Terms of Service
Last updated: 27.04.2024
Version Number: 2.6
This is the Repo Work Oy's register description in accordance with the Personal Data Act (Sections 10 and 24) and the EU's General Data Protection Regulation (GDPR).
1.Foxie, Platform6, Åkerlundinkatu 8, Tampere, Pirkanmaa 33100, Finland, Repo Work Ltd.
2. Contact person responsible for the register
Roni Saroniemi, roni.saroniemi@foxie.ai, (+358) 045 490 8082
3. Name of the register
Company customer register and contract archive
4. Legal basis and purpose of the processing of personal data
The legal basis for the processing of personal data under the EU General Data Protection Regulation is a contract to which the data subject is a party. The purpose of processing personal data is to contact customers and to maintain the customer relationship.
5. Data content of the register
The data stored in the register include: name, position, company/organisation, contact details (telephone number, e-mail address, address), information on ordered services and changes thereto, billing information, other information related to the customer relationship and ordered services.
6. Regular sources of information
The data stored in the register is obtained from the customer, for example, when logging in to the web application, from messages sent via web forms, by e-mail, by telephone, through social media services, contracts, customer meetings and other situations in which the customer discloses his/her data.
7. Regular disclosures of data
Data will not be disclosed to third parties for marketing purposes.
8. Transfer of data outside the EU or EEA
We may use service providers who may have access to personal data from outside the EU/EEA, such as the United States, to process personal data. We will ensure that such transfers are carried out in an appropriate and lawful manner in accordance with the law governing the processing of personal data. We ensure that the parties involved in the transfer comply with the international ISO 27001 and SOC 2 data security certifications, and use the highest level of encryption (AES-256) to protect user data. In all circumstances, we will only transfer personal data outside the EU/EEA on one of the legal grounds listed below:
* The European Commission has determined that the recipient country in question ensures an adequate level of data protection.
* We have put in place appropriate safeguards for the transfer of personal data using standard data protection clauses adopted by the European Commission. In such cases, the customer has the right to obtain a copy of these standard clauses by contacting us.
* You have given your explicit consent to the transfer of your personal data, or there is another legal basis for the transfer of your personal data outside the EU/EEA.
9. The register is processed with due care and the data processed by the computer systems are adequately protected. The controller shall ensure that stored data, server access rights and other information critical to the security of personal data are treated confidentially and only by employees whose job description includes this.
10. Right of inspection and right to request correction of information
Every person in the register has the right to check the data recorded in the register and to request the correction of any inaccurate data or the completion of incomplete data. If a person wishes to check or request the rectification of data stored about him or her, the request must be sent in writing to the controller. The controller may, if necessary, ask the applicant to prove his or her identity. The controller will reply to the customer within the time limit laid down in the EU General Data Protection Regulation (as a general rule, within one month).
11. Other rights relating to the processing of personal data
A data subject in the register has the right to request the erasure of personal data concerning him or her from the register ("right to be forgotten"). Data subjects also have other rights under the EU General Data Protection Regulation, such as the restriction of the processing of personal data in certain circumstances. Requests should be sent in writing to the controller. The controller may, if necessary, ask the applicant to prove his or her identity. The controller will respond to the customer within the time limits set by the EU GDPR (usually within one month).
1 General information
1.1 This appendix "Terms and Conditions for Processing Personal Data" is part of the Foxie.ai agreement (hereinafter referred to as the "Agreement") that the Customer has entered into with the Service Provider.
1.2 This Appendix to the Agreement defines the contractual terms and conditions for the processing of personal data and data protection, which are binding on the Customer and the Service Provider, according to which the Service Provider processes personal data on behalf of the Customer. The measures and obligations of the Service Provider described in these terms and conditions shall not give rise to any separate compensation, unless otherwise agreed in these terms and conditions.
2.1 When processing personal data, the Customer is the controller and the Service Provider is the processor of personal data (hereinafter also referred to as "processor"), unless otherwise provided for by the purpose of the processing of personal data. "Subscriber's personal data" in these Terms means personal data for which the Subscriber is responsible as controller.
2.2 The subject matter, nature and purpose of the processing of personal data, the types of personal data and categories of data subjects, as well as the obligations and rights of the controller and processor are described in the description of the Processing Operations in Annex 1 to these Terms and Conditions or in other instructions provided by the Subscriber. The Service Provider undertakes to comply with the terms and descriptions contained in the Contract, the Description of Processing Operations and the Instructions. The Customer shall be responsible for the maintenance and availability of the Instructions.
