TERMS OF THE DATA PROCESSING AGREEMENT (the “DPA”) regarding the processing of Personal Data. The customer agreeing to these terms (the “Customer” or “Controller”) and Fixably Oy, Company ID 2694664-6 (“Fixably” or “Processor”) have entered into an agreement under which Fixably, which operates http://www.fixably.com (the “Site”), has agreed to provide the software-as-a-service application also known as Fixably (the “Software”) and related Services and technical support to the Customer (as amended from time to time, the “Agreement”).


1. Background and purpose

1.1 The purpose of this DPA is to set out the terms and conditions for the processing of Personal Data in accordance with the applicable Data Protection Regulation.

1.2 Fixably is a processor of the Customer’s Personal Data under the applicable Data Protection Regulation.

1.3 The Customer is a controller in accordance with the applicable Data Protection Regulation.

1.4 This DPA sets out the terms and conditions for the Processor’s processing of those Personal Data that the Processor has received or that the Controller has otherwise transferred to the Processor for the purposes of the performance of the Agreement.

1.5 The Controller instructs Processor to process Personal Data on behalf of the Controller for the sole purpose of providing the Software and Services under the Agreement, including the activities and purposes as further instructed by Controller in writing.

1.6 The Processor acts as the Data Processor and the Controller acts as the Data Controller, as defined in the Data Protection Regulation.

2. Definitions 

Unless otherwise stated herein, the following terms and expressions, including their grammatical variations, shall have the meaning set forth below:

“Confidential Information”

means all material and information received from the other Party, including but not limited to Personal Data, regardless of the possible media and received in whatever form marked as confidential or otherwise deemed to be confidential.

“Contracted Processor”

means a Subprocessor as defined below.

“Data Controller”

means a data controller, as defined in Data Protection Regulation, determining the purpose and means of Personal Data processing.

“Data Processor”

means a data processor, as defined in Data Protection Regulation, processing Personal Data on behalf of the Data Controller.

“Data Protection Regulation”

means the General Data Protection Regulation "GDPR" (2016/679/EU), national Data Protection Act (1050/2018, as amended) in force from time to time and other applicable data protection legislation and regulations as in force and amended from time to time as well as instructions and binding orders of data protection authorities.

“Data Subject”

means an individual whose Personal Data is processed by the Data Processor under this DPA.

“Personal Data”

means any information relating to an identified or identifiable natural person considered as Personal Data under applicable Data Protection Regulation, and which the Data Processor has received from the Data Controller.

“Personal Data Breach”

means a breach of security leading to the accidental, unlawful or unauthorized destruction, loss or alteration of Personal Data, the unauthorized disclosure of Personal Data to, or access to Personal Data by, third parties, or any other event that compromises the confidentiality, integrity or availability of the Personal Data.

“Services”

refers to the Service Order Management solution (the Fixably Software) used to process customer data in order to conduct the repair operations the Controller provides to its customers.

“Subprocessor”

means a third party whose services the Processor uses to process the Personal Data in accordance with the terms of this DPA.

2.1 Any terms not defined herein shall have the meaning allocated to them in the Data Protection Regulation.

3. Processing of Personal Data

3.1 The subject, purpose and means for processing of the Personal Data are set forth in Appendix 1 or in the documented instructions received from the Controller by email to privacy@fixably.com prior to the start of processing the Personal Data.

4. Rights and Responsibilities of the Parties

4.1 The Data Controller shall:

(a) process the Personal Data in compliance with the Data Protection Regulation and good data protection practice;

(b) be entitled to give more detailed instructions to the Processor on the processing of the Personal Data;

(c) control the use and processing of the Personal Data;

(d) retain title and ownership to the Personal Data;

(e) be responsible for the lawfulness of the processing of Personal Data; and

(f) be responsible that it has the right to transfer the Personal Data to the Processor.

