Personal data processing agreement (DPA)
1. Parties
a. Controller
Customer organisation: (hereinafter ‘Controller’)
b. Processed by
Supplier organisation: Finnish Olympic Committee (hereinafter ‘Processor’)
2. Background and purpose
In this data processing agreement (hereinafter ‘DPA’), the parties agree on the terms and conditions under which the Processor shall process personal data on behalf of the Controller in the Suomisport service (hereinafter ‘Service’) and the connected information system, along with any personal data transferred from the Suomisport service to another information system or data medium. This DPA is related to the service agreement signed by the parties, which authorises the use of the Service, including any possible appendices, additions and changes (hereinafter ‘Agreement’), pursuant to which the Controller procures services from the Processor.
This DPA is not applied to any such personal data that are processed by the Processor independently as the responsible controller in relation to the contact persons of the main agreement, contact related to invoicing between the parties and corresponding activities, for example.
In the event of a conflict between the Agreement and the DPA, the terms and conditions of the DPA shall be prioritised, unless otherwise stipulated in this DPA.
3. Definitions
Unless otherwise agreed upon or necessitated by the context, this DPA shall adhere to the definitions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter ‘General Data Protection Regulation’, i.e. GDPR).
The term ‘Data Protection Provisions’ refers to the GDPR and other applicable EU or national data protection legislation as well as regulations and statements issued by regulatory authorities, including acts and practices derived from the measures of the European Data Protection Board and the European Commission.
4. The Controller’s rights and responsibilities
- The Controller shall be responsible for the lawful collection, processing and use of the personal data to be processed in the Service pursuant to this DPA, for the accuracy of the data, and for the fulfilment of the Controller’s obligations under the Data Protection Provisions.
- The Controller shall notify persons registered in the service if their personal details are transferred and ensure that there is an appropriate legal basis for transferring the personal data to the Processor so that it can process the personal data for the purpose of providing the agreed service.
- The Controller confirms that the instructions of the Controller regarding the processing of personal data have been presented comprehensively in the Agreement and this DPA. If the Controller wishes to change the instructions later on, it shall contact the Processor in writing. If the implementation of such new instructions causes additional costs to the Processor, the Processor has the right to charge the Controller for any additional costs incurred by the Processor in implementing any such new instructions. The instructions must be reasonable and compliant with the Data Protection Provisions.
5. The Processor’s rights and responsibilities
- The Processor undertakes to observe the Data Protection Provisions and the Controller’s instructions during data processing. The Processor may not process the Controller’s personal data for any purposes other than those for which the processing is covered by the Agreement or this DPA.
- Pursuant to this DPA, the Processor shall be responsible for the lawful collection, processing and use of the personal data to be processed and the accuracy of the data, and for the fulfilment of the Processor’s obligations under the Data Protection Provisions.
- The Processor shall notify the Controller if any new instruction issued by the Controller violates the Data Protection Provisions. The Processor may suspend the implementation of the new instructions until such time as they are changed or the Controller confirms them. The Controller is always ultimately responsible for the instructions being compliant with the Data Protection Provisions. The Processor is only obliged to notify the Controller if it notices that the instructions inevitably violate the Data Protection Provisions. However, it does not have other obligations to check or ensure that the instructions comply with the Data Protection Provisions.
- The Processor undertakes to assist the Controller, to a reasonable degree, in the performance of its obligations as regards the personal data processed by the Processor under this DPA. Such obligations may include assisting the Controller in responding to requests or enquiries from a competent authority, conducting data protection impact assessments and requesting advance information from a supervisory authority as well as assisting the Controller with fulfilling requests related to the rights of data subjects under the Data Protection Provisions. The Processor has the right to charge for any additional costs caused by providing assistance related to the rights of data subjects, and the Controller is obliged to pay such additional costs.
- If a party registered with the Service, some other natural person or a supervisory authority requests assistance directly from the Processor in relation to personal data (e.g. a request to gain access to data, correct or delete data, supply data or perform another measure), the Processor shall notify the Controller of any such request as soon as reasonably possible pursuant to the Data Protection Provisions.
- The Processor shall maintain, instruct and train its employees who participate in the personal data processing on the requirements of the Data Protection Provisions and ensure that the employees in question are committed to the appropriate confidentiality as regards the requirements pertaining to privacy or covered by the appropriate statutory obligation to secrecy. In the event that the Controller has provided special instructions related to its processing of personal data, the Processor shall also instruct any of its employees who are engaged in the processing of personal data on behalf of the Controller on the content of any such instructions.
- The Processor shall implement and maintain the appropriate technical and organisational measures with regard to all of the personal data it processes. The Processor selects such data security measures at its sole discretion based on field-specific standards, market practices and special requirements derived from Data Protection Provisions, for example. The Processor may adjust the data security measures from time to time, but it may not reduce the general level of data security while the DPA remains in force.
- The Processor shall ensure the confidentiality, integrity, availability and sustainability of the personal data that it processes. The Processor shall regularly test, examine and assess the efficiency of the technical and organisational data security measures implemented by the Processor. The Processor undertakes to adhere to the official decisions related to the processing of personal data.
- The Processor undertakes to notify the Controller, without delay, of any personal data breaches that pertain to the personal data transferred by the Controller to the Processor. These notifications shall include the following in accordance with the Data Protection Provisions: a description of the nature and scope of the data security breach, including, where possible, the categories and estimated number of data subjects as well as the personal data categories and estimated quantity of the Controller’s personal data affected; the name and contact information of the Processor’s data security officer or other contact details for obtaining additional information; a description of the assessed consequences of the data security breach; and a description of the measures that the Processor has taken or intends to take to process and rectify data security breaches, including any measures to minimise any resulting harmful effects.
