.
2.2 "Data Processing Agreement" means this agreement.
2.3 "Data Protection Laws" means the Data Protection Act of Finland (1050/2018), the General Data Protection Regulation of the European Parliament and of the Council (679/2016) and any other data protection legislation in force and any legally valid instructions or orders given by the data protection authorities.
2.4 "Party" or "Parties" mean the Controller or/and the Processor.
2.5 "Personal Data" means any information relating to an identified or identifiable natural person for which the Controller or the Controller’s customer or another affiliate acts as the controller. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.6 "Service" means the SaaS service offered by the Processor and used by the Controller.
3. SUBJECT-MATTER AND DURATION OF THE PROCESSING
3.1 The Parties agree in this Data Processing Agreement on the terms and conditions of the processing of Personal Data that stem from the Agreement.
3.2 The Agreement includes the processing of Personal Data the Controller is in charge of.
3.3 The Processor has the right to process the Personal Data for as long as the Agreement is in force, unless the Controller decides otherwise.
4. NATURE AND PURPOSE OF THE PROCESSING
4.1 The purpose of the Service is to provide the Customer with a SaaS service related to treasury management. The Processor processes Personal Data only when and if the Controller discloses such data to the Service.
5. TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
5.1 The categories of data subjects consist of the data subjects whose Personal Data the Controller discloses to the Service.
5.2 The register, that consists of the Personal Data, may include: (i) contact information, such as full name, address, phone numbers and e-mail addresses; (ii) nationality, age, gender, title or profession and language skills; (iii) possible registration information, such as username, pseudonym, password and other unique identification; (iv) information regarding the customer relationship, such as billing and payment information, product-, service- and ordering information, information regarding customer feedback and contacts and cancellation information; (v) information relating to the implementation of communications and information relating to use of services, such as browsing and search information; and (vi) possible other data the Controller discloses to the Service.
6. OBLIGATIONS AND RIGHTS OF THE CONTROLLER
6.1 The Processor shall process the Personal Data according to the Data Protection Laws and by following good data processing practices, other relevant legislation and compulsory guidance of the authorities.
6.2 The Controller reserves the right to monitor the Personal Data.
6.3 The Controller reserves the ownership of the Personal Data and any immaterial rights and other rights relating to the Personal Data, unless the Controller notifies the Processor that such ownerships belong to the Controller’s customer or another affiliate company.
7. INSTRUCTIONS FROM THE CONTROLLER IN REGARD TO THE PROCESSING OF PERSONAL DATA
7.1 The Processor is not allowed to process the Personal Data for any other purposes than what the Parties have specifically agreed on in the Agreement.
7.2 When processing the Personal Data, the Processor has an obligation to follow the Data Protection Laws.
7.3 The Controller gives the Processor a general permission to hand over, transfer or in any similar way process Personal Data outside the EU/EEA. Upon such processing, the Processor has an obligation to follow the Data Protection Laws, the instructions of the Controller and the Agreement (including this Data Processing Agreement). If any of the prerequisites of the approval cease to exist, the Processor has an obligation to immediately: (i) perform an action that ensures the lawful processing of the Personal Data and that the processing is conducted according to the instructions given by the Controller and the Agreement; or (ii) cease the transfer of Personal Data outside the EU/EEA and return the Personal Data transferred outside the EU/EEA to the Controller.
8. CONFIDENTIALITY
8.1 The Processor is under an appropriate statutory obligation of confidentiality when it processes Personal Data.
9. SECURITY OF PROCESSING
9.1 Taking into account the risks related to the nature of the Agreement, the Processor ensures appropriate technical and organizational measures when it processes Personal Data. Those measures shall especially aim to prevent the accidental, unauthorized or unlawful processing of Personal Data, monitor the processing, disappearance, destruction, alteration or impairment of Personal Data and prevent unauthorized access to the Personal Data.
9.2 The Processor shall ensure that its employees do not process the Personal Data against the instructions given by the Controller.
