Data processing agreement
1. Background and purpose
1.1 This agreement on the processing of personal information (“Appendix”) is an integral part of the terms-of-use agreement (“Terms of Service”) made between Surveypal Ltd. (“Surveypal” or “We”) and the customer (“The Customer” or “You”) and the agreement that concerns the provision of services according to the Terms of Service (“Agreement”).
1.2 The purpose of this Appendix is to agree on the privacy and data protection of personal information collected through Surveypal services by You, as the Controller, in the Surveypal services. Between the parties, this Appendix constitutes a written agreement on the processing of personal information such as is meant in the EU’s General Data Protection Regulation (2016/679). The rights and responsibilities directly based on the General Data Protection Regulation only come into force when the Regulation starts to be applied on 25 May 2018.
1.4 If the terms of this Appendix and the Contract concerning the processing of personal information contradict each other, the parties shall primarily apply the terms of this Appendix.
2.1 This Appendix uses the following definitions according to the EU General Data Protection Regulation.
I. “The Controller” means You, who defines the purposes and methods of the Processing of personal information. The Controller commits to this Appendix on its own behalf and on behalf of the group companies of the Controller that act as controllers when Surveypal processes personal information according to this Appendix and other agreements made between Surveypal and the Controller.
II. “The Processor” means Surveypal, which Processes personal information on behalf of the Controller on the basis of the Agreement. Surveypal commits to this Appendix on its own behalf and on behalf of the group companies of Surveypal that participate in processing personal information according to this Appendix and other agreements made between Surveypal and the Controller.
III. “Processing” and “Processing Procedures” mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
IV. “Personal Information” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
V. “Data breach of personal information” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3. Data protection and processing of personal information
3.1 The parties agree to follow the laws, decrees, and official orders on the Processing of personal information in force in Finland and the European Union.
3.2 The types of personal information and groups of registered persons processed in the service cover all the personal information defined and collected by the Customer in the Surveypal service.
Responsibilities of Surveypal
3.3 Based on the Agreement, we process your personal information on your behalf and on commission for you. Among other things, the personal information processed by us may be related to your employees or customers. You are the Controller of the personal information processed in the service, and Surveypal is the Processor.
3.4 We will only process your personal information in accordance with the Agreement, this Appendix, and your written instructions, and only inasmuch and to the extent that this is required to deliver services. We shall notify You if the instructions are found to violate the data protection legislation in force in Finland or the EU. In this kind of situation, Surveypal may immediately refuse and cease to follow your instructions.
3.5 If the EU General Data Protection Regulation so requires, we shall maintain the service description or other statement required by the EU General Data Protection Regulation on the Processing Procedures performed in the service.
3.6 We have the discretion to collect anonymous and statistical information on the use of the services covered by the Agreement that does not identify You or the Registered Persons, as described further in our Terms of Service.
3.7 You, as the controller, are responsible for the accuracy of the personal information Processed in the Surveypal service.
Responsibilities of the Controller
3.8 The Controller is responsible for ensuring that it has the required rights and consents to Process personal information according to the Agreement.
3.10 The Controller has the right and duty to define the purpose, methods, object, nature and duration of the Processing of personal information.
Removal/restoration of information
3.11 After the Agreement has come to an end, we shall return all the personal information of Registered Persons possessed or collected by the Controller or erase the information and its duplicate copies according to your instructions or as set forth in Terms of Service, except in cases where the applicable legislation requires such personal information to be kept.
3.12 We may engage sub-processors in Processing the personal information on Registered Persons processed or collected by the Controller. We remain fully liable to You for the performance of the sub-processor obligations under the Agreement.
3.13 Prior to the engagement of a sub-processor, we shall ensure that the sub-processor is able to provide at least the same data protection obligations as set out in this Appendix, including obligations to implement appropriate technical and organizational measures and to ensure that the transfer of Personal Data is done in such a manner that the processing will meet the requirements of applicable data protection law.
3.14 We maintain a list of our current sub-processors at: https://my.surveypal.com/subprocessors. For up-to-date information on our sub-processors and on changes to the list of sub-processors, visit this website.
3.15 You have the right to receive a copy of the relevant provisions of the written agreement with sub-processors related to data protection obligations.
3.16 You have the right to oppose the use of a new sub-processor for reasonable cause. If we cannot reach an agreement on the use of a new sub-processor, You have the right to end the Agreement with thirty (30) days’ notice inasmuch as the change affects the Processing of personal information covered by the Agreement.
Responsibility of Surveypal for assisting
3.17 We shall immediately transfer to You all the requests received from Registered Persons on the inspection, correction, or erasure of personal information, on forbidding the Processing of personal information, or on any other matters. At your request, we shall assist you in carrying out the requests of registered persons. We have the right to invoice the costs arising from measures related to these requests according to the company’s current price list.
