1 DEFINITIONS

The following terms have the meanings assigned to them herein:

“Agreement” means an agreement in which the Parties agree on the provision of the Software Service and/or the Professional Services to the Customer, such as (i) a written agreement signed by the Parties, (ii) the Supplier’s binding email or other electronic written offer accepted by the Customer or (iii) the Customer’s email or other electronic or written order accepted by the Supplier e.g. by commencing the deliveries under these Terms.

“Application Software” means the application software licensed by the Supplier to the Customer based on the Agreement, which is accessible to Users in application store(s) (App Store or Google Play) and that is to be installed in each User’s device. The definition of the Application Software includes any of its modifications, enhancements, fixes, new versions and releases that the Supplier may publish at any time in application store(s) or supplies to the Customer.

“Controller” means the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer Data” means the content, photos, videos, text, data and/or any other data submitted by the Customer or any User to the Software Service, including but not limited to any Personal Data included in such content, photos, videos, data and/or data.

“Confidential Information” means information of the other Party that is marked as confidential or that should be reasonably understood to be confidential.

“Documentation” means usage instructions, user manuals and other written or electronic documentation delivered by the Supplier to the Customer or that is accessible through the Software Service, but excluding any and all marketing materials.

“Error” means an error in the Software Service which causes the Software Service not to be available for the Customer at the Supplier’s data center’s outer perimeter by not functioning at all or by not functioning materially as set out in the Software Service description Documentation, excluding the service breaks set out in Section 6 of the Terms.

“Initial Term” is defined in Section 13 of the Terms.

“Intellectual Property Rights” means patents, inventions, trademarks, domain names, rights in know-how, trade secrets, copyrights, database rights, rights related to copyrights and any other intellectual and industrial property rights, whether registered or not, and including without limitation the right to amend and further develop the objects of those rights and the right to assign the rights to third parties.

“Laws” means mandatory laws in force from time to time in Finland relating to the protection of Personal Data and the Processing, including but not limited to the EU General Data Protection Regulation 2016/679 (“GDPR”).

“Maximum Support Hours” is defined in Section 7 of the Terms.

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) which information is Processed under the Agreement on behalf of the Customer. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Process” or “Processing” means any operation or set of operations which is performed on the Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a legal person, public authority, agency or other body, which Processes the Personal Data on behalf of the Controller.

“Professional Service(s)” means the professional services agreed to be performed by the Supplier to the Customer, such as deployment, integration, configuration, customization, consultation, additional support service and/or training service.

“Service(s)” means the Professional Services and/or the Support Service.

“Service Hours” means Finnish business hours Monday to Friday 09 a.m.-5 p.m., excluding national holidays in Finland.

“Software Service” means the Viesti software as a service delivered via data networks. The definition of the Software Service includes any of its modifications, enhancements, fixes, new versions and releases that are taken into production use by the Supplier from time to time.

“Support Service” means the Supplier’s Help Desk services, as defined in Section 7 of the Terms.

“Ticketing System” is part of the Software Service and it means access by Users to a Customer-specific database that includes Customer Data and some guidance for use of the Software Service. The Users may e.g. search photos or videos [or any other content] submitted by Users regarding certain User related use cases or locations.

“User” means the Customer’s (i) employees and other representatives such as directors and (ii) service providers’ and other cooperating partners’ employees and representatives who use the Software Service and the Application Software only on behalf of and for the benefit of the Customer.

2 CUSTOMER DATA

2.1 The Customer warrants that:

(a) the Customer retains control over what types of Customer Data are submitted to the Software Service;

(b) the Supplier and its subcontractors are entitled to store and otherwise process the Customer Data lawfully for the purposes of the Agreement;

(c) the Customer makes sure that no patient data, data related to social security clients or military data is ever submitted to or processed with the Software Service; and

(d) the Customer trains the Users in the collection and submission of the Customer Data to the Software Service so that it is ensured that only lawful data is submitted and that for example third parties’ trade secrets or data violating third parties’ privacy are not submitted.

2.2 The Customer understands and agrees that the Application Software has access to and uses photo galleries of the Users’ mobile devices.

2.3 During the term of the Agreement, the Supplier has a free of charge right to store and use the Customer Data for the purpose of the development of the Software Service, the Application Software, the Services and the Documentation.

2.4 During and after the term of the Agreement, the Supplier has a permanent, non-revocable, transferable, sublicensable and free of charge right to store and use the Customer Data for the purpose of the development of the Software Service, the Application Software, the Services and the Documentation, only in a form that no individual person’s or Customer’s identity can be identified from such statistical form of Customer Data. Therefore, for example, no Personal Data can be processed.

