Data Protection Appendix

Version: 2023-10-01. 7ac87c7d93a61dc030055ffbb0206590265f675c

1. General

This contractual appendix on the processing of personal data (“Data Protection Appendix”) is an integral and inseparable part of Seravo Oy’s (“Processor”) contractual Terms of Service (“Contract”), an up-to-date version of which is available at https://seravo.com/en/terms. This Data Protection Appendix applies when the Processor acts as a processor of personal data within the meaning of the EU General Data Protection Regulation (2016/679) (“GDPR”), i.e. when the Processor processes personal data on behalf of its customer acting as a data controller (“Data Controller”). This Data Protection Appendix, alongside the Agreement, sets out the principles and conditions for the protection and security of personal data. In the event of any conflict between the Agreement, this Data Protection Appendix and any other possible appendices, the processing of Personal Data between the Processor and the Data Controller shall be governed primarily by this Data Protection Appendix.

Data Controllers may refer to this Data Protection Appendix in their privacy statements as required by the EU General Data Protection Regulation. An updated version of the Data Protection Appendix is available at https://seravo.com/en/dpa.

The Data Protection Appendix constitutes an agreement between the Processor and the Data Controller in accordance with the requirements of Article 28(3) of the EU General Data Protection Regulation. This Data Protection Appendix is not intended to transfer any legal obligations of the Data Controller to the Processor.

2. Definitions

  • Agreement: the Processor’s general terms and conditions, i.e. the Terms of Service.
  • Personal Data: any personal data (as defined in the applicable Data Protection Legislation) relating to a natural person (“Data Subject”) from which he or she can directly or indirectly be identified and which is transferred or transmitted by the Data Controller to the Processor in accordance with this Data Protection Appendix and the Agreement, or which is generated in connection with the Services or otherwise processed by the Processor in connection with the provision of the Services.
  • Data breach: a breach of security resulting in the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, Personal Data.
  • Data Protection Authority: any competent data protection authority of an EU Member State under the Data Protection Legislation.
  • Data Protection Legislation: the EU General Data Protection Regulation (2016/679/EU), national data protection legislation and any applicable guidelines and/or regulations issued by the Data Protection Authority from time to time.
  • Service: any service provided by the Processor to the Data Controller under the Contract.
  • Data Subject: a natural person whose Personal Data is processed in connection with the Services.
  • Processing: any operation or set of operations which the Processor performs on Personal Data, with or without the use of automated data processing.

3. Contact details of the Processor

Seravo Oy
Kauppakatu 3 A 4
FI-33200 Tampere
Finland

Website: https://seravo.com
E-mail: dpo@seravo.com
Phone: +358 (0)44 777 0020

Business identifier: FI2392019-2

4. On provision of services

The Processor provides the Data Controller with Internet services and Internet-accessible storage space, which the Data Controller can use, for example, to store and publish its website. The storage space may allow data to be stored, for example, as files or as objects in a relational database.

The Processor acts as a technical data recorder and provider of server space and has no specific knowledge of the content of the data stored by the Data Controller.

All data stored by the Data Controller on the Processor’s servers is controlled by the Data Controller.

As a rule, the services of the Data Controller are provided on shared servers. The shared servers store data of several different clients and access to this data is restricted.

5. On the rights and obligations of the data controller

The Data Controller is responsible for the definition of the Personal Data to be processed and for ensuring that it processes the Personal Data in accordance with the Data Protection Legislation and good data processing practices. The Data Controller is responsible for ensuring that there is a basis for the processing of Personal Data in accordance with the Data Protection Legislation.

The Data Controller is obliged to define the purposes and means of processing Personal Data and to provide the Processor with binding written instructions on the processing of Personal Data in accordance with the Data Protection Legislation.

The Data Controller shall ensure and be responsible for providing the data subject with all information required by the Data Protection Legislation regarding the processing of Personal Data. In addition, the Data Controller shall be responsible for ensuring that it has the right to transfer Personal Data for processing in accordance with this Data Protection Appendix and the Agreement (including to subcontractors used by the Processor) throughout the duration of the Agreement in accordance with the Data Protection Legislation.

