1. Purpose and Scope
This Data Processing Agreement, including its exhibits (the “Agreement”), governs the Processing of Personal Data by Lifetimely Oy, company registration number 3107222-6 (the “Processor”), on behalf of the respective controller (the “Controller”).
The purpose of this Agreement is to establish a binding personal data processing agreement between the Parties as required by Data Protection Law. The Parties acknowledge and agree that if Data Protection Law or regulatory guidelines are significantly amended, the terms of this Agreement shall be revised to reflect, to the greatest extent possible, the originally intended principles of the Parties when executing this Agreement.
This Agreement is incorporated into the terms and conditions of the Controller.
In this Agreement, the following definitions shall apply:
- “Controller’s Data” shall mean the Personal Data of which the Controller is the Data Controller.
- “Contract” shall mean the terms and conditions of the Controller.
- “Data Controller” shall mean a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Protection Law” shall mean Regulation (EU) 2016/679 (the GDPR) and the data protection laws under the governing law of the Contract applicable to the Processing hereunder from time to time.
- “Data Subject” shall mean an identified or identifiable natural person who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “EU” shall mean European Union.
- “GDPR” shall mean the Regulation (EU) 2016/679 (General Data Protection Regulation).
- “Instruction” shall mean an instruction issued by the Controller to the Processor and directing the Processor to perform a specific action with regard to the Processing of the Controller’s Data in order to achieve compliance with the Data Protection Law.
- “Party” or “Parties” shall refer to the Controller and the Processor.
- “Personal Data” shall mean any information relating to an identified or identifiable natural person.
- “Data Processor” shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
- “Processing” shall mean any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Sub-processor” shall mean an entity that Processes Personal Data as a sub-processor of the Data Processor.
All capitalised terms not defined herein shall have the meaning set forth in the Contract.
Unless and to the extent the context otherwise requires, any use of the singular includes plural and vice versa.
Each Party shall be responsible for ensuring that the Processing is carried out in accordance with the Data Protection Law applicable to that Party and with good data processing practices.
4. Rights and obligations of the Data Controller
The Data Controller shall
- give the Data Processor documented and comprehensive instructions on the Processing, which instructions shall comply with the Data Protection Law;
- have the right and obligation to specify the purpose and means of Processing of Personal Data;
- represent that all the Data Subjects of the Personal Data have been provided with all appropriate notices and information and establish and maintain for the relevant term the necessary legal grounds for transferring the Personal Data to the Data Processor and allowing the Data Processor to perform the Processing contemplated hereunder;
- confirm that:
  - the Processing stipulated under this Agreement meets the Data Controller’s requirements, including but not limited to the intended security measures and the consents needed, and
  - it has provided the Data Processor with all information necessary for the Data Processor to perform the Processing in compliance with the Data Protection Law.
5. Rights and obligations of the Data Processor
The Data Processor shall
(1) perform the Processing only on and in accordance with the documented, legitimate and reasonable Instructions of the Data Controller, unless required to do otherwise by applicable law, in which case the Data Processor shall inform the Data Controller of that deviating legal requirement (unless the law prohibits such notification). For the avoidance of doubt, the Data Controller shall at all times be deemed to have instructed the Data Processor to provide the Service as defined and agreed under the Contract;
(2) ensure that persons authorised to perform the Processing hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, as further stated under this Agreement;
(3) take all security measures required of data processors under the Data Protection Law, as further stated under this Agreement;
(4) respect the conditions laid down in the Data Protection Law for engaging any Sub-processor, as further stated under this Agreement;
(5) insofar as this is possible and taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures in fulfilling the Data Controller’s obligation to respond to requests for exercising the Data Subjects’ rights laid down in the Data Protection Law;
(6) assist the Data Controller in ensuring compliance with its legal obligations, such as data security, data breach notification, data protection impact assessment and prior consultation obligations, as required of the Data Processor by applicable law, taking into account the nature of the Processing and the information available to the Data Processor;
(7) maintain the necessary records and make available to the Data Controller all information necessary to demonstrate compliance with the obligations of the Data Processor laid down in the Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller, as further agreed under this Agreement; and
(8) at the Data Controller’s instruction, delete or return to the Data Controller all the Personal Data after the end of the provision of the Services relating to the Processing, and delete existing copies unless applicable law requires storage of the Personal Data. Deletion and return methods may be further agreed between the Parties.
Unless otherwise agreed, the Data Processor shall have the right to invoice any costs resulting from the assistance referred to in items 5 and 6 above (assistance with Data Subjects’ requests and with the Data Controller’s compliance obligations) in accordance with the Data Processor’s prevailing price list.
6. Security of Processing
The Data Processor shall implement and maintain appropriate technical and organizational measures to protect the Personal Data, taking into account:
- the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and
- the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.
