Data Processing Agreements
This data processing agreement applies between Caverion and its customer where so stated in a signed agreement between the parties.

1. INTRODUCTION

This Data Processing Agreement (“DPA”) is an essential part of the main agreement (“Agreement”). The Agreement defines who is the customer (“Controller”) and the applicable Caverion entity (“Processor”). The parties have agreed on the provision of services as part of which the Processor processes personal data on behalf of the Controller. The services for which the personal data is processed are described in the Agreement. The Processor and the Controller are referred to individually as “Party” and collectively as “Parties”.

This DPA sets out the Parties’ obligations regarding data protection and compliance with Data Protection Laws under the Agreement. In the event of conflict between this DPA and the Agreement, the provisions of this DPA shall prevail. Except as expressly modified hereby, all other terms and conditions of the Agreement shall remain unchanged and in full force and effect in accordance with their terms. Terms used in this DPA shall have the same meaning as in the applicable Data Protection Law unless defined otherwise.

2. DEFINITIONS

“Countries with Adequacy Decision” shall mean the European Union and the European Economic Area or other countries whose laws the European Commission considers to provide an adequate level of protection of personal data.

“Personal Data” shall mean any information relating to an identified or identifiable natural person (as personal data is defined in the Data Protection Laws) which the Processor processes on behalf of the Controller under the Agreement.

“Data Breach” shall mean a data breach, as defined in the Data Protection Laws.

“Data Subject” shall mean a person, as defined in the Data Protection Laws, whose Personal Data the Processor processes under the Agreement.
“Data Protection Laws” shall mean, without limitation and as applicable, all directly applicable EU legislative acts related to the protection of personal data as in force from time to time, and other applicable data protection legislation and rulings in the country where the services are agreed to be provided under the Agreement.

3. COMPLIANCE WITH LAWS AND THE CONTROLLER’S INSTRUCTIONS

Both Parties shall be responsible for ensuring that the processing of Personal Data is done in accordance with Data Protection Laws and good data processing practices.

To the extent that the Processor is processing Personal Data on behalf of the Controller, the Processor shall process Personal Data solely to the extent necessary for fulfilling its obligations under the Agreement and in accordance with the procedures conforming to the Controller’s requirements and instructions expressly provided in the Agreement or this DPA, which constitute the Controller’s complete written instructions. If the Controller at a later date during the Agreement provides new or additional instructions, such instructions must be in writing. Should any future written instructions of the Controller require active actions from the Processor, the Controller will compensate the Processor for the costs incurred. The Processor shall use its best reasonable endeavours to follow the instructions and shall inform the Controller if, in its opinion, the Controller’s instructions infringe the Data Protection Laws.

The Processor shall ensure that its subcontractors comply with the same requirements applicable to the Processor in the processing of Personal Data.

The Processor shall not process the Personal Data for any purposes other than those specified in the Agreement and this DPA unless required to do so by European Union or national law to which the Processor is subject.
In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4. DATA CONTROLLER’S RIGHTS AND OBLIGATIONS

The Controller shall:
give the Processor documented and comprehensive instructions;
have the right and responsibility to specify the purpose and means of processing;
warrant that all Data Subjects have been provided with all appropriate notices and information, and establish and maintain for the term of processing the necessary legal grounds for transferring the Personal Data to the Processor and allowing the Processor to perform the processing as agreed in this DPA;
confirm that the Controller represents its affiliates or third parties under this DPA and allow the Processor to process the Personal Data according to the terms of this DPA and the Agreement; and
confirm that the processing under this DPA meets the Controller’s requirements regarding information security and that it has provided the Processor with all necessary information for the Processor to be able to perform the processing in compliance with Data Protection Laws.

5. TRANSFER OF PERSONAL DATA OUTSIDE THE COUNTRIES WITH ADEQUACY DECISION

Unless otherwise agreed, the Processor will not process Personal Data in a country outside the Countries with Adequacy Decision.
Should the Personal Data be transferred for processing to a country that is not a Country with Adequacy Decision, the Processor shall ensure compliance with the Data Protection Laws in connection with all such transfers of Personal Data and enter into the appropriate contractual arrangements (including with the Controller itself) on the transfer of Personal Data to third countries (the Standard Contractual Clauses issued by the European Commission by Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the, or any subsequent legal instrument permitting the lawful transfer of Personal Data to non-European Economic Area countries).

6. CONFIDENTIALITY

Except to the extent necessary for the Processor to perform its obligations towards the Controller under the Agreement, the Processor shall keep Personal Data confidential, shall have no rights to Personal Data, and, unless specifically agreed otherwise with the Controller in writing, shall not access, use, process, disclose, or transfer Personal Data, in part or in whole, to any third party during or after the term of the Agreement unless legally required.

Upon termination or expiry of the Agreement, at the Controller’s instructions, the Processor shall delete or return to the Controller all the Personal Data after the end of the provision of the services relating to the processing, and delete existing copies unless the Data Protection Laws require storage of the Personal Data. Deletion and return methods may be further agreed between the Parties.

7. USE OF THIRD PARTIES IN DATA PROCESSING

The Processor may engage subcontractor(s) to process Personal Data provided that such engagement is under a written contract, and the subcontract requires the subcontractor(s) to comply with the same obligations applicable to the Processor.
The Processor is responsible for its subcontractors’ obligations under this DPA in the same way as it is responsible for its own obligations. The Processor shall inform the Controller of any intended changes concerning the addition of new subcontractors processing Personal Data before the change takes effect. If the Controller objects, it may terminate the part of the Agreement to which the sub-processing relates by thirty days’ written notice to the Processor. If the Controller does not object within seven (7) days, the Processor may use the new subcontractors. The current list of approved subcontractors is in Exhibit B (Subcontractors used in Data Processing).

