Drafted 16.3.2023, last updated 28.6.2023
- Processor
JamJarSoft Oy, business-ID 3281278-3 (hereinafter ”Processor”)
Kasarmikatu 4
13100 Hämeenlinna
- Controller
JamJarApp or JamJarAccounting service’s customer (hereinafter ”Controller”)
- Background and Terms
The Data Processor and Data Controller have entered into a service agreement (hereinafter the ”Service Agreement”) that requires the Service Provider to process personal data collected by the Customer. This agreement on the processing of personal data (hereinafter the ”DPA”) sets out the terms and conditions for the processing of personal data, which the parties accept and undertake to comply with. The processing operations are described in more detail in Annex A Description of the Processing, and Annex B Instructions by the Controller for the Processing. The Processor may update the Annexes during the term of the Agreement if necessary. In addition to this DPA, the parties undertake to comply with mandatory legislation in force at any time, as well as contractual obligations arising from other agreements.
- Definitions
Concepts not specifically defined in this DPA shall be given the same meaning as those of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
- Rights and Obligations of the Controller
The Controller reserves all rights, including intellectual property and property rights, to the personal data.
The Controller is responsible for:
- collecting personal data and legality of collecting the data,
- legality and diligence of processing of the personal data,
- ensuring the privacy of data subjects is not infringed or restricted more than is necessary or without legal and legitimate grounds,
- defining the nature, purposes and means of processing personal data to the extent of this DPA,
- delivering all notifications required by law or this DPA to the data subjects,
- fulfilling the rights of the data subjects,
- its eligibility and competence to commit to the Service Agreement and this DPA,
- legality of the legal basis and purposes of the processing to the extent of this DPA,
- handing all necessary information to the Processor required to ensure the legality of the processing,
- rectifying erroneous or incomplete data, deleting data, and informing these actions to the Processor,
- the implementation and costs of its audit to the extent desired to ensure compliance by the Processor and subcontractors with this DPA,
- the accuracy of all data given to the Processor and legality of the disclosure of the data.
- Rights and Obligations of the Processor
The Processor:
- shall process personal data only in accordance with documented instructions issued by the Controller, including transfers of personal data to a third country or international organisation, and only for the duration of this DPA to the extent necessary to fulfil the contractual obligations set out in the Service Agreement,
- shall not utilize personal data covered under this DPA for any other purposes or activities than the purposes and activities defined in this DPA,
- shall not disclose, process, or combine personal data with any other data in any other way than defined in this DPA or necessary to fulfill obligations set out in the Service Agreement,
- shall process personal data carefully and in accordance with the law and good data processing practice, without restricting or violating the privacy of data subjects in a way not specified in this DPA or more than is necessary for the execution of the Service Agreement,
- shall process personal data only in accordance with documented instructions by the Controller and oversee that any natural person processing the data under the supervision of the Processor follows these instructions,
- shall derogate from the documented instructions of the Controller only when required by law and inform the Controller of such a derogation if the law accepts such a notification,
- shall ensure that personal data is processed and accessible only to persons whose duties require such access and who are committed to compliance with professional secrecy or are subject to appropriate legal secrecy,
- shall execute all appropriate technical and organisational measures as defined in this DPA to ensure the processing fulfills all security obligations set out in the law,
- shall as far as possible, taking into account the nature of the processing, assist the Controller with appropriate technical and organisational measures to fulfill its obligations to respond to requests by data subjects regarding their rights,
- shall, taking into account the nature of the processing and information available to the Processor, assist the Controller as required by law to ensure legal obligations are complied with,
- shall conduct all appropriate measures should the Controller inform the Processor of any rectifications or deletions of personal data,
- shall, following the choice of the Controller, delete or return all personal data to the Controller upon termination of the Service Agreement and delete all existing copies unless otherwise required by law,
- shall, where required by law, make available to the Controller all the information necessary to demonstrate compliance with the obligations laid down by law and allow and participate in audits, such as inspections, carried out by the Controller or other auditor authorised by the Controller,
- shall inform the Controller if according to the view of the Processor documented instructions given by the Controller on the processing of personal data are unlawful or if there are other obvious shortcomings in the Controller’s operations regarding this DPA and fulfillment of data protection obligations.
The Processor shall be entitled to compensation for any assistance it performs and for any action it takes to safeguard the rights of data subjects and to support audits.
- Transfer of Personal Data
The Processor may transfer personal data under this DPA to another country within the European Union or the European Economic Area or to a country for which the European Commission has determined that it ensures an adequate level of data protection. Outside this area, the Processor may transfer personal data to a third country only if the Controller has given prior written consent and a separate agreement on the transfer of personal data between the Processor and the Controller is concluded.
- Subcontractors
The Processor has under this DPA the right to use subcontractors for the processing of personal data. The authorisation to use subcontractors is general. The subcontractors in use shall be notified to the Controller upon a written request.
The Processor shall inform the Controller of any changes in the subcontractors in writing or in a notice visible in the Service at least 30 days before the changes take effect. If the Controller does not accept the changes, the Controller has the right to terminate the Service Agreement and terminate use of the Service in accordance with the Service Agreement. If the Controller does not terminate the Service Agreement, the changes take effect, and the Controller accepts the changes.
