GENERAL TERMS OF DELIVERY (2018/5) OF LOYALISTIC LTD

1 GENERAL

These general terms of delivery are applicable to all Services provided by the Supplier to its Clients.

Definitions

Agreement shall refer to the Agreement between the Client and the Supplier regarding the provision of Services which has been concluded on the grounds of either subscribing the Service, an offer, or an agreement separately signed.

Client shall refer to the parties identified in the offer or the Agreement using the Service.

Client's Materials shall have the meaning defined in Section 8.

Implementation Service shall mean the integration, parametrization and other similar implementation work carried out by the Supplier in order to set up the Service to Client's use as agreed in the Agreement and in accordance with Section 5 of these general terms.

Supplier shall refer to Loyalistic Ltd.

2 CLIENT'S RIGHTS AND OBLIGATIONS

Right of use of the Service

Subject to the Client's compliance with and fulfillment of its duties under the Agreement and these Terms, including the Client's payment of relevant service charges, the Supplier grants to the Client a non-exclusive right to use the Service during the term of the Agreement as set out herein.

The Client may grant access to the Service by virtue of its right of use to its employees or its other partners in cooperation in accordance with these terms and the service description. The Client shall not have the right to transfer or grant a right of use of the Service in any other manner to a third party. The Supplier shall not be responsible for the suitability of the Service for the intended purpose of use of the Client.

Applications, hardware and data connections

The Client shall see to that it possesses necessary applications, hardware, data connections and equipment for the use of the Service and shall be responsible for the repair, replacement and operating condition thereof. The Supplier shall not be responsible for any interferences or failure to operate of the Service caused by the applications, hardware or data connections on the Client's responsibility.

Inputting data to the Service

The Client shall be responsible for inputting its data to the Service. The Client shall be responsible for the accuracy and accordance with the law and authority orders of the data.

User credentials to the Service

All user credentials related to the Service, such as e.g. usernames, keys and passwords provided by the Supplier, are confidential and personal and they may not be handed to another person by their user. The Client is responsible for inputting correct and accurate personal information to the Service in the registration process. The Client shall be under obligation to keep the passwords and usernames related to the use of the Service with all due care. The Client shall be responsible for all use of the Service conducted with its passwords and usernames irrespective of by whom they have been used. The Client shall be obliged to notify the Supplier if there is any reason to suspect that said passwords or usernames have been exposed to a third party.

Obligation to cooperate

The Client shall provide the Supplier with adequate and to its best knowledge correct information for the purpose of performing the Services and other consultation services of the Supplier in the agreed form and schedule. The Client shall be responsible for the information, instructions and orders it gives to the Supplier.

3 SUPPLIER'S RIGHTS AND OBLIGATIONS

The Supplier shall see to that the Service is not in breach of any laws or authority orders in Finland.

The Supplier may alter its prices charged for the Service e.g. if a law amendment (e.g. tax increase) or an authority order or another reason so necessitates. The Supplier shall notify the alteration to the Client 30 workdays before the entry into force of the alteration at the latest.

The Supplier shall have the right to monitor and utilize in its own operations anonymized data pertaining to the use of the Service, statistics of the Client's Materials, and maintenance (such as data concerning Service load, information related to the use of the Service, number of Users etc.). No individual identifiers of the Client shall be made public in regard of said data.

The Service is always provided "as is" and "as available" and the Supplier does not warrant that the Service will operate uninterrupted or that it will be free from minor errors or defects which do not materially affect such performance. The Supplier does not warrant or give any undertaking with regard to any further feature or quality of the Service either.

The Supplier may use the Client's name and logo in its marketing materials and on its web page as a reference. If the Client wishes to prohibit the use of its name and logo by the Supplier, this shall be separately agreed upon between the Parties. Any reference meetings and other publicity shall be agreed upon separately between the Parties.

4 MODIFICATIONS OF THE SERVICE

The Supplier shall have the right to modify the Service and its content in the way it deems appropriate. The modifications of the Service may regard software used by the Supplier, data connections, new features, or other corresponding products, functionalities, or components used in the production of the Service. The Supplier shall strive to notify the Client of substantial modifications in advance, 30 calendar days before the entry into force of the modification at the latest. The notification obligation does not apply to modifications of urgent nature (e.g. data security updates or other measures considered as urgent modification needs by the Supplier).