8. SAFEGUARDS

The Processor shall implement, and use its reasonable efforts to maintain, relevant operational and technical measures to protect the Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access, as required by the Data Protection Laws. The Processor shall implement the following measures, as applicable:
the pseudonymization and encryption of the Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Processor shall keep appropriate records of processing activities carried out on behalf of the Controller under the Agreement. The Processor shall limit access to Personal Data to authorized personnel with a well-defined “need-to-know” basis who are bound by appropriate confidentiality obligations.

9. DATA BREACH NOTIFICATION

The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach.
The Processor shall provide the Controller with reasonably detailed written notice of its discovery of any Data Breach. The Data Breach notification shall contain at least the following:
a description of the nature of the Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
the name and contact details of the contact point where more information can be obtained;
a description of the likely consequences of the Data Breach; and
a description of the measures taken or proposed to be taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide all the information at the same time, the Processor may provide the information in phases. The Controller shall notify the Processor without undue delay if it suspects a Data Breach that concerns Personal Data processed under the Agreement.

10. RIGHT TO AUDIT

The Controller shall have the right to audit the processing activities of the Processor under this DPA to examine the level of protection and security provided for Personal Data processed under the Agreement. The Parties agree that this right will be exercised by appointment of a recognized, independent third-party auditor with proven experience in the field. Such third party must not be a competitor of the Processor, and prior to commencement of any auditing activities the auditor must sign a confidentiality agreement with the Processor that is substantially similar to the confidentiality provisions contained in the Agreement. The audit timetable, method and scope will be agreed beforehand between the Parties, and the audit may not burden the Processor or endanger the Processor’s or the Processor’s other clients’ delivery, quality, security or confidentiality. The Controller will pay all costs related to the audit.
In the event of an audit request directly from a supervisory authority regarding the processing of Personal Data, the Processor must cooperate with the Controller in answering the request.

11. ASSISTING THE CONTROLLER

If requested by the Controller in order for the Controller to comply with the Data Protection Laws, the Processor shall, at its standard rates, provide the Controller with such information and cooperation regarding the processing of Personal Data under the Agreement as the Controller may reasonably request, including:
assisting in facilitating the exercise by Data Subjects of their rights;
assisting the Controller in providing individuals whose Personal Data is being processed with such information regarding the processing as the Controller may reasonably request; and
assisting the Controller in ensuring compliance with the obligations relating to data protection impact assessments and prior consultation, taking into account the nature of the processing and the information available to the Processor.

12. LIABILITY

The limitations of liability set out in the Agreement shall apply to the processing of Personal Data contemplated under this DPA. The Parties agree that responsibility for administrative fines imposed by any supervisory authority or claims by Data Subjects is divided between the Parties according to their respective responsibilities; thus the Party that has failed to perform its legal obligations under Data Protection Laws, as decided by the relevant supervisory authority or competent court authorized to impose such fines or damages, is responsible for paying such fines or damages.

13. GOVERNING LAW AND DISPUTE RESOLUTION

The governing law and dispute resolution provisions set out in the Agreement shall apply to this DPA.

14. APPENDICES

This DPA has the following appendices:
Exhibit A: Technical and Organizational Measures

Details of personal data and its processing, including the subcontractors used, will be specified in the Agreement.
Exhibit A: Security Document

Technical and organizational measures according to Art. 32 GDPR

In compliance with its obligations under Article 32 of the GDPR, Caverion has implemented the following measures:

Organizational management and assignment of specialized personnel responsible for developing, implementing and maintaining the information security program.

Audit and risk assessment processes for the purpose of periodically reviewing risks to the organization, monitoring and complying with the requirements of generally applicable data protection laws, and reporting on the state of information security to management.

Data security controls including, at a minimum, logical data separation, access restrictions, access monitoring and the use of industry-standard commercial encryption technologies for personal data that: are transmitted via public networks (e.g. the Internet) or by radio communication; or are stored on portable or removable media (e.g. laptops, CD/DVD, USB memory, back-up tapes).

Access controls that manage electronic access to data and system functionalities based on competency levels and areas of activity (e.g. granting access on a need-to-know basis with least privilege, use of one-time user IDs and passwords for all users, and periodic review and revocation/modification of access rights when a collaboration is terminated or there is a change in the scope of activity).

Password protection, which enables management and control of the strength, expiration and use of passwords, prevents users from sharing passwords, and requires that employee passwords: (i) are at least eight (8) characters long; (ii) are not stored in readable form on computer systems; (iii) are changed regularly; (iv) have a degree of complexity; and (v) where newly issued, are changed after first use.

System audits, event logging and related monitoring processes to proactively record user access and system activity.
Physical and environmental security of data centers, server rooms and other areas containing Personal Data, designed to: (i) protect information assets from unauthorized physical access; (ii) manage, monitor and log personal access to the Controller's facilities; and (iii) protect against environmental risks such as heat, fire or water damage.

Operations and controls to ensure the configuration, monitoring and maintenance of technology and information systems in accordance with prescribed internal and industry standards. This also includes the safe disposal of systems and media by making the information illegible and irretrievable before disposal or abandonment.

Change management procedures and tracking techniques designed to test, approve and monitor all changes to technology and information systems at Caverion.

Incident and problem management procedures that allow Caverion to investigate, respond to, mitigate and report events related to technology and information systems.

Network security controls that enable the use of corporate firewalls and layered DMZ architectures, as well as intrusion detection systems and other systems for inspecting traffic and correlating events.

Vulnerability testing, patch management, threat protection technologies and monitoring processes designed to detect, screen, contain and protect against security risks, viruses and malicious code.

Business resilience and contingency plan procedures to maintain operations and/or recover from foreseeable emergency situations.