Liana Personal Data Processing Agreement
1. Contracting Parties
Customer: Agreement Contact Person: Customer's Data Protection Officer or |
Supplier: Agreement Contact Person: Supplier's Data Protection Officer: |
Each Contracting Party must notify the other Contracting Party in writing without undue delay of any change in their contact person. The contact person does not have the right to agree on changes to this Agreement.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that the Supplier processes on behalf of the Customer. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Contracting Parties" means the Customer and the Supplier together.
"Main Agreement" means the agreement between the Customer and the Supplier for the provision of the service.
"Data Protection Regulation" means the European Union's General Data Protection Regulation 2016/679.
"Data Protection Legislation" means the Data Protection Regulation, the Data Protection Act (1050/2018), and other applicable data protection legislation.
"Data Security Breach" means an event resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Processed Personal Data, or an event where the security of Personal Data has been compromised.
3. General
This Personal Data Processing Agreement ("Personal Data Processing Agreement" or "Processing Agreement" or "Agreement") defines the terms and conditions binding on the Customer and the Supplier concerning the Processing of Personal Data, according to which the Supplier Processes the Customer's Personal Data on behalf of and for the account of the Customer.
The Contracting Parties undertake to comply with applicable data protection legislation in force in their operations.
The Customer is the Controller of the Personal Data to be Processed, who defines the purposes and means of the Personal Data Processing. The Supplier is the Processor of Personal Data, who Processes the said Personal Data on behalf of and for the account of the Customer as agreed in this Processing Agreement. The Contracting Parties will describe in more detail in Appendix 1 the categories of data subjects, the processing activities carried out by the Supplier, data security procedures, and the purposes of Personal Data Processing. The Customer has the right and possibility to update the information described in Appendix 1 primarily in the Supplier's Service.
The Contracting Parties understand that authorities may issue orders and guidelines concerning the scope of application of the Data Protection Regulation after the signing of the Main Agreement and undertake to supplement this Personal Data Processing Agreement as necessary based on such orders and guidelines.
Any disputes arising from this Processing Agreement will primarily be resolved through negotiations between the Contracting Parties. Disputes that the Contracting Parties cannot resolve through negotiation will be resolved as stipulated in the Main Agreement, or if the Main Agreement cannot be identified, according to Liana's General Terms and Conditions.
Unless expressly agreed otherwise in this Personal Data Processing Agreement, the Supplier shall be solely responsible for all costs incurred by it in complying with the Personal Data Processing Agreement and Data Protection Legislation. Costs arising from audits are agreed upon in Liana's General Terms and Conditions.
Notwithstanding any other agreements between the Contracting Parties concerning matters covered by this Personal Data Processing Agreement or related liabilities, or the order of precedence of contractual documents, this Personal Data Processing Agreement shall always take precedence in matters concerning the Processing of Personal Data.
4. Customer's Rights and Obligations
The Customer must process Personal Data in accordance with the Data Protection Legislation in force at any given time. The processing of Personal Data must in all cases be appropriate for the Customer's operations, and appropriate permissions or consents must have been obtained from data subjects for the collection and processing of Personal Data. The Customer is responsible for defining the purpose of processing the collected Personal Data, ensuring that Personal Data Processing has been planned in advance, and that Personal Data collected for a specific purpose is not processed in a manner incompatible with the original purpose of use. The Customer is also responsible for all other obligations of the Controller under Data Protection Legislation.
The Customer shall, if necessary, provide the Supplier with written instructions for Personal Data Processing. The Customer has the right to unilaterally amend or supplement the instructions within the limits set by Data Protection Legislation. The Supplier must immediately inform the Customer if it considers that the instructions violate Data Protection Legislation.
5. Supplier's General Obligations
The Supplier Processes Personal Data in accordance with this Personal Data Processing Agreement, the Customer's instructions, and Data Protection Legislation. The Supplier has no right to Process Personal Data for any other purpose than that agreed upon in this Agreement, Appendix 1, the Main Agreement, and its appendices.
The Supplier ensures that all persons acting under its authority who process Personal Data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.
The Supplier undertakes to notify the Customer without undue delay of requests from data subjects concerning the Customer's Personal Data in accordance with Data Protection Legislation.
Taking into account the nature of the processing operations, the Supplier shall assist and support the Customer in responding to requests made in accordance with Data Protection Legislation, concerning the following data subjects' rights mentioned in Data Protection Legislation:
- the right to access Personal Data;
- the right to rectification and erasure of Personal Data;
- the right to restrict the Processing;
- the right to data portability; and
- the right to object to the Processing of Personal Data.
A Contracting Party must notify the other Contracting Party without undue delay of the receipt of a request concerning the exercise of data subject rights, if the implementation of the request requires action from the other Contracting Party. If the implementation of the request requires action from the Supplier, the Supplier shall implement the request without undue delay upon receiving information about it and shall comply with any additional instructions given by the Customer in the matter.
