Project-TOP Solutions Oy
Teknobulevardi 3-5, PL35
+358 40 703 0513
VAT ID: FI21990189
Effective Date 1.12.2015.
Please read these this agreement carefully. By using ProjectTOP Products, you acknowledge that you have read, understood and agree to be bound by this agreement. Users who violate this agreement may have their access of ProjectTOP Products suspended or terminated, at any time.
This Customer Agreement (“Agreement”) is between you and Project-TOP Solutions Oy (2199018-9) (“ProjectTOP”). “Customer” or “you” means your company. If you are entering into these Terms on behalf of an entity, such as your employer or the company you work for, you represent that you have the legal authority to bind that entity.
ProjectTOP may change this Agreement from time to time. Please check the Customer Agreement periodically for changes.
You may increase the number of Users to access the Product. You must pay the applicable fee for the increased number of Users.
You are responsible for compliance with this Agreement by all Users.
You shall not license, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make the Product available to any third party; reverse engineer the Product in order to build a competitive Product, build a Product using similar ideas, features, functions or graphics or copy any ideas, features, functions or graphics of the Product.
ProjectTOP makes efforts to protect Data, to conduct daily Data backups, and to store backups for five (5) days at a time in an appropriate facility.
ProjectTOP takes no responsibility for the quality, integrity, legality, appropriateness, and intellectual property ownership or right to use Data, and ProjectTOP shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store Data. We cannot guarantee that our security procedures will be error-free, that transmissions of your Data will always be secure or that unauthorized third parties will never be able to defeat our security measures or those of our third party service providers.
ProjectTOP may remove or delete your Data within a reasonable period of time after the termination of your subscription. ProjectTOP reserves the right to withhold, remove and discard Data, without notice, for any breach, including, without limitation, Customer’s non-payment. Upon termination for cause, User’s right to access or use Client Data immediately ceases.
Representations, Warranty and Disclaimer.
ProjectTOP’s consent, unless User unconditionally releases ProjectTOP of all liability and such settlement does not affect ProjectTOP’s business or Service,); (c) provides to User all available information and assistance; and (d) has not compromised or settled such claim.
ProjectTOP shall indemnify and hold User and User’s authorized Users, parent organizations, subsidiaries, affiliates, officers, directors, employees, attorneys and agents harmless from and against any and all claims, causes of action, costs, damages, losses, liabilities and expenses (including attorneys’ fees and costs) arising out of or in connection with: (i) an allegation that the Service directly infringes a copyright, a patent issued as of the Effective Date, or a trademark of a third party; (ii) a violation by ProjectTOP of its representations or warranties; or (iii) breach of this Agreement by ProjectTOP; provided in any such case, that User (a) promptly gives written notice of the claim to ProjectTOP; (b) gives ProjectTOP sole control of the defence and settlement of the claim (except ProjectTOP may not settle any claim, without User’s consent, unless it unconditionally releases User of all liability); (c) provides to ProjectTOP all available information and assistance; and (d) has not compromised or settled such claim.
ProjectTOP shall have no indemnification obligation, and User shall indemnify ProjectTOP pursuant to this Agreement, for claims arising from any infringement alleged to be caused by the combination of the Service with any of User’s Products, service, and hardware or business process.
1. What information does ProjectTOP collect?
Name and email address, permissions and consents to send emails.
2. From which sources is my information collected?
Personal data is mainly collected at the point of subscription or registration, or later during the customer relationship.
3. For which purposes is my data collected?
Delivery of our products, services and demos and targeted digital advertising.
4. How is my data stored and combined?
In our secure database located in the EU.
5. For how long will my data be stored?
We store user information only for as long as is necessary in order to fulfil the purposes set out in Section 3 above.
6. Who can handle my personal data?
ProjectTOP employees who have the access rights to handle personal information.
7. Will my data be transferred to third parties?
8. How is my personal data protected?
We use technical and organisational measures to protect personal data against unauthorised access, transfer, deletion or other handling that may compromise information security.
9. Are cookies used on ProjectTOP’s web sites?
10. Do third parties collect information about my visits to ProjectTOP websites?
Yes, we use third party web traffic analysers for anonymous statistics.
11. Does ProjectTOP use data about the location of my device?
12. How can I influence my privacy?
Users have the right to prevent their information from being used for direct sales or marketing purposes, and for electronic direct marketing purposes. Users can opt-out directly from the e-mail. User accounts will be deleted upon request.