The Data Controller is responsible for obtaining the necessary consents for the processing of Personal Data. In addition, the Data Controller is responsible for complying with all mandatory obligations and requirements for notifications to the authorities and obtaining authorisations for the processing of Personal Data. The Data Controller is responsible for implementing its own requests for amendment, deletion and information to its stakeholders in accordance with the GDPR.

The Data Controller is responsible for what data is stored in the online service, how it is processed (including any pseudonymisation) and where it is disclosed. The Data Controller is solely responsible for the accuracy, timeliness, content, reliability and lawfulness of the Personal Data disclosed to the Processor.

The Data Controller is responsible for ensuring that the online service is properly designed and implemented, either by the Data Controller itself or by the Data Controller’s online service development partner. Where the website is part of a larger information system containing particularly sensitive data (for example, a patient information system), it is the responsibility of the Data Controller to ensure that the processing of the website is properly segregated so that a security breach on the website does not result in a large-scale data leakage.

Both the Data Controller and the Processor shall be liable for any costs incurred by them in fulfilling their respective obligations under the Data Protection Legislation or this Data Protection Appendix.

6. On the rights and obligations of the processor

The Processor shall act in accordance with this Data Protection Appendix when providing services to the Data Controller under the Agreement. The Processor may use the Personal Data only for the purpose of fulfilling its obligations under the Agreement and the Processor shall not disclose or transfer the Personal Data to any third party, unless expressly agreed in writing between the Processor and the Data Controller.

The Processor shall comply with the applicable Data Protection Legislation and the instructions issued in writing by the Data Controller, which may be supplemented by the Data Controller during the contract period. The Processor is obliged to inform the Data Controller immediately if it considers the instructions to be unlawful, unless such information would be prohibited by law for important reasons of public interest.

It is the Processor’s responsibility to ensure that those who have access to Personal Data are aware that they are only entitled to process Personal Data in accordance with the Data Controller’s instructions, this Data Protection Appendix and the Data Protection Legislation.

The Processor must maintain a record of the processing activities for which it is responsible, where required by Data Protection Legislation.

The Processor is obliged to assist the Data Controller in activities where the Data Controller needs the Processor’s cooperation in order to fulfil its obligations under the Data Protection Legislation. Such activities may include, for instance, participating in impact assessments and providing information about practices and reports pertaining to data protection. If the Data Controller requests information or assistance with security-related measures, documentation or other information related to the Processor’s processing of Personal Data in such a way that the requests go beyond what the applicable Data Protection Legislation requires and this results in additional work for the Processor, the Processor shall be entitled to charge the Data Controller for such additional services.

The Processor shall, provided that it is appropriate and lawful, inform the Data Controller of requests for access to Personal Data made by the Data Subject and of requests for access to Personal Data made by public authorities, as well as of any queries under the Data Protection Legislation. The Processor will not process on behalf of the Data Controller any requests from third parties under the EU GDPR, but they will be transmitted as such to the Data Controller, who will verify their authenticity and relevance and respond to them as the Data Controller.

As stated previously, the Data Controller and the Processor are responsible for their own costs incurred in fulfilling their respective obligations under the Data Protection Legislation or this Data Protection Appendix.

The Processor does not monitor the information the Data Controller stores on its online service, but security practices are designed to allow the Data Controller to store Personal Data on its online service.

The Processor is obliged to develop its service in such a way that data security and data protection are implemented by default in the normal use of the service and that the Data Controller has tools at its disposal that support its role as a data controller and the exercise of the rights of Data Subjects in the typical use of the service. An example of a typical use is the verification or deletion of user data in the user database of a WordPress website.

7. Processor access to the Data Controller’s data

During the term of the Service Agreement, the Processor will not, under normal circumstances, add, delete or retrieve any information from the data stored by the Data Controllers without an explicit request from the Data Controller. Exceptions to this include, for example:

  • the collection, as part of providing the service, of log information about visitors to each of the Data Controller’s websites (e.g. IP address, country and AS number of the source network based on the IP address, browser version, etc.)
  • investigation and repair of faults and incidents
  • orders by the authorities
  • potential corrections to be made in the event of server changes
  • a data breach or an investigation into a suspected data breach
  • the closure of the service, or part of the service, under the general terms and conditions

Requests and instructions from the Data Controller must be recorded in the Processor’s customer relationship management system. When handling the above exceptions, the Processor’s technical staff may see parts of the data stored by the Data Controllers.