5 IMPLEMENTATION SERVICE

General principles of Implementation Service

If the Supplier and the Client have agreed on the provision of Implementation Service in the Agreement, the Supplier shall provide the Implementation Service to the Client as a separate consultation service. The Client shall be responsible for the suitability of the Implementation Service in accordance with the Agreement for the Client's purpose of use and requirements. The Supplier shall be responsible for ensuring that the Implementation Service corresponds to what has been agreed upon in the Agreement.

The Supplier shall be responsible for that the Implementation Service is performed in accordance with the Agreement, with due care and craftsmanship observing good consultation practice.

The Supplier's working methods and processes, which may be freely modified by the Supplier, shall be utilized in the performance of the Implementation Service.

Each Party shall be responsible for making decisions necessary for the performance of the Implementation Service without delay.

Acceptance of Implementation Service

The Supplier's Implementation Service shall be deemed accepted when the Supplier has notified that the Implementation Service has been performed as agreed and the Client has informed the Supplier in writing (per email) that it accepts the results of the work performed as consultation service, or if the Client has not notified any defects in writing in five (5) workdays from the delivery at the latest, or when the Supplier has corrected the defects notified by the Client in writing to the Supplier within the aforementioned time period.

If the Client has begun to utilize either the results of the work performed under the Implementation Service or the Service, the Client shall be deemed to have accepted the Implementation Service.

The Implementation Service shall be invoiced from the Client prior to the performance of the Services.

Supplier's responsibility for Implementation Service

The Supplier's responsibility for the result of the work performed under the Implementation Service is limited in all cases to the re-performance of the defective part of the work so that the work shall in essential parts correspond to what has been agreed upon. The Supplier's responsibility shall seize when the Implementation Service has been accepted.

6 PRICES AND PAYMENT

Prices

The fees payable by the Client for utilizing the Service are defined in the Agreement. The service charges are calculated on a monthly or yearly basis.

Any consultancy work undertaken by the Supplier (including Implementation Service) shall be charged according to the price list in effect at the time. The Supplier shall have the right to charge ordinary and reasonable travel and accommodation expenses and daily allowances.

Unless otherwise stated by the Supplier, all prices are exclusive of VAT and other taxes, which will be added to the prices.

Payment

The fees payable by the Client shall be paid or invoiced in advance or at the latest in the beginning of each contractual period, as referred in Section 16 (Term and Termination of Agreement). The standard payment term for the invoices is fourteen (14) days net from the date of the invoice.

If the Client has opted for credit card payment and selected recurring payments, the fees for subsequent contractual periods shall be debited automatically from the Client's credit card in advance.

7 PROCESSING OF PERSONAL DATA

Controller

The Client shall be, in respect of the processing of all personal data of the Client's employees or other natural persons processed in the Service, the controller referred to in the General Data Protection Regulation of the European Union ("GDPR," 2016/679/EU). The Supplier is the data processor, who processes said personal data on behalf of and by the order of the Client and on the basis of its instructions. The parties shall agree on the processing of personal data in more detail in Appendix 1 (Data Protection).

Access to personal data by Supplier's personnel

The Supplier's personnel shall have no general access to the personal data contained in the Service. Only named persons at the Supplier or its partners in cooperation and its partner in cooperation may be granted access to the personal data contained in the Service. The Supplier shall in the processing comply with the GDPR and other Finnish and EU data protection legislation.

Location of personal data and Supplier's obligations in the processing of personal data

Unless otherwise agreed in writing, the Supplier has the right to transfer personal data outside the EU or EEA in accordance with the GDPR. The Supplier shall be entitled to transfer the personal data freely within the EU or EEA for the purpose of providing the Service.

8 INTELLECTUAL PROPERTY RIGHTS

Intellectual property rights to the Service

The ownership, copyright and other intellectual property rights to the Service as well as the software, materials (audiovisual etc.) and components used in its production shall belong to the Supplier or its partner in cooperation. The Client does not acquire in connection to its right of use defined in Section 1 any rights relating to the applications, processes, operation models or their execution solutions contained, used, or utilized in the Service.