The Processor shall enter into a written agreement on the processing of personal data with all subcontractors and ensure all subcontractors follow documented instructions given by the Controller.
- Confidentiality and Information Security
The Controller and the Processor agree to hold all personal data and other information received under this DPA confidential unless otherwise required by law or by terms and conditions in the Service Agreement. The Controller and the Processor undertake to provide and maintain appropriate technical and organisational measures in order to keep all personal data and other information confidential.
- Notification of Personal Data Breaches
The Processor shall inform the Controller without undue delay of any personal data breaches concerning personal data referred to in this DPA. The notification shall be made to the contact person in the Controller’s contact information or by a notification in the Service.
The Processor shall provide the Controller with information on the circumstances and causes that led to the breach and information on other facts available to the Processor in accordance with reasonable requests from the Controller and without undue delay.
Where the information is reasonably available to the Processor, the notification shall include at least (i) a description of the security breach, including the categories and numbers of data subjects concerned and the categories and numbers of personal data, (ii) the name and contact details of the Processor’s representative, (iii) a description of the likely consequences of the breach, and (iv) a description of the proposed measures taken or to be taken as a result of the breach and measures to mitigate the damages caused by the breach.
- Auditing
The Controller shall have the right to audit the activities of the Processor governed in this DPA. Auditing and procedure shall be agreed upon in advance in order for the audit to not cause undue harm to the activities of the Processor. The Controller shall bear all the costs of the audit, including the additional costs incurred by the Processor for the audit.
- Limitation of liability
For the purposes of this DPA, the Processor shall only be liable for direct damages caused by negligence. Subject to the law, the Processor shall not be liable for any indirect damages. The Controller shall compensate the Processor for any damages resulting from an infringement of an obligation under this DPA and paid by the Processor to a third party, unless the damages are due to the negligent or intentional conduct of the Processor.
The upper limit of liability of the Processor shall always be the upper limit per damaging event as defined in the Service Agreement’s Terms of Service. The damaging event shall be deemed to be one even if the damages are due to a repeated error or the event is long in duration due to its nature. Any breach, error or omission of the DPA shall not give rise to any sanctions other than those mentioned above to the Processor unless otherwise required by mandatory legislation. All complaints and claims to the Processor shall be provided in writing within 14 days of the discovery or detection of an error or omission or the moment when such an event should have been discovered or detected.
- Term and Changes to the DPA
The term of this DPA shall be tied to the term of the Service Agreement starting from the date of entry into force of the Service Agreement and expiring at the termination of the Service Agreement. However, the obligations which, by nature of the obligations arising out of this DPA or from the law, must remain in force irrespective of the termination of the DPA shall remain in force despite the termination of the Service Agreement for as long as the nature of the obligations so requires.
The Processor has the right to make changes to the terms of this DPA or Annex A Description of the Processing by notifying the Controller of the changes in writing or in the Service at least 30 days before the changes take effect. If the Controller does not accept the changes, the Controller is entitled to terminate the Service Agreement and terminate the use of the Service in accordance with the Service Agreement. If the Controller does not terminate the Service Agreement, the changes take effect, and the Controller accepts the changes.
Changes to Annex B Instructions by the Controller for the Processing may be implemented after a written notification by the Controller, which shall be submitted at least 30 days before the intended changes take effect. The proposed changes shall be approved in writing by the Processor. If the Processor does not accept the changes, they shall not enter into force and the Controller is entitled to terminate the Service Agreement and terminate the use of the Service in accordance with the Service Agreement.
- Governing law
This DPA, including its annexes, shall be governed by the laws of Finland.
Annexes
Annex A Description of the Processing
Annex B Instructions by the Controller for the Processing
ANNEX A Description of the Processing
| Categories of data subjects whose personal data is processed | The Controller’s clients. |
| Categories of personal data processed | Name; Address, phone, email; Hourly recordings, price per item; Account number |
| Nature of the processing | Personal data is stored, transferred, modified and deleted. Personal data is processed automatically. |
| Purposes for which the personal data is processed on behalf of the Controller | Personal data shall be processed in order to fulfil the obligations defined in the Service Agreement and laid down by law. |
| Duration of the processing | Personal data shall be processed during the term of the DPA and after its termination, if such processing is a condition for the fulfilment of the obligations set out in the DPA or by law. |
| Regular sources of data | Personal data shall be obtained from the Controller in accordance with his own statement and records. |
| Technical and organisational measures | The data shall be protected by appropriate technical measures, such as firewalls and passwords, both in the Processor’s own data systems and during the transfer of personal data between the Controller and the Processor or Processor and subcontractors. Access to personal data shall be restricted to workers whose duties require the processing of personal data. The employees concerned shall be bound by the obligation of professional secrecy under contract or law. |
ANNEX B Instructions by the Controller for the Processing
Instructions on the processing of personal data issued by the Controller are stored in the Processor’s information system and updated in accordance with instructions received from the customer.