PERSONAL DATA PROCESSING TERMS AND CONDITIONS
1. Background and purpose, general obligation
The user of the services provided by FREE Laskutus Oy (“FREE”) is the “Client” in accordance with these terms and conditions.
The Client and FREE have entered into a contract according to the Service Terms and Conditions (“Service Agreement”), on the basis of which FREE provides the Client with invoicing, bookkeeping, administrative and/or consultation services, depending on which services the Client uses from time to time on the basis of the Service Agreement and the Service Terms and Conditions. In accordance with the purpose of the Service Agreement, FREE processes on behalf of the Client personal data relating to the Client’s operation. With regard to this personal data (below “personal data”), the Client is the Controller and FREE is the processor of personal data as meant in the General Data Protection Regulation (the GDPR) of the European Union.
The data processing terms and conditions form an integral part of the Service Agreement between the parties and shall be applicable in personal data processing relating to the contractual relationship between the parties.
The Parties undertake that in their cooperation and personal data processing they will comply with the General Data Protection Regulation (EU 2016/678) of the EU, the Data Protection Act (5.12.2018/1050), and any and all legislation and authorities’ regulations regarding data protection that are valid from time to time (together “Data protection legislation”).
The Client, as the Controller, guarantees that it has the right to, under Data processing legislation, process and transfer personal data to FREE to be processed by FREE pursuant to the Service Agreement.
2. Processor’s obligations
2.1 The Processor shall keep the Personal data confidential and shall process these only for the agreed purpose. The processor shall implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Data protection legislation, and the protection of the rights of the data subject is ensured.
2.2 The subject-matter of personal data processing is indicated in clause 2. FREE shall be entitled to process personal data in its operation for as long as the Service Agreement between FREE and its Client is valid, and, for each data subject, only for the duration required for the purpose-related processing of personal data. The processor shall, however, be entitled to store personal data longer if it has an obligation to do so pursuant to valid legislation or binding regulations by authorities.
2.3 The nature and purpose of personal data processing is the carrying out of the Service by FREE based on the Service Agreement. The classes of personal data are the clients’ names, birth dates and personal identification numbers, addresses, email addresses, phone numbers, invoicing details and payment transactions, personal data, and other contact details of the customers of FREE’s clients that are needed to produce the service; the categories of data subjects are representatives of the Client and representatives of the Client’s customers.
2.4 The processor shall ensure that persons authorized to process the personal data have agreed to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.5 When entering into the Service Agreement, the Client gives the processor prior consent to use the services of other personal data processors (sub-processors), provided that the processor ensures that the same data protection obligations are applicable to this other processor as set out in this Agreement, and that sufficient guarantees are provided that appropriate technical and organisational measures are implemented in such a manner that the processing will meet the requirements set out in the Data protection legislation.
2.6 The processor shall not be entitled to transfer personal data to a third party outside the EU and the EEA area without prior written consent from the Client.