4.2 The Data Processor shall:

(a) process Personal Data in compliance with the Data Protection Regulation and good processing practice with appropriate precautions and by high professional standards;

(b) process the Personal Data only in accordance with the terms of this DPA and documented instructions of the Controller;

(c) maintain an up-to-date record of all processing of the Personal Data carried out on behalf of the Controller;

(d) take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access the relevant Personal Data, as strictly necessary for the purposes of the Agreement and for compliance with the Data Protection Regulation in the context of that individual’s duties to the Contracted Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality, so that its employees and other persons who have the right to process Personal Data have undertaken to keep the Personal Data confidential;

(e) taking into account the latest technology, implement technical, physical, and organizational measures to ensure a high level of security for the processing of the Personal Data and to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The Processor shall at least implement the security measures set out in Appendix 2;

(f) taking into account the nature of the processing of the Personal Data, assist the Controller with appropriate technical and organizational measures to fulfil the Controller’s obligation to reply to requests concerning the rights of Data Subjects;

(g) assist the Controller in ensuring that the requirements relating to the security of the processing, notifications of data breaches and obligations relating to data protection impact assessments set forth in the Data Protection Regulation are complied with, taking into account the nature of the processing and the information available to the Processor; and

(h) provide the Controller with all information necessary for the Controller to ensure its compliance with all of its obligations set out in the Data Protection Regulation.

5. Subcontractors

5.1 The Controller gives prior authorization for the Processor to use the services of another data processor (Subprocessor). The Processor is obliged to ensure, through regular review, that the Subprocessors comply with the confidentiality, data security and other obligations specified in this DPA.

5.2 The Processor must enter into written agreements with each Subprocessor concerning the processing of Personal Data. At the Controller’s request, the Processor shall provide information concerning the implementation of the data security and confidentiality obligations by the Subprocessors.

5.3 The Processor is responsible for its Subprocessors’ work as for its own. Any neglect, willful misconduct or gross negligence by a Subprocessor shall be deemed as neglect, willful misconduct or gross negligence by the Processor.

6. Data Subject Rights

6.1 Taking into account the nature of the processing of Personal Data, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, to respond to requests to exercise Data Subject rights under the Data Protection Regulation.

6.2 Processor shall:

(a) promptly notify Controller if it receives a request from a Data Subject under any Data Protection Regulation in respect of Personal Data; and

(b) ensure that it does not respond to that request except on the documented instructions of the Controller or as required by applicable laws to which the Processor is subject, in which case Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before the Processor responds to the request.

7. Transfer of Personal Data

7.1 The Processor shall not transfer any Personal Data to any country outside the European Union or the European Economic Area without prior written approval from the Controller and in accordance with the conditions set out in the Data Protection Regulation.

7.2 If the use of Subprocessors requires a transfer of Personal Data outside of the European Union and European Economic Area, and such transfer is approved by the Controller, the Processor shall have the right, on behalf of the Controller, to transfer the Personal Data to the Subcontractors in accordance with the European Commission’s unamended standard contractual clauses, as required to satisfy the requirements of Data Protection Regulation. Once concluded, the Processor shall provide a copy thereof to the Controller. Any such standard contractual clauses shall automatically terminate upon the termination of this DPA.

8. Records

8.1 The Processor shall maintain a record of all Personal Data processing carried out on behalf of the Controller. Records should include at least:

(a) the name and contact details of the Processor and their representatives;

(b) the categories of processing activities carried out on behalf of the Controller;

(c) where applicable, information regarding data transfers outside of European Union and/or European Economic Area and the documentation of the appropriate safeguards;

(d) a general description of the technical and organizational security measures that are implemented; and

(e) a list of Subcontractors used for processing of Personal Data (if any).

