Data Processing Addendum (DPA)

Updated on 10th of October 2023

THIS DATA PROTECTION ADDENDUM (the “Addendum”) forms an integral part of the Agreement (as defined in the GapHook Terms of Service).

The capitalized terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In case of discrepancies between this Addendum and the Agreement, the terms and conditions of this Addendum shall prevail.

The terms and conditions set forth in this Addendum concern the Processing activities of “us” (as defined in the GapHook Terms of Service), acting as the Supplier and Data Processor and/or data sub-processor, with respect to the Customer Personal Data we Process on behalf of “you” as Customer, acting as Data Controller.

The detailed context and description of the data processing hereunder is the following:

  1. Subject matter and duration: Processing of Customer Personal Data during term of Agreement
  2. Nature and purpose of the Processing: collection, storage, and use of Customer Personal Data in Service in order to provide the Service
  3. Type of personal data: full name, e-mail address, personal photo, employment details such as job title and organizational unit, areas of personal expertise and interest, and other personal data users may provide of themselves or other individuals
  4. Categories of data subjects: as a rule, employees of the Customer and other individuals the Customer or users authorized by the Customer choose to grant access to the Customer’s Account; and, in addition, other individuals whose personal data such users may enter into the Account as part of User Content.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

“Process/Processing”, “Personal Data”, “Data Controller”, “Data Processor” and “Data Subject” shall have the same meaning as in the Data Protection Laws, and “Data Controller” and “Data Processor” shall be interpreted in accordance with the terms “Controller” and “Processor”;

“Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with a Party, whereby control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of management or policies of an entity, whether through ownership of voting securities, by contract or otherwise;

“Applicable Laws” means (i) European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer is a Controller under EU Data Protection Laws; and (ii) any other applicable law, rule, code, treaty, ordinance, decisions, injunction, award or regulation, including from any competent court or regulatory and governmental authority with respect to any Customer Personal Data to which Customer is subject;

“Customer Personal Data” means the data of the Customer disclosed, transferred or where access is otherwise granted to the Supplier under the Agreement, as well as any other Personal Data Processed by the Supplier on behalf of the Customer pursuant to or in connection with the Agreement;

“Data Protection Laws” shall mean EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and Directive 2002/58/EC, in each case as transposed into domestic legislation of each member state of the EEA and in each case as amended, replaced or superseded from time to time (GDPR and Directive 2002/58/EC collectively as “EU Data Protection Laws”) and to the extent applicable, the data protection or privacy laws of any third country not member of the EEA;

“End Date” means the date falling on the earlier of (i) the cessation of Processing of the Customer Personal Data by the Supplier; or (ii) termination of the Agreement;

“Party” means Customer or Supplier individually and “Parties” means Customer and Supplier jointly;

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed;

“Service” means the services to be supplied by Supplier and/or Supplier Affiliates to Customer pursuant to the Agreement;

“Sub-processor” means any Data Processor (including any third party and any Supplier Affiliate) appointed by Supplier to Process Customer Personal Data on behalf of the Customer;

“Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.

2. Data processing terms

2.1 In the course of providing the Service to Customer pursuant to the Agreement, Supplier may Process Customer Personal Data on behalf of the Customer. Supplier agrees to comply with Data Protection Laws and the provisions set out in this Addendum with respect to any Customer Personal Data Processed by the Supplier in connection with the Service or otherwise Processed for the Customer by the Supplier.

3. Processing of customer personal data

3.1 The Supplier shall only Process such Customer Personal Data necessary for the provision of the Service or otherwise in connection with the purposes of the Agreement. The Supplier undertakes not to Process the Customer Personal Data except in accordance with the Customer’s written instructions given in the Agreement or this Addendum, unless such Processing is required by Applicable Laws to which Supplier is subject.

3.2 Customer warrants that the Customer is, and for the duration of the Agreement remains, in compliance with any and all responsibilities set out for Data Controllers under Data Protection Laws towards Data Subjects, the Supplier and relevant third parties.