The Supplier shall provide the Customer with the necessary documentation for the implementation of the request. If the data subject's request concerns the right to access data, the Supplier shall provide the Customer with either a copy of the data subject's Personal Data being Processed or the data in a commonly used electronic format.
Taking into account the nature of the processing operations, the Supplier helps the Customer fulfill its obligations under Data Protection Legislation. The Supplier assists the Customer in complying with the following obligations laid down in Articles 32-36 of the Data Protection Regulation:
- ensuring the security of Personal Data Processing with appropriate technical and organisational measures;
- notifying the supervisory authority and data subjects of Data Security Breaches;
- participating, at the Customer's request, in the performance of a data protection impact assessment; and
- participating, at the Customer's request, in prior consultation with the supervisory authority.
The Supplier shall make available to the Customer all information necessary to demonstrate the Customer's compliance with its obligations under Data Protection Legislation. The Supplier permits audits conducted by the Customer or its authorized auditor in accordance with Liana's General Terms and Conditions.
If the aforementioned measures exceed the mandatory obligations imposed on the Supplier by Data Protection Legislation, the Supplier has the right to charge for the measures in accordance with its current price list.
6. Data Security
The Supplier must have appropriate and sufficient technical and organisational measures in place to protect Personal Data and to ensure a level of security appropriate to the risk, so that the Processing of Personal Data complies with the requirements of this Personal Data Processing Agreement and Data Protection Legislation. The Supplier implements all necessary measures to protect Personal Data from unauthorized access to data, accidental or unlawful destruction, loss, alteration, disclosure, transfer, or other unlawful Processing.
Taking into account the latest technologies and the costs of implementation, the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Supplier shall implement the following measures:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
- other measures agreed upon by the Contracting Parties in Appendix 1.
The Supplier understands that Personal Data is confidential information. The Supplier ensures that only designated employees have access to the Personal Data to be Processed, and implements measures to ensure that such persons Process Personal Data only in accordance with this Data Protection Appendix and the Customer's written instructions.
Further information on the information security measures implemented by the Supplier is available in the Supplier's current information security guidelines.
7. Personal Data Transfers
The Supplier may not transfer Personal Data outside the EU or EEA area without the Customer's prior written consent. However, the Supplier has the right to transfer the Customer's Personal Data outside the EU or EEA area without the Customer's prior consent, if the transfer and processing of Personal Data is necessary for the provision of the service in accordance with the Main Agreement.
The transfer of Personal Data requires a transfer basis in accordance with the Data Protection Regulation, and the Supplier must ensure that the recipient of the data has the right to process the transferred Personal Data and that the level of Personal Data protection under Data Protection Legislation is not jeopardized. The Supplier shall inform the Customer in writing in advance of planned Personal Data transfers outside the EU or EEA area. The Supplier is responsible for ensuring that Personal Data is processed outside the EU or EEA area in accordance with the Personal Data Processing Agreement and Data Protection Legislation.
The Supplier must inform the Customer in writing of the subcontractors involved in the implementation of the Service and the location of personal data. Unless otherwise agreed, the subcontractors used for the implementation of the Service are listed in Appendix 2 of this Processing Agreement.
8. Subcontractors
The Supplier may use the subcontractors listed in Appendix 2 for Personal Data Processing. The Supplier must inform the Customer in writing in advance of all planned changes concerning subcontractors. The Customer has the right to object to such changes.
If the Supplier, despite the Customer's objection, changes and/or adds subcontractors, the Customer has the option to terminate the part of the Service affected by the subcontractor change, or if the change affects all services described in the Main Agreement, the entire Main Agreement with its termination periods without penalties. The Supplier is responsible for ensuring that the subcontractor Processes Personal Data in accordance with this Personal Data Processing Agreement and Data Protection Legislation. The agreement between the Supplier and the subcontractor must, in terms of its essential obligations, correspond at least to what has been agreed in this Personal Data Processing Agreement.
The Supplier is fully responsible for the Personal Data Processing carried out by its subcontractor.
9. Data Security Breaches
The Supplier must notify the Customer without undue delay of any Data Security Breach that has come to its knowledge and relates to Personal Data processed under this Processing Agreement. The Contracting Parties may agree on the notification process in more detail separately in writing.
When notifying of a Data Security Breach, or without undue delay after notification, the Supplier must provide the Customer with:
- a description of the Data Security Breach, including the categories and estimated number of data subjects concerned and the categories and estimated number of Personal Data types;
- the contact details of the Supplier's data protection officer or other person from whom further information can be obtained;
- a description of the likely consequences of the Data Security Breach; and
- a description of the measures taken by the Supplier in response to the Data Security Breach and measures to mitigate possible adverse effects.