13. Is this privacy statement subject to changes?
15. How can I contact you?
Our primary contact is: [email protected]
1 SCOPE OF APPLICATION
1.1 These general terms and conditions shall apply to the sale and licensing of information technology products and to the supply of information technology services.
2.1 Deliverables mean the products and services that constitute the object of the agreement.
2.2 Open Source Software means any software or software component which (a) is licensed subject to the open source licence terms and conditions listed at www.opensource.org/licenses; (b) fulfil the open source definition set out at www.opensource.org/docs/osd; or (c) is otherwise licensed subject to licence terms and conditions conforming to the criteria set out at www.opensource.org/ docs/osd.2.3 Product means the hardware, equipment, software, data system or other similar product that constitutes the object of the agreement and any instructions or other documentation related thereto.
2.4 Service means the installation, maintenance, support, consultancy, training, software service or other service that constitutes the object of the agreement.
2.5 Standard software means software or software component marketed or licensed to several customers and the instructions or other documentation and potential media related to the standard software in question.
3 DELIVERABLES AND TERMS AND CONDITIONS APPLICABLE THERETO
3.1 The parties shall define deliverables in writing.
3.2 The parties shall agree in writing as to whether the product includes open source software or standard software.
3.3 In case of discrepancy between these general terms and conditions and possible IT2018 special terms and conditions and the terms and conditions of the open source software that are part of the agreement, the terms and conditions of the open source software in question shall take precedence.
3.4 In case of discrepancy between these general terms and conditions and possible IT2018 special terms and conditions and the terms and conditions of the standard software that are part of the agreement, the terms and conditions of the standard software in question shall take precedence.
4.1 The parties shall agree the prices, pricing principles and the adjustment of the prices for the deliverables in writing. To the extent the parties have not agreed otherwise in writing regarding the
prices, pricing principles and the adjustment of the prices for the deliverables, the terms set out in sections 4.2 – 4.9 shall apply.
4.2 The currency to be used for prices and invoicing is the Euro.
4.3 If a price for a product or a service has not been agreed in the agreement or otherwise, the price in the supplier’s price list effective on the date of order shall apply to the product or service in question.
4.4 If the price of a product or service is wholly or partly tied to specific price adjustment criteria, the price shall be adjusted in proportion to the change if the change is at least 2 percent. With respect to the specific price adjustment criteria the base value or quotation at the date of the signature of the agreement shall apply. With respect to prices tied to a currency exchange rate, these shall be
determined using the mid-rate quoted by the European Central Bank at the date of delivery; save for products or services invoiced periodically, the price of which shall be determined using the
mid-rate quoted by the European Central Bank at the date of invoicing.
4.5 The supplier shall be entitled to adjust the recurring charge of a product or service by notifying the customer of the change and of the reason of the change in writing at least 90 days before the effective
date of the change. Where a price change occurs the customer shall be entitled to terminate the agreement for the product or service in question on the effective date of the price change by notifying the supplier thereof in writing at least 30 days before the effective date of the change. In that case the customer shall also be entitled to terminate the agreement simultaneously with respect to other products and services which, due to the above-mentioned termination, can no longer be essentially used for the benefit of the customer. The change shall not affect the charges for invoicing
periods which have commenced before the effective date of the change.
4.6 The prices shall include all public charges determined by the authorities and effective on the date of signature of the agreement, with the exception of value added tax. Value added tax shall be added to the prices in accordance with the then current regulations. If the amount of public charges determined by the authorities or their collection basis change due to changes in the regulations or taxation practice, the prices shall be revised correspondingly.
4.7 The supplier shall be entitled to charge for customary and reasonable travel and accommodation costs as well as per diem allowances separately. The supplier shall also be entitled to charge, separately, fifty percent of the agreed hourly charge for time taken by a journey necessitated by the service and exceeding 60 kilometres back and forth. If the journey back and forth total not more than 60 kilometres, the travel time shall not be charged for. Other travel arrangements shall be agreed separately.
4.8 Pursuant to the agreed pricing principles, the supplier shall be entitled to charge, separately, for work that does not fall within the scope of deliverables but is ordered by the customer in writing.