3.3 Customer warrants in particular that Customer is entitled to disclose or transfer Customer Personal Data to the Supplier for lawful Processing hereunder.

3.4 Customer acknowledges that due to the nature of the Service, Supplier cannot control and has no obligation to verify Customer Personal Data transferred or made available to Supplier for Processing under the Agreement.

4. Supplier personnel

4.1 Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Customer Personal Data, shall ensure that access is strictly limited to those individuals who need to access the relevant Customer Personal Data for the agreed purposes, and shall ensure that all such individuals:

  1. are informed of the confidential nature of the Customer Personal Data and are aware of Supplier’s obligations under this Addendum and the Agreement in relation to the Customer Personal Data;
  2. have undertaken training in relation to the Data Protection Laws; and
  3. are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

5.1 The Supplier implements appropriate technical and organizational measures to ensure an appropriate level of security, such as the measures described in article 32 of the GDPR.

5.2 In assessing the appropriate level of security, the Supplier shall take into account the risks that are presented by Processing, in particular relating to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Customer Personal Data Processed.

6. Sub-processing

6.1 Customer acknowledges and hereby authorizes the Supplier to engage Sub-processors in connection with the performance of the Supplier’s obligations under the Agreement.

6.2 Supplier undertakes to inform Customer of changes (additions or replacements) in the Sub-processors used by Supplier for the purposes of Processing Customer Personal Data in connection with the Agreement. Customer may, for a justifiable reason pertaining to privacy and data protection, object to the use of a certain Sub-processor. In such case, the Parties shall strive to find an alternative solution for the Processing of Customer Personal Data for the purposes of providing the Service under the Agreement. If no such solution is found, Supplier may terminate or suspend the Processing of Customer Personal Data without being in breach of the Agreement.

6.3 With respect to each Sub-processor, the Supplier shall:

  1. only use Sub-processors that, to the Supplier’s reasonable knowledge, are capable of providing the level of protection for Customer Personal Data required by this Addendum, such that the Processing will meet the requirements of the GDPR and this Addendum;
  2. include terms in the contract between the Supplier and each Sub-processor which are substantially similar to those set out in this Addendum; and
  3. remain liable (subject to the GDPR) for the actions of its Sub-processors as it is for its own.

7. Data subject rights

7.1 The Supplier agrees to reasonably and insofar as practically possible assist the Customer in the fulfilment of the Customer’s obligations (as a Controller in each case) to respond to requests for exercising Data Subject rights established by the GDPR. The Supplier shall without undue delay notify the Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data.

7.2 The Supplier agrees to reasonably and insofar as practically possible co-operate with the Customer to enable the Customer to comply with the exercise of rights by a Data Subject under any Data Protection Laws in respect of Customer Personal Data, and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Customer Personal Data or this Addendum, e.g. by providing the Customer with the necessary information on the Supplier’s Processing of the Customer Personal Data.

7.3 The Customer shall reimburse the Supplier for reasonable costs incurred by Supplier while providing assistance to Customer in accordance with sections 7.1 and 7.2 above.

8. Personal data breach

8.1 Supplier shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach, providing the Customer with sufficient information which allows the Customer to meet its obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall include the information required under article 33 GDPR. The information can also be provided in instalments if the Supplier cannot reasonably provide all required information at once.

8.2 In the event of a Personal Data Breach, the Supplier shall not inform any third party without first obtaining Customer’s prior written consent, unless notification is required by Applicable Laws to which the Supplier is subject, in which case the Supplier shall to the extent permitted by such law inform Customer of that legal requirement, provide a copy of the proposed notification and consider any comments made by Customer before notifying the third party.

8.3 The Customer shall reimburse the Supplier for reasonable costs incurred by Supplier while providing assistance to Customer in accordance with sections 8.1 and 8.2 above.