8.2 The Processor shall provide Controller with the record without undue delay upon the Controller’s request.

9. Auditing

During the Term of this DPA, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or by an independent auditor mandated by the Controller and bound by appropriate confidentiality obligations, relating to the processing of Personal Data. The Controller shall give notice of the audit thirty (30) days prior to its execution, and audits shall be conducted during normal office hours on weekdays. The Controller shall bear the costs related to the audit unless the audit reveals that the Processor has not processed Personal Data in compliance with this DPA. If the Processor has not fulfilled its obligations as set out in this DPA, the Processor shall bear the costs related to the audit.

10. Notification concerning Personal Data Breach

10.1 The Processor shall document all Personal Data Breaches and notify the Controller without undue delay after becoming aware of a Personal Data Breach.

10.2 The Personal Data Breach notification shall contain the information necessary for the Controller to fulfil its notification obligations under the Data Protection Regulation and at least (to the extent the Processor has this information):

(i) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;

(ii) a description of likely consequences and/or realized consequences of the Personal Data Breach; and 

(iii) the name and contact details of the person responsible for the Processor’s data protection matters.

10.3 After receiving the notification concerning the Personal Data Breach, the Controller shall without undue delay give the Processor written directions about the appropriate measures to minimize the consequences of the Personal Data Breach. The Processor shall also independently take necessary measures to secure the Personal Data and to minimize the consequences of the Personal Data Breach.

11. Returning or Destroying Personal Data

11.1 Upon expiry or termination of this DPA, or upon the Controller’s written request, the Processor shall, at the Controller’s choosing, either destroy or return to the Controller all Personal Data, including all copies thereof, within 10 business days.

12. Indemnification and Limitations of Liability

12.1 If a Party is in material breach of this DPA or Data Protection Regulation, that Party is liable for the damages arising from the breach to the other Party in full.

12.2 Unless applicable laws and regulations specifically require otherwise, neither Party shall be liable:

(a) for any indirect or consequential damage related to this DPA;

(b) for damage caused by an event beyond the control of the Party affected, provided that such Party could not reasonably have foreseen such event at the time of entering into this DPA and could not reasonably have avoided or overcome its consequences.

12.3 The Parties agree that the Parties’ liability, relating to administrative fines and/or damages issued by a Supervisory Authority, is allocated under this DPA based on each Party’s responsibility to fulfil its obligations under the Data Protection Regulation. As such, each Party is responsible for those administrative fines and/or damages issued by a Supervisory Authority in relation to the Party’s breach of its obligations under the Data Protection Regulation.

12.4 If a Party has paid restitution to the Data Subject for the damages caused by a breach of Data Protection Regulation, said Party shall have the right, notwithstanding the agreed limitation of liability, to claim from the other Party engaged in the same data processing its share of the damages paid to the Data Subject.

13. Confidentiality

13.1 The Parties shall keep Confidential Information received from the other Party based on this DPA confidential and use it only for the purposes set in this DPA and retain the Confidential Information in a manner that prevents it from being disclosed to a third party.

13.2 The Confidential Information does not, however, include information

(i) which is approved for release or use by prior written express authorization of the assigning Party;

(ii) which has been available in the public domain or later comes into the public domain through no fault of the acquiring Party;

(iii) which verifiably was in the knowledge of the acquiring Party before the Confidential Information was assigned to the acquiring Party.

14. Term and Termination of the DPA

14.1 This DPA shall become effective on the date when the Parties enter into the Agreement.

14.2 This DPA shall terminate on the date when the Processor no longer processes Personal Data, whichever is later.

14.3 Termination or expiration of this DPA shall not discharge the Data Processor from its responsibilities and obligations pursuant to this DPA including but not limited to the confidentiality obligation and all other obligations pursuant to the Data Protection Regulation.

15. Governing Law and Jurisdiction

15.1 Any dispute, controversy, or claim arising out of or relating to this DPA, or the breach, termination, or validity thereof that cannot be settled amicably, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce. The number of arbitrators shall be one and the seat of arbitration shall be Helsinki. The arbitral proceedings shall be conducted in the English language.

16. Miscellaneous

Amendments. Any amendment to this DPA shall be in writing and shall have no effect before it is signed by the duly authorized representatives of both Parties.