3 PERSONAL DATA

3.1 The Customer warrants that the Supplier and its subcontractors are entitled to store and otherwise process the Customer Data lawfully for the purposes of the Agreement.

3.2 The types of Personal Data and categories of the Data Subjects of the Personal Data that can be Processed by the Supplier on behalf of the Customer based on the Agreement are specified in the Agreement.

3.3 The Supplier and any person acting under the authority of the Supplier, who has access to the Personal Data, may Process the Personal Data only on documented instructions from the Customer, unless required to do so by EU or EU member state law to which the Supplier is subject. In such a case, the Supplier shall inform the Customer of that legal requirement before the Processing, unless that law prohibits such information on important grounds of public interest. Such documented instructions are hereby given by the Customer to the Supplier and include and are limited to: the Customer gives the Supplier instructions to Process the Personal Data in order for the Supplier and its subcontractors to provide the Software Service to the Customer in accordance with the Software Service description of the Supplier as amended by the Supplier from time to time and to provide the Services. If the Customer desires to amend the documented instructions or give new documented instructions to the Supplier, the amended and new instructions are subject to the Supplier’s written consent (not withheld unreasonably) and may be priced in accordance with the Supplier’s price list.

 

3.4 The Supplier shall:

(a) ensure that persons authorised to Process the Personal Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(b) in accordance with the Supplier’s price list, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Laws;

(c) in accordance with the Supplier’s price list, assist the Customer in ensuring compliance with the obligations pursuant to the Laws, in the performance of data protection impact assessments and consultations with the supervisory authorities as required pursuant to the Laws;

(d) in accordance with the Supplier’s price list, as requested by the Customer in writing, delete or return all Personal Data to the Customer after the end of the provision of the Software Service relating to the Processing, and delete existing copies unless EU or EU member state law requires storage of the Personal Data; and

(e) in accordance with the Supplier’s price list, make available to the Customer information necessary to demonstrate compliance with the obligations laid down in the Laws and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. The Supplier shall inform the Customer if, in its opinion, the Customer’s instruction infringes the Laws. The auditor may not be the Supplier’s competitor and the Parties shall agree on the timing of the audit in good time in advance. The information regarding the Supplier’s operations learnt during the audits is the Supplier’s trade secrets, and the audit may not reveal the Supplier’s other clients’ information to the auditor. The Customer is liable for the auditor’s compliance with the confidentiality and other terms of the Agreement.

3.5 If the Supplier engages a sub-Processor for carrying out specific Processing activities, the Supplier shall impose the same data protection obligations as set out in these Terms by way of a written contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of these Terms.

3.6 The Customer acts as the Controller in relation to all Personal Data. The Customer is (among other things) liable for the correctness of the Personal Data and the lawfulness of the Processing of the Personal Data and for other duties and liabilities of the Controller.

3.7 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Customer and the Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with the Laws, including inter alia as appropriate: (a) in accordance with the Supplier’s price list and as agreed by the Parties, the pseudonymisation and encryption of the Personal Data, (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

3.8 The Supplier shall notify the Customer without undue delay after becoming aware of a Personal Data Breach. The Supplier shall, in accordance with the Supplier’s price list, assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Laws to notify the Personal Data Breach to the supervisory authority and/or to the Data Subjects, taking into account the nature of the Processing and the information available to the Supplier.

3.9 The Supplier and its subcontractors might transfer the Personal Data to countries outside the European Economic Area (EEA) and European Union (EU) (“Third Country”) for the purposes set out in these Terms. The legal basis for the transfer of the Personal Data to Third Countries is the Supplier’s or its subcontractors’ Binding Corporate Rules, European Commission’s Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries, the EU-U.S. Privacy Shield Framework, alternative data export mechanisms for the lawful transfer of Personal Data (as recognized under EU data protection laws) or other legal basis.

3.10 Also, the Customer or a User might use the Software Service in Third Countries or a User might contact the Supplier in Service matters from locations in Third Countries. In such situations, it is deemed that the Customer has consented to the transfer of the relevant Personal Data to Third Countries.

3.11 The Customer indemnifies and holds the Supplier and its subcontractors harmless from and against any and all direct and indirect damages and expenses (including reasonable attorneys’ fees) arising out of any claim, demand or suit by any third party arising out of or relating to the Personal Data used by the Supplier and/or its subcontractors based on the Agreement.

3.12 The Customer understands and agrees that certain Personal Data of the Customer’s internal users relating to the contractual relationship between the Customer and the Supplier are governed by the Supplier’s respective customer privacy policy and the Supplier is the Controller of such Personal Data and might be allowed to store and otherwise Process such Personal Data also after the term of the Agreement, for example if the Personal Data in question is necessary for the establishment, exercise or defence of legal claims.