9. Data protection impact assessment and prior consultation

9.1 The Supplier shall provide reasonable assistance to Customer with any data protection impact assessments which are required under article 35 GDPR and with any prior consultation to any supervisory authority of Customer which are required under article 36 GDPR, in each case solely in relation to Processing of Customer Personal Data by the Supplier on behalf of the Customer and taking into account the nature of the Processing and information available to the Supplier.

9.2 The Customer shall reimburse the Supplier for reasonable costs incurred by Supplier while providing assistance to Customer in accordance with section 9.1 above.

10. Deletion or return of customer personal data

10.1 Following the End Date, the Supplier shall within a reasonable time period but in any case within six (6) months delete and procure deletion of all copies of Customer Personal Data Processed by the Supplier or its Sub-processor(s), unless the Supplier is required to retain the Customer Personal Data due to mandatory requirements under Applicable Laws.

10.2 Further to Section 10.1 above, the Customer may request the Supplier to provide a copy of the Customer Personal Data. Such Customer Personal Data shall be delivered in an electronic form commonly in use. Supplier shall have the right to charge for the collection, processing and delivery of the information in accordance with its then current price list.

10.3 Supplier reserves the right to use volume and statistical information relating to Service usage, provided that such information is in anonymous and aggregate format, for Service improvement, marketing purposes, creating statistics and analyses, and for other commercial purposes.

11. Audit rights

11.1 Upon request, the Supplier agrees to make available to Customer the information necessary to demonstrate compliance with this Addendum and to allow for and contribute to audits, including inspections, of the Supplier’s premises where the Processing of Customer Personal Data takes place, conducted by Customer or by a third-party auditor approved by Supplier (such approval not to be unreasonably withheld) and agreed by both Parties, in order to assess compliance with this Addendum. The Supplier shall permit Customer or its mandated auditor to inspect, audit and copy the Supplier’s relevant records, and to inspect and audit processes and systems. The Supplier agrees to co-operate in respect of such audit. All audits by the Customer or a mandated auditor are subject to thirty (30) days’ prior written notice.

11.2 Unless otherwise agreed between the Parties, the Customer is allowed to conduct one (1) audit in every twelve (12) months. Any audit must be conducted during normal business hours and in a way that does not cause substantial disturbance to Supplier’s business operations. Customer shall bear all costs for such audit, unless the audit reveals that the Supplier has committed a substantial breach of this Addendum, in which case Supplier shall bear the audit costs.

11.3 The Customer also has the right to request and receive from the Supplier the information and material strictly necessary for regulatory supervision, auditing, or internal risk management and supervision relating to Customer’s operations. This includes allowing audits at the Supplier’s premises used for Processing Customer Personal Data performed by Supervisory Authorities or auditors. The Supplier shall ensure that its Sub-processors are likewise obligated to give the necessary information and material and to allow audits as stated above.

12. Transfers

12.1 The Customer accepts that Supplier may have Personal Data Processed by, and accessible to, Supplier or its Sub-processors outside the European Economic Area (“EEA”) in order to provide the Service. If Personal Data is transferred from the EEA for Processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Customer authorizes Supplier to enter, on behalf of and in the name of the Customer, into the Standard Contractual Clauses adopted or approved by the European Commission applicable to Processing outside the EEA, or Supplier shall provide other appropriate safeguards for the protection of the Personal Data transferred outside the EEA as set out in the GDPR.

13. Liability

13.1 Each Party’s liability for the damages incurred by any Data Subject in connection with the Processing of Customer Personal Data under the Agreement shall be defined in accordance with article 82 of the GDPR, or another corresponding and applicable provision of compulsory Data Protection Laws.

13.2 The Supplier shall not be liable for any indirect or consequential loss or damage caused in connection with this Addendum or the Agreement. Otherwise, the liability terms of the Agreement shall apply to Processing of the Customer Personal Data by the Supplier on behalf of the Customer.

14. General terms

14.1 The Parties agree that this Addendum shall terminate automatically upon (i) termination of the Agreement; or (ii) expiry or termination of all service contracts, statements of work, work orders or similar contract documents entered into by Supplier with Customer pursuant to the Agreement, whichever is later.