In addition, the supplier shall be entitled to charge extra fees in respect of such work pursuant to the agreed pricing principles if the customer makes a written order for work to be conducted outside
the supplier’s normal working hours.
4.9 Pursuant to the agreed pricing principles, the supplier shall be entitled to charge, separately, for additional costs incurred as a result of the provision of incorrect information by the customer or other similar reason for which the customer is responsible.
5 PAYMENT TERMS
5.1 The parties shall agree the payment instalments and payment terms in writing. To the extent the parties have not agreed otherwise in writing regarding the payment instalments and payment terms,
the terms set out in sections 5.2 – 5.4 shall apply.
5.2 The supplier shall invoice for the products upon delivery and for the services following their performance. However, the supplier shall be entitled to invoice for recurring charges and other periodically
invoiced charges in advance in accordance with intervals agreed in writing or, if the intervals have not been agreed in writing, monthly in advance. However, if the parties have agreed on acceptance procedure of the delivery or part of the delivery, the supplier shall invoice for timebased charges monthly in arrears and for other charges based on delivery following acceptance of such delivery or part of the delivery.
5.3 The payment term is 14 days net from the date of delivery or date of invoice, whichever is later.
5.4 Interest on delayed payments accrues in accordance with the Interest Act.
6.1 Unless otherwise agreed in writing, either party shall have the right to subcontract its obligations under the agreement. Upon request by the other party, such party shall provide necessary information regarding its subcontractors that execute tasks related to the deliverables.
6.2 Each party shall ensure that its subcontractors comply with the requirements set out for the party. Each party shall be liable for the performance of its subcontractors as for its own performance.
6.3 Each party shall contribute to the cooperation between its subcontractors and the subcontractors of the other party where necessary for the tasks related to the deliverables.
7.1 Each party shall keep in confidence all material and information received from the other party and marked as confidential or which should be understood to be confidential, and may not use such
material or information for any purposes other than those set out in the agreement. The confidentiality obligation shall, however, not apply to material or information, (a) which is generally available
or otherwise public; (b) which the receiving party has received from a third party without any obligation of confidentiality; (c) which was in the possession of the receiving party prior to receipt of the same from the other party without any obligation of confidentiality related thereto; (d) which the receiving party has independently developed without using material or information received from the other party; or (e) which the receiving party is required to provide due to law or regulation by the authorities.
7.2 Each party shall promptly upon termination of the agreement or when the party no longer needs the material or information in question for the purpose set out in the agreement cease using confidential material and information received from the other party and upon request return or destroy the material including all copies thereof in a reliable manner. Each party shall, however, be entitled
to retain such material as is required by law or regulation by the authorities.
7.3 Each party shall be entitled to use the professional skills and experience acquired in connection with the delivery.
7.4 The rights and responsibilities under this section 7 shall survive the termination, expiration or cancellation of the agreement. Unless otherwise agreed in writing, these rights and obligations shall
expire after 5 years from the termination, expiration or cancellation of the agreement. The termination, expiration or cancellation of the agreement shall, however, not affect the rights and obligations
related to this section 7, if applicable laws require a longer confidentiality obligation than the confidentiality period set out in this section 7.4.
8 DATA SECURITY AND BACKUP
8.1 Each party and its subcontractors shall comply with the measures agreed by the parties in writing and the legal requirements set out in applicable laws related to data security and backup requirements.
To the extent the parties have not agreed otherwise in writing regarding data security and backup requirements, the terms set out in sections 8.2 – 8.4 shall apply.
8.2 Each party shall ensure that the part of the deliverables and the party’s own environments, such as equipment, communications network, service production facilities and business premises, within
that party’s responsibility under the agreement, are protected against data security threats in accordance with the adequate data security procedures used by the party, and shall ensure that measures relating to data security and backup are complied with. Neither party is responsible for the data security of the general communications network or any disturbance in the general communications network.
8.3 A party shall notify the other party without undue delay of any significant data security risks and data security breaches, actual or suspected, detected by such party that pose a threat to the product
or its use. A party shall, for its part, take immediate action in order to eliminate or reduce the effect of any data security breach. A party shall be responsible for contributing in the investigation of
data security breaches.
8.4 Each party shall be responsible for making back-up copies of its data and data files and for verifying the functionality of such back-up copies.