Appendices

Appendix 1 The subject, purpose and means of processing of Personal Data

Appendix 2 Security measures


Appendix 1

THE SUBJECT, PURPOSE AND MEANS OF PROCESSING OF PERSONAL DATA


Subject matter

Fixably’s provision of the Software and Services to the Customer

Duration of the processing

The term of this DPA until deletion of all the Customer’s Personal Data by Fixably in accordance with this DPA.

Nature and purpose of the processing

Fixably will process the Customer’s Personal Data for purposes of providing the Software and Services to the Customer in accordance with the Agreement.

Categories of Data

Data relating to the Customer, provided to Fixably by the Customer via the Software and Services.

Data subject

An individual whose Personal Data is processed by the Data Processor under this DPA.



Appendix 2

SECURITY MEASURES


The Processor shall implement appropriate technical, physical, and organizational measures to ensure a high level of security for the processing of Personal Data and to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. In addition, the Processor guarantees that systems and processes used for processing Personal Data comply with any statutory requirements regarding data protection by design and data protection by default.

The Processor complies with the principles of the latest version of the ISO/IEC 27001 standard and relevant IT security baselines. These requirements support the EU GDPR requirements of Article 25 (data protection by design and by default) and Article 32 (security of processing).

At a minimum, the Processor must ensure that the following measures have been taken:

1. Organizational measures

  • Access (physical as well as logical) to Personal Data and the systems processing Personal Data is limited to persons with a work-related need for access.
  • Employees authorized to access Personal Data have undertaken a confidentiality obligation or are under an appropriate statutory obligation of confidentiality.
  • Employees who handle Personal Data receive adequate instruction and training in the handling of Personal Data.
  • Employees who handle Personal Data receive adequate information on the security risks associated with the data processing activities and are made aware of the adapted security standards and the required security measures.
  • Procedures are in place to ensure appropriate removal of access to Personal Data in case of organizational restructuring, job changes, resignation, etc.
  • Personal passwords are required for equipment that gives access to Personal Data.
  • Passwords must be changed on a regular basis.
  • Passwords must be unique and designed to ensure security so that passwords cannot be reused within a specified period.
  • Remote access to systems must support two-step verification, e.g. a combination of a regular password and a one-time password sent via SMS.
  • Employees must be instructed in keeping the passwords confidential.
  • Access must be blocked if a specific number of repeated failed attempts has been logged.
  • Personal Data is deleted in accordance with the Controller’s specific instructions.

2. Technical measures

  • Personal Data is encrypted at rest and when transmitted via open networks, including in website forms, and when stored on physical media.
  • Security measures, such as firewalls and antivirus protection programs, are installed to protect systems containing Personal Data, and such programs are updated on a regular basis.
  • Access to and processing of Personal Data are logged, and such logging makes it possible to see which persons have had access to the Personal Data and the processing thereof.
  • The log must be reviewed on a regular basis – both by means of random tests and on specific suspicion – to detect any misuse of Personal Data.
  • Personal Data is backed up routinely.
  • Backup copies must be kept separately and securely so that the data can be restored.
  • The deletion of Personal Data is effective (see the organizational measures).
  • Personal Data must be deleted effectively from equipment or mobile devices when the equipment or devices are discarded.
  • The Processor will conduct a risk analysis before implementing any new IT solutions, including IT systems and applications.
  • The risk analysis (except for information infringing third-party rights) should, on request, be handed over to the Controller.
  • Processor has implemented the principles of privacy by design and privacy by default.
  • Procedures are in place to ensure that changes and updates to hardware and/or software are tested and approved before being implemented.

3. Physical measures

  • All data is stored in facilities where access control measures are in place to ensure that only authorized personnel enter the premises.

The above list is not exhaustive, and the Processor must implement appropriate technical and organizational measures to ensure a high level of security, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of data subjects.

Fixably Oy (Ltd.) © 2023