Client's Materials

The Client shall own and possess all intellectual property rights to the Client's Materials it has saved in the Service. The Client shall grant the Supplier a right to process the Client's Materials in accordance with the Agreement where necessary. The Client shall be responsible in all respects for its own Client's Materials saved in the Service and its processing for its own part.

Other materials pertaining to the Service

The materials belonging and pertaining to the Services (such as user manuals etc.) shall be owned and copyrights as well as all other intellectual property rights shall be held by the Supplier or its partner in cooperation.

The Client shall be granted a free and temporarily unrestricted right of use to the materials produced by the Service which have been generated in connection to the use of the Service and which are based on the Client's Materials (e.g. reports etc.).

Rights to the consultation services

Copyrights and all other intellectual property rights to the documents and other results generated as end results of the consultation services shall belong to the Supplier or its partner in cooperation. The Client shall acquire a right of use lasting for the term of this Agreement to the results of the work performed as consultation services in its own internal usage.

9 SUBCONTRACTORS

The Supplier shall be entitled to use a subcontractor in the performance of its obligations under the Agreement. The Supplier shall be responsible for the work of the subcontractor it has used as for its own work.

10 SUSPENSION OF THE SERVICE

The Supplier shall have the right to suspend the Implementation Service or the provision of the Service to the Client in part or wholly on the following grounds:

  1. the suspension of the Service is necessary for the reparation measures, maintenance or other corresponding measures of the Service or its part. The Supplier shall notify the suspension to the Client in advance, if reasonably possible,
  2. the Client has not made undisputed payments arising under the Agreement in spite of a reminder;
  3. the Client's measure or a matter on the Client's responsibility has caused or causes interference, excessive traffic to or from the Service, threat, or damage to the Service or to the other users of the Service; there is reason to suspect that the Client's usernames or passwords are disclosed without permission to a third party and used to access the Service;
  4. according to the Supplier's justified understanding the Service has been used or is used to activities in breach of the law or authority regulations;
  5. a liquidation or bankruptcy application has been lodged against the Client or the Client has otherwise been found insolvent;
  6. the Client fails to comply with the terms of agreement or these General Terms and has not within three workdays from the Supplier's written notification corrected its breach.

In addition, if any of the aforementioned grounds arise caused by the Client's customer, the same shall apply as where they had been caused by the Client.

The suspension of the Service by the Supplier does not in any way affect the Client's payment obligations. The Supplier is not liable to pay any compensation or damages to the Client due to the suspension of the Service.

If the Service has been suspended under this Section for two consequent weeks, the Supplier shall have the right to terminate the Agreement with immediate effect and without any reimbursement or other payment to Client.

11 CONFIDENTIALITY AND NON-DISCLOSURE

The Parties undertake to keep confidential the documents and information (pricing, technical information and characteristics etc.) relating to the Agreement and the Service unless otherwise separately agreed in writing, and they may not be disclosed, given, or rendered in any part to the knowledge or use of a third party without the advance written approval of the other Party. The Supplier shall however be entitled to deliver the Client's confidential Materials on the grounds of a Court decision, authority regulation or another similar reason.

However, confidentiality does not apply to materials and information (a) which are publicly available or otherwise public or (b) which a Party has acquired from a third party without confidentiality or (c) which the Party possessed without confidentiality before acquiring them from the other Party or (d) which the Party has independently developed utilizing materials, documents and/or information acquired from the other Party. Confidentiality shall remain in force for five (5) years from the termination of the Agreement.

Both Parties must immediately return the other Party's materials including all copies thereof upon the termination of the Agreement. Both Parties may however keep copies of the materials as required by the law or authority orders. Both Parties have the right to utilize the professional skills and experience acquired during the contractual relationship in other business relations.