3.18 Taking into account the nature of the Processing of personal information and the information available to us, we are obligated to help You to ensure that the responsibilities set to You in law are met. These responsibilities may concern obligations related to data security, notifications of data breaches, impact assessments concerning privacy or prior consultation. We are only obligated to assist You to the extent that obligations are set by the applicable data protection legislation. We have the right to invoice the costs arising from measures related to these requests according to Surveypal’s current price list.
3.19 We shall direct all enquiries by the data protection supervisory authorities directly to You and await your instructions. If not agreed otherwise, We are not authorised to represent You or act on Your behalf in dealings with the data protection supervisory authorities that monitor the Controller.
4. Processing outside the EU/EEA
4.1 We and our sub-processors may transfer and Process Personal Information outside the EU/EEA.
4.2 Inasmuch as we carry out this kind of Processing outside the EU/EEA, we will ensure that the transfer is only to: (a) countries for which the Commission has decided that they have an adequate level of data protection or (b) parties which use currently applicable standard contractual clauses or other appropriate safety measures as described in Article 46 of the General Data Protection Regulation. In addition, we shall conduct transfer impact assessments and, should the assessment require supplementary safety measures, we shall implement the necessary technical, organizational, and contractual measures.
4.3 As described in section 3 of this Appendix, all sub-processors shall abide by the same obligations toward any processing of Personal Information outside the EU/EEA.
5.1 You or an auditor authorised by you (however, not a competitor of Surveypal) has the right to audit the activity covered by this Appendix. The auditing or other inspection shall be performed in a cost-efficient and timely manner and without causing undue disruption to the daily activity of Surveypal. The parties shall agree on the date and time and other details of the auditing in good time, at least 14 days before the inspection. The auditing shall be performed in a manner that does not affect the commitments to third parties of Surveypal and its sub-processors. The usual confidentiality agreements shall be signed by Your representatives and the auditor.
5.2 You shall be responsible for all the costs caused by auditing. Surveypal has the right to invoice you for the time and expenses related to the auditing on the basis of time and materials. If significant faults are found in our activity in the auditing, we shall be responsible for our own costs caused by the auditing.
6. Data protection and secrecy
6.1 We shall carry out appropriate technical and organisational measures to protect the Controller and the personal information collected by the Controller. We shall take into account the risks involved in Processing, and especially the illegal or accidental destruction, erasure, or alteration of the personal information transferred, saved or otherwise Processed, and unauthorised transmission of or access to such information. The provision of protective measures shall take into account the available technical alternatives and their cost in relation to the special risks related to data processing and the confidentiality of the personal information Processed.
6.2 You shall be responsible for ensuring that We are informed of all the considerations related to the personal information submitted by you, such as risk assessments or the Processing of special groups of persons, that may affect the technical and organisational measures covered by the Agreement.
6.3 We shall ensure that our staff and the staff of our sub-processors follow the appropriate obligation to confidentiality.
7. Data breaches
7.1 We shall notify You, without undue delay, of all data breaches concerning personal information after noticing the breach or being informed of it by our subcontractor.
7.2 At your request, we shall supply you, without undue delay, with all the appropriate information related to the data breach. Inasmuch as the information is available to us, the notification shall describe at least the following:
I. the data breach that has occurred,
II. the groups of registered persons and estimated number of registered persons as well as the groups of types of personal information and estimated number of these (inasmuch as this is possible),
III. a description of the likely consequences of the data breach, and
IV. a description of the rectifying measures taken or due to be taken by Surveypal to prevent data breaches in the future, and of any possible measures to minimise the harmful effects of the data breach.
7.3 We shall document and report to You the results of the enquiry and the measures taken.
7.4 As the Controller, you shall be responsible for the required notifications to data protection supervisory authorities.
8. Other terms and conditions
8.1 If material or immaterial damage is caused to a person by violations of the EU Data Protection Regulation or the Appendix, we are responsible for the damage only inasmuch as we have not followed the obligations expressly falling on Us by the EU Data Protection Regulation or the Appendix. Otherwise, the responsibilities of the parties are determined according to the Agreement.
8.2 Each party is responsible for paying only that share of damages or administrative fines decreed that corresponds to the responsibility assigned to the party in a final decision by a data protection supervisory authority or court of law.
8.3 We shall keep You informed of all decisions that may affect our ability or opportunity to follow this Appendix and the written instructions given by you. You shall be informed of all the changes and additions to this Appendix.
8.4 The Appendix is in force as long as the Agreement is in force.
8.5 Obligations whose nature is such that they are intended to stay in force regardless of the validity of this Appendix shall stay in force after the Agreement ceases to be valid.
8.6 The Appendix shall be governed by the above-mentioned laws, and disagreements shall be resolved according to the provisions of the Agreement.