Terms and Conditions for Processing Personal Data
Last updated: 12.9.2024
Version Number: 3.0
Definitions
Customer (Controller): The entity that determines the purposes and means of the processing of personal data. In this Agreement, referred to as the "Customer."
Service Provider (Processor): Foxie.ai, which processes personal data on behalf of the Customer. Referred to as the "Service Provider."
Parties: The Customer and the Service Provider collectively.
Personal Data: Any information relating to an identified or identifiable natural person processed under this Agreement.
Data Protection Laws: All applicable laws relating to data protection and privacy, including the GDPR.
GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation).
1. General Information
1.1 This Appendix, "Terms and Conditions for Processing Personal Data" (hereinafter referred to as the "Appendix"), is part of the Foxie.ai Service agreement (hereinafter referred to as the "Agreement") entered into between the Customer and the Service Provider.
1.2 This Appendix defines the contractual terms and conditions for the processing of personal data and data protection, which are binding on the Customer and the Service Provider. These terms stipulate how the Service Provider processes personal data on behalf of the Customer. Unless otherwise agreed in this Appendix, the measures and obligations of the Service Provider described herein shall not give rise to any separate compensation.
2. Subject Matter, Nature, and Purpose of Processing
2.1 In relation to the processing of personal data under the Agreement, the Customer is the Controller, and the Service Provider is the Processor, unless otherwise specified by the purpose of the processing. However, for any analytics data (e.g., usage statistics, web analytics) generated through the use of the Service, the Service Provider acts as the Controller.
2.2 The subject matter, duration, nature, and purpose of the processing of personal data, the types of personal data, and categories of data subjects are described in Annex 1: Description of Processing Activities or in other instructions provided by the Customer. The Service Provider undertakes to comply with the terms and descriptions contained in the Agreement, the Description of Processing Activities, and the Customer's instructions. The Customer shall be responsible for the maintenance and availability of the instructions.
2.3 If the Description of Processing Activities pursuant to Clause 2.2 has not been drawn up or is incomplete, the Customer shall prepare or supplement the description of processing activities in cooperation with the Service Provider, if necessary.
3. General Obligations of the Service Provider
3.1 The Service Provider shall process personal data in accordance with the Agreement and the instructions given by the Customer. If a group of companies (Group) is the Processor, the obligations of this Appendix apply to all members of the Group and any subcontractors used by the Group who are involved in the processing of personal data.
3.2 The Service Provider shall implement appropriate technical and organizational measures to ensure that the processing of the Customer's personal data takes place in accordance with the requirements of the Agreement and the agreed practices. These measures are designed to ensure the lawful processing of personal data and the confidentiality, integrity, availability, and fault tolerance of the processing systems and services, in compliance with Article 32 of the GDPR.
3.3 The Service Provider shall ensure that personal data is not processed or used for purposes other than those specified in the Agreement, this Appendix, and Annex 1.
3.4 The Service Provider shall designate a Data Protection Officer (DPO) or a contact person responsible for data protection matters for any contact relating to the Customer's personal data. The Service Provider shall inform the Customer in writing of the contact details of the DPO or contact person before processing begins and notify the Customer of any changes without undue delay.
3.5 The Service Provider shall make available to the Customer, at the latter's request, all information necessary for the Customer to demonstrate compliance with the obligations imposed on the Controller and the Service Provider. Upon request and as agreed, the Service Provider shall participate in the preparation and maintenance of descriptions and other documents under the responsibility of the Customer, such as data protection impact assessments (DPIAs), and in the performance of prior consultation in accordance with the GDPR. Unless otherwise agreed, the Service Provider shall carry out these tasks at the rates set out in the Agreement, provided that the Customer is informed in advance of any additional costs.
3.6 The Service Provider shall inform the Customer without undue delay if the instructions provided by the Customer are incomplete or if the Service Provider believes they infringe applicable data protection laws. The Service Provider shall not comply with such instructions until they have been clarified or modified by the Customer.
3.7 The Service Provider shall allow and contribute to audits, including inspections, conducted by the Customer or an auditor authorized by the Customer. The audits shall:
i. Be conducted during normal business hours with reasonable advance notice of at least 20 business days;
ii. Not unreasonably interfere with the Service Provider's business activities;
iii. Be limited to once per calendar year, unless a data breach or other significant event justifies additional audits.
The Customer shall bear its own costs and expenses associated with the audit.
4. Instructions from the Customer
4.1 The Service Provider shall process the Customer's personal data in accordance with the terms and conditions agreed in the Agreement, this Appendix, and the Customer's written instructions. The Customer shall be responsible for the maintenance and availability of the instructions.
4.2 The Customer has the right to change, supplement, and update the instructions provided to the Service Provider regarding the processing of personal data and data protection. Such updates shall be communicated in writing and shall become effective upon receipt by the Service Provider. The Service Provider shall acknowledge receipt in writing within five business days.
If the amendments to the instructions result in other than minor changes to the Services under the Agreement, the effect of such changes shall be agreed in the change management procedure under the Agreement, including any necessary adjustments to fees and timelines.
4.3 The Service Provider shall inform the Customer without undue delay if the instructions provided are incomplete or if the Service Provider suspects that they are unlawful. The Service Provider shall not act upon such instructions until they have been clarified or confirmed by the Customer.