9 PROCESSING OF PERSONAL DATA
9.1 If the supplier processes personal data on behalf of the customer, IT2018 EHK special terms and conditions for processing of personal data shall apply, unless otherwise agreed in writing.
10 FORCE MAJEURE
10.1 Neither party shall be liable for delay and damage caused by an impediment beyond the party’s control and which the party could not have reasonably taken into account at the time of conclusion of the agreement and whose consequences the party could not reasonably have avoided or overcome. Such force majeure events shall include, if not proven otherwise, inter alia, war or insurrection, earthquake, flood or other similar natural catastrophe, interruptions in general traffic, data communication or supply of electricity, import or export embargo, strike, lockout, boycott or other similar industrial action. A strike, lockout, boycott and other similar industrial action shall also be considered, if not proven otherwise, a force majeure event when the party concerned is the target or a party to such an action.
10.2 A force majeure event suffered by a subcontractor of a party shall also be considered a force majeure event in relation to the party if the work to be performed under subcontracting cannot be done or acquired from another source without incurring unreasonable costs or significant loss of time.
10.3 Each party shall without delay inform the other party in writing of a force majeure event and the termination of the force majeure event.
11 INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS
11.1 The supplier warrants that the deliverables do not infringe third party intellectual property rights in the agreed country of delivery or use. Unless otherwise agreed in writing, the agreed country of delivery and use shall be Finland.
11.2 The supplier shall at its own expense indemnify the customer against claims presented against the customer that a deliverable infringes third party intellectual property rights in the agreed country
of delivery or use provided that the customer promptly notifies the supplier in writing of such presented claims and permits the supplier to defend or settle the claims on behalf to the customer and gives to the supplier, at the request of the supplier and at the supplier’s expense, all necessary information and assistance available and the necessary authorisations. The supplier shall pay all damages awarded in a trial or agreed to be paid to a third party if the customer has acted in accordance with the foregoing.
11.3 If in the reasonable opinion of the supplier a deliverable infringes third party intellectual property rights in the agreed country of delivery or use or if such infringement has been confirmed in a trial, the supplier shall and may at its own expense and discretion either (a) obtain the right to continue use of the deliverable for the customer; (b) replace the deliverable with a product or service that complies with the agreement and corresponds to the deliverables; or (c) modify the deliverable in order to eliminate the infringement in such a manner that the modified deliverable complies with the agreement. If none of the above-mentioned alternatives is available to the supplier on reasonable terms, the customer shall, at the request of the supplier, stop using the deliverable and return it, and the supplier shall refund the price paid by the customer for the deliverable less the proportion of the price corresponding to the actual time of use.
11.4 The supplier shall, however, not be liable if the claim (a) is asserted by a company, which exercises control over the customer or which is controlled by the customer within the definition of control laid down in the Accounting Act; (b) results from alteration of the deliverable by the customer or from compliance with the customer’s written instructions; (c) results from use of the deliverable in combination with any product or service not supplied or approved by the supplier; or (d) could have been avoided by the use of a released product or service that complies with the agreement and corresponds with the deliverables and which product or service is offered for use to the customer by the supplier without separate charge.
11.5 The supplier’s liability for infringement of intellectual property rights in the deliverables shall be limited to this section 11.
12 DELAY AND CANCELLATION OF AGREEMENT
12.1 If a party finds that a delay will or is likely to occur, such party shall without delay inform the other party in writing of the delay and of the effects of the delay on the delivery time schedule.
12.2 If it becomes evident that fulfilment of the agreement will be delayed for more than 60 days due to a force majeure event, the party not subject to the force majeure event shall be entitled to cancel
the agreement wholly or in part without either party having the right to claim damages.
12.3 If the delivery is delayed due to a reason attributable to a party and does not take place within a reasonable extension of time, such extension of time to be at least 30 days, set by the non-breaching party in writing, the non-breaching party shall be entitled to cancel the agreement with respect to the products and services whose delivery is delayed, provided that the delay is of a substantial importance to the non-breaching party and the delayed party knew or should have known this.
12.4 A party shall also be entitled to cancel the agreement wholly or in part if the other party is otherwise materially in breach of the terms of the agreement and the breach is of substantial importance to
the non-breaching party. If the breach is capable of being remedied, the agreement may be cancelled only if the party in breach has not rectified its breach within a reasonable period of time set by the other party in writing, such period to be at least 30 days.