The Processor is not entitled to use customer data for any purpose other than the provision of the service under the service contract.

8. Data storage and security

When placing an order, the Data Controller has the possibility to choose, from among the options provided, the country in which the Data Controller’s online service and the data it contains will be located. However, back-up copies are always stored in Finland. The Processor will not transfer the website, including the Personal Data stored on it, to another country without the consent of the Data Controller.

The Processor must ensure that the Personal Data is protected in a technically and organisationally adequate and appropriate manner, taking into account the legal requirements. The Processor shall ensure that at least the following measures are taken:

  • pseudonymisation and encryption of Personal Data to the extent required by the Data Controller;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data; and
  • restoring the availability of and access to Personal Data without undue delay following a physical or technical incident.

The Data Controller is responsible for the appropriate and adequate security of the necessary equipment and IT environment under its responsibility, taking into account the specific characteristics of the Data Controller’s business.

Through backups and technical duplication, the Processor aims to maximise the preservation and integrity of the data. The backups are inaccessible to the Processor’s customers, so that, for example, the backups cannot be used to retrieve outdated data by accident.

The backups made by the Processor are only intended for recovery from failure situations, so their storage period is short. The time and format of backup copies may vary, and it may not be possible to easily restore a single file or other limited part of the service from the backup. At the request of the Data Controller, the Processor may examine whether the information needed by the Data Controller can be restored from backups. If the Data Controller needs backups in its own operations, it is responsible for organizing backups according to its needs.

9. Auditing

The Data Controller and/or a third party authorized by it for this purpose have the right to conduct an audit to assess the compliance with the data protection obligations according to this Data Protection Appendix and the level of data security to be observed in the processing of Personal Data. The Data Controller performs the audit once a year at most. However, the Data Controller may request inspections to be carried out more often, if required by the legislation applicable to the Data Controller.

The Processor must participate in the audit and provide the Data Controller with all the information necessary to demonstrate compliance with the Processor’s obligations. The Data Controller has the right to also audit the operations of the subcontractors used by the Processor to the extent that it is necessary to protect the Personal Data processed in the service.

Upon request, the Processor provides the Data Controller with the necessary information and allows and assists in audits in order to demonstrate that the Processor complies with the provisions of this Data Protection Appendix. The Processor, in its capacity as a processor of Personal Data, is obliged to make available to the Data Controller all information that is necessary for the Data Controller in its role as a data controller, so that the Processor can demonstrate having complied with its obligations set out in the GDPR.

The Processor has the right to refuse the audit, if it has been assigned to be performed by an entity considered to be a direct or indirect competitor of the Processor or an entity whose expertise or reliability can be reasonably doubted.

The Processor is not obliged to hand over to the Data Controller such information which is of minor importance in terms of data protection, or the handing over of which would violate the protection of the Processor’s business secrets or the interests of another customer or a third party.

If the audit detects a deficiency caused by the Processor, the Processor must rectify the matter at its own expense without delay.

If the Data Controller wishes to commission a separate data security audit, its execution will be agreed on a case-by-case basis. The Data Controller is responsible for the costs related to the audit. The time spent by the Processor’s personnel is billed at the Processor’s regular hourly rate.

10. Handling data security breaches

The Processor must notify the Data Controller of all data security breaches without undue delay, and if possible within 72 hours after the Processor has become aware of the data security breach. The notification must include the following information:

  • a description of the data security breach including information on which groups of Data Subjects have been affected by the data security breach and the estimated number of such groups;
  • the name and contact information of the contact person of the Processor handling the investigation of the data security breach;
  • a description of the realised consequences and/or likely consequences of a data security breach; and
  • a description of the measures the Processor has taken due to the data security breach and to mitigate its adverse effects.

If it is not possible to provide the above-mentioned information at the same time, the information can be provided in parts.