2.3 If the description of the Processing Activities pursuant to Clause 2.2 has not been drawn up or is incomplete, the Contracting Entity shall draw up or supplement the description of the Processing Activities in cooperation with the Service Provider, if necessary.
3 General obligations of the service provider
3.1 The Service Provider shall process personal data in accordance with the Contract and the instructions given by the Client. Where a Group is the Processor, the obligations of this Annex apply to all members of the Group and any subcontractors used by the Group who are involved in the processing of personal data.
3.2 The Service Provider shall take appropriate technical and organisational measures to ensure that the processing of the Subscriber's personal data takes place in accordance with the requirements of the Agreement and the agreed practices. These measures are designed to ensure the lawful processing of personal data and the confidentiality, integrity, availability and fault-tolerance of the processing systems and services.
3.3 The Service Provider shall not process or otherwise use the personal data processed by it under the Contract other than for the purposes and to the extent necessary for the performance of the Contract.
3.4 The Service Provider shall designate a data protection officer or a contact person responsible for data protection for any contact relating to the Subscriber's personal data. The Service Provider shall inform in writing the Subscriber of the contact details of the Data Protection Officer or contact person.
3.5 The Service Provider shall make available to the Subscriber, at the latter's request, all information necessary for the Subscriber to demonstrate compliance with the obligations imposed on the controller and the Service Provider, and shall, upon request and as agreed, participate in the preparation and maintenance of descriptions and other documents under the responsibility of the Subscriber, such as impact assessments, and in the performance of prior consultation in accordance with the GDPR. Unless otherwise agreed, the Service Provider shall carry out these tasks at the prices set out in the Contract.
3.6 The Service Provider shall inform the Subscriber without delay of any request from data subjects concerning the exercise of their rights. The Service Provider itself shall not respond to such requests. The Service Provider shall assist the Subscriber in order to enable the Subscriber to fulfil its obligation to respond to such requests. Such requests may require the Service Provider, for example, to assist the data subject in providing information and communication, exercising the data subject's right of access, rectification or erasure of personal data, restriction of processing or transfer of the data subject's own personal data from one system to another. Unless otherwise agreed, the Service Provider shall be entitled to charge the Subscriber at the prices agreed in the contract if the assistance entails additional costs for the Service Provider. The Service Provider shall be obliged to inform the Subscriber in advance of any additional costs incurred.
3.7 The Service Provider shall allow and participate in inspections carried out by the Client or an auditor authorised by the Client. The detailed terms and conditions of the inspection procedure are set out in the contract.
4 Subscriber instructions
4.1 The Service Provider shall process the Subscriber's personal data in accordance with the terms and conditions agreed in the Contract and these Specific Conditions, as well as the Subscriber's written instructions. The Customer shall be responsible for the maintenance and availability of the instructions. The Service Provider shall inform the Subscriber without undue delay if the instructions provided by the Subscriber are incomplete or if the Service Provider suspects that they are unlawful.
4.2 The Subscriber has the right to change, supplement and update the instructions given to the Service Provider regarding the processing of personal data and data protection. If the amendments to the instructions result in other than minor changes to the Services under the Contract, the effect of such changes shall be agreed in the change management procedure under the Contract.
5 Service staff
5.1 The Service Provider shall ensure that all persons working under its authority who are entitled to process the Subscriber's personal data are bound by the confidentiality obligations agreed in the contract or are subject to a legal obligation of confidentiality.
5.2 The Service Provider shall ensure that all persons under its authority who have access to the Subscriber's personal data are aware of their obligations in relation to the processing of personal data and shall only handle such data in accordance with the Agreement, these Specific Conditions and the instructions of the Subscriber.
6 Subcontractors processing personal data
6.1 To the extent that the Service Provider uses subcontractors who process personal data, the subcontracting is subject to the terms and conditions described in this Annex in addition to the Agreement.
6.2 If a subcontractor of the Service Provider processes the Subscriber's personal data, the use of the subcontractor requires the prior written consent of the Subscriber.
6.3 The Service Provider shall enter into a written agreement with the subcontractor, in which it undertakes to ensure that the subcontractors it uses comply with the obligations imposed on the Service Provider in the agreement and with the instructions issued by the Subscriber in force from time to time in relation to the processing of personal data. The Service Provider shall ensure that the Subscriber's right of inspection under the contract can be extended to the subcontractor.
