Processing of Personal Data (DPA)
REGISTER AND DATA PRIVACY STATEMENT
This is the company’s EU General Data Protection Regulation (GDPR) compliant register and data privacy statement. Created on 10.9.2021 and updated on 12.5.2022.
This privacy statement describes the collection and processing of personal data in connection with Rowly Oy.
1. DATA CONTROLLER
RowlyGO
3320839-3
Kisällinkatu 8,
70780 Kuopio
FINLAND
2. CONTACT INFORMATION FOR DATA-RELATED MATTERS
Data Protection Officer
Pasi Pesonen
pasi.pesonen@rowly.fi
+358 10 582 7302
3. INTRODUCTION AND PURPOSE OF THE AGREEMENT
3.1 This Data Processing Agreement (the “Appendix”) applies to agreements between Rowly Oy (“Supplier”) and the customer (“Customer”) regarding RowlyGO’s products and services, involving the processing of personal data of the Customer and/or the Customer’s clients (the “Agreement”).
3.2 This Appendix stipulates the privacy and data security for the personal data of the Customer and the Customer’s clients within the Supplier’s services. It constitutes a written agreement between the parties in accordance with the EU General Data Protection Regulation (679/2016) regarding personal data processing.
3.3 If there are conflicts between the terms of this Appendix and those of the Agreement concerning personal data processing, the terms of this Appendix shall take precedence.
4. DEFINITIONS
4.1 In this Appendix, the following terms are defined in accordance with the EU Data Protection Regulation:
“Data Controller” refers to the Customer, who determines the purposes and means of personal data processing.
“Processor” refers to the Supplier, who processes personal data on behalf of the Data Controller under the Agreement.
“Processing” refers to any operation or set of operations performed on personal data, whether by automated means or manually, such as collection, storage, organization, alteration, retrieval, use, dissemination, or deletion.
“Personal Data” refers to any information relating to an identified or identifiable natural person (data subject).
“Personal Data Breach” means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
5. DATA PROTECTION AND PERSONAL DATA PROCESSING
5.1 Responsibilities of the Supplier and Customer
5.1.1 The Supplier processes the Customer’s personal data on behalf of and as instructed by the Customer under the Agreement. Customer data may include details about members, employees, or other natural persons. The Customer is the Data Controller, and the Supplier is the Processor of the personal data processed within the service. Both parties agree to comply with the current legislation, regulations, and guidelines on personal data processing in Finland and the EU.
5.1.2 As the Data Controller, the Customer is responsible for ensuring the necessary rights and consents for personal data processing. The Customer is also responsible for preparing the statement and keeping it available, informing data subjects, and making necessary notifications to the data protection authorities.
5.1.3 The Supplier may only process the Customer’s personal data according to the Agreement, this Appendix, and the Customer’s written instructions, and only to the extent necessary for service provision.
5.2 Data Deletion/Return
5.2.1 Upon termination of the Agreement, the Supplier shall, at the Customer’s direction, either return or delete all personal data and existing copies, unless legal requirements mandate its retention.
5.3 Subcontractors
5.3.1 The Supplier has the right to use subcontractors in personal data processing. The Supplier remains responsible for subcontractors’ actions and must have equivalent data processing agreements with them.
5.4 Assistance Obligation
5.4.1 The Supplier will assist the Customer with responding to data subject requests, such as access, correction, deletion, or objection requests, through appropriate technical and organizational measures, if possible.
6. PROCESSING OUTSIDE THE EU/EEA
6.1 The Supplier and its subcontractors shall not process personal data outside the EU/EEA without the Customer’s written consent.
7. AUDIT
7.1 The Customer or an authorized auditor may audit the activities covered by this Appendix.
8. DATA SECURITY
8.1 The Supplier implements appropriate technical and organizational measures to protect the Customer’s personal data, taking into account the risks and the nature of the processing.
9. REPORTING DATA BREACHES
9.1 The Supplier shall notify the Customer of any personal data breaches without undue delay.
9.2 The Customer is responsible for notifying the data protection authorities and the data subjects if necessary.
10. OTHER TERMS
10.1 Each party shall be responsible for their respective compliance with data protection legislation.