12.5 The supplier shall also be entitled to cancel the agreement wholly or in part if the customer has not paid a due and correct payment within 30 days of a written overdue payment reminder and the
customer has not provided the supplier with an acceptable guarantee for the payment of the charges under the agreement.
12.6 A party shall be entitled to cancel the agreement wholly or in part prior to the date of its fulfilment if it becomes evident that the other party will commit a breach of the agreement justifying its cancellation. Such cancellation of the agreement shall, however, be invalid, if the other party either provides an acceptable guarantee for the fulfilment of the agreement or presents other reliable
clarification of the fulfilment of the agreement promptly following receipt of the notice of cancellation.
12.7 If the customer cancels the agreement with respect to a product or service, the customer shall also have the right to cancel at the same time the agreements between the parties with respect to other
products and services which relate to the same delivery entity and which due to the above-mentioned cancellation can no longer be used essentially for the benefit of the customer.
12.8 In order for the cancellation to be valid, the party cancelling the agreement must inform the other party thereof in writing.
12.9 If a party shall be entitled to cancel the agreement, the party shall also have the right suspend its performance by giving written notice to the other party. The right of the party to suspend its performance ends, if the other party either provides an acceptable guarantee for the fulfilment of the agreement or presents other reliable clarification of the fulfilment of the agreement promptly following receipt of the notice of suspension.
13 LIABILITY FOR DAMAGES AND LIMITATION OF LIABILITY
13.1 The parties shall agree liability for damages and limitation of such liability in writing. To the extent the parties have not agreed otherwise in writing regarding liability for damages and limitation of liability, the terms set out in sections 13.2 – 13.5 shall apply.
13.2 The maximum liability for damages of a party towards the other party based on the agreement shall not, excluding possible liquidated damages payable due to delay, service credits or other similar contractual penalties or credits, exceed in aggregate 20 percent of the total price for the deliverables excluding value added tax. However, where solely a fixed term product or service provided against a recurring charge or solely a product or service agreed until further notice and provided against a recurring charge is concerned, the maximum liability for damages shall not, excluding possible liquidated damages payable due to delay, service credits or other similar contractual penalties or credits, exceed in aggregate the calculatory monthly price for the product or service at the point of breach of contract, excluding value added tax, multiplied by 6. If the breaching party has an obligation to pay liquidated damages payable due to delay, service credits or other similar contractual penalties or credits, the breaching party is also liable to pay damages only for the part of the loss exceeding the liquidated damages payable due to delay, service credits or other similar contractual penalties or credits.
13.3 Neither party shall be liable for any indirect or consequential damage. Indirect or consequential damage shall mean, inter alia, loss of profits or damage caused due to decrease or interruption in turnover or production.
13.4 Neither party shall be liable for the destruction, loss or alteration of the other party’s data or data files, nor for any damages and expenses incurred as a result, including expenses involved in the reconstitution of data files. This section 13.4 shall not apply, if a party’s obligations under the agreement comprise taking back-up copies of the other party’s data or data files or managing the other party’s data security and that party has not fulfilled this duty.
13.5 The limitations of liability shall not apply to liability under sections 7 and 11 or damages caused by (a) the transfer, copying or use of deliverables contrary to law or the terms and conditions of the agreement; (b) breach of section 15.1; or (c) wilful conduct or gross negligence.
14 APPLICABLE LAW AND SETTLEMENT OF DISPUTES
14.1 The agreement shall be governed by the laws of Finland.
14.2 Any dispute, controversy or claim arising out of or relating to the agreement, or the breach, termination or validity thereof shall be finally settled by arbitration in accordance with the Arbitration
Rules of the Finland Chamber of Commerce. A dispute shall be resolved by a sole arbitrator. Notwithstanding the preceding sentences, claims for non-payment of monetary charges may be
resolved in the district court of the respondent’s place of domicile if the respondent does not contest its payment obligation.
14.3 If the parties so agree in writing, any dispute, controversy or claim arising out of the agreement
shall be resolved in the district court.
15 EXPORT RESTRICTIONS
15.1 The customer agrees to comply with the laws and regulations laid down by the authorities of Finland and with such laws and regulations laid down by the authorities of the country of origin of the product as are notified to the customer by the supplier and are applicable to the export of products and technical information from Finland. The customer also agrees not to provide any products or technical information to a third party if doing so would violate the laws or regulations laid down by the authorities of Finland or such laws or regulations laid down by the authorities of the country of origin of the product as are notified to the customer by the supplier.