Such measures shall include, as appropriate, inter alia:
- the pseudonymisation of the Personal Data; and
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
The Data Controller is responsible for ensuring that the Data Processor is informed of all matters (including but not limited to the risk assessment and the inclusion of special categories of Personal Data) relating to the Personal Data provided by the Data Controller which affect the technical and organisational measures employed under this Agreement.
The Data Processor may from time to time use Sub-processors to Process the Personal Data hereunder. The Sub-processors used in the provision of the Services are listed in the Annex. Such use shall be under a written contract, and the Data Processor shall require the Sub-processor to comply with the data protection obligations applicable to the Data Processor under this Agreement, or with obligations providing the same level of data protection. The Data Processor shall be liable for its Sub-processors’ acts and omissions as for its own.
The Data Processor shall inform the Data Controller in advance of any intended changes concerning the addition or replacement of Sub-processors.
If the Data Controller does not accept an intended change, the Data Controller may terminate the part of the Contract to which the sub-processing relates by giving seven (7) days’ prior written notice.
8. Transfer of Personal Data
The Data Processor shall transfer Personal Data outside the territory of the member states of the European Union, the European Economic Area, or other countries which the European Commission has found to guarantee an adequate level of data protection (collectively, the “Approved Jurisdictions”) only with the Data Controller’s prior written consent.
If required by applicable legislation, the Data Processor shall enter into the relevant contractual arrangements with the relevant parties for the lawful transfer of Personal Data from the Approved Jurisdictions to third countries. Such contractual arrangements shall be made in accordance with the standard data protection clauses adopted or approved by the European Commission (“Standard Contractual Clauses”). As an alternative to entering into the Standard Contractual Clauses, the Data Processor may rely upon another transfer safeguard permitting and providing for the lawful transfer of Personal Data outside the Approved Jurisdictions, provided that such safeguard complies with applicable legislation.
9. Notification of Personal Data Breach
The Data Processor shall without undue delay notify the Data Controller if it, or one of its Sub-Processors, becomes aware of a Personal Data Breach. Information shall be provided to the contact address assigned by the Data Controller, if not otherwise agreed between the Parties.
The Data Controller shall be entitled to audit the Data Processor’s performance of its Processing obligations under this Agreement (“Audit”). The Data Controller shall use external auditors who are not competitors of the Data Processor to conduct such an Audit.
The Parties shall agree well in advance, and at least seventy (70) days beforehand, on the time and other details relating to the conduct of such Audits. The Audit shall be conducted in such a manner that the Data Processor’s undertakings towards third parties (including but not limited to the Data Processor’s customers, partners and vendors) are in no way jeopardised. All the Data Controller’s representatives or external auditors participating in the Audit shall execute customary confidentiality undertakings towards the Data Processor.
The Data Processor shall always allow any relevant regulatory authority supervising the Data Controller’s business to conduct Audits of the Data Processor’s operations, in which case relevant parts of the Parties’ agreement hereunder shall apply. The Data Controller shall bear all Audit expenses, and compensate the Data Processor for any and all costs incurred as a result of the Audit.
The Data Processor shall keep any Personal Data received from the Data Controller confidential. In case data subjects or governmental authorities make a request concerning Personal Data, the Data Processor shall, as soon as reasonably possible, inform the Data Controller about such requests before providing any response or taking other action concerning the Personal Data.
Where a competent authority prescribes an immediate response to a disclosure request, the Data Processor may respond without first informing the Data Controller but shall inform the Data Controller as soon as reasonably possible thereafter, unless the Data Processor is prohibited by mandatory law or an authority order from disclosing such information.
12. Limitation of liability
The limitations of liability set out in the Contract shall apply also to this Agreement.
The Parties agree that the division of responsibility between the Parties for administrative fines imposed by a supervisory authority, or for claims by Data Subjects under this Agreement, is based on the principle that each Party must fulfil its own obligations under applicable law. Accordingly, any administrative fine imposed or damages awarded shall be borne by the Party that has failed to perform its legal obligations under applicable law, as determined by the supervisory authority or competent court authorised to impose such fines or award such damages.
13. Term and Termination
This Agreement shall remain in effect for as long as any agreement between the Parties under which Personal Data is Processed remains in force.
All provisions which by their nature are intended to survive the termination of this Agreement shall remain in full force and effect regardless of such termination.
Purpose and nature of processing
- To provide the Controller with the LIFETIMELY Service in accordance with the Contract.
Categories of Personal Data
- Controller’s customers’ email addresses;
- Controller’s customers’ country information;
- information about Controller’s customers’ orders and refunds; and
- usage analytics data.
- No special categories of Personal Data as defined in Art. 9(1) of the GDPR are Processed under this Agreement.
Categories of Data Subjects
- The Data Subjects are natural persons (the Controller’s customers) whose Personal Data the Controller supplies to the Processor through the Service.
- The Processor does not interact with the Data Subjects directly in any manner without Controller’s prior approval.
List of Sub-processors
Sub-processor: Hetzner Online GmbH, Gunzenhausen
Purpose: Hosting and cloud storage service provider