When entering into the Service Agreement, the Client gives its express consent to personal data being processed in connection with the Service by the following enterprises operating in the USA:
- Hubspot, Inc – Cambridge, Massachusetts, USA – https://legal.hubspot.com/privacy-policy
- Google LLC (used services – Analytics, Google Workspace, YouTube): Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA: https://policies.google.com/privacy?hl=en_US
- Facebook Inc (used services – Facebook, Instagram, WhatsApp) – Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA: https://www.facebook.com/about/privacy/previous
- LinkedIn Corporation (a part of Microsoft): Sunnyvale, California, United States: https://www.linkedin.com/legal/privacy-policy
- Asana, Inc – 1550 Bryant Street, Suite 200, San Francisco, CA 94103, https://asana.com/terms
- Twilio, Inc (used services – Twilio, Sendgrid) – San Francisco, California – https://www.twilio.com/legal/tos
- Cloudtalk – Slovakia, Západný rad 31, 811 04 Bratislava – https://www.cloudtalk.io/terms-and-conditions
- Zoom Video Communications, Inc. – 55 Almaden Blvd, Suite 600 San Jose, CA 95113 – https://zoom.us/privacy
- ByteDance Ltd. (TikTok) – https://www.tiktok.com/legal/privacy-policy?lang=en – 5800 Bristol Parkway in Culver City, Los Angeles
- Yodiz – app.yodiz.com
- Miro – https://miro.com/legal/terms-of-service/ – 201 Spear Street, Suite 1100, San Francisco, CA 94105
- Clarity: Microsoft Corporation One Microsoft Way Redmond, WA 98052-6399 USA
- GCloud (used services – App engine, Kubernetes engine, Storage, Database): Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA – https://cloud.google.com/terms/cloud-privacy-notice – Data is stored at Hamina, Finland and Belgium
- Cloud City Oy – https://my.cloudcity.fi/privacy/ – Tähdenlennonkuja 1, 02240 Espoo, Finland
- AWS – Seattle, Washington, United States – https://aws.amazon.com/service-terms/ – Data is stored at Europe (Ireland)
By giving this consent, the Client acknowledges that transfers may give rise to risks to the data subject due to the lack of decisions concerning sufficient data protection and of appropriate protection measures.
2.7 The processor will implement technical and organizational measures appropriate to the risks relating to the processing in order to meet the requirements of Article 32 of the GDPR, so that (inter alia, but not limited to) the confidentiality, integrity and resilience of the processing will be ensured.
2.8 The processor shall prepare internal data protection instructions to defend against and prevent unauthorized and unlawful processing of personal data, and to defend against accidental loss, alteration, destruction, or damage of personal data. The processor shall be entitled to amend its instructions according to changing procedures provided that the security level of the data protection will not be negatively affected.
The processor shall be liable to ensure that its applicable data protection measures meet the requirements of the Data protection legislation, and based on these, sufficient technical and organizational measures will be implemented to ensure that the rights of the data subjects will not be endangered.
2.9 FREE shall, within its powers, assist the Client with appropriate technical and organizational measures to fulfill the controller’s obligation to respond to requests that concern the data subjects’ exercising their rights as set out in the GDPR, and assist in the implementation of these rights.
2.10 To fulfill the Client’s obligations, FREE shall i) provide without undue delay on the Client’s request a copy of the stored personal data of the data subject, ii) maintain personal data in such a structure and format that will enable the Client’s / data subject’s easy access to the personal data, and iii) assist the Client in the implementation of its report obligation as set out in the Data protection legislation.
2.11 The processor will assist the Client to ensure that 1) personal data will be processed safely, 2) any personal data breach shall be notified to the supervisory authority and if conditions so require, communicated to the data subjects, and 3) the data protection impact assessment and thereto related prior consultation can be made, if necessary.
FREE shall inform the Client of any personal data breach that comes to its attention within 48 hours of having become aware of the same.
2.12 The processor shall provide the Client with the requested necessary information to prove compliance with the obligations set out in the GDPR, shall allow assessments by the Client’s authorised auditor, and will participate therein.
2.13 The liability for damages owed by FREE to the Client on the basis of this Agreement is in total five thousand (5 000) Euro at maximum. FREE shall not be liable for any indirect damage incurred by the Client, such as lost profit, or decrease in production or business turnover.
2.14 The English language translation of these Data Processing Terms is a part of FREE customer service and is for convenience only. Should there be any discrepancies between the Finnish language version and the English version, the Finnish version shall prevail.
3.1 These terms and conditions shall become valid when the Client has registered itself as a user of the FREE service. The terms and conditions shall be applicable during the cooperation of the parties. The ending of the cooperation and contractual relationship between the parties shall not affect the rights and obligations established during the validity of the terms and conditions.
3.2 These terms and conditions shall replace any and all agreements possibly made between the parties in regard to personal data processing. FREE shall be entitled to update the terms and conditions in case amendments in the legislation or authorities’ orders should so require. Amendments to the terms and conditions shall be communicated to the Client in the FREE service before the amendment enters into force.