6.4 The Service Provider shall be responsible for the share of the subcontractor it uses as if it were its own. The Service Provider shall be responsible for ensuring that the subcontractor complies with the obligations imposed on the processor. If the Customer reasonably considers that the subcontractor of the Service Provider does not fulfil its data protection obligations, the Customer shall have the right to require the Service Provider to change the subcontractor.
6.5 The Customer shall be informed in advance of any change of the subcontractor involved in the processing of personal data. The notification shall describe how the subcontractor will process the Subscriber's personal data in accordance with data protection legislation. The Subscriber has the right to object to the proposed subcontractor for justified reasons.
7 Place of service
7.1 Unless otherwise agreed, the Service Provider is entitled to process the Subscriber's personal data only within the European Economic Area. What is agreed in the contract and in these Specific Conditions regarding the processing of personal data shall also apply to the provision of access to the Subscriber's personal data, for example through a management and control connection.
7.2 If the parties to the Agreement agree that the Service Provider may transfer the Subscriber's personal data outside the European Economic Area, the parties to the Agreement shall ensure that the transfer of personal data is carried out in accordance with the law.
8 Data security breaches
8.1 The Service Provider shall notify the Subscriber in writing without undue delay of any personal data security breach of which it becomes aware. In addition, the Service Provider undertakes to inform the Subscriber without undue delay of any other disruption or problem that may affect the position and rights of data subjects.
8.2 The Service Provider shall provide the Subscriber with at least the following information about the data breach:
i. a description of the security breach that occurred, including the categories and estimated numbers of data subjects affected and the categories and estimated numbers of personal data types, to the extent known;
ii. the name and contact details of the Data Protection Officer or other responsible person from whom further information may be obtained;
iii. a description of the likely consequences of the breach; and
iv. a description of the measures that the Service Provider proposes to take or has already taken in response to the breach and, where appropriate, measures to mitigate any adverse effects.
8.3 Upon detection of a personal data breach, the Service Provider shall immediately take the measures agreed in the Contract to remedy the personal data breach and to limit and remedy its effects.
9 Termination of processing of personal data
9.1 During the term of the Contract, the Service Provider shall not delete personal data processed by it on behalf of the Subscriber without the express request of the Subscriber.
9.2 Upon termination or cancellation of the Contract, the Service Provider shall return to the Subscriber all personal data processed on behalf of the Subscriber and shall destroy any copies of the personal data from its own records, unless otherwise agreed. The data may not be deleted if the Service Provider is required by law or by order of a public authority to retain the personal data.
DESCRIPTION OF PROCESSING OPERATIONS
1. The parties involved
Customer
Service provider: Repo Work Oy
2. The Contracting Authority has entered into a Contract with the Service Provider for a service where the Service Provider acts as a processor of personal data contained in the personal data file maintained by the Contracting Authority. This document describes the processing activities that the Service Provider, as a processor of personal data, carries out on behalf of the Subscriber, the types of personal data and the personal data processed. This document is attached as Annex 2 to the Foxie Service Agreement.
The processing of personal data shall comply with the Agreement between the Service Provider and the Subscriber and the Subscriber's instructions.
3. Types of personal data and categories of data subjects
The Parties have agreed that the Service Provider shall process the following personal data of the Customer that are part of the Customer's personal data file on behalf of the Customer for the purpose of providing the service agreed in the Contract.
Categories of data subjects: employees of the Client
Data Processed:
- First name and last name
- e-mail address
- Role (administrator/expert)
- data entered by the person in the service including but not limited: feedback text content, satisfaction ratings, follow-up responses, comments and additional notes.
The Parties have agreed that the Service Provider shall process the following associated data that enhances the service quality, which is not considered as personal information.
Usage information:
- frequency of Responses
- date, time and duration of feedback submission events
- associated organisations, projects or campaigns if provided
- interaction history with the feedback system
- login/Logout times
4. Nature and purpose of the processing
The parties have agreed that the Service Provider will process the personal data contained in the Subscriber's register in order to provide the Subscriber with an AI-based customer and staff feedback tool to improve customer collaboration. The Service Provider shall process the personal data of the Subscriber's employees in order to enable them to access and participate in the feedback process. The service provider will also process the data entered by the person in the service to refine the feedback collection based on the topics mentioned by the participants, as well as the roles of the participants to define user rights and functions.
5. Duration of processing of personal data
The Service Provider shall process the personal data identified in this Annex for the following period: for the duration of the contract, starting from the signature of the contract, after which the Service Provider shall destroy the personal data unless the Customer and the Service Provider agree on a new contract.