12 FORCE MAJEURE

The Supplier is released from its obligations under the Agreement and its liability for damages if the compliance with a term of agreement is prevented or delayed by a force majeure event. As force majeure events shall be considered matters which could not have been reasonably foreseen and the consequences of which cannot be reasonably overcome or avoided. Such matter may be e.g. unreasonable difficulty in fulfilling the Supplier's contractual obligations, interruptions or malfunctions in communication networks, national state of emergency, industrial conflict, fire, thunder, storm, natural disaster, authority orders, damages to cables etc. caused by a third party, flood and water damage, interruptions in electric power network, wide communication errors or interferences, interruption in the supply of energy or another essential resource, or another unusual reason with similar consequences independent of the Supplier. A force majeure event met by the Supplier's subcontractor shall also be considered as grounds for release if the subcontracting cannot without unreasonable costs or essential loss of time be done elsewhere.

13 CHOICE OF LAW AND DISPUTE RESOLUTION

This Agreement shall be governed by Finnish law.

Disputes possibly arising under this Agreement shall first and foremost be resolved in bilateral negotiations between the Parties. If the negotiations fail to lead to an agreement, the differences shall be finally settled in arbitration in accordance with the Rules of the Arbitration Institute of the Finland Chamber of Commerce. The number of arbitrators shall be one. The arbitrator shall be named by the Arbitration Institute of the Finland Chamber of Commerce. The place of the arbitration shall be Helsinki and the arbitration shall be conducted in Finnish. Notwithstanding what has been stated above, the Supplier may bring action for undisputed invoice receivables in the District Court.

14 DAMAGES AND LIMITATION OF LIABILITY

Both Parties are responsible for direct damages caused to the other Party by a breach of agreement relating to the Agreement. The amount of damages for direct costs and damage including possible service level sanctions as well as delayed and other penalties shall amount to a total of three (3) previous months' Service payments in regard of the Place of Business by which the damage was sustained. If the Service has been in use for less than three (3) months, the amount of the damages shall be calculated on the basis of the months during which the Agreement has been in force.

The Parties are not under any circumstances responsible for any indirect damage (incl. loss or transformation of information, lost profit, and cover purchase) or damages, interference or expenses caused by a third party's products or services.

The limitation of liability shall not apply to any damages caused by wilful acts or gross negligence or by breach of confidentiality.

15 AMENDMENT AND TRANSFER OF THE AGREEMENT

The Supplier shall have the right to amend the terms of the Agreement if the content of the Service is changed or if there are other justified reasons thereto. If the Client does not accept the amendments it may give immediate notice on the Agreement. Notice must be given on the grounds of the amendment in two weeks from when the amendment took place at the latest. If the Client does not react to the amendment within two weeks from its publication, the amendment shall be deemed to be approved by the Client. The Supplier shall notify all amendments to the Agreement to the Client by publishing them on its web page.

The Agreement may not be transferred without the consent of the other Party. The Supplier may however transfer the Agreement to a corporation belonging to the same group or in connection to company restructuring (e.g. sale of business operations).

16 TERM AND TERMINATION OF AGREEMENT

The Agreement shall remain in force for a fixed period agreed upon in the Agreement. The Agreement shall be automatically renewed after the lapse of each contractual period for the period defined in the Agreement unless notice is given thereupon in writing (via email etc.) at least two (2) months prior to the beginning of the subsequent contractual period. Where the fixed period is three (3) months or less, the notice period shall be one (1) month.

The Supplier shall have the right to rescind the Agreement to terminate with immediate effect in its entirety or in part and suspend the provision of the Service: a) if the Client has not made payments in spite of a written reminder, b) the Client uses the Service in violation of the Agreement and in spite of a written notification continues its actions in breach of the Agreement.

Both Parties have the right to rescind the Agreement to terminate with immediate effect if the other Party: a) has been declared bankrupt, placed in reorganization or other insolvency proceedings, or it is otherwise evident that the Party will not be able to fulfil its economic obligations arising from the Agreement; b) has substantially breached its obligations under the Agreement and has not corrected its default in thirty (30) days after having received a written notification thereof.

No interest shall be paid on payments possibly returned to the Client upon the termination of the Agreement. If the Client terminates the Agreement, no refunds shall be made for Service payments made in advance. No payments relating to the implementation, consultation, installation of devices etc. shall be refunded.