16 ASSIGNMENT AND AMENDMENTS OF THE AGREEMENT
16.1 Neither party may assign the agreement, either wholly or in part, without the written consent of the other party. Such consent shall not be unreasonably withheld if the assignee undertakes in writing to comply with the terms and conditions of the agreement and the assignment is to a company belonging, according the Accounting Act, to the same group of companies as the party, or is made in connection with the transfer of business operations.
16.2 The supplier shall, however, be entitled to assign its receivables under this agreement to a third party by notifying the customer of the assignment in writing.
16.3 All changes and amendments to the agreement shall be agreed in writing in order to be valid.
© 2018 Finland Chamber of Commerce, Finnish Software Entrepreneurs Association, Finnish Association of Purchasing and Logistics LOGY, Technology Industries of Finland ISBN 978-952-238-224-5
and Finnish Information Processing Association, TIVIA www.it-ehdot.fi
1 SCOPE OF APPLICATION
1.1 These special terms and conditions shall apply when the supplier processes personal data on behalf of the customer under the agreement the parties have concluded. In this case, the customer acts as the controller and the supplier acts as the processor of personal data.
1.2 In addition to these special terms and conditions, the IT2018 YSE general terms and conditions shall apply. In case of discrepancy between these special terms and conditions and the IT2018 YSE general terms and conditions, these special terms and conditions shall take precedence.
2.1 Personal data means any information relating to an identified or identifiable natural person or to any other personal data referred to in data protection legislation.
2.2 Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2.3 Processing means any operation or set of operations that the supplier performs on behalf of the customer under the agreement the parties have concluded and that is performed on personal data or sets
of personal data, whether or not by automated means, or to any other processing of personal data referred to in data protection legislation.
2.4 Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, or to any other controller referred to in data protection legislation.
2.5 Data protection legislation means the General Data Protection Regulation (679/2016) of the European Union, any other applicable data protection provisions, and any regulations and instructions issued by the data protection authorities.
3 GENERAL RIGHTS AND RESPONSIBILITIES IN THE PROCESSING OF PERSONAL DATA
3.1 The more detailed contents of the personal data processing, including:
(a) the nature and purpose of the processing;
(b) the type of personal data and categories of data subjects;
(c) the applicable data protection measures;
(d) the customer’s rights and responsibilities as a controller in greater detail than set out in these special terms and conditions; and
(e) the object and duration of the personal data processing under the agreement shall be described in greater detail in the agreement between the parties and appendices to it or in the customer’s other instructions binding on the supplier.
3.2 The customer has the right to give binding written instructions to the supplier on the processing of personal data. The supplier and the supplier’s personnel shall process personal data in compliance with
the applicable data protection legislation, the agreement between the parties, and the written instructions the customer has given to the supplier. The supplier shall notify the customer without delay if the supplier considers that the customer’s instructions infringe the data protection legislation.
3.3 As the controller, the customer shall take the necessary measures to ensure that, as regards the customer, the processing of personal data to be transferred to the supplier complies with the data protection legislation.
3.4 At the customer’s request, the supplier shall without delay provide the customer with all information the customer may need for fulfilling the rights of the data subjects, including any access rights, or for complying with the requirements or instructions of the data protection authorities. The supplier shall, without delay, inform the customer of all requirements and inquiries made by the data subjects, the Data Protection Ombudsman or other authorities. The supplier has the right to invoice the customer for these tasks in accordance with the agreement the parties have concluded or, if no price has been agreed, in accordance with the supplier’s general price-list.
4.1 The customer or an auditor mandated by the customer has the right to audit whether the supplier meets its obligations related to the processing of personal data in order to assess the compliance of the supplier and its subcontractors with the obligations set by these special terms and conditions and other obligations set by the agreement for the processing of personal data.
4.2 The supplier assures the rights that the customer has under the data protection legislation to audit the supplier’s subcontractors.
4.3 Any audits conducted by the customer shall not limit the obligations and responsibilities of the supplier or its subcontractors under these special terms and conditions or the agreement.