9.3 In the case of a personal data breach, the Processor shall immediately notify the Controller of the personal data breach. In addition, the Processor shall, not later than 24 hours after having become aware of the data breach, provide the Controller with all relevant information relating to the data breach (for example descriptions of the security breach, the consequences of the breach and the actions that have been taken by the Processor as a result of a security breach). The Controller needs such information to meet its statutory obligations, investigate the matter, prevent similar violations and make legal notifications. The Processor has the obligation to present the Controller with any relevant information the Controller requires from the Processor in the case of the data breach.
10. SUBPROCESSORS
10.1 The Processor has a right to use other processors (e.g. cloud services providers) (hereinafter "Subprocessor") to process Personal Data.
11. OBLIGATION OF THE PROCESSOR TO ASSIST THE CONTROLLER
11.1 The Processor shall without delay assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the rights of its customers. Upon written request from the Processor, the Controller shall without undue delay reimburse the Processor for any costs arising from this Section 11.1.
11.2 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the nature of the processing and the information available to the Processor.
12. DELETION OR RETURN OF THE PERSONAL DATA
12.1 After the Agreement is no longer in force, the Processor and its subcontractor shall return, at their own expense and without delay, the Personal Data to the Controller or the Controller’s customer if it acts as the controller, by following the instructions given by the Controller. If the return of Personal Data is not possible, then the Parties must agree on the destruction of the material in a separate agreement.
13. RECORDS OF PROCESSING ACTIVITIES
13.1 The Processor shall keep records (hereinafter "Records") of its processing activities that relate to this Agreement and the processing of Personal Data. The Records must have at least the following information:
(a) the name and contact details of the Processor and, if possible, the name and contact details of the Processor’s data protection officer;
(b) the description of the processing activities of the Personal Data conducted on behalf of the Controller and the categories of data subjects and personal data;
(c) if the Personal Data is transferred outside the EU/EEA, the information of the transfer and a demonstration that the transfer was conducted according to the Data Protection Laws; and
(d) a description of the technical and organizational measures taken.
14. INDEMNITY AND LIABILITY
14.1 Each party hereby indemnifies the other party against any and all losses, damages, liabilities, claims, penalties, fines, awards, costs and expenses (including reasonable legal fees) caused by any breach of the warranties contained in this Agreement.
14.2 The Controller has an obligation to defend the Processor where a claim is filed against the Processor on the basis of the Processor’s processing activities relating to the Personal Data. The Processor has the aforementioned obligation if the Controller informs the Processor of the matter in a written form and without undue delay.
14.3 The Parties’ liability for damages shall be determined on the basis of the General Data Protection Regulation (679/2016).
15. MISCELLANEOUS
15.1 If there is a conflict between the Data Processing Agreement and the Agreement, the terms of the Data Processing Agreement shall prevail.
15.2 The Processor has a right to transfer the Data Processing Agreement and a part of its rights and obligations derived from the Data Processing Agreement to third parties without a prior written approval of the Controller.
15.3 The Controller has a right to transfer the Data Processing Agreement and a part of its rights and obligations derived from the Data Processing Agreement to third parties without a prior written approval of the Processor.
15.4 If any court of law, having the jurisdiction to decide on this matter, rules any provision of the Data Processing Agreement invalid, then that provision will be removed from the Data Processing Agreement without affecting the rest of the Data Processing Agreement. The remaining provisions will continue to be valid and enforceable.
15.5 The Data Processing Agreement is governed by the laws of Finland without regard to its rules and principles on conflict of laws.
15.6 Any dispute arising between the Parties out of, or in connection with, the Data Processing Agreement, its validity, interpretation or performance shall be finally settled in accordance with the Arbitration Rules of the Finland Chamber of Commerce in Helsinki, Finland. The arbitration tribunal shall consist of one (1) arbitrator. The language of the arbitration shall be English or Finnish.