17 OBLIGATION TO ASSIST UPON THE TERMINATION OF THE AGREEMENT

The Supplier shall be obliged to reasonably contribute to the transfer of the provision of the Service to another provider upon the termination of the Agreement. The obligation to cooperate includes an obligation to return the Client's Material to the Client in a commonly used electronic form enabling further processing. Unless otherwise agreed in writing, the obligation to cooperate shall seize when 3 months have passed from the termination of the Agreement. The Supplier shall be entitled to charge a fee in accordance with its price sheet for the services pertaining to the obligation to cooperate.

The Supplier is not under an obligation to cooperate as referred to in this Section if the Agreement is terminated due to a substantial breach of agreement by the Client.

18 APPENDICES

Appendix 1        Data Protection


APPENDIX 1: TERMS AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA

This Data Processing Appendix ("DPA") forms an integral part of the General Terms of Delivery of Loyalistic Ltd ("General Terms and Conditions").

1 DEFINITIONS

"Data Protection Legislation" means the current Personal Data Act (523/1999) until 25 May 2018 and the GDPR as of 25 May 2018;

"GDPR" means the General Data Protection Regulation of the European Union (2016/679/EU), which will be applied as of 25 May 2018;

"Personal Data" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Personal Data Breach" means an event leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data Processed;

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2 GENERAL

This DPA sets out the terms and conditions under which the Supplier processes the Client's Personal Data. The purpose of this DPA is to take into account the responsibilities and obligations set by the GDPR.

The Client is the data controller of the Client's Personal Data Processed in connection with the Services agreed in the Agreement. As a data controller, the Client determines the purposes and means of the Processing of Personal Data. The Supplier is the data processor, who Processes the said Personal Data on behalf of and by the order of the Client as agreed in this DPA. The Parties understand that authorities may issue orders and guidelines within the scope of the GDPR after the signing of the Agreement. The Parties commit to, if necessary, amend this DPA based on such orders and guidelines.

The Parties shall inform each other of the contact details of their possible data protection officers.

3 THE PURPOSE AND CONTENTS OF THE PROCESSING

The Supplier shall Process the Personal Data solely for the purpose of providing the Services to the Client in accordance with the General Terms and Conditions. For this purpose, the Supplier shall Process the following categories of Personal Data: name, contact details (such as address, billing address, e-mail and phone number), company name, language and other information that personally identifies the data subject (such as IP-address).

The Supplier shall perform the following Processing activities on the Personal Data: collecting personal data through forms, automatically and/or programmatically and storing the data; organising and presenting the data in different ways for various purposes; making the data available to the Client and to the data subject, for viewing, modification and deletion.

4 RESPONSIBILITIES OF THE CLIENT

The Client shall process the Personal Data in compliance with the Data Protection Legislation. The Client is responsible for the lawfulness and completeness of the instructions on the Processing of Personal Data and that there are no defects or errors in the said instructions. Possible changes to the Client's instructions and possible cost effects shall always be agreed on separately in writing.

The Client is responsible for the Personal Data provided to the Supplier and the lawfulness of the Processing during the whole term of this DPA. The Client is responsible for providing all appropriate notices and information related to the Processing of Personal Data to the data subjects in accordance with applicable laws. The Supplier does not monitor the content, quality or timeliness of the Personal Data provided by the Client.

The Client shall ensure that the purpose and grounds for Processing are in compliance with the Data Protection Legislation. The Client shall also ensure that Personal Data has been collected in accordance with the Data Protection Legislation and that the Client has the right to transfer the Personal Data to be Processed by the Supplier.

The Parties do not intend to transfer any of the controller's legal obligations arising from the Data Protection Legislation to the Processor with this DPA.

5 RESPONSIBILITIES OF THE SUPPLIER

The Supplier shall Process the Personal Data in accordance with the Data Protection Legislation and the Client's written instructions, unless otherwise required by law applicable to the Supplier. In such case, the Supplier shall inform the Client of such legal requirement before the Processing, unless the applicable law prohibits such notification. For the sake of clarity, the Client will always be deemed to have instructed the Supplier to provide the Services in accordance with the General Terms and Conditions.