4.4 Each party to the agreement is liable for its part for the audit costs.
5 DATA SECURITY
5.1 The supplier shall take any appropriate technical and organisational measures to combat and prevent unauthorised and unlawful processing of personal data and to prevent unintentional loss, change, destruction of or damage to personal data.
5.2 The supplier shall ensure that the persons who process personal data have signed a confidentiality agreement or are under an appropriate statutory obligation of confidentiality, and that they process personal data only in connection with their duties for the agreed purpose.
5.3 The supplier shall notify the customer in writing without undue delay of all data security violations targeted at personal data and of any other incidents that have jeopardised the data security of personal data processed on behalf of the customer, or when the supplier has reason to believe that the data security may have been jeopardised. At the customer’s request, the supplier shall provide the customer with all relevant information related to a data security violation. The supplier shall also inform the customer of the measures taken because of the data security violation. Unless otherwise provided by mandatory legislation obliging the supplier, the notification the supplier provides to the customer on a data security violation shall include at least the following:
(a) a description of the nature of the violation,
(b) itemisation of the data at which the violation was targeted,
(c) if the target of the violation includes personal data, a description of the categories of data subjects in question and the total number of the persons affected,
(d) a description of the remedial actions that the supplier has taken or is going to take in order to prevent data security violations in the future,
(e) a description of the consequences of the data security violation, and
(f) a description of the actions the supplier has taken to minimise the adverse effects of the data protection breach.
5.4 The supplier shall document all violations of data security, comprising the facts relating to the violation, its effects and the remedial action taken.
6 LOCATION OF PERSONAL DATA
6.1 The supplier shall be entitled to transfer personal data freely within the European Union or the European Economic Area in order to provide the service. Unless otherwise agreed in writing, the supplier is also entitled to transfer personal data outside the European Union or the European Economic Area in compliance with the data protection legislation. The customer is entitled to receive information from the supplier at any time on location where personal data is processed.
6.2 If personal data is processed outside the European Union or the European Economic Area, each party to the agreement shall ensure for its part that the processing of personal data complies with the data
7 USE OF THIRD PARTIES IN DATA PROCESSING
7.1 Unless otherwise agreed in writing, the supplier is entitled to use another data processor as its subcontractor in the processing of personal data. At the customer’s written request, the supplier shall inform the customer in writing of the subcontractors it uses.
7.2 When the supplier uses a subcontractor in the processing of personal data, the following terms and conditions are applicable:
(a) the assignment is governed by a written agreement; and
(b) the written agreement obliges the subcontractor to fulfil the same responsibilities and commitments that are applicable to the supplier under this agreement and the data protection legislation, and provides the customer with the same rights towards the subcontractor as the customer has towards the supplier.
7.3 Before changing any subcontractors participating in the processing of personal data or hiring new subcontractors, the supplier shall notify the customer of this in writing without undue delay. If the customer does not approve the change of subcontractors or the use of new subcontractors, the supplier has the right to terminate the agreement by giving 30 days’ notice.
7.4 The supplier is responsible for its subcontractors’ operations and defaults in relation to the customer.
8 DELETING AND RETURNING PERSONAL DATA
8.1 During the period of validity of the agreement, the supplier shall not delete any personal data processed
on behalf of the customer unless the customer so specifically requests.
8.2 Upon expiry of the agreement, the supplier shall, according to the customer’s choice, either delete all
personal data processed on the behalf of the customer or return it to the customer and delete all copies of it, unless the legislation requires the supplier to retain it. If the customer does not request the supplier to delete or return the personal data processed on the behalf of the customer, the supplier shall retain the personal data processed on the behalf of the customer for six (6) months after the expiry of the agreement, after which the supplier shall delete all copies of it, unless the legislation requires the supplier to retain it.
9 LIABILITY FOR DAMAGE AND LIMITATION OF LIABILITY
Unless the parties to the agreement have otherwise agreed in writing, these special terms and conditions
are otherwise subject to Section 13 of the IT2018 YSE general terms and conditions, but a
party’s maximum liability for damage as referred to in Section 13.2 shall be double the amount indicated in Section 13.2.
© 2018 Finland Chamber of Commerce, Finnish Software Entrepreneurs Association, Finnish Association of Purchasing and Logistics LOGY, Technology Industries of Finland ISBN 978-952-238-224-5 and Finnish Information Processing Association, TIVIA www.it-ehdot.fi