The aforementioned information regarding a data security breach can also be provided in phases if the Processor cannot supply it at the same time as it notifies the Controller of the data security breach.
- The Processor undertakes, as chosen by the Controller, to erase or, where possible, return the personal data processed under this DPA after the end of the Agreement and this DPA, and to destroy any copies unless and to the extent that the applicable legislation obliges the Processor to retain the personal data in question.
- The Processor has the right to produce anonymised statistics on the personal data processed under this DPA, to be used by the Processor or its partners.
6. Transferring personal data
The Processor shall process the personal data within the European Economic Area (EEA). If the Controller needs to or agrees to transfer personal data outside the EEA, the parties undertake to implement the necessary legal protective measures to ensure that the Controller’s personal data remains secure and confidential in accordance with the Data Protection Provisions.
7. Auditing
The Processor undertakes to maintain the appropriate statements and policies or otherwise document the processing carried out on behalf of the Controller where and to the extent that this is required by the Data Protection Provisions. On request, the Processor shall present to the Controller a duplicate of the appropriate parts of such documents or statements insofar as they pertain to the processing of personal data under this DPA.
The Controller or an external auditor that has been appointed by the Controller but is not a competitor of the Processor may conduct an audit to ensure that the Processor adheres to the DPA and the Data Protection Provisions in the processing of personal data. The Controller is entitled to perform audits according to this DPA once per calendar year. The Controller shall notify the Processor of all audits conducted on the Processor’s premises in writing and always at least twenty-one (21) days in advance.
If the audit covers systems used by the Processor, the Processor shall create a test environment within which the Controller can conduct the audit pertaining to the processing of personal data under this DPA. Such audits must primarily be carried out by an independent third-party auditor and always within the Processor’s normal office hours, without significant disturbance to the Processor’s business operations.
The Processor shall provide a duplicate of the processing measures concerning the Controller’s personal data along with all other documents that are essential to the audit. Furthermore, the Processor shall, on request by the Controller, undertake to take all reasonable measures to assist the Controller in any audits. The Processor has the right to invoice for work and reasonable costs related to any additional documents, support and services requested by the Controller. This also includes sufficient compensation for the working hours of the Processor’s staff assisting the Controller’s auditing efforts. The Controller shall cover its own costs related to audits (including the costs of any external auditor).
8. Subcontractors
The Controller provides a general authorisation and consent for the Processor to use subcontractors in the processing of personal data under this DPA, insofar as such use of subcontractors does not lead to activities that violate the Data Protection Provisions or the Processor’s obligations under this DPA. The Processor undertakes to ensure that the subcontractors that it uses are qualified, and that they sign a personal data processing agreement with the Processor and undertake to comply with the appropriate obligations for secrecy. The Processor is liable to the Controller for the personal data processing conducted by its subcontractors. The Processor undertakes to provide the Controller with a list of any subcontractors that it uses in the context of processing personal data under this DPA and, at the request of the Controller, of any information systems they provide to the Processor.
The Processor may choose and replace subcontractors according to the terms of this DPA and the Data Protection Provisions. However, the Processor shall notify the Controller of any essential changes to its subcontractors. If the Controller justifiably concludes that such a change in subcontractors would cause a risk related to the Controller’s personal data, the Controller has the right to object to the change in subcontractors.
9. Processing breakdown
Appendix 1 to this DPA specifies the contact persons of the parties, the subject and duration of the personal data processing, the nature and purpose of the processing, the type of personal data, and the groups of data subjects. The appendix is an integral part of this DPA (Appendix 1: Processing of personal data in the Suomisport service).
10. Compensation for damage to the parties
Each party is entitled to compensation for damage caused by a contractual violation by the other party, unless the violation has been caused by such circumstances outside the other party’s control that it cannot reasonably be expected to have considered at the time of entering into the DPA and the consequences of which it cannot reasonably be expected to have avoided or overcome.
Neither party is responsible for any indirect or consequential losses or damage, including, but not limited to, all losses of profit, income, reputation or business value.
The maximum liability for the parties under this DPA is no less than €1,000 or no more than €100,000 or 4% of the relevant turnover.
The parties state that any administrative sanctions imposed by regulatory authorities are determined in accordance with the Data Protection Provisions.
11. Validity and termination of the Agreement
This DPA shall enter into force upon signing and remain in effect until further notice until such time as its validity ends and the Processor has completed all obligations under the Agreement.
12. Applicable law and dispute resolution
This DPA is governed by Finnish law.
Any disputes arising from this DPA shall be ultimately resolved through arbitration according to the rules of arbitration of the Finland Chamber of Commerce. The court of arbitration shall have one member, and the proceedings shall be held in Helsinki, Finland, in Finnish.
In the event that the dispute pertains to the Agreement in addition to the DPA, the dispute shall, in contrast to what is agreed in Section 12.2, be resolved fully pursuant to the terms of dispute resolution under the Agreement, both with regard to the Agreement and the DPA.
Appendix 1 – Processing of personal data in Suomisport service
Main agreement
The main agreement is a service agreement signed by the parties, which refers to this appendix (Appendix 3 in main agreement).
Subject, nature and purpose of the personal data processing
The subject, nature and purpose of the personal data processing are described in the terms of use and commitments for organisation users (Appendix 2) and the personal data processing agreement (Appendix 3), which are appended to the main agreement.
Sensitive personal data
Sensitive personal data are not processed in the service.
Data security
The data security requirements are described in the service description appended to the main agreement (Appendix 1).
Subprocessors
At the time of signing the agreement, the parties do not employ subprocessors. Section 8 of the personal data processing agreement (Appendix 3 to the main agreement) lays down the provisions for handling subcontractors, to which the parties shall commit.