Taking into account the nature of the Processing, the Supplier shall assist and support the Client with appropriate technical and organisational measures chosen by the Supplier so that the Client can fulfil its obligation to respond to requests concerning the exercise of the following rights of the data subjects, as set out in Chapter III of the GDPR (provided that the data subject has the said right under the GDPR):

  1. right of access to the Personal Data;
  2. right to rectification and erasure;
  3. right to restriction of Processing;
  4. right to Personal Data portability; and
  5. right to object to Processing of Personal Data.

In case a Party receives a request concerning the use of the data subject's rights, the Party receiving the request shall notify the other Party of the request immediately and at the latest on the first weekday following the receipt of the request, if fulfilment of the request requires any actions from the other Party. The notification will contain all information necessary to the other Party to fulfil the request. The Supplier is entitled to charge the Client for all actions taken to fulfil the request of the data subject on a time and material basis in accordance with its price list applicable at the time. Taking into account the nature of the Processing, the Supplier shall implement the functionalities concerning the fulfilment of the data subject's rights provided for in sections 5 c-d above in a manner chosen by the Processor as a part of the agreed Services only as of 25 May 2018.

Taking into account the nature of the Processing, the Supplier shall assist the Client in ensuring compliance with the following obligations under Articles 32-36 of the GDPR (taking into account the nature of the Processing and the information available to the Supplier):

  1. ensuring the security of Processing by implementing appropriate technical and organisational measures;
  2. notification of Personal Data Breaches to supervisory authority and the data subjects;
  3. participating in data protection impact assessment if such impact assessment is necessary under Article 35 of the GDPR; and
  4. participating in the prior consultation of the supervisory authority if such prior consultation is necessary under Article 36 of the GDPR.

The Supplier shall assist the Client only to the extent required of a data processor in the Data Protection Legislation. The Supplier is entitled to charge the Client for the aforementioned measures on a time and material basis in accordance with its price list applicable at the time.

6 DATA SECURITY

The Parties undertake to implement the technical and organisational measures commonly used in the industry to protect the Personal Data. In connection with agreeing on the implementation of such measures, the Parties shall in planning and implementation take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. When assessing appropriate level of security, the Parties shall also take into account the risks of the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.

Such measures include e.g.:

  1. pseudonymisation and encryption of Personal Data;
  2. the ability to ensure the continuing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of data Processing.

The aforementioned measures are examples of how the Parties may ensure the security of the Processing of Personal Data.

The Client shall ensure appropriate and sufficient data security of the equipment and IT environment under its control. Unless agreed otherwise in the Agreement, the Client shall be responsible for taking backups of the Personal Data and the verification of the functionality of the backups.

The Client shall inform the Supplier of all issues related to the Personal Data provided by the Client, such as risk assessment and the inclusion of special categories of Personal Data, which issues affect the technical and organizational measures implemented under this DPA. For the sake of clarity, possible changes to the agreed data security procedures and the cost impacts of such changes will always be agreed separately in writing.

The Supplier shall ensure that the persons Processing Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. The Supplier shall implement necessary measures to ensure that the said persons only process Personal Data in accordance with the Client's written instructions.

7 TRANSFER OF PERSONAL DATA

Unless otherwise agreed in writing, the Supplier has the right to transfer Personal Data outside the EU or EEA in accordance with the Data Protection Legislation. The Supplier shall be entitled to transfer the Personal Data freely within the EU or EEA for the purpose of providing the Services.

8 SUBCONTRACTORS

The Supplier is entitled to use subcontractors in the provision of the Services and the related Processing of Personal Data. The Supplier shall notify the Customer of the subcontractors used in the Processing of Personal Data at the time of signature of the Agreement. The Supplier shall be responsible that its subcontractors Process the Personal Data in accordance with this DPA and the Data Protection Legislation.

The Supplier shall notify the Client if it plans on changing or adding subcontractors participating in the Processing of Personal Data. The Client is entitled to object to such changes on reasonable grounds. The Client shall notify the Supplier of the objection without undue delay after receiving the said notice from the Supplier. Should the Client not accept the change or the addition of a subcontractor, the Supplier has the right to terminate the Agreement with 30 days' notice.