The Supplier undertakes to assist the Customer in notifying the supervisory authority and data subjects of the Data Security Breach and to make all necessary information about the Data Security Breach available to the Customer.
The Supplier must, without undue delay, take measures to prevent or mitigate the adverse effects of the Data Security Breach. The Supplier must also prepare and present to the Customer, upon request, procedures on how it can prevent future Data Security Breaches. If the Supplier is not responsible for the Data Security Breach, the Supplier has the right to charge for the aforementioned jointly agreed measures.
The Supplier documents all Personal Data Security Breaches, including the facts related to the Data Security Breach, the effects of the Data Security Breach, and the corrective actions taken. The Supplier shall provide the documentation to the Customer upon the Customer's written request.
10. Record of Processing Activities
The Supplier shall maintain, in cooperation with the Customer, a record of the Personal Data Processing it carries out on behalf of the Customer. The record shall contain the following information:
- the name and contact details of the Customer, the Supplier, and the Supplier's data protection officer or data protection contact person, as well as information about any subcontractors;
- the processing activities carried out on behalf of the Customer;
- information on the transfer of personal data outside the EU or EEA area, including the third countries concerned and an explanation of how an adequate level of data protection is ensured; and
- a description of the technical and organisational security measures implemented by the Supplier, as per section 5.
Appendix 1 shall be used as the record unless otherwise agreed.
11. Termination of Personal Data Processing
Upon termination of the Main Agreement, the Supplier undertakes, upon the Customer's written request, to return all Personal Data to the Customer in a commonly used and machine-readable format for a reasonable compensation and/or to delete the data free of charge, unless otherwise provided by law. The Supplier shall also delete all existing copies (including log data) no later than 9 months thereafter. The Customer has the right to instruct the Supplier at the time of termination of the Agreement on details related to the return of personal data, such as the procedure for transferring or destroying Personal Data.
The Supplier undertakes not to Process Personal Data after it has been transferred to the Customer or destroyed.
12. Damages Caused by Personal Data Processing
Liabilities arising from a breach of this Personal Data Processing Agreement and Data Protection Legislation shall be determined in accordance with Article 82(4) of the Data Protection Regulation. The Supplier is liable for damages caused to data subjects only if it has failed to comply with the obligations of Data Protection Legislation specifically addressed to the personal data processor or if it has acted contrary to this Personal Data Processing Agreement or the Controller's lawful instructions.
If a data subject suffers damage due to a breach of the Data Protection Regulation, each Contracting Party shall be responsible for its share of the damage caused to the data subject in accordance with Article 82 of the Data Protection Regulation. The Controller and the Processor, each separately, shall be liable only for the share of administrative fines or compensation for damages that the competent supervisory authority or court orders them to pay.
The limitations of liability clauses in the Main Agreement do not apply to the right to receive compensation from the other Contracting Party in accordance with Article 82(5) of the Data Protection Regulation.
13. Appendices
Appendix 1: Record of Processing Activities for the Personal Data Processor
Appendix 2: Subcontractors
Appendix 1: Processor's Record of Processing Activities
Nature, Duration, and Purpose of Processing
For the duration of the Main Agreement (unless otherwise stated later), Liana undertakes to process Personal Data on behalf of and for the account of the Customer in accordance with Data Protection Legislation for the purpose of providing services under the Main Agreement as follows:
- [Describe the nature, duration, and purpose of processing]
Data Subjects
The Personal Data processed concern the following categories of data subjects:
- [Describe each category of data subjects separately]
Types of Personal Data
The processing operations concern the following types of Personal Data:
- [Describe each type of personal data separately]
Transfers to Third Countries
Third countries and international organizations to which data are transferred, or information that no personal data is transferred to third countries or international organizations:
- [Describe to which third countries data is transferred or indicate that no transfer takes place]
Safeguards Concerning Transfers
Documentation on appropriate safeguards, if personal data are transferred to third countries or international organizations by means of a transfer referred to in Article 49(1), second subparagraph, of the Data Protection Regulation:
- [Describe the safeguards in place if personal data are transferred to third countries]
Applicable Data Security Procedures
General description of technical and organizational security measures pursuant to Article 32(1) of the Data Protection Regulation:
- Liana's data security procedures are described in more detail in the document "Data Security Guidelines", the current version of which is available at: https://www.lianatech.com/documents/information-security-guidelines.html
Appendix 2: Subcontractors
The Supplier's following subcontractors process the Personal Data provided by the Customer in the following situations and for the following purposes.
Company name | Business ID | Server Location | Description how the subcontractor processes the personal data |
[fill-in based on the Service] |
[fill-in based on the Service] |
[fill-in based on the Service] |
[fill-in based on the Service] |