5. Personnel of the Service Provider
5.1 The Service Provider shall ensure that all persons working under its authority who are entitled to process the Customer's personal data are bound by the confidentiality obligations agreed in the Agreement or are subject to a legal obligation of confidentiality.
5.2 The Service Provider shall ensure that all persons under its authority who have access to the Customer's personal data are aware of their obligations in relation to the processing of personal data and shall only handle such data in accordance with the Agreement, this Appendix, and the Customer's instructions.
6. Subcontractors Processing Personal Data
6.1 To the extent that the Service Provider uses subcontractors who process personal data, the subcontracting is subject to the terms and conditions described in this Appendix in addition to the Agreement.
6.2 If a subcontractor of the Service Provider processes the Customer's personal data, the use of the subcontractor requires the prior written consent of the Customer.
6.3 The Service Provider shall enter into a written agreement with each subcontractor, in which it undertakes to ensure that the subcontractors it uses comply with the obligations imposed on the Service Provider in the Agreement and with the instructions issued by the Customer in force from time to time in relation to the processing of personal data. The Service Provider shall ensure that the Customer's right of inspection under the Agreement can be extended to the subcontractor.
6.4 The Service Provider shall be responsible for the share of the subcontractor it uses as if it were its own. The Service Provider shall be responsible for ensuring that the subcontractor complies with the obligations imposed on the Processor. If the Customer reasonably considers that the subcontractor of the Service Provider does not fulfil its data protection obligations, the Customer shall have the right to require the Service Provider to change the subcontractor.
6.5 The Customer shall be informed in advance of any change of the subcontractor involved in the processing of personal data. The notification shall describe how the subcontractor will process the Customer's personal data in accordance with data protection legislation. The Customer has the right to object to the proposed subcontractor for justified reasons.
7. Place of Service
7.1 Unless otherwise agreed, the Service Provider is entitled to process the Customer's personal data within the European Economic Area (EEA). What is agreed in the Agreement and in this Appendix regarding the processing of personal data shall also apply to the provision of access to the Customer's personal data, for example, through a management and control connection.
7.2 If the Parties agree that the Service Provider may transfer the Customer's personal data outside the EEA, the Parties shall ensure that the transfer of personal data is carried out in accordance with the GDPR. This includes implementing appropriate safeguards, such as Standard Contractual Clauses, Binding Corporate Rules, or transfers to countries for which the European Commission has issued an adequacy decision.
8. Assistance to the Customer
8.1 The Service Provider shall inform the Customer without undue delay of any request received from data subjects concerning the exercise of their rights. The Service Provider shall not respond to such requests unless authorized by the Customer.
8.2 The Service Provider shall assist the Customer in order to enable the Customer to fulfil its obligation to respond to such requests. Such assistance may include helping the data subject in providing information and communication, exercising the data subject's right of access, rectification or erasure of personal data, restriction of processing, or transfer of the data subject's own personal data from one system to another.
8.3 Unless otherwise agreed, the Service Provider shall be entitled to charge the Customer at the rates agreed in the Agreement if the assistance entails additional costs for the Service Provider. The Service Provider shall inform the Customer in advance of any additional costs incurred.
9. Data Security Breaches
9.1 The Service Provider shall notify the Customer in writing without undue delay and, where feasible, within 24 hours after becoming aware of any personal data security breach. In addition, the Service Provider undertakes to inform the Customer without undue delay of any other disruption or problem that may affect the position and rights of data subjects.
9.2 The Service Provider shall provide the Customer with at least the following information about the data breach:
i. A description of the security breach that occurred, including the categories and estimated numbers of data subjects affected and the categories and estimated numbers of personal data records concerned, to the extent known;
ii. The name and contact details of the Data Protection Officer or other responsible person from whom further information may be obtained;
iii. A description of the likely consequences of the breach; and
iv. A description of the measures that the Service Provider proposes to take or has already taken in response to the breach and, where appropriate, measures to mitigate any adverse effects.
9.3 Upon detection of a personal data breach, the Service Provider shall immediately take the measures agreed in the Agreement to remedy the personal data breach and to limit and remedy its effects.
10. Termination of Processing of Personal Data
10.1 During the term of the Agreement, the Service Provider shall not delete personal data processed by it on behalf of the Customer without the express request of the Customer, unless required by applicable law.
10.2 Upon termination or cancellation of the Agreement, at the Customer's choice, the Service Provider shall return to the Customer all personal data processed on behalf of the Customer and shall destroy any copies of the personal data from its own records, unless Union or Member State law requires storage of the personal data. The Service Provider shall certify in writing to the Customer that it has complied with this obligation.
11. Liability and Indemnification
11.1 The Service Provider shall be liable for damages arising from its breach of this Agreement, including violations of data protection laws, subject to the limitations set forth in the main Agreement.
11.2 The Service Provider agrees to indemnify and hold harmless the Customer against any claims, damages, or fines arising from the Service Provider's breach of its obligations under this Agreement.
12. Governing Law and Jurisdiction
12.1 This Agreement shall be governed by and construed in accordance with the laws of Finland, excluding its conflict of law principles.
12.2 Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Finland.
13. Miscellaneous
13.1 In the event of any conflict between the terms of this Appendix and the main Agreement, the terms of this Appendix shall prevail with respect to data protection matters.
13.2 This Appendix forms an integral part of the Agreement.