9 PERSONAL DATA BREACHES

Each Party shall notify the other Party without undue delay, if it becomes aware of a Personal Data Breach. When notifying the Supplier of a Personal Data Breach, the Client shall provide to the Supplier all information that can be deemed to help in the investigation, restriction and prevention of the Personal Data Breach. The Parties may separately agree on the notification procedure more specifically. Unless otherwise agreed by the Parties, the notification will be made to the contact person informed by each Party.

When notifying the Client of a Personal Data Breach the Supplier shall, to the extent such information is available to the Supplier, provide the Client with the following information:

  1. a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned (as far as the information is available to the Supplier);
  2. the contact information of the Supplier's data protection officer or other contact point where more information can be obtained;
  3. a description of the likely consequences of the Personal Data Breach; and
  4. a description of the measures taken by the Supplier to address the Personal Data Breach and the measures taken by the Supplier to mitigate the adverse effects of the Personal Data Breach.

If the Personal Data Breach is caused by a reason that is under the responsibility of the Client, the Client shall be liable for the Supplier's costs resulting from the Personal Data Breach. The Client shall be responsible for notifying the supervisory authority and the data subjects of the Personal Data Breach as set out in the GDPR.

10 RECORDS OF PROCESSING ACTIVITIES

The Supplier shall maintain a record of Processing activities carried out behalf of the Client. The record contains the following information:

  1. the name and contact details of the Client, the Supplier and the Supplier's possible data protection officer and information about possible subcontractors;
  2. the categories of Processing carried out behalf of the Client;
  3. information on transfers of Personal Data outside the EU or EEA; and
  4. where possible, a general description of the technical and organisational safety measures implemented in accordance with section 6 of this DPA.

11 RIGHT TO AUDIT

During the term of the Agreement, the Client or an independent third party auditor appointed by the Client, which third party may not be the Supplier's competitor, will have the right to audit the Supplier's compliance with the obligations addressed to it under this DPA. The subject of the audit will be the Supplier's relevant material related to the Processing of the Client's Personal Data and the Supplier's systems and premises used in the Processing of Client's Personal Data. The audit may be carried out no more than once per year and the Supplier shall be notified of the audit in writing at least 30 days in advance. However, the Supplier shall always allow the regulatory authority supervising the Client's business to conduct audits targeted at the Client's data processor's operations. The relevant parts of this DPA will be applied to such audits.

The Supplier shall participate in the audit and provide to the auditor information required to demonstrate the Supplier's compliance with the requirements addresses to it under this DPA. The audit may not interfere with the Supplier's operation of services and the auditor will not be entitled to access information of the Supplier's Clients or partners. Should the Client not be the one performing the audit, the auditor will enter into a confidentiality agreement with the Supplier prior to the execution of the audit.

The Client shall bear all costs resulting from the audit and compensate the Supplier for all costs incurred as a result of the audit. If the audit reveals material deficiencies in the Supplier's performance, the Supplier shall bear its own resulting from the audit.

12 TERMINATION OF THE PROCESSING OF PERSONAL DATA

Upon termination of the provision of the Services related to the Processing of Personal Data, the Supplier undertakes, in accordance with the Client's written request, to delete or return the Personal data to the Client. Additionally, upon termination of the Agreement, the Supplier shall delete all existing copies of the Personal Data, unless the Supplier is required to store the said Personal Data under applicable law or regulation. The Supplier is entitled to charge the Client for the return or destruction of the Personal Data on a time and material basis in accordance with its price list applicable at the time. The Parties may agree more specifically on the practices related to the deletion or return of Personal Data.

13 DAMAGE CAUSED BY THE PROCESSING OF PERSONAL DATA

If a data subject suffers damages due to a breach of the GDPR, each Party shall itself be liable for the damage caused to the data subject in accordance with Article 82 of the GDPR. Each Party shall also itself be liable for any administrative fines imposed by a supervisory authority to it in accordance with Article 83 of the GDPR.

The limitation of liability clause of the General Terms and Conditions is applied to this DPA.