The Data Controller must notify the Processor without delay if the Data Controller suspects a data security breach. The Data Controller is also obliged to assist in the investigation of a data security breach and to provide the Processor with the necessary information to investigate the data security breach. The Processor has the right to suspend the investigation of a data security breach if the Data Controller does not respond to contacts or if the interest to be protected is obviously small.

In potential data security breach situations, the Processor informs the Data Controller about the situation, and the Data Controller itself is responsible for further informing, for example, its own customers or the registered users of its online store. In connection with data security breaches, the Processor may also inform the Cybersecurity Center of the Finnish Transport and Communications Agency, the police or other authorities and plan the necessary measures together with them.

11. Confidentiality

The Processor and any person acting under the authority of the Processor shall keep the Personal Data and other information received from the Data Controller confidential. In addition, the Processor shall ensure that only authorised persons have access to the Personal Data. The Processor must also ensure that the persons processing Personal Data are bound by a duty of confidentiality or are subject to an appropriate legal obligation of confidentiality.

The data stored by the Data Controller in the service will not be read or processed in any way other than what is necessary for the provision of the service.

12. Use of subcontractors and transfer of data

The Processor may use subcontractors to provide services to the Data Controller in accordance with this Data Protection Appendix. Where a subcontractor processes Personal Data on the basis of consent, the Processor shall be responsible for the subcontractor’s activities as if they were its own. The Processor shall ensure that its subcontractor complies with the confidentiality, security and data protection requirements of this Data Protection Appendix and the Agreement, as well as the Data Protection Legislation.

Appendix B of this Data Protection Appendix lists the current subcontractors who have access to Personal Data.

The Processor is entitled to change subcontractors during the duration of the Agreement. The Processor shall inform the Data Controller in advance of any changes in the subcontractors processing Personal Data.

By accepting this Data Protection Appendix, the Data Controller consents to the use of the Processor’s subcontractors as described above.

The Processor is responsible for ensuring that only its own staff and management have legal access to the subscriber’s data. Subcontractors are not granted access rights at a level that could give them access to any Personal Data stored by the Data Controller on the Service. An exception to this is the entity used by the Processor to carry out the invoicing.

13. Processing of personal data outside the EU/EEA

The Processor processes Personal Data primarily within the EU/EEA, but Personal Data may also be processed outside the EU/EEA. If Personal Data is transferred outside the EU/EEA, the transfer must be subject to appropriate safeguards required by law, such as the use of standard data protection clauses adopted by the European Commission. Upon written request, the Data Controller is entitled to obtain from the Processor information on the location of the processing of Personal Data.

14. Duration of processing and deletion of data

The Processor will process Personal Data only for as long as services are provided to the Data Controller under the Agreement.

Upon termination of the Agreement, the Processor, at the choice of the Data Controller, will either permanently erase or return all Personal Data to the Data Controller and will also erase any existing copies, except where the retention of Personal Data for a specified period after termination of the Agreement is required by law.

15. Costs related to data security and data protection issues

If the Processor is required to assist the Data Controller in complying with the provisions of the GDPR regarding data breaches, enforcement of the rights of Data Subjects and data protection impact assessment, the Processor is entitled to charge for reasonable hours of work performed at an hourly rate agreed by the parties. However, billing for the hours of work shall be subject to the prior approval of the Data Controller of the use of the time required to fulfil the assistance obligations.

16. Liability and other conditions

If the Data Subject suffers damage as a result of a breach of data protection obligations, the Data Controller and the Processor shall be liable for the damage suffered by the Data Subject in accordance with Article 82 of the GDPR. The Data Controller and the Processor shall each be liable for any sanctions imposed on them by the competent supervisory authority.

This Data Protection Appendix is valid for as long as the Agreement is in force and for as long after the termination of the Agreement or the end of the contractual period as is necessary to complete the activities related to the processing of Personal Data (such as the return of Personal Data to the Data Controller) or longer, if applicable law so provides.

Upon termination of the contractual relationship, the Processor shall delete all Personal Data of the Data Controller and copies thereof in its possession, unless the applicable legislation requires the retention of the Personal Data. Prior to the termination of the contractual relationship, the Data Controller may request in writing that the Processor provide a copy of the Data Controller’s Personal Data held by the Processor under the Agreement upon termination of the contractual relationship.